e10874ab420cb32cef248f4ba9a7074268597316d813d1176580a2677e344588

Analysis

max time kernel
150s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
31-10-2024 08:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

82762edbcceecc53d46d76988ae4d134_JaffaCakes118.exe
Size

555KB
MD5

82762edbcceecc53d46d76988ae4d134
SHA1

5c170ede2eadf2003bba8c8bd519876e044ee542
SHA256

e10874ab420cb32cef248f4ba9a7074268597316d813d1176580a2677e344588
SHA512

7c61d74a6e25fcb10bc6e51f9417f77a20583115cf6965bd7578b67fa8101db0887e24b3283ba4f74e3d58652b4eafc9e2136c8150696e493ec2735150fa0508
SSDEEP

6144:sBaZA6AM5tm1BS4i4jARHKhyFxQZZxbU3GABUs4r110glX1Wt10glX19CSYesP91:scA6SbVi42BFx8dU3lMB1fe1fEeshYc

Score

8^/10

discovery evasion persistence privilege_escalation

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 46 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\G_Host = "\"C:\\Windows\\System\\gHost.exe\" /Reproduce"	KHATRA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\G_Host = "\"C:\\Windows\\System\\gHost.exe\" /Reproduce"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\G_Host = "\"C:\\Windows\\System\\gHost.exe\" /Reproduce"	KHATRA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\G_Host = "\"C:\\Windows\\System\\gHost.exe\" /Reproduce"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\G_Host = "\"C:\\Windows\\System\\gHost.exe\" /Reproduce"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\G_Host = "\"C:\\Windows\\System\\gHost.exe\" /Reproduce"	KHATRA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	KHATRA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	KHATRA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\G_Host = "\"C:\\Windows\\System\\gHost.exe\" /Reproduce"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\G_Host = "\"C:\\Windows\\System\\gHost.exe\" /Reproduce"	KHATRA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	KHATRA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	KHATRA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	KHATRA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\G_Host = "\"C:\\Windows\\System\\gHost.exe\" /Reproduce"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\G_Host = "\"C:\\Windows\\System\\gHost.exe\" /Reproduce"	KHATRA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	KHATRA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	KHATRA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	KHATRA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\G_Host = "\"C:\\Windows\\System\\gHost.exe\" /Reproduce"	KHATRA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\G_Host = "\"C:\\Windows\\System\\gHost.exe\" /Reproduce"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\G_Host = "\"C:\\Windows\\System\\gHost.exe\" /Reproduce"	KHATRA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\G_Host = "\"C:\\Windows\\System\\gHost.exe\" /Reproduce"	KHATRA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\G_Host = "\"C:\\Windows\\System\\gHost.exe\" /Reproduce"	KHATRA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\G_Host = "\"C:\\Windows\\System\\gHost.exe\" /Reproduce"	KHATRA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	KHATRA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	KHATRA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	KHATRA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	82762edbcceecc53d46d76988ae4d134_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\G_Host = "\"C:\\Windows\\System\\gHost.exe\" /Reproduce"	82762edbcceecc53d46d76988ae4d134_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\G_Host = "\"C:\\Windows\\System\\gHost.exe\" /Reproduce"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\G_Host = "\"C:\\Windows\\System\\gHost.exe\" /Reproduce"	KHATRA.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\G_Host = "\"C:\\Windows\\System\\gHost.exe\" /Reproduce"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\G_Host = "\"C:\\Windows\\System\\gHost.exe\" /Reproduce"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\G_Host = "\"C:\\Windows\\System\\gHost.exe\" /Reproduce"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\G_Host = "\"C:\\Windows\\System\\gHost.exe\" /Reproduce"	KHATRA.exe

Disables RegEdit via registry modification 23 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	KHATRA.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	82762edbcceecc53d46d76988ae4d134_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	KHATRA.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	KHATRA.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	KHATRA.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	KHATRA.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	KHATRA.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	KHATRA.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	KHATRA.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	KHATRA.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	KHATRA.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	KHATRA.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	KHATRA.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	KHATRA.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	KHATRA.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	KHATRA.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	KHATRA.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	KHATRA.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	KHATRA.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	KHATRA.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	KHATRA.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	KHATRA.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	KHATRA.exe

Modifies Windows Firewall 2 TTPs 22 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
4720	netsh.exe
1324	netsh.exe
2988	netsh.exe
624	netsh.exe
4744	netsh.exe
1676	netsh.exe
2288	netsh.exe
1732	netsh.exe
4316	netsh.exe
3372	netsh.exe
2692	netsh.exe
4048	netsh.exe
3208	netsh.exe
3624	netsh.exe
3440	netsh.exe
1948	netsh.exe
1680	netsh.exe
2308	netsh.exe
3104	netsh.exe
2884	netsh.exe
1456	netsh.exe
532	netsh.exe

Executes dropped EXE 31 IoCs

pid	Process
5060	KHATRA.exe
5024	Xplorer.exe
2300	gHost.exe
3756	gHost.exe
3608	KHATRA.exe
2364	KHATRA.exe
3660	KHATRA.exe
4144	KHATRA.exe
5004	KHATRA.exe
4632	KHATRA.exe
3168	KHATRA.exe
2480	KHATRA.exe
4588	KHATRA.exe
3668	KHATRA.exe
4768	KHATRA.exe
5096	KHATRA.exe
3440	KHATRA.exe
1780	KHATRA.exe
4048	KHATRA.exe
468	KHATRA.exe
2064	KHATRA.exe
4744	KHATRA.exe
3104	KHATRA.exe
3608	KHATRA.exe
4192	KHATRA.exe
1104	KHATRA.exe
3148	KHATRA.exe
1580	KHATRA.exe
5088	KHATRA.exe
3536	KHATRA.exe
184	KHATRA.exe

Adds Run key to start application 2 TTPs 51 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\1 = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "C:\\Windows\\Xplorer.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "\"C:\\Windows\\Xplorer.exe\" /Windows"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "\"C:\\Windows\\Xplorer.exe\" /Windows"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "C:\\Windows\\Xplorer.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "\"C:\\Windows\\Xplorer.exe\" /Windows"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\1 = "C:\\Windows\\Xplorer.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "C:\\Windows\\Xplorer.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "\"C:\\Windows\\Xplorer.exe\" /Windows"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "\"C:\\Windows\\Xplorer.exe\" /Windows"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "\"C:\\Windows\\Xplorer.exe\" /Windows"	82762edbcceecc53d46d76988ae4d134_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\1 = "C:\\Windows\\Xplorer.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "\"C:\\Windows\\Xplorer.exe\" /Windows"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "C:\\Windows\\Xplorer.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "C:\\Windows\\Xplorer.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\1 = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "\"C:\\Windows\\Xplorer.exe\" /Windows"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "\"C:\\Windows\\Xplorer.exe\" /Windows"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "\"C:\\Windows\\Xplorer.exe\" /Windows"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "\"C:\\Windows\\Xplorer.exe\" /Windows"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "C:\\Windows\\Xplorer.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "\"C:\\Windows\\Xplorer.exe\" /Windows"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\1 = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\1 = "C:\\Windows\\Xplorer.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "\"C:\\Windows\\Xplorer.exe\" /Windows"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "\"C:\\Windows\\Xplorer.exe\" /Windows"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "C:\\Windows\\Xplorer.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\1 = "C:\\Windows\\Xplorer.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "C:\\Windows\\Xplorer.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "\"C:\\Windows\\Xplorer.exe\" /Windows"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\1 = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\1 = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "\"C:\\Windows\\Xplorer.exe\" /Windows"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "\"C:\\Windows\\Xplorer.exe\" /Windows"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "\"C:\\Windows\\Xplorer.exe\" /Windows"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "C:\\Windows\\Xplorer.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "\"C:\\Windows\\Xplorer.exe\" /Windows"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "\"C:\\Windows\\Xplorer.exe\" /Windows"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "\"C:\\Windows\\Xplorer.exe\" /Windows"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "\"C:\\Windows\\Xplorer.exe\" /Windows"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\1 = "C:\\Windows\\Xplorer.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "C:\\Windows\\Xplorer.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "C:\\Windows\\Xplorer.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\1 = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\1 = "C:\\Windows\\Xplorer.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "\"C:\\Windows\\Xplorer.exe\" /Windows"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Xplorer = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\p:	gHost.exe
File opened (read-only)	\??\q:	gHost.exe
File opened (read-only)	\??\y:	gHost.exe
File opened (read-only)	\??\z:	gHost.exe
File opened (read-only)	\??\k:	gHost.exe
File opened (read-only)	\??\l:	gHost.exe
File opened (read-only)	\??\e:	gHost.exe
File opened (read-only)	\??\g:	gHost.exe
File opened (read-only)	\??\j:	gHost.exe
File opened (read-only)	\??\n:	gHost.exe
File opened (read-only)	\??\o:	gHost.exe
File opened (read-only)	\??\s:	gHost.exe
File opened (read-only)	\??\a:	gHost.exe
File opened (read-only)	\??\b:	gHost.exe
File opened (read-only)	\??\v:	gHost.exe
File opened (read-only)	\??\w:	gHost.exe
File opened (read-only)	\??\i:	gHost.exe
File opened (read-only)	\??\u:	gHost.exe
File opened (read-only)	\??\r:	gHost.exe
File opened (read-only)	\??\t:	gHost.exe
File opened (read-only)	\??\x:	gHost.exe
File opened (read-only)	\??\h:	gHost.exe
File opened (read-only)	\??\m:	gHost.exe

