Analysis
-
max time kernel
123s -
max time network
114s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
-
submitted
11/05/2024, 06:33
General
-
Target
93f091443ea97743a32ce9829959dfc0_NeikiAnalytics.exe
-
Size
147KB
-
MD5
93f091443ea97743a32ce9829959dfc0
-
SHA1
32aef5eaa9cb5bba38ab70583ad28e91c07dbfff
-
SHA256
cb0f59f8dd3d40500222e7af69b28932cda6161fdac3515b66c2e817fd996e26
-
SHA512
c3fe6c5b140671e3a8ea3f91083450f54f259a41df846f4e56f54477c5c6bba51024e9b191b3d1b15980c4773b6fb2720a4c1b70162ebd8f7d3589354ced1c2e
-
SSDEEP
1536:oWwaMcKOER0m9mwWnAggupnhycpDnq+5h/tDSZ15WwdAO:pzKR0xwWAWnhFpDRzSZaCAO
Score
10/10
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 64 IoCs
-
Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 64 IoCs
-
Disables RegEdit via registry modification 64 IoCs
-
Disables Task Manager via registry modification
-
Disables cmd.exe use via registry modification 64 IoCs
-
Disables use of System Restore points 1 TTPs
-
Executes dropped EXE 64 IoCs
-
Loads dropped DLL 64 IoCs
-
Modifies system executable filetype association 2 TTPs 64 IoCs
-
Adds Run key to start application 2 TTPs 64 IoCs
-
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Modifies WinLogon 2 TTPs 64 IoCs
-
Drops autorun.inf file 1 TTPs 20 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
-
Drops file in System32 directory 64 IoCs
-
Drops file in Windows directory 64 IoCs
-
Program crash 64 IoCs
-
Modifies Control Panel 64 IoCs
-
Modifies Internet Explorer settings 1 TTPs 64 IoCs
-
Modifies Internet Explorer start page 1 TTPs 64 IoCs
-
Modifies registry class 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of SetWindowsHookEx 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\93f091443ea97743a32ce9829959dfc0_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\93f091443ea97743a32ce9829959dfc0_NeikiAnalytics.exe"1⤵
- Modifies visiblity of hidden/system files in Explorer
- Disables cmd.exe use via registry modification
- Modifies Internet Explorer start page
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\babon.exeC:\Windows\babon.exe2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Enumerates connected drives
- Modifies WinLogon
- Drops autorun.inf file
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\babon.exeC:\Windows\babon.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2304 -s 7803⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"4⤵
- Disables RegEdit via registry modification
- Executes dropped EXE
- Modifies system executable filetype association
- Suspicious use of SetWindowsHookEx
- System policy modification
-
C:\Windows\babon.exeC:\Windows\babon.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe5⤵
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- System policy modification
-
C:\Windows\babon.exeC:\Windows\babon.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4276 -s 7366⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Windows\babon.exeC:\Windows\babon.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1260 -s 6286⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"7⤵
- Loads dropped DLL
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"7⤵
- Loads dropped DLL
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"5⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
-
C:\Windows\babon.exeC:\Windows\babon.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"6⤵
- Loads dropped DLL
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3232 -s 7646⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"7⤵
- Loads dropped DLL
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"7⤵
- Loads dropped DLL
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"5⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
C:\Windows\babon.exeC:\Windows\babon.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"6⤵
- Loads dropped DLL
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"6⤵
- Loads dropped DLL
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3588 -s 7526⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"7⤵
- Loads dropped DLL
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"7⤵
- Loads dropped DLL
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1436 -s 6685⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
-
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"4⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Windows\babon.exeC:\Windows\babon.exe5⤵
- Loads dropped DLL
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe5⤵
- Modifies visibility of file extensions in Explorer
- Loads dropped DLL
- Drops file in Windows directory
-
C:\Windows\babon.exeC:\Windows\babon.exe6⤵
- Modifies WinLogon for persistence
- Disables cmd.exe use via registry modification
- Loads dropped DLL
- System policy modification
-
C:\Windows\babon.exeC:\Windows\babon.exe7⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe7⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"7⤵
- Drops file in Windows directory
- Modifies registry class
-
C:\Windows\babon.exeC:\Windows\babon.exe8⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe8⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"8⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"8⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"8⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2660 -s 7248⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"9⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"9⤵
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"7⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"7⤵
- Disables RegEdit via registry modification
- Modifies system executable filetype association
- Drops file in Windows directory
- Modifies Internet Explorer start page
-
C:\Windows\babon.exeC:\Windows\babon.exe8⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe8⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"8⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"8⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"8⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2576 -s 7528⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"9⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"9⤵
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3924 -s 6447⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"8⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"8⤵
-
-
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe6⤵
- Loads dropped DLL
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"6⤵
- Loads dropped DLL
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"6⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- System policy modification
-
C:\Windows\babon.exeC:\Windows\babon.exe7⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe7⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"7⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"7⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"7⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 7087⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"8⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"8⤵
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"6⤵
- Loads dropped DLL
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2712 -s 6446⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"7⤵
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Modifies WinLogon
- Modifies Control Panel
- Modifies Internet Explorer start page
-
C:\Windows\babon.exeC:\Windows\babon.exe8⤵
- Modifies WinLogon for persistence
- Modifies WinLogon
- Modifies Control Panel
-
C:\Windows\babon.exeC:\Windows\babon.exe9⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe9⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"9⤵
- Disables RegEdit via registry modification
- Modifies Control Panel
-
C:\Windows\babon.exeC:\Windows\babon.exe10⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe10⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"10⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"10⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"10⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4944 -s 69210⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"11⤵
- Modifies Internet Explorer start page
-
C:\Windows\babon.exeC:\Windows\babon.exe12⤵
- Disables cmd.exe use via registry modification
- Modifies registry class
-
C:\Windows\babon.exeC:\Windows\babon.exe13⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe13⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"13⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"13⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"13⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3892 -s 74013⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"14⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"14⤵
-
-
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe12⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"12⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"12⤵
- Modifies WinLogon for persistence
- Disables RegEdit via registry modification
- Modifies Control Panel
- Modifies Internet Explorer start page
- System policy modification
-
C:\Windows\babon.exeC:\Windows\babon.exe13⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe13⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"13⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"13⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"13⤵
- Modifies WinLogon for persistence
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
-
C:\Windows\babon.exeC:\Windows\babon.exe14⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe14⤵
- Disables RegEdit via registry modification
- Modifies registry class
-
C:\Windows\babon.exeC:\Windows\babon.exe15⤵
- Modifies visibility of file extensions in Explorer
- Disables cmd.exe use via registry modification
- Drops file in Windows directory
-
C:\Windows\babon.exeC:\Windows\babon.exe16⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe16⤵
- Drops file in Windows directory
-
