a5e04fde7fc118e447c2cfd1e93aac7245f881c43d34d48e0a5d39c663b5e2cc

Analysis

max time kernel
150s
max time network
111s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
30-05-2024 01:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a5e04fde7fc118e447c2cfd1e93aac7245f881c43d34d48e0a5d39c663b5e2cc.exe
Size

2.2MB
MD5

3dd16a69ae2efa70fbc2d6262cec8711
SHA1

01e80986f14fa79285b60b702a4fdb3517f1bc9c
SHA256

a5e04fde7fc118e447c2cfd1e93aac7245f881c43d34d48e0a5d39c663b5e2cc
SHA512

f6f4008ba7f25de05853411c21c2cba18e9426a9d7add3de4dc17d603a626c74d8988ba30f9d31aa8d4dacbc9fb5ba1cb9ff28e6af2ac0eeb6201a522ac995e4
SSDEEP

49152:Luu30mRbTChxKCnFnQXBbrtgb/iQvu0UHOYy:LH0mR6hxvWbrtUTrUHOYy

Score

9^/10

evasion persistence

Malware Config

Signatures

UPX dump on OEP (original entry point) 59 IoCs

resource	yara_rule
behavioral2/memory/1688-176-0x0000000000400000-0x000000000048D000-memory.dmp	UPX
behavioral2/memory/4452-315-0x0000000000400000-0x000000000048D000-memory.dmp	UPX
behavioral2/memory/4120-348-0x0000000000400000-0x000000000048D000-memory.dmp	UPX
behavioral2/memory/4992-353-0x0000000000400000-0x000000000048D000-memory.dmp	UPX
behavioral2/memory/1688-397-0x0000000000400000-0x000000000048D000-memory.dmp	UPX
behavioral2/memory/4452-412-0x0000000000400000-0x000000000048D000-memory.dmp	UPX
behavioral2/memory/4120-431-0x0000000000400000-0x000000000048D000-memory.dmp	UPX
behavioral2/memory/4992-432-0x0000000000400000-0x000000000048D000-memory.dmp	UPX
behavioral2/memory/3408-444-0x0000000000400000-0x000000000048D000-memory.dmp	UPX
behavioral2/memory/4544-446-0x0000000000400000-0x000000000048D000-memory.dmp	UPX
behavioral2/memory/4544-475-0x0000000000400000-0x000000000048D000-memory.dmp	UPX
behavioral2/memory/4992-496-0x0000000000400000-0x000000000048D000-memory.dmp	UPX
behavioral2/memory/4120-495-0x0000000000400000-0x000000000048D000-memory.dmp	UPX
behavioral2/memory/4960-508-0x0000000000400000-0x000000000048D000-memory.dmp	UPX
behavioral2/memory/3464-510-0x0000000000400000-0x000000000048D000-memory.dmp	UPX
behavioral2/memory/3464-538-0x0000000000400000-0x000000000048D000-memory.dmp	UPX
behavioral2/memory/4120-540-0x0000000000400000-0x000000000048D000-memory.dmp	UPX
behavioral2/memory/4992-541-0x0000000000400000-0x000000000048D000-memory.dmp	UPX
behavioral2/memory/1848-570-0x0000000000400000-0x000000000048D000-memory.dmp	UPX
behavioral2/memory/4120-585-0x0000000000400000-0x000000000048D000-memory.dmp	UPX
behavioral2/memory/4992-586-0x0000000000400000-0x000000000048D000-memory.dmp	UPX
behavioral2/memory/1908-598-0x0000000000400000-0x000000000048D000-memory.dmp	UPX
behavioral2/memory/2420-622-0x0000000000400000-0x000000000048D000-memory.dmp	UPX
behavioral2/memory/4120-635-0x0000000000400000-0x000000000048D000-memory.dmp	UPX
behavioral2/memory/4992-636-0x0000000000400000-0x000000000048D000-memory.dmp	UPX
behavioral2/memory/4912-648-0x0000000000400000-0x000000000048D000-memory.dmp	UPX
behavioral2/memory/4672-672-0x0000000000400000-0x000000000048D000-memory.dmp	UPX
behavioral2/memory/4120-685-0x0000000000400000-0x000000000048D000-memory.dmp	UPX
behavioral2/memory/4992-686-0x0000000000400000-0x000000000048D000-memory.dmp	UPX
behavioral2/memory/1088-698-0x0000000000400000-0x000000000048D000-memory.dmp	UPX
behavioral2/memory/4120-711-0x0000000000400000-0x000000000048D000-memory.dmp	UPX
behavioral2/memory/4992-712-0x0000000000400000-0x000000000048D000-memory.dmp	UPX
behavioral2/memory/2672-724-0x0000000000400000-0x000000000048D000-memory.dmp	UPX
behavioral2/memory/3944-748-0x0000000000400000-0x000000000048D000-memory.dmp	UPX
behavioral2/memory/4120-761-0x0000000000400000-0x000000000048D000-memory.dmp	UPX
behavioral2/memory/4992-762-0x0000000000400000-0x000000000048D000-memory.dmp	UPX
behavioral2/memory/3240-774-0x0000000000400000-0x000000000048D000-memory.dmp	UPX
behavioral2/memory/408-798-0x0000000000400000-0x000000000048D000-memory.dmp	UPX
behavioral2/memory/4120-811-0x0000000000400000-0x000000000048D000-memory.dmp	UPX
behavioral2/memory/4992-812-0x0000000000400000-0x000000000048D000-memory.dmp	UPX
behavioral2/memory/3860-824-0x0000000000400000-0x000000000048D000-memory.dmp	UPX
behavioral2/memory/4092-848-0x0000000000400000-0x000000000048D000-memory.dmp	UPX
behavioral2/memory/4992-850-0x0000000000400000-0x000000000048D000-memory.dmp	UPX
behavioral2/memory/4120-849-0x0000000000400000-0x000000000048D000-memory.dmp	UPX
behavioral2/memory/4520-874-0x0000000000400000-0x000000000048D000-memory.dmp	UPX
behavioral2/memory/4120-887-0x0000000000400000-0x000000000048D000-memory.dmp	UPX
behavioral2/memory/4992-888-0x0000000000400000-0x000000000048D000-memory.dmp	UPX
behavioral2/memory/224-900-0x0000000000400000-0x000000000048D000-memory.dmp	UPX
behavioral2/memory/3128-924-0x0000000000400000-0x000000000048D000-memory.dmp	UPX
behavioral2/memory/4992-938-0x0000000000400000-0x000000000048D000-memory.dmp	UPX
behavioral2/memory/4120-937-0x0000000000400000-0x000000000048D000-memory.dmp	UPX
behavioral2/memory/2044-950-0x0000000000400000-0x000000000048D000-memory.dmp	UPX
behavioral2/memory/2168-974-0x0000000000400000-0x000000000048D000-memory.dmp	UPX
behavioral2/memory/4120-987-0x0000000000400000-0x000000000048D000-memory.dmp	UPX
behavioral2/memory/4992-988-0x0000000000400000-0x000000000048D000-memory.dmp	UPX
behavioral2/memory/1640-1000-0x0000000000400000-0x000000000048D000-memory.dmp	UPX
behavioral2/memory/4120-1013-0x0000000000400000-0x000000000048D000-memory.dmp	UPX
behavioral2/memory/4992-1014-0x0000000000400000-0x000000000048D000-memory.dmp	UPX
behavioral2/memory/1484-1026-0x0000000000400000-0x000000000048D000-memory.dmp	UPX

Adds policy Run key to start application 2 TTPs 52 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\G_Host = "\"C:\\Windows\\System\\gHost.exe\" /Reproduce"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\G_Host = "\"C:\\Windows\\System\\gHost.exe\" /Reproduce"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\G_Host = "\"C:\\Windows\\System\\gHost.exe\" /Reproduce"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\G_Host = "\"C:\\Windows\\System\\gHost.exe\" /Reproduce"	KHATRA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\G_Host = "\"C:\\Windows\\System\\gHost.exe\" /Reproduce"	KHATRA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	KHATRA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	KHATRA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	KHATRA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	KHATRA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\G_Host = "\"C:\\Windows\\System\\gHost.exe\" /Reproduce"	a5e04fde7fc118e447c2cfd1e93aac7245f881c43d34d48e0a5d39c663b5e2cc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\G_Host = "\"C:\\Windows\\System\\gHost.exe\" /Reproduce"	KHATRA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	KHATRA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\G_Host = "\"C:\\Windows\\System\\gHost.exe\" /Reproduce"	KHATRA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\G_Host = "\"C:\\Windows\\System\\gHost.exe\" /Reproduce"	KHATRA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\G_Host = "\"C:\\Windows\\System\\gHost.exe\" /Reproduce"	KHATRA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	a5e04fde7fc118e447c2cfd1e93aac7245f881c43d34d48e0a5d39c663b5e2cc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\G_Host = "\"C:\\Windows\\System\\gHost.exe\" /Reproduce"	KHATRA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	KHATRA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\G_Host = "\"C:\\Windows\\System\\gHost.exe\" /Reproduce"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\G_Host = "\"C:\\Windows\\System\\gHost.exe\" /Reproduce"	KHATRA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\G_Host = "\"C:\\Windows\\System\\gHost.exe\" /Reproduce"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\G_Host = "\"C:\\Windows\\System\\gHost.exe\" /Reproduce"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\G_Host = "\"C:\\Windows\\System\\gHost.exe\" /Reproduce"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\G_Host = "\"C:\\Windows\\System\\gHost.exe\" /Reproduce"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\G_Host = "\"C:\\Windows\\System\\gHost.exe\" /Reproduce"	KHATRA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\G_Host = "\"C:\\Windows\\System\\gHost.exe\" /Reproduce"	KHATRA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	KHATRA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	KHATRA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\G_Host = "\"C:\\Windows\\System\\gHost.exe\" /Reproduce"	KHATRA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\G_Host = "\"C:\\Windows\\System\\gHost.exe\" /Reproduce"	KHATRA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\G_Host = "\"C:\\Windows\\System\\gHost.exe\" /Reproduce"	KHATRA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\G_Host = "\"C:\\Windows\\System\\gHost.exe\" /Reproduce"	KHATRA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	KHATRA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\G_Host = "\"C:\\Windows\\System\\gHost.exe\" /Reproduce"	KHATRA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\G_Host = "\"C:\\Windows\\System\\gHost.exe\" /Reproduce"	KHATRA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\G_Host = "\"C:\\Windows\\System\\gHost.exe\" /Reproduce"	KHATRA.exe

Disables RegEdit via registry modification 26 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	KHATRA.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	KHATRA.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	KHATRA.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	a5e04fde7fc118e447c2cfd1e93aac7245f881c43d34d48e0a5d39c663b5e2cc.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	KHATRA.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	KHATRA.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	KHATRA.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	KHATRA.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	KHATRA.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	KHATRA.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	KHATRA.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	KHATRA.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	KHATRA.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	KHATRA.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	KHATRA.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	KHATRA.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	KHATRA.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	KHATRA.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	KHATRA.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	KHATRA.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	KHATRA.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	KHATRA.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	KHATRA.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	KHATRA.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	KHATRA.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	KHATRA.exe

Modifies Windows Firewall 2 TTPs 26 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
3576	netsh.exe
3012	netsh.exe
2840	netsh.exe
1000	netsh.exe
1188	netsh.exe
4152	netsh.exe
4616	netsh.exe
4884	netsh.exe
1304	netsh.exe
1836	netsh.exe
4824	netsh.exe
1084	netsh.exe
1188	netsh.exe
444	netsh.exe
3408	netsh.exe
1564	netsh.exe
3172	netsh.exe
4344	netsh.exe
4276	netsh.exe
3608	netsh.exe
4884	netsh.exe
4468	netsh.exe
3744	netsh.exe
4384	netsh.exe
2004	netsh.exe
900	netsh.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	WdExt.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	launch.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	@AE6513.tmp.exe