Modifies WinLogon 2 TTPs 23 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman = "C:\\Windows\\system32\\KHATRA.exe"	82762edbcceecc53d46d76988ae4d134_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman = "C:\\Windows\\system32\\KHATRA.exe"	KHATRA.exe

AutoIT Executable 64 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/memory/2300-47-0x0000000000400000-0x00000000004C5000-memory.dmp	autoit_exe
behavioral2/memory/2300-51-0x0000000000400000-0x00000000004C5000-memory.dmp	autoit_exe
behavioral2/memory/4036-90-0x0000000000400000-0x00000000004C5000-memory.dmp	autoit_exe
behavioral2/memory/5060-92-0x0000000000400000-0x00000000004C5000-memory.dmp	autoit_exe
behavioral2/memory/5024-112-0x0000000000400000-0x00000000004C5000-memory.dmp	autoit_exe
behavioral2/memory/3756-113-0x0000000000400000-0x00000000004C5000-memory.dmp	autoit_exe
behavioral2/memory/3608-125-0x0000000000400000-0x00000000004C5000-memory.dmp	autoit_exe
behavioral2/memory/2364-154-0x0000000000400000-0x00000000004C5000-memory.dmp	autoit_exe
behavioral2/memory/5024-171-0x0000000000400000-0x00000000004C5000-memory.dmp	autoit_exe
behavioral2/memory/3756-172-0x0000000000400000-0x00000000004C5000-memory.dmp	autoit_exe
behavioral2/memory/3660-184-0x0000000000400000-0x00000000004C5000-memory.dmp	autoit_exe
behavioral2/memory/5004-188-0x0000000000400000-0x00000000004C5000-memory.dmp	autoit_exe
behavioral2/memory/4144-187-0x0000000000400000-0x00000000004C5000-memory.dmp	autoit_exe
behavioral2/memory/5024-189-0x0000000000400000-0x00000000004C5000-memory.dmp	autoit_exe
behavioral2/memory/3756-190-0x0000000000400000-0x00000000004C5000-memory.dmp	autoit_exe
behavioral2/memory/4144-192-0x0000000000400000-0x00000000004C5000-memory.dmp	autoit_exe
behavioral2/memory/5004-194-0x0000000000400000-0x00000000004C5000-memory.dmp	autoit_exe
behavioral2/memory/4632-196-0x0000000000400000-0x00000000004C5000-memory.dmp	autoit_exe
behavioral2/memory/4632-224-0x0000000000400000-0x00000000004C5000-memory.dmp	autoit_exe
behavioral2/memory/5024-241-0x0000000000400000-0x00000000004C5000-memory.dmp	autoit_exe
behavioral2/memory/3756-242-0x0000000000400000-0x00000000004C5000-memory.dmp	autoit_exe
behavioral2/memory/3168-254-0x0000000000400000-0x00000000004C5000-memory.dmp	autoit_exe
behavioral2/memory/2480-285-0x0000000000400000-0x00000000004C5000-memory.dmp	autoit_exe
behavioral2/memory/4588-287-0x0000000000400000-0x00000000004C5000-memory.dmp	autoit_exe
behavioral2/memory/3756-291-0x0000000000400000-0x00000000004C5000-memory.dmp	autoit_exe
behavioral2/memory/5024-290-0x0000000000400000-0x00000000004C5000-memory.dmp	autoit_exe
behavioral2/memory/3668-294-0x0000000000400000-0x00000000004C5000-memory.dmp	autoit_exe
behavioral2/memory/4588-295-0x0000000000400000-0x00000000004C5000-memory.dmp	autoit_exe
behavioral2/memory/5024-313-0x0000000000400000-0x00000000004C5000-memory.dmp	autoit_exe
behavioral2/memory/3756-314-0x0000000000400000-0x00000000004C5000-memory.dmp	autoit_exe
behavioral2/memory/4768-327-0x0000000000400000-0x00000000004C5000-memory.dmp	autoit_exe
behavioral2/memory/5096-351-0x0000000000400000-0x00000000004C5000-memory.dmp	autoit_exe
behavioral2/memory/5024-365-0x0000000000400000-0x00000000004C5000-memory.dmp	autoit_exe
behavioral2/memory/5024-366-0x0000000000400000-0x00000000004C5000-memory.dmp	autoit_exe
behavioral2/memory/3756-368-0x0000000000400000-0x00000000004C5000-memory.dmp	autoit_exe
behavioral2/memory/3756-367-0x0000000000400000-0x00000000004C5000-memory.dmp	autoit_exe
behavioral2/memory/3440-380-0x0000000000400000-0x00000000004C5000-memory.dmp	autoit_exe
behavioral2/memory/1780-405-0x0000000000400000-0x00000000004C5000-memory.dmp	autoit_exe
behavioral2/memory/5024-406-0x0000000000400000-0x00000000004C5000-memory.dmp	autoit_exe
behavioral2/memory/4048-407-0x0000000000400000-0x00000000004C5000-memory.dmp	autoit_exe
behavioral2/memory/3756-420-0x0000000000400000-0x00000000004C5000-memory.dmp	autoit_exe
behavioral2/memory/4048-432-0x0000000000400000-0x00000000004C5000-memory.dmp	autoit_exe
behavioral2/memory/5024-445-0x0000000000400000-0x00000000004C5000-memory.dmp	autoit_exe
behavioral2/memory/3756-446-0x0000000000400000-0x00000000004C5000-memory.dmp	autoit_exe
behavioral2/memory/468-459-0x0000000000400000-0x00000000004C5000-memory.dmp	autoit_exe
behavioral2/memory/2064-484-0x0000000000400000-0x00000000004C5000-memory.dmp	autoit_exe
behavioral2/memory/5024-497-0x0000000000400000-0x00000000004C5000-memory.dmp	autoit_exe
behavioral2/memory/3756-498-0x0000000000400000-0x00000000004C5000-memory.dmp	autoit_exe
behavioral2/memory/4744-511-0x0000000000400000-0x00000000004C5000-memory.dmp	autoit_exe
behavioral2/memory/5024-524-0x0000000000400000-0x00000000004C5000-memory.dmp	autoit_exe
behavioral2/memory/3756-526-0x0000000000400000-0x00000000004C5000-memory.dmp	autoit_exe
behavioral2/memory/3104-538-0x0000000000400000-0x00000000004C5000-memory.dmp	autoit_exe
behavioral2/memory/3608-562-0x0000000000400000-0x00000000004C5000-memory.dmp	autoit_exe
behavioral2/memory/5024-575-0x0000000000400000-0x00000000004C5000-memory.dmp	autoit_exe
behavioral2/memory/3756-576-0x0000000000400000-0x00000000004C5000-memory.dmp	autoit_exe
behavioral2/memory/4192-589-0x0000000000400000-0x00000000004C5000-memory.dmp	autoit_exe
behavioral2/memory/1104-590-0x0000000000400000-0x00000000004C5000-memory.dmp	autoit_exe
behavioral2/memory/3148-591-0x0000000000400000-0x00000000004C5000-memory.dmp	autoit_exe
behavioral2/memory/5024-604-0x0000000000400000-0x00000000004C5000-memory.dmp	autoit_exe
behavioral2/memory/3756-605-0x0000000000400000-0x00000000004C5000-memory.dmp	autoit_exe
behavioral2/memory/1580-617-0x0000000000400000-0x00000000004C5000-memory.dmp	autoit_exe
behavioral2/memory/5024-630-0x0000000000400000-0x00000000004C5000-memory.dmp	autoit_exe
behavioral2/memory/3756-631-0x0000000000400000-0x00000000004C5000-memory.dmp	autoit_exe
behavioral2/memory/5088-643-0x0000000000400000-0x00000000004C5000-memory.dmp	autoit_exe

