Analysis
max time kernel: 150s
max time network: 124s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 30-05-2024 01:17

Static task: static1

Behavioral task: behavioral1
Sample: a5e04fde7fc118e447c2cfd1e93aac7245f881c43d34d48e0a5d39c663b5e2cc.exe
Resource: win7-20240508-en

Behavioral task: behavioral2
Sample: a5e04fde7fc118e447c2cfd1e93aac7245f881c43d34d48e0a5d39c663b5e2cc.exe
Resource: win10v2004-20240508-en

General
Target: a5e04fde7fc118e447c2cfd1e93aac7245f881c43d34d48e0a5d39c663b5e2cc.exe
Size: 2.2MB
MD5: 3dd16a69ae2efa70fbc2d6262cec8711
SHA1: 01e80986f14fa79285b60b702a4fdb3517f1bc9c
SHA256: a5e04fde7fc118e447c2cfd1e93aac7245f881c43d34d48e0a5d39c663b5e2cc
SHA512: f6f4008ba7f25de05853411c21c2cba18e9426a9d7add3de4dc17d603a626c74d8988ba30f9d31aa8d4dacbc9fb5ba1cb9ff28e6af2ac0eeb6201a522ac995e4
SSDEEP: 49152:Luu30mRbTChxKCnFnQXBbrtgb/iQvu0UHOYy:LH0mR6hxvWbrtUTrUHOYy
Malware Config
Signatures
-
UPX dump on OEP (original entry point) 31 IoCs
Adds policy Run key to start application 2 TTPs 4 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\G_Host = "\"C:\\Windows\\System\\gHost.exe\" /Reproduce" | KHATRA.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | a5e04fde7fc118e447c2cfd1e93aac7245f881c43d34d48e0a5d39c663b5e2cc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\G_Host = "\"C:\\Windows\\System\\gHost.exe\" /Reproduce" | a5e04fde7fc118e447c2cfd1e93aac7245f881c43d34d48e0a5d39c663b5e2cc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | KHATRA.exe
Disables RegEdit via registry modification 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | a5e04fde7fc118e447c2cfd1e93aac7245f881c43d34d48e0a5d39c663b5e2cc.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | KHATRA.exe
Modifies Windows Firewall 2 TTPs 2 IoCs
pid | Process
2372 | netsh.exe
1744 | netsh.exe
Executes dropped EXE 9 IoCs
pid | Process
2576 | @AE16BC.tmp.exe
2688 | a5e04fde7fc118e447c2cfd1e93aac7245f881c43d34d48e0a5d39c663b5e2cc.exe
1084 | KHATRA.exe
876 | WdExt.exe
1916 | Xplorer.exe
2620 | gHost.exe
2588 | launch.exe
2480 | wtmps.exe
2528 | mscaps.exe
Loads dropped DLL 16 IoCs
pid | Process
2652 | explorer.exe
2652 | explorer.exe
2652 | explorer.exe
2652 | explorer.exe
2576 | @AE16BC.tmp.exe
2688 | a5e04fde7fc118e447c2cfd1e93aac7245f881c43d34d48e0a5d39c663b5e2cc.exe
2688 | a5e04fde7fc118e447c2cfd1e93aac7245f881c43d34d48e0a5d39c663b5e2cc.exe
536 | cmd.exe
536 | cmd.exe
876 | WdExt.exe
2688 | a5e04fde7fc118e447c2cfd1e93aac7245f881c43d34d48e0a5d39c663b5e2cc.exe
2688 | a5e04fde7fc118e447c2cfd1e93aac7245f881c43d34d48e0a5d39c663b5e2cc.exe
2580 | cmd.exe
2580 | cmd.exe
1716 | cmd.exe
1716 | cmd.exe
Adds Run key to start application 2 TTPs 5 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "\"C:\\Windows\\Xplorer.exe\" /Windows" | a5e04fde7fc118e447c2cfd1e93aac7245f881c43d34d48e0a5d39c663b5e2cc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "\"C:\\Windows\\Xplorer.exe\" /Windows" | KHATRA.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Defender Extension = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Defender\\launch.exe\"" | launch.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\BCSSync = "C:\\Windows\\system32\\KHATRA.exe" | KHATRA.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "C:\\Windows\\Xplorer.exe" | KHATRA.exe
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\h: | gHost.exe
File opened (read-only) | \??\e: | gHost.exe
File opened (read-only) | \??\m: | gHost.exe
File opened (read-only) | \??\n: | gHost.exe
File opened (read-only) | \??\w: | gHost.exe
File opened (read-only) | \??\y: | gHost.exe
File opened (read-only) | \??\z: | gHost.exe
File opened (read-only) | \??\l: | gHost.exe
File opened (read-only) | \??\i: | gHost.exe
File opened (read-only) | \??\k: | gHost.exe
File opened (read-only) | \??\o: | gHost.exe
File opened (read-only) | \??\p: | gHost.exe
File opened (read-only) | \??\q: | gHost.exe
File opened (read-only) | \??\s: | gHost.exe
