Analysis
-
max time kernel
139s -
max time network
156s -
platform
windows10-2004_x64 -
resource
win10v2004-20231025-en -
resource tags
-
submitted
03/11/2023, 13:12
General
-
Target
NEAS.4f757249c3f22bf847cc809d4590e880.exe
-
Size
147KB
-
MD5
4f757249c3f22bf847cc809d4590e880
-
SHA1
f6d7d9f61811b7550c3ad9269e33ce322b61f97d
-
SHA256
eef35320a71d05a76daec9c0622bd7d431d67cd8052eb4aa5afc7655db721f55
-
SHA512
66dfb09386da57cf2933e66003669f73ed45bba21023c244a711f61b39990c1b40422c6d34e38a1b7047b6fc0fadd30092f83e6307a63479c119322dcbbccde5
-
SSDEEP
1536:oWwaMcKOER0m9mwWt/TAggupnhycpDnq+5h/tDSZ15WwdGB:pzKR0xwWWWnhFpDRzSZaCGB
Score
10/10
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 64 IoCs
-
Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 64 IoCs
-
Disables RegEdit via registry modification 64 IoCs
-
Disables Task Manager via registry modification
-
Disables cmd.exe use via registry modification 64 IoCs
-
Disables use of System Restore points 1 TTPs
-
Executes dropped EXE 64 IoCs
-
Loads dropped DLL 64 IoCs
-
Modifies system executable filetype association 2 TTPs 64 IoCs
-
Adds Run key to start application 2 TTPs 64 IoCs
-
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Modifies WinLogon 2 TTPs 64 IoCs
-
Drops autorun.inf file 1 TTPs 4 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
-
Drops file in System32 directory 64 IoCs
-
Drops file in Windows directory 64 IoCs
-
Program crash 64 IoCs
-
Modifies Control Panel 64 IoCs
-
Modifies Internet Explorer settings 1 TTPs 64 IoCs
-
Modifies Internet Explorer start page 1 TTPs 64 IoCs
-
Modifies registry class 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of SetWindowsHookEx 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.4f757249c3f22bf847cc809d4590e880.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.4f757249c3f22bf847cc809d4590e880.exe"1⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Adds Run key to start application
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\babon.exeC:\Windows\babon.exe2⤵
- Modifies visiblity of hidden/system files in Explorer
- Disables cmd.exe use via registry modification
- Executes dropped EXE
- Modifies system executable filetype association
- Drops file in System32 directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\babon.exeC:\Windows\babon.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe3⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2540 -s 7763⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
-
-
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe2⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Modifies system executable filetype association
- Drops file in System32 directory
- Modifies Control Panel
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\babon.exeC:\Windows\babon.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe3⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3084 -s 7843⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"4⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
-
-
-
-
C:\Windows\babon.exeC:\Windows\babon.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe2⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"2⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\babon.exeC:\Windows\babon.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2076 -s 7763⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"4⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\babon.exeC:\Windows\babon.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe3⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"3⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4128 -s 6723⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"4⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"4⤵
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"2⤵
- Modifies WinLogon for persistence
- Disables cmd.exe use via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Enumerates connected drives
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\babon.exeC:\Windows\babon.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe3⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4844 -s 7923⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"4⤵
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3576 -s 8282⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"3⤵
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Executes dropped EXE
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Suspicious use of SetWindowsHookEx
- System policy modification
-
C:\Windows\babon.exeC:\Windows\babon.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe4⤵
- Disables cmd.exe use via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- System policy modification
-
C:\Windows\babon.exeC:\Windows\babon.exe5⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Modifies Control Panel
- Suspicious use of SetWindowsHookEx
-
C:\Windows\babon.exeC:\Windows\babon.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe6⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 628 -s 7646⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"7⤵
- Loads dropped DLL
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"7⤵
- Loads dropped DLL
-
-
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe5⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"5⤵
- Disables cmd.exe use via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Modifies WinLogon
- Drops file in Windows directory
- Modifies Internet Explorer start page
- Suspicious use of SetWindowsHookEx
- System policy modification
-
C:\Windows\babon.exeC:\Windows\babon.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe6⤵
- Loads dropped DLL
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"6⤵
- Loads dropped DLL
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2416 -s 7206⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"7⤵
- Loads dropped DLL
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"7⤵
- Loads dropped DLL
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"5⤵
- Modifies visibility of file extensions in Explorer
- Disables cmd.exe use via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
C:\Windows\babon.exeC:\Windows\babon.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe6⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Suspicious use of SetWindowsHookEx
-
C:\Windows\babon.exeC:\Windows\babon.exe7⤵
- Loads dropped DLL
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe7⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"7⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"7⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"7⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 940 -s 7607⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"8⤵
- Modifies WinLogon for persistence
- Disables cmd.exe use via registry modification
- Enumerates connected drives
-
C:\Windows\babon.exeC:\Windows\babon.exe9⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe9⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"9⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"9⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"9⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4312 -s 7969⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"10⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"10⤵
-
-
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"8⤵
- Modifies WinLogon for persistence
- Disables cmd.exe use via registry modification
- Adds Run key to start application
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- System policy modification
-
C:\Windows\babon.exeC:\Windows\babon.exe9⤵
- Disables RegEdit via registry modification
- Modifies system executable filetype association
- Enumerates connected drives
- Modifies Control Panel
- System policy modification
-
C:\Windows\babon.exeC:\Windows\babon.exe10⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe10⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"10⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"10⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"10⤵
-
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe9⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"9⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"9⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"9⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 316 -s 7889⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"10⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"10⤵
-
-
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"6⤵
- Loads dropped DLL
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"6⤵
- Loads dropped DLL
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"6⤵
- Loads dropped DLL
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1276 -s 7366⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"7⤵
- Loads dropped DLL
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"7⤵
- Loads dropped DLL
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"5⤵
- Modifies visibility of file extensions in Explorer
- Disables cmd.exe use via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\babon.exeC:\Windows\babon.exe6⤵
- Modifies visiblity of hidden/system files in Explorer
- Disables cmd.exe use via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- System policy modification
-
C:\Windows\babon.exeC:\Windows\babon.exe7⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe7⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"7⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"7⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"7⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4040 -s 6727⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"8⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"8⤵
-
-
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe6⤵
- Loads dropped DLL
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"6⤵
- Loads dropped DLL
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"6⤵
- Loads dropped DLL
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"6⤵
- Loads dropped DLL
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3560 -s 7406⤵
- Executes dropped EXE
- Loads dropped DLL
- Program crash
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"7⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"7⤵
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3284 -s 7925⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"6⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4204 -s 8164⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
-
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"3⤵
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Enumerates connected drives
- Drops file in Windows directory
- Modifies Internet Explorer start page
- Suspicious use of SetWindowsHookEx
-
C:\Windows\babon.exeC:\Windows\babon.exe4⤵
- Loads dropped DLL
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe4⤵
- Loads dropped DLL
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"4⤵
- Loads dropped DLL
- Adds Run key to start application
- Modifies WinLogon
- Modifies Internet Explorer start page
- Modifies registry class
-
C:\Windows\babon.exeC:\Windows\babon.exe5⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe5⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"5⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"5⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"5⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Modifies system executable filetype association
- Drops file in System32 directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
-
C:\Windows\babon.exeC:\Windows\babon.exe6⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe6⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"6⤵
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- System policy modification
-
C:\Windows\babon.exeC:\Windows\babon.exe7⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe7⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"7⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"7⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"7⤵
- Disables cmd.exe use via registry modification
- Adds Run key to start application
- Modifies Internet Explorer start page
-
C:\Windows\babon.exeC:\Windows\babon.exe8⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Modifies system executable filetype association
