zloader | 02cb5c5e7e3c2ab21849927122d00aff871db962752410a303728394fd39f607

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
15-05-2024 18:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

02cb5c5e7e3c2ab21849927122d00aff871db962752410a303728394fd39f607.exe
Size

2.2MB
MD5

21f3048771aabc6dc4be59001e31b98f
SHA1

a20b94a3f31817bb322c586e3cb318e51524def0
SHA256

02cb5c5e7e3c2ab21849927122d00aff871db962752410a303728394fd39f607
SHA512

065804a5e4fe5e44ff4b0af57c530c0fedc0f5d9ff8219a7bb9ad1d4e5afce64e437a796e09691eda393e94318813a5a4d4b2864567179814cee0f2e047b75ba
SSDEEP

49152:Luu30KZbTChxKCnFnQXBbrtgb/iQvu0UHOY8:LH0KZ6hxvWbrtUTrUHOY8

Score

10^/10

zloader botnet evasion persistence trojan

Malware Config

Signatures

Zloader, Terdot, DELoader, ZeusSphinx
Zloader is a malware strain that was initially discovered back in August 2015.
trojan botnet zloader

UPX dump on OEP (original entry point) 30 IoCs

resource	yara_rule
behavioral1/memory/2316-525-0x0000000000400000-0x000000000048D000-memory.dmp	UPX
behavioral1/memory/2104-526-0x0000000000400000-0x000000000048D000-memory.dmp	UPX
behavioral1/memory/1352-527-0x0000000000400000-0x000000000048D000-memory.dmp	UPX
behavioral1/memory/2516-528-0x0000000000400000-0x000000000048D000-memory.dmp	UPX
behavioral1/memory/1352-530-0x0000000000400000-0x000000000048D000-memory.dmp	UPX
behavioral1/memory/2516-531-0x0000000000400000-0x000000000048D000-memory.dmp	UPX
behavioral1/memory/2516-535-0x0000000000400000-0x000000000048D000-memory.dmp	UPX
behavioral1/memory/1352-534-0x0000000000400000-0x000000000048D000-memory.dmp	UPX
behavioral1/memory/1352-537-0x0000000000400000-0x000000000048D000-memory.dmp	UPX
behavioral1/memory/2516-538-0x0000000000400000-0x000000000048D000-memory.dmp	UPX
behavioral1/memory/1352-540-0x0000000000400000-0x000000000048D000-memory.dmp	UPX
behavioral1/memory/2516-541-0x0000000000400000-0x000000000048D000-memory.dmp	UPX
behavioral1/memory/1352-543-0x0000000000400000-0x000000000048D000-memory.dmp	UPX
behavioral1/memory/2516-544-0x0000000000400000-0x000000000048D000-memory.dmp	UPX
behavioral1/memory/2516-549-0x0000000000400000-0x000000000048D000-memory.dmp	UPX
behavioral1/memory/1352-548-0x0000000000400000-0x000000000048D000-memory.dmp	UPX
behavioral1/memory/1352-551-0x0000000000400000-0x000000000048D000-memory.dmp	UPX
behavioral1/memory/2516-552-0x0000000000400000-0x000000000048D000-memory.dmp	UPX
behavioral1/memory/1352-554-0x0000000000400000-0x000000000048D000-memory.dmp	UPX
behavioral1/memory/2516-555-0x0000000000400000-0x000000000048D000-memory.dmp	UPX
behavioral1/memory/2516-558-0x0000000000400000-0x000000000048D000-memory.dmp	UPX
behavioral1/memory/1352-557-0x0000000000400000-0x000000000048D000-memory.dmp	UPX
behavioral1/memory/1352-560-0x0000000000400000-0x000000000048D000-memory.dmp	UPX
behavioral1/memory/2516-561-0x0000000000400000-0x000000000048D000-memory.dmp	UPX
behavioral1/memory/1352-563-0x0000000000400000-0x000000000048D000-memory.dmp	UPX
behavioral1/memory/2516-564-0x0000000000400000-0x000000000048D000-memory.dmp	UPX
behavioral1/memory/1352-566-0x0000000000400000-0x000000000048D000-memory.dmp	UPX
behavioral1/memory/2516-567-0x0000000000400000-0x000000000048D000-memory.dmp	UPX
behavioral1/memory/2516-570-0x0000000000400000-0x000000000048D000-memory.dmp	UPX
behavioral1/memory/1352-569-0x0000000000400000-0x000000000048D000-memory.dmp	UPX

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	02cb5c5e7e3c2ab21849927122d00aff871db962752410a303728394fd39f607.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\G_Host = "\"C:\\Windows\\System\\gHost.exe\" /Reproduce"	02cb5c5e7e3c2ab21849927122d00aff871db962752410a303728394fd39f607.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\G_Host = "\"C:\\Windows\\System\\gHost.exe\" /Reproduce"	KHATRA.exe

Disables RegEdit via registry modification 2 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	02cb5c5e7e3c2ab21849927122d00aff871db962752410a303728394fd39f607.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	KHATRA.exe

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
1892	netsh.exe
2040	netsh.exe

Executes dropped EXE 9 IoCs

pid	Process
2864	@AE3208.tmp.exe
2316	02cb5c5e7e3c2ab21849927122d00aff871db962752410a303728394fd39f607.exe
2104	KHATRA.exe
2136	WdExt.exe
1352	Xplorer.exe
2516	gHost.exe
2836	launch.exe
2748	wtmps.exe
2908	mscaps.exe