C:\Windows\babon.exeC:\Windows\babon.exe17⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe17⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"17⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"17⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"17⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2900 -s 64417⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"18⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"18⤵
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"16⤵
- Disables cmd.exe use via registry modification
- Modifies system executable filetype association
-
C:\Windows\babon.exeC:\Windows\babon.exe17⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe17⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"17⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"17⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"17⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4104 -s 72017⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"18⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"18⤵
- Modifies visiblity of hidden/system files in Explorer
-
C:\Windows\babon.exeC:\Windows\babon.exe19⤵
- Enumerates connected drives
- Modifies WinLogon
- Drops file in Windows directory
-
C:\Windows\babon.exeC:\Windows\babon.exe20⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe20⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"20⤵
- Modifies visiblity of hidden/system files in Explorer
- Modifies Control Panel
- Modifies Internet Explorer start page
-
C:\Windows\babon.exeC:\Windows\babon.exe21⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe21⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"21⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"21⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Drops file in Windows directory
- Modifies Internet Explorer start page
-
C:\Windows\babon.exeC:\Windows\babon.exe22⤵
- System policy modification
-
C:\Windows\babon.exeC:\Windows\babon.exe23⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe23⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"23⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"23⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"23⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2120 -s 64423⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"24⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"24⤵
-
-
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe22⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"22⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"22⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"22⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4360 -s 70822⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"23⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"23⤵
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"21⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4252 -s 74021⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"22⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"22⤵
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"20⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"20⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4364 -s 75220⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"21⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"21⤵
-
-
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe19⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"19⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"19⤵
- Modifies visibility of file extensions in Explorer
- Adds Run key to start application
- Modifies WinLogon
- Drops file in System32 directory
- Modifies Internet Explorer settings
-
C:\Windows\babon.exeC:\Windows\babon.exe20⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe20⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"20⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"20⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"20⤵
- Disables RegEdit via registry modification
- Modifies system executable filetype association
- Enumerates connected drives
- Modifies Control Panel
- Modifies Internet Explorer settings
-
C:\Windows\babon.exeC:\Windows\babon.exe21⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe21⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"21⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"21⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"21⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 60 -s 72021⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"22⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"22⤵
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4580 -s 64420⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"21⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"21⤵
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4580 -s 76420⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"21⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"21⤵
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"19⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5020 -s 68419⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"20⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"20⤵
-
-
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"16⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"16⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3668 -s 77216⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"17⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"17⤵
-
-
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe15⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"15⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"15⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Drops file in System32 directory
- Modifies Control Panel
- Modifies registry class
- System policy modification
-
C:\Windows\babon.exeC:\Windows\babon.exe16⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe16⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"16⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"16⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"16⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3712 -s 74816⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"17⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"17⤵
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"15⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1528 -s 75215⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"16⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"16⤵
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"14⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Modifies Control Panel
- Modifies Internet Explorer start page
- System policy modification
-
C:\Windows\babon.exeC:\Windows\babon.exe15⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe15⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"15⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"15⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"15⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 60 -s 73615⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"16⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"16⤵
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"14⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"14⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3932 -s 74014⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"15⤵
- Disables cmd.exe use via registry modification
- Adds Run key to start application
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
-
C:\Windows\babon.exeC:\Windows\babon.exe16⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe16⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"16⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"16⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"16⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3936 -s 77216⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"17⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"17⤵
-
-
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"15⤵
- Disables RegEdit via registry modification
- Modifies WinLogon
- Drops file in System32 directory
-
C:\Windows\babon.exeC:\Windows\babon.exe16⤵
-
C:\Windows\babon.exeC:\Windows\babon.exe17⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe17⤵
- Modifies WinLogon for persistence
- Disables cmd.exe use via registry modification
- System policy modification
-
C:\Windows\babon.exeC:\Windows\babon.exe18⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe18⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"18⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"18⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"18⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 856 -s 75218⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"19⤵
- Disables RegEdit via registry modification
- Modifies system executable filetype association
- Modifies registry class
- System policy modification
-
C:\Windows\babon.exeC:\Windows\babon.exe20⤵
- Enumerates connected drives
- Modifies Internet Explorer start page
-
C:\Windows\babon.exeC:\Windows\babon.exe21⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe21⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"21⤵
- Disables RegEdit via registry modification
- Modifies WinLogon
-
C:\Windows\babon.exeC:\Windows\babon.exe22⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe22⤵
- Adds Run key to start application
- Drops file in System32 directory
- Modifies Internet Explorer start page
-
C:\Windows\babon.exeC:\Windows\babon.exe23⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe23⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"23⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"23⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"23⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Drops file in System32 directory
- Modifies Internet Explorer start page
-
C:\Windows\babon.exeC:\Windows\babon.exe24⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe24⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"24⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"24⤵