Drops autorun.inf file 1 TTPs 23 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File created	C:\Users\Admin\Local Settings\Application Data\Microsoft\CD Burning\AUTORUN.inF	KHATRA.exe
File created	C:\Users\Admin\Local Settings\Application Data\Microsoft\CD Burning\AUTORUN.inF	KHATRA.exe
File created	C:\Users\Admin\Local Settings\Application Data\Microsoft\CD Burning\AUTORUN.inF	KHATRA.exe
File created	C:\Users\Admin\Local Settings\Application Data\Microsoft\CD Burning\AUTORUN.inF	KHATRA.exe
File created	C:\Users\Admin\Local Settings\Application Data\Microsoft\CD Burning\AUTORUN.inF	KHATRA.exe
File created	C:\Users\Admin\Local Settings\Application Data\Microsoft\CD Burning\AUTORUN.inF	KHATRA.exe
File created	C:\Users\Admin\Local Settings\Application Data\Microsoft\CD Burning\AUTORUN.inF	KHATRA.exe
File created	C:\Users\Admin\Local Settings\Application Data\Microsoft\CD Burning\AUTORUN.inF	KHATRA.exe
File created	C:\Users\Admin\Local Settings\Application Data\Microsoft\CD Burning\AUTORUN.inF	KHATRA.exe
File created	C:\Users\Admin\Local Settings\Application Data\Microsoft\CD Burning\AUTORUN.inF	KHATRA.exe
File created	C:\Users\Admin\Local Settings\Application Data\Microsoft\CD Burning\AUTORUN.inF	KHATRA.exe
File created	C:\Users\Admin\Local Settings\Application Data\Microsoft\CD Burning\AUTORUN.inF	KHATRA.exe
File created	C:\Users\Admin\Local Settings\Application Data\Microsoft\CD Burning\AUTORUN.inF	KHATRA.exe
File created	C:\Users\Admin\Local Settings\Application Data\Microsoft\CD Burning\AUTORUN.inF	82762edbcceecc53d46d76988ae4d134_JaffaCakes118.exe
File created	C:\Users\Admin\Local Settings\Application Data\Microsoft\CD Burning\AUTORUN.inF	KHATRA.exe
File created	C:\Users\Admin\Local Settings\Application Data\Microsoft\CD Burning\AUTORUN.inF	KHATRA.exe
File created	C:\Users\Admin\Local Settings\Application Data\Microsoft\CD Burning\AUTORUN.inF	KHATRA.exe
File created	C:\Users\Admin\Local Settings\Application Data\Microsoft\CD Burning\AUTORUN.inF	KHATRA.exe
File created	C:\Users\Admin\Local Settings\Application Data\Microsoft\CD Burning\AUTORUN.inF	KHATRA.exe
File created	C:\Users\Admin\Local Settings\Application Data\Microsoft\CD Burning\AUTORUN.inF	KHATRA.exe
File created	C:\Users\Admin\Local Settings\Application Data\Microsoft\CD Burning\AUTORUN.inF	KHATRA.exe
File created	C:\Users\Admin\Local Settings\Application Data\Microsoft\CD Burning\AUTORUN.inF	KHATRA.exe
File created	C:\Users\Admin\Local Settings\Application Data\Microsoft\CD Burning\AUTORUN.inF	KHATRA.exe