Loads dropped DLL 16 IoCs

pid	Process
2832	explorer.exe
2832	explorer.exe
2832	explorer.exe
2832	explorer.exe
2864	@AE3208.tmp.exe
2316	02cb5c5e7e3c2ab21849927122d00aff871db962752410a303728394fd39f607.exe
2316	02cb5c5e7e3c2ab21849927122d00aff871db962752410a303728394fd39f607.exe
1708	cmd.exe
1708	cmd.exe
2136	WdExt.exe
1352	Xplorer.exe
1728	cmd.exe
1352	Xplorer.exe
1728	cmd.exe
2596	cmd.exe
2596	cmd.exe

Adds Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Defender Extension = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Defender\\launch.exe\""	launch.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "C:\\Windows\\system32\\KHATRA.exe"	02cb5c5e7e3c2ab21849927122d00aff871db962752410a303728394fd39f607.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "C:\\Windows\\Xplorer.exe"	02cb5c5e7e3c2ab21849927122d00aff871db962752410a303728394fd39f607.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "C:\\Windows\\Xplorer.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "\"C:\\Windows\\Xplorer.exe\" /Windows"	02cb5c5e7e3c2ab21849927122d00aff871db962752410a303728394fd39f607.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "\"C:\\Windows\\Xplorer.exe\" /Windows"	KHATRA.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\w:	gHost.exe
File opened (read-only)	\??\a:	gHost.exe
File opened (read-only)	\??\e:	gHost.exe
File opened (read-only)	\??\i:	gHost.exe
File opened (read-only)	\??\k:	gHost.exe
File opened (read-only)	\??\m:	gHost.exe
File opened (read-only)	\??\q:	gHost.exe
File opened (read-only)	\??\u:	gHost.exe
File opened (read-only)	\??\g:	gHost.exe
File opened (read-only)	\??\p:	gHost.exe
File opened (read-only)	\??\v:	gHost.exe
File opened (read-only)	\??\b:	gHost.exe
File opened (read-only)	\??\h:	gHost.exe
File opened (read-only)	\??\r:	gHost.exe
File opened (read-only)	\??\t:	gHost.exe
File opened (read-only)	\??\x:	gHost.exe
File opened (read-only)	\??\j:	gHost.exe
File opened (read-only)	\??\l:	gHost.exe
File opened (read-only)	\??\n:	gHost.exe
File opened (read-only)	\??\o:	gHost.exe
File opened (read-only)	\??\s:	gHost.exe
File opened (read-only)	\??\y:	gHost.exe
File opened (read-only)	\??\z:	gHost.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman = "C:\\Windows\\system32\\KHATRA.exe"	02cb5c5e7e3c2ab21849927122d00aff871db962752410a303728394fd39f607.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe

AutoIT Executable 30 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/2316-525-0x0000000000400000-0x000000000048D000-memory.dmp	autoit_exe
behavioral1/memory/2104-526-0x0000000000400000-0x000000000048D000-memory.dmp	autoit_exe
behavioral1/memory/1352-527-0x0000000000400000-0x000000000048D000-memory.dmp	autoit_exe
behavioral1/memory/2516-528-0x0000000000400000-0x000000000048D000-memory.dmp	autoit_exe
behavioral1/memory/1352-530-0x0000000000400000-0x000000000048D000-memory.dmp	autoit_exe
behavioral1/memory/2516-531-0x0000000000400000-0x000000000048D000-memory.dmp	autoit_exe
behavioral1/memory/2516-535-0x0000000000400000-0x000000000048D000-memory.dmp	autoit_exe
behavioral1/memory/1352-534-0x0000000000400000-0x000000000048D000-memory.dmp	autoit_exe
behavioral1/memory/1352-537-0x0000000000400000-0x000000000048D000-memory.dmp	autoit_exe
behavioral1/memory/2516-538-0x0000000000400000-0x000000000048D000-memory.dmp	autoit_exe
behavioral1/memory/1352-540-0x0000000000400000-0x000000000048D000-memory.dmp	autoit_exe
behavioral1/memory/2516-541-0x0000000000400000-0x000000000048D000-memory.dmp	autoit_exe
behavioral1/memory/1352-543-0x0000000000400000-0x000000000048D000-memory.dmp	autoit_exe
behavioral1/memory/2516-544-0x0000000000400000-0x000000000048D000-memory.dmp	autoit_exe
behavioral1/memory/2516-549-0x0000000000400000-0x000000000048D000-memory.dmp	autoit_exe
behavioral1/memory/1352-548-0x0000000000400000-0x000000000048D000-memory.dmp	autoit_exe
behavioral1/memory/1352-551-0x0000000000400000-0x000000000048D000-memory.dmp	autoit_exe
behavioral1/memory/2516-552-0x0000000000400000-0x000000000048D000-memory.dmp	autoit_exe
behavioral1/memory/1352-554-0x0000000000400000-0x000000000048D000-memory.dmp	autoit_exe
behavioral1/memory/2516-555-0x0000000000400000-0x000000000048D000-memory.dmp	autoit_exe
behavioral1/memory/2516-558-0x0000000000400000-0x000000000048D000-memory.dmp	autoit_exe
behavioral1/memory/1352-557-0x0000000000400000-0x000000000048D000-memory.dmp	autoit_exe
behavioral1/memory/1352-560-0x0000000000400000-0x000000000048D000-memory.dmp	autoit_exe
behavioral1/memory/2516-561-0x0000000000400000-0x000000000048D000-memory.dmp	autoit_exe
behavioral1/memory/1352-563-0x0000000000400000-0x000000000048D000-memory.dmp	autoit_exe
behavioral1/memory/2516-564-0x0000000000400000-0x000000000048D000-memory.dmp	autoit_exe
behavioral1/memory/1352-566-0x0000000000400000-0x000000000048D000-memory.dmp	autoit_exe
behavioral1/memory/2516-567-0x0000000000400000-0x000000000048D000-memory.dmp	autoit_exe
behavioral1/memory/2516-570-0x0000000000400000-0x000000000048D000-memory.dmp	autoit_exe
behavioral1/memory/1352-569-0x0000000000400000-0x000000000048D000-memory.dmp	autoit_exe