File opened (read-only) | \??\t: | gHost.exe
File opened (read-only) | \??\g: | gHost.exe
File opened (read-only) | \??\v: | gHost.exe
File opened (read-only) | \??\u: | gHost.exe
File opened (read-only) | \??\b: | gHost.exe
File opened (read-only) | \??\j: | gHost.exe
File opened (read-only) | \??\r: | gHost.exe
File opened (read-only) | \??\x: | gHost.exe
File opened (read-only) | \??\a: | gHost.exe
Modifies WinLogon 2 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman = "C:\\Windows\\system32\\KHATRA.exe" | a5e04fde7fc118e447c2cfd1e93aac7245f881c43d34d48e0a5d39c663b5e2cc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman = "C:\\Windows\\system32\\KHATRA.exe" | KHATRA.exe
AutoIT Executable 31 IoCs
AutoIT scripts compiled to PE executables.
Drops autorun.inf file 1 TTPs 2 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description | ioc | Process
File created | C:\Users\Admin\Local Settings\Application Data\Microsoft\CD Burning\AUTORUN.inF | KHATRA.exe
File created | C:\Users\Admin\Local Settings\Application Data\Microsoft\CD Burning\AUTORUN.inF | a5e04fde7fc118e447c2cfd1e93aac7245f881c43d34d48e0a5d39c663b5e2cc.exe
Drops file in System32 directory 19 IoCs
description | ioc | Process
File created | C:\Windows\system32\perfc009.dat | OUTLOOK.EXE
File created | C:\Windows\system32\perfc00C.dat | OUTLOOK.EXE
File created | C:\Windows\system32\perfh011.dat | OUTLOOK.EXE
File opened for modification | C:\Windows\SysWOW64\KHATRA.exe | KHATRA.exe
File created | C:\Windows\system32\perfc007.dat | OUTLOOK.EXE
File created | C:\Windows\system32\perfh00A.dat | OUTLOOK.EXE
File created | C:\Windows\system32\perfc010.dat | OUTLOOK.EXE
File created | C:\Windows\system32\perfh010.dat | OUTLOOK.EXE
File created | C:\Windows\SysWOW64\PerfStringBackup.TMP | OUTLOOK.EXE
File opened for modification | C:\Windows\SysWOW64\mscaps.exe | wtmps.exe
File created | C:\Windows\system32\perfh009.dat | OUTLOOK.EXE
File opened for modification | C:\Windows\SysWOW64\KHATRA.exe | a5e04fde7fc118e447c2cfd1e93aac7245f881c43d34d48e0a5d39c663b5e2cc.exe
File created | C:\Windows\SysWOW64\mscaps.exe | wtmps.exe
File opened for modification | C:\Windows\SysWOW64\PerfStringBackup.INI | OUTLOOK.EXE
File created | C:\Windows\system32\perfh007.dat | OUTLOOK.EXE
File created | C:\Windows\system32\perfc00A.dat | OUTLOOK.EXE
File created | C:\Windows\system32\perfh00C.dat | OUTLOOK.EXE
File created | C:\Windows\system32\perfc011.dat | OUTLOOK.EXE
File created | C:\Windows\SysWOW64\KHATRA.exe | a5e04fde7fc118e447c2cfd1e93aac7245f881c43d34d48e0a5d39c663b5e2cc.exe
Drops file in Windows directory 14 IoCs
description | ioc | Process
File opened for modification | C:\Windows\Xplorer.exe | KHATRA.exe
File opened for modification | C:\Windows\system\gHost.exe | KHATRA.exe
File opened for modification | C:\Windows\Xplorer.exe | a5e04fde7fc118e447c2cfd1e93aac7245f881c43d34d48e0a5d39c663b5e2cc.exe
File opened for modification | C:\Windows\system\gHost.exe | a5e04fde7fc118e447c2cfd1e93aac7245f881c43d34d48e0a5d39c663b5e2cc.exe
File opened for modification | C:\Windows\KHATARNAKH.exe | KHATRA.exe
File opened for modification | C:\Windows\inf\Autoplay.inF | KHATRA.exe
File opened for modification | C:\Windows\inf\Outlook\outlperf.h | OUTLOOK.EXE
File created | C:\Windows\System\gHost.exe | a5e04fde7fc118e447c2cfd1e93aac7245f881c43d34d48e0a5d39c663b5e2cc.exe
File opened for modification | C:\Windows\inf\Autoplay.inF | a5e04fde7fc118e447c2cfd1e93aac7245f881c43d34d48e0a5d39c663b5e2cc.exe
File created | C:\Windows\KHATARNAKH.exe | a5e04fde7fc118e447c2cfd1e93aac7245f881c43d34d48e0a5d39c663b5e2cc.exe
File opened for modification | C:\Windows\KHATARNAKH.exe | a5e04fde7fc118e447c2cfd1e93aac7245f881c43d34d48e0a5d39c663b5e2cc.exe
File created | C:\Windows\inf\Outlook\outlperf.h | OUTLOOK.EXE
File created | C:\Windows\inf\Outlook\0009\outlperf.ini | OUTLOOK.EXE