Drops file in System32 directory 45 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File created	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File created	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File created	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File created	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File created	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File opened for modification	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File opened for modification	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File created	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File opened for modification	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File created	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File opened for modification	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File created	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File created	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File created	C:\Windows\SysWOW64\KHATRA.exe	82762edbcceecc53d46d76988ae4d134_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File created	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File opened for modification	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File created	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File opened for modification	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File created	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File opened for modification	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File opened for modification	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File created	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File opened for modification	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File opened for modification	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File created	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File opened for modification	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File opened for modification	C:\Windows\SysWOW64\KHATRA.exe	82762edbcceecc53d46d76988ae4d134_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File opened for modification	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File opened for modification	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File opened for modification	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File created	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File opened for modification	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File opened for modification	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File created	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File created	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File opened for modification	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File opened for modification	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File opened for modification	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File created	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File opened for modification	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File created	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe
File created	C:\Windows\SysWOW64\KHATRA.exe	KHATRA.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System\gHost.exe	KHATRA.exe
File opened for modification	C:\Windows\Xplorer.exe	KHATRA.exe
File opened for modification	C:\Windows\KHATARNAKH.exe	KHATRA.exe
File opened for modification	C:\Windows\Xplorer.exe	KHATRA.exe
File opened for modification	C:\Windows\inf\Autoplay.inF	KHATRA.exe
File created	C:\Windows\System\gHost.exe	KHATRA.exe
File created	C:\Windows\Xplorer.exe	KHATRA.exe
File opened for modification	C:\Windows\Xplorer.exe	KHATRA.exe
File opened for modification	C:\Windows\KHATARNAKH.exe	KHATRA.exe
File created	C:\Windows\Xplorer.exe	KHATRA.exe
File created	C:\Windows\System\gHost.exe	KHATRA.exe
File opened for modification	C:\Windows\KHATARNAKH.exe	KHATRA.exe
File opened for modification	C:\Windows\KHATARNAKH.exe	KHATRA.exe
File created	C:\Windows\System\gHost.exe	KHATRA.exe
File created	C:\Windows\KHATARNAKH.exe	KHATRA.exe
File created	C:\Windows\System\gHost.exe	KHATRA.exe
File opened for modification	C:\Windows\Xplorer.exe	82762edbcceecc53d46d76988ae4d134_JaffaCakes118.exe
File opened for modification	C:\Windows\INF\Autoplay.inF	KHATRA.exe
File opened for modification	C:\Windows\KHATARNAKH.exe	KHATRA.exe
File opened for modification	C:\Windows\inf\Autoplay.inF	KHATRA.exe
File created	C:\Windows\Xplorer.exe	KHATRA.exe
File opened for modification	C:\Windows\inf\Autoplay.inF	KHATRA.exe
File opened for modification	C:\Windows\INF\Autoplay.inF	KHATRA.exe
File created	C:\Windows\System\gHost.exe	KHATRA.exe
File created	C:\Windows\KHATARNAKH.exe	KHATRA.exe
File opened for modification	C:\Windows\INF\Autoplay.inF	KHATRA.exe
File opened for modification	C:\Windows\INF\Autoplay.inF	KHATRA.exe
File created	C:\Windows\KHATARNAKH.exe	KHATRA.exe
File opened for modification	C:\Windows\Xplorer.exe	KHATRA.exe
File opened for modification	C:\Windows\System\gHost.exe	KHATRA.exe
File opened for modification	C:\Windows\System\gHost.exe	KHATRA.exe
File created	C:\Windows\Xplorer.exe	82762edbcceecc53d46d76988ae4d134_JaffaCakes118.exe
File opened for modification	C:\Windows\inf\Autoplay.inF	KHATRA.exe
File opened for modification	C:\Windows\KHATARNAKH.exe	KHATRA.exe
File opened for modification	C:\Windows\System\gHost.exe	KHATRA.exe
File opened for modification	C:\Windows\System\gHost.exe	KHATRA.exe
File opened for modification	C:\Windows\Xplorer.exe	KHATRA.exe
File opened for modification	C:\Windows\System\gHost.exe	KHATRA.exe
File created	C:\Windows\KHATARNAKH.exe	KHATRA.exe
File opened for modification	C:\Windows\System\gHost.exe	KHATRA.exe
File created	C:\Windows\System\gHost.exe	KHATRA.exe
File created	C:\Windows\Xplorer.exe	KHATRA.exe
File created	C:\Windows\KHATARNAKH.exe	KHATRA.exe
File created	C:\Windows\KHATARNAKH.exe	KHATRA.exe
File created	C:\Windows\Xplorer.exe	KHATRA.exe
File opened for modification	C:\Windows\inf\Autoplay.inF	KHATRA.exe
File opened for modification	C:\Windows\inf\Autoplay.inF	KHATRA.exe
File created	C:\Windows\Xplorer.exe	KHATRA.exe
File created	C:\Windows\KHATARNAKH.exe	KHATRA.exe
File created	C:\Windows\KHATARNAKH.exe	82762edbcceecc53d46d76988ae4d134_JaffaCakes118.exe
File created	C:\Windows\Xplorer.exe	KHATRA.exe
File created	C:\Windows\KHATARNAKH.exe	KHATRA.exe
File opened for modification	C:\Windows\System\gHost.exe	KHATRA.exe
File created	C:\Windows\System\gHost.exe	KHATRA.exe
File opened for modification	C:\Windows\INF\Autoplay.inF	KHATRA.exe
File opened for modification	C:\Windows\inf\Autoplay.inF	KHATRA.exe
File opened for modification	C:\Windows\Xplorer.exe	KHATRA.exe
File opened for modification	C:\Windows\KHATARNAKH.exe	82762edbcceecc53d46d76988ae4d134_JaffaCakes118.exe
File opened for modification	C:\Windows\System\gHost.exe	KHATRA.exe
File opened for modification	C:\Windows\inf\Autoplay.inF	KHATRA.exe
File created	C:\Windows\System\gHost.exe	KHATRA.exe
File created	C:\Windows\System\gHost.exe	KHATRA.exe
File created	C:\Windows\System\gHost.exe	82762edbcceecc53d46d76988ae4d134_JaffaCakes118.exe
File created	C:\Windows\Xplorer.exe	KHATRA.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 64 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	at.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	KHATRA.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	at.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Xplorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	at.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	KHATRA.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	KHATRA.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	at.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	at.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	at.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	at.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	at.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	at.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	at.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	at.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	KHATRA.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	at.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	at.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	KHATRA.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	at.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	KHATRA.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	82762edbcceecc53d46d76988ae4d134_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	KHATRA.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies Internet Explorer settings 1 TTPs 46 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "Internet Exploiter"	KHATRA.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\Main	KHATRA.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\Main	KHATRA.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\Main	KHATRA.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "Internet Exploiter"	KHATRA.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\Main	KHATRA.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\Main	KHATRA.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "Internet Exploiter"	KHATRA.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "Internet Exploiter"	KHATRA.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "Internet Exploiter"	KHATRA.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "Internet Exploiter"	KHATRA.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "Internet Exploiter"	KHATRA.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\Main	KHATRA.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\Main	KHATRA.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "Internet Exploiter"	KHATRA.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "Internet Exploiter"	KHATRA.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\Main	KHATRA.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\Main	KHATRA.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "Internet Exploiter"	KHATRA.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\Main	82762edbcceecc53d46d76988ae4d134_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\Main	KHATRA.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "Internet Exploiter"	KHATRA.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\Main	KHATRA.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "Internet Exploiter"	KHATRA.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\Main	KHATRA.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\Main	KHATRA.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "Internet Exploiter"	KHATRA.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\Main	KHATRA.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "Internet Exploiter"	KHATRA.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "Internet Exploiter"	KHATRA.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "Internet Exploiter"	KHATRA.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "Internet Exploiter"	KHATRA.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\Main	KHATRA.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "Internet Exploiter"	KHATRA.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\Main	KHATRA.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\Main	KHATRA.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\Main	KHATRA.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "Internet Exploiter"	KHATRA.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\Main	KHATRA.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "Internet Exploiter"	KHATRA.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\Main	KHATRA.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "Internet Exploiter"	KHATRA.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\Main	KHATRA.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\Main	KHATRA.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "Internet Exploiter"	KHATRA.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "Internet Exploiter"	82762edbcceecc53d46d76988ae4d134_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4036	82762edbcceecc53d46d76988ae4d134_JaffaCakes118.exe
4036	82762edbcceecc53d46d76988ae4d134_JaffaCakes118.exe
4036	82762edbcceecc53d46d76988ae4d134_JaffaCakes118.exe
4036	82762edbcceecc53d46d76988ae4d134_JaffaCakes118.exe
4036	82762edbcceecc53d46d76988ae4d134_JaffaCakes118.exe
4036	82762edbcceecc53d46d76988ae4d134_JaffaCakes118.exe
4036	82762edbcceecc53d46d76988ae4d134_JaffaCakes118.exe
4036	82762edbcceecc53d46d76988ae4d134_JaffaCakes118.exe
4036	82762edbcceecc53d46d76988ae4d134_JaffaCakes118.exe
4036	82762edbcceecc53d46d76988ae4d134_JaffaCakes118.exe
4036	82762edbcceecc53d46d76988ae4d134_JaffaCakes118.exe
4036	82762edbcceecc53d46d76988ae4d134_JaffaCakes118.exe
4036	82762edbcceecc53d46d76988ae4d134_JaffaCakes118.exe
4036	82762edbcceecc53d46d76988ae4d134_JaffaCakes118.exe
4036	82762edbcceecc53d46d76988ae4d134_JaffaCakes118.exe
4036	82762edbcceecc53d46d76988ae4d134_JaffaCakes118.exe
4036	82762edbcceecc53d46d76988ae4d134_JaffaCakes118.exe
4036	82762edbcceecc53d46d76988ae4d134_JaffaCakes118.exe
4036	82762edbcceecc53d46d76988ae4d134_JaffaCakes118.exe
4036	82762edbcceecc53d46d76988ae4d134_JaffaCakes118.exe
4036	82762edbcceecc53d46d76988ae4d134_JaffaCakes118.exe
4036	82762edbcceecc53d46d76988ae4d134_JaffaCakes118.exe
4036	82762edbcceecc53d46d76988ae4d134_JaffaCakes118.exe
4036	82762edbcceecc53d46d76988ae4d134_JaffaCakes118.exe
4036	82762edbcceecc53d46d76988ae4d134_JaffaCakes118.exe
4036	82762edbcceecc53d46d76988ae4d134_JaffaCakes118.exe
4036	82762edbcceecc53d46d76988ae4d134_JaffaCakes118.exe
4036	82762edbcceecc53d46d76988ae4d134_JaffaCakes118.exe
4036	82762edbcceecc53d46d76988ae4d134_JaffaCakes118.exe
4036	82762edbcceecc53d46d76988ae4d134_JaffaCakes118.exe
4036	82762edbcceecc53d46d76988ae4d134_JaffaCakes118.exe
4036	82762edbcceecc53d46d76988ae4d134_JaffaCakes118.exe
4036	82762edbcceecc53d46d76988ae4d134_JaffaCakes118.exe
4036	82762edbcceecc53d46d76988ae4d134_JaffaCakes118.exe
4036	82762edbcceecc53d46d76988ae4d134_JaffaCakes118.exe
4036	82762edbcceecc53d46d76988ae4d134_JaffaCakes118.exe
4036	82762edbcceecc53d46d76988ae4d134_JaffaCakes118.exe
4036	82762edbcceecc53d46d76988ae4d134_JaffaCakes118.exe
4036	82762edbcceecc53d46d76988ae4d134_JaffaCakes118.exe
4036	82762edbcceecc53d46d76988ae4d134_JaffaCakes118.exe
4036	82762edbcceecc53d46d76988ae4d134_JaffaCakes118.exe
4036	82762edbcceecc53d46d76988ae4d134_JaffaCakes118.exe
4036	82762edbcceecc53d46d76988ae4d134_JaffaCakes118.exe
4036	82762edbcceecc53d46d76988ae4d134_JaffaCakes118.exe
4036	82762edbcceecc53d46d76988ae4d134_JaffaCakes118.exe
4036	82762edbcceecc53d46d76988ae4d134_JaffaCakes118.exe
4036	82762edbcceecc53d46d76988ae4d134_JaffaCakes118.exe
4036	82762edbcceecc53d46d76988ae4d134_JaffaCakes118.exe
4036	82762edbcceecc53d46d76988ae4d134_JaffaCakes118.exe
4036	82762edbcceecc53d46d76988ae4d134_JaffaCakes118.exe
4036	82762edbcceecc53d46d76988ae4d134_JaffaCakes118.exe
4036	82762edbcceecc53d46d76988ae4d134_JaffaCakes118.exe
4036	82762edbcceecc53d46d76988ae4d134_JaffaCakes118.exe
4036	82762edbcceecc53d46d76988ae4d134_JaffaCakes118.exe
4036	82762edbcceecc53d46d76988ae4d134_JaffaCakes118.exe
4036	82762edbcceecc53d46d76988ae4d134_JaffaCakes118.exe
4036	82762edbcceecc53d46d76988ae4d134_JaffaCakes118.exe
4036	82762edbcceecc53d46d76988ae4d134_JaffaCakes118.exe
4036	82762edbcceecc53d46d76988ae4d134_JaffaCakes118.exe
4036	82762edbcceecc53d46d76988ae4d134_JaffaCakes118.exe
4036	82762edbcceecc53d46d76988ae4d134_JaffaCakes118.exe
4036	82762edbcceecc53d46d76988ae4d134_JaffaCakes118.exe
4036	82762edbcceecc53d46d76988ae4d134_JaffaCakes118.exe
4036	82762edbcceecc53d46d76988ae4d134_JaffaCakes118.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
5024	Xplorer.exe
3756	gHost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: 33	4036	82762edbcceecc53d46d76988ae4d134_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	4036	82762edbcceecc53d46d76988ae4d134_JaffaCakes118.exe
Token: 33	5060	KHATRA.exe
Token: SeIncBasePriorityPrivilege	5060	KHATRA.exe
Token: 33	5024	Xplorer.exe
Token: SeIncBasePriorityPrivilege	5024	Xplorer.exe
Token: 33	2300	gHost.exe
Token: SeIncBasePriorityPrivilege	2300	gHost.exe
Token: 33	3756	gHost.exe
Token: SeIncBasePriorityPrivilege	3756	gHost.exe
Token: 33	3608	KHATRA.exe
Token: SeIncBasePriorityPrivilege	3608	KHATRA.exe
Token: 33	2364	KHATRA.exe
Token: SeIncBasePriorityPrivilege	2364	KHATRA.exe
Token: 33	3660	KHATRA.exe
Token: SeIncBasePriorityPrivilege	3660	KHATRA.exe
Token: 33	4144	KHATRA.exe
Token: SeIncBasePriorityPrivilege	4144	KHATRA.exe
Token: 33	5004	KHATRA.exe
Token: SeIncBasePriorityPrivilege	5004	KHATRA.exe
Token: 33	4632	KHATRA.exe
Token: SeIncBasePriorityPrivilege	4632	KHATRA.exe
Token: 33	3168	KHATRA.exe
Token: SeIncBasePriorityPrivilege	3168	KHATRA.exe
Token: 33	2480	KHATRA.exe
Token: SeIncBasePriorityPrivilege	2480	KHATRA.exe
Token: 33	4588	KHATRA.exe
Token: SeIncBasePriorityPrivilege	4588	KHATRA.exe
Token: 33	3668	KHATRA.exe
Token: SeIncBasePriorityPrivilege	3668	KHATRA.exe
Token: 33	4768	KHATRA.exe
Token: SeIncBasePriorityPrivilege	4768	KHATRA.exe
Token: 33	5096	KHATRA.exe
Token: SeIncBasePriorityPrivilege	5096	KHATRA.exe
Token: 33	3440	KHATRA.exe
Token: SeIncBasePriorityPrivilege	3440	KHATRA.exe
Token: 33	1780	KHATRA.exe
Token: SeIncBasePriorityPrivilege	1780	KHATRA.exe
Token: 33	4048	KHATRA.exe
Token: SeIncBasePriorityPrivilege	4048	KHATRA.exe
Token: 33	468	KHATRA.exe
Token: SeIncBasePriorityPrivilege	468	KHATRA.exe
Token: 33	2064	KHATRA.exe
Token: SeIncBasePriorityPrivilege	2064	KHATRA.exe
Token: 33	4744	KHATRA.exe
Token: SeIncBasePriorityPrivilege	4744	KHATRA.exe
Token: 33	3104	KHATRA.exe
Token: SeIncBasePriorityPrivilege	3104	KHATRA.exe
Token: 33	3608	KHATRA.exe
Token: SeIncBasePriorityPrivilege	3608	KHATRA.exe
Token: 33	4192	KHATRA.exe
Token: SeIncBasePriorityPrivilege	4192	KHATRA.exe
Token: 33	1104	KHATRA.exe
Token: SeIncBasePriorityPrivilege	1104	KHATRA.exe
Token: 33	3148	KHATRA.exe
Token: SeIncBasePriorityPrivilege	3148	KHATRA.exe
Token: 33	1580	KHATRA.exe
Token: SeIncBasePriorityPrivilege	1580	KHATRA.exe
Token: 33	5088	KHATRA.exe
Token: SeIncBasePriorityPrivilege	5088	KHATRA.exe
Token: 33	3536	KHATRA.exe
Token: SeIncBasePriorityPrivilege	3536	KHATRA.exe
Token: 33	184	KHATRA.exe
Token: SeIncBasePriorityPrivilege	184	KHATRA.exe