- Disables cmd.exe use via registry modification
-
C:\Windows\babon.exeC:\Windows\babon.exe25⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe25⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"25⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"25⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"25⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4068 -s 73625⤵
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"26⤵
- Disables RegEdit via registry modification
- Adds Run key to start application
- Modifies WinLogon
-
C:\Windows\babon.exeC:\Windows\babon.exe27⤵
- Modifies visiblity of hidden/system files in Explorer
- Disables cmd.exe use via registry modification
- Drops file in Windows directory
-
C:\Windows\babon.exeC:\Windows\babon.exe28⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe28⤵
- Modifies visiblity of hidden/system files in Explorer
- Modifies WinLogon
- Drops file in Windows directory
-
C:\Windows\babon.exeC:\Windows\babon.exe29⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe29⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"29⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"29⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"29⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3712 -s 76429⤵
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"30⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"30⤵
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"28⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"28⤵
- Disables RegEdit via registry modification
- Modifies system executable filetype association
-
C:\Windows\babon.exeC:\Windows\babon.exe29⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe29⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"29⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"29⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"29⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1716 -s 78029⤵
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"30⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"30⤵
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"28⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4364 -s 64428⤵
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"29⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"29⤵
-
-
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe27⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"27⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"27⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"27⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Modifies Internet Explorer start page
- Modifies registry class
-
C:\Windows\babon.exeC:\Windows\babon.exe28⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe28⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"28⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"28⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"28⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2732 -s 72028⤵
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"29⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"29⤵
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3328 -s 76827⤵
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"28⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"28⤵
-
-
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"26⤵
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"24⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4880 -s 72024⤵
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"25⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"25⤵
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3020 -s 75223⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"24⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"24⤵
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"22⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"22⤵
- Modifies visibility of file extensions in Explorer
- Disables cmd.exe use via registry modification
-
C:\Windows\babon.exeC:\Windows\babon.exe23⤵
- Modifies visiblity of hidden/system files in Explorer
- Drops file in Windows directory
-
C:\Windows\babon.exeC:\Windows\babon.exe24⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe24⤵
- Adds Run key to start application
- Modifies WinLogon
- Modifies Internet Explorer settings
-
C:\Windows\babon.exeC:\Windows\babon.exe25⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe25⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"25⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"25⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"25⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4248 -s 67225⤵
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"26⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"26⤵
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"24⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"24⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"24⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 424 -s 73624⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"25⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"25⤵
-
-
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe23⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"23⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"23⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"23⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1664 -s 74423⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"24⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"24⤵
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"22⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4104 -s 76422⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"23⤵
- Modifies registry class
-
C:\Windows\babon.exeC:\Windows\babon.exe24⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe24⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"24⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"24⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"24⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2372 -s 78424⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"25⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"25⤵
-
-
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"23⤵
- Enumerates connected drives
- Modifies WinLogon
-
C:\Windows\babon.exeC:\Windows\babon.exe24⤵
- Disables cmd.exe use via registry modification
- Modifies system executable filetype association
- Adds Run key to start application
- Modifies WinLogon
- Modifies Internet Explorer start page
-
C:\Windows\babon.exeC:\Windows\babon.exe25⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe25⤵
- Enumerates connected drives
-
C:\Windows\babon.exeC:\Windows\babon.exe26⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe26⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"26⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"26⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"26⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5088 -s 70826⤵
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"27⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"27⤵
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"25⤵
- Modifies system executable filetype association
- Enumerates connected drives
- Drops file in Windows directory
- Modifies Control Panel
- Modifies registry class
-
C:\Windows\babon.exeC:\Windows\babon.exe26⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe26⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"26⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"26⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"26⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2696 -s 50826⤵
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"27⤵
- Modifies WinLogon for persistence
- Enumerates connected drives
-
C:\Windows\babon.exeC:\Windows\babon.exe28⤵
- Disables cmd.exe use via registry modification
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
-
C:\Windows\babon.exeC:\Windows\babon.exe29⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe29⤵
- Disables cmd.exe use via registry modification
- Modifies Internet Explorer settings
- Modifies registry class
-
C:\Windows\babon.exeC:\Windows\babon.exe30⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe30⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"30⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"30⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"30⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1816 -s 74030⤵
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"31⤵
- Modifies visiblity of hidden/system files in Explorer
- Disables cmd.exe use via registry modification
- Enumerates connected drives
-
C:\Windows\babon.exeC:\Windows\babon.exe32⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe32⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"32⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"32⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"32⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4744 -s 76432⤵
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"33⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"33⤵
-
-
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"31⤵
- Modifies WinLogon
- Drops file in Windows directory
- Modifies Internet Explorer settings
-
C:\Windows\babon.exeC:\Windows\babon.exe32⤵
- Disables RegEdit via registry modification
- Modifies system executable filetype association
- Enumerates connected drives
-
C:\Windows\babon.exeC:\Windows\babon.exe33⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe33⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"33⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"33⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"33⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2656 -s 76033⤵
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"34⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"34⤵
-
-