Executes dropped EXE 33 IoCs

pid	Process
1788	@AE6513.tmp.exe
1688	a5e04fde7fc118e447c2cfd1e93aac7245f881c43d34d48e0a5d39c663b5e2cc.exe
1608	WdExt.exe
4452	KHATRA.exe
3740	launch.exe
4280	wtmps.exe
4120	Xplorer.exe
4636	mscaps.exe
4992	gHost.exe
3408	KHATRA.exe
4544	KHATRA.exe
4960	KHATRA.exe
3464	KHATRA.exe
1848	KHATRA.exe
1908	KHATRA.exe
2420	KHATRA.exe
4912	KHATRA.exe
4672	KHATRA.exe
1088	KHATRA.exe
2672	KHATRA.exe
3944	KHATRA.exe
3240	KHATRA.exe
408	KHATRA.exe
3860	KHATRA.exe
4092	KHATRA.exe
4520	KHATRA.exe
224	KHATRA.exe
3128	KHATRA.exe
2044	KHATRA.exe
2168	KHATRA.exe
1640	KHATRA.exe
1484	KHATRA.exe
2644	KHATRA.exe

Loads dropped DLL 2 IoCs

pid	Process
1788	@AE6513.tmp.exe
1608	WdExt.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SunJavaUpdateSched = "C:\\Windows\\Xplorer.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SunJavaUpdateSched = "C:\\Windows\\Xplorer.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "\"C:\\Windows\\Xplorer.exe\" /Windows"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SunJavaUpdateSched = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "\"C:\\Windows\\Xplorer.exe\" /Windows"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SunJavaUpdateSched = "C:\\Windows\\Xplorer.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "\"C:\\Windows\\Xplorer.exe\" /Windows"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "\"C:\\Windows\\Xplorer.exe\" /Windows"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SunJavaUpdateSched = "C:\\Windows\\Xplorer.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "\"C:\\Windows\\Xplorer.exe\" /Windows"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "C:\\Windows\\Xplorer.exe"	a5e04fde7fc118e447c2cfd1e93aac7245f881c43d34d48e0a5d39c663b5e2cc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SunJavaUpdateSched = "C:\\Windows\\Xplorer.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "\"C:\\Windows\\Xplorer.exe\" /Windows"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "\"C:\\Windows\\Xplorer.exe\" /Windows"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "\"C:\\Windows\\Xplorer.exe\" /Windows"	KHATRA.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Defender Extension = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Defender\\launch.exe\""	launch.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SunJavaUpdateSched = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "C:\\Windows\\Xplorer.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SunJavaUpdateSched = "C:\\Windows\\Xplorer.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SunJavaUpdateSched = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "\"C:\\Windows\\Xplorer.exe\" /Windows"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SunJavaUpdateSched = "C:\\Windows\\Xplorer.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "\"C:\\Windows\\Xplorer.exe\" /Windows"	a5e04fde7fc118e447c2cfd1e93aac7245f881c43d34d48e0a5d39c663b5e2cc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "\"C:\\Windows\\Xplorer.exe\" /Windows"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SunJavaUpdateSched = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SunJavaUpdateSched = "C:\\Windows\\Xplorer.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SunJavaUpdateSched = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "\"C:\\Windows\\Xplorer.exe\" /Windows"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SunJavaUpdateSched = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SunJavaUpdateSched = "C:\\Windows\\system32\\KHATRA.exe"	a5e04fde7fc118e447c2cfd1e93aac7245f881c43d34d48e0a5d39c663b5e2cc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "\"C:\\Windows\\Xplorer.exe\" /Windows"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SunJavaUpdateSched = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SunJavaUpdateSched = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SunJavaUpdateSched = "C:\\Windows\\Xplorer.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "\"C:\\Windows\\Xplorer.exe\" /Windows"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "\"C:\\Windows\\Xplorer.exe\" /Windows"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SunJavaUpdateSched = "C:\\Windows\\Xplorer.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "\"C:\\Windows\\Xplorer.exe\" /Windows"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SunJavaUpdateSched = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SunJavaUpdateSched = "C:\\Windows\\Xplorer.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "\"C:\\Windows\\Xplorer.exe\" /Windows"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "C:\\Windows\\Xplorer.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SunJavaUpdateSched = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SunJavaUpdateSched = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SunJavaUpdateSched = "C:\\Windows\\Xplorer.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SunJavaUpdateSched = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SunJavaUpdateSched = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "\"C:\\Windows\\Xplorer.exe\" /Windows"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "\"C:\\Windows\\Xplorer.exe\" /Windows"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "\"C:\\Windows\\Xplorer.exe\" /Windows"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "\"C:\\Windows\\Xplorer.exe\" /Windows"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SunJavaUpdateSched = "C:\\Windows\\Xplorer.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "\"C:\\Windows\\Xplorer.exe\" /Windows"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "\"C:\\Windows\\Xplorer.exe\" /Windows"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SunJavaUpdateSched = "C:\\Windows\\Xplorer.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "C:\\Windows\\Xplorer.exe"	KHATRA.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\e:	gHost.exe
File opened (read-only)	\??\o:	gHost.exe
File opened (read-only)	\??\p:	gHost.exe
File opened (read-only)	\??\v:	gHost.exe
File opened (read-only)	\??\y:	gHost.exe
File opened (read-only)	\??\s:	gHost.exe
File opened (read-only)	\??\w:	gHost.exe
File opened (read-only)	\??\b:	gHost.exe
File opened (read-only)	\??\g:	gHost.exe
File opened (read-only)	\??\j:	gHost.exe
File opened (read-only)	\??\k:	gHost.exe
File opened (read-only)	\??\l:	gHost.exe
File opened (read-only)	\??\n:	gHost.exe
File opened (read-only)	\??\z:	gHost.exe
File opened (read-only)	\??\a:	gHost.exe
File opened (read-only)	\??\h:	gHost.exe
File opened (read-only)	\??\m:	gHost.exe
File opened (read-only)	\??\q:	gHost.exe
File opened (read-only)	\??\r:	gHost.exe
File opened (read-only)	\??\x:	gHost.exe
File opened (read-only)	\??\i:	gHost.exe
File opened (read-only)	\??\t:	gHost.exe
File opened (read-only)	\??\u:	gHost.exe

Modifies WinLogon 2 TTPs 26 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman = "C:\\Windows\\system32\\KHATRA.exe"	a5e04fde7fc118e447c2cfd1e93aac7245f881c43d34d48e0a5d39c663b5e2cc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe

AutoIT Executable 55 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/memory/1688-176-0x0000000000400000-0x000000000048D000-memory.dmp	autoit_exe
behavioral2/memory/4120-348-0x0000000000400000-0x000000000048D000-memory.dmp	autoit_exe
behavioral2/memory/1688-397-0x0000000000400000-0x000000000048D000-memory.dmp	autoit_exe
behavioral2/memory/4452-412-0x0000000000400000-0x000000000048D000-memory.dmp	autoit_exe
behavioral2/memory/4120-431-0x0000000000400000-0x000000000048D000-memory.dmp	autoit_exe
behavioral2/memory/4992-432-0x0000000000400000-0x000000000048D000-memory.dmp	autoit_exe
behavioral2/memory/3408-444-0x0000000000400000-0x000000000048D000-memory.dmp	autoit_exe
behavioral2/memory/4544-475-0x0000000000400000-0x000000000048D000-memory.dmp	autoit_exe
behavioral2/memory/4992-496-0x0000000000400000-0x000000000048D000-memory.dmp	autoit_exe
behavioral2/memory/4120-495-0x0000000000400000-0x000000000048D000-memory.dmp	autoit_exe
behavioral2/memory/4960-508-0x0000000000400000-0x000000000048D000-memory.dmp	autoit_exe
behavioral2/memory/3464-538-0x0000000000400000-0x000000000048D000-memory.dmp	autoit_exe
behavioral2/memory/4120-540-0x0000000000400000-0x000000000048D000-memory.dmp	autoit_exe
behavioral2/memory/4992-541-0x0000000000400000-0x000000000048D000-memory.dmp	autoit_exe
behavioral2/memory/1848-570-0x0000000000400000-0x000000000048D000-memory.dmp	autoit_exe
behavioral2/memory/4120-585-0x0000000000400000-0x000000000048D000-memory.dmp	autoit_exe
behavioral2/memory/4992-586-0x0000000000400000-0x000000000048D000-memory.dmp	autoit_exe
behavioral2/memory/1908-598-0x0000000000400000-0x000000000048D000-memory.dmp	autoit_exe
behavioral2/memory/2420-622-0x0000000000400000-0x000000000048D000-memory.dmp	autoit_exe
behavioral2/memory/4120-635-0x0000000000400000-0x000000000048D000-memory.dmp	autoit_exe
behavioral2/memory/4992-636-0x0000000000400000-0x000000000048D000-memory.dmp	autoit_exe
behavioral2/memory/4912-648-0x0000000000400000-0x000000000048D000-memory.dmp	autoit_exe
behavioral2/memory/4672-672-0x0000000000400000-0x000000000048D000-memory.dmp	autoit_exe
behavioral2/memory/4120-685-0x0000000000400000-0x000000000048D000-memory.dmp	autoit_exe
behavioral2/memory/4992-686-0x0000000000400000-0x000000000048D000-memory.dmp	autoit_exe
behavioral2/memory/1088-698-0x0000000000400000-0x000000000048D000-memory.dmp	autoit_exe
behavioral2/memory/4120-711-0x0000000000400000-0x000000000048D000-memory.dmp	autoit_exe
behavioral2/memory/4992-712-0x0000000000400000-0x000000000048D000-memory.dmp	autoit_exe
behavioral2/memory/2672-724-0x0000000000400000-0x000000000048D000-memory.dmp	autoit_exe
behavioral2/memory/3944-748-0x0000000000400000-0x000000000048D000-memory.dmp	autoit_exe
behavioral2/memory/4120-761-0x0000000000400000-0x000000000048D000-memory.dmp	autoit_exe
behavioral2/memory/4992-762-0x0000000000400000-0x000000000048D000-memory.dmp	autoit_exe
behavioral2/memory/3240-774-0x0000000000400000-0x000000000048D000-memory.dmp	autoit_exe
behavioral2/memory/408-798-0x0000000000400000-0x000000000048D000-memory.dmp	autoit_exe
behavioral2/memory/4120-811-0x0000000000400000-0x000000000048D000-memory.dmp	autoit_exe
behavioral2/memory/4992-812-0x0000000000400000-0x000000000048D000-memory.dmp	autoit_exe
behavioral2/memory/3860-824-0x0000000000400000-0x000000000048D000-memory.dmp	autoit_exe
behavioral2/memory/4092-848-0x0000000000400000-0x000000000048D000-memory.dmp	autoit_exe
behavioral2/memory/4992-850-0x0000000000400000-0x000000000048D000-memory.dmp	autoit_exe
behavioral2/memory/4120-849-0x0000000000400000-0x000000000048D000-memory.dmp	autoit_exe
behavioral2/memory/4520-874-0x0000000000400000-0x000000000048D000-memory.dmp	autoit_exe
behavioral2/memory/4120-887-0x0000000000400000-0x000000000048D000-memory.dmp	autoit_exe
behavioral2/memory/4992-888-0x0000000000400000-0x000000000048D000-memory.dmp	autoit_exe
behavioral2/memory/224-900-0x0000000000400000-0x000000000048D000-memory.dmp	autoit_exe
behavioral2/memory/3128-924-0x0000000000400000-0x000000000048D000-memory.dmp	autoit_exe
behavioral2/memory/4992-938-0x0000000000400000-0x000000000048D000-memory.dmp	autoit_exe
behavioral2/memory/4120-937-0x0000000000400000-0x000000000048D000-memory.dmp	autoit_exe
behavioral2/memory/2044-950-0x0000000000400000-0x000000000048D000-memory.dmp	autoit_exe
behavioral2/memory/2168-974-0x0000000000400000-0x000000000048D000-memory.dmp	autoit_exe
behavioral2/memory/4120-987-0x0000000000400000-0x000000000048D000-memory.dmp	autoit_exe
behavioral2/memory/4992-988-0x0000000000400000-0x000000000048D000-memory.dmp	autoit_exe
behavioral2/memory/1640-1000-0x0000000000400000-0x000000000048D000-memory.dmp	autoit_exe
behavioral2/memory/4120-1013-0x0000000000400000-0x000000000048D000-memory.dmp	autoit_exe
behavioral2/memory/4992-1014-0x0000000000400000-0x000000000048D000-memory.dmp	autoit_exe
behavioral2/memory/1484-1026-0x0000000000400000-0x000000000048D000-memory.dmp	autoit_exe

