Malware Analysis Report

2025-03-15 05:46

Sample ID: 240508-1wttxshg5s
Target: 468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c
SHA256: 468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c
Tags: aspackv2 evasion persistence
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: 468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c

Threat Level: Known bad

The file 468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c was found to be: Known bad.

Malicious Activity Summary

aspackv2 evasion persistence

Modifies WinLogon for persistence

Modifies visibility of file extensions in Explorer

Modifies visibility of hidden/system files in Explorer

Detects executables packed with ASPack

Disables RegEdit via registry modification

Disables use of System Restore points

Disables cmd.exe use via registry modification

Disables Task Manager via registry modification

Loads dropped DLL

Executes dropped EXE

Modifies system executable filetype association

ASPack v2.12-2.42

Enumerates connected drives

Modifies WinLogon

Adds Run key to start application

Drops autorun.inf file

Drops file in System32 directory

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

System policy modification

Modifies Internet Explorer start page

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious behavior: GetForegroundWindowSpam

Modifies Control Panel

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-05-08 22:00

Signatures

Detects executables packed with ASPack

Description Indicator Process Target
N/A N/A N/A N/A

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
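The static rules above name the packer and note that the PE is unsigned, but the report does not show how either check is made. As an added example, not the sandbox's own rule: a minimal PE section-table walk in Python that flags an ASPack-shaped layout and reports whether a certificate table is present at all (presence only; nothing here verifies a signature). It assumes ASPack 2.x leaves sections named .aspack and .adata with the entry point inside .aspack; the PE bytes are a constructed skeleton built by build_pe, not the analysed sample, and build_pe, parse_pe and aspack_verdict are this example's own names.

```python
"""Section-table check for ASPack-style packing plus a certificate-table presence check.

Added example for this report; not the sandbox's static rule, which the report
does not show. Assumptions: ASPack 2.x adds sections '.aspack' and '.adata' and
places the entry point in '.aspack'. The PE bytes are a constructed skeleton
(headers and section table only), not the analysed sample.
"""
import struct
from typing import List, NamedTuple, Optional

ASPACK_SECTIONS = {b'.aspack', b'.adata'}


class Section(NamedTuple):
    name: bytes
    virtual_size: int
    virtual_address: int
    raw_size: int
    raw_pointer: int


class PEInfo(NamedTuple):
    entry_rva: int
    sections: List[Section]
    has_cert_table: bool   # non-empty IMAGE_DIRECTORY_ENTRY_SECURITY (presence, not validity)


def parse_pe(data: bytes) -> PEInfo:
    if data[:2] != b'MZ':
        raise ValueError('missing MZ signature')
    pe_off = struct.unpack_from('<I', data, 0x3C)[0]            # e_lfanew
    if data[pe_off:pe_off + 4] != b'PE\0\0':
        raise ValueError('missing PE signature')
    nsec = struct.unpack_from('<H', data, pe_off + 6)[0]        # COFF NumberOfSections
    opt_size = struct.unpack_from('<H', data, pe_off + 20)[0]   # COFF SizeOfOptionalHeader
    opt_off = pe_off + 24
    magic = struct.unpack_from('<H', data, opt_off)[0]
    entry_rva = struct.unpack_from('<I', data, opt_off + 16)[0]  # AddressOfEntryPoint
    dirs_off = opt_off + (96 if magic == 0x10B else 112)         # data directories: PE32 vs PE32+
    cert_size = struct.unpack_from('<II', data, dirs_off + 4 * 8)[1]  # directory index 4 = Security
    sec_off = opt_off + opt_size
    sections = []
    for i in range(nsec):
        fields = struct.unpack_from('<8sIIII', data, sec_off + i * 40)
        sections.append(Section(fields[0].rstrip(b'\0'), *fields[1:]))
    return PEInfo(entry_rva, sections, cert_size != 0)


def section_for_rva(rva: int, sections: List[Section]) -> Optional[Section]:
    for s in sections:
        if s.virtual_address <= rva < s.virtual_address + max(s.virtual_size, s.raw_size):
            return s
    return None


def aspack_verdict(data: bytes) -> dict:
    info = parse_pe(data)
    hits = sorted(s.name.decode() for s in info.sections if s.name in ASPACK_SECTIONS)
    ep = section_for_rva(info.entry_rva, info.sections)
    return {
        'aspack_sections': hits,
        'entry_section': ep.name.decode() if ep else None,
        'entry_in_stub': ep is not None and ep.name == b'.aspack',
        'packed': bool(hits),
        'signed': info.has_cert_table,
    }


def build_pe(sections, entry_rva: int) -> bytes:
    """Constructed skeleton PE32: DOS header, COFF header, zeroed optional header, section table."""
    opt_size = 224
    dos = b'MZ' + b'\0' * 58 + struct.pack('<I', 64)            # e_lfanew = 64
    coff = b'PE\0\0' + struct.pack('<HHIIIHH', 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into('<H', opt, 0, 0x10B)                       # PE32 magic
    struct.pack_into('<I', opt, 16, entry_rva)                  # AddressOfEntryPoint
    table = b''.join(struct.pack('<8sIIIIIIHHI', name, vsize, va, rsize, rptr, 0, 0, 0, 0, 0x60000020)
                     for name, vsize, va, rsize, rptr in sections)
    return dos + coff + bytes(opt) + table


# Constructed inputs: an ASPack-shaped layout and a plain two-section binary.
ASPACK_LIKE = build_pe([(b'.text', 0x1000, 0x1000, 0x1000, 0x400),
                        (b'.data', 0x800, 0x2000, 0x800, 0x1400),
                        (b'.aspack', 0x800, 0x3000, 0x800, 0x1C00),
                        (b'.adata', 0x200, 0x4000, 0, 0)], entry_rva=0x3001)
CLEAN = build_pe([(b'.text', 0x1000, 0x1000, 0x1000, 0x400),
                  (b'.rdata', 0x400, 0x2000, 0x400, 0x1400)], entry_rva=0x1230)

if __name__ == '__main__':
    for label, blob in (('aspack-like', ASPACK_LIKE), ('clean', CLEAN)):
        print(label, aspack_verdict(blob))
```

On a real file, read it in binary mode and pass the bytes to aspack_verdict. Section names are trivially renamed, so treat a hit as a triage hint and confirm with an entry-point byte signature or by unpacking; likewise a present certificate table only says the file carries one, and the signature still has to be verified.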

Analysis: behavioral1

Detonation Overview

Submitted: 2024-05-08 22:00
Reported: 2024-05-08 22:03
Platform: win7-20240508-en
Max time kernel: 150s
Max time network: 121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" C:\Users\Admin\AppData\Local\Temp\468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" C:\Users\Admin\AppData\Local\Temp\468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\AppData\Local\Temp\468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\babon.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Local\Temp\468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\babon.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A

Detects executables packed with ASPack

Description Indicator Process Target
N/A N/A N/A N/A (64 identical rows; no description, indicator, process or target was recorded for any match)

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\babon.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A

Disables Task Manager via registry modification

evasion

Disables cmd.exe use via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Users\Admin\AppData\Local\Temp\468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Windows\babon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A

Disables use of System Restore points

evasion

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A (17 identical rows; no description, indicator, process or target was recorded for any match)

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\babon.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
N/A N/A C:\Windows\babon.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Windows\babon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Windows\babon.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
N/A N/A C:\Windows\babon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Windows\babon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe N/A
N/A N/A C:\Windows\babon.exe N/A
N/A N/A C:\Windows\babon.exe N/A
N/A N/A C:\Windows\babon.exe N/A
N/A N/A C:\Windows\babon.exe N/A
N/A N/A C:\Windows\babon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Windows\babon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Windows\babon.exe N/A
N/A N/A C:\Windows\babon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\babon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\AppData\Local\Temp\468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\AppData\Local\Temp\468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open C:\Users\Admin\AppData\Local\Temp\468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\babon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell C:\Users\Admin\AppData\Local\Temp\468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Windows\babon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\babon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\SysWOW64\IExplorer.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\lsass.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\csrss.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" C:\Users\Admin\AppData\Local\Temp\468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\csrss.exe" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\babon = "C:\\Windows\\babon" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\csrss.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\babon = "C:\\Windows\\babon" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\csrss.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\lsass.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\babon = "C:\\Windows\\babon" C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\babon = "C:\\Windows\\babon" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\lsass.exe" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\babon = "C:\\Windows\\babon" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\csrss.exe" C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\lsass.exe" C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\lsass.exe" C:\Users\Admin\AppData\Local\Temp\468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\lsass.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\babon = "C:\\Windows\\babon" C:\Users\Admin\AppData\Local\Temp\468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\csrss.exe" C:\Users\Admin\AppData\Local\Temp\468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\L: C:\Windows\babon.exe N/A
File opened (read-only) \??\O: C:\Windows\babon.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\IExplorer.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\IExplorer.exe N/A
File opened (read-only) \??\M: C:\Windows\babon.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\IExplorer.exe N/A
File opened (read-only) \??\N: C:\Windows\babon.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\IExplorer.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
File opened (read-only) \??\S: C:\Windows\babon.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened (read-only) \??\K: C:\Windows\babon.exe N/A
File opened (read-only) \??\X: C:\Windows\babon.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\IExplorer.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\IExplorer.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
File opened (read-only) \??\E: C:\Windows\babon.exe N/A
File opened (read-only) \??\J: C:\Windows\babon.exe N/A
File opened (read-only) \??\Y: C:\Windows\babon.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
File opened (read-only) \??\B: C:\Windows\babon.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\IExplorer.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
File opened (read-only) \??\W: C:\Windows\babon.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\IExplorer.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\IExplorer.exe N/A
File opened (read-only) \??\R: C:\Windows\babon.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\IExplorer.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
File opened (read-only) \??\Z: C:\Windows\babon.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\IExplorer.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ C:\Users\Admin\AppData\Local\Temp\468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Please enjoy the Babon Entertainment ^_^" C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Welcome Friend" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Please enjoy the Babon Entertainment ^_^" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Welcome Friend" C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Welcome Friend" C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ C:\Windows\babon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Please enjoy the Babon Entertainment ^_^" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Welcome Friend" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Welcome Friend" C:\Users\Admin\AppData\Local\Temp\468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Please enjoy the Babon Entertainment ^_^" C:\Users\Admin\AppData\Local\Temp\468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Please enjoy the Babon Entertainment ^_^" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Welcome Friend" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Please enjoy the Babon Entertainment ^_^" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File created F:\autorun.inf C:\Windows\babon.exe N/A
File opened for modification F:\autorun.inf C:\Windows\babon.exe N/A
File created C:\autorun.inf C:\Windows\babon.exe N/A
File opened for modification C:\autorun.inf C:\Windows\babon.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\AppData\Local\Temp\468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe N/A
File opened for modification C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\AppData\Local\Temp\468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe N/A
File opened for modification C:\Windows\SysWOW64\babon.scr C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\IExplorer.exe C:\Windows\babon.exe N/A
File opened for modification C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\SysWOW64\IExplorer.exe C:\Windows\babon.exe N/A
File opened for modification C:\Windows\SysWOW64\IExplorer.exe C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\shell.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\babon.scr C:\Users\Admin\AppData\Local\Temp\468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe N/A
File opened for modification C:\Windows\SysWOW64\shell.exe C:\Windows\babon.exe N/A
File opened for modification C:\Windows\SysWOW64\babon.scr C:\Windows\babon.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\shell.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\shell.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
File opened for modification C:\Windows\SysWOW64\babon.scr C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
File opened for modification C:\Windows\SysWOW64\shell.exe C:\Users\Admin\AppData\Local\Temp\468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe N/A
File opened for modification C:\Windows\SysWOW64\shell.exe C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\babon.scr C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\SysWOW64\IExplorer.exe C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened for modification C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\SysWOW64\shell.exe C:\Users\Admin\AppData\Local\Temp\468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe N/A
File created C:\Windows\SysWOW64\babon.scr C:\Users\Admin\AppData\Local\Temp\468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\babon.scr C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\babon.exe C:\Windows\babon.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\babon.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File created C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\babon.exe C:\Users\Admin\AppData\Local\Temp\468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\babon.exe C:\Windows\babon.exe N/A
File opened for modification C:\Windows\babon.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File created C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\babon.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
File opened for modification C:\Windows\babon.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\babon.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\babon.exe C:\Users\Admin\AppData\Local\Temp\468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe N/A
File created C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\babon.exe C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\babon.exe C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\babon.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
File created C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A

Enumerates physical storage devices

Modifies Control Panel

evasion
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\babon.SCR" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Mouse\SwapMouseButtons = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\International\s1159 = "Babon" C:\Windows\babon.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Mouse\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\babon.SCR" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\International\s1159 = "Babon" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\babon.SCR" C:\Users\Admin\AppData\Local\Temp\468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Desktop\ C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\International\s2359 = "Babon" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Mouse\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Mouse\SwapMouseButtons = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\International\s2359 = "Babon" C:\Windows\babon.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Mouse\SwapMouseButtons = "1" C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\babon.SCR" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\International\s2359 = "Babon" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Desktop\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Mouse\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Mouse\ C:\Users\Admin\AppData\Local\Temp\468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\babon.SCR" C:\Windows\babon.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\International\ C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\International\s2359 = "Babon" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\International\s2359 = "Babon" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Desktop\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Mouse\SwapMouseButtons = "1" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" C:\Windows\babon.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Mouse\ C:\Windows\babon.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\International\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" C:\Users\Admin\AppData\Local\Temp\468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\International\s1159 = "Babon" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\International\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" C:\Users\Admin\AppData\Local\Temp\468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\International\s1159 = "Babon" C:\Users\Admin\AppData\Local\Temp\468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\International\s2359 = "Babon" C:\Users\Admin\AppData\Local\Temp\468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Mouse\ C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Desktop\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Desktop\ C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\International\s1159 = "Babon" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\International\ C:\Users\Admin\AppData\Local\Temp\468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Mouse\SwapMouseButtons = "1" C:\Users\Admin\AppData\Local\Temp\468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" C:\Windows\babon.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Desktop\ C:\Users\Admin\AppData\Local\Temp\468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\International\ C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\babon.SCR" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\International\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\International\s1159 = "Babon" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Mouse\SwapMouseButtons = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\ C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Babon hates Norman..:P~~" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Babon hates Norman..:P~~" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.jasakom.com" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Babon hates Norman..:P~~" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.jasakom.com" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Babon hates Norman..:P~~" C:\Users\Admin\AppData\Local\Temp\468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\ C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.jasakom.com" C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Babon hates Norman..:P~~" C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.jasakom.com" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Babon hates Norman..:P~~" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\ C:\Users\Admin\AppData\Local\Temp\468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.jasakom.com" C:\Users\Admin\AppData\Local\Temp\468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.jasakom.com" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A

Modifies Internet Explorer start page

stealer
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.jasakom.com" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.jasakom.com" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.jasakom.com" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.jasakom.com" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.jasakom.com" C:\Users\Admin\AppData\Local\Temp\468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.jasakom.com" C:\Windows\babon.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\babon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Windows\babon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Windows\babon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile C:\Users\Admin\AppData\Local\Temp\468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Windows\babon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ C:\Windows\babon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell C:\Users\Admin\AppData\Local\Temp\468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ C:\Users\Admin\AppData\Local\Temp\468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} C:\Users\Admin\AppData\Local\Temp\468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open C:\Users\Admin\AppData\Local\Temp\468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} C:\Users\Admin\AppData\Local\Temp\468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile C:\Users\Admin\AppData\Local\Temp\468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\AppData\Local\Temp\468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\AppData\Local\Temp\468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe N/A
N/A N/A C:\Windows\babon.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
N/A N/A C:\Windows\babon.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Windows\babon.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
N/A N/A C:\Windows\babon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Windows\babon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Windows\babon.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2280 wrote to memory of 1504 N/A C:\Users\Admin\AppData\Local\Temp\468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe C:\Windows\babon.exe
PID 2280 wrote to memory of 1504 N/A C:\Users\Admin\AppData\Local\Temp\468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe C:\Windows\babon.exe
PID 2280 wrote to memory of 1504 N/A C:\Users\Admin\AppData\Local\Temp\468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe C:\Windows\babon.exe
PID 2280 wrote to memory of 1504 N/A C:\Users\Admin\AppData\Local\Temp\468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe C:\Windows\babon.exe
PID 2280 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2280 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2280 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2280 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2280 wrote to memory of 1464 N/A C:\Users\Admin\AppData\Local\Temp\468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 2280 wrote to memory of 1464 N/A C:\Users\Admin\AppData\Local\Temp\468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 2280 wrote to memory of 1464 N/A C:\Users\Admin\AppData\Local\Temp\468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 2280 wrote to memory of 1464 N/A C:\Users\Admin\AppData\Local\Temp\468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 2280 wrote to memory of 988 N/A C:\Users\Admin\AppData\Local\Temp\468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe
PID 2280 wrote to memory of 988 N/A C:\Users\Admin\AppData\Local\Temp\468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe
PID 2280 wrote to memory of 988 N/A C:\Users\Admin\AppData\Local\Temp\468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe
PID 2280 wrote to memory of 988 N/A C:\Users\Admin\AppData\Local\Temp\468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe
PID 2280 wrote to memory of 1660 N/A C:\Users\Admin\AppData\Local\Temp\468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe
PID 2280 wrote to memory of 1660 N/A C:\Users\Admin\AppData\Local\Temp\468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe
PID 2280 wrote to memory of 1660 N/A C:\Users\Admin\AppData\Local\Temp\468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe
PID 2280 wrote to memory of 1660 N/A C:\Users\Admin\AppData\Local\Temp\468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe
PID 1504 wrote to memory of 2804 N/A C:\Windows\babon.exe C:\Windows\babon.exe
PID 1504 wrote to memory of 2804 N/A C:\Windows\babon.exe C:\Windows\babon.exe
PID 1504 wrote to memory of 2804 N/A C:\Windows\babon.exe C:\Windows\babon.exe
PID 1504 wrote to memory of 2804 N/A C:\Windows\babon.exe C:\Windows\babon.exe
PID 1504 wrote to memory of 536 N/A C:\Windows\babon.exe C:\Windows\SysWOW64\IExplorer.exe
PID 1504 wrote to memory of 536 N/A C:\Windows\babon.exe C:\Windows\SysWOW64\IExplorer.exe
PID 1504 wrote to memory of 536 N/A C:\Windows\babon.exe C:\Windows\SysWOW64\IExplorer.exe
PID 1504 wrote to memory of 536 N/A C:\Windows\babon.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2740 wrote to memory of 824 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Windows\babon.exe
PID 2740 wrote to memory of 824 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Windows\babon.exe
PID 2740 wrote to memory of 824 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Windows\babon.exe
PID 2740 wrote to memory of 824 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Windows\babon.exe
PID 1504 wrote to memory of 300 N/A C:\Windows\babon.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 1504 wrote to memory of 300 N/A C:\Windows\babon.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 1504 wrote to memory of 300 N/A C:\Windows\babon.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 1504 wrote to memory of 300 N/A C:\Windows\babon.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 1464 wrote to memory of 1456 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe C:\Windows\babon.exe
PID 1464 wrote to memory of 1456 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe C:\Windows\babon.exe
PID 1464 wrote to memory of 1456 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe C:\Windows\babon.exe
PID 1464 wrote to memory of 1456 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe C:\Windows\babon.exe
PID 1464 wrote to memory of 1284 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe C:\Windows\SysWOW64\IExplorer.exe
PID 1464 wrote to memory of 1284 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe C:\Windows\SysWOW64\IExplorer.exe
PID 1464 wrote to memory of 1284 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe C:\Windows\SysWOW64\IExplorer.exe
PID 1464 wrote to memory of 1284 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe C:\Windows\SysWOW64\IExplorer.exe
PID 1504 wrote to memory of 1176 N/A C:\Windows\babon.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe
PID 1504 wrote to memory of 1176 N/A C:\Windows\babon.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe
PID 1504 wrote to memory of 1176 N/A C:\Windows\babon.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe
PID 1504 wrote to memory of 1176 N/A C:\Windows\babon.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe
PID 1464 wrote to memory of 896 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 1464 wrote to memory of 896 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 1464 wrote to memory of 896 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 1464 wrote to memory of 896 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 1504 wrote to memory of 2852 N/A C:\Windows\babon.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe
PID 1504 wrote to memory of 2852 N/A C:\Windows\babon.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe
PID 1504 wrote to memory of 2852 N/A C:\Windows\babon.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe
PID 1504 wrote to memory of 2852 N/A C:\Windows\babon.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe
PID 1464 wrote to memory of 3012 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe
PID 1464 wrote to memory of 3012 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe
PID 1464 wrote to memory of 3012 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe
PID 1464 wrote to memory of 3012 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe
PID 988 wrote to memory of 880 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe C:\Windows\babon.exe
PID 988 wrote to memory of 880 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe C:\Windows\babon.exe
PID 988 wrote to memory of 880 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe C:\Windows\babon.exe
PID 988 wrote to memory of 880 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe C:\Windows\babon.exe

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\babon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Windows\babon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Users\Admin\AppData\Local\Temp\468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe

"C:\Users\Admin\AppData\Local\Temp\468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe"

C:\Windows\babon.exe

C:\Windows\babon.exe

C:\Windows\SysWOW64\IExplorer.exe

C:\Windows\system32\IExplorer.exe

C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"

C:\Windows\babon.exe

C:\Windows\babon.exe

C:\Windows\SysWOW64\IExplorer.exe

C:\Windows\system32\IExplorer.exe

C:\Windows\babon.exe

C:\Windows\babon.exe

C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"

C:\Windows\babon.exe

C:\Windows\babon.exe

C:\Windows\SysWOW64\IExplorer.exe

C:\Windows\system32\IExplorer.exe

C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"

C:\Windows\babon.exe

C:\Windows\babon.exe

C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"

C:\Windows\SysWOW64\IExplorer.exe

C:\Windows\system32\IExplorer.exe

C:\Windows\babon.exe

C:\Windows\babon.exe

C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"

C:\Windows\SysWOW64\IExplorer.exe

C:\Windows\system32\IExplorer.exe

C:\Windows\SysWOW64\IExplorer.exe

C:\Windows\system32\IExplorer.exe

C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"

Network

N/A

Files

memory/2280-0-0x0000000000400000-0x0000000000423000-memory.dmp

C:\Users\Admin\AppData\Local\winlogon.exe

MD5 b1d40ed23f434400f1332a468bdd75d0
SHA1 1b02aafa08536bceea27f8fe633beffbe6f3c478
SHA256 468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c
SHA512 bb332dda06746f08a6049fc7a803ae0f013a58c19bab7a964af62e86eb65fdefe815c932f1af9497ab0c9e65794ce1d05f525d3f69bae4f3ae9699f2416a67ec

memory/2280-100-0x0000000002560000-0x0000000002583000-memory.dmp

C:\Windows\babon.exe

MD5 ea62df7d718eb7a68ac477dcb2dcec2b
SHA1 df12b3889b8924fe24e1360bb98804b3ac11802c
SHA256 8a3745125a76f06acd09d9b1ab3d1c280fc830f6ef32c4d88f7b72ff74f463a4
SHA512 5cb39da3a6760e89063e208e193b97a140e4ba1fd2df81653269db18c1b6aea1eb171c9545e330c39df591480fd84f97da3ae285d3020856080d3c7a0a21a5bb

memory/1504-106-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2280-105-0x0000000002560000-0x0000000002583000-memory.dmp

\Windows\SysWOW64\IExplorer.exe

MD5 36fac6cd982640eb7e21e09264d047d7
SHA1 dc987cb5115efd988d3e4fad26b7a3c617fd3340
SHA256 556b7d20710add59a4fb36076a8a33e2672fb3f4b77474f3bcef7b042189f6d0
SHA512 2ceaac2e3e82f0f28855d42035ca1755d0382f6f12b8e11c588fa99146148ff8e389c077bc397f7cec0716d46adfea3fa5e73ca8060d6483ff8a7cda1087b3b0

memory/2280-110-0x0000000002560000-0x0000000002583000-memory.dmp

\Users\Admin\AppData\Local\WINDOWS\winlogon.exe

MD5 677bf37d5d18fb32d81567a411c8075b
SHA1 727c967c652e43ae479460c99f7c6b28923efe90
SHA256 a9f64353454d5d4a6686a57f8b06dbab4fdb17da2b40dcb103c99a347258721e
SHA512 d73631ee50591efd709cf4d12aef67154f63cb63948db2cb98cc8887733cdc0ce94550e46d5ccbf656571ce96f25b58ca26f6e440a3aa83f4924503be39875e7

memory/2280-124-0x0000000002560000-0x0000000002583000-memory.dmp

memory/1464-131-0x0000000000400000-0x0000000000423000-memory.dmp

\Users\Admin\AppData\Local\WINDOWS\csrss.exe

MD5 62ebac52f4e0e132a905dc854605a892
SHA1 c62bcf2236fe2e9edd3f2c2b27b93f6b2cfb68bb
SHA256 2edfba3bc8ae4b72c5638190006daedf290d4e59f2587c9fcbab28d59bbfb196
SHA512 342b9263a98bc719efe06d367409458ab939d89fb31175f89f6b84937864f4d7921dc505e49ee5a15cb5c8f238d795dd466a60917841d22884b0f5f5a351bfa4

memory/2280-134-0x0000000002560000-0x0000000002583000-memory.dmp

\Users\Admin\AppData\Local\WINDOWS\lsass.exe

MD5 c556c2398297e80ca3fd3862569694a2
SHA1 a91b986ce905e0c2647b0cf3fddfda1cc5426f35
SHA256 b5bf1f58724159a56011c48e9ce496782a84fdf93a0e0613054a1ee66c85a33a
SHA512 4fb93f7b503f23539e357f7c208cf7cbbde236a76d9f20420702774c556ac2a05659d2619f25bd4a3123fe79ebcb891ba2bb385356284522de6e601d66042e76

memory/1660-150-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2280-148-0x0000000002560000-0x0000000002583000-memory.dmp

memory/2280-154-0x0000000000400000-0x0000000000423000-memory.dmp

C:\Windows\msvbvm60.dll

MD5 5343a19c618bc515ceb1695586c6c137
SHA1 4dedae8cbde066f31c8e6b52c0baa3f8b1117742
SHA256 2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce
SHA512 708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

memory/2804-189-0x0000000000400000-0x0000000000423000-memory.dmp

C:\wangsit.txt

MD5 8c460e27a1949370d14f20942ef964c3
SHA1 fb1f75839903c83911b45b49956792d27db56185
SHA256 2c001b5c9684baf861870ffbaf0bec9df22560cdf3cd5a719a78a882e3122f8d
SHA512 ad4299385bd91f7157f4d4b01025664333423f15f796a9a70e3f5df251842cdef3ad8f1158dc3c8b51c8ea4d082d62d56a6b57fade7b563fb953f8b511a17bcd

C:\Users\Admin\Local Settings\Application Data\WINDOWS\smss.exe

MD5 be4edf18ba6e1925dc6aec78669c193b
SHA1 008cc0f18e05294bb89f15a7c284071f8d7aa23c
SHA256 8bf9e32284de09c930de70fe760bbe7d7f8e55558f92f10f7cb9f7a00800cf86
SHA512 5da7dab78d3225fa433a65130edba41eb618a46d5e71a04586366e2caacbb9955aa19adde5740fd6a2726fa7c906af742a904580a87d79cc58158923eb9f2c80

C:\Users\Admin\Local Settings\Application Data\WINDOWS\smss.exe

MD5 bb495374fcd212b84e2215d218b35f8d
SHA1 bba2e1e4dfdae51dcb924dbaabffe78508ebd218
SHA256 64f4d187d74afe04f40efe85823f9ab290c91a4cce0aa70241efa4eda812c0e2
SHA512 2bf2575f81939f8ccce5d569f2787d9f4092480db45cc06657abffc374ffbb8bb81d3e0d09e4e448c671b30ed74b745db3d57d40b9d4e3b3d0e7cb373f9d5481

memory/1504-256-0x00000000023A0000-0x00000000023C3000-memory.dmp

C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif

MD5 9db73b51ebe314816e0dc7ad7fda2393
SHA1 42a19801e826bf4c8e30c7ec82ad5417a5e729a4
SHA256 25f9bf8d56e78897478943507e25c8140f4037ab8005de4327fc8b690c56033e
SHA512 930034e135c9ae9e84ff05cfd4cd90efd3a4b9c13b0db1a57b280f5c75fecf88af781a84e76d525745955111c1d9944f1ef61e35c678498d4215bf19f5470439

C:\Windows\SysWOW64\babon.scr

MD5 d73e21e8c4f04a021749fdc10dfac0d9
SHA1 f714159a570d18c1d8c5d9eb247d33a5e8a0a5f9
SHA256 9965ac697c8672240a409e4c56ca04cd26028dfc989b8209358d4ce33e47aa12
SHA512 e142635d4fe79d10d013b2a5c6877d0e62e1ea5f7ba6bc39f80c495c598c0abc43adfeb560f12e70fa6fee2980c11921ae024f6679329e36f6cb516a71802ee6

memory/1176-280-0x0000000000400000-0x0000000000423000-memory.dmp

memory/896-296-0x0000000000400000-0x0000000000423000-memory.dmp

memory/1284-286-0x0000000000400000-0x0000000000423000-memory.dmp

C:\Windows\SysWOW64\babon.scr

MD5 157de3b6fdb9b87374fda5edc67872b4
SHA1 8d05ee540a3009e65e892f8921a2176d0785a8f7
SHA256 59fe596fc0b807b410493001e1304a062b4d5bd7237a5953e59150ebdeae3ff1
SHA512 d8c040c44fa27b8505871dbf86c259918340e2b2eb0e2829d44759bd19250b78e1a51060fc79321d91ac10b37e26fe9bff07b55f5c393ae8fc180aad180db868

C:\Windows\SysWOW64\shell.exe

MD5 f50c9eb98c5e50c75e533f39c7f62917
SHA1 311bd875eafcf308303999adef1fe694edbf08ef
SHA256 2afb3f45b525242db6a58f2d2a95720cbd4be92aff1096ea2fb4cabb569d00fa
SHA512 fa27f4bd9efc82a314406489057d0eb55b5f14ddd9d6e5d4b69c3f04b8cfbcdc7cdb897a13b491a99e24642f51cb4b306b29d70741a5040f11a2c56f756abc15

memory/2852-338-0x0000000000400000-0x0000000000423000-memory.dmp

memory/880-332-0x0000000000400000-0x0000000000423000-memory.dmp

C:\babon.exe

MD5 76b4bb0515cca80dd6b0dbf812c7c880
SHA1 3d18bb2d1e91ddbb407fbe5af8b00907ac0f3f93
SHA256 5f2777f146969ac2d6a0523fc15a3859e852836f209e164c5120d3bf0c41444e
SHA512 5349378c732b2a877428f31913b12ca7b695e2dfdc4c644626c68fa24380be81ab52657b44942b88fc05f37a42bec4969e84d5fdced9707dec63507f08a7f9b0

C:\Users\Admin\Local Settings\Application Data\WINDOWS\smss.exe

MD5 ea3020dd40790c7b7d7255a3422ac3f5
SHA1 8cb10d3b5fdbacd8581d8c563bf81dbc9a107243
SHA256 db987d55e361766227e401046963adbf07a272c24a0df59db5f0f7ebed53e9f1
SHA512 9dbce95bc2084985bfe94afc5ab8315e76cc0cd9bc7fb1cb34b5ee95e3f0c1e39ff8a5291ee4602f70204395fe6a81498f1c95e8dc5b1765f7acef5cd633249a

memory/3012-303-0x0000000000400000-0x0000000000423000-memory.dmp

memory/1504-302-0x00000000023A0000-0x00000000023C3000-memory.dmp

memory/1176-294-0x0000000000400000-0x0000000000423000-memory.dmp

memory/896-292-0x0000000000400000-0x0000000000423000-memory.dmp

memory/1464-291-0x00000000007A0000-0x00000000007C3000-memory.dmp

memory/1456-276-0x0000000000400000-0x0000000000423000-memory.dmp

memory/1456-275-0x0000000072940000-0x0000000072A93000-memory.dmp

C:\Windows\SysWOW64\shell.exe

MD5 8dcf6cbc58fb587985efd36af6e1cdd2
SHA1 4cb1ece01ab761f714f3e984e8d9941acc5e4e35
SHA256 1c53af601b77fcaafc85717ba2441c0b5534f13ebcd12e09eed65877e56fbb02
SHA512 7320d27151e19c4df826233d14c7814dccf8d2246709cd0cbe097abebd186bc53734e75065a3da43b894f03a9acbc3e282ebc028195773f295c93555c11844ee

C:\babon.exe

MD5 7f6982ec92c236866188de882ea998e6
SHA1 589548be21378f06e163e8f20b92c6a304e10edc
SHA256 6c71053f7fcf17085ddf55a4211a9547521a0d1915a9d4655f08b16353a56be0
SHA512 94877160db836e7ad70eb4643f9166eccc3003e3bc586529ce4de76f4917a92206ac03165118a31078aaf56d68f13cfd214804aaec6d76e973b0577e74298852

C:\Users\Admin\Local Settings\Application Data\WINDOWS\smss.exe

MD5 f943aff0f8f42f8aaa8046700c72a791
SHA1 75008314f650c5f6c577b530d3e42cdd45969edf
SHA256 77a30173ccfb5056e68d89fe6736b624ca531682c116c57a4b28068bbb282148
SHA512 1ea61354e8e1be2a41b9254688987cb605e07a6678201a3ca3c622b6f4e6e1f0fcde14457c1bfd51cc1f17c58308b45290de74c7bc697e8bdc1309c0562126ef

memory/536-231-0x0000000000400000-0x0000000000423000-memory.dmp

memory/300-238-0x0000000000400000-0x0000000000423000-memory.dmp

memory/1504-237-0x00000000023A0000-0x00000000023C3000-memory.dmp

memory/536-209-0x0000000000400000-0x0000000000423000-memory.dmp

memory/1504-208-0x00000000023A0000-0x00000000023C3000-memory.dmp

memory/880-353-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2804-207-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2804-206-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/2672-396-0x0000000000400000-0x0000000000423000-memory.dmp

memory/1660-394-0x0000000001CB0000-0x0000000001CD3000-memory.dmp

memory/2672-370-0x0000000000400000-0x0000000000423000-memory.dmp

memory/1712-369-0x0000000000400000-0x0000000000423000-memory.dmp

memory/1712-365-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2508-417-0x0000000000400000-0x0000000000423000-memory.dmp

memory/1712-362-0x0000000000220000-0x0000000000230000-memory.dmp

memory/1712-361-0x0000000000220000-0x0000000000230000-memory.dmp

F:\autorun.inf

MD5 097661e74e667ec2329bc274acb87b0d
SHA1 91c68a6089af2f61035e2e5f2a8da8c908dc93ed
SHA256 aab4cf640f2520966a0aac31af8d1b819eea28736c6b103db16b07c3188ec6c0
SHA512 e90e678526270cd9388538246793534411c478b082ab914bfe2756b18771229f146c731c0f9c94ed59d8689b2ef77d25f7b22d3d6b8c2d439e5b3437f8dc649e

memory/988-400-0x0000000001DE0000-0x0000000001E03000-memory.dmp

memory/2956-403-0x0000000000400000-0x0000000000423000-memory.dmp

memory/988-399-0x0000000001DE0000-0x0000000001E03000-memory.dmp

memory/2920-420-0x0000000000400000-0x0000000000423000-memory.dmp

memory/880-352-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/3012-348-0x0000000000400000-0x0000000000423000-memory.dmp

memory/1464-354-0x00000000007A0000-0x00000000007C3000-memory.dmp

memory/2740-409-0x00000000005C0000-0x00000000005E3000-memory.dmp

memory/1660-411-0x0000000001CB0000-0x0000000001CD3000-memory.dmp

memory/2300-414-0x0000000000400000-0x0000000000423000-memory.dmp

memory/824-408-0x0000000000400000-0x0000000000423000-memory.dmp

memory/824-407-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/1660-410-0x0000000001CB0000-0x0000000001CD3000-memory.dmp

memory/2956-416-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2508-426-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2740-424-0x00000000005C0000-0x00000000005E3000-memory.dmp

memory/2740-423-0x00000000005C0000-0x00000000005E3000-memory.dmp

memory/2740-439-0x00000000005C0000-0x00000000005E3000-memory.dmp

memory/2920-428-0x0000000000400000-0x0000000000423000-memory.dmp

memory/1600-443-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2820-445-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2300-413-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/2524-438-0x0000000000400000-0x0000000000423000-memory.dmp

memory/1352-435-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2936-453-0x0000000000400000-0x0000000000423000-memory.dmp

memory/1660-454-0x0000000001CB0000-0x0000000001CD3000-memory.dmp

memory/1604-455-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2480-451-0x0000000000400000-0x0000000000423000-memory.dmp

memory/1604-459-0x0000000000400000-0x0000000000423000-memory.dmp

memory/1772-461-0x0000000000400000-0x0000000000423000-memory.dmp

memory/1772-464-0x0000000000400000-0x0000000000423000-memory.dmp

memory/1504-465-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2740-466-0x0000000000400000-0x0000000000423000-memory.dmp

memory/1464-467-0x0000000000400000-0x0000000000423000-memory.dmp

memory/988-468-0x0000000000400000-0x0000000000423000-memory.dmp

memory/1660-469-0x0000000000400000-0x0000000000423000-memory.dmp

memory/1504-520-0x00000000023A0000-0x00000000023C3000-memory.dmp

memory/1504-531-0x00000000023A0000-0x00000000023C3000-memory.dmp

memory/1464-532-0x00000000007A0000-0x00000000007C3000-memory.dmp

memory/988-538-0x0000000001DE0000-0x0000000001E03000-memory.dmp

memory/1464-539-0x00000000007A0000-0x00000000007C3000-memory.dmp
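
Every dump name above encodes the PID, a sequence number and the dumped address range, so the list can be grouped by (base, size) to tell which processes were dumped with the same mapping. The following Python is an added example written for this page, not part of the sandbox's report or tooling. The sample list is a subset of the names above. The reading that a 0x23000-byte region at 0x400000 is the same PE image loaded in each process, and that the 0x153000-byte region at 0x72940000 is a shared library mapping, is the editor's inference from the sizes, not something the report states.

```python
import re
from collections import defaultdict

# Sandbox dump names: memory/<pid>-<sequence>-<start>-<end>-memory.dmp
DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-"
    r"0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)

# Constructed sample: a subset of the dump names listed in this report.
SAMPLE_DUMPS = [
    "memory/2280-124-0x0000000002560000-0x0000000002583000-memory.dmp",
    "memory/1464-131-0x0000000000400000-0x0000000000423000-memory.dmp",
    "memory/2280-134-0x0000000002560000-0x0000000002583000-memory.dmp",
    "memory/1660-150-0x0000000000400000-0x0000000000423000-memory.dmp",
    "memory/2280-154-0x0000000000400000-0x0000000000423000-memory.dmp",
    "memory/2804-189-0x0000000000400000-0x0000000000423000-memory.dmp",
    "memory/2804-206-0x0000000072940000-0x0000000072A93000-memory.dmp",
    "memory/1504-256-0x00000000023A0000-0x00000000023C3000-memory.dmp",
    "memory/1456-275-0x0000000072940000-0x0000000072A93000-memory.dmp",
    "memory/1176-280-0x0000000000400000-0x0000000000423000-memory.dmp",
    "memory/1712-362-0x0000000000220000-0x0000000000230000-memory.dmp",
]

def parse_dump_name(name):
    """Split one dump name into pid, seq, base, end and size; None if it does not match."""
    m = DUMP_RE.match(name.strip())
    if m is None:
        return None
    start, end = int(m["start"], 16), int(m["end"], 16)
    return {"pid": int(m["pid"]), "seq": int(m["seq"]),
            "start": start, "end": end, "size": end - start}

def group_regions(names):
    """Map (base, size) -> sorted PIDs in which that exact region was dumped."""
    regions = defaultdict(set)
    for name in names:
        d = parse_dump_name(name)
        if d is not None:
            regions[(d["start"], d["size"])].add(d["pid"])
    return {k: sorted(v) for k, v in regions.items()}

def shared_regions(names, min_pids=2):
    """Regions with the same base and size dumped from at least min_pids processes."""
    return {k: v for k, v in group_regions(names).items() if len(v) >= min_pids}

def regions_of_size(names, size):
    """Every (pid, base) whose dumped region is exactly `size` bytes, ordered by base, pid."""
    hits = {(d["pid"], d["start"])
            for d in map(parse_dump_name, names) if d is not None and d["size"] == size}
    return sorted(hits, key=lambda t: (t[1], t[0]))

if __name__ == "__main__":
    for (base, size), pids in sorted(shared_regions(SAMPLE_DUMPS).items()):
        print(f"0x{base:08X} (+0x{size:X}) dumped in {len(pids)} PIDs: {pids}")
    # Same-size buffers away from the image base are where a parent may hold the
    # payload before writing it out (editor's inference, not a claim of the report).
    for pid, base in regions_of_size(SAMPLE_DUMPS, 0x23000):
        if base != 0x400000:
            print(f"0x23000-byte region at 0x{base:08X} in PID {pid}")
```

Run against the full list above, the same 0x23000-byte image at 0x400000 turns up in well over twenty PIDs, while the 0x72940000 mapping and the 0x10000-byte region in PID 1712 stand apart; that split is what separates the worm's own copies from runtime regions when deciding which dumps to unpack and compare.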

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-08 22:00

Reported

2024-05-08 22:03

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" C:\Users\Admin\AppData\Local\Temp\468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" C:\Users\Admin\AppData\Local\Temp\468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" C:\Windows\SysWOW64\IExplorer.exe N/A

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\AppData\Local\Temp\468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\babon.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Local\Temp\468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\babon.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A

Detects executables packed with ASPack

Description Indicator Process Target
60 matches, all columns N/A (the report records no description, indicator, process or target for this signature)

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\babon.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A

Disables Task Manager via registry modification

evasion

Disables cmd.exe use via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Users\Admin\AppData\Local\Temp\468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Windows\babon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Windows\SysWOW64\IExplorer.exe N/A

Disables use of System Restore points

evasion

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
20 matches, all columns N/A (the report records no description, indicator, process or target for this signature)

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\babon.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
N/A N/A C:\Windows\babon.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Windows\babon.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Windows\babon.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Windows\babon.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Windows\babon.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\babon.exe N/A
N/A N/A C:\Windows\babon.exe N/A
N/A N/A C:\Windows\babon.exe N/A
N/A N/A C:\Windows\babon.exe N/A
N/A N/A C:\Windows\babon.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Windows\babon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell C:\Users\Admin\AppData\Local\Temp\468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\babon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Windows\babon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\AppData\Local\Temp\468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\babon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Windows\babon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\AppData\Local\Temp\468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Windows\babon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Windows\babon.exe N/A
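
The Winlogon, Explorer and policy rows earlier in this analysis, the file-association rows directly above, and the Run-key rows that follow all share one flattened shape: operation, key, value, writing process, target. To turn them into a remediation checklist a responder needs each value compared with what a clean host holds. The Python below is an added example for this page, not the sandbox's code. It parses rows of that shape, undoes the report's backslash and quote escaping, and flags values that differ from a baseline. The baseline (Userinit holding only userinit.exe, Shell = explorer.exe, exefile default = Application, the exe/com/bat/pif open command = "%1" %*, no lnkfile open command, the Policies\System values absent or 0, ShowSuperHidden = 1, HideFileExt = 0) and the ATT&CK technique mapping are the editor's, not the report's; note that stock Windows ships HideFileExt = 1, so that row deviates from an analyst-box preference rather than from a default install. The sample rows are copied from the tables in this analysis.

```python
import re

# Flattened signature rows have one of two shapes:
#   Set value (<type>) <key> = "<value>" <writing process> <target>
#   Key created <key> <writing process> <target>
# Keys and process paths may contain spaces ("Windows NT", "Local Settings");
# string values escape backslashes and quotes as \\ and \".
SET_RE = re.compile(
    r'^Set value \((?P<type>\w+)\) (?P<key>\\REGISTRY\\.+?) = '
    r'"(?P<value>(?:\\.|[^"\\])*)" (?P<process>[A-Za-z]:\\.+?) (?P<target>\S+)$'
)
CREATED_RE = re.compile(
    r'^Key created (?P<key>\\REGISTRY\\.+?) (?P<process>[A-Za-z]:\\.+?) (?P<target>\S+)$'
)

# Constructed sample: rows copied from this report's behavioral2 tables.
SAMPLE_ROWS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" C:\Windows\babon.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A',
    r'Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\babon.exe N/A',
    r'Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\babon.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Windows\babon.exe N/A',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\lsass.exe" C:\Windows\babon.exe N/A',
]

def unescape(value):
    # Undo the report's backslash-escaping of \ and " inside string values.
    return re.sub(r'\\(.)', r'\1', value)

def parse_row(line):
    """Parse one flattened row into a dict; None for lines of neither shape."""
    line = line.strip()
    m = SET_RE.match(line)
    if m:
        return {"op": "set", "key": m["key"], "value": unescape(m["value"]), "process": m["process"]}
    m = CREATED_RE.match(line)
    if m:
        return {"op": "create", "key": m["key"], "value": None, "process": m["process"]}
    return None

def _stock_userinit(v):
    return v.lower().rstrip(",") == r"c:\windows\system32\userinit.exe"

# Editor's clean-host baseline, not taken from the report: (key-tail regex, expected, check).
# Explorer\Advanced uses an analyst-box baseline; stock Windows ships HideFileExt=1.
BASELINE = [
    (r"\\Winlogon\\Userinit$", r"C:\Windows\system32\userinit.exe,", _stock_userinit),
    (r"\\Winlogon\\Shell$", "explorer.exe", lambda v: v.lower() == "explorer.exe"),
    (r"\\Classes\\exefile\\$", "Application", lambda v: v == "Application"),
    (r"\\Classes\\(exe|com|bat|pif)file\\shell\\open\\command\\$", '"%1" %*', lambda v: v == '"%1" %*'),
    # assumed: a default install has no lnkfile\shell\open\command at all
    (r"\\Classes\\lnkfile\\shell\\open\\command\\$", "(absent)", lambda v: False),
    (r"\\Policies\\System\\(DisableRegistryTools|DisableCMD|DisableTaskMgr)$", "0 or absent", lambda v: v == "0"),
    (r"\\Explorer\\Advanced\\HideFileExt$", "0", lambda v: v == "0"),
    (r"\\Explorer\\Advanced\\ShowSuperHidden$", "1", lambda v: v == "1"),
]

# Editor's ATT&CK mapping for the key families in this report.
ATTACK = [
    (r"\\Winlogon\\", "T1547.004 Winlogon Helper DLL"),
    (r"\\Classes\\\w+file\\", "T1546.001 Change Default File Association"),
    (r"\\Policies\\System\\", "T1562.001 Disable or Modify Tools"),
    (r"\\Explorer\\Advanced\\", "T1564.001 Hidden Files and Directories"),
    (r"\\CurrentVersion\\Run\\", "T1547.001 Registry Run Keys / Startup Folder"),
]

def assess(line):
    """Parsed row plus verdict: 'ok', 'deviation', or 'review' (no baseline, or a bare key creation)."""
    row = parse_row(line)
    if row is None:
        return None
    key = row["key"]
    row["technique"] = next((t for pat, t in ATTACK if re.search(pat, key, re.I)), None)
    row["verdict"], row["expected"] = "review", None
    for pat, expected, ok in BASELINE:
        if re.search(pat, key, re.I):
            row["expected"] = expected
            if row["op"] == "set":  # "Key created" carries no value to judge
                row["verdict"] = "ok" if ok(row["value"]) else "deviation"
            break
    return row

def deviations(lines):
    """Distinct (key, value) pairs failing the baseline, with every process that wrote them."""
    out = {}
    for line in lines:
        r = assess(line)
        if r and r["verdict"] == "deviation":
            entry = out.setdefault((r["key"], r["value"]), {"expected": r["expected"],
                                   "technique": r["technique"], "processes": set()})
            entry["processes"].add(r["process"])
    return out

if __name__ == "__main__":
    for (key, value), info in deviations(SAMPLE_ROWS).items():
        print(f"[{info['technique']}] {key}\n  observed: {value!r}\n  expected: {info['expected']}"
              f"\n  written by: {sorted(info['processes'])}")
```

Collapsing on (key, value) matters here because six different copies of the worm write the same Userinit and Shell values; the checklist a responder needs is one line per key to restore, with the writers attached, rather than one line per event. The exefile open command is the item to fix first: while it points at the dropped shell.exe, launching any .exe (including regedit or cmd, once the policy values are cleared) re-runs the malware.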

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\lsass.exe" C:\Users\Admin\AppData\Local\Temp\468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\babon = "C:\\Windows\\babon" C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\lsass.exe" C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\csrss.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\csrss.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\lsass.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\csrss.exe" C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\csrss.exe" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\babon = "C:\\Windows\\babon" C:\Users\Admin\AppData\Local\Temp\468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\babon = "C:\\Windows\\babon" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" C:\Users\Admin\AppData\Local\Temp\468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\csrss.exe" C:\Users\Admin\AppData\Local\Temp\468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\babon = "C:\\Windows\\babon" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\lsass.exe" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\babon = "C:\\Windows\\babon" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\csrss.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\lsass.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\babon = "C:\\Windows\\babon" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\lsass.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\W: C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\IExplorer.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\IExplorer.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened (read-only) \??\H: C:\Windows\babon.exe N/A
File opened (read-only) \??\V: C:\Windows\babon.exe N/A
File opened (read-only) \??\Z: C:\Windows\babon.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\IExplorer.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
File opened (read-only) \??\J: C:\Windows\babon.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\IExplorer.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\IExplorer.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\IExplorer.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\IExplorer.exe N/A
File opened (read-only) \??\L: C:\Windows\babon.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\IExplorer.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\IExplorer.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\IExplorer.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened (read-only) \??\Y: C:\Windows\babon.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\IExplorer.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\IExplorer.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
File opened (read-only) \??\Q: C:\Windows\babon.exe N/A
File opened (read-only) \??\T: C:\Windows\babon.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\IExplorer.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\IExplorer.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\IExplorer.exe N/A
File opened (read-only) \??\E: C:\Windows\babon.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened (read-only) \??\X: C:\Windows\babon.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
File opened (read-only) \??\P: C:\Windows\babon.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Welcome Friend" C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Please enjoy the Babon Entertainment ^_^" C:\Windows\babon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Please enjoy the Babon Entertainment ^_^" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Welcome Friend" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Please enjoy the Babon Entertainment ^_^" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Welcome Friend" C:\Users\Admin\AppData\Local\Temp\468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Welcome Friend" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Please enjoy the Babon Entertainment ^_^" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Welcome Friend" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Welcome Friend" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ C:\Users\Admin\AppData\Local\Temp\468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Please enjoy the Babon Entertainment ^_^" C:\Users\Admin\AppData\Local\Temp\468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Please enjoy the Babon Entertainment ^_^" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File created C:\autorun.inf C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened for modification C:\autorun.inf C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
File created F:\autorun.inf C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened for modification F:\autorun.inf C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File created F:\autorun.inf C:\Windows\SysWOW64\IExplorer.exe N/A
File created F:\autorun.inf C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
File created C:\autorun.inf C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\autorun.inf C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File created C:\autorun.inf C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
File opened for modification F:\autorun.inf C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification F:\autorun.inf C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
File opened for modification C:\autorun.inf C:\Windows\SysWOW64\IExplorer.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
File created C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\AppData\Local\Temp\468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe N/A
File opened for modification C:\Windows\SysWOW64\babon.scr C:\Users\Admin\AppData\Local\Temp\468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe N/A
File opened for modification C:\Windows\SysWOW64\shell.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File created C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened for modification C:\Windows\SysWOW64\babon.scr C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\AppData\Local\Temp\468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe N/A
File opened for modification C:\Windows\SysWOW64\babon.scr C:\Windows\babon.exe N/A
File opened for modification C:\Windows\SysWOW64\babon.scr C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
File opened for modification C:\Windows\SysWOW64\shell.exe C:\Windows\babon.exe N/A
File opened for modification C:\Windows\SysWOW64\shell.exe C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\shell.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\babon.scr C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\shell.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
File opened for modification C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\SysWOW64\IExplorer.exe C:\Windows\babon.exe N/A
File opened for modification C:\Windows\SysWOW64\babon.scr C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened for modification C:\Windows\SysWOW64\IExplorer.exe C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\SysWOW64\shell.exe C:\Users\Admin\AppData\Local\Temp\468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\IExplorer.exe C:\Windows\babon.exe N/A
File created C:\Windows\SysWOW64\IExplorer.exe C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
File opened for modification C:\Windows\SysWOW64\shell.exe C:\Users\Admin\AppData\Local\Temp\468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe N/A
File created C:\Windows\SysWOW64\babon.scr C:\Users\Admin\AppData\Local\Temp\468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\babon.exe C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\babon.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened for modification C:\Windows\babon.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
File created C:\Windows\babon.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
File created C:\Windows\babon.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
File created C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\babon.exe C:\Windows\babon.exe N/A
File created C:\Windows\babon.exe C:\Windows\babon.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\babon.exe C:\Users\Admin\AppData\Local\Temp\468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe N/A
File created C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\babon.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
File opened for modification C:\Windows\babon.exe C:\Users\Admin\AppData\Local\Temp\468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\babon.exe C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\babon.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File created C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" C:\Users\Admin\AppData\Local\Temp\468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\s1159 = "Babon" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\babon.SCR" C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\s2359 = "Babon" C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Mouse\SwapMouseButtons = "1" C:\Users\Admin\AppData\Local\Temp\468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\s1159 = "Babon" C:\Windows\babon.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Mouse\SwapMouseButtons = "1" C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\s1159 = "Babon" C:\Users\Admin\AppData\Local\Temp\468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop\ C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\s2359 = "Babon" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\s2359 = "Babon" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Mouse\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Mouse\SwapMouseButtons = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\ C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Mouse\SwapMouseButtons = "1" C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Mouse\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Mouse\ C:\Users\Admin\AppData\Local\Temp\468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\s2359 = "Babon" C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Mouse\ C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" C:\Windows\babon.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\ C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\babon.SCR" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\babon.SCR" C:\Users\Admin\AppData\Local\Temp\468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\s1159 = "Babon" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\s1159 = "Babon" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Mouse\ C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\babon.SCR" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" C:\Users\Admin\AppData\Local\Temp\468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\s2359 = "Babon" C:\Users\Admin\AppData\Local\Temp\468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\babon.SCR" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\babon.SCR" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Mouse\SwapMouseButtons = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\s1159 = "Babon" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop\ C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Mouse\SwapMouseButtons = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\s2359 = "Babon" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop\ C:\Users\Admin\AppData\Local\Temp\468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\ C:\Users\Admin\AppData\Local\Temp\468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Mouse\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Babon hates Norman..:P~~" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.jasakom.com" C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Babon hates Norman..:P~~" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.jasakom.com" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Babon hates Norman..:P~~" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Babon hates Norman..:P~~" C:\Users\Admin\AppData\Local\Temp\468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main\ C:\Users\Admin\AppData\Local\Temp\468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.jasakom.com" C:\Users\Admin\AppData\Local\Temp\468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main\ C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Babon hates Norman..:P~~" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.jasakom.com" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main\ C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Babon hates Norman..:P~~" C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.jasakom.com" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.jasakom.com" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A

Modifies Internet Explorer start page

stealer
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.jasakom.com" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.jasakom.com" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.jasakom.com" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.jasakom.com" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.jasakom.com" C:\Users\Admin\AppData\Local\Temp\468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.jasakom.com" C:\Windows\babon.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Windows\babon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ C:\Windows\babon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell C:\Users\Admin\AppData\Local\Temp\468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell C:\Users\Admin\AppData\Local\Temp\468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile C:\Users\Admin\AppData\Local\Temp\468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Users\Admin\AppData\Local\Temp\468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ C:\Users\Admin\AppData\Local\Temp\468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} C:\Users\Admin\AppData\Local\Temp\468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF" C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open C:\Users\Admin\AppData\Local\Temp\468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\babon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\AppData\Local\Temp\468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile C:\Users\Admin\AppData\Local\Temp\468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install C:\Users\Admin\AppData\Local\Temp\468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile C:\Users\Admin\AppData\Local\Temp\468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe N/A
N/A N/A C:\Windows\babon.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
N/A N/A C:\Windows\babon.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Windows\babon.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Windows\babon.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Windows\babon.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Windows\babon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1396 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe C:\Windows\babon.exe
PID 1396 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe C:\Windows\babon.exe
PID 1396 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe C:\Windows\babon.exe
PID 1396 wrote to memory of 1212 N/A C:\Users\Admin\AppData\Local\Temp\468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe C:\Windows\SysWOW64\IExplorer.exe
PID 1396 wrote to memory of 1212 N/A C:\Users\Admin\AppData\Local\Temp\468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe C:\Windows\SysWOW64\IExplorer.exe
PID 1396 wrote to memory of 1212 N/A C:\Users\Admin\AppData\Local\Temp\468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe C:\Windows\SysWOW64\IExplorer.exe
PID 1396 wrote to memory of 4476 N/A C:\Users\Admin\AppData\Local\Temp\468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 1396 wrote to memory of 4476 N/A C:\Users\Admin\AppData\Local\Temp\468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 1396 wrote to memory of 4476 N/A C:\Users\Admin\AppData\Local\Temp\468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 1396 wrote to memory of 4564 N/A C:\Users\Admin\AppData\Local\Temp\468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe
PID 1396 wrote to memory of 4564 N/A C:\Users\Admin\AppData\Local\Temp\468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe
PID 1396 wrote to memory of 4564 N/A C:\Users\Admin\AppData\Local\Temp\468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe
PID 1396 wrote to memory of 4060 N/A C:\Users\Admin\AppData\Local\Temp\468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe
PID 1396 wrote to memory of 4060 N/A C:\Users\Admin\AppData\Local\Temp\468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe
PID 1396 wrote to memory of 4060 N/A C:\Users\Admin\AppData\Local\Temp\468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe
PID 2308 wrote to memory of 4512 N/A C:\Windows\babon.exe C:\Windows\babon.exe
PID 2308 wrote to memory of 4512 N/A C:\Windows\babon.exe C:\Windows\babon.exe
PID 2308 wrote to memory of 4512 N/A C:\Windows\babon.exe C:\Windows\babon.exe
PID 2308 wrote to memory of 2156 N/A C:\Windows\babon.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2308 wrote to memory of 2156 N/A C:\Windows\babon.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2308 wrote to memory of 2156 N/A C:\Windows\babon.exe C:\Windows\SysWOW64\IExplorer.exe
PID 1212 wrote to memory of 4940 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Windows\babon.exe
PID 1212 wrote to memory of 4940 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Windows\babon.exe
PID 1212 wrote to memory of 4940 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Windows\babon.exe
PID 1212 wrote to memory of 4040 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Windows\SysWOW64\IExplorer.exe
PID 1212 wrote to memory of 4040 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Windows\SysWOW64\IExplorer.exe
PID 1212 wrote to memory of 4040 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Windows\SysWOW64\IExplorer.exe
PID 4476 wrote to memory of 920 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe C:\Windows\babon.exe
PID 4476 wrote to memory of 920 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe C:\Windows\babon.exe
PID 4476 wrote to memory of 920 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe C:\Windows\babon.exe
PID 4476 wrote to memory of 4636 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe C:\Windows\SysWOW64\IExplorer.exe
PID 4476 wrote to memory of 4636 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe C:\Windows\SysWOW64\IExplorer.exe
PID 4476 wrote to memory of 4636 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe C:\Windows\SysWOW64\IExplorer.exe
PID 4564 wrote to memory of 3160 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe C:\Windows\babon.exe
PID 4564 wrote to memory of 3160 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe C:\Windows\babon.exe
PID 4564 wrote to memory of 3160 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe C:\Windows\babon.exe
PID 4564 wrote to memory of 3116 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe C:\Windows\SysWOW64\IExplorer.exe
PID 4564 wrote to memory of 3116 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe C:\Windows\SysWOW64\IExplorer.exe
PID 4564 wrote to memory of 3116 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe C:\Windows\SysWOW64\IExplorer.exe
PID 4060 wrote to memory of 740 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe C:\Windows\babon.exe
PID 4060 wrote to memory of 740 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe C:\Windows\babon.exe
PID 4060 wrote to memory of 740 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe C:\Windows\babon.exe
PID 2308 wrote to memory of 624 N/A C:\Windows\babon.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 2308 wrote to memory of 624 N/A C:\Windows\babon.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 2308 wrote to memory of 624 N/A C:\Windows\babon.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 4060 wrote to memory of 2636 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe C:\Windows\SysWOW64\IExplorer.exe
PID 4060 wrote to memory of 2636 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe C:\Windows\SysWOW64\IExplorer.exe
PID 4060 wrote to memory of 2636 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe C:\Windows\SysWOW64\IExplorer.exe
PID 4476 wrote to memory of 4572 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 4476 wrote to memory of 4572 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 4476 wrote to memory of 4572 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 1212 wrote to memory of 1484 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 1212 wrote to memory of 1484 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 1212 wrote to memory of 1484 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 4564 wrote to memory of 3480 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 4564 wrote to memory of 3480 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 4564 wrote to memory of 3480 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 4476 wrote to memory of 4640 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe
PID 4476 wrote to memory of 4640 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe
PID 4476 wrote to memory of 4640 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe
PID 1212 wrote to memory of 3048 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe
PID 1212 wrote to memory of 3048 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe
PID 1212 wrote to memory of 3048 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe
PID 4060 wrote to memory of 1464 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
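The WriteProcessMemory table above lists each writer/target pair once per write, and every target PID later shows up as a writer itself, so the rows are enough to rebuild the spawning chain rooted at PID 1396. The following added example (written for this report; it is neither the sandbox's tooling nor the sample's code) parses a subset of those rows copied from the table, collapses the repeated writes into one edge with a count, renders the tree, and flags images that borrow a Windows system process name (winlogon.exe, csrss.exe, lsass.exe) from outside System32/SysWOW64. Reading "wrote to memory of" as a parent-to-child edge, the row regex and the SYSTEM_NAMES list are assumptions of mine.

```python
"""Rebuild the process tree behind this report's WriteProcessMemory rows.

Added example for this report (not the sandbox's tooling, not the sample's code).
ROWS is a subset copied from the table above; treating 'wrote to memory of' as a
parent-to-child edge and the SYSTEM_NAMES list are my assumptions.
"""
import re
from collections import defaultdict

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe"
BABON = r"C:\Windows\babon.exe"
IEXPLORER = r"C:\Windows\SysWOW64\IExplorer.exe"
WINLOGON = r"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"

# The sandbox emits one row per WriteProcessMemory call, so pairs repeat.
ROWS = [
    f"PID 1396 wrote to memory of 2308 N/A {SAMPLE} {BABON}",
    f"PID 1396 wrote to memory of 2308 N/A {SAMPLE} {BABON}",
    f"PID 1396 wrote to memory of 2308 N/A {SAMPLE} {BABON}",
    f"PID 1396 wrote to memory of 1212 N/A {SAMPLE} {IEXPLORER}",
    f"PID 1396 wrote to memory of 4476 N/A {SAMPLE} {WINLOGON}",
    f"PID 2308 wrote to memory of 4512 N/A {BABON} {BABON}",
    f"PID 1212 wrote to memory of 4940 N/A {IEXPLORER} {BABON}",
    f"PID 4476 wrote to memory of 920 N/A {WINLOGON} {BABON}",
    f"PID 4476 wrote to memory of 4572 N/A {WINLOGON} {WINLOGON}",
]

ROW_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) N/A "
    r"(?P<src_img>[A-Za-z]:\\.*?) (?P<dst_img>[A-Za-z]:\\.*)$"
)

# Names of processes that only legitimately run from the system directories (assumption).
SYSTEM_NAMES = {"winlogon.exe", "csrss.exe", "lsass.exe", "smss.exe", "services.exe"}


def parse_rows(rows):
    """Return (edges, images): edges maps (writer, target) -> number of writes,
    images maps pid -> image path. Rows that do not match are skipped, not guessed."""
    edges, images = defaultdict(int), {}
    for row in rows:
        m = ROW_RE.match(row)
        if not m:
            continue
        src, dst = int(m["src"]), int(m["dst"])
        edges[(src, dst)] += 1
        images[src], images[dst] = m["src_img"], m["dst_img"]
    return dict(edges), images


def build_tree(edges):
    """children[pid] -> sorted child pids; roots are writers nobody wrote to."""
    children = defaultdict(list)
    for parent, child in edges:
        children[parent].append(child)
    targets = {child for _, child in edges}
    roots = sorted({parent for parent, _ in edges} - targets)
    return {p: sorted(c) for p, c in children.items()}, roots


def render_tree(edges, images):
    """Indented text tree; each child carries the number of writes from its parent."""
    children, roots = build_tree(edges)
    lines, seen = [], set()

    def walk(pid, depth, writes=None):
        if pid in seen:  # guard against a malformed, cyclic report
            return
        seen.add(pid)
        name = images.get(pid, "?").rsplit("\\", 1)[-1]
        tag = "" if writes is None else f"  <- {writes} write(s)"
        lines.append(f"{'    ' * depth}{pid} {name}{tag}")
        for child in children.get(pid, []):
            walk(child, depth + 1, edges[(pid, child)])

    for root in roots:
        walk(root, 0)
    return lines


def masquerading(images):
    """pids whose image uses a system process name from outside System32/SysWOW64."""
    flagged = {}
    for pid, path in images.items():
        directory, _, name = path.rpartition("\\")
        if name.lower() in SYSTEM_NAMES and not directory.lower().endswith(("\\system32", "\\syswow64")):
            flagged[pid] = path
    return flagged


if __name__ == "__main__":
    edges, images = parse_rows(ROWS)
    print("\n".join(render_tree(edges, images)))
    for pid, path in sorted(masquerading(images).items()):
        print(f"masquerading: {pid} {path}")
```

Run as-is it prints the subset tree; to cover the whole table, paste all of its rows into ROWS. The masquerading check is a name-and-directory heuristic only: confirm a flagged image against its signature and the hashes in the Files section before treating it as the dropped copy.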

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Users\Admin\AppData\Local\Temp\468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\babon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Windows\babon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
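Across the "Modifies registry class" and "System policy modification" tables the same writes recur from each of the six process images: the shell\open\command verbs of exefile, comfile, batfile, piffile and lnkfile are pointed at C:\Windows\system32\shell.exe "%1" %*, the exefile type name becomes "File Folder", the inffile Install verb receives a value literally named Default that points at host32.exe, and DisableCMD is set to 1 under HKLM. The added example below (written for this report; it is neither the sandbox's tooling nor the sample's code) decodes a subset of those rows copied from the tables, compares each write with a baseline of stock Windows values, and drafts a .reg file that restores them. CLEAN_DEFAULTS, the hive prefix mapping and the treatment of a value named "Default" are assumptions of mine.

```python
"""Triage this report's registry writes and draft a restore .reg for the hijacked keys.

Added example for this report (not the sandbox's tooling, not the sample's code).
ROWS is a subset copied from the 'Modifies registry class' and 'System policy
modification' tables. CLEAN_DEFAULTS is my baseline of stock Windows values and is an
assumption: confirm it on a clean reference host of the same build before importing.
"""
import json
import re

SET_RE = re.compile(
    r'^Set value \((?P<type>str|int)\) (?P<path>\\REGISTRY\\\S+) = "(?P<data>.*)" '
    r'(?P<proc>[A-Za-z]:\\.*?) N/A$'
)

ROWS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\SysWOW64\IExplorer.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\babon.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Windows\babon.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Windows\babon.exe N/A',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Windows\SysWOW64\IExplorer.exe N/A',
]

# Stock value per (key, value name); "" is the unnamed default, None means "must not exist".
CLEAN_DEFAULTS = {
    ("HKCR\\exefile", ""): "Application",
    ("HKCR\\exefile\\shell\\open\\command", ""): '"%1" %*',
    ("HKCR\\comfile\\shell\\open\\command", ""): '"%1" %*',
    ("HKCR\\batfile\\shell\\open\\command", ""): '"%1" %*',
    ("HKCR\\piffile\\shell\\open\\command", ""): '"%1" %*',
    ("HKCR\\lnkfile\\shell\\open\\command", ""): None,
    ("HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System", "DisableCMD"): None,
}
HIVES = [("\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\", "HKCR\\"), ("\\REGISTRY\\MACHINE\\", "HKLM\\")]
ROOTS = {"HKCR": "HKEY_CLASSES_ROOT", "HKLM": "HKEY_LOCAL_MACHINE"}


def to_hive_path(native):
    for prefix, hive in HIVES:
        if native.startswith(prefix):
            return hive + native[len(prefix):]
    return native


def split_key_value(path):
    """A trailing backslash in this report denotes the key's unnamed (Default) value."""
    if path.endswith("\\"):
        return path[:-1], ""
    key, _, name = path.rpartition("\\")
    return key, name


def parse_set_rows(rows):
    """'Key created' rows carry no data and are skipped; 'Set value' rows are decoded."""
    entries = []
    for row in rows:
        m = SET_RE.match(row)
        if not m:
            continue
        key, name = split_key_value(to_hive_path(m["path"]))
        data = json.loads('"' + m["data"] + '"')  # undo the report's \" and \\ escaping
        entries.append({"key": key, "name": name, "data": data, "proc": m["proc"]})
    return entries


def triage(entries):
    """One finding per (key, name) against the baseline; the first writer is kept."""
    findings = {}
    for e in entries:
        ident = (e["key"], e["name"])
        if ident in findings:
            continue
        if ident in CLEAN_DEFAULTS:
            expected = CLEAN_DEFAULTS[ident]
            verdict = "clean" if e["data"] == expected else "hijacked"
        elif e["name"].lower() == "default":
            # A value literally named 'Default' is not the unnamed default the shell
            # reads for a verb; it still marks the key as touched and should go.
            expected, verdict = None, "suspicious-named-default"
        else:
            expected, verdict = None, "unbaselined"
        findings[ident] = {**e, "expected": expected, "verdict": verdict}
    return findings


def reg_escape(s):
    return s.replace("\\", "\\\\").replace('"', '\\"')


def restore_reg(findings):
    """Draft a .reg that resets hijacked values and removes ones that should not exist."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for (key, name), f in sorted(findings.items()):
        if f["verdict"] in ("clean", "unbaselined"):
            continue
        hive, _, rest = key.partition("\\")
        full = f"{ROOTS[hive]}\\{rest}"
        if f["expected"] is None and name == "":
            lines += [f"[-{full}]", ""]  # the whole key must not exist on a clean host
            continue
        vname = "@" if name == "" else f'"{reg_escape(name)}"'
        value = "-" if f["expected"] is None else f'"{reg_escape(f["expected"])}"'
        lines += [f"[{full}]", f"{vname}={value}", ""]
    return "\n".join(lines)


if __name__ == "__main__":
    print(restore_reg(triage(parse_set_rows(ROWS))))
```

Import the draft only after the sample's processes are stopped, since every image in the tables rewrites these keys; and because the summary lists RegEdit as disabled by this sample, use reg.exe import, which is not subject to the regedit policy, or clear that policy first. Where the baseline says None the draft deletes the key or value; check on a clean host of the same build that it really is absent there before relying on that.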

Processes

C:\Users\Admin\AppData\Local\Temp\468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe

"C:\Users\Admin\AppData\Local\Temp\468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe"

C:\Windows\babon.exe

C:\Windows\babon.exe

C:\Windows\SysWOW64\IExplorer.exe

C:\Windows\system32\IExplorer.exe

C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"

C:\Windows\babon.exe

C:\Windows\babon.exe

C:\Windows\SysWOW64\IExplorer.exe

C:\Windows\system32\IExplorer.exe

C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"

C:\Windows\babon.exe

C:\Windows\babon.exe

C:\Windows\SysWOW64\IExplorer.exe

C:\Windows\system32\IExplorer.exe

C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"

C:\Windows\babon.exe

C:\Windows\babon.exe

C:\Windows\SysWOW64\IExplorer.exe

C:\Windows\system32\IExplorer.exe

C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"

C:\Windows\babon.exe

C:\Windows\babon.exe

C:\Windows\SysWOW64\IExplorer.exe

C:\Windows\system32\IExplorer.exe

C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"

C:\Windows\babon.exe

C:\Windows\babon.exe

C:\Windows\SysWOW64\IExplorer.exe

C:\Windows\system32\IExplorer.exe

C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"

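The process tree above shows copies of the sample running under core Windows process names (smss.exe, csrss.exe, winlogon.exe, lsass.exe) from inside the user profile, and a lookalike IExplorer.exe running from both System32 and SysWOW64. The check below is an added example, not part of the sandbox report: it flags both patterns over image paths like the ones listed. It assumes a 64-bit host (where those four binaries execute only from System32) and folds the legacy "Local Settings\Application Data" junction onto AppData\Local so the two spellings the report uses compare equal; SAMPLE_PATHS is constructed from the tree plus one legitimate lsass.exe for contrast.

```python
"""Flag process images that masquerade as Windows system binaries.

Added example, not code from the sandbox report: a name-and-location
check over image paths like those in the process tree above.
SAMPLE_PATHS is constructed from that tree plus one legitimate
lsass.exe for contrast.
"""
import difflib
import ntpath

# Core system processes that, on a 64-bit host (assumed here), run only
# from %SystemRoot%\System32, never from SysWOW64 or a user profile.
SYSTEM32_ONLY = {"smss.exe", "csrss.exe", "winlogon.exe", "lsass.exe", "services.exe"}

# Well-known names that lookalike filenames (IExplorer.exe vs iexplore.exe)
# tend to imitate.
KNOWN_NAMES = SYSTEM32_ONLY | {"svchost.exe", "explorer.exe", "iexplore.exe"}

SYSTEM32 = "c:\\windows\\system32"


def normalize(path):
    """Lower-case, unquote, and fold the Vista+ compatibility junction
    'Local Settings\\Application Data' onto 'AppData\\Local' so both
    spellings used in the report name the same file."""
    p = path.strip().strip('"').lower()
    return p.replace("\\local settings\\application data\\", "\\appdata\\local\\")


def classify(path):
    """Return the reasons a path looks like masquerading (empty = clean)."""
    directory, name = ntpath.split(normalize(path))
    reasons = []
    if name in SYSTEM32_ONLY and directory != SYSTEM32:
        reasons.append(f"{name} outside System32")
    if name not in KNOWN_NAMES:
        # 0.85 is a constructed cutoff; tune it against a real process inventory.
        close = difflib.get_close_matches(name, sorted(KNOWN_NAMES), n=3, cutoff=0.85)
        if close:
            reasons.append("lookalike of " + ", ".join(sorted(close)))
    return reasons


def scan(paths):
    """Map each flagged (normalized) image path to its reasons."""
    findings = {}
    for path in paths:
        reasons = classify(path)
        if reasons:
            findings[normalize(path)] = reasons
    return findings


SAMPLE_PATHS = [  # constructed from the process tree above
    r"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe",
    r'"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"',
    r"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe",
    r"C:\Windows\babon.exe",
    r"C:\Windows\SysWOW64\IExplorer.exe",
    r"C:\Windows\system32\IExplorer.exe",
    r"C:\Windows\System32\lsass.exe",  # legitimate, for contrast
]

if __name__ == "__main__":
    for path, reasons in scan(SAMPLE_PATHS).items():
        print(path, "->", "; ".join(reasons))
```

The two IExplorer.exe rows show why the location check alone is not enough: C:\Windows\system32\IExplorer.exe sits in a trusted directory and is caught only by the name-similarity test, which reports both explorer.exe and iexplore.exe as the imitated names. babon.exe is not flagged by this check at all; it is caught by the dropped-file hashes, not by its name.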
Network

Every row is a DNS query to Google Public DNS (8.8.8.8:53 over UDP), and every queried name is a reverse-lookup (PTR) name under in-addr.arpa, in which the IPv4 address is written with its octets reversed (14.160.190.20.in-addr.arpa is the PTR name for 20.190.160.14). No forward lookup of a hostname appears in this capture, so the table yields no C2 domain; attribute the reverse lookups to the issuing process before treating the decoded addresses as indicators.

Country  Destination  Domain                       Proto
US       8.8.8.8:53   8.8.8.8.in-addr.arpa         udp
US       8.8.8.8:53   14.160.190.20.in-addr.arpa   udp
US       8.8.8.8:53   88.156.103.20.in-addr.arpa   udp
US       8.8.8.8:53   101.58.20.217.in-addr.arpa   udp
US       8.8.8.8:53   43.229.111.52.in-addr.arpa   udp
US       8.8.8.8:53   26.178.89.13.in-addr.arpa    udp

Files

memory/1396-0-0x0000000000400000-0x0000000000423000-memory.dmp

C:\Users\Admin\AppData\Local\winlogon.exe

MD5 b1d40ed23f434400f1332a468bdd75d0
SHA1 1b02aafa08536bceea27f8fe633beffbe6f3c478
SHA256 468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c
SHA512 bb332dda06746f08a6049fc7a803ae0f013a58c19bab7a964af62e86eb65fdefe815c932f1af9497ab0c9e65794ce1d05f525d3f69bae4f3ae9699f2416a67ec

C:\Windows\babon.exe

MD5 88332c4cbfa8dbc0d030f49f21be6776
SHA1 756f2729847405baf2352322a3b15cdd440ad6ae
SHA256 e5a1ba13c6627690c87f0d4fcd31da17178650560a9fc3e0f4adf30f3cd0ccf5
SHA512 9d61001a0cd41e13734158c8cec1ba6a9b45ee09cd844b74e12f7bedaadcffe31112ce2529d2d4d2d317b354b2f2faa90020b0a0cd1d00bcd9de571abc553ad1

memory/2308-102-0x0000000000400000-0x0000000000423000-memory.dmp

C:\Windows\SysWOW64\IExplorer.exe

MD5 0e31e3515b8196573ffd06b69bf87aed
SHA1 0af6a4adca8b207fcbacfa3eb645cdb8567bab76
SHA256 d9c361dcfb17bedb963956808a0f3d329adf6693b660dc310e4b1e06092cf532
SHA512 aaab26e946195efcceac31a04e112480bc26e2a7383d01d65967e0ef652938b88904c9a2c0759ae72d134fced3286569a3ef9c99e9b982e820f4ade6b108fa54

memory/1212-109-0x0000000000400000-0x0000000000423000-memory.dmp

C:\Users\Admin\AppData\Local\WINDOWS\winlogon.exe

MD5 770113bbd293c60ef68455a43370ffa9
SHA1 ca7a3582c89b0f7042001791fbf22b16fa2f721b
SHA256 5183130392172eabb1a56f93f1f66c63faaaa6043570462c821c93c80686c2b1
SHA512 669115500042b710d179aa30cddf6563f0dd0aae773c040593dc1935481ba891641ad805b020d4bc9b987ebe91c92180c445ef649f627f5c66cca5491ce9c77f

memory/4476-116-0x0000000000400000-0x0000000000423000-memory.dmp

C:\Users\Admin\AppData\Local\WINDOWS\csrss.exe

MD5 122372ce2028bcec969d6f4039149e51
SHA1 f7e8ac5c7334da4ae2f91b367e318b5df5bbbe12
SHA256 ef8b6d0a9450d024b358a7a49d261665987d72c7c40e42002add23af07ff42bf
SHA512 00c1f6a1ffd0d6af94d78371956b16461696eb7d8fc59257dc87bef52ec5055be92de9beca0caac7f7d18b447949cbf7324b83e49003f5460a5900faf99fd656

memory/4564-121-0x0000000000400000-0x0000000000423000-memory.dmp

C:\Users\Admin\AppData\Local\WINDOWS\lsass.exe

MD5 637d2c6224867fa0f37d2f09f2186857
SHA1 a34057dfb3692929ebd45d2aac02ff4389b95443
SHA256 84f5d2220901b6b089e35a4de581ac9c38f752fa1f6cf2f6778dd5b5b1118ff6
SHA512 f294a199914bffdc5767b6dfd32142acd56ff65beb88cd12b4482ca0c8fa2ea8cffb787275741e620d171bb7d2a6f21e9cddfa4a7d6090ca8c099a0716efcc2c

memory/4060-127-0x0000000000400000-0x0000000000423000-memory.dmp

memory/1396-132-0x0000000000400000-0x0000000000423000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\WINDOWS\smss.exe

MD5 7fbe141b08ef0a4d20a9f7b2d84713b1
SHA1 76722824bda42d25f0c622679de98b3cb8face6f
SHA256 ab10410aa13ec7f590ab35e5fc3948e6a204d52b32300b889ddcfcfbe5816ace
SHA512 c0a788eba87e69897665044710c7bbc6d0d90280a6def2bce53296094238220a21aad3f7a2dad65eaefe13c16a01fa2a6acdbb50b98ffdb99fd58e4290ef6014

C:\wangsit.txt

MD5 8c460e27a1949370d14f20942ef964c3
SHA1 fb1f75839903c83911b45b49956792d27db56185
SHA256 2c001b5c9684baf861870ffbaf0bec9df22560cdf3cd5a719a78a882e3122f8d
SHA512 ad4299385bd91f7157f4d4b01025664333423f15f796a9a70e3f5df251842cdef3ad8f1158dc3c8b51c8ea4d082d62d56a6b57fade7b563fb953f8b511a17bcd

memory/4512-162-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2156-178-0x0000000000400000-0x0000000000423000-memory.dmp

memory/4512-176-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2156-182-0x0000000000400000-0x0000000000423000-memory.dmp

C:\Windows\SysWOW64\shell.exe

MD5 71f06556ad0c8e188ed07db9fa4015ab
SHA1 6cb0b33fdd4bf57e2f8dcbff834bdbc0613751d6
SHA256 27f66e6e8879d6f2698e2ffdf24227da5b695a63ef3a7f3feed8b8e10550946e
SHA512 2891421f8be520e19b4d6d430e0d67d2efaed6328ee7a387ab6b7bee226034895b3955385ac3c83761952919c6653d4abfc7fced261eb202aa8a9225c9f3988c

C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif

MD5 ab47ebed6e55093f78024f3726be3070
SHA1 cc66b2f8b3b08a2b432774c6b2224c10e313ead3
SHA256 4b8166e4df6958d6cc417eee4753fcb8ff8f3b28ecc98fcf7aa25bd4898d3d4f
SHA512 16f535fa10596117dd091ff34ac57f51a833071f776a62aacd41286bd657c57459fdeed3a5acd92127d10374651092705c87c2e094ca988320adfb3ba3048488

C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif

MD5 7f7fb796dad5afa365589476a896c3d6
SHA1 7a26b9dde60bb8ac4fb70d779a5ca425e177b272
SHA256 477b77944458f11c7a22ead5a51f9c41068f4d22f0fba0f57e8ac724c7ce5b15
SHA512 76554d479c4b35024f525490b75329f4952e3bac559d0ef501fd85abc7bad3972d180a6918053e97062d0f5aba695c7b13070c223a90fe45c12436790ce616cf

C:\Windows\SysWOW64\shell.exe

MD5 7b294a1786cb566409516bad3f0a932f
SHA1 595b461bfa6ad5161edcd131b6b62a178f37166b
SHA256 032cf1d6e6d7a31d55ad0eb45541b8a1375c23c1e46022095797049bb47f7fbc
SHA512 e1909565b0c5e159997af94f963bf0907c63b0d5a3cadf5a28ee2c6dc69a45df40c004bc3e724b17e85b6d8a882e993343588b875561be45ed270a129c39e4ef

C:\Windows\SysWOW64\babon.scr

MD5 5b80fc7658e849f5196b330a833a2551
SHA1 626323263f4909bb030e4a45a9a90281b220ca1f
SHA256 4d2a697701335fef91fba39d15b6329dcd29ee7b05612ceeda0895cc42f604ea
SHA512 e42fccd8ab7ffcff1fe1bd735f105c89778ae595b0a3c1de4ba75e7c0e590546e8ce4689087f9f94c98f7136bf294e1cbdc22d9c0e327cc0cf308d1a66935353

memory/3160-282-0x0000000000400000-0x0000000000423000-memory.dmp

memory/3116-286-0x0000000000400000-0x0000000000423000-memory.dmp

memory/740-291-0x0000000000400000-0x0000000000423000-memory.dmp

memory/1484-299-0x0000000000400000-0x0000000000423000-memory.dmp

memory/4572-297-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2636-295-0x0000000000400000-0x0000000000423000-memory.dmp

C:\babon.exe

MD5 199d9f3dea30210a75ea4ab26e0fa108
SHA1 ed3f0b65c0e433ae72b0b3d738fd3722491bcc24
SHA256 431b6cfa8ab9a4fbda469e428fa8f2d3a96b36ad1fefc4332eed876773b4229c
SHA512 94cf01ae372c6674e14fece9fb4d2cfc1727f41dd546973c2fbf2afb214729ecab293f0516226671bee996fe5befc4930cfd4babc567fc91908cd047dbff3a75

C:\Users\Admin\Local Settings\Application Data\WINDOWS\smss.exe

MD5 c5008a8b2eebb44f6149e4dbbfcc5822
SHA1 309af6b7b400dce91af417b0004ee1d3f6e1f2a6
SHA256 7008a4f7f2baf0b3aa5d39732b14201774ac6405135b05db20722a6b7367587b
SHA512 f901f238f5799d61670e779f87413be5923fbd958f796ebf0a146c9bba9c5c1bfefefa0075932d5286be924f691512e34c6b32dbd4ea52fc7c8d6cdba666fcc9

C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif

MD5 e5405fa99b9b7534ccefaafea5990874
SHA1 6dc55957395403cfe575a6daf47278e3ef958cea
SHA256 53db639439cc340a9106e70c874034e99104b168e5b4ef4a9e64e419a51af492
SHA512 8d8e03ebea08f21065581413655340a7660497592b50e9532f5c5dedd14436607e126d2609d2f6062b44cbd1468c5c656154a4d4431d464aafc52d6032278cd2

memory/4636-252-0x0000000000400000-0x0000000000423000-memory.dmp

memory/920-247-0x0000000000400000-0x0000000000423000-memory.dmp

C:\Windows\msvbvm60.dll

MD5 25f62c02619174b35851b0e0455b3d94
SHA1 4e8ee85157f1769f6e3f61c0acbe59072209da71
SHA256 898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
SHA512 f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

memory/1484-306-0x0000000000400000-0x0000000000423000-memory.dmp

memory/4040-230-0x0000000000400000-0x0000000000423000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\WINDOWS\smss.exe

MD5 4f417dc08f3911edebdf723d55b6581e
SHA1 f65e1fba07c6735ff243e9aff49c7ea7cd290ae0
SHA256 4075692e943ee0abde529f22d528472e8cf52a0c1c3ba1adde1614f570e89401
SHA512 332353ecdbe9bc8f4f35e1a4f56096c775987e7a03f25aec043accaba6b27c921b908166ccdd3b86c1bd4e7af2dfc44939076537c4e7666bca611a9c1bb163ea

memory/4940-224-0x0000000000400000-0x0000000000423000-memory.dmp

C:\babon.exe

MD5 74491fded5f82b1a63f2c5fd2cfe2b71
SHA1 71aefda4f6deb726d287cacc43514289951cad3a
SHA256 a44126a455ca139c552599a6fc32d743868badb4e2d4290c05fa6d43c3104a66
SHA512 f5c264d3d72968981001d794fc5b19b273cf9d880869de405cac7660cee225ba9875fb4f593a6c1fe52a08ae17e3a7d269a1445fb97ecffe3404209876e2a41b

C:\Windows\SysWOW64\babon.scr

MD5 ca41d0f22295d4991223ef71f124c132
SHA1 2dcab07f63c53052e39dcab774bc50ad5d609c4d
SHA256 34fc8d535888cc89acc5aae27c974341cd81b90aa407abda07706c34e1366107
SHA512 e97be022f2e4f940b33c5274c04109f13da835e6e842df6e6744bf0008864abe04b934aeed023029c8328425f0f8654b8031dace383cf8a671d0e7ff69527fd2

memory/4572-309-0x0000000000400000-0x0000000000423000-memory.dmp

memory/624-316-0x0000000000400000-0x0000000000423000-memory.dmp

memory/3480-314-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2636-312-0x0000000000400000-0x0000000000423000-memory.dmp

memory/4640-310-0x0000000000400000-0x0000000000423000-memory.dmp

memory/4640-322-0x0000000000400000-0x0000000000423000-memory.dmp

memory/1464-324-0x0000000000400000-0x0000000000423000-memory.dmp

memory/640-329-0x0000000000400000-0x0000000000423000-memory.dmp

memory/1464-333-0x0000000000400000-0x0000000000423000-memory.dmp

C:\Windows\SysWOW64\babon.scr

MD5 617fbc142165e322a5705011afe2687f
SHA1 fd4d1365a2a52e271a708bf751bd792b9d8b9adf
SHA256 92d8ea792368d53f1cec7e52f9a60362008348c0bc4760a2fe23feffc4ff0633
SHA512 99711f10f2a6106a94e21550f68ffa9bcdffd8150d93e7c3b07cd27ada33eaa5cbd117dca00d3f5f49a7d4f46cc80297de4a9f28084e31f17334661a38506d3a

memory/640-341-0x0000000000400000-0x0000000000423000-memory.dmp

memory/5052-346-0x0000000000400000-0x0000000000423000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\WINDOWS\smss.exe

MD5 a97cb8bbf9a43ff425132c1be59979d6
SHA1 d998d2cdf70c275709485b0d82c2c74ff982b97b
SHA256 e3ce99ca7fdd765f42d37477ab28fc9e49a2f6f179d20e8943900740ecb4eb75
SHA512 fbda67c27c4cdbb68d37c64cb791509e13fa0570c89fbcd6dc87ccda610696efaa9bb5afd85bc46b9732ec24fe8589a03dceb0aff611e20cb8eb14370da41814

memory/3104-372-0x0000000000400000-0x0000000000423000-memory.dmp

F:\autorun.inf

MD5 097661e74e667ec2329bc274acb87b0d
SHA1 91c68a6089af2f61035e2e5f2a8da8c908dc93ed
SHA256 aab4cf640f2520966a0aac31af8d1b819eea28736c6b103db16b07c3188ec6c0
SHA512 e90e678526270cd9388538246793534411c478b082ab914bfe2756b18771229f146c731c0f9c94ed59d8689b2ef77d25f7b22d3d6b8c2d439e5b3437f8dc649e

memory/1776-395-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2308-398-0x0000000000400000-0x0000000000423000-memory.dmp

memory/1212-399-0x0000000000400000-0x0000000000423000-memory.dmp

memory/4060-402-0x0000000000400000-0x0000000000423000-memory.dmp

memory/4476-400-0x0000000000400000-0x0000000000423000-memory.dmp

memory/4564-401-0x0000000000400000-0x0000000000423000-memory.dmp
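Two things in the file listing above are easy to miss when reading hashes by eye: C:\Users\Admin\AppData\Local\winlogon.exe carries the SHA256 of the analysed sample itself (a straight self-copy), and the same Startup path Empty.pif is listed three times with three different hashes, so a hunt keyed on one hash of that drop would miss the others. The script below is an added example, not code from the sandbox report: it parses an excerpt of the listing (REPORT is constructed from the entries above, SHA512 lines omitted for brevity; the parser accepts them) into IOCs and surfaces both observations. It assumes the listing format is a path line, or a memory/<pid>-<n>-<start>-<end>-memory.dmp line, followed by hash lines, and it folds the "Local Settings\Application Data" junction onto AppData\Local as in the process listing.

```python
"""Turn the dropped-file listing above into checkable IOCs.

Added example, not code from the sandbox report. REPORT is an excerpt
constructed from the Files section (SHA512 lines left out). Assumed
format: a path line, or a memory/<pid>-<n>-<start>-<end>-memory.dmp
line, followed by MD5/SHA1/SHA256/SHA512 lines for that path.
"""
import collections
import re

SAMPLE_SHA256 = "468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c"

REPORT = r"""
memory/1396-0-0x0000000000400000-0x0000000000423000-memory.dmp
C:\Users\Admin\AppData\Local\winlogon.exe
MD5 b1d40ed23f434400f1332a468bdd75d0
SHA1 1b02aafa08536bceea27f8fe633beffbe6f3c478
SHA256 468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c
C:\Windows\babon.exe
SHA256 e5a1ba13c6627690c87f0d4fcd31da17178650560a9fc3e0f4adf30f3cd0ccf5
memory/2308-102-0x0000000000400000-0x0000000000423000-memory.dmp
C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif
SHA256 4b8166e4df6958d6cc417eee4753fcb8ff8f3b28ecc98fcf7aa25bd4898d3d4f
C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif
SHA256 477b77944458f11c7a22ead5a51f9c41068f4d22f0fba0f57e8ac724c7ce5b15
C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif
SHA256 53db639439cc340a9106e70c874034e99104b168e5b4ef4a9e64e419a51af492
C:\Windows\SysWOW64\babon.scr
SHA256 4d2a697701335fef91fba39d15b6329dcd29ee7b05612ceeda0895cc42f604ea
C:\Users\Admin\Local Settings\Application Data\WINDOWS\smss.exe
SHA256 ab10410aa13ec7f590ab35e5fc3948e6a204d52b32300b889ddcfcfbe5816ace
F:\autorun.inf
SHA256 aab4cf640f2520966a0aac31af8d1b819eea28736c6b103db16b07c3188ec6c0
"""

HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")
DUMP_RE = re.compile(r"^memory/(\d+)-\d+-(0x[0-9a-f]+)-(0x[0-9a-f]+)-memory\.dmp$")


def normalize(path):
    """Fold the Vista+ 'Local Settings\\Application Data' junction onto
    'AppData\\Local' so both spellings in the report name one file."""
    return path.lower().replace("\\local settings\\application data\\", "\\appdata\\local\\")


def parse_files(text):
    """Return (dropped files, memory dumps) parsed from a Files listing."""
    files, dumps, current = [], [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        h = HASH_RE.match(line)
        d = DUMP_RE.match(line)
        if h:
            if current is not None:  # hash lines belong to the preceding path
                current[h.group(1)] = h.group(2).lower()
        elif d:
            dumps.append({"pid": int(d.group(1)), "start": int(d.group(2), 16), "end": int(d.group(3), 16)})
            current = None
        else:
            current = {"path": line}
            files.append(current)
    return files, dumps


def self_copies(files, sample_sha256):
    """Dropped files byte-identical to the analysed sample."""
    return [f["path"] for f in files if f.get("SHA256") == sample_sha256]


def rewritten_paths(files):
    """Paths written more than once with different content: hunt on the
    path, not on any single hash of it."""
    hashes = collections.defaultdict(set)
    for f in files:
        hashes[normalize(f["path"])].add(f.get("SHA256"))
    return {p: len(h) for p, h in hashes.items() if len(h) > 1}


def sha256_iocs(files, sample_sha256):
    """Unique hashes of dropped payloads, excluding the sample itself."""
    return sorted({f["SHA256"] for f in files if f.get("SHA256") not in (None, sample_sha256)})


def autostart_drops(files):
    """Drops in locations that run without the user launching them."""
    keys = ("\\start menu\\programs\\startup\\", "autorun.inf")
    return [f["path"] for f in files if any(k in normalize(f["path"]) for k in keys)]


def dump_regions(dumps):
    """Distinct (start, size) of the dumped image regions across processes."""
    return {(d["start"], d["end"] - d["start"]) for d in dumps}
```

On the full listing every memory dump covers the same region, 0x400000 to 0x423000 (0x23000 bytes), across many PIDs, which is what you would expect when each dropped copy is the same image unpacked in place; dump_regions makes that check explicit rather than leaving it to the reader to compare forty filenames.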