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe32⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"32⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"32⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"32⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4272 -s 76832⤵
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"33⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"33⤵
-
-
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"29⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"29⤵
- Modifies visiblity of hidden/system files in Explorer
- Enumerates connected drives
- Modifies Control Panel
- Modifies registry class
-
C:\Windows\babon.exeC:\Windows\babon.exe30⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe30⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"30⤵
- Disables cmd.exe use via registry modification
- Adds Run key to start application
- Modifies registry class
-
C:\Windows\babon.exeC:\Windows\babon.exe31⤵
- Enumerates connected drives
- Drops file in Windows directory
- Modifies Internet Explorer start page
-
C:\Windows\babon.exeC:\Windows\babon.exe32⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe32⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"32⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"32⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"32⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2884 -s 74432⤵
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"33⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"33⤵
-
-
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe31⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"31⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"31⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"31⤵
- Disables cmd.exe use via registry modification
- Modifies system executable filetype association
- Drops file in Windows directory
-
C:\Windows\babon.exeC:\Windows\babon.exe32⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe32⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"32⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"32⤵
- Disables RegEdit via registry modification
- Drops file in System32 directory
-
C:\Windows\babon.exeC:\Windows\babon.exe33⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe33⤵
- Modifies visibility of file extensions in Explorer
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
-
C:\Windows\babon.exeC:\Windows\babon.exe34⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe34⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"34⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"34⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"34⤵
- Modifies visibility of file extensions in Explorer
- Adds Run key to start application
- Modifies WinLogon
-
C:\Windows\babon.exeC:\Windows\babon.exe35⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe35⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"35⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"35⤵
- Disables RegEdit via registry modification
- System policy modification
-
C:\Windows\babon.exeC:\Windows\babon.exe36⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe36⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"36⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"36⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"36⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4264 -s 70436⤵
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"37⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"37⤵
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"35⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1276 -s 62835⤵
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"36⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"36⤵
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4584 -s 75634⤵
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"35⤵
- Modifies WinLogon for persistence
- Disables RegEdit via registry modification
- Adds Run key to start application
-
C:\Windows\babon.exeC:\Windows\babon.exe36⤵
- Modifies WinLogon for persistence
-
C:\Windows\babon.exeC:\Windows\babon.exe37⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe37⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"37⤵
- Modifies visibility of file extensions in Explorer
- Modifies system executable filetype association
- Enumerates connected drives
- Drops file in Windows directory
- Modifies Internet Explorer start page
-
C:\Windows\babon.exeC:\Windows\babon.exe38⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe38⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"38⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"38⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"38⤵
- Disables cmd.exe use via registry modification
- Drops file in Windows directory
- Modifies Internet Explorer start page
-
C:\Windows\babon.exeC:\Windows\babon.exe39⤵
- Modifies visiblity of hidden/system files in Explorer
- Adds Run key to start application
- Drops file in System32 directory
- Modifies Internet Explorer settings
-
C:\Windows\babon.exeC:\Windows\babon.exe40⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe40⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"40⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- Adds Run key to start application
- Enumerates connected drives
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"40⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"40⤵
- Modifies visiblity of hidden/system files in Explorer
- Modifies system executable filetype association
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4672 -s 73640⤵
-
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe39⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"39⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"39⤵
- Disables RegEdit via registry modification
- Drops file in System32 directory
- Modifies Control Panel
- Modifies registry class
-
C:\Windows\babon.exeC:\Windows\babon.exe40⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe40⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"40⤵
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"39⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1836 -s 72439⤵
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"40⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"40⤵
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5064 -s 72438⤵
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"39⤵
- Adds Run key to start application
- Modifies Control Panel
- Modifies registry class
-
C:\Windows\babon.exeC:\Windows\babon.exe40⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe40⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"40⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"40⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"40⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1664 -s 68440⤵
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"41⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"41⤵
-
-
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"39⤵
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"37⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"37⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3892 -s 73637⤵
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"38⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"38⤵
-
-
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe36⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"36⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"36⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"36⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2232 -s 72036⤵
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"37⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"37⤵
-
-
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"35⤵
- Modifies visiblity of hidden/system files in Explorer
- Drops file in System32 directory
- Modifies Internet Explorer start page
-
C:\Windows\babon.exeC:\Windows\babon.exe36⤵
- Modifies system executable filetype association
- Modifies Control Panel
- System policy modification
-
C:\Windows\babon.exeC:\Windows\babon.exe37⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe37⤵
- Modifies visibility of file extensions in Explorer
- Enumerates connected drives
- Modifies Control Panel
-
C:\Windows\babon.exeC:\Windows\babon.exe38⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe38⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"38⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"38⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"38⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4468 -s 78438⤵
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"39⤵
- Modifies WinLogon for persistence
- Disables cmd.exe use via registry modification
- System policy modification
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"37⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"37⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"37⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2452 -s 76837⤵
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"38⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"38⤵
-
-
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe36⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"36⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"36⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"36⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1532 -s 76836⤵
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"37⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"37⤵
-
-
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"33⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"33⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"33⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2768 -s 73633⤵
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"34⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"34⤵
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"32⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1780 -s 74432⤵