Drops autorun.inf file 1 TTPs 26 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File created	C:\Users\Admin\Local Settings\Application Data\Microsoft\CD Burning\AUTORUN.inF	KHATRA.exe
File created	C:\Users\Admin\Local Settings\Application Data\Microsoft\CD Burning\AUTORUN.inF	KHATRA.exe
File created	C:\Users\Admin\Local Settings\Application Data\Microsoft\CD Burning\AUTORUN.inF	KHATRA.exe
File created	C:\Users\Admin\Local Settings\Application Data\Microsoft\CD Burning\AUTORUN.inF	KHATRA.exe
File created	C:\Users\Admin\Local Settings\Application Data\Microsoft\CD Burning\AUTORUN.inF	KHATRA.exe
File created	C:\Users\Admin\Local Settings\Application Data\Microsoft\CD Burning\AUTORUN.inF	KHATRA.exe
File created	C:\Users\Admin\Local Settings\Application Data\Microsoft\CD Burning\AUTORUN.inF	KHATRA.exe
File created	C:\Users\Admin\Local Settings\Application Data\Microsoft\CD Burning\AUTORUN.inF	KHATRA.exe
File created	C:\Users\Admin\Local Settings\Application Data\Microsoft\CD Burning\AUTORUN.inF	KHATRA.exe
File created	C:\Users\Admin\Local Settings\Application Data\Microsoft\CD Burning\AUTORUN.inF	KHATRA.exe
File created	C:\Users\Admin\Local Settings\Application Data\Microsoft\CD Burning\AUTORUN.inF	KHATRA.exe
File created	C:\Users\Admin\Local Settings\Application Data\Microsoft\CD Burning\AUTORUN.inF	KHATRA.exe
File created	C:\Users\Admin\Local Settings\Application Data\Microsoft\CD Burning\AUTORUN.inF	KHATRA.exe
File created	C:\Users\Admin\Local Settings\Application Data\Microsoft\CD Burning\AUTORUN.inF	KHATRA.exe
File created	C:\Users\Admin\Local Settings\Application Data\Microsoft\CD Burning\AUTORUN.inF	KHATRA.exe
File created	C:\Users\Admin\Local Settings\Application Data\Microsoft\CD Burning\AUTORUN.inF	KHATRA.exe
File created	C:\Users\Admin\Local Settings\Application Data\Microsoft\CD Burning\AUTORUN.inF	a5e04fde7fc118e447c2cfd1e93aac7245f881c43d34d48e0a5d39c663b5e2cc.exe
File created	C:\Users\Admin\Local Settings\Application Data\Microsoft\CD Burning\AUTORUN.inF	KHATRA.exe
File created	C:\Users\Admin\Local Settings\Application Data\Microsoft\CD Burning\AUTORUN.inF	KHATRA.exe
File created	C:\Users\Admin\Local Settings\Application Data\Microsoft\CD Burning\AUTORUN.inF	KHATRA.exe
File created	C:\Users\Admin\Local Settings\Application Data\Microsoft\CD Burning\AUTORUN.inF	KHATRA.exe
File created	C:\Users\Admin\Local Settings\Application Data\Microsoft\CD Burning\AUTORUN.inF	KHATRA.exe
File created	C:\Users\Admin\Local Settings\Application Data\Microsoft\CD Burning\AUTORUN.inF	KHATRA.exe
File created	C:\Users\Admin\Local Settings\Application Data\Microsoft\CD Burning\AUTORUN.inF	KHATRA.exe
File created	C:\Users\Admin\Local Settings\Application Data\Microsoft\CD Burning\AUTORUN.inF	KHATRA.exe
File created	C:\Users\Admin\Local Settings\Application Data\Microsoft\CD Burning\AUTORUN.inF	KHATRA.exe