Drops autorun.inf file 1 TTPs 2 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File created	C:\Users\Admin\Local Settings\Application Data\Microsoft\CD Burning\AUTORUN.inF	02cb5c5e7e3c2ab21849927122d00aff871db962752410a303728394fd39f607.exe
File created	C:\Users\Admin\Local Settings\Application Data\Microsoft\CD Burning\AUTORUN.inF	KHATRA.exe

Drops file in System32 directory 19 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\KHATRA.exe	02cb5c5e7e3c2ab21849927122d00aff871db962752410a303728394fd39f607.exe
File created	C:\Windows\SysWOW64\mscaps.exe	wtmps.exe
File created	C:\Windows\SysWOW64\PerfStringBackup.TMP	OUTLOOK.EXE
File created	C:\Windows\system32\perfh00A.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc007.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh009.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc00A.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc010.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh010.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh00C.dat	OUTLOOK.EXE
File opened for modification	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File opened for modification	C:\Windows\SysWOW64\mscaps.exe	wtmps.exe
File opened for modification	C:\Windows\SysWOW64\PerfStringBackup.INI	OUTLOOK.EXE
File created	C:\Windows\system32\perfh007.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc00C.dat	OUTLOOK.EXE
File created	C:\Windows\SysWOW64\KHATRA.exe	02cb5c5e7e3c2ab21849927122d00aff871db962752410a303728394fd39f607.exe
File created	C:\Windows\system32\perfc009.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc011.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh011.dat	OUTLOOK.EXE