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"33⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"33⤵
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3416 -s 72031⤵
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"32⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"32⤵
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"30⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"30⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4608 -s 73630⤵
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"31⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"31⤵
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"29⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4568 -s 74029⤵
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"30⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"30⤵
-
-
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe28⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"28⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"28⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"28⤵
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
-
C:\Windows\babon.exeC:\Windows\babon.exe29⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe29⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"29⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"29⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"29⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2372 -s 72429⤵
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"30⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"30⤵
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1412 -s 80828⤵
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"29⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"29⤵
-
-
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"27⤵
- Modifies WinLogon for persistence
- Drops file in System32 directory
- Modifies Internet Explorer start page
-
C:\Windows\babon.exeC:\Windows\babon.exe28⤵
- Modifies WinLogon for persistence
- Disables cmd.exe use via registry modification
- Adds Run key to start application
- Modifies Control Panel
- Modifies registry class
-
C:\Windows\babon.exeC:\Windows\babon.exe29⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe29⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"29⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"29⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"29⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3560 -s 75629⤵
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"30⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"30⤵
-
-
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe28⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"28⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"28⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"28⤵
- Modifies visibility of file extensions in Explorer
-
C:\Windows\babon.exeC:\Windows\babon.exe29⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe29⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"29⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"29⤵
- Modifies visiblity of hidden/system files in Explorer
- Modifies Control Panel
- Modifies Internet Explorer settings
-
C:\Windows\babon.exeC:\Windows\babon.exe30⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe30⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"30⤵
- Modifies visiblity of hidden/system files in Explorer
- Drops file in System32 directory
-
C:\Windows\babon.exeC:\Windows\babon.exe31⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe31⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"31⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"31⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"31⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Modifies Internet Explorer start page
-
C:\Windows\babon.exeC:\Windows\babon.exe32⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe32⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"32⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"32⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Enumerates connected drives
- Modifies WinLogon
- Modifies Control Panel
-
C:\Windows\babon.exeC:\Windows\babon.exe33⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe33⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"33⤵
- Disables cmd.exe use via registry modification
- Drops file in System32 directory
-
C:\Windows\babon.exeC:\Windows\babon.exe34⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe34⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"34⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"34⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"34⤵
- Drops file in System32 directory
- Modifies Control Panel
- Modifies registry class
-
C:\Windows\babon.exeC:\Windows\babon.exe35⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe35⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"35⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"35⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Drops file in System32 directory
- Modifies Control Panel
- Modifies Internet Explorer settings
-
C:\Windows\babon.exeC:\Windows\babon.exe36⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe36⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"36⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"36⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"36⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4104 -s 76436⤵
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"37⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"37⤵
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"35⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3500 -s 74835⤵
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"36⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"36⤵
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2968 -s 72034⤵
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"35⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"35⤵
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"33⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"33⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3512 -s 63633⤵
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"34⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"34⤵
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"32⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3888 -s 66832⤵
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"33⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"33⤵
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4276 -s 73631⤵
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"32⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"32⤵
- Modifies Control Panel
-
C:\Windows\babon.exeC:\Windows\babon.exe33⤵
- Disables RegEdit via registry modification
-
C:\Windows\babon.exeC:\Windows\babon.exe34⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe34⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"34⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"34⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"34⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4532 -s 74034⤵
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"35⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"35⤵
-
-
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe33⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"33⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"33⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"33⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3756 -s 78033⤵
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"34⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"34⤵
-
-
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"30⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"30⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4584 -s 70430⤵
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"31⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"31⤵
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"29⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3720 -s 72429⤵
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"30⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"30⤵
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4504 -s 73228⤵
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"29⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"29⤵
-
-
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"25⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"25⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1568 -s 76025⤵
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"26⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"26⤵
-
-
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe24⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"24⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"24⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"24⤵
- Adds Run key to start application
- Modifies WinLogon
- Modifies Control Panel
-
C:\Windows\babon.exeC:\Windows\babon.exe25⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe25⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"25⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"25⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"25⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1664 -s 65625⤵
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"26⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"26⤵
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4652 -s 65224⤵
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"25⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"25⤵
-
-
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"21⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"21⤵
- Adds Run key to start application
- Enumerates connected drives
-