Drops file in System32 directory 53 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File created	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File created	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File opened for modification	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File created	C:\Windows\SysWOW64\KHATRA.exe	a5e04fde7fc118e447c2cfd1e93aac7245f881c43d34d48e0a5d39c663b5e2cc.exe
File created	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File opened for modification	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File opened for modification	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File opened for modification	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File created	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File created	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File opened for modification	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File created	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File opened for modification	C:\Windows\SysWOW64\KHATRA.exe	a5e04fde7fc118e447c2cfd1e93aac7245f881c43d34d48e0a5d39c663b5e2cc.exe
File created	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File created	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File created	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File created	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File opened for modification	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File created	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File opened for modification	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File created	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File created	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File opened for modification	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File created	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File opened for modification	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File opened for modification	C:\Windows\SysWOW64\mscaps.exe	wtmps.exe
File opened for modification	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File created	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File opened for modification	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File opened for modification	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File opened for modification	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File created	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File created	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File opened for modification	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File created	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File opened for modification	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File created	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File opened for modification	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File opened for modification	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File opened for modification	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File opened for modification	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File created	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File created	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File created	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File opened for modification	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File created	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File created	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File opened for modification	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File opened for modification	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File opened for modification	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File created	C:\Windows\SysWOW64\mscaps.exe	wtmps.exe
File opened for modification	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\KHATARNAKH.exe	KHATRA.exe
File created	C:\Windows\KHATARNAKH.exe	KHATRA.exe
File opened for modification	C:\Windows\System\gHost.exe	KHATRA.exe
File opened for modification	C:\Windows\Xplorer.exe	a5e04fde7fc118e447c2cfd1e93aac7245f881c43d34d48e0a5d39c663b5e2cc.exe
File opened for modification	C:\Windows\System\gHost.exe	KHATRA.exe
File opened for modification	C:\Windows\System\gHost.exe	KHATRA.exe
File created	C:\Windows\Xplorer.exe	KHATRA.exe
File created	C:\Windows\Xplorer.exe	KHATRA.exe
File created	C:\Windows\KHATARNAKH.exe	KHATRA.exe
File opened for modification	C:\Windows\Xplorer.exe	KHATRA.exe
File opened for modification	C:\Windows\inf\Autoplay.inF	KHATRA.exe
File opened for modification	C:\Windows\System\gHost.exe	KHATRA.exe
File opened for modification	C:\Windows\inf\Autoplay.inF	KHATRA.exe
File opened for modification	C:\Windows\inf\Autoplay.inF	KHATRA.exe
File opened for modification	C:\Windows\INF\Autoplay.inF	KHATRA.exe
File created	C:\Windows\System\gHost.exe	a5e04fde7fc118e447c2cfd1e93aac7245f881c43d34d48e0a5d39c663b5e2cc.exe
File opened for modification	C:\Windows\KHATARNAKH.exe	KHATRA.exe
File created	C:\Windows\Xplorer.exe	KHATRA.exe
File created	C:\Windows\System\gHost.exe	KHATRA.exe
File opened for modification	C:\Windows\KHATARNAKH.exe	KHATRA.exe
File opened for modification	C:\Windows\KHATARNAKH.exe	KHATRA.exe
File opened for modification	C:\Windows\KHATARNAKH.exe	KHATRA.exe
File opened for modification	C:\Windows\inf\Autoplay.inF	KHATRA.exe
File created	C:\Windows\KHATARNAKH.exe	KHATRA.exe
File opened for modification	C:\Windows\Xplorer.exe	KHATRA.exe
File created	C:\Windows\System\gHost.exe	KHATRA.exe
File created	C:\Windows\Xplorer.exe	KHATRA.exe
File opened for modification	C:\Windows\inf\Autoplay.inF	KHATRA.exe
File created	C:\Windows\Xplorer.exe	KHATRA.exe
File created	C:\Windows\System\gHost.exe	KHATRA.exe
File opened for modification	C:\Windows\inf\Autoplay.inF	KHATRA.exe
File created	C:\Windows\KHATARNAKH.exe	KHATRA.exe
File opened for modification	C:\Windows\System\gHost.exe	KHATRA.exe
File created	C:\Windows\Xplorer.exe	KHATRA.exe
File opened for modification	C:\Windows\INF\Autoplay.inF	KHATRA.exe
File opened for modification	C:\Windows\inf\Autoplay.inF	KHATRA.exe
File opened for modification	C:\Windows\System\gHost.exe	KHATRA.exe
File opened for modification	C:\Windows\inf\Autoplay.inF	a5e04fde7fc118e447c2cfd1e93aac7245f881c43d34d48e0a5d39c663b5e2cc.exe
File opened for modification	C:\Windows\INF\Autoplay.inF	KHATRA.exe
File opened for modification	C:\Windows\INF\Autoplay.inF	KHATRA.exe
File opened for modification	C:\Windows\KHATARNAKH.exe	KHATRA.exe
File created	C:\Windows\KHATARNAKH.exe	KHATRA.exe
File opened for modification	C:\Windows\INF\Autoplay.inF	KHATRA.exe
File opened for modification	C:\Windows\Xplorer.exe	KHATRA.exe
File opened for modification	C:\Windows\INF\Autoplay.inF	KHATRA.exe
File opened for modification	C:\Windows\INF\Autoplay.inF	KHATRA.exe
File opened for modification	C:\Windows\KHATARNAKH.exe	KHATRA.exe
File created	C:\Windows\System\gHost.exe	KHATRA.exe
File opened for modification	C:\Windows\INF\Autoplay.inF	KHATRA.exe
File opened for modification	C:\Windows\INF\Autoplay.inF	KHATRA.exe
File opened for modification	C:\Windows\inf\Autoplay.inF	KHATRA.exe
File created	C:\Windows\Xplorer.exe	KHATRA.exe
File opened for modification	C:\Windows\INF\Autoplay.inF	KHATRA.exe
File created	C:\Windows\KHATARNAKH.exe	KHATRA.exe
File opened for modification	C:\Windows\KHATARNAKH.exe	KHATRA.exe
File opened for modification	C:\Windows\System\gHost.exe	KHATRA.exe
File opened for modification	C:\Windows\System\gHost.exe	KHATRA.exe
File opened for modification	C:\Windows\System\gHost.exe	a5e04fde7fc118e447c2cfd1e93aac7245f881c43d34d48e0a5d39c663b5e2cc.exe
File opened for modification	C:\Windows\System\gHost.exe	KHATRA.exe
File opened for modification	C:\Windows\inf\Autoplay.inF	KHATRA.exe
File opened for modification	C:\Windows\INF\Autoplay.inF	KHATRA.exe
File opened for modification	C:\Windows\INF\Autoplay.inF	KHATRA.exe
File created	C:\Windows\KHATARNAKH.exe	KHATRA.exe
File opened for modification	C:\Windows\INF\Autoplay.inF	KHATRA.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 52 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Main	KHATRA.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "Internet Exploiter"	KHATRA.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Main	KHATRA.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "Internet Exploiter"	KHATRA.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Main	KHATRA.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "Internet Exploiter"	KHATRA.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Main	KHATRA.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Main	KHATRA.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "Internet Exploiter"	KHATRA.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Main	KHATRA.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Main	KHATRA.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Main	KHATRA.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Main	KHATRA.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Main	KHATRA.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "Internet Exploiter"	a5e04fde7fc118e447c2cfd1e93aac7245f881c43d34d48e0a5d39c663b5e2cc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "Internet Exploiter"	KHATRA.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "Internet Exploiter"	KHATRA.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "Internet Exploiter"	KHATRA.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Main	KHATRA.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "Internet Exploiter"	KHATRA.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "Internet Exploiter"	KHATRA.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "Internet Exploiter"	KHATRA.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "Internet Exploiter"	KHATRA.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "Internet Exploiter"	KHATRA.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Main	KHATRA.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Main	KHATRA.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Main	KHATRA.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "Internet Exploiter"	KHATRA.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Main	KHATRA.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "Internet Exploiter"	KHATRA.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Main	KHATRA.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Main	KHATRA.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "Internet Exploiter"	KHATRA.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "Internet Exploiter"	KHATRA.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "Internet Exploiter"	KHATRA.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "Internet Exploiter"	KHATRA.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "Internet Exploiter"	KHATRA.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Main	KHATRA.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Main	KHATRA.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "Internet Exploiter"	KHATRA.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Main	KHATRA.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "Internet Exploiter"	KHATRA.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "Internet Exploiter"	KHATRA.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Main	KHATRA.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Main	KHATRA.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Main	KHATRA.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Main	KHATRA.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "Internet Exploiter"	KHATRA.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "Internet Exploiter"	KHATRA.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Main	a5e04fde7fc118e447c2cfd1e93aac7245f881c43d34d48e0a5d39c663b5e2cc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "Internet Exploiter"	KHATRA.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Main	KHATRA.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1788	@AE6513.tmp.exe
1788	@AE6513.tmp.exe
1688	a5e04fde7fc118e447c2cfd1e93aac7245f881c43d34d48e0a5d39c663b5e2cc.exe
1688	a5e04fde7fc118e447c2cfd1e93aac7245f881c43d34d48e0a5d39c663b5e2cc.exe
1608	WdExt.exe
1608	WdExt.exe
1688	a5e04fde7fc118e447c2cfd1e93aac7245f881c43d34d48e0a5d39c663b5e2cc.exe
1688	a5e04fde7fc118e447c2cfd1e93aac7245f881c43d34d48e0a5d39c663b5e2cc.exe
1688	a5e04fde7fc118e447c2cfd1e93aac7245f881c43d34d48e0a5d39c663b5e2cc.exe
1688	a5e04fde7fc118e447c2cfd1e93aac7245f881c43d34d48e0a5d39c663b5e2cc.exe
1688	a5e04fde7fc118e447c2cfd1e93aac7245f881c43d34d48e0a5d39c663b5e2cc.exe
1688	a5e04fde7fc118e447c2cfd1e93aac7245f881c43d34d48e0a5d39c663b5e2cc.exe
1688	a5e04fde7fc118e447c2cfd1e93aac7245f881c43d34d48e0a5d39c663b5e2cc.exe
1688	a5e04fde7fc118e447c2cfd1e93aac7245f881c43d34d48e0a5d39c663b5e2cc.exe
1688	a5e04fde7fc118e447c2cfd1e93aac7245f881c43d34d48e0a5d39c663b5e2cc.exe
1688	a5e04fde7fc118e447c2cfd1e93aac7245f881c43d34d48e0a5d39c663b5e2cc.exe
1688	a5e04fde7fc118e447c2cfd1e93aac7245f881c43d34d48e0a5d39c663b5e2cc.exe
1688	a5e04fde7fc118e447c2cfd1e93aac7245f881c43d34d48e0a5d39c663b5e2cc.exe
1688	a5e04fde7fc118e447c2cfd1e93aac7245f881c43d34d48e0a5d39c663b5e2cc.exe
1688	a5e04fde7fc118e447c2cfd1e93aac7245f881c43d34d48e0a5d39c663b5e2cc.exe
1688	a5e04fde7fc118e447c2cfd1e93aac7245f881c43d34d48e0a5d39c663b5e2cc.exe
1688	a5e04fde7fc118e447c2cfd1e93aac7245f881c43d34d48e0a5d39c663b5e2cc.exe
1688	a5e04fde7fc118e447c2cfd1e93aac7245f881c43d34d48e0a5d39c663b5e2cc.exe
1688	a5e04fde7fc118e447c2cfd1e93aac7245f881c43d34d48e0a5d39c663b5e2cc.exe
1688	a5e04fde7fc118e447c2cfd1e93aac7245f881c43d34d48e0a5d39c663b5e2cc.exe
1688	a5e04fde7fc118e447c2cfd1e93aac7245f881c43d34d48e0a5d39c663b5e2cc.exe
1688	a5e04fde7fc118e447c2cfd1e93aac7245f881c43d34d48e0a5d39c663b5e2cc.exe
1688	a5e04fde7fc118e447c2cfd1e93aac7245f881c43d34d48e0a5d39c663b5e2cc.exe
1688	a5e04fde7fc118e447c2cfd1e93aac7245f881c43d34d48e0a5d39c663b5e2cc.exe
1688	a5e04fde7fc118e447c2cfd1e93aac7245f881c43d34d48e0a5d39c663b5e2cc.exe
1688	a5e04fde7fc118e447c2cfd1e93aac7245f881c43d34d48e0a5d39c663b5e2cc.exe
1688	a5e04fde7fc118e447c2cfd1e93aac7245f881c43d34d48e0a5d39c663b5e2cc.exe
1688	a5e04fde7fc118e447c2cfd1e93aac7245f881c43d34d48e0a5d39c663b5e2cc.exe
1688	a5e04fde7fc118e447c2cfd1e93aac7245f881c43d34d48e0a5d39c663b5e2cc.exe
1688	a5e04fde7fc118e447c2cfd1e93aac7245f881c43d34d48e0a5d39c663b5e2cc.exe
1688	a5e04fde7fc118e447c2cfd1e93aac7245f881c43d34d48e0a5d39c663b5e2cc.exe
1688	a5e04fde7fc118e447c2cfd1e93aac7245f881c43d34d48e0a5d39c663b5e2cc.exe
1688	a5e04fde7fc118e447c2cfd1e93aac7245f881c43d34d48e0a5d39c663b5e2cc.exe
1688	a5e04fde7fc118e447c2cfd1e93aac7245f881c43d34d48e0a5d39c663b5e2cc.exe
1688	a5e04fde7fc118e447c2cfd1e93aac7245f881c43d34d48e0a5d39c663b5e2cc.exe
1688	a5e04fde7fc118e447c2cfd1e93aac7245f881c43d34d48e0a5d39c663b5e2cc.exe
1688	a5e04fde7fc118e447c2cfd1e93aac7245f881c43d34d48e0a5d39c663b5e2cc.exe
1688	a5e04fde7fc118e447c2cfd1e93aac7245f881c43d34d48e0a5d39c663b5e2cc.exe
1688	a5e04fde7fc118e447c2cfd1e93aac7245f881c43d34d48e0a5d39c663b5e2cc.exe
1688	a5e04fde7fc118e447c2cfd1e93aac7245f881c43d34d48e0a5d39c663b5e2cc.exe
1688	a5e04fde7fc118e447c2cfd1e93aac7245f881c43d34d48e0a5d39c663b5e2cc.exe
1688	a5e04fde7fc118e447c2cfd1e93aac7245f881c43d34d48e0a5d39c663b5e2cc.exe
1688	a5e04fde7fc118e447c2cfd1e93aac7245f881c43d34d48e0a5d39c663b5e2cc.exe
1688	a5e04fde7fc118e447c2cfd1e93aac7245f881c43d34d48e0a5d39c663b5e2cc.exe
1688	a5e04fde7fc118e447c2cfd1e93aac7245f881c43d34d48e0a5d39c663b5e2cc.exe
1688	a5e04fde7fc118e447c2cfd1e93aac7245f881c43d34d48e0a5d39c663b5e2cc.exe
1688	a5e04fde7fc118e447c2cfd1e93aac7245f881c43d34d48e0a5d39c663b5e2cc.exe
1688	a5e04fde7fc118e447c2cfd1e93aac7245f881c43d34d48e0a5d39c663b5e2cc.exe
1688	a5e04fde7fc118e447c2cfd1e93aac7245f881c43d34d48e0a5d39c663b5e2cc.exe
1688	a5e04fde7fc118e447c2cfd1e93aac7245f881c43d34d48e0a5d39c663b5e2cc.exe
1688	a5e04fde7fc118e447c2cfd1e93aac7245f881c43d34d48e0a5d39c663b5e2cc.exe
1688	a5e04fde7fc118e447c2cfd1e93aac7245f881c43d34d48e0a5d39c663b5e2cc.exe
1688	a5e04fde7fc118e447c2cfd1e93aac7245f881c43d34d48e0a5d39c663b5e2cc.exe
1688	a5e04fde7fc118e447c2cfd1e93aac7245f881c43d34d48e0a5d39c663b5e2cc.exe
1688	a5e04fde7fc118e447c2cfd1e93aac7245f881c43d34d48e0a5d39c663b5e2cc.exe
1688	a5e04fde7fc118e447c2cfd1e93aac7245f881c43d34d48e0a5d39c663b5e2cc.exe
1688	a5e04fde7fc118e447c2cfd1e93aac7245f881c43d34d48e0a5d39c663b5e2cc.exe
1688	a5e04fde7fc118e447c2cfd1e93aac7245f881c43d34d48e0a5d39c663b5e2cc.exe
1688	a5e04fde7fc118e447c2cfd1e93aac7245f881c43d34d48e0a5d39c663b5e2cc.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
4120	Xplorer.exe
4992	gHost.exe

Suspicious use of FindShellTrayWindow 51 IoCs

pid	Process
1688	a5e04fde7fc118e447c2cfd1e93aac7245f881c43d34d48e0a5d39c663b5e2cc.exe
4452	KHATRA.exe
1688	a5e04fde7fc118e447c2cfd1e93aac7245f881c43d34d48e0a5d39c663b5e2cc.exe
4452	KHATRA.exe
3408	KHATRA.exe
3408	KHATRA.exe
4544	KHATRA.exe
4544	KHATRA.exe
4960	KHATRA.exe
4960	KHATRA.exe
3464	KHATRA.exe
3464	KHATRA.exe
1848	KHATRA.exe
1848	KHATRA.exe
1908	KHATRA.exe
1908	KHATRA.exe
2420	KHATRA.exe
2420	KHATRA.exe
4912	KHATRA.exe
4912	KHATRA.exe
4672	KHATRA.exe
4672	KHATRA.exe
1088	KHATRA.exe
1088	KHATRA.exe
2672	KHATRA.exe
2672	KHATRA.exe
3944	KHATRA.exe
3944	KHATRA.exe
3240	KHATRA.exe
3240	KHATRA.exe
408	KHATRA.exe
408	KHATRA.exe
3860	KHATRA.exe
3860	KHATRA.exe
4092	KHATRA.exe
4092	KHATRA.exe
4520	KHATRA.exe
4520	KHATRA.exe
224	KHATRA.exe
224	KHATRA.exe
3128	KHATRA.exe
3128	KHATRA.exe
2044	KHATRA.exe
2044	KHATRA.exe
2168	KHATRA.exe
2168	KHATRA.exe
1640	KHATRA.exe
1640	KHATRA.exe
1484	KHATRA.exe
1484	KHATRA.exe
2644	KHATRA.exe