- Adds Run key to start application
- Modifies WinLogon
- Modifies Internet Explorer start page
- System policy modification
-
C:\Windows\babon.exeC:\Windows\babon.exe9⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe9⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"9⤵
- Disables RegEdit via registry modification
- Enumerates connected drives
- Modifies Internet Explorer settings
- System policy modification
-
C:\Windows\babon.exeC:\Windows\babon.exe10⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe10⤵
- Modifies visibility of file extensions in Explorer
- Disables cmd.exe use via registry modification
- Modifies WinLogon
- Modifies Internet Explorer start page
- Modifies registry class
-
C:\Windows\babon.exeC:\Windows\babon.exe11⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Modifies Internet Explorer settings
-
C:\Windows\babon.exeC:\Windows\babon.exe12⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe12⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"12⤵
- Modifies visiblity of hidden/system files in Explorer
- Modifies system executable filetype association
- Modifies Control Panel
- Modifies Internet Explorer start page
-
C:\Windows\babon.exeC:\Windows\babon.exe13⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Modifies system executable filetype association
- Enumerates connected drives
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
-
C:\Windows\babon.exeC:\Windows\babon.exe14⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe14⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Adds Run key to start application
- Modifies WinLogon
- Drops file in System32 directory
- Modifies Internet Explorer settings
- System policy modification
-
C:\Windows\babon.exeC:\Windows\babon.exe15⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe15⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"15⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"15⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"15⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2200 -s 64415⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"16⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"16⤵
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"14⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"14⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"14⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2228 -s 76014⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"15⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"15⤵
-
-
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe13⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"13⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"13⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"13⤵
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"12⤵
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Modifies Internet Explorer settings
- System policy modification
-
C:\Windows\babon.exeC:\Windows\babon.exe13⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe13⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"13⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"13⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"13⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3704 -s 64413⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"14⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"14⤵
- Modifies visibility of file extensions in Explorer
- Enumerates connected drives
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
-
C:\Windows\babon.exeC:\Windows\babon.exe15⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe15⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"15⤵
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- System policy modification
-
C:\Windows\babon.exeC:\Windows\babon.exe16⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe16⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"16⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"16⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"16⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3336 -s 72016⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"17⤵
- Modifies system executable filetype association
- Enumerates connected drives
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
-
C:\Windows\babon.exeC:\Windows\babon.exe18⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies system executable filetype association
- Modifies WinLogon
- Modifies Control Panel
-
C:\Windows\babon.exeC:\Windows\babon.exe19⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe19⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"19⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"19⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"19⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3888 -s 70419⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"20⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"20⤵
-
-
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe18⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables cmd.exe use via registry modification
- Modifies Internet Explorer start page
- Modifies registry class
-
C:\Windows\babon.exeC:\Windows\babon.exe19⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe19⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"19⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"19⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"19⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2068 -s 74019⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"20⤵
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"18⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"18⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Modifies system executable filetype association
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
-
C:\Windows\babon.exeC:\Windows\babon.exe19⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe19⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"19⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"19⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"19⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3604 -s 70419⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"20⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"20⤵
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"18⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- System policy modification
-
C:\Windows\babon.exeC:\Windows\babon.exe19⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
-
C:\Windows\babon.exeC:\Windows\babon.exe20⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe20⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"20⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"20⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"20⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Disables cmd.exe use via registry modification
- Modifies system executable filetype association
- Enumerates connected drives
- Drops file in Windows directory
- Modifies Internet Explorer start page
-
C:\Windows\babon.exeC:\Windows\babon.exe21⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe21⤵
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Adds Run key to start application
- Modifies Control Panel
- Modifies Internet Explorer settings
-
C:\Windows\babon.exeC:\Windows\babon.exe22⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe22⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"22⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Modifies WinLogon
- Modifies Internet Explorer start page
- Modifies registry class
-
C:\Windows\babon.exeC:\Windows\babon.exe23⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Modifies system executable filetype association
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
-
C:\Windows\babon.exeC:\Windows\babon.exe24⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe24⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"24⤵
-
C:\Windows\babon.exeC:\Windows\babon.exe25⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables cmd.exe use via registry modification
- Modifies WinLogon
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
-
C:\Windows\babon.exeC:\Windows\babon.exe26⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe26⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"26⤵
-
C:\Windows\babon.exeC:\Windows\babon.exe27⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe27⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"27⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"27⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"27⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2540 -s 68827⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"28⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"28⤵
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"26⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"26⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Disables cmd.exe use via registry modification
- Drops file in Windows directory
- Modifies Internet Explorer settings
-
C:\Windows\babon.exeC:\Windows\babon.exe27⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe27⤵
- Modifies WinLogon for persistence
- Disables RegEdit via registry modification
- Modifies system executable filetype association
- Modifies WinLogon
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
-
C:\Windows\babon.exeC:\Windows\babon.exe28⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe28⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"28⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"28⤵
- Disables RegEdit via registry modification
- Adds Run key to start application
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- System policy modification
-
C:\Windows\babon.exeC:\Windows\babon.exe29⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe29⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Modifies system executable filetype association
- Adds Run key to start application
- Modifies Control Panel
- Modifies Internet Explorer start page
- System policy modification
-
C:\Windows\babon.exeC:\Windows\babon.exe30⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe30⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"30⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"30⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"30⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3604 -s 73630⤵
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"31⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"31⤵
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"29⤵
- Enumerates connected drives
- Modifies Internet Explorer settings
- System policy modification
-
C:\Windows\babon.exeC:\Windows\babon.exe30⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe30⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"30⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"30⤵
- Modifies visibility of file extensions in Explorer
- Disables cmd.exe use via registry modification
- Modifies system executable filetype association
- Modifies WinLogon
- Drops file in Windows directory
- Modifies registry class
-
C:\Windows\babon.exeC:\Windows\babon.exe31⤵
- Modifies WinLogon for persistence
- Modifies system executable filetype association
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer start page
- System policy modification
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe31⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"31⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"31⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"31⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3392 -s 76031⤵
- Disables RegEdit via registry modification
- Modifies system executable filetype association
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"32⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"32⤵
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"30⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3480 -s 74030⤵
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"31⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"31⤵
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"29⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"29⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1272 -s 70429⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables cmd.exe use via registry modification