File created | C:\Windows\Xplorer.exe | a5e04fde7fc118e447c2cfd1e93aac7245f881c43d34d48e0a5d39c663b5e2cc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "Internet Exploiter" | a5e04fde7fc118e447c2cfd1e93aac7245f881c43d34d48e0a5d39c663b5e2cc.exe
Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Toolbar | OUTLOOK.EXE
Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | OUTLOOK.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "Internet Exploiter" | KHATRA.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | OUTLOOK.EXE
Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\MenuExt | OUTLOOK.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | OUTLOOK.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | OUTLOOK.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | OUTLOOK.EXE
Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main | KHATRA.exe
Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | OUTLOOK.EXE
Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main | a5e04fde7fc118e447c2cfd1e93aac7245f881c43d34d48e0a5d39c663b5e2cc.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | OUTLOOK.EXE
Modifies registry class 64 IoCs
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid | Process
2756 | OUTLOOK.EXE
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious behavior: GetForegroundWindowSpam 3 IoCs
pid | Process
1916 | Xplorer.exe
2620 | gHost.exe
2756 | OUTLOOK.EXE
Suspicious use of FindShellTrayWindow 5 IoCs
pid | Process
2688 | a5e04fde7fc118e447c2cfd1e93aac7245f881c43d34d48e0a5d39c663b5e2cc.exe
1084 | KHATRA.exe
2756 | OUTLOOK.EXE
2756 | OUTLOOK.EXE
2756 | OUTLOOK.EXE
Suspicious use of SendNotifyMessage 4 IoCs
pid | Process
2688 | a5e04fde7fc118e447c2cfd1e93aac7245f881c43d34d48e0a5d39c663b5e2cc.exe
1084 | KHATRA.exe
2756 | OUTLOOK.EXE
2756 | OUTLOOK.EXE
Suspicious use of SetWindowsHookEx 1 IoCs
pid | Process
2756 | OUTLOOK.EXE
Suspicious use of WriteProcessMemory 64 IoCs
description                          pid   Process                                                                   procid_target  entries
PID 2252 wrote to memory of 2652     2252  a5e04fde7fc118e447c2cfd1e93aac7245f881c43d34d48e0a5d39c663b5e2cc.exe  28             6
PID 2652 wrote to memory of 2576     2652  explorer.exe                                                              29             4
PID 2652 wrote to memory of 2688     2652  explorer.exe                                                              30             4
PID 2576 wrote to memory of 536      2576  @AE16BC.tmp.exe                                                           31             4
PID 2576 wrote to memory of 844      2576  @AE16BC.tmp.exe                                                           32             4
PID 2688 wrote to memory of 1084     2688  a5e04fde7fc118e447c2cfd1e93aac7245f881c43d34d48e0a5d39c663b5e2cc.exe  33             4
PID 536 wrote to memory of 876       536   cmd.exe                                                                   36             4
PID 1084 wrote to memory of 1916     1084  KHATRA.exe                                                                37             4
PID 876 wrote to memory of 2580      876   WdExt.exe                                                                 38             4
PID 2688 wrote to memory of 2620     2688  a5e04fde7fc118e447c2cfd1e93aac7245f881c43d34d48e0a5d39c663b5e2cc.exe  40             4
PID 2580 wrote to memory of 2588     2580  cmd.exe                                                                   41             7
PID 2588 wrote to memory of 1716     2588  launch.exe                                                                42             7
PID 1716 wrote to memory of 2480     1716  cmd.exe                                                                   44             7
PID 1084 wrote to memory of 2592     1084  KHATRA.exe                                                                45             1
Processes
(tree indented by spawn depth; each entry lists image path, command line, flagged behaviours and PID)