Suspicious use of SendNotifyMessage 51 IoCs

pid	Process
1688	a5e04fde7fc118e447c2cfd1e93aac7245f881c43d34d48e0a5d39c663b5e2cc.exe
4452	KHATRA.exe
1688	a5e04fde7fc118e447c2cfd1e93aac7245f881c43d34d48e0a5d39c663b5e2cc.exe
4452	KHATRA.exe
3408	KHATRA.exe
3408	KHATRA.exe
4544	KHATRA.exe
4544	KHATRA.exe
4960	KHATRA.exe
4960	KHATRA.exe
3464	KHATRA.exe
3464	KHATRA.exe
1848	KHATRA.exe
1848	KHATRA.exe
1908	KHATRA.exe
1908	KHATRA.exe
2420	KHATRA.exe
2420	KHATRA.exe
4912	KHATRA.exe
4912	KHATRA.exe
4672	KHATRA.exe
4672	KHATRA.exe
1088	KHATRA.exe
1088	KHATRA.exe
2672	KHATRA.exe
2672	KHATRA.exe
3944	KHATRA.exe
3944	KHATRA.exe
3240	KHATRA.exe
3240	KHATRA.exe
408	KHATRA.exe
408	KHATRA.exe
3860	KHATRA.exe
3860	KHATRA.exe
4092	KHATRA.exe
4092	KHATRA.exe
4520	KHATRA.exe
4520	KHATRA.exe
224	KHATRA.exe
224	KHATRA.exe
3128	KHATRA.exe
3128	KHATRA.exe
2044	KHATRA.exe
2044	KHATRA.exe
2168	KHATRA.exe
2168	KHATRA.exe
1640	KHATRA.exe
1640	KHATRA.exe
1484	KHATRA.exe
1484	KHATRA.exe
2644	KHATRA.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2280 wrote to memory of 2952	2280	a5e04fde7fc118e447c2cfd1e93aac7245f881c43d34d48e0a5d39c663b5e2cc.exe	83
PID 2280 wrote to memory of 2952	2280	a5e04fde7fc118e447c2cfd1e93aac7245f881c43d34d48e0a5d39c663b5e2cc.exe	83
PID 2280 wrote to memory of 2952	2280	a5e04fde7fc118e447c2cfd1e93aac7245f881c43d34d48e0a5d39c663b5e2cc.exe	83
PID 2280 wrote to memory of 2952	2280	a5e04fde7fc118e447c2cfd1e93aac7245f881c43d34d48e0a5d39c663b5e2cc.exe	83
PID 2280 wrote to memory of 2952	2280	a5e04fde7fc118e447c2cfd1e93aac7245f881c43d34d48e0a5d39c663b5e2cc.exe	83
PID 2952 wrote to memory of 1788	2952	explorer.exe	84
PID 2952 wrote to memory of 1788	2952	explorer.exe	84
PID 2952 wrote to memory of 1788	2952	explorer.exe	84
PID 2952 wrote to memory of 1688	2952	explorer.exe	85
PID 2952 wrote to memory of 1688	2952	explorer.exe	85
PID 2952 wrote to memory of 1688	2952	explorer.exe	85
PID 1788 wrote to memory of 2104	1788	@AE6513.tmp.exe	86
PID 1788 wrote to memory of 2104	1788	@AE6513.tmp.exe	86
PID 1788 wrote to memory of 2104	1788	@AE6513.tmp.exe	86
PID 1788 wrote to memory of 3300	1788	@AE6513.tmp.exe	88
PID 1788 wrote to memory of 3300	1788	@AE6513.tmp.exe	88
PID 1788 wrote to memory of 3300	1788	@AE6513.tmp.exe	88
PID 2104 wrote to memory of 1608	2104	cmd.exe	90
PID 2104 wrote to memory of 1608	2104	cmd.exe	90
PID 2104 wrote to memory of 1608	2104	cmd.exe	90
PID 1608 wrote to memory of 2024	1608	WdExt.exe	91
PID 1608 wrote to memory of 2024	1608	WdExt.exe	91
PID 1608 wrote to memory of 2024	1608	WdExt.exe	91
PID 1688 wrote to memory of 4452	1688	a5e04fde7fc118e447c2cfd1e93aac7245f881c43d34d48e0a5d39c663b5e2cc.exe	93
PID 1688 wrote to memory of 4452	1688	a5e04fde7fc118e447c2cfd1e93aac7245f881c43d34d48e0a5d39c663b5e2cc.exe	93
PID 1688 wrote to memory of 4452	1688	a5e04fde7fc118e447c2cfd1e93aac7245f881c43d34d48e0a5d39c663b5e2cc.exe	93
PID 2024 wrote to memory of 3740	2024	cmd.exe	94
PID 2024 wrote to memory of 3740	2024	cmd.exe	94
PID 2024 wrote to memory of 3740	2024	cmd.exe	94
PID 3740 wrote to memory of 2116	3740	launch.exe	97
PID 3740 wrote to memory of 2116	3740	launch.exe	97
PID 3740 wrote to memory of 2116	3740	launch.exe	97
PID 2116 wrote to memory of 4280	2116	cmd.exe	99
PID 2116 wrote to memory of 4280	2116	cmd.exe	99
PID 2116 wrote to memory of 4280	2116	cmd.exe	99
PID 4452 wrote to memory of 4120	4452	KHATRA.exe	100
PID 4452 wrote to memory of 4120	4452	KHATRA.exe	100
PID 4452 wrote to memory of 4120	4452	KHATRA.exe	100
PID 4280 wrote to memory of 4636	4280	wtmps.exe	101
PID 4280 wrote to memory of 4636	4280	wtmps.exe	101
PID 4280 wrote to memory of 4636	4280	wtmps.exe	101
PID 1688 wrote to memory of 4992	1688	a5e04fde7fc118e447c2cfd1e93aac7245f881c43d34d48e0a5d39c663b5e2cc.exe	102
PID 1688 wrote to memory of 4992	1688	a5e04fde7fc118e447c2cfd1e93aac7245f881c43d34d48e0a5d39c663b5e2cc.exe	102
PID 1688 wrote to memory of 4992	1688	a5e04fde7fc118e447c2cfd1e93aac7245f881c43d34d48e0a5d39c663b5e2cc.exe	102
PID 4452 wrote to memory of 4648	4452	KHATRA.exe	108
PID 4452 wrote to memory of 4648	4452	KHATRA.exe	108
PID 4452 wrote to memory of 4648	4452	KHATRA.exe	108
PID 4648 wrote to memory of 1352	4648	cmd.exe	110
PID 4648 wrote to memory of 1352	4648	cmd.exe	110
PID 4648 wrote to memory of 1352	4648	cmd.exe	110
PID 1688 wrote to memory of 208	1688	a5e04fde7fc118e447c2cfd1e93aac7245f881c43d34d48e0a5d39c663b5e2cc.exe	111
PID 1688 wrote to memory of 208	1688	a5e04fde7fc118e447c2cfd1e93aac7245f881c43d34d48e0a5d39c663b5e2cc.exe	111
PID 1688 wrote to memory of 208	1688	a5e04fde7fc118e447c2cfd1e93aac7245f881c43d34d48e0a5d39c663b5e2cc.exe	111
PID 208 wrote to memory of 2228	208	cmd.exe	113
PID 208 wrote to memory of 2228	208	cmd.exe	113
PID 208 wrote to memory of 2228	208	cmd.exe	113
PID 4452 wrote to memory of 980	4452	KHATRA.exe	114
PID 4452 wrote to memory of 980	4452	KHATRA.exe	114
PID 4452 wrote to memory of 980	4452	KHATRA.exe	114
PID 1688 wrote to memory of 2612	1688	a5e04fde7fc118e447c2cfd1e93aac7245f881c43d34d48e0a5d39c663b5e2cc.exe	116
PID 1688 wrote to memory of 2612	1688	a5e04fde7fc118e447c2cfd1e93aac7245f881c43d34d48e0a5d39c663b5e2cc.exe	116
PID 1688 wrote to memory of 2612	1688	a5e04fde7fc118e447c2cfd1e93aac7245f881c43d34d48e0a5d39c663b5e2cc.exe	116
PID 980 wrote to memory of 4960	980	cmd.exe	118
PID 980 wrote to memory of 4960	980	cmd.exe	118

C:\Users\Admin\AppData\Local\Temp\a5e04fde7fc118e447c2cfd1e93aac7245f881c43d34d48e0a5d39c663b5e2cc.exe
"C:\Users\Admin\AppData\Local\Temp\a5e04fde7fc118e447c2cfd1e93aac7245f881c43d34d48e0a5d39c663b5e2cc.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2280
- C:\Windows\SysWOW64\explorer.exe
  explorer.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2952
- - C:\Users\Admin\AppData\Local\Temp\@AE6513.tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\@AE6513.tmp.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1788
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Admin0.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2104
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1608
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Admin1.bat" "
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2024
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Defender\launch.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Defender\launch.exe" /i 1608
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:3740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Admin2.bat" "
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2116
        
        C:\Users\Admin\AppData\Local\Temp\wtmps.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wtmps.exe"
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4280
        
        C:\Windows\SysWOW64\mscaps.exe
        
        "C:\Windows\system32\mscaps.exe" /C:\Users\Admin\AppData\Local\Temp\wtmps.exe
        10⤵
        Executes dropped EXE
        
        PID:4636
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Admin1.bat" "
      4⤵
      PID:3300
- - C:\Users\Admin\AppData\Local\Temp\a5e04fde7fc118e447c2cfd1e93aac7245f881c43d34d48e0a5d39c663b5e2cc.exe
    "C:\Users\Admin\AppData\Local\Temp\a5e04fde7fc118e447c2cfd1e93aac7245f881c43d34d48e0a5d39c663b5e2cc.exe"
    3⤵
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Modifies WinLogon
    - Drops autorun.inf file
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:1688
  - - C:\Windows\SysWOW64\KHATRA.exe
      C:\Windows\system32\KHATRA.exe
      4⤵
      Adds policy Run key to start application
      Disables RegEdit via registry modification
      Executes dropped EXE
      Adds Run key to start application
      Modifies WinLogon
      Drops autorun.inf file
      Drops file in System32 directory
      Drops file in Windows directory
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:4452
    - - C:\Windows\Xplorer.exe
        
        "C:\Windows\Xplorer.exe" /Windows
        5⤵
        Executes dropped EXE
        Suspicious behavior: GetForegroundWindowSpam
        
        PID:4120
      - C:\Windows\SysWOW64\KHATRA.exe
        
        C:\Windows\system32\KHATRA.exe
        6⤵
        Adds policy Run key to start application
        Disables RegEdit via registry modification
        Executes dropped EXE
        Adds Run key to start application
        Modifies WinLogon
        Drops autorun.inf file
        Drops file in System32 directory
        Drops file in Windows directory
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:3408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C AT /delete /yes
        7⤵
        
        PID:316
        
        C:\Windows\SysWOW64\at.exe
        
        AT /delete /yes
        8⤵
        
        PID:540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        7⤵
        
        PID:1476
        
        C:\Windows\SysWOW64\at.exe
        
        AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        8⤵
        
        PID:4916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll
        7⤵
        
        PID:4944
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        RegSvr32 /S C:\Windows\system32\avphost.dll
        8⤵
        
        PID:3144
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        7⤵
        
        PID:1428
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        8⤵
        Modifies Windows Firewall
        
        PID:444
      - C:\Windows\SysWOW64\KHATRA.exe
        
        C:\Windows\system32\KHATRA.exe
        6⤵
        Adds policy Run key to start application
        Disables RegEdit via registry modification
        Executes dropped EXE
        Adds Run key to start application
        Modifies WinLogon
        Drops autorun.inf file
        Drops file in System32 directory
        Drops file in Windows directory
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C AT /delete /yes
        7⤵
        
        PID:3976
        
        C:\Windows\SysWOW64\at.exe
        
        AT /delete /yes
        8⤵
        
        PID:3608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        7⤵
        
        PID:4044
        
        C:\Windows\SysWOW64\at.exe
        
        AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        8⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll
        7⤵
        
        PID:3420
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        RegSvr32 /S C:\Windows\system32\avphost.dll
        8⤵
        
        PID:2532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        7⤵
        
        PID:3148
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        8⤵
        Modifies Windows Firewall
        