Drops file in Windows directory 14 IoCs

description	ioc	Process
File created	C:\Windows\Xplorer.exe	02cb5c5e7e3c2ab21849927122d00aff871db962752410a303728394fd39f607.exe
File opened for modification	C:\Windows\Xplorer.exe	02cb5c5e7e3c2ab21849927122d00aff871db962752410a303728394fd39f607.exe
File opened for modification	C:\Windows\system\gHost.exe	02cb5c5e7e3c2ab21849927122d00aff871db962752410a303728394fd39f607.exe
File opened for modification	C:\Windows\Xplorer.exe	KHATRA.exe
File opened for modification	C:\Windows\inf\Autoplay.inF	KHATRA.exe
File opened for modification	C:\Windows\inf\Outlook\outlperf.h	OUTLOOK.EXE
File created	C:\Windows\inf\Outlook\0009\outlperf.ini	OUTLOOK.EXE
File opened for modification	C:\Windows\system\gHost.exe	KHATRA.exe
File created	C:\Windows\inf\Outlook\outlperf.h	OUTLOOK.EXE
File created	C:\Windows\KHATARNAKH.exe	02cb5c5e7e3c2ab21849927122d00aff871db962752410a303728394fd39f607.exe
File opened for modification	C:\Windows\KHATARNAKH.exe	02cb5c5e7e3c2ab21849927122d00aff871db962752410a303728394fd39f607.exe
File created	C:\Windows\System\gHost.exe	02cb5c5e7e3c2ab21849927122d00aff871db962752410a303728394fd39f607.exe
File opened for modification	C:\Windows\inf\Autoplay.inF	02cb5c5e7e3c2ab21849927122d00aff871db962752410a303728394fd39f607.exe
File opened for modification	C:\Windows\KHATARNAKH.exe	KHATRA.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 13 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main	02cb5c5e7e3c2ab21849927122d00aff871db962752410a303728394fd39f607.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "Internet Exploiter"	02cb5c5e7e3c2ab21849927122d00aff871db962752410a303728394fd39f607.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	OUTLOOK.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	OUTLOOK.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "Internet Exploiter"	KHATRA.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main	KHATRA.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	OUTLOOK.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	OUTLOOK.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	OUTLOOK.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar	OUTLOOK.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006307D-0000-0000-C000-000000000046}\ = "InspectorEvents"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063076-0000-0000-C000-000000000046}	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063096-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063003-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063085-0000-0000-C000-000000000046}\ = "SyncObjectEvents"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006304C-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006304B-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006304F-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063105-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063044-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063098-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063002-0000-0000-C000-000000000046}	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006302D-0000-0000-C000-000000000046}	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630CA-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630A0-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672FA-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630F9-0000-0000-C000-000000000046}\ = "_AttachmentSelection"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063037-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630E0-0000-0000-C000-000000000046}\ = "_TextRuleCondition"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006308D-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672F9-0000-0000-C000-000000000046}\ = "OlkPageControlEvents"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630C5-0000-0000-C000-000000000046}	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630E0-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006307B-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006302C-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630EB-0000-0000-C000-000000000046}\ = "_ContactsModule"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672DA-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672E6-0000-0000-C000-000000000046}	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006304D-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063073-0000-0000-C000-000000000046}	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006307B-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630EE-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063024-0000-0000-C000-000000000046}	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630C7-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006302A-0000-0000-C000-000000000046}	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006303E-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630E8-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630CD-0000-0000-C000-000000000046}\ = "_Rule"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630D6-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006305C-0000-0000-C000-000000000046}\ = "_UserDefinedProperty"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630F8-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672EE-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006304B-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006307F-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630F7-0000-0000-C000-000000000046}	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630F1-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063039-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006300B-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063079-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630E3-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006300B-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00067366-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672FA-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630D4-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630D7-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630D2-0000-0000-C000-000000000046}\ = "_Table"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063034-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630EA-0000-0000-C000-000000000046}\ = "_CalendarModule"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006304A-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630CC-0000-0000-C000-000000000046}\ = "_Rules"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006308C-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006303F-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063096-0000-0000-C000-000000000046}\ = "_TableView"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063036-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1856	OUTLOOK.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2864	@AE3208.tmp.exe
2316	02cb5c5e7e3c2ab21849927122d00aff871db962752410a303728394fd39f607.exe
2316	02cb5c5e7e3c2ab21849927122d00aff871db962752410a303728394fd39f607.exe
2316	02cb5c5e7e3c2ab21849927122d00aff871db962752410a303728394fd39f607.exe
2316	02cb5c5e7e3c2ab21849927122d00aff871db962752410a303728394fd39f607.exe
2316	02cb5c5e7e3c2ab21849927122d00aff871db962752410a303728394fd39f607.exe
2316	02cb5c5e7e3c2ab21849927122d00aff871db962752410a303728394fd39f607.exe
2316	02cb5c5e7e3c2ab21849927122d00aff871db962752410a303728394fd39f607.exe
2316	02cb5c5e7e3c2ab21849927122d00aff871db962752410a303728394fd39f607.exe
2316	02cb5c5e7e3c2ab21849927122d00aff871db962752410a303728394fd39f607.exe
2316	02cb5c5e7e3c2ab21849927122d00aff871db962752410a303728394fd39f607.exe
2316	02cb5c5e7e3c2ab21849927122d00aff871db962752410a303728394fd39f607.exe
2316	02cb5c5e7e3c2ab21849927122d00aff871db962752410a303728394fd39f607.exe
2316	02cb5c5e7e3c2ab21849927122d00aff871db962752410a303728394fd39f607.exe
2316	02cb5c5e7e3c2ab21849927122d00aff871db962752410a303728394fd39f607.exe
2316	02cb5c5e7e3c2ab21849927122d00aff871db962752410a303728394fd39f607.exe
2316	02cb5c5e7e3c2ab21849927122d00aff871db962752410a303728394fd39f607.exe
2316	02cb5c5e7e3c2ab21849927122d00aff871db962752410a303728394fd39f607.exe
2316	02cb5c5e7e3c2ab21849927122d00aff871db962752410a303728394fd39f607.exe
2316	02cb5c5e7e3c2ab21849927122d00aff871db962752410a303728394fd39f607.exe
2316	02cb5c5e7e3c2ab21849927122d00aff871db962752410a303728394fd39f607.exe
2316	02cb5c5e7e3c2ab21849927122d00aff871db962752410a303728394fd39f607.exe
2316	02cb5c5e7e3c2ab21849927122d00aff871db962752410a303728394fd39f607.exe
2316	02cb5c5e7e3c2ab21849927122d00aff871db962752410a303728394fd39f607.exe
2316	02cb5c5e7e3c2ab21849927122d00aff871db962752410a303728394fd39f607.exe
2316	02cb5c5e7e3c2ab21849927122d00aff871db962752410a303728394fd39f607.exe
2316	02cb5c5e7e3c2ab21849927122d00aff871db962752410a303728394fd39f607.exe
2316	02cb5c5e7e3c2ab21849927122d00aff871db962752410a303728394fd39f607.exe
2316	02cb5c5e7e3c2ab21849927122d00aff871db962752410a303728394fd39f607.exe
2316	02cb5c5e7e3c2ab21849927122d00aff871db962752410a303728394fd39f607.exe
2316	02cb5c5e7e3c2ab21849927122d00aff871db962752410a303728394fd39f607.exe
2316	02cb5c5e7e3c2ab21849927122d00aff871db962752410a303728394fd39f607.exe
2316	02cb5c5e7e3c2ab21849927122d00aff871db962752410a303728394fd39f607.exe
2316	02cb5c5e7e3c2ab21849927122d00aff871db962752410a303728394fd39f607.exe
2316	02cb5c5e7e3c2ab21849927122d00aff871db962752410a303728394fd39f607.exe
2316	02cb5c5e7e3c2ab21849927122d00aff871db962752410a303728394fd39f607.exe
2316	02cb5c5e7e3c2ab21849927122d00aff871db962752410a303728394fd39f607.exe
2316	02cb5c5e7e3c2ab21849927122d00aff871db962752410a303728394fd39f607.exe
2316	02cb5c5e7e3c2ab21849927122d00aff871db962752410a303728394fd39f607.exe
2316	02cb5c5e7e3c2ab21849927122d00aff871db962752410a303728394fd39f607.exe
2316	02cb5c5e7e3c2ab21849927122d00aff871db962752410a303728394fd39f607.exe
2316	02cb5c5e7e3c2ab21849927122d00aff871db962752410a303728394fd39f607.exe
2316	02cb5c5e7e3c2ab21849927122d00aff871db962752410a303728394fd39f607.exe
2316	02cb5c5e7e3c2ab21849927122d00aff871db962752410a303728394fd39f607.exe
2316	02cb5c5e7e3c2ab21849927122d00aff871db962752410a303728394fd39f607.exe
2316	02cb5c5e7e3c2ab21849927122d00aff871db962752410a303728394fd39f607.exe
2316	02cb5c5e7e3c2ab21849927122d00aff871db962752410a303728394fd39f607.exe
2316	02cb5c5e7e3c2ab21849927122d00aff871db962752410a303728394fd39f607.exe
2316	02cb5c5e7e3c2ab21849927122d00aff871db962752410a303728394fd39f607.exe
2316	02cb5c5e7e3c2ab21849927122d00aff871db962752410a303728394fd39f607.exe
2316	02cb5c5e7e3c2ab21849927122d00aff871db962752410a303728394fd39f607.exe
2316	02cb5c5e7e3c2ab21849927122d00aff871db962752410a303728394fd39f607.exe
2316	02cb5c5e7e3c2ab21849927122d00aff871db962752410a303728394fd39f607.exe
2316	02cb5c5e7e3c2ab21849927122d00aff871db962752410a303728394fd39f607.exe
2316	02cb5c5e7e3c2ab21849927122d00aff871db962752410a303728394fd39f607.exe
2316	02cb5c5e7e3c2ab21849927122d00aff871db962752410a303728394fd39f607.exe
2316	02cb5c5e7e3c2ab21849927122d00aff871db962752410a303728394fd39f607.exe
2316	02cb5c5e7e3c2ab21849927122d00aff871db962752410a303728394fd39f607.exe
2316	02cb5c5e7e3c2ab21849927122d00aff871db962752410a303728394fd39f607.exe
2316	02cb5c5e7e3c2ab21849927122d00aff871db962752410a303728394fd39f607.exe
2316	02cb5c5e7e3c2ab21849927122d00aff871db962752410a303728394fd39f607.exe
2316	02cb5c5e7e3c2ab21849927122d00aff871db962752410a303728394fd39f607.exe
2316	02cb5c5e7e3c2ab21849927122d00aff871db962752410a303728394fd39f607.exe
2316	02cb5c5e7e3c2ab21849927122d00aff871db962752410a303728394fd39f607.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