[1] C:\Users\Admin\AppData\Local\Temp\a5e04fde7fc118e447c2cfd1e93aac7245f881c43d34d48e0a5d39c663b5e2cc.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\a5e04fde7fc118e447c2cfd1e93aac7245f881c43d34d48e0a5d39c663b5e2cc.exe"
    - Suspicious use of WriteProcessMemory
    PID: 2252

  [2] C:\Windows\SysWOW64\explorer.exe
      cmdline: explorer.exe
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      PID: 2652

    [3] C:\Users\Admin\AppData\Local\Temp\@AE16BC.tmp.exe
        cmdline: "C:\Users\Admin\AppData\Local\Temp\@AE16BC.tmp.exe"
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        PID: 2576

      [4] C:\Windows\SysWOW64\cmd.exe
          cmdline: cmd /c ""C:\Users\Admin\AppData\Roaming\Temp\Admin0.bat" "
          - Loads dropped DLL
          - Suspicious use of WriteProcessMemory
          PID: 536

        [5] C:\Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe
            cmdline: "C:\Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe"
            - Executes dropped EXE
            - Loads dropped DLL
            - Suspicious use of WriteProcessMemory
            PID: 876

          [6] C:\Windows\SysWOW64\cmd.exe
              cmdline: cmd /c ""C:\Users\Admin\AppData\Roaming\Temp\Admin1.bat" "
              - Loads dropped DLL
              - Suspicious use of WriteProcessMemory
              PID: 2580

            [7] C:\Users\Admin\AppData\Roaming\Microsoft\Defender\launch.exe
                cmdline: "C:\Users\Admin\AppData\Roaming\Microsoft\Defender\launch.exe" /i 876
                - Executes dropped EXE
                - Adds Run key to start application
                - Suspicious use of WriteProcessMemory
                PID: 2588

              [8] C:\Windows\SysWOW64\cmd.exe
                  cmdline: cmd /c ""C:\Users\Admin\AppData\Roaming\Temp\Admin2.bat" "
                  - Loads dropped DLL
                  - Suspicious use of WriteProcessMemory
                  PID: 1716

                [9] C:\Users\Admin\AppData\Local\Temp\wtmps.exe
                    cmdline: "C:\Users\Admin\AppData\Local\Temp\wtmps.exe"
                    - Executes dropped EXE
                    - Drops file in System32 directory
                    PID: 2480

                  [10] C:\Windows\SysWOW64\mscaps.exe
                       cmdline: "C:\Windows\system32\mscaps.exe" /C:\Users\Admin\AppData\Local\Temp\wtmps.exe
                       - Executes dropped EXE
                       PID: 2528

      [4] C:\Windows\SysWOW64\cmd.exe
          cmdline: cmd /c ""C:\Users\Admin\AppData\Roaming\Temp\Admin1.bat" "
          PID: 844

    [3] C:\Users\Admin\AppData\Local\Temp\a5e04fde7fc118e447c2cfd1e93aac7245f881c43d34d48e0a5d39c663b5e2cc.exe
        cmdline: "C:\Users\Admin\AppData\Local\Temp\a5e04fde7fc118e447c2cfd1e93aac7245f881c43d34d48e0a5d39c663b5e2cc.exe"
        - Adds policy Run key to start application
        - Disables RegEdit via registry modification
        - Executes dropped EXE
        - Loads dropped DLL
        - Adds Run key to start application
        - Modifies WinLogon
        - Drops autorun.inf file
        - Drops file in System32 directory
        - Drops file in Windows directory
        - Modifies Internet Explorer settings
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of WriteProcessMemory
        PID: 2688