        PID:1188
      - C:\Windows\SysWOW64\KHATRA.exe
        
        C:\Windows\system32\KHATRA.exe
        6⤵
        Adds policy Run key to start application
        Disables RegEdit via registry modification
        Executes dropped EXE
        Adds Run key to start application
        Modifies WinLogon
        Drops autorun.inf file
        Drops file in System32 directory
        Drops file in Windows directory
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C AT /delete /yes
        7⤵
        
        PID:3124
        
        C:\Windows\SysWOW64\at.exe
        
        AT /delete /yes
        8⤵
        
        PID:4680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        7⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\at.exe
        
        AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        8⤵
        
        PID:3448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll
        7⤵
        
        PID:4664
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        RegSvr32 /S C:\Windows\system32\avphost.dll
        8⤵
        
        PID:4032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        7⤵
        
        PID:2740
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        8⤵
        Modifies Windows Firewall
        
        PID:4468
      - C:\Windows\SysWOW64\KHATRA.exe
        
        C:\Windows\system32\KHATRA.exe
        6⤵
        Adds policy Run key to start application
        Disables RegEdit via registry modification
        Executes dropped EXE
        Adds Run key to start application
        Modifies WinLogon
        Drops autorun.inf file
        Drops file in System32 directory
        Drops file in Windows directory
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:3464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C AT /delete /yes
        7⤵
        
        PID:5064
        
        C:\Windows\SysWOW64\at.exe
        
        AT /delete /yes
        8⤵
        
        PID:4564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        7⤵
        
        PID:3512
        
        C:\Windows\SysWOW64\at.exe
        
        AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        8⤵
        
        PID:3928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll
        7⤵
        
        PID:2332
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        RegSvr32 /S C:\Windows\system32\avphost.dll
        8⤵
        
        PID:3936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        7⤵
        
        PID:668
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        8⤵
        Modifies Windows Firewall
        
        PID:4276
      - C:\Windows\SysWOW64\KHATRA.exe
        
        C:\Windows\system32\KHATRA.exe
        6⤵
        Adds policy Run key to start application
        Disables RegEdit via registry modification
        Executes dropped EXE
        Adds Run key to start application
        Modifies WinLogon
        Drops autorun.inf file
        Drops file in System32 directory
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C AT /delete /yes
        7⤵
        
        PID:3148
        
        C:\Windows\SysWOW64\at.exe
        
        AT /delete /yes
        8⤵
        
        PID:1800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        7⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\at.exe
        
        AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        8⤵
        
        PID:4544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll
        7⤵
        
        PID:4484
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        RegSvr32 /S C:\Windows\system32\avphost.dll
        8⤵
        
        PID:2464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        7⤵
        
        PID:1508
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        8⤵
        Modifies Windows Firewall
        
        PID:3576
      - C:\Windows\SysWOW64\KHATRA.exe
        
        C:\Windows\system32\KHATRA.exe
        6⤵
        Adds policy Run key to start application
        Disables RegEdit via registry modification
        Executes dropped EXE
        Adds Run key to start application
        Modifies WinLogon
        Drops autorun.inf file
        Drops file in System32 directory
        Drops file in Windows directory
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C AT /delete /yes
        7⤵
        
        PID:372
        
        C:\Windows\SysWOW64\at.exe
        
        AT /delete /yes
        8⤵
        
        PID:900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        7⤵
        
        PID:3188
        
        C:\Windows\SysWOW64\at.exe
        
        AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        8⤵
        
        PID:5000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll
        7⤵
        
        PID:4740
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        RegSvr32 /S C:\Windows\system32\avphost.dll
        8⤵
        
        PID:4520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        7⤵
        
        PID:4252
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        8⤵
        Modifies Windows Firewall
        
        PID:3408
      - C:\Windows\SysWOW64\KHATRA.exe
        
        C:\Windows\system32\KHATRA.exe
        6⤵
        Adds policy Run key to start application
        Disables RegEdit via registry modification
        Executes dropped EXE
        Adds Run key to start application
        Modifies WinLogon
        Drops autorun.inf file
        Drops file in System32 directory
        Drops file in Windows directory
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C AT /delete /yes
        7⤵
        
        PID:4100
        
        C:\Windows\SysWOW64\at.exe
        
        AT /delete /yes
        8⤵
        
        PID:2356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        7⤵
        
        PID:2532
        
        C:\Windows\SysWOW64\at.exe
        
        AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        8⤵
        
        PID:2840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll
        7⤵
        
        PID:4036
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        RegSvr32 /S C:\Windows\system32\avphost.dll
        8⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        7⤵
        
        PID:4340
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        8⤵
        Modifies Windows Firewall
        
        PID:1836
      - C:\Windows\SysWOW64\KHATRA.exe
        
        C:\Windows\system32\KHATRA.exe
        6⤵
        Adds policy Run key to start application
        Disables RegEdit via registry modification
        Executes dropped EXE
        Adds Run key to start application
        Modifies WinLogon
        Drops autorun.inf file
        Drops file in System32 directory
        Drops file in Windows directory
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C AT /delete /yes
        7⤵
        
        PID:632
        
        C:\Windows\SysWOW64\at.exe
        
        AT /delete /yes
        8⤵
        
        PID:2044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        7⤵
        
        PID:4788
        
        C:\Windows\SysWOW64\at.exe
        
        AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        8⤵
        
        PID:1484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll
        7⤵
        
        PID:1808
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        RegSvr32 /S C:\Windows\system32\avphost.dll
        8⤵
        
        PID:3692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        7⤵
        
        PID:2120
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        8⤵
        Modifies Windows Firewall
        
        PID:1564
      - C:\Windows\SysWOW64\KHATRA.exe
        
        C:\Windows\system32\KHATRA.exe
        6⤵
        Adds policy Run key to start application
        Disables RegEdit via registry modification
        Executes dropped EXE
        Adds Run key to start application
        Modifies WinLogon
        Drops autorun.inf file
        Drops file in System32 directory
        Drops file in Windows directory
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C AT /delete /yes
        7⤵
        
        PID:2588
        
        C:\Windows\SysWOW64\at.exe
        
        AT /delete /yes
        8⤵
        
        PID:3468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        7⤵
        
        PID:2692
        
        C:\Windows\SysWOW64\at.exe
        
        AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        8⤵
        
        PID:4596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll
        7⤵
        
        PID:3936
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        RegSvr32 /S C:\Windows\system32\avphost.dll
        8⤵
        
        PID:864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        7⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        8⤵
        Modifies Windows Firewall
        
        PID:1084
      - C:\Windows\SysWOW64\KHATRA.exe
        
        C:\Windows\system32\KHATRA.exe
        6⤵
        Adds policy Run key to start application
        Disables RegEdit via registry modification
        Executes dropped EXE
        Adds Run key to start application
        Modifies WinLogon
        Drops autorun.inf file
        Drops file in System32 directory
        Drops file in Windows directory
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C AT /delete /yes
        7⤵
        
        PID:3908
        
        C:\Windows\SysWOW64\at.exe
        
        AT /delete /yes
        8⤵
        
        PID:4244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        7⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\at.exe
        
        AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        8⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll
        7⤵
        
        PID:4340
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        RegSvr32 /S C:\Windows\system32\avphost.dll
        8⤵
        
        PID:3696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        7⤵
        
        PID:4160
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        8⤵
        Modifies Windows Firewall
        
        PID:4824
      - C:\Windows\SysWOW64\KHATRA.exe
        
        C:\Windows\system32\KHATRA.exe
        6⤵
        Adds policy Run key to start application
        Disables RegEdit via registry modification
        Executes dropped EXE
        Adds Run key to start application
        Modifies WinLogon
        Drops autorun.inf file
        Drops file in System32 directory
        Drops file in Windows directory
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C AT /delete /yes
        7⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\at.exe
        
        AT /delete /yes
        8⤵
        
        PID:900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        7⤵
        
        PID:1428
        
        C:\Windows\SysWOW64\at.exe
        
        AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        8⤵
        
        PID:1520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll
        7⤵
        
        PID:1232
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        RegSvr32 /S C:\Windows\system32\avphost.dll
        8⤵
        
        PID:3740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        7⤵
        
        PID:1560
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        8⤵
        Modifies Windows Firewall
        
        PID:4152
      - C:\Windows\SysWOW64\KHATRA.exe
        
        C:\Windows\system32\KHATRA.exe
        6⤵
        Adds policy Run key to start application
        Disables RegEdit via registry modification
        Executes dropped EXE
        Adds Run key to start application
        Modifies WinLogon
        Drops autorun.inf file
        Drops file in System32 directory
        Drops file in Windows directory
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:3944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C AT /delete /yes
        7⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\at.exe
        
        AT /delete /yes
        8⤵
        
        PID:2888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        7⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\at.exe
        
        AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        8⤵
        
        PID:4764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll
        7⤵
        
        PID:3380
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        RegSvr32 /S C:\Windows\system32\avphost.dll
        8⤵
        
        PID:3616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        7⤵
        
        PID:4076
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        8⤵
        Modifies Windows Firewall
        
        PID:2004
      - C:\Windows\SysWOW64\KHATRA.exe
        
        C:\Windows\system32\KHATRA.exe
        6⤵
        Adds policy Run key to start application
        Disables RegEdit via registry modification
        Executes dropped EXE
        Adds Run key to start application
        Modifies WinLogon
        Drops autorun.inf file
        Drops file in System32 directory
        Drops file in Windows directory
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:3240
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C AT /delete /yes
        7⤵
        
        PID:4656
        
        C:\Windows\SysWOW64\at.exe
        
        AT /delete /yes
        8⤵
        
        PID:4776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        7⤵
        
        PID:1788
        
        C:\Windows\SysWOW64\at.exe
        
        AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        8⤵
        
        PID:4808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll
        7⤵
        
        PID:3572
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        RegSvr32 /S C:\Windows\system32\avphost.dll
        8⤵
        
        PID:1540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        7⤵
        
        PID:1272
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        8⤵
        Modifies Windows Firewall
        
        PID:2840
      - C:\Windows\SysWOW64\KHATRA.exe
        
        C:\Windows\system32\KHATRA.exe
        6⤵
        Adds policy Run key to start application
        Disables RegEdit via registry modification
        Executes dropped EXE
        Adds Run key to start application
        Modifies WinLogon
        Drops autorun.inf file
        Drops file in System32 directory
        Drops file in Windows directory
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C AT /delete /yes
        7⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\at.exe
        
        AT /delete /yes
        8⤵
        
        PID:4636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        7⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\at.exe
        
        AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        8⤵
        
        PID:2044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll
        7⤵
        
        PID:1576
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        RegSvr32 /S C:\Windows\system32\avphost.dll
        8⤵
        
        PID:4196
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        7⤵
        
        PID:2072
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        8⤵
        Modifies Windows Firewall
        
        PID:4616
      - C:\Windows\SysWOW64\KHATRA.exe
        
        C:\Windows\system32\KHATRA.exe
        6⤵
        Adds policy Run key to start application
        Disables RegEdit via registry modification
        Executes dropped EXE
        Adds Run key to start application
        Modifies WinLogon
        Drops autorun.inf file
        Drops file in System32 directory
        Drops file in Windows directory
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:3860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C AT /delete /yes
        7⤵
        
        PID:1908
        
        C:\Windows\SysWOW64\at.exe
        
        AT /delete /yes
        8⤵
        
        PID:3260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        7⤵
        
        PID:3744
        
        C:\Windows\SysWOW64\at.exe
        
        AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        8⤵
        
        PID:5012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll
        7⤵
        
        PID:4372
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        RegSvr32 /S C:\Windows\system32\avphost.dll
        8⤵
        
        PID:3616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        7⤵
        
        PID:4080
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        8⤵
        Modifies Windows Firewall
        
        PID:1188
      - C:\Windows\SysWOW64\KHATRA.exe
        
        C:\Windows\system32\KHATRA.exe
        6⤵
        Adds policy Run key to start application
        Disables RegEdit via registry modification
        Executes dropped EXE
        Adds Run key to start application
        Modifies WinLogon
        Drops autorun.inf file
        Drops file in System32 directory
        Drops file in Windows directory
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C AT /delete /yes
        7⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\at.exe
        