pid	Process
1352	Xplorer.exe
2516	gHost.exe
1856	OUTLOOK.EXE

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
2316	02cb5c5e7e3c2ab21849927122d00aff871db962752410a303728394fd39f607.exe
2104	KHATRA.exe
1856	OUTLOOK.EXE
1856	OUTLOOK.EXE
1856	OUTLOOK.EXE

Suspicious use of SendNotifyMessage 4 IoCs

pid	Process
2316	02cb5c5e7e3c2ab21849927122d00aff871db962752410a303728394fd39f607.exe
2104	KHATRA.exe
1856	OUTLOOK.EXE
1856	OUTLOOK.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1856	OUTLOOK.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2684 wrote to memory of 2832	2684	02cb5c5e7e3c2ab21849927122d00aff871db962752410a303728394fd39f607.exe	28
PID 2684 wrote to memory of 2832	2684	02cb5c5e7e3c2ab21849927122d00aff871db962752410a303728394fd39f607.exe	28
PID 2684 wrote to memory of 2832	2684	02cb5c5e7e3c2ab21849927122d00aff871db962752410a303728394fd39f607.exe	28
PID 2684 wrote to memory of 2832	2684	02cb5c5e7e3c2ab21849927122d00aff871db962752410a303728394fd39f607.exe	28
PID 2684 wrote to memory of 2832	2684	02cb5c5e7e3c2ab21849927122d00aff871db962752410a303728394fd39f607.exe	28
PID 2684 wrote to memory of 2832	2684	02cb5c5e7e3c2ab21849927122d00aff871db962752410a303728394fd39f607.exe	28
PID 2832 wrote to memory of 2864	2832	explorer.exe	29
PID 2832 wrote to memory of 2864	2832	explorer.exe	29
PID 2832 wrote to memory of 2864	2832	explorer.exe	29
PID 2832 wrote to memory of 2864	2832	explorer.exe	29
PID 2832 wrote to memory of 2316	2832	explorer.exe	30
PID 2832 wrote to memory of 2316	2832	explorer.exe	30
PID 2832 wrote to memory of 2316	2832	explorer.exe	30
PID 2832 wrote to memory of 2316	2832	explorer.exe	30
PID 2864 wrote to memory of 1708	2864	@AE3208.tmp.exe	32
PID 2864 wrote to memory of 1708	2864	@AE3208.tmp.exe	32
PID 2864 wrote to memory of 1708	2864	@AE3208.tmp.exe	32
PID 2864 wrote to memory of 1708	2864	@AE3208.tmp.exe	32
PID 2316 wrote to memory of 2104	2316	02cb5c5e7e3c2ab21849927122d00aff871db962752410a303728394fd39f607.exe	31
PID 2316 wrote to memory of 2104	2316	02cb5c5e7e3c2ab21849927122d00aff871db962752410a303728394fd39f607.exe	31
PID 2316 wrote to memory of 2104	2316	02cb5c5e7e3c2ab21849927122d00aff871db962752410a303728394fd39f607.exe	31
PID 2316 wrote to memory of 2104	2316	02cb5c5e7e3c2ab21849927122d00aff871db962752410a303728394fd39f607.exe	31
PID 2864 wrote to memory of 2272	2864	@AE3208.tmp.exe	34
PID 2864 wrote to memory of 2272	2864	@AE3208.tmp.exe	34
PID 2864 wrote to memory of 2272	2864	@AE3208.tmp.exe	34
PID 2864 wrote to memory of 2272	2864	@AE3208.tmp.exe	34
PID 1708 wrote to memory of 2136	1708	cmd.exe	36
PID 1708 wrote to memory of 2136	1708	cmd.exe	36
PID 1708 wrote to memory of 2136	1708	cmd.exe	36
PID 1708 wrote to memory of 2136	1708	cmd.exe	36
PID 2104 wrote to memory of 1352	2104	KHATRA.exe	37
PID 2104 wrote to memory of 1352	2104	KHATRA.exe	37
PID 2104 wrote to memory of 1352	2104	KHATRA.exe	37
PID 2104 wrote to memory of 1352	2104	KHATRA.exe	37
PID 2136 wrote to memory of 1728	2136	WdExt.exe	38
PID 2136 wrote to memory of 1728	2136	WdExt.exe	38
PID 2136 wrote to memory of 1728	2136	WdExt.exe	38
PID 2136 wrote to memory of 1728	2136	WdExt.exe	38
PID 1352 wrote to memory of 2516	1352	Xplorer.exe	40
PID 1352 wrote to memory of 2516	1352	Xplorer.exe	40
PID 1352 wrote to memory of 2516	1352	Xplorer.exe	40
PID 1352 wrote to memory of 2516	1352	Xplorer.exe	40
PID 1728 wrote to memory of 2836	1728	cmd.exe	41
PID 1728 wrote to memory of 2836	1728	cmd.exe	41
PID 1728 wrote to memory of 2836	1728	cmd.exe	41
PID 1728 wrote to memory of 2836	1728	cmd.exe	41
PID 1728 wrote to memory of 2836	1728	cmd.exe	41
PID 1728 wrote to memory of 2836	1728	cmd.exe	41
PID 1728 wrote to memory of 2836	1728	cmd.exe	41
PID 2836 wrote to memory of 2596	2836	launch.exe	42
PID 2836 wrote to memory of 2596	2836	launch.exe	42
PID 2836 wrote to memory of 2596	2836	launch.exe	42
PID 2836 wrote to memory of 2596	2836	launch.exe	42
PID 2836 wrote to memory of 2596	2836	launch.exe	42
PID 2836 wrote to memory of 2596	2836	launch.exe	42
PID 2836 wrote to memory of 2596	2836	launch.exe	42
PID 2316 wrote to memory of 2512	2316	02cb5c5e7e3c2ab21849927122d00aff871db962752410a303728394fd39f607.exe	44
PID 2316 wrote to memory of 2512	2316	02cb5c5e7e3c2ab21849927122d00aff871db962752410a303728394fd39f607.exe	44
PID 2316 wrote to memory of 2512	2316	02cb5c5e7e3c2ab21849927122d00aff871db962752410a303728394fd39f607.exe	44
PID 2316 wrote to memory of 2512	2316	02cb5c5e7e3c2ab21849927122d00aff871db962752410a303728394fd39f607.exe	44
PID 2596 wrote to memory of 2748	2596	cmd.exe	45
PID 2596 wrote to memory of 2748	2596	cmd.exe	45
PID 2596 wrote to memory of 2748	2596	cmd.exe	45
PID 2596 wrote to memory of 2748	2596	cmd.exe	45