      [4] C:\Windows\SysWOW64\KHATRA.exe
          cmdline: C:\Windows\system32\KHATRA.exe
          - Adds policy Run key to start application
          - Disables RegEdit via registry modification
          - Executes dropped EXE
          - Adds Run key to start application
          - Modifies WinLogon
          - Drops autorun.inf file
          - Drops file in System32 directory
          - Drops file in Windows directory
          - Modifies Internet Explorer settings
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SendNotifyMessage
          - Suspicious use of WriteProcessMemory
          PID: 1084

        [5] C:\Windows\Xplorer.exe
            cmdline: "C:\Windows\Xplorer.exe" /Windows
            - Executes dropped EXE
            - Suspicious behavior: GetForegroundWindowSpam
            PID: 1916

        [5] C:\Windows\SysWOW64\cmd.exe
            cmdline: C:\Windows\system32\cmd.exe /C AT /delete /yes
            PID: 2592

          [6] C:\Windows\SysWOW64\at.exe
              cmdline: AT /delete /yes
              PID: 2932

        [5] C:\Windows\SysWOW64\cmd.exe
            cmdline: C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
            PID: 2484

          [6] C:\Windows\SysWOW64\at.exe
              cmdline: AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
              PID: 1740

        [5] C:\Windows\SysWOW64\cmd.exe
            cmdline: C:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll
            PID: 1648

          [6] C:\Windows\SysWOW64\regsvr32.exe
              cmdline: RegSvr32 /S C:\Windows\system32\avphost.dll
              PID: 1516

        [5] C:\Windows\SysWOW64\cmd.exe
            cmdline: C:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
            PID: 1436

          [6] C:\Windows\SysWOW64\netsh.exe
              cmdline: netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
              - Modifies Windows Firewall
              PID: 2372

      [4] C:\Windows\System\gHost.exe
          cmdline: "C:\Windows\System\gHost.exe" /Reproduce
          - Executes dropped EXE
          - Enumerates connected drives
          - Suspicious behavior: GetForegroundWindowSpam
          PID: 2620

      [4] C:\Windows\SysWOW64\cmd.exe
          cmdline: C:\Windows\system32\cmd.exe /C AT /delete /yes
          PID: 1144

        [5] C:\Windows\SysWOW64\at.exe
            cmdline: AT /delete /yes
            PID: 1244

      [4] C:\Windows\SysWOW64\cmd.exe
          cmdline: C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
          PID: 1032

        [5] C:\Windows\SysWOW64\at.exe
            cmdline: AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
            PID: 1480

      [4] C:\Windows\SysWOW64\cmd.exe
          cmdline: C:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll
          PID: 1676

        [5] C:\Windows\SysWOW64\regsvr32.exe
            cmdline: RegSvr32 /S C:\Windows\system32\avphost.dll
            PID: 1592

      [4] C:\Windows\SysWOW64\cmd.exe
          cmdline: C:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
          PID: 2368

        [5] C:\Windows\SysWOW64\netsh.exe
            cmdline: netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
            - Modifies Windows Firewall
            PID: 1744

[1] C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE
    cmdline: "C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE" -Embedding
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Modifies Internet Explorer settings
    - Modifies registry class
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID: 2756
Network
MITRE ATT&CK Enterprise v15
(count of matching signatures in parentheses)

Persistence
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
  Create or Modify System Process (1)
    Windows Service (1)

Privilege Escalation
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
  Create or Modify System Process (1)
    Windows Service (1)

Defense Evasion
  Impair Defenses (1)
    Disable or Modify System Firewall (1)
  Modify Registry (4)
Downloads

Filesize: 1KB
MD5: 630374ddc3c2234298e6e20491cdbad1
SHA1: e7139a9591afa87978853c414345092690e9e6c8
SHA256: 415b3302ce6fc0a76d362b54680d4dd738c3038b30d5783a651dba9a964b5ad4
SHA512: 3130357f45ef113ff3426babddc25ac0faebabbff711167c26757c20a8627fbd823f1e50a87619c897a378dddfe4750a8a93876676f7bc6329dec71f12933bfb