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"30⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"30⤵
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"28⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- Modifies system executable filetype association
- Modifies Control Panel
- Modifies registry class
- System policy modification
-
C:\Windows\babon.exeC:\Windows\babon.exe29⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe29⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"29⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"29⤵
- Enumerates connected drives
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"29⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3708 -s 75629⤵
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"30⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Disables cmd.exe use via registry modification
- Modifies system executable filetype association
- Adds Run key to start application
- Modifies WinLogon
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- System policy modification
-
C:\Windows\babon.exeC:\Windows\babon.exe31⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Adds Run key to start application
- Enumerates connected drives
- Modifies Control Panel
- Modifies Internet Explorer settings
- System policy modification
-
C:\Windows\babon.exeC:\Windows\babon.exe32⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe32⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"32⤵
- Modifies visiblity of hidden/system files in Explorer
- Disables cmd.exe use via registry modification
- Drops file in Windows directory
- Modifies Internet Explorer start page
- Modifies registry class
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"32⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"32⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4516 -s 70432⤵
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"33⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"33⤵
-
-
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe31⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"31⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Drops file in System32 directory
- Modifies Control Panel
- Modifies registry class
-
C:\Windows\babon.exeC:\Windows\babon.exe32⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe32⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"32⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"32⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"32⤵
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"31⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"31⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3860 -s 77631⤵
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"32⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"32⤵
-
-
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"30⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Modifies system executable filetype association
- Enumerates connected drives
- Modifies Control Panel
- Modifies registry class
-
C:\Windows\babon.exeC:\Windows\babon.exe31⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- System policy modification
-
C:\Windows\babon.exeC:\Windows\babon.exe32⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe32⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"32⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"32⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"32⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 396 -s 76032⤵
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"33⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"33⤵
-
-
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe31⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- Modifies system executable filetype association
- Drops file in Windows directory
- Modifies Internet Explorer settings
- System policy modification
-
C:\Windows\babon.exeC:\Windows\babon.exe32⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe32⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"32⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"32⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"32⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3524 -s 75232⤵
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"33⤵
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
-
C:\Windows\babon.exeC:\Windows\babon.exe34⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe34⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"34⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"34⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"34⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3656 -s 76834⤵
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"35⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"35⤵
-
-
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"33⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Drops file in Windows directory
-
C:\Windows\babon.exeC:\Windows\babon.exe34⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe34⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"34⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"34⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"34⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1096 -s 76434⤵
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"35⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"35⤵
-
-
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"31⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Enumerates connected drives
- Drops file in System32 directory
- Modifies Control Panel
- Modifies registry class
- System policy modification
-
C:\Windows\babon.exeC:\Windows\babon.exe32⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe32⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"32⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"32⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"32⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3604 -s 69232⤵
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"33⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"33⤵
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"31⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Disables cmd.exe use via registry modification
- Adds Run key to start application
- Modifies WinLogon
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
-
C:\Windows\babon.exeC:\Windows\babon.exe32⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe32⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"32⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"32⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"32⤵
- Modifies visibility of file extensions in Explorer
- Disables cmd.exe use via registry modification
- Modifies system executable filetype association
- Adds Run key to start application
- Modifies Internet Explorer settings
-
C:\Windows\babon.exeC:\Windows\babon.exe33⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe33⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"33⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"33⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Drops file in System32 directory
- Modifies Internet Explorer start page
-
C:\Windows\babon.exeC:\Windows\babon.exe34⤵
- Modifies WinLogon for persistence
- Disables cmd.exe use via registry modification
- Modifies system executable filetype association
- Drops file in Windows directory
- System policy modification
-
C:\Windows\babon.exeC:\Windows\babon.exe35⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe35⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"35⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"35⤵
- Modifies visibility of file extensions in Explorer
- Disables cmd.exe use via registry modification
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies registry class
- System policy modification
-
C:\Windows\babon.exeC:\Windows\babon.exe36⤵
- Modifies visiblity of hidden/system files in Explorer
- Disables cmd.exe use via registry modification
- Modifies system executable filetype association
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Modifies Control Panel
- Modifies Internet Explorer start page
- System policy modification
-
C:\Windows\babon.exeC:\Windows\babon.exe37⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe37⤵
- Adds Run key to start application
- Drops file in System32 directory
- Modifies Internet Explorer settings
- System policy modification
-
C:\Windows\babon.exeC:\Windows\babon.exe38⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe38⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"38⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"38⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"38⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4596 -s 67238⤵
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"39⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"39⤵
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"37⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"37⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"37⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3416 -s 77637⤵
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"38⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"38⤵
-
-
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe36⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"36⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- Modifies system executable filetype association
- Adds Run key to start application
- Modifies WinLogon
- Drops file in System32 directory
- Modifies Internet Explorer start page
-
C:\Windows\babon.exeC:\Windows\babon.exe37⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe37⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"37⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"37⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"37⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4200 -s 73637⤵
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"38⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"38⤵
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"36⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"36⤵
- Disables RegEdit via registry modification
- Adds Run key to start application
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
-
C:\Windows\babon.exeC:\Windows\babon.exe37⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe37⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"37⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"37⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"37⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2540 -s 72437⤵
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"38⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"38⤵
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3288 -s 78836⤵
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"37⤵
- Disables RegEdit via registry modification
- Modifies system executable filetype association
- Modifies WinLogon
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
-
C:\Windows\babon.exeC:\Windows\babon.exe38⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe38⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"38⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"38⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"38⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1360 -s 74838⤵
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"39⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"39⤵
-
-
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"37⤵
- Modifies visiblity of hidden/system files in Explorer
- Modifies Control Panel
- Modifies registry class
-
C:\Windows\babon.exeC:\Windows\babon.exe38⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Modifies system executable filetype association
- Modifies registry class
- System policy modification
-
C:\Windows\babon.exeC:\Windows\babon.exe39⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe39⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"39⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"39⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"39⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3296 -s 71239⤵
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"40⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in Windows directory