C:\Windows\babon.exeC:\Windows\babon.exe22⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe22⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"22⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"22⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"22⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4900 -s 72022⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"23⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"23⤵
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2660 -s 73621⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"22⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"22⤵
-
-
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe20⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"20⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"20⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"20⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2240 -s 77620⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"21⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"21⤵
-
-
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"19⤵
- Modifies WinLogon for persistence
- System policy modification
-
C:\Windows\babon.exeC:\Windows\babon.exe20⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe20⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"20⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"20⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"20⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1304 -s 77620⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"21⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"21⤵
-
-
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"17⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"17⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"17⤵
- Enumerates connected drives
- Modifies WinLogon
- Modifies Internet Explorer start page
- Modifies registry class
-
C:\Windows\babon.exeC:\Windows\babon.exe18⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe18⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"18⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"18⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"18⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3224 -s 72018⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"19⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"19⤵
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4644 -s 75217⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"18⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"18⤵
-
-
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe16⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"16⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"16⤵
- Modifies visibility of file extensions in Explorer
- Modifies system executable filetype association
- Modifies Internet Explorer start page
-
C:\Windows\babon.exeC:\Windows\babon.exe17⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe17⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"17⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"17⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"17⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5048 -s 76017⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"18⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"18⤵
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"16⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2264 -s 81216⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"17⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"17⤵
-
-
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1652 -s 70413⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"14⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"14⤵
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"12⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4572 -s 76412⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"13⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"13⤵
-
-
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"11⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Enumerates connected drives
- Modifies registry class
-
C:\Windows\babon.exeC:\Windows\babon.exe12⤵
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
-
C:\Windows\babon.exeC:\Windows\babon.exe13⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe13⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"13⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"13⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"13⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4564 -s 70413⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"14⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"14⤵
-
-
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe12⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"12⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"12⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"12⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2672 -s 76412⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"13⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"13⤵
-
-
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"9⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"9⤵
- Modifies system executable filetype association
- Modifies Internet Explorer start page
-
C:\Windows\babon.exeC:\Windows\babon.exe10⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe10⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"10⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"10⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"10⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4576 -s 62810⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"11⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"11⤵
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4880 -s 7809⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"10⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"10⤵
-
-
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe8⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"8⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"8⤵
- Enumerates connected drives
- Drops file in System32 directory
- Modifies Control Panel
-
C:\Windows\babon.exeC:\Windows\babon.exe9⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe9⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"9⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"9⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"9⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1652 -s 7409⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"10⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"10⤵
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"8⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1712 -s 7648⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"9⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"9⤵
-
-
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"7⤵
- Disables RegEdit via registry modification
- Adds Run key to start application
- Modifies Internet Explorer settings
- System policy modification
-
C:\Windows\babon.exeC:\Windows\babon.exe8⤵
- Modifies visiblity of hidden/system files in Explorer
- Modifies Internet Explorer start page
- System policy modification
-
C:\Windows\babon.exeC:\Windows\babon.exe9⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe9⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Modifies WinLogon
- Modifies Internet Explorer start page
-
C:\Windows\babon.exeC:\Windows\babon.exe10⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe10⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"10⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"10⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"10⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3196 -s 77610⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"11⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"11⤵
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"9⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"9⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"9⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4924 -s 7049⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"10⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"10⤵
-
-
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe8⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"8⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"8⤵
- Modifies system executable filetype association
- Modifies WinLogon
-
C:\Windows\babon.exeC:\Windows\babon.exe9⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe9⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"9⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"9⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"9⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Modifies WinLogon
- Drops file in Windows directory
- Modifies Control Panel
-
C:\Windows\babon.exeC:\Windows\babon.exe10⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe10⤵
- Modifies WinLogon for persistence
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
-
C:\Windows\babon.exeC:\Windows\babon.exe11⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe11⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"11⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"11⤵
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies registry class
- System policy modification
-
C:\Windows\babon.exeC:\Windows\babon.exe12⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe12⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"12⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"12⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"12⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3500 -s 76812⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"13⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"13⤵
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"11⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4040 -s 64411⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"12⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"12⤵