Suspicious use of FindShellTrayWindow 45 IoCs

pid	Process
4036	82762edbcceecc53d46d76988ae4d134_JaffaCakes118.exe
5060	KHATRA.exe
4036	82762edbcceecc53d46d76988ae4d134_JaffaCakes118.exe
5060	KHATRA.exe
3608	KHATRA.exe
3608	KHATRA.exe
2364	KHATRA.exe
2364	KHATRA.exe
3660	KHATRA.exe
3660	KHATRA.exe
4632	KHATRA.exe
4632	KHATRA.exe
3168	KHATRA.exe
3168	KHATRA.exe
2480	KHATRA.exe
2480	KHATRA.exe
4768	KHATRA.exe
4768	KHATRA.exe
5096	KHATRA.exe
5096	KHATRA.exe
3440	KHATRA.exe
3440	KHATRA.exe
1780	KHATRA.exe
1780	KHATRA.exe
4048	KHATRA.exe
4048	KHATRA.exe
468	KHATRA.exe
468	KHATRA.exe
2064	KHATRA.exe
2064	KHATRA.exe
4744	KHATRA.exe
4744	KHATRA.exe
3104	KHATRA.exe
3104	KHATRA.exe
3608	KHATRA.exe
3608	KHATRA.exe
4192	KHATRA.exe
4192	KHATRA.exe
1580	KHATRA.exe
1580	KHATRA.exe
5088	KHATRA.exe
5088	KHATRA.exe
3536	KHATRA.exe
3536	KHATRA.exe
184	KHATRA.exe

Suspicious use of SendNotifyMessage 45 IoCs

pid	Process
4036	82762edbcceecc53d46d76988ae4d134_JaffaCakes118.exe
5060	KHATRA.exe
4036	82762edbcceecc53d46d76988ae4d134_JaffaCakes118.exe
5060	KHATRA.exe
3608	KHATRA.exe
3608	KHATRA.exe
2364	KHATRA.exe
2364	KHATRA.exe
3660	KHATRA.exe
3660	KHATRA.exe
4632	KHATRA.exe
4632	KHATRA.exe
3168	KHATRA.exe
3168	KHATRA.exe
2480	KHATRA.exe
2480	KHATRA.exe
4768	KHATRA.exe
4768	KHATRA.exe
5096	KHATRA.exe
5096	KHATRA.exe
3440	KHATRA.exe
3440	KHATRA.exe
1780	KHATRA.exe
1780	KHATRA.exe
4048	KHATRA.exe
4048	KHATRA.exe
468	KHATRA.exe
468	KHATRA.exe
2064	KHATRA.exe
2064	KHATRA.exe
4744	KHATRA.exe
4744	KHATRA.exe
3104	KHATRA.exe
3104	KHATRA.exe
3608	KHATRA.exe
3608	KHATRA.exe
4192	KHATRA.exe
4192	KHATRA.exe
1580	KHATRA.exe
1580	KHATRA.exe
5088	KHATRA.exe
5088	KHATRA.exe
3536	KHATRA.exe
3536	KHATRA.exe
184	KHATRA.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4036 wrote to memory of 5060	4036	82762edbcceecc53d46d76988ae4d134_JaffaCakes118.exe	87
PID 4036 wrote to memory of 5060	4036	82762edbcceecc53d46d76988ae4d134_JaffaCakes118.exe	87
PID 4036 wrote to memory of 5060	4036	82762edbcceecc53d46d76988ae4d134_JaffaCakes118.exe	87
PID 5060 wrote to memory of 5024	5060	KHATRA.exe	88
PID 5060 wrote to memory of 5024	5060	KHATRA.exe	88
PID 5060 wrote to memory of 5024	5060	KHATRA.exe	88
PID 5024 wrote to memory of 2300	5024	Xplorer.exe	89
PID 5024 wrote to memory of 2300	5024	Xplorer.exe	89
PID 5024 wrote to memory of 2300	5024	Xplorer.exe	89
PID 4036 wrote to memory of 3756	4036	82762edbcceecc53d46d76988ae4d134_JaffaCakes118.exe	90
PID 4036 wrote to memory of 3756	4036	82762edbcceecc53d46d76988ae4d134_JaffaCakes118.exe	90
PID 4036 wrote to memory of 3756	4036	82762edbcceecc53d46d76988ae4d134_JaffaCakes118.exe	90
PID 5060 wrote to memory of 2288	5060	KHATRA.exe	91
PID 5060 wrote to memory of 2288	5060	KHATRA.exe	91
PID 5060 wrote to memory of 2288	5060	KHATRA.exe	91
PID 2288 wrote to memory of 2056	2288	cmd.exe	93
PID 2288 wrote to memory of 2056	2288	cmd.exe	93
PID 2288 wrote to memory of 2056	2288	cmd.exe	93
PID 5060 wrote to memory of 3760	5060	KHATRA.exe	94
PID 5060 wrote to memory of 3760	5060	KHATRA.exe	94
PID 5060 wrote to memory of 3760	5060	KHATRA.exe	94
PID 3760 wrote to memory of 4264	3760	cmd.exe	96
PID 3760 wrote to memory of 4264	3760	cmd.exe	96
PID 3760 wrote to memory of 4264	3760	cmd.exe	96
PID 4036 wrote to memory of 1008	4036	82762edbcceecc53d46d76988ae4d134_JaffaCakes118.exe	97
PID 4036 wrote to memory of 1008	4036	82762edbcceecc53d46d76988ae4d134_JaffaCakes118.exe	97
PID 4036 wrote to memory of 1008	4036	82762edbcceecc53d46d76988ae4d134_JaffaCakes118.exe	97
PID 1008 wrote to memory of 2480	1008	cmd.exe	99
PID 1008 wrote to memory of 2480	1008	cmd.exe	99
PID 1008 wrote to memory of 2480	1008	cmd.exe	99
PID 4036 wrote to memory of 3412	4036	82762edbcceecc53d46d76988ae4d134_JaffaCakes118.exe	100
PID 4036 wrote to memory of 3412	4036	82762edbcceecc53d46d76988ae4d134_JaffaCakes118.exe	100
PID 4036 wrote to memory of 3412	4036	82762edbcceecc53d46d76988ae4d134_JaffaCakes118.exe	100
PID 3412 wrote to memory of 4640	3412	cmd.exe	102
PID 3412 wrote to memory of 4640	3412	cmd.exe	102
PID 3412 wrote to memory of 4640	3412	cmd.exe	102
PID 5060 wrote to memory of 804	5060	KHATRA.exe	103
PID 5060 wrote to memory of 804	5060	KHATRA.exe	103
PID 5060 wrote to memory of 804	5060	KHATRA.exe	103
PID 804 wrote to memory of 944	804	cmd.exe	105
PID 804 wrote to memory of 944	804	cmd.exe	105
PID 804 wrote to memory of 944	804	cmd.exe	105
PID 4036 wrote to memory of 1724	4036	82762edbcceecc53d46d76988ae4d134_JaffaCakes118.exe	108
PID 4036 wrote to memory of 1724	4036	82762edbcceecc53d46d76988ae4d134_JaffaCakes118.exe	108
PID 4036 wrote to memory of 1724	4036	82762edbcceecc53d46d76988ae4d134_JaffaCakes118.exe	108
PID 1724 wrote to memory of 2832	1724	cmd.exe	110
PID 1724 wrote to memory of 2832	1724	cmd.exe	110
PID 1724 wrote to memory of 2832	1724	cmd.exe	110
PID 5060 wrote to memory of 3744	5060	KHATRA.exe	111
PID 5060 wrote to memory of 3744	5060	KHATRA.exe	111
PID 5060 wrote to memory of 3744	5060	KHATRA.exe	111
PID 3744 wrote to memory of 2988	3744	cmd.exe	113
PID 3744 wrote to memory of 2988	3744	cmd.exe	113
PID 3744 wrote to memory of 2988	3744	cmd.exe	113
PID 4036 wrote to memory of 2336	4036	82762edbcceecc53d46d76988ae4d134_JaffaCakes118.exe	114
PID 4036 wrote to memory of 2336	4036	82762edbcceecc53d46d76988ae4d134_JaffaCakes118.exe	114
PID 4036 wrote to memory of 2336	4036	82762edbcceecc53d46d76988ae4d134_JaffaCakes118.exe	114
PID 2336 wrote to memory of 624	2336	cmd.exe	116
PID 2336 wrote to memory of 624	2336	cmd.exe	116
PID 2336 wrote to memory of 624	2336	cmd.exe	116
PID 5024 wrote to memory of 3608	5024	Xplorer.exe	120
PID 5024 wrote to memory of 3608	5024	Xplorer.exe	120
PID 5024 wrote to memory of 3608	5024	Xplorer.exe	120
PID 3608 wrote to memory of 572	3608	KHATRA.exe	121