- Modifies registry class
-
C:\Windows\babon.exeC:\Windows\babon.exe41⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe41⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"41⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"41⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"41⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2752 -s 65641⤵
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"42⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"42⤵
-
-
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"40⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables cmd.exe use via registry modification
- Modifies WinLogon
- Modifies Internet Explorer start page
- Modifies registry class
-
C:\Windows\babon.exeC:\Windows\babon.exe41⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe41⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Modifies system executable filetype association
- Adds Run key to start application
-
C:\Windows\babon.exeC:\Windows\babon.exe42⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- Modifies system executable filetype association
- Modifies WinLogon
- Drops file in Windows directory
- Modifies Control Panel
- System policy modification
-
C:\Windows\babon.exeC:\Windows\babon.exe43⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe43⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Adds Run key to start application
- Modifies WinLogon
- Drops file in System32 directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- System policy modification
-
C:\Windows\babon.exeC:\Windows\babon.exe44⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe44⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"44⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"44⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"44⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4532 -s 76444⤵
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"45⤵
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"43⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- Modifies system executable filetype association
- Modifies WinLogon
- Drops file in System32 directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
-
C:\Windows\babon.exeC:\Windows\babon.exe44⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe44⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"44⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"44⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"44⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4452 -s 67644⤵
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"45⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"45⤵
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"43⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"43⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2372 -s 76443⤵
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"44⤵
- Modifies visiblity of hidden/system files in Explorer
- Modifies system executable filetype association
- Enumerates connected drives
- Modifies Control Panel
- System policy modification
-
C:\Windows\babon.exeC:\Windows\babon.exe45⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe45⤵
-
-
-
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe42⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"42⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"42⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"42⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 428 -s 75242⤵
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"43⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"43⤵
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"41⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables cmd.exe use via registry modification
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- System policy modification
-
C:\Windows\babon.exeC:\Windows\babon.exe42⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe42⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"42⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"42⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"42⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Modifies system executable filetype association
- Adds Run key to start application
- Modifies WinLogon
- Drops file in Windows directory
- Modifies Control Panel
-
C:\Windows\babon.exeC:\Windows\babon.exe43⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe43⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"43⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"43⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Modifies system executable filetype association
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
-
C:\Windows\babon.exeC:\Windows\babon.exe44⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe44⤵
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"43⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4656 -s 68843⤵
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"44⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"44⤵
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1652 -s 74042⤵
- Enumerates connected drives
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"43⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"43⤵
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"41⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"41⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 72841⤵
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"42⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"42⤵
-
-
-
-
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe38⤵
- Modifies visiblity of hidden/system files in Explorer
- Enumerates connected drives
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- System policy modification
-
C:\Windows\babon.exeC:\Windows\babon.exe39⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe39⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"39⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"39⤵
- Modifies WinLogon for persistence
- Disables RegEdit via registry modification
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
-
C:\Windows\babon.exeC:\Windows\babon.exe40⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe40⤵
- Modifies visiblity of hidden/system files in Explorer
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- System policy modification
-
C:\Windows\babon.exeC:\Windows\babon.exe41⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe41⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"41⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"41⤵
- Disables RegEdit via registry modification
- Enumerates connected drives
- Modifies WinLogon
- Modifies Control Panel
- Modifies Internet Explorer start page
- System policy modification
-
C:\Windows\babon.exeC:\Windows\babon.exe42⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe42⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"42⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"42⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"42⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 760 -s 73642⤵
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"43⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"43⤵
- Modifies visibility of file extensions in Explorer
- Modifies system executable filetype association
- Adds Run key to start application
- Drops file in System32 directory
- Modifies Control Panel
- Modifies Internet Explorer settings
-
C:\Windows\babon.exeC:\Windows\babon.exe44⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe44⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"44⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"44⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"44⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3336 -s 79244⤵
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"45⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"45⤵
-
-
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"41⤵
- Modifies visibility of file extensions in Explorer
- Disables cmd.exe use via registry modification
- Modifies system executable filetype association
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
-
C:\Windows\babon.exeC:\Windows\babon.exe42⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe42⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"42⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"42⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"42⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2532 -s 68842⤵
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"43⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"43⤵
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3312 -s 76841⤵
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"42⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"42⤵
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"40⤵
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Adds Run key to start application
- Drops file in System32 directory
- Modifies Internet Explorer start page
- Modifies registry class
- System policy modification
-
C:\Windows\babon.exeC:\Windows\babon.exe41⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe41⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"41⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"41⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"41⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1588 -s 72441⤵
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"42⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"42⤵
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"40⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"40⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3836 -s 75640⤵
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"41⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"41⤵
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"39⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1196 -s 74039⤵
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"40⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"40⤵
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"38⤵
- Disables RegEdit via registry modification
- Adds Run key to start application
- Modifies WinLogon
-
C:\Windows\babon.exeC:\Windows\babon.exe39⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe39⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"39⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"39⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"39⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5060 -s 72439⤵
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"40⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"40⤵
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"38⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"38⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables cmd.exe use via registry modification
- Drops file in System32 directory
- Modifies Internet Explorer start page
-
C:\Windows\babon.exeC:\Windows\babon.exe39⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe39⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"39⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"39⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"39⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3880 -s 73639⤵
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"40⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"40⤵
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4436 -s 72038⤵
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"39⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"39⤵
-
-
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"35⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3356 -s 74035⤵
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"36⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"36⤵
-
-
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe34⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"34⤵
- Modifies visiblity of hidden/system files in Explorer
- Disables cmd.exe use via registry modification
- Modifies system executable filetype association
- Modifies WinLogon
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- System policy modification
-