        AT /delete /yes
        8⤵
        
        PID:4996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        7⤵
        
        PID:3784
        
        C:\Windows\SysWOW64\at.exe
        
        AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        8⤵
        
        PID:5072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll
        7⤵
        
        PID:3152
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        RegSvr32 /S C:\Windows\system32\avphost.dll
        8⤵
        
        PID:3696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        7⤵
        
        PID:4948
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        8⤵
        Modifies Windows Firewall
        
        PID:3172
      - C:\Windows\SysWOW64\KHATRA.exe
        
        C:\Windows\system32\KHATRA.exe
        6⤵
        Adds policy Run key to start application
        Disables RegEdit via registry modification
        Executes dropped EXE
        Adds Run key to start application
        Modifies WinLogon
        Drops autorun.inf file
        Drops file in System32 directory
        Drops file in Windows directory
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C AT /delete /yes
        7⤵
        
        PID:2020
        
        C:\Windows\SysWOW64\at.exe
        
        AT /delete /yes
        8⤵
        
        PID:3972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        7⤵
        
        PID:864
        
        C:\Windows\SysWOW64\at.exe
        
        AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        8⤵
        
        PID:408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll
        7⤵
        
        PID:100
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        RegSvr32 /S C:\Windows\system32\avphost.dll
        8⤵
        
        PID:3460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        7⤵
        
        PID:1084
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        8⤵
        Modifies Windows Firewall
        
        PID:3744
      - C:\Windows\SysWOW64\KHATRA.exe
        
        C:\Windows\system32\KHATRA.exe
        6⤵
        Adds policy Run key to start application
        Disables RegEdit via registry modification
        Executes dropped EXE
        Adds Run key to start application
        Modifies WinLogon
        Drops autorun.inf file
        Drops file in System32 directory
        Drops file in Windows directory
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C AT /delete /yes
        7⤵
        
        PID:2116
        
        C:\Windows\SysWOW64\at.exe
        
        AT /delete /yes
        8⤵
        
        PID:3084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        7⤵
        
        PID:3632
        
        C:\Windows\SysWOW64\at.exe
        
        AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        8⤵
        
        PID:2052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll
        7⤵
        
        PID:4556
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        RegSvr32 /S C:\Windows\system32\avphost.dll
        8⤵
        
        PID:2988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        7⤵
        
        PID:1356
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        8⤵
        Modifies Windows Firewall
        
        PID:4384
      - C:\Windows\SysWOW64\KHATRA.exe
        
        C:\Windows\system32\KHATRA.exe
        6⤵
        Adds policy Run key to start application
        Disables RegEdit via registry modification
        Executes dropped EXE
        Adds Run key to start application
        Modifies WinLogon
        Drops autorun.inf file
        Drops file in System32 directory
        Drops file in Windows directory
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:3128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C AT /delete /yes
        7⤵
        
        PID:1080
        
        C:\Windows\SysWOW64\at.exe
        
        AT /delete /yes
        8⤵
        
        PID:2880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        7⤵
        
        PID:1972
        
        C:\Windows\SysWOW64\at.exe
        
        AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        8⤵
        
        PID:3924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll
        7⤵
        
        PID:1120
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        RegSvr32 /S C:\Windows\system32\avphost.dll
        8⤵
        
        PID:852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        7⤵
        
        PID:4464
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        8⤵
        Modifies Windows Firewall
        
        PID:900
      - C:\Windows\SysWOW64\KHATRA.exe
        
        C:\Windows\system32\KHATRA.exe
        6⤵
        Adds policy Run key to start application
        Disables RegEdit via registry modification
        Executes dropped EXE
        Adds Run key to start application
        Modifies WinLogon
        Drops autorun.inf file
        Drops file in System32 directory
        Drops file in Windows directory
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C AT /delete /yes
        7⤵
        
        PID:4484
        
        C:\Windows\SysWOW64\at.exe
        
        AT /delete /yes
        8⤵
        
        PID:3788
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        7⤵
        
        PID:4636
        
        C:\Windows\SysWOW64\at.exe
        
        AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        8⤵
        
        PID:1576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll
        7⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        RegSvr32 /S C:\Windows\system32\avphost.dll
        8⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        7⤵
        
        PID:2976
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        8⤵
        Modifies Windows Firewall
        
        PID:3012
      - C:\Windows\SysWOW64\KHATRA.exe
        
        C:\Windows\system32\KHATRA.exe
        6⤵
        Adds policy Run key to start application
        Disables RegEdit via registry modification
        Executes dropped EXE
        Adds Run key to start application
        Modifies WinLogon
        Drops autorun.inf file
        Drops file in System32 directory
        Drops file in Windows directory
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2168
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C AT /delete /yes
        7⤵
        
        PID:1448
        
        C:\Windows\SysWOW64\at.exe
        
        AT /delete /yes
        8⤵
        
        PID:3616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        7⤵
        
        PID:2444
        
        C:\Windows\SysWOW64\at.exe
        
        AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        8⤵
        
        PID:3484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll
        7⤵
        
        PID:4240
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        RegSvr32 /S C:\Windows\system32\avphost.dll
        8⤵
        
        PID:5000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        7⤵
        
        PID:1772
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        8⤵
        Modifies Windows Firewall
        
        PID:4884
      - C:\Windows\SysWOW64\KHATRA.exe
        
        C:\Windows\system32\KHATRA.exe
        6⤵
        Adds policy Run key to start application
        Disables RegEdit via registry modification
        Executes dropped EXE
        Adds Run key to start application
        Modifies WinLogon
        Drops autorun.inf file
        Drops file in System32 directory
        Drops file in Windows directory
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C AT /delete /yes
        7⤵
        
        PID:2112
        
        C:\Windows\SysWOW64\at.exe
        
        AT /delete /yes
        8⤵
        
        PID:5116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        7⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\at.exe
        
        AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        8⤵
        
        PID:4552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll
        7⤵
        
        PID:4340
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        RegSvr32 /S C:\Windows\system32\avphost.dll
        8⤵
        
        PID:3720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        7⤵
        
        PID:448
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        8⤵
        Modifies Windows Firewall
        
        PID:3608
      - C:\Windows\SysWOW64\KHATRA.exe
        
        C:\Windows\system32\KHATRA.exe
        6⤵
        Adds policy Run key to start application
        Disables RegEdit via registry modification
        Executes dropped EXE
        Adds Run key to start application
        Modifies WinLogon
        Drops autorun.inf file
        Drops file in System32 directory
        Drops file in Windows directory
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C AT /delete /yes
        7⤵
        
        PID:540
        
        C:\Windows\SysWOW64\at.exe
        
        AT /delete /yes
        8⤵
        
        PID:1232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        7⤵
        
        PID:3648
        
        C:\Windows\SysWOW64\at.exe
        
        AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        8⤵
        
        PID:3452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll
        7⤵
        
        PID:2692
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        RegSvr32 /S C:\Windows\system32\avphost.dll
        8⤵
        
        PID:4236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        7⤵
        
        PID:2020
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        8⤵
        Modifies Windows Firewall
        
        PID:4344
      - C:\Windows\SysWOW64\KHATRA.exe
        
        C:\Windows\system32\KHATRA.exe
        6⤵
        Adds policy Run key to start application
        Disables RegEdit via registry modification
        Executes dropped EXE
        Adds Run key to start application
        Modifies WinLogon
        Drops autorun.inf file
        Drops file in System32 directory
        Drops file in Windows directory
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C AT /delete /yes
        7⤵
        
        PID:1560
        
        C:\Windows\SysWOW64\at.exe
        
        AT /delete /yes
        8⤵
        
        PID:4520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        7⤵
        
        PID:740
        
        C:\Windows\SysWOW64\at.exe
        
        AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        8⤵
        
        PID:1444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll
        7⤵
        
        PID:2056
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        RegSvr32 /S C:\Windows\system32\avphost.dll
        8⤵
        
        PID:4080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        7⤵
        
        PID:4576
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        8⤵
        Modifies Windows Firewall
        
        PID:4884
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C AT /delete /yes
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4648
      - C:\Windows\SysWOW64\at.exe
        
        AT /delete /yes
        6⤵
        
        PID:1352
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:980
      - C:\Windows\SysWOW64\at.exe
        
        AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        6⤵
        
        PID:4960
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll
        5⤵
        
        PID:3188
      - C:\Windows\SysWOW64\regsvr32.exe
        
        RegSvr32 /S C:\Windows\system32\avphost.dll
        6⤵
        
        PID:1084
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        5⤵
        
        PID:836
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        6⤵
        Modifies Windows Firewall
        
        PID:1000
  - - C:\Windows\System\gHost.exe
      "C:\Windows\System\gHost.exe" /Reproduce
      4⤵
      Executes dropped EXE
      Enumerates connected drives
      Suspicious behavior: GetForegroundWindowSpam
      PID:4992
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C AT /delete /yes
      4⤵
      Suspicious use of WriteProcessMemory
      PID:208
    - - C:\Windows\SysWOW64\at.exe
        
        AT /delete /yes
        5⤵
        
        PID:2228
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
      4⤵
      PID:2612
    - - C:\Windows\SysWOW64\at.exe
        
        AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        5⤵
        
        PID:5032
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll
      4⤵
      PID:3144
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        RegSvr32 /S C:\Windows\system32\avphost.dll
        5⤵
        
        PID:4352
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
      4⤵
      PID:2332
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        5⤵
        Modifies Windows Firewall
        
        PID:1304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\(Empty).LNK

Filesize
1KB

MD5
188f153b5735ce43d45c43cae9bee153

SHA1
d54e38a2642ff3dcd247c1fc0e2b8b2a66df98f7

SHA256
3b1f30be067a0f47a70060001e3e1a576f15fd77beac2271a493b6755a3a9bae

SHA512
1286448539d549bef72f20c51f3cda712e03ee053d458f3ec748adefdc802b7257137f18c45b9b2497a5f068c9d580baf83de7243e72d61ee2872f3b241fa9ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\7947.tmp

Filesize
406B

MD5
37512bcc96b2c0c0cf0ad1ed8cfae5cd

SHA1
edf7f17ce28e1c4c82207cab8ca77f2056ea545c

SHA256
27e678bf5dc82219d6edd744f0b82567a26e40f8a9dcd6487205e13058e3ed1f

SHA512
6d4252ab5aa441a76ce2127224fefcb221259ab4d39f06437b269bd6bfdaae009c8f34e9603ec734159553bc9f1359bdd70316cd426d73b171a9f17c41077641

Download Submit
C:\Users\Admin\AppData\Local\Temp\@AE6513.tmp.exe

Filesize
1.7MB

MD5
0333d72729b8430e448fed1d7337627c

SHA1
513ed07954962870f75de65765494b346cdc2906

SHA256
9727bb7c238ccd96f6a88dacf7a291fec2214bef1eb5694a8f311aae6a02b07b

SHA512
696cf6cf7395a5898208bba3bdad499fdb897e5448f00f2dfd10b213b71fab52b955367392f5970464ec74d6d4b602b112197b23245c559f5585272f47653061

Download Submit
C:\Users\Admin\AppData\Local\Temp\a5e04fde7fc118e447c2cfd1e93aac7245f881c43d34d48e0a5d39c663b5e2cc.exe

Filesize
475KB

MD5
f76e712e7d4a7105beae26912839a54e

SHA1
4fdb2bdf9e0c71efc34a297b3f1eb9bdee227a69

SHA256
c25155bf317cd421d795762bb5c3d7737c8fdc3e4acf0a3e178117df15d47997

SHA512
7a428894a6162d47c9703ebb922436155c1795a547a69d2a23c4d5749393b2e28a3f1afcc96c21bb00ad20d6e570692a1a4525d9741e8e294d2c20a3cc8f129f