C:\Users\Admin\AppData\Local\Temp\82762edbcceecc53d46d76988ae4d134_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\82762edbcceecc53d46d76988ae4d134_JaffaCakes118.exe"
1⤵
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Adds Run key to start application
- Modifies WinLogon
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4036
- C:\Windows\SysWOW64\KHATRA.exe
  C:\Windows\system32\KHATRA.exe
  2⤵
  - Adds policy Run key to start application
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Adds Run key to start application
  - Modifies WinLogon
  - Drops autorun.inf file
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:5060
- - C:\Windows\Xplorer.exe
    "C:\Windows\Xplorer.exe" /Windows
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5024
  - - C:\Windows\System\gHost.exe
      "C:\Windows\System\gHost.exe" /Reproduce
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2300
  - - C:\Windows\SysWOW64\KHATRA.exe
      C:\Windows\system32\KHATRA.exe
      4⤵
      Adds policy Run key to start application
      Disables RegEdit via registry modification
      Executes dropped EXE
      Adds Run key to start application
      Modifies WinLogon
      Drops autorun.inf file
      Drops file in System32 directory
      Drops file in Windows directory
      Modifies Internet Explorer settings
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:3608
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C AT /delete /yes
        5⤵
        
        PID:572
      - C:\Windows\SysWOW64\at.exe
        
        AT /delete /yes
        6⤵
        
        PID:2444
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        5⤵
        
        PID:5092
      - C:\Windows\SysWOW64\at.exe
        
        AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        6⤵
        
        PID:3544
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:64
      - C:\Windows\SysWOW64\regsvr32.exe
        
        RegSvr32 /S C:\Windows\system32\avphost.dll
        6⤵
        
        PID:912
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        5⤵
        
        PID:4720
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        6⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:4744
  - - C:\Windows\SysWOW64\KHATRA.exe
      C:\Windows\system32\KHATRA.exe
      4⤵
      Adds policy Run key to start application
      Disables RegEdit via registry modification
      Executes dropped EXE
      Adds Run key to start application
      Modifies WinLogon
      Drops autorun.inf file
      Drops file in System32 directory
      Drops file in Windows directory
      Modifies Internet Explorer settings
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:2364
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C AT /delete /yes
        5⤵
        
        PID:3788
      - C:\Windows\SysWOW64\at.exe
        
        AT /delete /yes
        6⤵
        
        PID:4664
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1784
      - C:\Windows\SysWOW64\at.exe
        
        AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        6⤵
        
        PID:2756
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:624
      - C:\Windows\SysWOW64\regsvr32.exe
        
        RegSvr32 /S C:\Windows\system32\avphost.dll
        6⤵
        
        PID:2412
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        5⤵
        
        PID:2040
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        6⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:2884
  - - C:\Windows\SysWOW64\KHATRA.exe
      C:\Windows\system32\KHATRA.exe
      4⤵
      Adds policy Run key to start application
      Disables RegEdit via registry modification
      Executes dropped EXE
      Adds Run key to start application
      Modifies WinLogon
      Drops autorun.inf file
      Drops file in System32 directory
      Drops file in Windows directory
      Modifies Internet Explorer settings
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:3660
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C AT /delete /yes
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:960
      - C:\Windows\SysWOW64\at.exe
        
        AT /delete /yes
        6⤵
        
        PID:2104
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        5⤵
        
        PID:1992
      - C:\Windows\SysWOW64\at.exe
        
        AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2332
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4496
      - C:\Windows\SysWOW64\regsvr32.exe
        
        RegSvr32 /S C:\Windows\system32\avphost.dll
        6⤵
        
        PID:1256
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        5⤵
        
        PID:3044
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        6⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:3624
  - - C:\Windows\SysWOW64\KHATRA.exe
      C:\Windows\system32\KHATRA.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:4144
  - - C:\Windows\SysWOW64\KHATRA.exe
      C:\Windows\system32\KHATRA.exe
      4⤵
      Adds policy Run key to start application
      Disables RegEdit via registry modification
      Executes dropped EXE
      Adds Run key to start application
      Modifies WinLogon
      Drops autorun.inf file
      Drops file in System32 directory
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:3168
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C AT /delete /yes
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3544
      - C:\Windows\SysWOW64\at.exe
        
        AT /delete /yes
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2012
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:964
      - C:\Windows\SysWOW64\at.exe
        
        AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        6⤵
        
        PID:4388
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll
        5⤵
        
        PID:1620
      - C:\Windows\SysWOW64\regsvr32.exe
        
        RegSvr32 /S C:\Windows\system32\avphost.dll
        6⤵
        
        PID:1780
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2896
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        6⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:1676
  - - C:\Windows\SysWOW64\KHATRA.exe
      C:\Windows\system32\KHATRA.exe
      4⤵
      Adds policy Run key to start application
      Disables RegEdit via registry modification
      Executes dropped EXE
      Adds Run key to start application
      Modifies WinLogon
      Drops autorun.inf file
      Drops file in System32 directory
      Drops file in Windows directory
      Modifies Internet Explorer settings
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:2480
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C AT /delete /yes
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4964
      - C:\Windows\SysWOW64\at.exe
        
        AT /delete /yes
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1028
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        5⤵
        
        PID:3916
      - C:\Windows\SysWOW64\at.exe
        
        AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4952
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll
        5⤵
        
        PID:1784
      - C:\Windows\SysWOW64\regsvr32.exe
        
        RegSvr32 /S C:\Windows\system32\avphost.dll
        6⤵
        
        PID:624
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        5⤵
        
        PID:1060
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        6⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:3440
  - - C:\Windows\SysWOW64\KHATRA.exe
      C:\Windows\system32\KHATRA.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:4588
  - - C:\Windows\SysWOW64\KHATRA.exe
      C:\Windows\system32\KHATRA.exe
      4⤵
      Adds policy Run key to start application
      Disables RegEdit via registry modification
      Executes dropped EXE
      Adds Run key to start application
      Modifies WinLogon
      Drops autorun.inf file
      Drops file in System32 directory
      Drops file in Windows directory
      Modifies Internet Explorer settings
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:4768
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C AT /delete /yes
        5⤵
        
        PID:1680
      - C:\Windows\SysWOW64\at.exe
        
        AT /delete /yes
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:572
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        5⤵
        
        PID:1788
      - C:\Windows\SysWOW64\at.exe
        
        AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3104
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4388
      - C:\Windows\SysWOW64\regsvr32.exe
        
        RegSvr32 /S C:\Windows\system32\avphost.dll
        6⤵
        
        PID:628
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        5⤵
        
        PID:3188
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        6⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:2288
  - - C:\Windows\SysWOW64\KHATRA.exe
      C:\Windows\system32\KHATRA.exe
      4⤵
      Adds policy Run key to start application
      Disables RegEdit via registry modification
      Executes dropped EXE
      Adds Run key to start application
      Modifies WinLogon
      Drops autorun.inf file
      Drops file in System32 directory
      Drops file in Windows directory
      Modifies Internet Explorer settings
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:5096
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C AT /delete /yes
        5⤵
        
        PID:2684
      - C:\Windows\SysWOW64\at.exe
        
        AT /delete /yes
        6⤵
        
        PID:4144
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        5⤵
        
        PID:2432
      - C:\Windows\SysWOW64\at.exe
        
        AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3356
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2400
      - C:\Windows\SysWOW64\regsvr32.exe
        
        RegSvr32 /S C:\Windows\system32\avphost.dll
        6⤵
        
        PID:3744
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        5⤵
        
        PID:3212
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        6⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:1456
  - - C:\Windows\SysWOW64\KHATRA.exe
      C:\Windows\system32\KHATRA.exe
      4⤵
      Adds policy Run key to start application
      Disables RegEdit via registry modification
      Executes dropped EXE
      Adds Run key to start application
      Modifies WinLogon
      Drops autorun.inf file
      Drops file in System32 directory
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:3440
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C AT /delete /yes
        5⤵
        
        PID:3828
      - C:\Windows\SysWOW64\at.exe
        
        AT /delete /yes
        6⤵
        
        PID:4036
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        5⤵
        
        PID:1220
      - C:\Windows\SysWOW64\at.exe
        
        AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        6⤵
        
        PID:2460
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll
        5⤵
        
        PID:4172
      - C:\Windows\SysWOW64\regsvr32.exe
        
        RegSvr32 /S C:\Windows\system32\avphost.dll
        6⤵
        
        PID:1680
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        5⤵
        
        PID:548
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        6⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:3372
  - - C:\Windows\SysWOW64\KHATRA.exe
      C:\Windows\system32\KHATRA.exe
      4⤵
      Adds policy Run key to start application
      Disables RegEdit via registry modification
      Executes dropped EXE
      Adds Run key to start application
      Modifies WinLogon
      Drops autorun.inf file
      Drops file in System32 directory
      Drops file in Windows directory
      Modifies Internet Explorer settings
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:4048
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C AT /delete /yes
        5⤵
        