C:\Users\Admin\AppData\Local\Temp\02cb5c5e7e3c2ab21849927122d00aff871db962752410a303728394fd39f607.exe
"C:\Users\Admin\AppData\Local\Temp\02cb5c5e7e3c2ab21849927122d00aff871db962752410a303728394fd39f607.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2684
- C:\Windows\SysWOW64\explorer.exe
  explorer.exe
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2832
- - C:\Users\Admin\AppData\Local\Temp\@AE3208.tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\@AE3208.tmp.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2864
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Roaming\Temp\Admin0.bat" "
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1708
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2136
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Roaming\Temp\Admin2.bat" "
        6⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1728
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Defender\launch.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Defender\launch.exe" /i 2136
        7⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:2836
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Roaming\Temp\Admin0.bat" "
        8⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2596
        
        C:\Users\Admin\AppData\Local\Temp\wtmps.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wtmps.exe"
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2748
        
        C:\Windows\SysWOW64\mscaps.exe
        
        "C:\Windows\system32\mscaps.exe" /C:\Users\Admin\AppData\Local\Temp\wtmps.exe
        10⤵
        Executes dropped EXE
        
        PID:2908
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Roaming\Temp\Admin1.bat" "
      4⤵
      PID:2272
- - C:\Users\Admin\AppData\Local\Temp\02cb5c5e7e3c2ab21849927122d00aff871db962752410a303728394fd39f607.exe
    "C:\Users\Admin\AppData\Local\Temp\02cb5c5e7e3c2ab21849927122d00aff871db962752410a303728394fd39f607.exe"
    3⤵
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Modifies WinLogon
    - Drops autorun.inf file
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:2316
  - - C:\Windows\SysWOW64\KHATRA.exe
      C:\Windows\system32\KHATRA.exe
      4⤵
      Adds policy Run key to start application
      Disables RegEdit via registry modification
      Executes dropped EXE
      Adds Run key to start application
      Modifies WinLogon
      Drops autorun.inf file
      Drops file in System32 directory
      Drops file in Windows directory
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:2104
    - - C:\Windows\Xplorer.exe
        
        "C:\Windows\Xplorer.exe" /Windows
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of WriteProcessMemory
        
        PID:1352
      - C:\Windows\System\gHost.exe
        
        "C:\Windows\System\gHost.exe" /Reproduce
        6⤵
        Executes dropped EXE
        Enumerates connected drives
        Suspicious behavior: GetForegroundWindowSpam
        
        PID:2516
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C AT /delete /yes
        5⤵
        
        PID:2920
      - C:\Windows\SysWOW64\at.exe
        
        AT /delete /yes
        6⤵
        
        PID:2036
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        5⤵
        
        PID:2736
      - C:\Windows\SysWOW64\at.exe
        
        AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        6⤵
        
        PID:2700
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll
        5⤵
        
        PID:764
      - C:\Windows\SysWOW64\regsvr32.exe
        
        RegSvr32 /S C:\Windows\system32\avphost.dll
        6⤵
        
        PID:996
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        5⤵
        
        PID:1064
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        6⤵
        Modifies Windows Firewall
        
        PID:2040
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C AT /delete /yes
      4⤵
      PID:2512
    - - C:\Windows\SysWOW64\at.exe
        
        AT /delete /yes
        5⤵
        
        PID:2524
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
      4⤵
      PID:2416
    - - C:\Windows\SysWOW64\at.exe
        
        AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        5⤵
        
        PID:2456
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll
      4⤵
      PID:2872
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        RegSvr32 /S C:\Windows\system32\avphost.dll
        5⤵
        
        PID:1860
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
      4⤵
      PID:2012
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        5⤵
        Modifies Windows Firewall
        