Filesize: 240KB
MD5: 84299c2e19c2b31c9bb377d032e72d2e
SHA1: c09b1da66a6ad98e9101111ca21540dc4228277a
SHA256: d59413b24c7c08bf4546b771a6ec36f4116033ab65339e46db08e281c9751b2b
SHA512: e847e55488f30af4729dac365f145b8b5ed925ca0e5e258d81ed1c5873df20a04da3ac007bb0f46d40e3e23546eb147c2d1694308e92ac25fb7e9051b0e3238b

Filesize: 1KB
MD5: 48dd6cae43ce26b992c35799fcd76898
SHA1: 8e600544df0250da7d634599ce6ee50da11c0355
SHA256: 7bfe1f3691e2b4fb4d61fbf5e9f7782fbe49da1342dbd32201c2cc8e540dbd1a
SHA512: c1b9322c900f5be0ad166ddcfec9146918fb2589a17607d61490fd816602123f3af310a3e6d98a37d16000d4acbbcd599236f03c3c7f9376aeba7a489b329f31

Filesize: 406B
MD5: 37512bcc96b2c0c0cf0ad1ed8cfae5cd
SHA1: edf7f17ce28e1c4c82207cab8ca77f2056ea545c
SHA256: 27e678bf5dc82219d6edd744f0b82567a26e40f8a9dcd6487205e13058e3ed1f
SHA512: 6d4252ab5aa441a76ce2127224fefcb221259ab4d39f06437b269bd6bfdaae009c8f34e9603ec734159553bc9f1359bdd70316cd426d73b171a9f17c41077641

Filesize: 120KB
MD5: f558c76b0376af9273717fa24d99ebbf
SHA1: f84bcece5c6138b62ef94e9d668cf26178ee14cc
SHA256: 01631353726dc51bcea311dbc012572cf96775e516b1c79a2de572ef15954b7a
SHA512: 2092d1e126d0420fec5fc0311d6b99762506563f4890e4049e48e2d87dde5ac3e2e2ecc986ab305de2c6ceb619f18879a69a815d3241ccf8140bc5ea00c6768d

Filesize: 172KB
MD5: daac1781c9d22f5743ade0cb41feaebf
SHA1: e2549eeeea42a6892b89d354498fcaa8ffd9cac4
SHA256: 6a7093440420306cf7de53421a67af8a1094771e0aab9535acbd748d08ed766c
SHA512: 190a7d5291e20002f996edf1e04456bfdff8b7b2f4ef113178bd42a9e5fd89fe6d410ae2c505de0358c4f53f9654ac1caaa8634665afa6d9691640dd4ee86160

Filesize: 129B
MD5: d1073c9b34d1bbd570928734aacff6a5
SHA1: 78714e24e88d50e0da8da9d303bec65b2ee6d903
SHA256: b3c704b1a728004fc5e25899d72930a7466d7628dd6ddd795b3000897dfa4020
SHA512: 4f2b9330e30fcc55245dc5d12311e105b2b2b9d607fbfc4a203c69a740006f0af58d6a01e2da284575a897528da71a2e61a7321034755b78feb646c8dd12347f

Filesize: 196B
MD5: 761137d07c5276e224003addfc498635
SHA1: e69d3f147328fd8744b8802e6e240216f3b1a515
SHA256: 9945de4c16d5510203a557f3686955a6c58137d9d9656c84fbfd8e3ad5584f3f
SHA512: bc8ed875786f8f9585ad434488deb7e280fc86c38d4b9cbc960e6897c3878e80a8c2b261f885e4ab86ff96859d98e1ffcab68f850d91f606b09f931376efdbfe

Filesize: 125B
MD5: 19e2ee044b5f0ef952d2f864860ecb39
SHA1: a71194f8de6dce946fa62d2ff3cdf8d473d19ce0
SHA256: e14d87d489dbb49efbaa7af4b4183663d0399fc4a6e754ddf27215d697cb9ed2
SHA512: 56f26852c929c025dc00f1c80a14c6dc4cb07ceb90bfdaf06a76dbd74cdf7e81f6decbc92be2b0bd5f0ca3468133e980ff922ce592b73356828dafc7467537df