C:\Windows\babon.exeC:\Windows\babon.exe35⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe35⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"35⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"35⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"35⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3404 -s 74035⤵
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"36⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"36⤵
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"34⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"34⤵
- Disables RegEdit via registry modification
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Modifies registry class
- System policy modification
-
C:\Windows\babon.exeC:\Windows\babon.exe35⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe35⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"35⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"35⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"35⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4592 -s 76035⤵
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"36⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"36⤵
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3360 -s 73634⤵
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"35⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"35⤵
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"33⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1736 -s 62833⤵
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"34⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"34⤵
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5104 -s 73632⤵
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"33⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"33⤵
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"31⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4924 -s 77631⤵
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"32⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"32⤵
-
-
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4900 -s 74028⤵
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"29⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"29⤵
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"27⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"27⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Modifies WinLogon
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"27⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4724 -s 72427⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"28⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"28⤵
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 628 -s 76426⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"27⤵
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Modifies system executable filetype association
- Modifies WinLogon
- Drops file in System32 directory
- Modifies Control Panel
-
C:\Windows\babon.exeC:\Windows\babon.exe28⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe28⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"28⤵
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Adds Run key to start application
- Modifies WinLogon
- Drops file in System32 directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- System policy modification
-
C:\Windows\babon.exeC:\Windows\babon.exe29⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe29⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"29⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"29⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"29⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1768 -s 74429⤵
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"30⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"30⤵
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"28⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"28⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1428 -s 78828⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"29⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"29⤵
-
-
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"27⤵
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Modifies system executable filetype association
- Adds Run key to start application
- Modifies WinLogon
- Modifies Internet Explorer start page
-
C:\Windows\babon.exeC:\Windows\babon.exe28⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe28⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"28⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"28⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"28⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3004 -s 80028⤵
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"29⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"29⤵
-
-
-
-
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe25⤵
- Modifies visiblity of hidden/system files in Explorer
- Disables cmd.exe use via registry modification
- Modifies WinLogon
- Modifies Internet Explorer start page
- Modifies registry class
-
C:\Windows\babon.exeC:\Windows\babon.exe26⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe26⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"26⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"26⤵
-
C:\Windows\babon.exeC:\Windows\babon.exe27⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe27⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"27⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"27⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"27⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 380 -s 75627⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"28⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"28⤵
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"26⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3836 -s 77626⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"27⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"27⤵
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"25⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"25⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"25⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2004 -s 68825⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"26⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"26⤵
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"24⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"24⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3460 -s 77224⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"25⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"25⤵
-
-
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe23⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables cmd.exe use via registry modification
- Adds Run key to start application
- Modifies WinLogon
- Modifies Internet Explorer settings
- Modifies registry class
-
C:\Windows\babon.exeC:\Windows\babon.exe24⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe24⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"24⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"24⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"24⤵
-
C:\Windows\babon.exeC:\Windows\babon.exe25⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe25⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"25⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"25⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"25⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3704 -s 74025⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"26⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"26⤵
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1780 -s 76824⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"25⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"25⤵
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"23⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"23⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"23⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 552 -s 72423⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"24⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"24⤵
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"22⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"22⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2920 -s 71222⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"23⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"23⤵
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"21⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"21⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Modifies Control Panel
- Modifies Internet Explorer start page
- Modifies registry class
-
C:\Windows\babon.exeC:\Windows\babon.exe22⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe22⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"22⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"22⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"22⤵
- Disables cmd.exe use via registry modification
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer start page
- Modifies registry class
- System policy modification
-
C:\Windows\babon.exeC:\Windows\babon.exe23⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe23⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"23⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"23⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"23⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3620 -s 69623⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"24⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"24⤵
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4564 -s 74822⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"23⤵
-
C:\Windows\babon.exeC:\Windows\babon.exe24⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe24⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"24⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"24⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"24⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3264 -s 71624⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"25⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"25⤵
-
-
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"23⤵
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Modifies Control Panel
- System policy modification
-
C:\Windows\babon.exeC:\Windows\babon.exe24⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe24⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"24⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"24⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"24⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4532 -s 79624⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"25⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"25⤵
-
-
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"21⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3584 -s 72021⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"22⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"22⤵
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4068 -s 75220⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"21⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Modifies system executable filetype association
- Adds Run key to start application
- Drops file in Windows directory
- Modifies Internet Explorer start page
- Modifies registry class
- System policy modification
-
C:\Windows\babon.exeC:\Windows\babon.exe22⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe22⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"22⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"22⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"22⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3856 -s 78422⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"23⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"23⤵
-
-
-
-
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe19⤵
- Disables cmd.exe use via registry modification
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
-
C:\Windows\babon.exeC:\Windows\babon.exe20⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe20⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"20⤵
- Modifies WinLogon for persistence
- Disables RegEdit via registry modification
- Modifies system executable filetype association
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
-