        PID:1892

C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE" -Embedding
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\(Empty).LNK

Filesize
1KB

MD5
77ed70cd4b78d488dbdb03748be96f08

SHA1
2d5b2c8f09c01845f7c1de36a8397f8a801bf4cc

SHA256
952762eec1529b0a5ad41a21d7fe5b2c2cd76dc9f416b3c40dd0d19a263890c0

SHA512
d7378cff75041d6abdbb3566f46ade25c89c2e23db9ce8dddc26282411c1d45f88e771fa3a66da3606d9efed2180f83be6fc3a7efe44e667804a07eb2435076e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT

Filesize
235KB

MD5
86abad826d74b6b454c36dab44981325

SHA1
63603adb31c6ecb0a1db47271122f57a49363b76

SHA256
1ad3665a8bcf1bf76fc18cd6c624843d30d8f43b727b9d7964bdafe255f10439

SHA512
8a1637e3c881815d1a395841eee311b9c0c6159349c29cbfc7634335b8e5ef0a58276abbad42e6c43e3874a139b6cadec34299043e72931ea0ad6ff08ed12599

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Outlook\mapisvc.inf

Filesize
1KB

MD5
48dd6cae43ce26b992c35799fcd76898

SHA1
8e600544df0250da7d634599ce6ee50da11c0355

SHA256
7bfe1f3691e2b4fb4d61fbf5e9f7782fbe49da1342dbd32201c2cc8e540dbd1a

SHA512
c1b9322c900f5be0ad166ddcfec9146918fb2589a17607d61490fd816602123f3af310a3e6d98a37d16000d4acbbcd599236f03c3c7f9376aeba7a489b329f31

Download Submit
C:\Users\Admin\AppData\Local\Temp\02cb5c5e7e3c2ab21849927122d00aff871db962752410a303728394fd39f607.exe

Filesize
475KB

MD5
f76e712e7d4a7105beae26912839a54e

SHA1
4fdb2bdf9e0c71efc34a297b3f1eb9bdee227a69

SHA256
c25155bf317cd421d795762bb5c3d7737c8fdc3e4acf0a3e178117df15d47997

SHA512
7a428894a6162d47c9703ebb922436155c1795a547a69d2a23c4d5749393b2e28a3f1afcc96c21bb00ad20d6e570692a1a4525d9741e8e294d2c20a3cc8f129f

Download Submit
C:\Users\Admin\AppData\Local\Temp\424E.tmp

Filesize
406B

MD5
37512bcc96b2c0c0cf0ad1ed8cfae5cd

SHA1
edf7f17ce28e1c4c82207cab8ca77f2056ea545c

SHA256
27e678bf5dc82219d6edd744f0b82567a26e40f8a9dcd6487205e13058e3ed1f

SHA512
6d4252ab5aa441a76ce2127224fefcb221259ab4d39f06437b269bd6bfdaae009c8f34e9603ec734159553bc9f1359bdd70316cd426d73b171a9f17c41077641

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp366C.tmp

Filesize
1.0MB

MD5
df2c63605573c2398d796370c11cb26c

SHA1
efba97e2184ba3941edb008fcc61d8873b2b1653

SHA256
07ffcde2097d0af67464907fec6a4079b92da11583013bae7d3313fa32312fe8

SHA512
d9726e33fcfa96415cc906bdb1b0e53eba674eaf30ed77d41d245c1c59aa53e222246f691d82fa3a45f049fbf23d441768f9da21370e489232770ad5ae91d32f

Download Submit
C:\Users\Admin\AppData\Local\Temp\wtmps.exe

Filesize
276KB

MD5
75c1467042b38332d1ea0298f29fb592

SHA1
f92ea770c2ddb04cf0d20914578e4c482328f0f8

SHA256
3b20c853d4ca23240cd338b8cab16f1027c540ddfe9c4ffdca1624d2f923b373

SHA512
5c47c59ad222e2597ccdf2c100853c48f022e933f44c279154346eacf9e7e6f54214ada541d43a10424035f160b56131aab206c11512a9fd6ea614fbd3160aa0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Defender\launch.exe

Filesize
172KB

MD5
daac1781c9d22f5743ade0cb41feaebf

SHA1
e2549eeeea42a6892b89d354498fcaa8ffd9cac4

SHA256
6a7093440420306cf7de53421a67af8a1094771e0aab9535acbd748d08ed766c

SHA512
190a7d5291e20002f996edf1e04456bfdff8b7b2f4ef113178bd42a9e5fd89fe6d410ae2c505de0358c4f53f9654ac1caaa8634665afa6d9691640dd4ee86160

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe

Filesize
1.7MB

MD5
9dd1a2b69f01debb3c909e2c1e1f8ae0

SHA1
636204a6f6b54a77934e3d80ded532e3f5d10d60

SHA256
14d4686c06b3f7a58be8ba64dc721f73a19b762b23714ef0927a53b515a81ff9

SHA512
a5815713deb353ab9535ec7deb3440b1862f4643b9a55f3a7e8d423e94918ee9e61ec3db39f86e1286c425a2fb0deec0dc2af58c1f19de5e3681c9db4b543c8a

Download Submit
C:\Users\Admin\AppData\Roaming\Temp\Admin0.bat

Filesize
129B

MD5
d1073c9b34d1bbd570928734aacff6a5

SHA1
78714e24e88d50e0da8da9d303bec65b2ee6d903

SHA256
b3c704b1a728004fc5e25899d72930a7466d7628dd6ddd795b3000897dfa4020

SHA512
4f2b9330e30fcc55245dc5d12311e105b2b2b9d607fbfc4a203c69a740006f0af58d6a01e2da284575a897528da71a2e61a7321034755b78feb646c8dd12347f