        PID:2400
      - C:\Windows\SysWOW64\at.exe
        
        AT /delete /yes
        6⤵
        
        PID:2728
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        5⤵
        
        PID:452
      - C:\Windows\SysWOW64\at.exe
        
        AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        6⤵
        
        PID:3212
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll
        5⤵
        
        PID:5044
      - C:\Windows\SysWOW64\regsvr32.exe
        
        RegSvr32 /S C:\Windows\system32\avphost.dll
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1980
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4560
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        6⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:1948
  - - C:\Windows\SysWOW64\KHATRA.exe
      C:\Windows\system32\KHATRA.exe
      4⤵
      Adds policy Run key to start application
      Disables RegEdit via registry modification
      Executes dropped EXE
      Adds Run key to start application
      Modifies WinLogon
      Drops autorun.inf file
      Drops file in System32 directory
      Drops file in Windows directory
      Modifies Internet Explorer settings
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:468
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C AT /delete /yes
        5⤵
        
        PID:1296
      - C:\Windows\SysWOW64\at.exe
        
        AT /delete /yes
        6⤵
        
        PID:4012
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4152
      - C:\Windows\SysWOW64\at.exe
        
        AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:552
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll
        5⤵
        
        PID:2420
      - C:\Windows\SysWOW64\regsvr32.exe
        
        RegSvr32 /S C:\Windows\system32\avphost.dll
        6⤵
        
        PID:380
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        5⤵
        
        PID:2424
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        6⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:1680
  - - C:\Windows\SysWOW64\KHATRA.exe
      C:\Windows\system32\KHATRA.exe
      4⤵
      Adds policy Run key to start application
      Disables RegEdit via registry modification
      Executes dropped EXE
      Adds Run key to start application
      Modifies WinLogon
      Drops autorun.inf file
      Drops file in System32 directory
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:2064
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C AT /delete /yes
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3368
      - C:\Windows\SysWOW64\at.exe
        
        AT /delete /yes
        6⤵
        
        PID:3044
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        5⤵
        
        PID:2884
      - C:\Windows\SysWOW64\at.exe
        
        AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        6⤵
        
        PID:2772
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3144
      - C:\Windows\SysWOW64\regsvr32.exe
        
        RegSvr32 /S C:\Windows\system32\avphost.dll
        6⤵
        
        PID:1228
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        5⤵
        
        PID:2896
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        6⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:4720
  - - C:\Windows\SysWOW64\KHATRA.exe
      C:\Windows\system32\KHATRA.exe
      4⤵
      Adds policy Run key to start application
      Disables RegEdit via registry modification
      Executes dropped EXE
      Adds Run key to start application
      Modifies WinLogon
      Drops autorun.inf file
      Drops file in System32 directory
      Modifies Internet Explorer settings
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:4744
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C AT /delete /yes
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3712
      - C:\Windows\SysWOW64\at.exe
        
        AT /delete /yes
        6⤵
        
        PID:3152
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        5⤵
        
        PID:2432
      - C:\Windows\SysWOW64\at.exe
        
        AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        6⤵
        
        PID:4520
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4964
      - C:\Windows\SysWOW64\regsvr32.exe
        
        RegSvr32 /S C:\Windows\system32\avphost.dll
        6⤵
        
        PID:2980
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3500
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        6⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:1324
  - - C:\Windows\SysWOW64\KHATRA.exe
      C:\Windows\system32\KHATRA.exe
      4⤵
      Adds policy Run key to start application
      Disables RegEdit via registry modification
      Executes dropped EXE
      Adds Run key to start application
      Modifies WinLogon
      Drops autorun.inf file
      Drops file in System32 directory
      Modifies Internet Explorer settings
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:3608
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C AT /delete /yes
        5⤵
        
        PID:3032
      - C:\Windows\SysWOW64\at.exe
        
        AT /delete /yes
        6⤵
        
        PID:3864
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        5⤵
        
        PID:3496
      - C:\Windows\SysWOW64\at.exe
        
        AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        6⤵
        
        PID:4536
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll
        5⤵
        
        PID:4068
      - C:\Windows\SysWOW64\regsvr32.exe
        
        RegSvr32 /S C:\Windows\system32\avphost.dll
        6⤵
        
        PID:3288
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        5⤵
        
        PID:4892
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        6⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:4048
  - - C:\Windows\SysWOW64\KHATRA.exe
      C:\Windows\system32\KHATRA.exe
      4⤵
      Adds policy Run key to start application
      Disables RegEdit via registry modification
      Executes dropped EXE
      Adds Run key to start application
      Modifies WinLogon
      Drops autorun.inf file
      Drops file in System32 directory
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:4192
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C AT /delete /yes
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2044
      - C:\Windows\SysWOW64\at.exe
        
        AT /delete /yes
        6⤵
        
        PID:2652
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        5⤵
        
        PID:3524
      - C:\Windows\SysWOW64\at.exe
        
        AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4504
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1192
      - C:\Windows\SysWOW64\regsvr32.exe
        
        RegSvr32 /S C:\Windows\system32\avphost.dll
        6⤵
        
        PID:2300
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        5⤵
        
        PID:2056
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        6⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2308
  - - C:\Windows\SysWOW64\KHATRA.exe
      C:\Windows\system32\KHATRA.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1104
  - - C:\Windows\SysWOW64\KHATRA.exe
      C:\Windows\system32\KHATRA.exe
      4⤵
      Adds policy Run key to start application
      Disables RegEdit via registry modification
      Executes dropped EXE
      Adds Run key to start application
      Modifies WinLogon
      Drops autorun.inf file
      Drops file in System32 directory
      Drops file in Windows directory
      Modifies Internet Explorer settings
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:1580
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C AT /delete /yes
        5⤵
        
        PID:3172
      - C:\Windows\SysWOW64\at.exe
        
        AT /delete /yes
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3716
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        5⤵
        
        PID:4060
      - C:\Windows\SysWOW64\at.exe
        
        AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2992
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll
        5⤵
        
        PID:4932
      - C:\Windows\SysWOW64\regsvr32.exe
        
        RegSvr32 /S C:\Windows\system32\avphost.dll
        6⤵
        
        PID:2180
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2064
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        6⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:3104
  - - C:\Windows\SysWOW64\KHATRA.exe
      C:\Windows\system32\KHATRA.exe
      4⤵
      Adds policy Run key to start application
      Disables RegEdit via registry modification
      Executes dropped EXE
      Adds Run key to start application
      Modifies WinLogon
      Drops autorun.inf file
      Drops file in System32 directory
      Drops file in Windows directory
      Modifies Internet Explorer settings
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:5088
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C AT /delete /yes
        5⤵
        
        PID:1784
      - C:\Windows\SysWOW64\at.exe
        
        AT /delete /yes
        6⤵
        
        PID:1828
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        5⤵
        
        PID:5072
      - C:\Windows\SysWOW64\at.exe
        
        AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        6⤵
        
        PID:436
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll
        5⤵
        
        PID:1324
      - C:\Windows\SysWOW64\regsvr32.exe
        
        RegSvr32 /S C:\Windows\system32\avphost.dll
        6⤵
        
        PID:3028
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4380
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        6⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:532
  - - C:\Windows\SysWOW64\KHATRA.exe
      C:\Windows\system32\KHATRA.exe
      4⤵
      Adds policy Run key to start application
      Disables RegEdit via registry modification
      Executes dropped EXE
      Adds Run key to start application
      Modifies WinLogon
      Drops autorun.inf file
      Drops file in System32 directory
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:3536
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C AT /delete /yes
        5⤵
        
        PID:4076
      - C:\Windows\SysWOW64\at.exe
        
        AT /delete /yes
        6⤵
        
        PID:3656
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:468
      - C:\Windows\SysWOW64\at.exe
        
        AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1440
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll
        5⤵
        
        PID:3404
      - C:\Windows\SysWOW64\regsvr32.exe
        
        RegSvr32 /S C:\Windows\system32\avphost.dll
        6⤵
        
        PID:2540
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        5⤵
        
        PID:3304
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        6⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:3208
  - - C:\Windows\SysWOW64\KHATRA.exe
      C:\Windows\system32\KHATRA.exe
      4⤵
      Adds policy Run key to start application
      Disables RegEdit via registry modification
      Executes dropped EXE
      Adds Run key to start application
      Modifies WinLogon
      Drops autorun.inf file
      Drops file in System32 directory
      Drops file in Windows directory
      Modifies Internet Explorer settings
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:184
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C AT /delete /yes
        5⤵
        
        PID:1404
      - C:\Windows\SysWOW64\at.exe
        
        AT /delete /yes
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2080
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        5⤵
        
        PID:2532
      - C:\Windows\SysWOW64\at.exe
        
        AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        6⤵
        
        PID:4144
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /C AT /delete /yes
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2288
  - - C:\Windows\SysWOW64\at.exe
      AT /delete /yes
      4⤵
      PID:2056
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3760
  - - C:\Windows\SysWOW64\at.exe
      AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
      4⤵
      PID:4264
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:804
  - - C:\Windows\SysWOW64\regsvr32.exe
      RegSvr32 /S C:\Windows\system32\avphost.dll
      4⤵
      System Location Discovery: System Language Discovery
      PID:944
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3744
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:2988
- C:\Windows\System\gHost.exe
  "C:\Windows\System\gHost.exe" /Reproduce
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  PID:3756
- - C:\Windows\SysWOW64\KHATRA.exe
    C:\Windows\system32\KHATRA.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:5004
- - C:\Windows\SysWOW64\KHATRA.exe
    C:\Windows\system32\KHATRA.exe
    3⤵
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Modifies WinLogon
    - Drops autorun.inf file
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Modifies Internet Explorer settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:4632
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C AT /delete /yes
      4⤵
      System Location Discovery: System Language Discovery
      PID:1504
    - - C:\Windows\SysWOW64\at.exe
        