C:\Windows\babon.exeC:\Windows\babon.exe21⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe21⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"21⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"21⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"21⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4144 -s 74021⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"22⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"22⤵
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"20⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"20⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5092 -s 76020⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"21⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"21⤵
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"19⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"19⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"19⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4420 -s 74419⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"20⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"20⤵
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 536 -s 68418⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"19⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"19⤵
-
-
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"17⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
-
C:\Windows\babon.exeC:\Windows\babon.exe18⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe18⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"18⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"18⤵
- Modifies WinLogon for persistence
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
-
C:\Windows\babon.exeC:\Windows\babon.exe19⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe19⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"19⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"19⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"19⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2996 -s 73619⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"20⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"20⤵
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"18⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2256 -s 76818⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"19⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"19⤵
-
-
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"15⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"15⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
-
C:\Windows\babon.exeC:\Windows\babon.exe16⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe16⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"16⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"16⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"16⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 540 -s 73616⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"17⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"17⤵
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1416 -s 80015⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"16⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"16⤵
-
-
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"12⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 628 -s 71212⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"13⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"13⤵
-
-
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe11⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"11⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"11⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"11⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1624 -s 64811⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"12⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"12⤵
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"10⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"10⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"10⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1808 -s 68810⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"11⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"11⤵
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"9⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Modifies Internet Explorer settings
-
C:\Windows\babon.exeC:\Windows\babon.exe10⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe10⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"10⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"10⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"10⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3336 -s 74810⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"11⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"11⤵
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"9⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1956 -s 7609⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"10⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"10⤵
-
-
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe8⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5036 -s 7208⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"9⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- Modifies system executable filetype association
- Drops file in System32 directory
- Drops file in Windows directory
-
C:\Windows\babon.exeC:\Windows\babon.exe10⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe10⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"10⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"10⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"10⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2200 -s 81610⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"11⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"11⤵
-
-
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"9⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Modifies system executable filetype association
- Drops file in Windows directory
- Modifies Internet Explorer start page
- Modifies registry class
- System policy modification
-
C:\Windows\babon.exeC:\Windows\babon.exe10⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe10⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Modifies Internet Explorer start page
- Modifies registry class
-
C:\Windows\babon.exeC:\Windows\babon.exe11⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe11⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"11⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"11⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"11⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5012 -s 75211⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"12⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"12⤵
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"10⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"10⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"10⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2376 -s 78410⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"11⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"11⤵
-
-
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4332 -s 7447⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"8⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"8⤵
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"6⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Enumerates connected drives
- Modifies WinLogon
- Modifies Internet Explorer settings
- Modifies registry class
-
C:\Windows\babon.exeC:\Windows\babon.exe7⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe7⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"7⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"7⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"7⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3860 -s 6487⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"8⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"8⤵
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"6⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2512 -s 7406⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"7⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"7⤵
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3460 -s 6885⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"6⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"6⤵
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"4⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Suspicious use of SetWindowsHookEx
- System policy modification
-
C:\Windows\babon.exeC:\Windows\babon.exe5⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe5⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"5⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"5⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"5⤵
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"4⤵
- Loads dropped DLL
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4716 -s 7844⤵
- Executes dropped EXE
- Loads dropped DLL
- Program crash
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"5⤵
- Loads dropped DLL
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"5⤵
-
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3576 -ip 35761⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2540 -ip 25401⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 3084 -ip 30841⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 2076 -ip 20761⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4128 -ip 41281⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4844 -ip 48441⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4204 -ip 42041⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 3284 -ip 32841⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 628 -ip 6281⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2416 -ip 24161⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 1276 -ip 12761⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4716 -ip 47161⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3560 -ip 35601⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 940 -ip 9401⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4040 -ip 40401⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3460 -ip 34601⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4312 -ip 43121⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4436 -ip 44361⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 2512 -ip 25121⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4332 -ip 43321⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 316 -ip 3161⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 3860 -ip 38601⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 2416 -ip 24161⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 5036 -ip 50361⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1956 -ip 19561⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3336 -ip 33361⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 1808 -ip 18081⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 2200 -ip 22001⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1624 -ip 16241⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 628 -ip 6281⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2376 -ip 23761⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3704 -ip 37041⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 5012 -ip 50121⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 3484 -ip 34841⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 1416 -ip 14161⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 2228 -ip 22281⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 2200 -ip 22001⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3336 -ip 33361⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 540 -ip 5401⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 536 -ip 5361⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 3888 -ip 38881⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 2068 -ip 20681⤵