Download Submit
C:\Users\Admin\AppData\Local\Temp\autBE6E.tmp

Filesize
125KB

MD5
4e43a95d88010accdf635bf6ade9ad05

SHA1
1c7136b3402af411b66288e1f460b9c7447850c3

SHA256
b6b7ede5e5de9c5bf60f8775fcfb1f5bc0faf4aa99c2404fd2090dcfa75f6408

SHA512
090d97c64ebb887353a7386532cec5ca7a84f84c831fc4213d42ce29aed607e535409f2d446dd552cad1d121ac960bb099603c05acb3f1bd168ab1983a5a9c38

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6B3D.tmp

Filesize
1.0MB

MD5
df2c63605573c2398d796370c11cb26c

SHA1
efba97e2184ba3941edb008fcc61d8873b2b1653

SHA256
07ffcde2097d0af67464907fec6a4079b92da11583013bae7d3313fa32312fe8

SHA512
d9726e33fcfa96415cc906bdb1b0e53eba674eaf30ed77d41d245c1c59aa53e222246f691d82fa3a45f049fbf23d441768f9da21370e489232770ad5ae91d32f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6B5D.tmp

Filesize
229KB

MD5
6f90e1169d19dfde14d6f753f06c862b

SHA1
e9bca93c68d7df73d000f4a6e6eb73a343682ac5

SHA256
70a392389aecd0f58251e72c3fd7e9159f481061d14209ff8708a0fd9ff584dc

SHA512
f0c898222e9578c01ebe1befac27a3fb68d8fb6e76c7d1dec7a8572c1aa3201bacf1e69aa63859e95606790cf09962bcf7dc33b770a6846bed5bd7ded957b0b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6B5E.tmp

Filesize
120KB

MD5
f558c76b0376af9273717fa24d99ebbf

SHA1
f84bcece5c6138b62ef94e9d668cf26178ee14cc

SHA256
01631353726dc51bcea311dbc012572cf96775e516b1c79a2de572ef15954b7a

SHA512
2092d1e126d0420fec5fc0311d6b99762506563f4890e4049e48e2d87dde5ac3e2e2ecc986ab305de2c6ceb619f18879a69a815d3241ccf8140bc5ea00c6768d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6B6F.tmp

Filesize
126KB

MD5
02ae22335713a8f6d6adf80bf418202b

SHA1
4c40c11f43df761b92a5745f85a799db7b389215

SHA256
ae5697f849fa48db6d3d13455c224fcf6ceb0602a1e8ac443e211dd0f32d50f4

SHA512
727d16102bfc768535b52a37e4e7b5d894f5daa268d220df108382c36dcce063afdbc31fd495a7a61305263ec4cd7e92713d894faa35b585c0b379217a1d929c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6B7F.tmp

Filesize
89KB

MD5
09203a9741b91f3a9ed01c82dcb8778d

SHA1
13e6f3fb169cd6aa5e4d450417a7e15665a2e140

SHA256
63149ad45db380f5dd15f65d9ceb2611d53a0a66e022483bee4ce2ff7d2610e2

SHA512
9e9e6fe0dd713417d0e28ba787cf862d55ecda9ee9f3df1eada144657f6a3b6ada1984fd05a3fffcd597a9715383225a8e40b6e5d0d8d39ec0d3a64b8dea9846

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6B80.tmp

Filesize
99KB

MD5
9a27bfb55dd768ae81ca8716db2da343

SHA1
55da0f4282bd838f72f435a5d4d24ac15b04482b

SHA256
5ec8093ef5939d1abce1c576097b584fb600b94ad767c1da897f7cb7f0063d26

SHA512
d9bb49d2f282ed09c351a1d8eb2540781e6a7fb39265473fd59d146bfc162f27a4ab1405301ed7395c12929a80551a399437d7d794d7ac48650e9037b60eb69c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6B91.tmp

Filesize
172KB

MD5
2634fa3a332c297711cb59d43f54ffce

SHA1
8e2b68d0ee4e792efb1945ba86eceb87f07087d2

SHA256
27c945ccb84aa024f1f063701327e829a7ef3a7ede4a43b2febbb1dddbdf8740

SHA512
84e4799b9b18a7cc7be685c793a9b4fb135ea331d1d235fe823e1d7091130f131ab2fbad1da4dea795e82547aa16b00f4e2a9faaa96cb522d795f9abfda2fc53

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6B92.tmp

Filesize
276KB

MD5
e07c6a9e595f045fadc463dfda44ab16

SHA1
e6b199272ade02613f2003c365a4cb1487431e23

SHA256
d2fa6f9686386a92253a9c5ea25ace702a111483540b60c1300789235cea7fdc

SHA512
f3c630ae8381b99519aeeadbc2918810e7fb09a909f73ee6c46f4e9d3cf8c5051a5cf763db6a775d6cd8713ccf95a63b18df9ed756fa28276e8d7ab6a47f2cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\wtmps.exe

Filesize
276KB

MD5
75c1467042b38332d1ea0298f29fb592

SHA1
f92ea770c2ddb04cf0d20914578e4c482328f0f8

SHA256
3b20c853d4ca23240cd338b8cab16f1027c540ddfe9c4ffdca1624d2f923b373

SHA512
5c47c59ad222e2597ccdf2c100853c48f022e933f44c279154346eacf9e7e6f54214ada541d43a10424035f160b56131aab206c11512a9fd6ea614fbd3160aa0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Defender\launch.exe

Filesize
172KB

MD5
daac1781c9d22f5743ade0cb41feaebf

SHA1
e2549eeeea42a6892b89d354498fcaa8ffd9cac4

SHA256
6a7093440420306cf7de53421a67af8a1094771e0aab9535acbd748d08ed766c

SHA512
190a7d5291e20002f996edf1e04456bfdff8b7b2f4ef113178bd42a9e5fd89fe6d410ae2c505de0358c4f53f9654ac1caaa8634665afa6d9691640dd4ee86160

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe

Filesize
1.7MB

MD5
7be4057e47f03dd58dd15b4a0bf51ed3

SHA1
a61c5f265cf92ca3a461cdd182b4ccfbbcb1b11f

SHA256
6016a7081c2945658845775b4bcc635afd1d716f207542732b1abe78a289b8cb

SHA512
6419e68621763d6b37959acbb91674edbee0077ba173aefaf134861e52ad435e8a58d3dbb0b916ef9a4e812a9bce3b8cc180ffd88e695e59be7135340b6b408b

Download Submit
C:\Users\Admin\AppData\Roaming\Temp\Admin0.bat

Filesize
129B

MD5
d1073c9b34d1bbd570928734aacff6a5

SHA1
78714e24e88d50e0da8da9d303bec65b2ee6d903

SHA256
b3c704b1a728004fc5e25899d72930a7466d7628dd6ddd795b3000897dfa4020

SHA512
4f2b9330e30fcc55245dc5d12311e105b2b2b9d607fbfc4a203c69a740006f0af58d6a01e2da284575a897528da71a2e61a7321034755b78feb646c8dd12347f

Download Submit
C:\Users\Admin\AppData\Roaming\Temp\Admin1.bat

Filesize
196B

MD5
d04dfac1dd94da4f6f1a601374971df3

SHA1
3db28cc5977f7f858b0bb9fa1f11e5e934e4cd44

SHA256
ca3b2b39edb7ae61fbbf2846cc423688eedfa86921a436cf5cac55a42884e7e1

SHA512
d0e628cff2985e308566dfab01ca2039dd5d999d3aca4a6af658fba467d52b9dea48d6c7e6a968b8955b96e95debf4a6293b7dca37639ffd66e22dd398399b8b

Download Submit
C:\Users\Admin\AppData\Roaming\Temp\Admin1.bat

Filesize
126B

MD5
7e17c8ceaab0c0fa2485057c25e81932

SHA1
b30075363fa685af9715c8507732be1a0dbedbb0

SHA256
13336f8adf5fdf1b87d6fe2d190ff5183eeba9f35d04945d0a4262aa9ac6639f

SHA512
5f2343bd9d3849377f3178aea2086878207a9505883b5c9bc8beee64bc9dbe6a105c0eb0b0dd256145f2c22aabac8b843a9be922759d01df455801466aab9870

Download Submit
C:\Users\Admin\AppData\Roaming\Temp\Admin2.bat

Filesize
102B

MD5
3ca08f080a7a28416774d80552d4aa08

SHA1
0b5f0ba641204b27adac4140fd45dce4390dbf24

SHA256
4e7d460b8dc9f2c01b4c5a16fb956aced10127bc940e8039a80c6455901ea1f0

SHA512
0c64aa462ff70473ef763ec392296fe0ea59b5340c26978531a416732bc3845adf9ca7b673cb7b4ba40cc45674351206096995c43600fccbbbe64e51b6019f01

Download Submit
C:\Users\Admin\AppData\Roaming\Temp\mydll.dll

Filesize
388KB

MD5
8d7db101a7211fe3309dc4dc8cf2dd0a

SHA1
6c2781eadf53b3742d16dab2f164baf813f7ac85

SHA256
93db7c9699594caa19490280842fbebec3877278c92128b92e63d75fcd01397a

SHA512
8b139d447068519997f7bbc2c7c2fe3846b89ae1fba847258277c9ab92a93583b28fae7ffa444768929ed5852cc914c0270446cbf0bd20aca49bde6b6f809c83

Download Submit
C:\Windows\INF\Autoplay.inF

Filesize
234B

MD5
7ae2f1a7ce729d91acfef43516e5a84c

SHA1
ebbc99c7e5ac5679de2881813257576ec980fb44

SHA256
43b2fee4fbe5b4a83ae32589d11c3f45ad1988dd5357f790ec708fdfd6709a98

SHA512
915b67d31a7034659360355cb00f9620bf9c64cc06660ea55e5fcba0096f1ac782ac7550f778c4874f63082820c03fbbf4dd05169b0de61a661a202f10a4eff9

Download Submit
C:\Windows\SysWOW64\mscaps.exe

Filesize
200KB

MD5
78d3c8705f8baf7d34e6a6737d1cfa18

SHA1
9f09e248a29311dbeefae9d85937b13da042a010

SHA256
2c4c9ec8e9291ba5c73f641af2e0c3e1bbd257ac40d9fb9d3faab7cebc978905

SHA512
9a3c3175276da58f1bc8d1138e63238c8d8ccfbfa1a8a1338e88525eca47f8d745158bb34396b7c3f25e4296be5f45a71781da33ad0bbdf7ad88a9c305b85609

Download Submit
memory/224-900-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/408-798-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/1088-698-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/1484-1026-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/1640-1000-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/1688-176-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/1688-397-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/1788-21-0x0000000010000000-0x0000000010015000-memory.dmp

Filesize
84KB

Download
memory/1848-570-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/1908-598-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/2044-950-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/2168-974-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/2420-622-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/2672-724-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/2952-0-0x00000000004D3000-0x00000000004D5000-memory.dmp

Filesize
8KB

Download
memory/3128-924-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/3240-774-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/3408-444-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/3408-414-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/3464-538-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/3464-510-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/3860-824-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/3944-748-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/4092-848-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/4120-937-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/4120-585-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/4120-495-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/4120-635-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/4120-987-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/4120-811-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/4120-540-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/4120-685-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/4120-1013-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/4120-431-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/4120-711-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/4120-887-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/4120-849-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/4120-348-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/4120-761-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/4452-412-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/4452-315-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/4520-874-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/4544-475-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/4544-446-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/4672-672-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/4912-648-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/4960-477-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/4960-508-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/4992-938-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/4992-762-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/4992-888-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/4992-432-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/4992-496-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/4992-812-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/4992-686-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/4992-712-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/4992-353-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/4992-636-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/4992-988-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/4992-850-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/4992-586-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/4992-1014-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/4992-541-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download