Download Submit
C:\Users\Admin\AppData\Roaming\Temp\Admin0.bat

Filesize
102B

MD5
1d68f046cd6a9197038fb2445d2bea05

SHA1
d8dca54cfa0b2ad404bce32d5d94634bcfc9b2d7

SHA256
9cddd4b2ac719f01052deef3aa558fbfbcd21d5728215651345c3d2b9ba250d9

SHA512
2720d071fd02b2cf0d9f1de8dd19117fd128f213dd7f66fa8adb00d7873a5de58d2f2618100d28eec85db707d9e34d20258f9a1f76acf75fe668e66722e1cc4c

Download Submit
C:\Users\Admin\AppData\Roaming\Temp\Admin1.bat

Filesize
196B

MD5
a735de0b1aaceb6f3cde4ec79ac0e1ae

SHA1
2bde7d75f8f3662e6cb5299dc5ef1cc6782555d6

SHA256
26bfd3b697f50eacad679bbdd9068d4bafa6800a0fcc7518b88b5fbc343a3941

SHA512
5df4144f19f07a6ce9ba0812c5e92a10b45d8e423cf15c15650335a836ae3d9efd496d276309c13d0410dc8bde5e664a37e610f282d1371dcc249194ae9dafdd

Download Submit
C:\Users\Admin\AppData\Roaming\Temp\Admin2.bat

Filesize
126B

MD5
14c4c4a9f1c551db69c8cb67a9c6cee4

SHA1
baf26b22b7b6087042531ff015069ee39e0f475e

SHA256
7c2240a462561eba3e5f9cdbd31441630ffa4ec29f82493b7489ca02d1c2897a

SHA512
01f4e6362dc7ad197c3d2983fc9ea3659902d71770ecbde5ddda6459be3e34df5ea340b822869fa497cd5a1813927b49a89cf14d74d9bab2d13ee91503ffe551

Download Submit
C:\Windows\SysWOW64\mscaps.exe

Filesize
200KB

MD5
78d3c8705f8baf7d34e6a6737d1cfa18

SHA1
9f09e248a29311dbeefae9d85937b13da042a010

SHA256
2c4c9ec8e9291ba5c73f641af2e0c3e1bbd257ac40d9fb9d3faab7cebc978905

SHA512
9a3c3175276da58f1bc8d1138e63238c8d8ccfbfa1a8a1338e88525eca47f8d745158bb34396b7c3f25e4296be5f45a71781da33ad0bbdf7ad88a9c305b85609

Download Submit
C:\Windows\inf\Autoplay.inF

Filesize
234B

MD5
7ae2f1a7ce729d91acfef43516e5a84c

SHA1
ebbc99c7e5ac5679de2881813257576ec980fb44

SHA256
43b2fee4fbe5b4a83ae32589d11c3f45ad1988dd5357f790ec708fdfd6709a98

SHA512
915b67d31a7034659360355cb00f9620bf9c64cc06660ea55e5fcba0096f1ac782ac7550f778c4874f63082820c03fbbf4dd05169b0de61a661a202f10a4eff9

Download Submit
\Users\Admin\AppData\Local\Temp\@AE3208.tmp.exe

Filesize
1.7MB

MD5
7cd76ff367fb5f5f08c50dad034f65e6

SHA1
37096bdb613d7400f820ef36b58b861306504877

SHA256
e7a1c9fa2a8166e78f2f3bd732720f6e0c7c36289686e904f6fa52877fb7364f

SHA512
813d95e5f9ff94288de9e3444adee81ccd17e531d524730b3d72fc4f0f76d1f2836922285521d1d6f8e4b12d9b87c4532b8de512f2fd771e07341bd94fb919ce

Download Submit
\Users\Admin\AppData\Roaming\Temp\mydll.dll

Filesize
202KB

MD5
7ff15a4f092cd4a96055ba69f903e3e9

SHA1
a3d338a38c2b92f95129814973f59446668402a8

SHA256
1b594e6d057c632abb3a8cf838157369024bd6b9f515ca8e774b22fe71a11627

SHA512
4b015d011c14c7e10568c09bf81894681535efb7d76c3ef9071fffb3837f62b36e695187b2d32581a30f07e79971054e231a2ca4e8ad7f0f83d5876f8c086dae

Download Submit
memory/1352-543-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/1352-563-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/1352-554-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/1352-548-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/1352-530-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/1352-557-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/1352-540-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/1352-560-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/1352-534-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/1352-566-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/1352-569-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/1352-537-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/1352-551-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/1352-527-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/1856-400-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2104-526-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/2104-284-0x0000000004420000-0x00000000044AD000-memory.dmp

Filesize
564KB

Download
memory/2104-235-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/2104-244-0x0000000002560000-0x0000000002570000-memory.dmp

Filesize
64KB

Download
memory/2316-22-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/2316-193-0x00000000002B0000-0x00000000002C0000-memory.dmp

Filesize
64KB

Download
memory/2316-525-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/2316-232-0x0000000004030000-0x00000000040BD000-memory.dmp

Filesize
564KB

Download
memory/2516-552-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/2516-528-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/2516-549-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/2516-541-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/2516-535-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/2516-531-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/2516-538-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/2516-555-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/2516-558-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/2516-544-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/2516-570-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/2516-561-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/2516-567-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/2516-564-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/2832-20-0x0000000002A50000-0x0000000002ADD000-memory.dmp

Filesize
564KB

Download
memory/2832-18-0x0000000002A50000-0x0000000002ADD000-memory.dmp

Filesize
564KB

Download
memory/2836-353-0x0000000010000000-0x0000000010015000-memory.dmp

Filesize
84KB

Download
memory/2864-23-0x0000000010000000-0x0000000010015000-memory.dmp

Filesize
84KB

Download