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3604 -ip 36041⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 4420 -ip 44201⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 2256 -ip 22561⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4068 -ip 40681⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 5092 -ip 50921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2996 -ip 29961⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 3584 -ip 35841⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4144 -ip 41441⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3856 -ip 38561⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4564 -ip 45641⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2920 -ip 29201⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3620 -ip 36201⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 552 -ip 5521⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 3264 -ip 32641⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3460 -ip 34601⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1780 -ip 17801⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 2004 -ip 20041⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3704 -ip 37041⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4532 -ip 45321⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 628 -ip 6281⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 3836 -ip 38361⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2540 -ip 25401⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 380 -ip 3801⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 4724 -ip 47241⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1428 -ip 14281⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4900 -ip 49001⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 1768 -ip 17681⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3004 -ip 30041⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1272 -ip 12721⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3708 -ip 37081⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3480 -ip 34801⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3604 -ip 36041⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 3860 -ip 38601⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 3392 -ip 33921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 4516 -ip 45161⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 5052 -ip 50521⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4924 -ip 49241⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 396 -ip 3961⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 3524 -ip 35241⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 5104 -ip 51041⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 3604 -ip 36041⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 1736 -ip 17361⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 3656 -ip 36561⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3360 -ip 33601⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3356 -ip 33561⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 3404 -ip 34041⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4592 -ip 45921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1096 -ip 10961⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 3288 -ip 32881⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 3416 -ip 34161⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4200 -ip 42001⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 2540 -ip 25401⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1360 -ip 13601⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4596 -ip 45961⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4436 -ip 44361⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 3296 -ip 32961⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 5060 -ip 50601⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1196 -ip 11961⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 3880 -ip 38801⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2752 -ip 27521⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 3836 -ip 38361⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 3312 -ip 33121⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 1588 -ip 15881⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2408 -ip 24081⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 760 -ip 7601⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 2532 -ip 25321⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 428 -ip 4281⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 1652 -ip 16521⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3336 -ip 33361⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 2372 -ip 23721⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 4656 -ip 46561⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4532 -ip 45321⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4452 -ip 44521⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
1Winlogon Helper DLL
2Event Triggered Execution
1Change Default File Association
1Privilege Escalation
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
1Winlogon Helper DLL
2Event Triggered Execution
1Change Default File Association
1Defense Evasion
Hide Artifacts
2Hidden Files and Directories
2Modify Registry
9Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
147KB
MD5419da2f7c3fcea637d53e32a5a833eec
SHA1fdbff595ace2d2cb54d93031a77641c2c5d98376
SHA2560a980a5ab7a20975dfc64fb9e8b067c7bb6a689e0c6e97ec1a28339a47ca4f22
SHA5127e3d815e439e1a0e9ad8d08bad73bb17e14e52ec53ddd10005387c576943b02a0adcadd8295754110102eb6817b6eb37b3c09eae9ae1f6552e291cf4b15ff600
-
Filesize
147KB
MD5419da2f7c3fcea637d53e32a5a833eec
SHA1fdbff595ace2d2cb54d93031a77641c2c5d98376
SHA2560a980a5ab7a20975dfc64fb9e8b067c7bb6a689e0c6e97ec1a28339a47ca4f22
SHA5127e3d815e439e1a0e9ad8d08bad73bb17e14e52ec53ddd10005387c576943b02a0adcadd8295754110102eb6817b6eb37b3c09eae9ae1f6552e291cf4b15ff600
-
Filesize
147KB
MD5419da2f7c3fcea637d53e32a5a833eec
SHA1fdbff595ace2d2cb54d93031a77641c2c5d98376
SHA2560a980a5ab7a20975dfc64fb9e8b067c7bb6a689e0c6e97ec1a28339a47ca4f22
SHA5127e3d815e439e1a0e9ad8d08bad73bb17e14e52ec53ddd10005387c576943b02a0adcadd8295754110102eb6817b6eb37b3c09eae9ae1f6552e291cf4b15ff600
-
Filesize
147KB
MD52b84886af1af59c8a1aede83bdabf083
SHA15d7681d81ea071b35d1623c303401c9cde0da77d
SHA256ee4b1634c367ea653df050947b9b9d289fe40673fc6a4202afad653094ccde86
SHA512d9970a98ec8c58c740c851f5fc9a53c98c2377e663dfa1b63e3fec368a958eb096ac81c30e519cd4ae65fe909927c10fd914988e34aa1a1d24ca126708f3cd46
-
Filesize
147KB
MD52b84886af1af59c8a1aede83bdabf083
SHA15d7681d81ea071b35d1623c303401c9cde0da77d
SHA256ee4b1634c367ea653df050947b9b9d289fe40673fc6a4202afad653094ccde86
SHA512d9970a98ec8c58c740c851f5fc9a53c98c2377e663dfa1b63e3fec368a958eb096ac81c30e519cd4ae65fe909927c10fd914988e34aa1a1d24ca126708f3cd46
-
Filesize
147KB
MD52b84886af1af59c8a1aede83bdabf083
SHA15d7681d81ea071b35d1623c303401c9cde0da77d
SHA256ee4b1634c367ea653df050947b9b9d289fe40673fc6a4202afad653094ccde86
SHA512d9970a98ec8c58c740c851f5fc9a53c98c2377e663dfa1b63e3fec368a958eb096ac81c30e519cd4ae65fe909927c10fd914988e34aa1a1d24ca126708f3cd46
-
Filesize
147KB
MD551e58a31ad979b2501fb7364bada77c2
SHA118c465c355056b878372a52ddc44eaebd2d88df8
SHA256cb52d3ea8a903f88a22f7d726fddb3333acf04510397a01cabd7d7d259d28def
SHA512ebc13dc6d93ad7e8e65f4fd2bc73e3aac04418b0381707262f9992052cb9c6d3d0bb752b462a7f390beb5015c473803970b37f1d288b56a37a208507d85f4720
-
Filesize
147KB
MD551e58a31ad979b2501fb7364bada77c2
SHA118c465c355056b878372a52ddc44eaebd2d88df8
SHA256cb52d3ea8a903f88a22f7d726fddb3333acf04510397a01cabd7d7d259d28def
SHA512ebc13dc6d93ad7e8e65f4fd2bc73e3aac04418b0381707262f9992052cb9c6d3d0bb752b462a7f390beb5015c473803970b37f1d288b56a37a208507d85f4720
-
Filesize
147KB
MD551e58a31ad979b2501fb7364bada77c2
SHA118c465c355056b878372a52ddc44eaebd2d88df8
SHA256cb52d3ea8a903f88a22f7d726fddb3333acf04510397a01cabd7d7d259d28def
SHA512ebc13dc6d93ad7e8e65f4fd2bc73e3aac04418b0381707262f9992052cb9c6d3d0bb752b462a7f390beb5015c473803970b37f1d288b56a37a208507d85f4720
-
Filesize
147KB
MD54f757249c3f22bf847cc809d4590e880
SHA1f6d7d9f61811b7550c3ad9269e33ce322b61f97d
SHA256eef35320a71d05a76daec9c0622bd7d431d67cd8052eb4aa5afc7655db721f55
SHA51266dfb09386da57cf2933e66003669f73ed45bba21023c244a711f61b39990c1b40422c6d34e38a1b7047b6fc0fadd30092f83e6307a63479c119322dcbbccde5
-
Filesize
147KB
MD5419da2f7c3fcea637d53e32a5a833eec
SHA1fdbff595ace2d2cb54d93031a77641c2c5d98376
SHA2560a980a5ab7a20975dfc64fb9e8b067c7bb6a689e0c6e97ec1a28339a47ca4f22
SHA5127e3d815e439e1a0e9ad8d08bad73bb17e14e52ec53ddd10005387c576943b02a0adcadd8295754110102eb6817b6eb37b3c09eae9ae1f6552e291cf4b15ff600
-
Filesize
147KB
MD52b84886af1af59c8a1aede83bdabf083
SHA15d7681d81ea071b35d1623c303401c9cde0da77d
SHA256ee4b1634c367ea653df050947b9b9d289fe40673fc6a4202afad653094ccde86
SHA512d9970a98ec8c58c740c851f5fc9a53c98c2377e663dfa1b63e3fec368a958eb096ac81c30e519cd4ae65fe909927c10fd914988e34aa1a1d24ca126708f3cd46
-
Filesize
147KB
MD53639f8c6b1d12807ebdc4e80c7b3f1e4
SHA131ca111811fdf37c2e07477648c1532266bdc6ee
SHA25646211c123c4980cdd5cf6d4efbb98d5bbb3782449b2404d2bedd094c15aceed4
SHA512d3791696008f35eeb510aa994251b9d6839396a97c655857d0a1c8e925079acc363923e2ee186d52c6722bcd0e14973d8fbb0fce2c39bb931c344a597c61ff2b
-
Filesize
147KB
MD5843694fe0b069ee586171efdf2aef269
SHA1d54b178188ff1388df983bfb69186106b91a6194
SHA256d45a9288ac34a7c910c98684be19fe937a6c2cd2b02295e7ff69cfc38e3208e1
SHA5125ef4faad5708ad599bf405bf01aa703eaaec6e74aa74f6ef6f4463feae425c0f00ef4b08be65cc5c993de5cad69b7849d580393bc22c96e2a88070a55eb066af
-
Filesize
147KB
MD59b08e3773b36d4c566a205afdb9647f8
SHA1ce7518a13a23ad231163728ccd5ca53b37ae73fa
SHA2567ba85a38f25064afe08d5bfcc01cd338bba0706786cd527bc09d91d75830d874
SHA5120a096757bf805e7289881fcf5377c14fc084a3eec3b4b2dd14bc4921c2ba4fb3708088a25a5e17a4e69bd60a19a30b608280b14b1d48d698ca703c852f9016ff
-
Filesize
147KB
MD5419da2f7c3fcea637d53e32a5a833eec
SHA1fdbff595ace2d2cb54d93031a77641c2c5d98376
SHA2560a980a5ab7a20975dfc64fb9e8b067c7bb6a689e0c6e97ec1a28339a47ca4f22
SHA5127e3d815e439e1a0e9ad8d08bad73bb17e14e52ec53ddd10005387c576943b02a0adcadd8295754110102eb6817b6eb37b3c09eae9ae1f6552e291cf4b15ff600
-
Filesize
147KB
MD52b84886af1af59c8a1aede83bdabf083
SHA15d7681d81ea071b35d1623c303401c9cde0da77d
SHA256ee4b1634c367ea653df050947b9b9d289fe40673fc6a4202afad653094ccde86
SHA512d9970a98ec8c58c740c851f5fc9a53c98c2377e663dfa1b63e3fec368a958eb096ac81c30e519cd4ae65fe909927c10fd914988e34aa1a1d24ca126708f3cd46
-
Filesize
147KB
MD505fff86eb6ce418a26cf962f195b241c
SHA11d49e16afd11cbbc828300f8c2b8408f767d08ec
SHA256e0b96bbd04cdb919f1bb062f230de486223bde586f2e6b1a462f1b44fa327c39
SHA51246f5563a96222c438b64eaeca2e268cd93f3d573c404d394a523870aa450432edb3e75693a8394716edd44e12ca96efe7ea51933b4e4b9375326268a0ee6d019
-
Filesize
147KB
MD54a2b147e5a441482bea6943e658ef3e1
SHA16b41f248205d7f03ad5f79a845a501fc1332afc5
SHA25642b34d3e737b515fcfb762f05c1f7919c62701dc43607bdbd63e89351a0b6502
SHA51211c0de1d4020981f8beaeede479698705c89e30b5cb283be965f7b526e30d3a26602211874fd8de1814e14941b506593d9b35f6f20a6a28c4785cdcd08d0e8f1
-
Filesize
147KB
MD54a2b147e5a441482bea6943e658ef3e1
SHA16b41f248205d7f03ad5f79a845a501fc1332afc5
SHA25642b34d3e737b515fcfb762f05c1f7919c62701dc43607bdbd63e89351a0b6502
SHA51211c0de1d4020981f8beaeede479698705c89e30b5cb283be965f7b526e30d3a26602211874fd8de1814e14941b506593d9b35f6f20a6a28c4785cdcd08d0e8f1
-
Filesize
147KB
MD551e58a31ad979b2501fb7364bada77c2
SHA118c465c355056b878372a52ddc44eaebd2d88df8
SHA256cb52d3ea8a903f88a22f7d726fddb3333acf04510397a01cabd7d7d259d28def
SHA512ebc13dc6d93ad7e8e65f4fd2bc73e3aac04418b0381707262f9992052cb9c6d3d0bb752b462a7f390beb5015c473803970b37f1d288b56a37a208507d85f4720
-
Filesize
147KB
MD598d304bc5c870a12f6a2b81044fdde85
SHA163ff1900721d1607d27cf31edf930de725d280a3
SHA2563092532a0121760394038161d258a495fe185a980247e7e937fb19b9721ec887
SHA512655c9ae16ef934614b3a82c11f60f5b7a9e3d4e87531fde529325335129d5769704bbbd4adefed377f5f4ed707f8df90dfb76cfeb893c0632d4ad8d97b7df559
-
Filesize
147KB
MD5d9248cc964b1a75fc2a898fc511e0078
SHA11534740bd5fa059beca90d0b93dd86e880a172d5
SHA2562770a1cac085fb8a2a425a1758c011a088949ad3084df1e4c50314d4bad9ff11
SHA512e7bbf33d1bcbd588b2534e20226e2b521296a53c5b8640ea42b990945175754f23f3ee52c55a88ebfd7f30693ddf2150cacfb691abd94a6a155a9355b3d4b1b0
-
Filesize
147KB
MD551e58a31ad979b2501fb7364bada77c2
SHA118c465c355056b878372a52ddc44eaebd2d88df8
SHA256cb52d3ea8a903f88a22f7d726fddb3333acf04510397a01cabd7d7d259d28def
SHA512ebc13dc6d93ad7e8e65f4fd2bc73e3aac04418b0381707262f9992052cb9c6d3d0bb752b462a7f390beb5015c473803970b37f1d288b56a37a208507d85f4720
-
Filesize
147KB
MD5419da2f7c3fcea637d53e32a5a833eec