Filesize: 102B
MD5: 3ca08f080a7a28416774d80552d4aa08
SHA1: 0b5f0ba641204b27adac4140fd45dce4390dbf24
SHA256: 4e7d460b8dc9f2c01b4c5a16fb956aced10127bc940e8039a80c6455901ea1f0
SHA512: 0c64aa462ff70473ef763ec392296fe0ea59b5340c26978531a416732bc3845adf9ca7b673cb7b4ba40cc45674351206096995c43600fccbbbe64e51b6019f01

Filesize: 200KB
MD5: 78d3c8705f8baf7d34e6a6737d1cfa18
SHA1: 9f09e248a29311dbeefae9d85937b13da042a010
SHA256: 2c4c9ec8e9291ba5c73f641af2e0c3e1bbd257ac40d9fb9d3faab7cebc978905
SHA512: 9a3c3175276da58f1bc8d1138e63238c8d8ccfbfa1a8a1338e88525eca47f8d745158bb34396b7c3f25e4296be5f45a71781da33ad0bbdf7ad88a9c305b85609

Filesize: 234B
MD5: 7ae2f1a7ce729d91acfef43516e5a84c
SHA1: ebbc99c7e5ac5679de2881813257576ec980fb44
SHA256: 43b2fee4fbe5b4a83ae32589d11c3f45ad1988dd5357f790ec708fdfd6709a98
SHA512: 915b67d31a7034659360355cb00f9620bf9c64cc06660ea55e5fcba0096f1ac782ac7550f778c4874f63082820c03fbbf4dd05169b0de61a661a202f10a4eff9

Filesize: 1.7MB
MD5: 0333d72729b8430e448fed1d7337627c
SHA1: 513ed07954962870f75de65765494b346cdc2906
SHA256: 9727bb7c238ccd96f6a88dacf7a291fec2214bef1eb5694a8f311aae6a02b07b
SHA512: 696cf6cf7395a5898208bba3bdad499fdb897e5448f00f2dfd10b213b71fab52b955367392f5970464ec74d6d4b602b112197b23245c559f5585272f47653061

\Users\Admin\AppData\Local\Temp\a5e04fde7fc118e447c2cfd1e93aac7245f881c43d34d48e0a5d39c663b5e2cc.exe
Filesize: 475KB
MD5: f76e712e7d4a7105beae26912839a54e
SHA1: 4fdb2bdf9e0c71efc34a297b3f1eb9bdee227a69
SHA256: c25155bf317cd421d795762bb5c3d7737c8fdc3e4acf0a3e178117df15d47997
SHA512: 7a428894a6162d47c9703ebb922436155c1795a547a69d2a23c4d5749393b2e28a3f1afcc96c21bb00ad20d6e570692a1a4525d9741e8e294d2c20a3cc8f129f

Filesize: 276KB
MD5: 75c1467042b38332d1ea0298f29fb592
SHA1: f92ea770c2ddb04cf0d20914578e4c482328f0f8
SHA256: 3b20c853d4ca23240cd338b8cab16f1027c540ddfe9c4ffdca1624d2f923b373
SHA512: 5c47c59ad222e2597ccdf2c100853c48f022e933f44c279154346eacf9e7e6f54214ada541d43a10424035f160b56131aab206c11512a9fd6ea614fbd3160aa0

Filesize: 1.7MB
MD5: 227933e32c0c7767d9d98699e472986e
SHA1: 88465bd35f130c2957b30e70287dfe8ee822526c
SHA256: 7f2945f692b9843ee961d2d66dc302ed18e0c88ee373e6f924d7de2c2130b0b0
SHA512: 5fcdde81b310024e635c077ad6074e7361624a9912b81ff3e37b749dde4b8cdb6bbf74a5a5a1c43459f90d7c2e238b8cc07bf344cee27a2c325f0d69810b11d4

Filesize: 202KB
MD5: 7ff15a4f092cd4a96055ba69f903e3e9
SHA1: a3d338a38c2b92f95129814973f59446668402a8
SHA256: 1b594e6d057c632abb3a8cf838157369024bd6b9f515ca8e774b22fe71a11627
SHA512: 4b015d011c14c7e10568c09bf81894681535efb7d76c3ef9071fffb3837f62b36e695187b2d32581a30f07e79971054e231a2ca4e8ad7f0f83d5876f8c086dae