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"10⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"10⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"10⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3732 -s 73610⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"11⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"11⤵
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 7609⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"10⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"10⤵
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"8⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2216 -s 7928⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"9⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"9⤵
-
-
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"5⤵
- Loads dropped DLL
- Modifies WinLogon
- Modifies registry class
-
C:\Windows\babon.exeC:\Windows\babon.exe6⤵
- Loads dropped DLL
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe6⤵
- Loads dropped DLL
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"6⤵
- Loads dropped DLL
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"6⤵
- Loads dropped DLL
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"6⤵
- Loads dropped DLL
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2768 -s 6886⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"7⤵
- Loads dropped DLL
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"7⤵
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"5⤵
- Loads dropped DLL
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"5⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Loads dropped DLL
- Enumerates connected drives
-
C:\Windows\babon.exeC:\Windows\babon.exe6⤵
- Loads dropped DLL
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe6⤵
- Loads dropped DLL
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"6⤵
- Loads dropped DLL
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"6⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"6⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2004 -s 7446⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"7⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"7⤵
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4020 -s 7485⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"6⤵
- Loads dropped DLL
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"6⤵
- Loads dropped DLL
-
-
-
-
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe2⤵
- Executes dropped EXE
- Modifies WinLogon
- Drops autorun.inf file
- Drops file in Windows directory
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\babon.exeC:\Windows\babon.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1532 -s 7683⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"2⤵
- Modifies visibility of file extensions in Explorer
- Disables cmd.exe use via registry modification
- Executes dropped EXE
- Modifies system executable filetype association
- Drops autorun.inf file
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\babon.exeC:\Windows\babon.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"2⤵
- Modifies visiblity of hidden/system files in Explorer
- Disables cmd.exe use via registry modification
- Executes dropped EXE
- Drops autorun.inf file
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\babon.exeC:\Windows\babon.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe3⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3568 -s 7923⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"2⤵
- Executes dropped EXE
- Enumerates connected drives
- Modifies WinLogon
- Drops autorun.inf file
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\babon.exeC:\Windows\babon.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1128 -s 6563⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"4⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 1532 -ip 15321⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 1128 -ip 11281⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3568 -ip 35681⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 2304 -ip 23041⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 2768 -ip 27681⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 1436 -ip 14361⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 4276 -ip 42761⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 1260 -ip 12601⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3232 -ip 32321⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3588 -ip 35881⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4020 -ip 40201⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2712 -ip 27121⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 2768 -ip 27681⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 2004 -ip 20041⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 3924 -ip 39241⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4908 -ip 49081⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1712 -ip 17121⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 2660 -ip 26601⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2576 -ip 25761⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4880 -ip 48801⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 1652 -ip 16521⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2216 -ip 22161⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 4944 -ip 49441⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4576 -ip 45761⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4924 -ip 49241⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4908 -ip 49081⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4572 -ip 45721⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3196 -ip 31961⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3732 -ip 37321⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3892 -ip 38921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1652 -ip 16521⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 2672 -ip 26721⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 4040 -ip 40401⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 3932 -ip 39321⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 4564 -ip 45641⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 3500 -ip 35001⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1528 -ip 15281⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 60 -ip 601⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3936 -ip 39361⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 3668 -ip 36681⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3712 -ip 37121⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2264 -ip 22641⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2900 -ip 29001⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4104 -ip 41041⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4644 -ip 46441⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 5048 -ip 50481⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 5020 -ip 50201⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 856 -ip 8561⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3224 -ip 32241⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4364 -ip 43641⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 4580 -ip 45801⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 4580 -ip 45801⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 2240 -ip 22401⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 4252 -ip 42521⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 60 -ip 601⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 2660 -ip 26601⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 1304 -ip 13041⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 4360 -ip 43601⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 4104 -ip 41041⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4900 -ip 49001⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 2120 -ip 21201⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 3020 -ip 30201⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 1664 -ip 16641⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2372 -ip 23721⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 424 -ip 4241⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4880 -ip 48801⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 4652 -ip 46521⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4248 -ip 42481⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 4068 -ip 40681⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1568 -ip 15681⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1664 -ip 16641⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3328 -ip 33281⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 5088 -ip 50881⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2696 -ip 26961⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 4364 -ip 43641⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2732 -ip 27321⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1412 -ip 14121⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 3712 -ip 37121⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 1716 -ip 17161⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 4568 -ip 45681⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 2372 -ip 23721⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 4504 -ip 45041⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 1816 -ip 18161⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 4608 -ip 46081⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 3560 -ip 35601⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 3720 -ip 37201⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 3416 -ip 34161⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 4744 -ip 47441⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 4584 -ip 45841⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2884 -ip 28841⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1780 -ip 17801⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4272 -ip 42721⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4276 -ip 42761⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2768 -ip 27681⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 2656 -ip 26561⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3888 -ip 38881⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3756 -ip 37561⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4584 -ip 45841⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 3512 -ip 35121⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4532 -ip 45321⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1276 -ip 12761⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 2232 -ip 22321⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 2968 -ip 29681⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 3892 -ip 38921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4264 -ip 42641⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 3500 -ip 35001⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1532 -ip 15321⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 5064 -ip 50641⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 2452 -ip 24521⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4104 -ip 41041⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 1836 -ip 18361⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 1664 -ip 16641⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 4468 -ip 44681⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 4672 -ip 46721⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
1Winlogon Helper DLL
2Event Triggered Execution
1Change Default File Association
1Privilege Escalation
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
1Winlogon Helper DLL
2Event Triggered Execution
1Change Default File Association
1Defense Evasion
Hide Artifacts
2Hidden Files and Directories
2Modify Registry
9Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
147KB
MD5331ec4010bcfb787551617e792f6bd4d
SHA1d71b090349714177f3d24157e18ae764252f0300
SHA256eaac8591fdf2218f91fa6529c0587dbb2533e59625d5fff97a756f9a1a7050e0
SHA512963c6fcd7ea2dfcbf1cd08bee9ff05ea8d9278da48d766d3d5b545c37e2cde023190a56ca5a93e61fbf0deef784938ad960df153cb558f1621012283bccf6b9e
-
Filesize
147KB
MD56c286eb98d106a900442b58773a3fdc5
SHA1c439a9fb79afe53a0d0da5c9223b98af45fc79d8
SHA2567cd2f9a438b10b8cfa5e660e048c10f5e097db0c11d27376f86de472b8e6b799
SHA512eeed53cc6a1c64fff92c74afbc18cd49958763c4c718a40d6a1767a6611e6d6c4c536f0ec68da61f1a9bd24eecb779685bed14d662aa02d2d34522d3c9b63bea
-
Filesize
147KB
MD549de3587803ed478c6e1276dafc2f3ba
SHA198bacf50de0efa5e4ef50921a9722abc471ca96e
SHA25635c0ba51a1270ad879a10a357de7f8116d7ff3a272431636894012083e240c7e
SHA512978fdd3ec0777ef5a63f9420c5c4590a8dc80100a9a260b5d9456ec333792b314761bf901dc259bcf0f3fbde09cb51cdccef58ba860514bf8b5ae8e647a2fbcf
-
Filesize
147KB
MD593f091443ea97743a32ce9829959dfc0
SHA132aef5eaa9cb5bba38ab70583ad28e91c07dbfff
SHA256cb0f59f8dd3d40500222e7af69b28932cda6161fdac3515b66c2e817fd996e26
SHA512c3fe6c5b140671e3a8ea3f91083450f54f259a41df846f4e56f54477c5c6bba51024e9b191b3d1b15980c4773b6fb2720a4c1b70162ebd8f7d3589354ced1c2e
-
Filesize
147KB
MD55ac4ceb135af453cd3d3c1da12f82344
SHA182f33f5025c083091c60f0d9818d883815c7cbcf
SHA25692d04e41a82736e615ad98b91669512d9b6f449a52ea3578ad6bdfe4da1eaf8f
SHA512e37eda15e339a455e97e77f57db49a3b41399c219e5db0dcd1148ada4d93c60a5ce7c1cd69a88ef0e11c487e3ec27f8828f13609825c62ebfa3e50a473021510
-
Filesize
147KB
MD51042bc9fb3eaedf1c6bb19879554cd8e
SHA147ab18ede3114748b9feb1d69fa20fa1cff0d210
SHA256123f0aad5f25dda7156f7b592f6021aca463425dda33f8fd0a04952bef05defc
SHA51298296893a2ab2fdef09f1a6b9fb5ec59e7f72efb97ade48a057aa7afbef386e430c29d5349d70a73d05c413f2a13b6653b11d94bf3e4d916d2407a3d13f88aaf
-
Filesize
147KB
MD580c97d00348b3213d8a9afda63d5338c
SHA142b64a550ad5a3f4c7fdc45e6b42c3c4e02d2c5c
SHA256d0c4e72c0d4fc25c72f6fd6960a643987219c3fd01d629f5487f7e1c072d80b6
SHA51266ea3461802a13b1a019aaef59176f4c2e75ef3dfa92016a8ef3c13c5285739f6825b24b519b14e1dff3fae85e7b397f40abf8dc57ba1cec2c2034b3ca88f4db
-
Filesize
147KB
MD5c020936c9ba37cf682913d3588701240
SHA11a40561af153de95ba6c58d4a5918fc25efd0150
SHA256855d06dd73ecf58f9364df5c8dd66076ba53406338a343f979075f47d3b8c287
SHA512f865a0d8ad335ed8e5036615ebc67dd01f3619448aa87ef03482c636d9473cb2f40cf01d2800cd6f8178f366a687c18bb819497876078d5a47f7646cb3ad30d8
-
Filesize
147KB
MD53b4ca8c8e1a90766afc5acbd4c2e1cdd
SHA179ff24a1962a19bd36ce6bd2a9dacae60a70f0b1
SHA256fe613d624b29e5ff1c19ce593776d35548427688273482d6d08ed220c8e4379c
SHA5125b0cd7177790de09cabe15b7e640ca8d2b5583e983898fec830cdc90198712a4925e968b1075d3a902a0002dfd45e6a187916f8ae24deb42320510b7c470cdcd
-
Filesize
147KB
MD5aadeb89411bfcddd16565ebc73d73b3f
SHA13221ff5ca11a69c8d7f52f9c981f3cf3d9dc4b67
SHA256b61bae679fea34c34e8051c4deeb02ed3e1e318e6aed38ce3f3400b7c5a34201
SHA512ed9ed7bcbdc1e3620bcaf704a651000df1bd3b57638e0640019fd7d41b29fbe24a242d4613b11cef826975b276f8a8c9f85873933b6008062f1e2b4f0ff121d1
-
Filesize
147KB
MD5cdcfbc04abe430daa7f378b604c68fda
SHA152d7c27e02ab494981879b48e07c12d8c52fc04d
SHA256dbd21f424c4e8ab036cb818ade569ca0f1993f14d8d4308b1bf783da867a3742
SHA51249ba8c16daa9ca1dd877e18926e8ba18ce2e592d5180ef65ccd13a9bdb5181dac1fcd17ab9d3b1bbbe05ec3d87319c7b5f4975954baa8937e8a936d4c9803e14
-
Filesize
1.4MB
MD525f62c02619174b35851b0e0455b3d94
SHA14e8ee85157f1769f6e3f61c0acbe59072209da71
SHA256898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
SHA512f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a
-
Filesize
147KB
MD58efe6f1604114f4da41dd9ef8162b47d
SHA12eb1e29d07a5dbafc2bb3530813c0a18d0588442
SHA25646dff2e18725143b3b58555aa5c784d29227a0fdec64bf60fa279c713f4b7305
SHA512bb3316f12fda5055163a67271aa13d70ab448ca9d13ef13d90c49826c1f45d1c73e42838473513faa4c1033550f00b1100e677f5797477e28fbd767dfec2a3a7
-
Filesize
147KB
MD51450caec4a58f478c0602a20cc8206bc
SHA1ec3f31e5691ef7a7dcfc6bd8e8e47538b66c56bb
SHA256812c2d0f5be340ce7f6b45aa8db42c7c435ed48bd0cdca88d735d29720d4ee0d
SHA5127c311db4f9c560cb94f2f36824939143de17f125f05bd53a3434e35afbacbd61da7d341e226590e79853d0076e4602c6048312ff6d58a3e9f508bf88a18eaacb
-
Filesize
147KB
MD5aef0b47a6b5b2d1e38aacd234cb6be1c
SHA126cd0e561f738c44eae8bbd917663f7ed4610c4a
SHA2562c3f922820255bbfab9330daf1b7a80bdff127aae0888478a7f6726a022fab59
SHA51274582a285df1497717bf910862ba84613a47d741003bec166e54598fd6bd119350bcdb215f5379451124c36c04be15e2e1e5addb1cd84764e42c62e408c6406d
-
Filesize
147KB
MD5d32e9037afe81fddf7f2e27776048553
SHA102b5d12c701a13687f7fff795e0d5ee14c0c9c6c
SHA2563991c91f4b49199cb4cc46f618f69e9f29a7074f86a3042420584ef386b127a7
SHA512289f4e6924920b08caae86b8ce4d6cf975fc87495d48a1023dbc7817844ee12fc01c876e0e77fa625ce2b93009f2efdf10471f14680659ff4d1dc5f8537de59f
-
Filesize
147KB
MD507bcf52ea9d16c91aa3afdc0f6f917df
SHA1168515a0e6ee55f0019980cb239294869e687485
SHA2566135d61cf1528af9dbf20218b2ef3aed5d1e117bebea26ea0f1b8fd9d33839c9
SHA51226d83c408727956bb95b08ba0c3e2cd885390fd09af11c5db3f3db14c1595dec4e301ed0d1be9000f2b0e4fbc88bae86459db299c7330002dbfc2b2ebfea1ef9
-
Filesize
147KB
MD570459a8d76cb6b410add4e669a0a777e
SHA1d7faa03614a17f7870a91eabba7637eb74053223
SHA2563064531a531dcb8c9df883b4425e11d74f3c4cf9c87d3b176d313cb301a8a7cc
SHA51236c6d653203578b4f6ebc4dda666351d92173e3cb5e69b8fc1ed91881bd1bf5eecef2d6d835f104cf1a05fb3999dc44e2d7f9fcb8e6d2a5b8e7cf0bb469b7073
-
Filesize
147KB
MD57af02b44f0b6c65e855af0923928817e
SHA15fd8bb8a022b510634518b770c0a89ebca8924f9
SHA2564e9c6a71942a5b1e0259af8369e14f57dc83e9a820c8c64986e0e593c9bb092d
SHA5123aad17217228fab749278a3d4de03bc23e7ab75bc50a3f3fd0196bc975c77bfec1879a9513a45127b8a49375d5483d87bb070406a71a032b6c534f4720ff8fcc
-
Filesize
147KB
MD5c1b9bda44d7992ea851ebfbec75f3831
SHA1d7df4665180495c8a568b6fa5309b9dee9db012e
SHA2564a2324898142174531bfc2a5b92f4dccce7c0a57ce258aa4da53ae8c64bb44e1
SHA51201880df3664ec82eba7b29d55347ab5aba23c0f634558307d45854eb144e26bf53ed7cc4f42ccb6c31d497bf4bccdc9b1284146039a25f94ea157c8c9e3c1e5c
-
Filesize
147KB
MD5ac4561ff5a8d06b3bb2e48bef334ebc1
SHA190d116c6ad217bd7ed621799c5407e8e43c72193
SHA2567611fc479dee377a5a6cb31c0a6cfc67687862ee4bb544d9db676cf9a1cd866a
SHA5124b4572733ce005123bf83cd38adf0d28a77fe0fce9de939390dd1f752c8cb1bc53421762537fc904e5d39b2c73f2e318470e1861fd9e52ee9268b326fb7fa6d8
-
Filesize
147KB
MD5f52bd5f260be9eda8546f43dd05f3091
SHA11e5e98a6f8bab6cf0a3ee6608af4f7774e412053
SHA256e4b543a4b0ba6a473d5282c26f3cc9d06cc9effd743e194b92b68d7333bc0ab0
SHA512dbdb80227b7fba728072a8e9fc22dbe3d2ecfb162f04cdd12f1d267f4e431bd524a130c4ad39d4ff3b0446b512e0bbbb1baed781b2d283df68e15a0c36d499c1
-
Filesize
147KB
MD561fac135d5bc26ce308b7a4bc55642c8
SHA15642d9abdf209bed80159f4fb4e5fa82023e3ee5
SHA256cc171ef875690e762aa92b863eae591164f4989b27205bb23489aced0fd9b543
SHA512bd0bdde877734139b4d1d9deebb44be39124af202b9930b36ef7ff6c1ce97a4fc23afc34de345dec595925f7d9b011e0506be92f702f2d342a5b2a6ebd7a65e5
-
Filesize
147KB
MD53a7e17598bd28f7fb58a492f121f9998
SHA107ef8d2bad05c52bc4ab88807462706a04c4c2fd
SHA25671cf317b29ad94bf05bfbd322e6b35ce975f8c7542335477fc1bdfe6baf8db8b
SHA51215e42faff3de7bf63dde5c26760d7a33789cf0006ad38e6ac1955b62d8ffdac6d597cc2804c5b2064bc526d735b6a3c00cd8eb59fe7a3bdf86e39cfdba221fd0
-
Filesize
147KB
MD56feddf4b41f791711b14567ace08963d
SHA15ec643cea1840543faf559566630698f394bb11d
SHA25646e3ed7e889e974bbbbdabb98620d34a45361d5178cbcfb32a2a0ca149bda652
SHA5121a921cb9c9a8bac2ac5773596f686e3b13530bea7ae6a1cad420960a68c2000b1e099e1eed46fa3aa0f46fec05f3ae300066246879878196088400bd9ecf1257
-
Filesize
359B
MD5df2f3e6971a7548c1688706f9a9798a8
SHA1e38539857523a1e7eb3aa857e017bf6461b16a08
SHA2561fd0a101a74c19c0c9e287eac64ee506df3eebdbc11f12022dda94fedd123918
SHA512d2d41257135381d7f4c4936139282a505094af7a8f9bc824ccc08d09da9ab010b6adf1460feacf5c0151cb9d4299b8bde934fd90904bb3c3ce6c396af449c072
-
Filesize
41B
MD5097661e74e667ec2329bc274acb87b0d
SHA191c68a6089af2f61035e2e5f2a8da8c908dc93ed
SHA256aab4cf640f2520966a0aac31af8d1b819eea28736c6b103db16b07c3188ec6c0
SHA512e90e678526270cd9388538246793534411c478b082ab914bfe2756b18771229f146c731c0f9c94ed59d8689b2ef77d25f7b22d3d6b8c2d439e5b3437f8dc649e