SHA1fdbff595ace2d2cb54d93031a77641c2c5d98376
SHA2560a980a5ab7a20975dfc64fb9e8b067c7bb6a689e0c6e97ec1a28339a47ca4f22
SHA5127e3d815e439e1a0e9ad8d08bad73bb17e14e52ec53ddd10005387c576943b02a0adcadd8295754110102eb6817b6eb37b3c09eae9ae1f6552e291cf4b15ff600
-
Filesize
147KB
MD52b84886af1af59c8a1aede83bdabf083
SHA15d7681d81ea071b35d1623c303401c9cde0da77d
SHA256ee4b1634c367ea653df050947b9b9d289fe40673fc6a4202afad653094ccde86
SHA512d9970a98ec8c58c740c851f5fc9a53c98c2377e663dfa1b63e3fec368a958eb096ac81c30e519cd4ae65fe909927c10fd914988e34aa1a1d24ca126708f3cd46
-
Filesize
147KB
MD5cbe1eb23d02fdefce9fff1ed745cb003
SHA1d70b56140b08679e48e4f0805e3263c9d1400eaa
SHA256c43af49af1b35d27d4959f346aa1946c78f76e3fc03fabd261ffb41e9342055e
SHA512e1a9fcaa8ff14543380ee55a0cf1abf217271eac29ce221924b8559ec7aae58f6ee49eca1cea3020df52f9cbd25f3c0f9b9647d2dd0f3e004f92ecf1bd840d9b
-
Filesize
147KB
MD55b663fbbca4956a28663023858378f9e
SHA10cfa85a79adfe74e700a3c05215c8fa9da8ceec8
SHA25638f5d3a10f7cc6104d4213b3432306bb76c5c7d4d0ef601c5258198b448cdb85
SHA5123ff5650550cb951b0ba4d8bf4f9b3ecab38a362282a51ea9f43b9152ea2bb8313fe8e73ef2171916dc31c687d5b0a84349598dfa17c4dba11ebc47cf41b86f36
-
Filesize
147KB
MD54de6bdc879d4d7ebc6b9ad678a4f11df
SHA1391028c9a95ea04faa200e2894679c176a033f73
SHA25617768c9679fdffc0ccc3a12f0d64a796fecce7cd08c2ddbf35854b3862375935
SHA512b44b6ff496e2c6d176dbd108b6988abe258c41da706879286065e5a46e3dec7034109055ccea910bb6467a450b7b284e3f995545f876ca3bc1cad06a563f23d8
-
Filesize
1.4MB
MD525f62c02619174b35851b0e0455b3d94
SHA14e8ee85157f1769f6e3f61c0acbe59072209da71
SHA256898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
SHA512f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a
-
Filesize
147KB
MD5d9248cc964b1a75fc2a898fc511e0078
SHA11534740bd5fa059beca90d0b93dd86e880a172d5
SHA2562770a1cac085fb8a2a425a1758c011a088949ad3084df1e4c50314d4bad9ff11
SHA512e7bbf33d1bcbd588b2534e20226e2b521296a53c5b8640ea42b990945175754f23f3ee52c55a88ebfd7f30693ddf2150cacfb691abd94a6a155a9355b3d4b1b0
-
Filesize
147KB
MD5d9248cc964b1a75fc2a898fc511e0078
SHA11534740bd5fa059beca90d0b93dd86e880a172d5
SHA2562770a1cac085fb8a2a425a1758c011a088949ad3084df1e4c50314d4bad9ff11
SHA512e7bbf33d1bcbd588b2534e20226e2b521296a53c5b8640ea42b990945175754f23f3ee52c55a88ebfd7f30693ddf2150cacfb691abd94a6a155a9355b3d4b1b0
-
Filesize
147KB
MD5d9248cc964b1a75fc2a898fc511e0078
SHA11534740bd5fa059beca90d0b93dd86e880a172d5
SHA2562770a1cac085fb8a2a425a1758c011a088949ad3084df1e4c50314d4bad9ff11
SHA512e7bbf33d1bcbd588b2534e20226e2b521296a53c5b8640ea42b990945175754f23f3ee52c55a88ebfd7f30693ddf2150cacfb691abd94a6a155a9355b3d4b1b0
-
Filesize
147KB
MD5d9248cc964b1a75fc2a898fc511e0078
SHA11534740bd5fa059beca90d0b93dd86e880a172d5
SHA2562770a1cac085fb8a2a425a1758c011a088949ad3084df1e4c50314d4bad9ff11
SHA512e7bbf33d1bcbd588b2534e20226e2b521296a53c5b8640ea42b990945175754f23f3ee52c55a88ebfd7f30693ddf2150cacfb691abd94a6a155a9355b3d4b1b0
-
Filesize
147KB
MD5d9248cc964b1a75fc2a898fc511e0078
SHA11534740bd5fa059beca90d0b93dd86e880a172d5
SHA2562770a1cac085fb8a2a425a1758c011a088949ad3084df1e4c50314d4bad9ff11
SHA512e7bbf33d1bcbd588b2534e20226e2b521296a53c5b8640ea42b990945175754f23f3ee52c55a88ebfd7f30693ddf2150cacfb691abd94a6a155a9355b3d4b1b0
-
Filesize
147KB
MD53e3355ca0963cb1935c23d0701e55f07
SHA172a449e9c0bfc00a33cc5076a48be8256ce5b83a
SHA256905f49c96949292ffd2a56c2cb6fbd099bf16910b6800de30d8103b1fd764047
SHA512024008afe430f102444a198a58b2f36b2664974470c8491cf2eb1c2e46bf45b255fa61c8f68bc990926d704a2651f091b4d56da4fcb7dcc0eb5d52a8764db5b4
-
Filesize
147KB
MD5d9248cc964b1a75fc2a898fc511e0078
SHA11534740bd5fa059beca90d0b93dd86e880a172d5
SHA2562770a1cac085fb8a2a425a1758c011a088949ad3084df1e4c50314d4bad9ff11
SHA512e7bbf33d1bcbd588b2534e20226e2b521296a53c5b8640ea42b990945175754f23f3ee52c55a88ebfd7f30693ddf2150cacfb691abd94a6a155a9355b3d4b1b0
-
Filesize
147KB
MD551e58a31ad979b2501fb7364bada77c2
SHA118c465c355056b878372a52ddc44eaebd2d88df8
SHA256cb52d3ea8a903f88a22f7d726fddb3333acf04510397a01cabd7d7d259d28def
SHA512ebc13dc6d93ad7e8e65f4fd2bc73e3aac04418b0381707262f9992052cb9c6d3d0bb752b462a7f390beb5015c473803970b37f1d288b56a37a208507d85f4720
-
Filesize
147KB
MD5419da2f7c3fcea637d53e32a5a833eec
SHA1fdbff595ace2d2cb54d93031a77641c2c5d98376
SHA2560a980a5ab7a20975dfc64fb9e8b067c7bb6a689e0c6e97ec1a28339a47ca4f22
SHA5127e3d815e439e1a0e9ad8d08bad73bb17e14e52ec53ddd10005387c576943b02a0adcadd8295754110102eb6817b6eb37b3c09eae9ae1f6552e291cf4b15ff600
-
Filesize
147KB
MD52b84886af1af59c8a1aede83bdabf083
SHA15d7681d81ea071b35d1623c303401c9cde0da77d
SHA256ee4b1634c367ea653df050947b9b9d289fe40673fc6a4202afad653094ccde86
SHA512d9970a98ec8c58c740c851f5fc9a53c98c2377e663dfa1b63e3fec368a958eb096ac81c30e519cd4ae65fe909927c10fd914988e34aa1a1d24ca126708f3cd46
-
Filesize
147KB
MD5ad9d7168fde607dac4f1e1983674f526
SHA1bced41288b53469b8f39faf3f9697553c05fe7e6
SHA25658d188bafb6a110b56b53e706bf1d35c482936eda4008bd7075ea42ee284b378
SHA5123053f0679ed1b518a93bb464b92fd6f3465074fe92025d7da158f5c3cc0533ef83602d934e321277eb1b5fad0f1d38cca41b42d0b02538fc9c086cb2561185f6
-
Filesize
147KB
MD550eb004bde39e2e568632061b844b305
SHA170d122e127a1b3734e282bf6a804aba472e910bf
SHA2566dc660d391868c564d570b6fd75a3ef8f70118e15196c662dd4467b0abac39ee
SHA512ff0de4b08658a9bb78c1410aa69d4f1d19437bbad7fbe1db0549f299b5ec43d7e401a9fc9202e9de9654282ab49a387c2eb33c776accd0bd5cca0d750d9c128a
-
Filesize
147KB
MD5d8d0aace91835746e906c7a1b7041d04
SHA1bd419d6f05921e55afb1a452a642cef6f9528c66
SHA25617190c1136697b337945e255e9dd37a9307e75373684bd219c38e79892a469d8
SHA512f9b36cc530e3f13973069b4cc75d0de3be4e76fe03157936ada337448de20bd3d8edbb89373d9ec3001643fe13bb4fe886749b6b7e67a1fe0d16bacf5f5f3080
-
Filesize
147KB
MD5d8d0aace91835746e906c7a1b7041d04
SHA1bd419d6f05921e55afb1a452a642cef6f9528c66
SHA25617190c1136697b337945e255e9dd37a9307e75373684bd219c38e79892a469d8
SHA512f9b36cc530e3f13973069b4cc75d0de3be4e76fe03157936ada337448de20bd3d8edbb89373d9ec3001643fe13bb4fe886749b6b7e67a1fe0d16bacf5f5f3080
-
Filesize
147KB
MD5ecb2caf4ad8a1b6890ca3cec097574cd
SHA1bee8db1a6b83920aee289da8a86e2e07f28d9032
SHA2566078bbd263cea6151c1e769dedb2955b7fcbdf81ddb78b61356424d1295f6b19
SHA5129a573f92953fef362ff858212be4017d75ab83fedf0bc9a0a6e95fbb8f17f6b1dd83b2538ed1568caa23e5320f484f6c10c9941a5df45314725cf6b8593ab28c
-
Filesize
147KB
MD5d9248cc964b1a75fc2a898fc511e0078
SHA11534740bd5fa059beca90d0b93dd86e880a172d5
SHA2562770a1cac085fb8a2a425a1758c011a088949ad3084df1e4c50314d4bad9ff11
SHA512e7bbf33d1bcbd588b2534e20226e2b521296a53c5b8640ea42b990945175754f23f3ee52c55a88ebfd7f30693ddf2150cacfb691abd94a6a155a9355b3d4b1b0
-
Filesize
147KB
MD53e3355ca0963cb1935c23d0701e55f07
SHA172a449e9c0bfc00a33cc5076a48be8256ce5b83a
SHA256905f49c96949292ffd2a56c2cb6fbd099bf16910b6800de30d8103b1fd764047
SHA512024008afe430f102444a198a58b2f36b2664974470c8491cf2eb1c2e46bf45b255fa61c8f68bc990926d704a2651f091b4d56da4fcb7dcc0eb5d52a8764db5b4
-
Filesize
147KB
MD53e3355ca0963cb1935c23d0701e55f07
SHA172a449e9c0bfc00a33cc5076a48be8256ce5b83a
SHA256905f49c96949292ffd2a56c2cb6fbd099bf16910b6800de30d8103b1fd764047
SHA512024008afe430f102444a198a58b2f36b2664974470c8491cf2eb1c2e46bf45b255fa61c8f68bc990926d704a2651f091b4d56da4fcb7dcc0eb5d52a8764db5b4
-
Filesize
147KB
MD598d304bc5c870a12f6a2b81044fdde85
SHA163ff1900721d1607d27cf31edf930de725d280a3
SHA2563092532a0121760394038161d258a495fe185a980247e7e937fb19b9721ec887
SHA512655c9ae16ef934614b3a82c11f60f5b7a9e3d4e87531fde529325335129d5769704bbbd4adefed377f5f4ed707f8df90dfb76cfeb893c0632d4ad8d97b7df559
-
Filesize
147KB
MD598d304bc5c870a12f6a2b81044fdde85
SHA163ff1900721d1607d27cf31edf930de725d280a3
SHA2563092532a0121760394038161d258a495fe185a980247e7e937fb19b9721ec887
SHA512655c9ae16ef934614b3a82c11f60f5b7a9e3d4e87531fde529325335129d5769704bbbd4adefed377f5f4ed707f8df90dfb76cfeb893c0632d4ad8d97b7df559
-
Filesize
147KB
MD598d304bc5c870a12f6a2b81044fdde85
SHA163ff1900721d1607d27cf31edf930de725d280a3
SHA2563092532a0121760394038161d258a495fe185a980247e7e937fb19b9721ec887
SHA512655c9ae16ef934614b3a82c11f60f5b7a9e3d4e87531fde529325335129d5769704bbbd4adefed377f5f4ed707f8df90dfb76cfeb893c0632d4ad8d97b7df559
-
Filesize
147KB
MD598d304bc5c870a12f6a2b81044fdde85
SHA163ff1900721d1607d27cf31edf930de725d280a3
SHA2563092532a0121760394038161d258a495fe185a980247e7e937fb19b9721ec887
SHA512655c9ae16ef934614b3a82c11f60f5b7a9e3d4e87531fde529325335129d5769704bbbd4adefed377f5f4ed707f8df90dfb76cfeb893c0632d4ad8d97b7df559
-
Filesize
147KB
MD598d304bc5c870a12f6a2b81044fdde85
SHA163ff1900721d1607d27cf31edf930de725d280a3
SHA2563092532a0121760394038161d258a495fe185a980247e7e937fb19b9721ec887
SHA512655c9ae16ef934614b3a82c11f60f5b7a9e3d4e87531fde529325335129d5769704bbbd4adefed377f5f4ed707f8df90dfb76cfeb893c0632d4ad8d97b7df559
-
Filesize
1.4MB
MD525f62c02619174b35851b0e0455b3d94
SHA14e8ee85157f1769f6e3f61c0acbe59072209da71
SHA256898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
SHA512f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a
-
Filesize
1.4MB
MD525f62c02619174b35851b0e0455b3d94
SHA14e8ee85157f1769f6e3f61c0acbe59072209da71
SHA256898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
SHA512f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a
-
Filesize
1.4MB
MD525f62c02619174b35851b0e0455b3d94
SHA14e8ee85157f1769f6e3f61c0acbe59072209da71
SHA256898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
SHA512f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a
-
Filesize
147KB
MD5cb261c5674bbc99661b601dd6d241091
SHA1bb97811df291d2e86215d0264d2e4a330317f33d
SHA256685764e1bf9506cdb4545699fa01ab19750a203a5bce10af1dd5be8a56ff881d
SHA512a6d97df41f818ac880168018c38da0c23041f32c5586bfd350feafab66a35861bbca47eeb3e478add6510c6b337278704c19cdb0200066ba2cd760e96d836653
-
Filesize
147KB
MD5d9248cc964b1a75fc2a898fc511e0078
SHA11534740bd5fa059beca90d0b93dd86e880a172d5
SHA2562770a1cac085fb8a2a425a1758c011a088949ad3084df1e4c50314d4bad9ff11
SHA512e7bbf33d1bcbd588b2534e20226e2b521296a53c5b8640ea42b990945175754f23f3ee52c55a88ebfd7f30693ddf2150cacfb691abd94a6a155a9355b3d4b1b0
-
Filesize
147KB
MD551e58a31ad979b2501fb7364bada77c2
SHA118c465c355056b878372a52ddc44eaebd2d88df8
SHA256cb52d3ea8a903f88a22f7d726fddb3333acf04510397a01cabd7d7d259d28def
SHA512ebc13dc6d93ad7e8e65f4fd2bc73e3aac04418b0381707262f9992052cb9c6d3d0bb752b462a7f390beb5015c473803970b37f1d288b56a37a208507d85f4720
-
Filesize
147KB
MD58cd3d62f5731fe99ff80b6c309ffd17f
SHA1ebfb407665428fe5c1747601faebff55096085cf
SHA256d129d58572ada818c76894003a68c333c6e5bad1c508704139ced1f9070f46b9
SHA51280882066a95cf70ba32b866673b38e701e3310a6f7dc85798613ab736f5ec057e927cf36dd131850b248bc145bf1eb56771bff85e33068e915d1d73d13fbe466
-
Filesize
147KB
MD52b84886af1af59c8a1aede83bdabf083
SHA15d7681d81ea071b35d1623c303401c9cde0da77d
SHA256ee4b1634c367ea653df050947b9b9d289fe40673fc6a4202afad653094ccde86
SHA512d9970a98ec8c58c740c851f5fc9a53c98c2377e663dfa1b63e3fec368a958eb096ac81c30e519cd4ae65fe909927c10fd914988e34aa1a1d24ca126708f3cd46
-
Filesize
147KB
MD52b84886af1af59c8a1aede83bdabf083
SHA15d7681d81ea071b35d1623c303401c9cde0da77d
SHA256ee4b1634c367ea653df050947b9b9d289fe40673fc6a4202afad653094ccde86
SHA512d9970a98ec8c58c740c851f5fc9a53c98c2377e663dfa1b63e3fec368a958eb096ac81c30e519cd4ae65fe909927c10fd914988e34aa1a1d24ca126708f3cd46
-
Filesize
359B
MD5df2f3e6971a7548c1688706f9a9798a8
SHA1e38539857523a1e7eb3aa857e017bf6461b16a08
SHA2561fd0a101a74c19c0c9e287eac64ee506df3eebdbc11f12022dda94fedd123918
SHA512d2d41257135381d7f4c4936139282a505094af7a8f9bc824ccc08d09da9ab010b6adf1460feacf5c0151cb9d4299b8bde934fd90904bb3c3ce6c396af449c072
-
Filesize
359B
MD5df2f3e6971a7548c1688706f9a9798a8
SHA1e38539857523a1e7eb3aa857e017bf6461b16a08
SHA2561fd0a101a74c19c0c9e287eac64ee506df3eebdbc11f12022dda94fedd123918
SHA512d2d41257135381d7f4c4936139282a505094af7a8f9bc824ccc08d09da9ab010b6adf1460feacf5c0151cb9d4299b8bde934fd90904bb3c3ce6c396af449c072
-
Filesize
359B
MD5df2f3e6971a7548c1688706f9a9798a8
SHA1e38539857523a1e7eb3aa857e017bf6461b16a08
SHA2561fd0a101a74c19c0c9e287eac64ee506df3eebdbc11f12022dda94fedd123918
SHA512d2d41257135381d7f4c4936139282a505094af7a8f9bc824ccc08d09da9ab010b6adf1460feacf5c0151cb9d4299b8bde934fd90904bb3c3ce6c396af449c072
-
Filesize
41B
MD5097661e74e667ec2329bc274acb87b0d
SHA191c68a6089af2f61035e2e5f2a8da8c908dc93ed
SHA256aab4cf640f2520966a0aac31af8d1b819eea28736c6b103db16b07c3188ec6c0
SHA512e90e678526270cd9388538246793534411c478b082ab914bfe2756b18771229f146c731c0f9c94ed59d8689b2ef77d25f7b22d3d6b8c2d439e5b3437f8dc649e