        AT /delete /yes
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3528
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:4952
    - - C:\Windows\SysWOW64\at.exe
        
        AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        5⤵
        
        PID:2756
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll
      4⤵
      PID:4784
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        RegSvr32 /S C:\Windows\system32\avphost.dll
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3740
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
      4⤵
      PID:1072
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:4316
- - C:\Windows\SysWOW64\KHATRA.exe
    C:\Windows\system32\KHATRA.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:3668
- - C:\Windows\SysWOW64\KHATRA.exe
    C:\Windows\system32\KHATRA.exe
    3⤵
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Modifies WinLogon
    - Drops autorun.inf file
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Modifies Internet Explorer settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:1780
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C AT /delete /yes
      4⤵
      PID:4252
    - - C:\Windows\SysWOW64\at.exe
        
        AT /delete /yes
        5⤵
        
        PID:3144
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:4404
    - - C:\Windows\SysWOW64\at.exe
        
        AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        5⤵
        
        PID:3540
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll
      4⤵
      PID:184
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        RegSvr32 /S C:\Windows\system32\avphost.dll
        5⤵
        
        PID:4064
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
      4⤵
      PID:3712
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:1732
- - C:\Windows\SysWOW64\KHATRA.exe
    C:\Windows\system32\KHATRA.exe
    3⤵
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Modifies WinLogon
    - Drops autorun.inf file
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Modifies Internet Explorer settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:3104
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C AT /delete /yes
      4⤵
      System Location Discovery: System Language Discovery
      PID:1092
    - - C:\Windows\SysWOW64\at.exe
        
        AT /delete /yes
        5⤵
        
        PID:1224
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
      4⤵
      PID:3548
    - - C:\Windows\SysWOW64\at.exe
        
        AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
        5⤵
        
        PID:3368
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll
      4⤵
      System Location Discovery: System Language Discovery
      PID:3464
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        RegSvr32 /S C:\Windows\system32\avphost.dll
        5⤵
        
        PID:4404
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
      4⤵
      PID:4720
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2692
- - C:\Windows\SysWOW64\KHATRA.exe
    C:\Windows\system32\KHATRA.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:3148
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /C AT /delete /yes
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1008
- - C:\Windows\SysWOW64\at.exe
    AT /delete /yes
    3⤵
    PID:2480
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3412
- - C:\Windows\SysWOW64\at.exe
    AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\KHATRA.exe
    3⤵
    PID:4640
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /C RegSvr32 /S C:\Windows\system32\avphost.dll
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1724
- - C:\Windows\SysWOW64\regsvr32.exe
    RegSvr32 /S C:\Windows\system32\avphost.dll
    3⤵
    PID:2832
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /C netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2336
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram program=C:\Windows\system32\KHATRA.exe name=System
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\(Empty).LNK

Filesize
1KB

MD5
8a0dd547ff2ec41daabce78f1b8c8621

SHA1
193dc7f59773bb6bbd32843479e4b97e0981b131

SHA256
8caceafdc3bc5882cbc5142065a912d33e77b26afa4c08b91d2551844d8f33e6

SHA512
4deeab03064f7ecaa623b98a80abeb0cf3a930acf9866f8539f9fe3f8a7770b6528ed9a26fe28dc751fa9f5d459d66c7b5e1ffe584ee3b2027d60b770a07f6b5

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\(Empty).LNK

Filesize
1KB

MD5
9b0aad7d2773ec30bbbd711b56217039

SHA1
a0a0ddf4a341fbc2d2aa9b525920b72db0df5884

SHA256
cd7954089d8ec598e47df2916d7ecfc68a1eb9dfddaf448c25d70153661a314f

SHA512
406d059bb4ff52c5ba3040c01ccafef13ac19ff41a04b4f4736a9bfa9c3399bdf490be56012483408ad38456d706be1ef034153db078dadb37c56b2bfe1ada12

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\(Empty).LNK

Filesize
1KB

MD5
324e8aff61115f82714185ec1f1aea4a

SHA1
cd18e9e5394c6f69cb818c407904c0e872798400

SHA256
f1952761989e03242778f4faa77126c1e3edfc359d9e04a71ecc64f8bf4f205f

SHA512
363aafb1dc16ee40a83443713527ec7d8a0a88be37eb962b9ae7954b3866ccfb200195e328f2870b175b92e515895c6dfb1cb1f76a51d4040888b108644d1dbd

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\(Empty).LNK

Filesize
1KB

MD5
49524ca2d325218d1a6815084124fae4

SHA1
01d2add500d3f636f30208967b33cf84197f167c

SHA256
5d5bf80dc6803991445d95f5d23053771bc2c30472135d4988cda696eeaca6f6

SHA512
cb548d526036d3f85c325b0adbd713a96e0834ac276f8bb551da324303a09cbe946d9160dcfbd8684d61f11cb82ba1d481d4a15ef5fe7fc7a4c5ba5272d563b4

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\(Empty).LNK

Filesize
1KB

MD5
0e03f28b71c8c57a5bf6d3fca1f665a7

SHA1
84e1febdd247bf3cf62048335d596c006bda2d58

SHA256
478de259e1f38ff491709594bf1c1e8706512b6d045992a3a60263f80553df2c

SHA512
c2645f00638018e657c6e7075f3664e2fb3391b8caffd8db3fbfb5bfffdd91f6d2a54412c8a4e7b9a34a847bd8c6e42341c2eb1a6550af9837b582113f246c60

Download Submit
C:\Users\Admin\AppData\Local\Temp\autE61A.tmp

Filesize
126KB

MD5
aa0156ff3fab9b0305333fc34a192d2f

SHA1
0faffbff7ec2f550434987457176ce8bd6227808

SHA256
b0107edf0878b8753722fd3439483412bf54b6c1bc1a35639e0a0a0fb635e3d3

SHA512
bdb02a356ebc15f7c63ea2264aa1a55160773336ee2f6f0559d0958406a56874a14ddb96b617a0ce776b2f9bb65f90617bd423effc5287991bb1e3ea21b2f9fd

Download Submit
C:\Windows\INF\Autoplay.inF

Filesize
234B

MD5
7ae2f1a7ce729d91acfef43516e5a84c

SHA1
ebbc99c7e5ac5679de2881813257576ec980fb44

SHA256
43b2fee4fbe5b4a83ae32589d11c3f45ad1988dd5357f790ec708fdfd6709a98

SHA512
915b67d31a7034659360355cb00f9620bf9c64cc06660ea55e5fcba0096f1ac782ac7550f778c4874f63082820c03fbbf4dd05169b0de61a661a202f10a4eff9

Download Submit
C:\Windows\SysWOW64\KHATRA.exe

Filesize
555KB

MD5
82762edbcceecc53d46d76988ae4d134

SHA1
5c170ede2eadf2003bba8c8bd519876e044ee542

SHA256
e10874ab420cb32cef248f4ba9a7074268597316d813d1176580a2677e344588

SHA512
7c61d74a6e25fcb10bc6e51f9417f77a20583115cf6965bd7578b67fa8101db0887e24b3283ba4f74e3d58652b4eafc9e2136c8150696e493ec2735150fa0508

Download Submit
memory/468-459-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/1104-590-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/1580-617-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/1780-405-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/2064-484-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/2300-51-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/2300-47-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/2300-49-0x00000000000C0000-0x00000000000C2000-memory.dmp

Filesize
8KB

Download
memory/2364-154-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/2364-127-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/2480-285-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/2480-256-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/3104-538-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/3148-591-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/3168-254-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/3440-352-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/3440-380-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/3536-668-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/3608-125-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/3608-562-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/3660-184-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/3668-289-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/3668-294-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/3756-367-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/3756-48-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/3756-190-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/3756-368-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/3756-420-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/3756-631-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/3756-446-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/3756-605-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/3756-314-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/3756-242-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/3756-113-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/3756-576-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/3756-111-0x00000000000C0000-0x00000000000C2000-memory.dmp

Filesize
8KB

Download
memory/3756-498-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/3756-172-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/3756-291-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/3756-50-0x00000000000C0000-0x00000000000C2000-memory.dmp

Filesize
8KB

Download
memory/3756-526-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/4036-0-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/4036-62-0x00000000000C0000-0x00000000000C2000-memory.dmp

Filesize
8KB

Download
memory/4036-90-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/4036-1-0x00000000000C0000-0x00000000000C2000-memory.dmp

Filesize
8KB

Download
memory/4048-432-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/4048-407-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/4144-187-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/4144-192-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/4192-589-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/4588-287-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/4588-295-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/4632-196-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/4632-224-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/4744-511-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/4768-327-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/5004-194-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/5004-188-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/5024-44-0x0000000000190000-0x0000000000192000-memory.dmp

Filesize
8KB

Download
memory/5024-112-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/5024-406-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/5024-497-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/5024-445-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/5024-94-0x0000000000190000-0x0000000000192000-memory.dmp

Filesize
8KB

Download
memory/5024-524-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/5024-365-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/5024-290-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/5024-189-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/5024-575-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/5024-171-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/5024-241-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/5024-43-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/5024-313-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/5024-604-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/5024-366-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/5024-630-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/5060-26-0x00000000001A0000-0x00000000001A2000-memory.dmp

Filesize
8KB

Download
memory/5060-92-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/5088-643-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/5096-351-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download