Malware Analysis Report

2025-01-22 12:22

Sample ID 240517-z5t1lsbf38
Target 4800ebc1c35312b06f3e962f4aa715c9852b77415f495fb1d6b5ceb04658cc30
SHA256 4800ebc1c35312b06f3e962f4aa715c9852b77415f495fb1d6b5ceb04658cc30
Tags
aspackv2 evasion persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

4800ebc1c35312b06f3e962f4aa715c9852b77415f495fb1d6b5ceb04658cc30

Threat Level: Known bad

The file 4800ebc1c35312b06f3e962f4aa715c9852b77415f495fb1d6b5ceb04658cc30 was found to be: Known bad.

Malicious Activity Summary

aspackv2 evasion persistence

Modifies WinLogon for persistence

Modifies visibility of file extensions in Explorer

Modifies visibility of hidden/system files in Explorer

Detects executables packed with ASPack

Disables RegEdit via registry modification

Disables Task Manager via registry modification

Disables use of System Restore points

Disables cmd.exe use via registry modification

Loads dropped DLL

Executes dropped EXE

Modifies system executable filetype association

ASPack v2.12-2.42

Modifies WinLogon

Adds Run key to start application

Enumerates connected drives

Drops file in System32 directory

Drops autorun.inf file

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Modifies Control Panel

Modifies registry class

Suspicious use of SetWindowsHookEx

Modifies Internet Explorer settings

Modifies Internet Explorer start page

System policy modification

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-17 21:18

Signatures

Detects executables packed with ASPack

Description Indicator Process Target
N/A N/A N/A N/A

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-17 21:18

Reported

2024-05-17 21:21

Platform

win10v2004-20240226-en

Max time kernel

151s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4800ebc1c35312b06f3e962f4aa715c9852b77415f495fb1d6b5ceb04658cc30.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" C:\Users\Admin\AppData\Local\Temp\4800ebc1c35312b06f3e962f4aa715c9852b77415f495fb1d6b5ceb04658cc30.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" C:\Users\Admin\AppData\Local\Temp\4800ebc1c35312b06f3e962f4aa715c9852b77415f495fb1d6b5ceb04658cc30.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\AppData\Local\Temp\4800ebc1c35312b06f3e962f4aa715c9852b77415f495fb1d6b5ceb04658cc30.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\babon.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\babon.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\babon.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\babon.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Local\Temp\4800ebc1c35312b06f3e962f4aa715c9852b77415f495fb1d6b5ceb04658cc30.exe N/A

Detects executables packed with ASPack

Description Indicator Process Target
N/A N/A N/A N/A (64 identical rows)

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\babon.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\babon.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\4800ebc1c35312b06f3e962f4aa715c9852b77415f495fb1d6b5ceb04658cc30.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\IExplorer.exe N/A

Disables Task Manager via registry modification

evasion

Disables cmd.exe use via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Windows\babon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Users\Admin\AppData\Local\Temp\4800ebc1c35312b06f3e962f4aa715c9852b77415f495fb1d6b5ceb04658cc30.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Windows\babon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A

Disables use of System Restore points

evasion

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A (19 identical rows)

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\babon.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Windows\babon.exe N/A
N/A N/A C:\Windows\babon.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
N/A N/A C:\Windows\babon.exe N/A
N/A N/A C:\Windows\babon.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
N/A N/A C:\Windows\babon.exe N/A
N/A N/A C:\Windows\babon.exe N/A
N/A N/A C:\Windows\babon.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\babon.exe N/A (7 identical rows)

Modifies system executable filetype association

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\4800ebc1c35312b06f3e962f4aa715c9852b77415f495fb1d6b5ceb04658cc30.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\4800ebc1c35312b06f3e962f4aa715c9852b77415f495fb1d6b5ceb04658cc30.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\babon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\4800ebc1c35312b06f3e962f4aa715c9852b77415f495fb1d6b5ceb04658cc30.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\babon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\babon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\babon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\babon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\4800ebc1c35312b06f3e962f4aa715c9852b77415f495fb1d6b5ceb04658cc30.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\AppData\Local\Temp\4800ebc1c35312b06f3e962f4aa715c9852b77415f495fb1d6b5ceb04658cc30.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\4800ebc1c35312b06f3e962f4aa715c9852b77415f495fb1d6b5ceb04658cc30.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\AppData\Local\Temp\4800ebc1c35312b06f3e962f4aa715c9852b77415f495fb1d6b5ceb04658cc30.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\babon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\4800ebc1c35312b06f3e962f4aa715c9852b77415f495fb1d6b5ceb04658cc30.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\4800ebc1c35312b06f3e962f4aa715c9852b77415f495fb1d6b5ceb04658cc30.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\4800ebc1c35312b06f3e962f4aa715c9852b77415f495fb1d6b5ceb04658cc30.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\csrss.exe" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\lsass.exe" C:\Users\Admin\AppData\Local\Temp\4800ebc1c35312b06f3e962f4aa715c9852b77415f495fb1d6b5ceb04658cc30.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\babon = "C:\\Windows\\babon" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\lsass.exe" C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\csrss.exe" C:\Users\Admin\AppData\Local\Temp\4800ebc1c35312b06f3e962f4aa715c9852b77415f495fb1d6b5ceb04658cc30.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" C:\Users\Admin\AppData\Local\Temp\4800ebc1c35312b06f3e962f4aa715c9852b77415f495fb1d6b5ceb04658cc30.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\babon = "C:\\Windows\\babon" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\csrss.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\lsass.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\lsass.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\babon = "C:\\Windows\\babon" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\csrss.exe" C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\csrss.exe" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\lsass.exe" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\csrss.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\babon = "C:\\Windows\\babon" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\csrss.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\babon = "C:\\Windows\\babon" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\babon = "C:\\Windows\\babon" C:\Users\Admin\AppData\Local\Temp\4800ebc1c35312b06f3e962f4aa715c9852b77415f495fb1d6b5ceb04658cc30.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\lsass.exe" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\babon = "C:\\Windows\\babon" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\lsass.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\lsass.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\babon = "C:\\Windows\\babon" C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\lsass.exe" C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\babon = "C:\\Windows\\babon" C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\csrss.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\csrss.exe" C:\Windows\babon.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\T: C:\Windows\SysWOW64\IExplorer.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\IExplorer.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\4800ebc1c35312b06f3e962f4aa715c9852b77415f495fb1d6b5ceb04658cc30.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\IExplorer.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\4800ebc1c35312b06f3e962f4aa715c9852b77415f495fb1d6b5ceb04658cc30.exe N/A
File opened (read-only) \??\N: C:\Windows\babon.exe N/A
File opened (read-only) \??\O: C:\Windows\babon.exe N/A
File opened (read-only) \??\T: C:\Windows\babon.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\IExplorer.exe N/A
File opened (read-only) \??\R: C:\Windows\babon.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\4800ebc1c35312b06f3e962f4aa715c9852b77415f495fb1d6b5ceb04658cc30.exe N/A
File opened (read-only) \??\M: C:\Windows\babon.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\4800ebc1c35312b06f3e962f4aa715c9852b77415f495fb1d6b5ceb04658cc30.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\4800ebc1c35312b06f3e962f4aa715c9852b77415f495fb1d6b5ceb04658cc30.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\4800ebc1c35312b06f3e962f4aa715c9852b77415f495fb1d6b5ceb04658cc30.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\IExplorer.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\IExplorer.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
File opened (read-only) \??\W: C:\Windows\babon.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\IExplorer.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\IExplorer.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\4800ebc1c35312b06f3e962f4aa715c9852b77415f495fb1d6b5ceb04658cc30.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\IExplorer.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\4800ebc1c35312b06f3e962f4aa715c9852b77415f495fb1d6b5ceb04658cc30.exe N/A
File opened (read-only) \??\P: C:\Windows\babon.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
File opened (read-only) \??\J: C:\Windows\babon.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\4800ebc1c35312b06f3e962f4aa715c9852b77415f495fb1d6b5ceb04658cc30.exe N/A
File opened (read-only) \??\I: C:\Windows\babon.exe N/A
File opened (read-only) \??\K: C:\Windows\babon.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\IExplorer.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened (read-only) \??\E: C:\Windows\babon.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\IExplorer.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\4800ebc1c35312b06f3e962f4aa715c9852b77415f495fb1d6b5ceb04658cc30.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\IExplorer.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Please enjoy the Babon Entertainment ^_^" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Welcome Friend" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Please enjoy the Babon Entertainment ^_^" C:\Users\Admin\AppData\Local\Temp\4800ebc1c35312b06f3e962f4aa715c9852b77415f495fb1d6b5ceb04658cc30.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Please enjoy the Babon Entertainment ^_^" C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Welcome Friend" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Please enjoy the Babon Entertainment ^_^" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Welcome Friend" C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Welcome Friend" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Please enjoy the Babon Entertainment ^_^" C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Welcome Friend" C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Welcome Friend" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Please enjoy the Babon Entertainment ^_^" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Welcome Friend" C:\Windows\babon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Welcome Friend" C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ C:\Users\Admin\AppData\Local\Temp\4800ebc1c35312b06f3e962f4aa715c9852b77415f495fb1d6b5ceb04658cc30.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Welcome Friend" C:\Users\Admin\AppData\Local\Temp\4800ebc1c35312b06f3e962f4aa715c9852b77415f495fb1d6b5ceb04658cc30.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Please enjoy the Babon Entertainment ^_^" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Please enjoy the Babon Entertainment ^_^" C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Please enjoy the Babon Entertainment ^_^" C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ C:\Windows\SysWOW64\IExplorer.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\IExplorer.exe C:\Windows\babon.exe N/A
File opened for modification C:\Windows\SysWOW64\shell.exe C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\IExplorer.exe C:\Windows\babon.exe N/A
File opened for modification C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\AppData\Local\Temp\4800ebc1c35312b06f3e962f4aa715c9852b77415f495fb1d6b5ceb04658cc30.exe N/A
File created C:\Windows\SysWOW64\IExplorer.exe C:\Windows\babon.exe N/A
File opened for modification C:\Windows\SysWOW64\IExplorer.exe C:\Windows\babon.exe N/A
File opened for modification C:\Windows\SysWOW64\babon.scr C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened for modification C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened for modification C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\SysWOW64\shell.exe C:\Users\Admin\AppData\Local\Temp\4800ebc1c35312b06f3e962f4aa715c9852b77415f495fb1d6b5ceb04658cc30.exe N/A
File created C:\Windows\SysWOW64\babon.scr C:\Users\Admin\AppData\Local\Temp\4800ebc1c35312b06f3e962f4aa715c9852b77415f495fb1d6b5ceb04658cc30.exe N/A
File opened for modification C:\Windows\SysWOW64\babon.scr C:\Windows\babon.exe N/A
File opened for modification C:\Windows\SysWOW64\babon.scr C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\SysWOW64\IExplorer.exe C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\shell.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
File opened for modification C:\Windows\SysWOW64\shell.exe C:\Users\Admin\AppData\Local\Temp\4800ebc1c35312b06f3e962f4aa715c9852b77415f495fb1d6b5ceb04658cc30.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\shell.exe C:\Windows\babon.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\babon.scr C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\shell.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
File opened for modification C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\shell.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
File created C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\babon.scr C:\Windows\babon.exe N/A
File created C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\babon.scr C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
File created C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\AppData\Local\Temp\4800ebc1c35312b06f3e962f4aa715c9852b77415f495fb1d6b5ceb04658cc30.exe N/A
File opened for modification C:\Windows\SysWOW64\babon.scr C:\Users\Admin\AppData\Local\Temp\4800ebc1c35312b06f3e962f4aa715c9852b77415f495fb1d6b5ceb04658cc30.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\shell.exe C:\Windows\babon.exe N/A
File opened for modification C:\Windows\SysWOW64\IExplorer.exe C:\Windows\SysWOW64\IExplorer.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\babon.exe C:\Windows\babon.exe N/A
File created C:\Windows\babon.exe C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\babon.exe C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\babon.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
File created C:\Windows\babon.exe C:\Users\Admin\AppData\Local\Temp\4800ebc1c35312b06f3e962f4aa715c9852b77415f495fb1d6b5ceb04658cc30.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\babon.exe C:\Windows\babon.exe N/A
File opened for modification C:\Windows\babon.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File created C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\babon.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
File created C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\babon.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened for modification C:\Windows\babon.exe C:\Users\Admin\AppData\Local\Temp\4800ebc1c35312b06f3e962f4aa715c9852b77415f495fb1d6b5ceb04658cc30.exe N/A
File opened for modification C:\Windows\babon.exe C:\Windows\babon.exe N/A
File created C:\Windows\babon.exe C:\Windows\babon.exe N/A
File opened for modification C:\Windows\babon.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
File opened for modification C:\Windows\babon.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" C:\Users\Admin\AppData\Local\Temp\4800ebc1c35312b06f3e962f4aa715c9852b77415f495fb1d6b5ceb04658cc30.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Mouse\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\babon.SCR" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Mouse\SwapMouseButtons = "1" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\babon.SCR" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\ C:\Users\Admin\AppData\Local\Temp\4800ebc1c35312b06f3e962f4aa715c9852b77415f495fb1d6b5ceb04658cc30.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\babon.SCR" C:\Windows\babon.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\ C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Mouse\SwapMouseButtons = "1" C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" C:\Users\Admin\AppData\Local\Temp\4800ebc1c35312b06f3e962f4aa715c9852b77415f495fb1d6b5ceb04658cc30.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Mouse\SwapMouseButtons = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Mouse\SwapMouseButtons = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\babon.SCR" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\s1159 = "Babon" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\s2359 = "Babon" C:\Users\Admin\AppData\Local\Temp\4800ebc1c35312b06f3e962f4aa715c9852b77415f495fb1d6b5ceb04658cc30.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Mouse\ C:\Users\Admin\AppData\Local\Temp\4800ebc1c35312b06f3e962f4aa715c9852b77415f495fb1d6b5ceb04658cc30.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\s2359 = "Babon" C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\s1159 = "Babon" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\babon.SCR" C:\Users\Admin\AppData\Local\Temp\4800ebc1c35312b06f3e962f4aa715c9852b77415f495fb1d6b5ceb04658cc30.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\ C:\Users\Admin\AppData\Local\Temp\4800ebc1c35312b06f3e962f4aa715c9852b77415f495fb1d6b5ceb04658cc30.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\s1159 = "Babon" C:\Windows\babon.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Mouse\ C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\s1159 = "Babon" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\s2359 = "Babon" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\s1159 = "Babon" C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\ C:\Windows\babon.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Mouse\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\babon.SCR" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\s2359 = "Babon" C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\s1159 = "Babon" C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\s2359 = "Babon" C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\babon.SCR" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\ C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Mouse\SwapMouseButtons = "1" C:\Users\Admin\AppData\Local\Temp\4800ebc1c35312b06f3e962f4aa715c9852b77415f495fb1d6b5ceb04658cc30.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\ C:\Windows\babon.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Mouse\SwapMouseButtons = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\s1159 = "Babon" C:\Users\Admin\AppData\Local\Temp\4800ebc1c35312b06f3e962f4aa715c9852b77415f495fb1d6b5ceb04658cc30.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\ C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\s1159 = "Babon" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Mouse\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\s1159 = "Babon" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\ C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Mouse\SwapMouseButtons = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Mouse\ C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Mouse\SwapMouseButtons = "1" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\s2359 = "Babon" C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.jasakom.com" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Main\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.jasakom.com" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Babon hates Norman..:P~~" C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Babon hates Norman..:P~~" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.jasakom.com" C:\Users\Admin\AppData\Local\Temp\4800ebc1c35312b06f3e962f4aa715c9852b77415f495fb1d6b5ceb04658cc30.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.jasakom.com" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.jasakom.com" C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.jasakom.com" C:\Windows\babon.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Main\ C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Babon hates Norman..:P~~" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Main\ C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.jasakom.com" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Babon hates Norman..:P~~" C:\Windows\babon.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Main\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Babon hates Norman..:P~~" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Main\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Main\ C:\Windows\babon.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Main\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Babon hates Norman..:P~~" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Babon hates Norman..:P~~" C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Main\ C:\Users\Admin\AppData\Local\Temp\4800ebc1c35312b06f3e962f4aa715c9852b77415f495fb1d6b5ceb04658cc30.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Babon hates Norman..:P~~" C:\Users\Admin\AppData\Local\Temp\4800ebc1c35312b06f3e962f4aa715c9852b77415f495fb1d6b5ceb04658cc30.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.jasakom.com" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Main\ C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Babon hates Norman..:P~~" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.jasakom.com" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A

Modifies Internet Explorer start page

stealer
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.jasakom.com" C:\Users\Admin\AppData\Local\Temp\4800ebc1c35312b06f3e962f4aa715c9852b77415f495fb1d6b5ceb04658cc30.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.jasakom.com" C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.jasakom.com" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.jasakom.com" C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.jasakom.com" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.jasakom.com" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.jasakom.com" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.jasakom.com" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.jasakom.com" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} C:\Windows\babon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\4800ebc1c35312b06f3e962f4aa715c9852b77415f495fb1d6b5ceb04658cc30.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install C:\Windows\babon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Windows\babon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ C:\Users\Admin\AppData\Local\Temp\4800ebc1c35312b06f3e962f4aa715c9852b77415f495fb1d6b5ceb04658cc30.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\4800ebc1c35312b06f3e962f4aa715c9852b77415f495fb1d6b5ceb04658cc30.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\babon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Windows\babon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF" C:\Users\Admin\AppData\Local\Temp\4800ebc1c35312b06f3e962f4aa715c9852b77415f495fb1d6b5ceb04658cc30.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\AppData\Local\Temp\4800ebc1c35312b06f3e962f4aa715c9852b77415f495fb1d6b5ceb04658cc30.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\babon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} C:\Users\Admin\AppData\Local\Temp\4800ebc1c35312b06f3e962f4aa715c9852b77415f495fb1d6b5ceb04658cc30.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\AppData\Local\Temp\4800ebc1c35312b06f3e962f4aa715c9852b77415f495fb1d6b5ceb04658cc30.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Windows\babon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Windows\babon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\4800ebc1c35312b06f3e962f4aa715c9852b77415f495fb1d6b5ceb04658cc30.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} C:\Users\Admin\AppData\Local\Temp\4800ebc1c35312b06f3e962f4aa715c9852b77415f495fb1d6b5ceb04658cc30.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\SysWOW64\IExplorer.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\4800ebc1c35312b06f3e962f4aa715c9852b77415f495fb1d6b5ceb04658cc30.exe N/A
N/A N/A C:\Windows\babon.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Windows\babon.exe N/A
N/A N/A C:\Windows\babon.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
N/A N/A C:\Windows\babon.exe N/A
N/A N/A C:\Windows\babon.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
N/A N/A C:\Windows\babon.exe N/A
N/A N/A C:\Windows\babon.exe N/A
N/A N/A C:\Windows\babon.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2112 wrote to memory of 4792 N/A C:\Users\Admin\AppData\Local\Temp\4800ebc1c35312b06f3e962f4aa715c9852b77415f495fb1d6b5ceb04658cc30.exe C:\Windows\babon.exe
PID 2112 wrote to memory of 4792 N/A C:\Users\Admin\AppData\Local\Temp\4800ebc1c35312b06f3e962f4aa715c9852b77415f495fb1d6b5ceb04658cc30.exe C:\Windows\babon.exe
PID 2112 wrote to memory of 4792 N/A C:\Users\Admin\AppData\Local\Temp\4800ebc1c35312b06f3e962f4aa715c9852b77415f495fb1d6b5ceb04658cc30.exe C:\Windows\babon.exe
PID 2112 wrote to memory of 1384 N/A C:\Users\Admin\AppData\Local\Temp\4800ebc1c35312b06f3e962f4aa715c9852b77415f495fb1d6b5ceb04658cc30.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2112 wrote to memory of 1384 N/A C:\Users\Admin\AppData\Local\Temp\4800ebc1c35312b06f3e962f4aa715c9852b77415f495fb1d6b5ceb04658cc30.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2112 wrote to memory of 1384 N/A C:\Users\Admin\AppData\Local\Temp\4800ebc1c35312b06f3e962f4aa715c9852b77415f495fb1d6b5ceb04658cc30.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2112 wrote to memory of 3452 N/A C:\Users\Admin\AppData\Local\Temp\4800ebc1c35312b06f3e962f4aa715c9852b77415f495fb1d6b5ceb04658cc30.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 2112 wrote to memory of 3452 N/A C:\Users\Admin\AppData\Local\Temp\4800ebc1c35312b06f3e962f4aa715c9852b77415f495fb1d6b5ceb04658cc30.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 2112 wrote to memory of 3452 N/A C:\Users\Admin\AppData\Local\Temp\4800ebc1c35312b06f3e962f4aa715c9852b77415f495fb1d6b5ceb04658cc30.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 4792 wrote to memory of 4532 N/A C:\Windows\babon.exe C:\Windows\babon.exe
PID 4792 wrote to memory of 4532 N/A C:\Windows\babon.exe C:\Windows\babon.exe
PID 4792 wrote to memory of 4532 N/A C:\Windows\babon.exe C:\Windows\babon.exe
PID 2112 wrote to memory of 1096 N/A C:\Users\Admin\AppData\Local\Temp\4800ebc1c35312b06f3e962f4aa715c9852b77415f495fb1d6b5ceb04658cc30.exe C:\Windows\babon.exe
PID 2112 wrote to memory of 1096 N/A C:\Users\Admin\AppData\Local\Temp\4800ebc1c35312b06f3e962f4aa715c9852b77415f495fb1d6b5ceb04658cc30.exe C:\Windows\babon.exe
PID 2112 wrote to memory of 1096 N/A C:\Users\Admin\AppData\Local\Temp\4800ebc1c35312b06f3e962f4aa715c9852b77415f495fb1d6b5ceb04658cc30.exe C:\Windows\babon.exe
PID 2112 wrote to memory of 5056 N/A C:\Users\Admin\AppData\Local\Temp\4800ebc1c35312b06f3e962f4aa715c9852b77415f495fb1d6b5ceb04658cc30.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2112 wrote to memory of 5056 N/A C:\Users\Admin\AppData\Local\Temp\4800ebc1c35312b06f3e962f4aa715c9852b77415f495fb1d6b5ceb04658cc30.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2112 wrote to memory of 5056 N/A C:\Users\Admin\AppData\Local\Temp\4800ebc1c35312b06f3e962f4aa715c9852b77415f495fb1d6b5ceb04658cc30.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2112 wrote to memory of 1032 N/A C:\Users\Admin\AppData\Local\Temp\4800ebc1c35312b06f3e962f4aa715c9852b77415f495fb1d6b5ceb04658cc30.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 2112 wrote to memory of 1032 N/A C:\Users\Admin\AppData\Local\Temp\4800ebc1c35312b06f3e962f4aa715c9852b77415f495fb1d6b5ceb04658cc30.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 2112 wrote to memory of 1032 N/A C:\Users\Admin\AppData\Local\Temp\4800ebc1c35312b06f3e962f4aa715c9852b77415f495fb1d6b5ceb04658cc30.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 2112 wrote to memory of 792 N/A C:\Users\Admin\AppData\Local\Temp\4800ebc1c35312b06f3e962f4aa715c9852b77415f495fb1d6b5ceb04658cc30.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe
PID 2112 wrote to memory of 792 N/A C:\Users\Admin\AppData\Local\Temp\4800ebc1c35312b06f3e962f4aa715c9852b77415f495fb1d6b5ceb04658cc30.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe
PID 2112 wrote to memory of 792 N/A C:\Users\Admin\AppData\Local\Temp\4800ebc1c35312b06f3e962f4aa715c9852b77415f495fb1d6b5ceb04658cc30.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe
PID 2112 wrote to memory of 3212 N/A C:\Users\Admin\AppData\Local\Temp\4800ebc1c35312b06f3e962f4aa715c9852b77415f495fb1d6b5ceb04658cc30.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe
PID 2112 wrote to memory of 3212 N/A C:\Users\Admin\AppData\Local\Temp\4800ebc1c35312b06f3e962f4aa715c9852b77415f495fb1d6b5ceb04658cc30.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe
PID 2112 wrote to memory of 3212 N/A C:\Users\Admin\AppData\Local\Temp\4800ebc1c35312b06f3e962f4aa715c9852b77415f495fb1d6b5ceb04658cc30.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe
PID 1096 wrote to memory of 3472 N/A C:\Windows\babon.exe C:\Windows\babon.exe
PID 1096 wrote to memory of 3472 N/A C:\Windows\babon.exe C:\Windows\babon.exe
PID 1096 wrote to memory of 3472 N/A C:\Windows\babon.exe C:\Windows\babon.exe
PID 5056 wrote to memory of 4328 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Windows\babon.exe
PID 5056 wrote to memory of 4328 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Windows\babon.exe
PID 5056 wrote to memory of 4328 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Windows\babon.exe
PID 1096 wrote to memory of 2760 N/A C:\Windows\babon.exe C:\Windows\SysWOW64\IExplorer.exe
PID 1096 wrote to memory of 2760 N/A C:\Windows\babon.exe C:\Windows\SysWOW64\IExplorer.exe
PID 1096 wrote to memory of 2760 N/A C:\Windows\babon.exe C:\Windows\SysWOW64\IExplorer.exe
PID 5056 wrote to memory of 4228 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Windows\SysWOW64\IExplorer.exe
PID 5056 wrote to memory of 4228 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Windows\SysWOW64\IExplorer.exe
PID 5056 wrote to memory of 4228 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Windows\SysWOW64\IExplorer.exe
PID 1096 wrote to memory of 3400 N/A C:\Windows\babon.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 1096 wrote to memory of 3400 N/A C:\Windows\babon.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 1096 wrote to memory of 3400 N/A C:\Windows\babon.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 5056 wrote to memory of 2036 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 5056 wrote to memory of 2036 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 5056 wrote to memory of 2036 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 1096 wrote to memory of 1968 N/A C:\Windows\babon.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe
PID 1096 wrote to memory of 1968 N/A C:\Windows\babon.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe
PID 1096 wrote to memory of 1968 N/A C:\Windows\babon.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe
PID 5056 wrote to memory of 4996 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe
PID 5056 wrote to memory of 4996 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe
PID 5056 wrote to memory of 4996 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe
PID 1096 wrote to memory of 1484 N/A C:\Windows\babon.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe
PID 1096 wrote to memory of 1484 N/A C:\Windows\babon.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe
PID 1096 wrote to memory of 1484 N/A C:\Windows\babon.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe
PID 1032 wrote to memory of 2028 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe C:\Windows\babon.exe
PID 1032 wrote to memory of 2028 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe C:\Windows\babon.exe
PID 1032 wrote to memory of 2028 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe C:\Windows\babon.exe
PID 792 wrote to memory of 1780 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe C:\Windows\babon.exe
PID 792 wrote to memory of 1780 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe C:\Windows\babon.exe
PID 792 wrote to memory of 1780 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe C:\Windows\babon.exe
PID 3212 wrote to memory of 1640 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe C:\Windows\babon.exe
PID 3212 wrote to memory of 1640 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe C:\Windows\babon.exe
PID 3212 wrote to memory of 1640 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe C:\Windows\babon.exe
PID 1032 wrote to memory of 688 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe C:\Windows\SysWOW64\IExplorer.exe

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\4800ebc1c35312b06f3e962f4aa715c9852b77415f495fb1d6b5ceb04658cc30.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Windows\babon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Windows\babon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Users\Admin\AppData\Local\Temp\4800ebc1c35312b06f3e962f4aa715c9852b77415f495fb1d6b5ceb04658cc30.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\babon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\babon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\4800ebc1c35312b06f3e962f4aa715c9852b77415f495fb1d6b5ceb04658cc30.exe

"C:\Users\Admin\AppData\Local\Temp\4800ebc1c35312b06f3e962f4aa715c9852b77415f495fb1d6b5ceb04658cc30.exe"

C:\Windows\babon.exe

C:\Windows\babon.exe

C:\Windows\SysWOW64\IExplorer.exe

C:\Windows\system32\IExplorer.exe

C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"

C:\Windows\babon.exe

C:\Windows\babon.exe

C:\Windows\babon.exe

C:\Windows\babon.exe

C:\Windows\SysWOW64\IExplorer.exe

C:\Windows\system32\IExplorer.exe

C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"

C:\Windows\babon.exe

C:\Windows\babon.exe

C:\Windows\babon.exe

C:\Windows\babon.exe

C:\Windows\SysWOW64\IExplorer.exe

C:\Windows\system32\IExplorer.exe

C:\Windows\SysWOW64\IExplorer.exe

C:\Windows\system32\IExplorer.exe

C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"

C:\Windows\babon.exe

C:\Windows\babon.exe

C:\Windows\babon.exe

C:\Windows\babon.exe

C:\Windows\babon.exe

C:\Windows\babon.exe

C:\Windows\SysWOW64\IExplorer.exe

C:\Windows\system32\IExplorer.exe

C:\Windows\SysWOW64\IExplorer.exe

C:\Windows\system32\IExplorer.exe

C:\Windows\SysWOW64\IExplorer.exe

C:\Windows\system32\IExplorer.exe

C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1408 --field-trial-handle=2676,i,447940133669489189,1353734109898858672,262144 --variations-seed-version /prefetch:8

Network

Before any of these go into a blocklist: every DNS entry is a reverse (PTR, in-addr.arpa) lookup sent to the sandbox resolver at 8.8.8.8, there is no forward lookup of any domain, and the single TCP connection is to 142.250.187.202:443, an address in Google's allocation. The report ties none of these rows to a sample process, so treat them as OS and browser background traffic rather than as command-and-control indicators unless a packet capture shows otherwise.

Country Destination Domain Proto
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
GB 142.250.187.202:443 tcp
US 8.8.8.8:53 98.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 26.73.42.20.in-addr.arpa udp

Files

memory/2112-0-0x0000000000400000-0x0000000000423000-memory.dmp

C:\Windows\SysWOW64\IExplorer.exe

MD5 b5e2af14d8007f52b2509be41bf7a6be
SHA1 e5b3f57b582b658a7cb5d42a791ab785491ab0cc
SHA256 4800ebc1c35312b06f3e962f4aa715c9852b77415f495fb1d6b5ceb04658cc30
SHA512 245110ca663b8d9a973a03bb29b81a27633867487bebd407db9d9af4e2916f138c9b51f5778a054dc7f6eb7f07d5f1c3109a72faebc6f1205c3f1a78e65e56a1

C:\Windows\babon.exe

MD5 113702e65060ac85e93780602bbb6cf6
SHA1 9ab1f560f07c7dfea174442e225cfd4869bf023b
SHA256 a556de71fbd1e479d77d7756b00748b00b98fa8b991009e6db0da41c1739e769
SHA512 7118a7540277f5bc11483b2efcb2b12cad2f5e52502b03b686f9aff04fe21a4b5b2f6fb9a73743dd70820b156ddc003d59a6c9f7e137d60c5bd8c9ba97b05452

memory/4792-46-0x0000000000400000-0x0000000000423000-memory.dmp

C:\Windows\SysWOW64\IExplorer.exe

MD5 90377cc9be2b49015de9159524ed9b6a
SHA1 4a6b2ace5dcd551da47cd19b7719c8f78c241263
SHA256 c5066b754cff6fd7251423f43da2718766142610558cac2585b5bb1c48007720
SHA512 1ef38f05829646434c427110d78dedeb054662a1126725c55140b801e1d9c04c587b394b8c7b372a0779676ca1725515cf54d863a620f91e3418307e520780e0

memory/1384-52-0x0000000000400000-0x0000000000423000-memory.dmp

C:\Users\Admin\AppData\Local\WINDOWS\winlogon.exe

MD5 ccc9d4100b3ab0bc05fd282dd6bbc6bf
SHA1 a1d5d5b5272db8a1147339aebe5384edd6126091
SHA256 822081e481369c6fdd879bbcc185a6e34c3aed798de509f3691200d8e28765b8
SHA512 e576029ede41edd86c72f50ca126a34f1aba73b0b4e016a0a411ba09fbd3806c1e63c85507b88e88d8cf5a3999a99d613005a3485a7e2b7d4ec2611ee7fd2699

memory/3452-60-0x0000000000400000-0x0000000000423000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\WINDOWS\smss.exe

MD5 01ee38587612a2a18150a8192608efca
SHA1 7128ecbda703ce7e3ce596988e3239e75e5e59b8
SHA256 27c4615287ee6c630f66a7123b3fde0ed518755df4d86871955103a946478a04
SHA512 14994258203101d488ba5df6bc78fd884988a98d9ab74c9532416b408ab05cf972e7a0a1175bb727481be019c9932995815b4b89a6d88e4535f03e983c752ed7

C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe

MD5 cbce6b681470332c5ad648b447b32008
SHA1 97bb0332f40b1733bbc18a60300e9d592cacc774
SHA256 3d0c318ae263453e269a1e36620168d0594594a628bdee42278f8f26dfb92071
SHA512 67dd34e41bfe9d482f995d51571bbca741952d6c76ee8d1180fc21365a90b272149888f5f4af557581b0576c31baf8d9a9187ee6523c33b3fa657fb92b911fe1

C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe

MD5 13b6306a42f52244c4fcde9a4f2814d0
SHA1 b94a0415697d252759af1f56512cd177c744ad32
SHA256 419d63ebcaa85f9feaa8fc821536d3d05dbe0b490c7a0f536b8e7ebe48217b72
SHA512 d97eeb2e903a59e3af15a2cb07b48fac742fb8a3eebd0f770c56ded72ce2a4ca72e53b5a60880fd89377852f16d0bd4446cee0c0f50381673d3cc17198dc36eb

C:\wangsit.txt

MD5 8c460e27a1949370d14f20942ef964c3
SHA1 fb1f75839903c83911b45b49956792d27db56185
SHA256 2c001b5c9684baf861870ffbaf0bec9df22560cdf3cd5a719a78a882e3122f8d
SHA512 ad4299385bd91f7157f4d4b01025664333423f15f796a9a70e3f5df251842cdef3ad8f1158dc3c8b51c8ea4d082d62d56a6b57fade7b563fb953f8b511a17bcd

F:\autorun.inf

MD5 097661e74e667ec2329bc274acb87b0d
SHA1 91c68a6089af2f61035e2e5f2a8da8c908dc93ed
SHA256 aab4cf640f2520966a0aac31af8d1b819eea28736c6b103db16b07c3188ec6c0
SHA512 e90e678526270cd9388538246793534411c478b082ab914bfe2756b18771229f146c731c0f9c94ed59d8689b2ef77d25f7b22d3d6b8c2d439e5b3437f8dc649e

C:\Windows\msvbvm60.dll

MD5 25f62c02619174b35851b0e0455b3d94
SHA1 4e8ee85157f1769f6e3f61c0acbe59072209da71
SHA256 898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
SHA512 f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

C:\babon.exe

MD5 0041bf7998697f4a841857295377a145
SHA1 bff5c49a34536086157b5ad38786a2604b5e28b4
SHA256 6da6ba38242312fad195e3d834c5d3af0a71b112fc6908ace647252503244f72
SHA512 9cbc8667e88d4e18f055f0d61c3f54c0fc41e04b6138cf75943e9aff8e422a19fe908faa0ad0291f86a7f7ee2fec9e3c40b77d29826c72b3233e9a65db770060

memory/4792-135-0x0000000000400000-0x0000000000423000-memory.dmp

memory/1384-152-0x0000000000400000-0x0000000000423000-memory.dmp

memory/3452-173-0x0000000000400000-0x0000000000423000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe

MD5 32d44a4f4d92934d2c489b0b5978d15e
SHA1 9556385203a2e0547fe18e7209f6a126a69ef04c
SHA256 e4e09d32a69e78866a38388b40fbe884445fe6c72ac50cfc765589e91dda8aad
SHA512 bdb37ac163737daab83947059b9d8e8f5e7a34ff8efcdb9d0f9389fb3dd8dd8cacfd272d7635c681b9641648928d7164bcc120ca95972c139d5ee071d52d1bb6

C:\Users\Admin\Local Settings\Application Data\WINDOWS\smss.exe

MD5 2cb7289f63a9c2a8644270535385f1fd
SHA1 729816b95c424beefc2e6e3eb38d5ea46a9e39f7
SHA256 5e9ca21ae6fbab8e99397ab54eed5a180bbb0c33b9889d0ff261e04bf6b7fd1c
SHA512 0a7fd508485e85dd0073d0e7b9dec8e55a532c3fe249a6974ff81573e45fa681486b64a5540b596e1aa9c1448758c1f17c927c555e5fbc726ab46cf7781aeec4

C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe

MD5 4016d39018e2b8bc04dc1d9bf4c03197
SHA1 b5bd0c9a2b9511bef5b31805542e4c0d5e49626c
SHA256 8edf950e73bd48c022c1edfd4294fc958912341d0de4c78b485880859d077ec0
SHA512 0ebb9da2178cd35ba92f82d84c2147fdfbd16546413fa78a69d9b1a8c56ca0e94f7e77972c35291ef71dbf6991427e801c3d4fe75b8be042eadb829f44ddcb8e

memory/4532-195-0x0000000000400000-0x0000000000423000-memory.dmp

C:\Windows\babon.exe

MD5 9912d282a9733c2928eb0f2298dce4dd
SHA1 f609e662b814aaac87a2eddf7ba056a8f535ef98
SHA256 95a454405df125b374c0bbc302c391831eca68a6ca85cec4cdd228b41d55cd6c
SHA512 6a4115e0eb2f58b858b0c6e63f29e6414e0de93df0ef83364b6bc6d0519a65ff2f64c7aa30f5256ad54f3a52181b096f74eb83d50e71ba90754a8deef8cf2419

memory/1096-297-0x0000000000400000-0x0000000000423000-memory.dmp

C:\Windows\SysWOW64\IExplorer.exe

MD5 5c93c2c7ac3632a0f5d566d3bf2dddd1
SHA1 419387b4eb15284933bb753f93c42290c29dbcc0
SHA256 36fe633096020117e2c862bf226931b8c1b864e111e7d431e8c2c678a3b2fb69
SHA512 6e2e45d24c098d57381a03e8236b155415fc5f2c5713ba3361e192baa034dc1ab65ed5581a437667def8f006c68be38048803bb98b77cfec28acfb8a337f6835

memory/5056-303-0x0000000000400000-0x0000000000423000-memory.dmp

C:\Users\Admin\AppData\Local\WINDOWS\winlogon.exe

MD5 982c35f48c44b8e7aa4f3e521110c72a
SHA1 afec6e2a2c3f7913db85da85a13eb1146a8bdf0b
SHA256 1889d63de8e3e03fef7c6cc10f9f66b9ba936e57d6d2e2cba50fca1ae2e3b706
SHA512 fc4e108af96c5a3063af42a161c29224a99fd1163fdf33f42b6600b73ab51c1e5f1936ca97c00c5f2627a0c03d6f352c8c6bbd23805defe631e00ee6eb8bfbd6

memory/1032-310-0x0000000000400000-0x0000000000423000-memory.dmp

C:\Users\Admin\AppData\Local\WINDOWS\csrss.exe

MD5 b7e85e607719265d8fab51af6c8b6c8e
SHA1 7c5fbdbb2735aae3d72a6a214ddce67e4d9b62ae
SHA256 8685f37f65bd3f754b14b56be130b8bd5c52eebc5aca4e0e4d8d3a7e48ae4ddd
SHA512 7e1862b74eed233b861b32e9215490130e2bcbf53260bb13b53d92d961240689773e77478bca5c8367b154345ca58172b72c05cf23381fe72f52aacc77c347db

memory/792-315-0x0000000000400000-0x0000000000423000-memory.dmp

C:\Users\Admin\AppData\Local\WINDOWS\lsass.exe

MD5 722d345ee8ffe372a74fb6fcbe013bfd
SHA1 fe02a1972ddfb029e23353302b250af05c936f62
SHA256 8502efc8d2f2f16ec67815d852143a0b00278d5df3d0c605d28c769f8e3baaa5
SHA512 ba542431477c878ba0e360fe19b62c0c0dd58637c87d665f682e82b1babdc910821b513e0b41af2735f4cfe043f72512503795cfc68e73689737723f0853d455

memory/3212-322-0x0000000000400000-0x0000000000423000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\WINDOWS\smss.exe

MD5 7a3a09294aeab9e18aed4232ae69e4a8
SHA1 fbcde9f8045f4a3405d4d1d06eb375a6595ddc07
SHA256 1173ea3352d0c7abb2210a66ddc8a86f31439e20ce61c4bfec6ce25c9191d07e
SHA512 e749b2364b4c95dfbcfde4b14251a8b306a2e2394c3bb65b99eb3fb8007f1691e39c3b708154393ee33cc297026fd25a8a4bc1e8f46483395f1438cff5170de7

memory/2112-350-0x0000000000400000-0x0000000000423000-memory.dmp

memory/3472-357-0x0000000000400000-0x0000000000423000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\WINDOWS\smss.exe

MD5 abe017738207ca2d92f89da1c2fd02be
SHA1 1278398ce6db4c11fb2d8a15751729c2edeeafd5
SHA256 05c32a7353c551101454e62de74221741e70aa96b175c2601afa1f88bbe6f857
SHA512 40dc6432eda71e0d14881fe3d934804f7f7a4b4f1af09c448a8f2ed349e20e8e3d658c5c1a41374ae6a41a83506ac0301eca1dd568aaf9bb0f530621432f1843

memory/4328-389-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2760-393-0x0000000000400000-0x0000000000423000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\WINDOWS\smss.exe

MD5 61cc25a51408ca8b77b75b28779e618e
SHA1 cd3acf67774bd1c7d094e59a71721dfb4d7cb91d
SHA256 aebabeed323d575d33978bb551f55c5249998bdd0d49472e8600d570cdb880a2
SHA512 1d06ac7981aaaed9b17da1d39f72e2afbb830c032927c8ae40e837709636f1ac6d66b917797d44ff5601e251962ba30f9ec86fd91af941fd6472bb6b09042863

memory/3472-392-0x0000000000400000-0x0000000000423000-memory.dmp

memory/4228-419-0x0000000000400000-0x0000000000423000-memory.dmp

memory/4328-418-0x0000000000400000-0x0000000000423000-memory.dmp

memory/3400-421-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2760-417-0x0000000000400000-0x0000000000423000-memory.dmp

memory/4228-430-0x0000000000400000-0x0000000000423000-memory.dmp

memory/3400-429-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2036-439-0x0000000000400000-0x0000000000423000-memory.dmp

memory/1968-443-0x0000000000400000-0x0000000000423000-memory.dmp

memory/1484-446-0x0000000000400000-0x0000000000423000-memory.dmp

memory/1640-479-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2028-482-0x0000000000400000-0x0000000000423000-memory.dmp

memory/688-487-0x0000000000400000-0x0000000000423000-memory.dmp

memory/1168-486-0x0000000000400000-0x0000000000423000-memory.dmp

memory/1780-485-0x0000000000400000-0x0000000000423000-memory.dmp

memory/1640-492-0x0000000000400000-0x0000000000423000-memory.dmp

memory/1484-497-0x0000000000400000-0x0000000000423000-memory.dmp

memory/688-501-0x0000000000400000-0x0000000000423000-memory.dmp

memory/4996-499-0x0000000000400000-0x0000000000423000-memory.dmp

memory/4796-505-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2056-506-0x0000000000400000-0x0000000000423000-memory.dmp

memory/4796-513-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2056-510-0x0000000000400000-0x0000000000423000-memory.dmp

memory/1168-515-0x0000000000400000-0x0000000000423000-memory.dmp

memory/3816-511-0x0000000000400000-0x0000000000423000-memory.dmp

memory/984-522-0x0000000000400000-0x0000000000423000-memory.dmp

memory/3672-520-0x0000000000400000-0x0000000000423000-memory.dmp

memory/5088-519-0x0000000000400000-0x0000000000423000-memory.dmp

memory/3672-526-0x0000000000400000-0x0000000000423000-memory.dmp

memory/984-528-0x0000000000400000-0x0000000000423000-memory.dmp

memory/5088-530-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2688-531-0x0000000000400000-0x0000000000423000-memory.dmp

memory/4384-541-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2068-546-0x0000000000400000-0x0000000000423000-memory.dmp

memory/220-548-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2068-549-0x0000000000400000-0x0000000000423000-memory.dmp

memory/1096-550-0x0000000000400000-0x0000000000423000-memory.dmp

memory/1032-552-0x0000000000400000-0x0000000000423000-memory.dmp

memory/5056-551-0x0000000000400000-0x0000000000423000-memory.dmp

memory/792-553-0x0000000000400000-0x0000000000423000-memory.dmp

memory/3212-554-0x0000000000400000-0x0000000000423000-memory.dmp
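
Two things in the listing above are worth pulling out before the hashes are used as indicators. C:\Windows\SysWOW64\IExplorer.exe is recorded with the submitted sample's own SHA256, so that drop is a straight self-copy; the csrss.exe, lsass.exe, smss.exe, winlogon.exe and babon.exe copies, by contrast, appear several times under the same path with different hashes, so the drop paths and the registry changes are the stable indicators, not the hashes of the copies. The dropped files are also listed under two spellings, C:\Users\Admin\AppData\Local\WINDOWS and C:\Users\Admin\Local Settings\Application Data\WINDOWS; the second is the legacy profile junction to the first, so they are one directory. The script below is an added example, not part of the report and not the sample's code: it parses the flattened path/MD5/SHA1/SHA256/SHA512 blocks, folds the junction, and reports both relationships. The excerpt it runs on is copied verbatim from the listing above and embedded as constructed test input.

```python
"""Group the hash records in a sandbox report's Files listing by content and path."""
import re
from collections import defaultdict

# Constructed input: a few entries copied verbatim from the listing above.
# Memory dumps carry no hashes; each file path is followed by its hash lines.
REPORT_EXCERPT = r"""
memory/2112-0-0x0000000000400000-0x0000000000423000-memory.dmp

C:\Windows\SysWOW64\IExplorer.exe

MD5 b5e2af14d8007f52b2509be41bf7a6be
SHA1 e5b3f57b582b658a7cb5d42a791ab785491ab0cc
SHA256 4800ebc1c35312b06f3e962f4aa715c9852b77415f495fb1d6b5ceb04658cc30
SHA512 245110ca663b8d9a973a03bb29b81a27633867487bebd407db9d9af4e2916f138c9b51f5778a054dc7f6eb7f07d5f1c3109a72faebc6f1205c3f1a78e65e56a1

C:\Users\Admin\AppData\Local\WINDOWS\winlogon.exe

MD5 ccc9d4100b3ab0bc05fd282dd6bbc6bf
SHA1 a1d5d5b5272db8a1147339aebe5384edd6126091
SHA256 822081e481369c6fdd879bbcc185a6e34c3aed798de509f3691200d8e28765b8
SHA512 e576029ede41edd86c72f50ca126a34f1aba73b0b4e016a0a411ba09fbd3806c1e63c85507b88e88d8cf5a3999a99d613005a3485a7e2b7d4ec2611ee7fd2699

C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe

MD5 cbce6b681470332c5ad648b447b32008
SHA1 97bb0332f40b1733bbc18a60300e9d592cacc774
SHA256 3d0c318ae263453e269a1e36620168d0594594a628bdee42278f8f26dfb92071
SHA512 67dd34e41bfe9d482f995d51571bbca741952d6c76ee8d1180fc21365a90b272149888f5f4af557581b0576c31baf8d9a9187ee6523c33b3fa657fb92b911fe1

C:\Users\Admin\AppData\Local\WINDOWS\csrss.exe

MD5 b7e85e607719265d8fab51af6c8b6c8e
SHA1 7c5fbdbb2735aae3d72a6a214ddce67e4d9b62ae
SHA256 8685f37f65bd3f754b14b56be130b8bd5c52eebc5aca4e0e4d8d3a7e48ae4ddd
SHA512 7e1862b74eed233b861b32e9215490130e2bcbf53260bb13b53d92d961240689773e77478bca5c8367b154345ca58172b72c05cf23381fe72f52aacc77c347db
"""

# SHA256 of the submitted sample (the report's Target identifier).
SAMPLE_SHA256 = "4800ebc1c35312b06f3e962f4aa715c9852b77415f495fb1d6b5ceb04658cc30"

_PATH_RE = re.compile(r"^(?:[A-Za-z]:\\.+|memory/.+)$")
_HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")
# "Local Settings\Application Data" is the legacy junction to AppData\Local
# (Vista and later), so both spellings name the same directory.
_LEGACY_JUNCTION = re.compile(r"\\local settings\\application data\\", re.IGNORECASE)


def normalize_path(path):
    """Fold case and map the legacy profile junction onto its real target."""
    return _LEGACY_JUNCTION.sub(r"\\AppData\\Local\\", path).lower()


def parse_files_section(text):
    """One record per path or dump: {"path", "md5", "sha1", "sha256", "sha512"}."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _HASH_RE.match(line)
        if m and current is not None:
            current[m.group(1).lower()] = m.group(2).lower()
        elif _PATH_RE.match(line):
            current = {"path": line}
            records.append(current)
    return records


def group_by_sha256(records):
    """Map each SHA256 to the sorted normalized paths that carry it."""
    groups = defaultdict(set)
    for rec in records:
        if "sha256" in rec:
            groups[rec["sha256"]].add(normalize_path(rec["path"]))
    return {h: sorted(p) for h, p in groups.items()}


def paths_with_multiple_hashes(records):
    """Paths recorded with more than one SHA256, i.e. rewritten with different content."""
    seen = defaultdict(set)
    for rec in records:
        if "sha256" in rec:
            seen[normalize_path(rec["path"])].add(rec["sha256"])
    return {p: sorted(h) for p, h in seen.items() if len(h) > 1}


def copies_of(records, sha256):
    """Paths whose content is byte-identical to the given SHA256."""
    return group_by_sha256(records).get(sha256.lower(), [])


def hash_iocs(records):
    """Unique (sha256, md5) pairs for a blocklist; memory dumps are excluded."""
    return sorted({(r["sha256"], r["md5"]) for r in records if "sha256" in r and "md5" in r})


if __name__ == "__main__":
    recs = parse_files_section(REPORT_EXCERPT)
    print("byte-identical copies of the sample:", copies_of(recs, SAMPLE_SHA256))
    for path, hashes in paths_with_multiple_hashes(recs).items():
        print(f"{path}: {len(hashes)} distinct SHA256 values")
```

Feed it the whole Files listing instead of the excerpt and the same two reports come out for the full set: one self-copy, and every dropped image name with several hashes.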

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-17 21:18

Reported

2024-05-17 21:21

Platform

win7-20240221-en

Max time kernel

150s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4800ebc1c35312b06f3e962f4aa715c9852b77415f495fb1d6b5ceb04658cc30.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" C:\Users\Admin\AppData\Local\Temp\4800ebc1c35312b06f3e962f4aa715c9852b77415f495fb1d6b5ceb04658cc30.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" C:\Users\Admin\AppData\Local\Temp\4800ebc1c35312b06f3e962f4aa715c9852b77415f495fb1d6b5ceb04658cc30.exe N/A

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\AppData\Local\Temp\4800ebc1c35312b06f3e962f4aa715c9852b77415f495fb1d6b5ceb04658cc30.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\babon.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Local\Temp\4800ebc1c35312b06f3e962f4aa715c9852b77415f495fb1d6b5ceb04658cc30.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\babon.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A

Detects executables packed with ASPack

64 matches; the report records no description, indicator, process or target for any of them.

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\4800ebc1c35312b06f3e962f4aa715c9852b77415f495fb1d6b5ceb04658cc30.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\babon.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A

Disables Task Manager via registry modification

evasion

Disables cmd.exe use via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Users\Admin\AppData\Local\Temp\4800ebc1c35312b06f3e962f4aa715c9852b77415f495fb1d6b5ceb04658cc30.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Windows\babon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
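
The registry rows above (Winlogon Shell and Userinit, HideFileExt, ShowSuperHidden, DisableRegistryTools, and the DisableCMD rows of this table and of the System policy modification table in behavioral2) are what a responder has to undo. The script below is an added example, not part of the report and not the sample's code: it parses the sandbox's "Set value" notation, maps the kernel-style \REGISTRY\MACHINE and \REGISTRY\USER\<SID> paths to the hive names a .reg file uses, and emits a Windows Registry Editor 5.00 file that deletes the lockout values and restores stock Shell/Userinit plus the hardened Explorer view settings. The input rows are copied verbatim from the tables; the KNOWN_GOOD table of restore values and the mapping of the sandbox user's SID to HKEY_CURRENT_USER are this example's assumptions. Two caveats a responder should keep in mind: the Winlogon writes are recorded under Wow6432Node, which is where a 32-bit process's writes to that key are redirected on 64-bit Windows, while winlogon.exe itself reads the native key, so the native Shell and Userinit values must be checked as well (the generated file only covers what the report records, and on 32-bit Windows the same write lands in the live key). And HideFileExt=1 with ShowSuperHidden=0 is the out-of-the-box Explorer state, so the sample is re-asserting defaults there; the output sets the hardened values instead of the defaults.

```python
"""Turn a sandbox report's registry 'Set value' rows into a .reg remediation file."""
import re

# Constructed input: rows copied verbatim from the signature tables above, one
# per distinct value (the report repeats each row once per process image).
SET_VALUE_ROWS = r'''
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\babon.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\babon.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\babon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\IExplorer.exe N/A
'''

# Row shape: Set value (<type>) <key>\<name> = "<C-escaped value>" <process> N/A
_ROW = re.compile(r'^Set value \((str|int)\) (\\REGISTRY\\.+?) = "(.*)" (.+) N/A$')

# Restore values keyed by (tail of key path, value name), lower case. None means
# delete the value. Assumed clean state: stock Shell/Userinit, no tool lockouts,
# and the hardened Explorer view (extensions and protected OS files visible).
KNOWN_GOOD = {
    ("winlogon", "shell"): "explorer.exe",
    ("winlogon", "userinit"): "C:\\Windows\\system32\\userinit.exe,",
    ("policies\\system", "disablecmd"): None,
    ("policies\\system", "disableregistrytools"): None,
    ("policies\\system", "disabletaskmgr"): None,
    ("explorer\\advanced", "hidefileext"): 0,
    ("explorer\\advanced", "showsuperhidden"): 1,
}


def parse_set_value_rows(text):
    """One event per 'Set value' row; 'Key created' rows carry nothing to undo."""
    events = []
    for line in text.splitlines():
        m = _ROW.match(line.strip())
        if not m:
            continue
        kind, path, raw_value, process = m.groups()
        key, name = path.rsplit("\\", 1)
        # Strings are printed C-escaped (\" and \\); ints are bare digits.
        value = int(raw_value) if kind == "int" else re.sub(r"\\(.)", r"\1", raw_value)
        events.append({"key": key, "name": name, "kind": kind,
                       "value": value, "process": process})
    return events


_MACHINE = "\\REGISTRY\\MACHINE\\"


def to_reg_key(nt_path, current_user=True):
    """Map a kernel-style \\REGISTRY\\... path to the hive name a .reg file uses."""
    if nt_path.upper().startswith(_MACHINE):
        return "HKEY_LOCAL_MACHINE\\" + nt_path[len(_MACHINE):]
    m = re.match(r"\\REGISTRY\\USER\\([^\\]+)\\(.*)$", nt_path, re.IGNORECASE)
    if not m:
        raise ValueError(f"unrecognised hive in {nt_path!r}")
    # The SID is the sandbox user's; for the logged-on victim profile use HKCU.
    if current_user:
        return "HKEY_CURRENT_USER\\" + m.group(2)
    return "HKEY_USERS\\" + m.group(1) + "\\" + m.group(2)


def known_good(key, name):
    """(True, restore_value) if this is a value the sample is known to abuse."""
    k, n = key.lower(), name.lower()
    for (tail, vname), good in KNOWN_GOOD.items():
        if n == vname and k.endswith("\\" + tail):
            return True, good
    return False, None


def reg_escape(s):
    """Escape a string the way .reg files expect (backslashes and quotes)."""
    return s.replace("\\", "\\\\").replace('"', '\\"')


def build_reg_file(events, current_user=True):
    """Emit a Windows Registry Editor 5.00 file undoing every known-bad write."""
    by_key, review = {}, []
    for ev in events:
        regkey = to_reg_key(ev["key"], current_user)
        found, good = known_good(ev["key"], ev["name"])
        if not found:   # unknown value: surface it rather than guess a fix
            review.append(f'; review manually: [{regkey}] "{ev["name"]}" '
                          f'was set to {ev["value"]!r} by {ev["process"]}')
            continue
        if good is None:
            line = f'"{ev["name"]}"=-'
        elif isinstance(good, int):
            line = f'"{ev["name"]}"=dword:{good:08x}'
        else:
            line = f'"{ev["name"]}"="{reg_escape(good)}"'
        by_key.setdefault(regkey, {})[ev["name"]] = line
    out = ["Windows Registry Editor Version 5.00", ""]
    for regkey in sorted(by_key):
        out.append(f"[{regkey}]")
        out.extend(by_key[regkey][n] for n in sorted(by_key[regkey]))
        out.append("")
    out.extend(review)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(build_reg_file(parse_set_value_rows(SET_VALUE_ROWS)), end="")
```

Import the generated file with reg.exe from an elevated prompt on the cleaned host after the dropped executables and their respawning copies have been removed; importing it while any copy is still running just invites it to write the values back.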

Disables use of System Restore points

evasion

ASPack v2.12-2.42

aspackv2
17 matches; the report records no description, indicator, process or target for any of them.

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\babon.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
N/A N/A C:\Windows\babon.exe N/A
N/A N/A C:\Windows\babon.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Windows\babon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Windows\babon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
N/A N/A C:\Windows\babon.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\4800ebc1c35312b06f3e962f4aa715c9852b77415f495fb1d6b5ceb04658cc30.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4800ebc1c35312b06f3e962f4aa715c9852b77415f495fb1d6b5ceb04658cc30.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4800ebc1c35312b06f3e962f4aa715c9852b77415f495fb1d6b5ceb04658cc30.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4800ebc1c35312b06f3e962f4aa715c9852b77415f495fb1d6b5ceb04658cc30.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4800ebc1c35312b06f3e962f4aa715c9852b77415f495fb1d6b5ceb04658cc30.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4800ebc1c35312b06f3e962f4aa715c9852b77415f495fb1d6b5ceb04658cc30.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4800ebc1c35312b06f3e962f4aa715c9852b77415f495fb1d6b5ceb04658cc30.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4800ebc1c35312b06f3e962f4aa715c9852b77415f495fb1d6b5ceb04658cc30.exe N/A
N/A N/A C:\Windows\babon.exe N/A
N/A N/A C:\Windows\babon.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Windows\babon.exe N/A
N/A N/A C:\Windows\babon.exe N/A
N/A N/A C:\Windows\babon.exe N/A
N/A N/A C:\Windows\babon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
N/A N/A C:\Windows\babon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Windows\babon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Windows\babon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Windows\babon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell C:\Users\Admin\AppData\Local\Temp\4800ebc1c35312b06f3e962f4aa715c9852b77415f495fb1d6b5ceb04658cc30.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\4800ebc1c35312b06f3e962f4aa715c9852b77415f495fb1d6b5ceb04658cc30.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\4800ebc1c35312b06f3e962f4aa715c9852b77415f495fb1d6b5ceb04658cc30.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\4800ebc1c35312b06f3e962f4aa715c9852b77415f495fb1d6b5ceb04658cc30.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\4800ebc1c35312b06f3e962f4aa715c9852b77415f495fb1d6b5ceb04658cc30.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Windows\babon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open C:\Users\Admin\AppData\Local\Temp\4800ebc1c35312b06f3e962f4aa715c9852b77415f495fb1d6b5ceb04658cc30.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\AppData\Local\Temp\4800ebc1c35312b06f3e962f4aa715c9852b77415f495fb1d6b5ceb04658cc30.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\4800ebc1c35312b06f3e962f4aa715c9852b77415f495fb1d6b5ceb04658cc30.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\4800ebc1c35312b06f3e962f4aa715c9852b77415f495fb1d6b5ceb04658cc30.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\babon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\4800ebc1c35312b06f3e962f4aa715c9852b77415f495fb1d6b5ceb04658cc30.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\AppData\Local\Temp\4800ebc1c35312b06f3e962f4aa715c9852b77415f495fb1d6b5ceb04658cc30.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\4800ebc1c35312b06f3e962f4aa715c9852b77415f495fb1d6b5ceb04658cc30.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\babon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\csrss.exe" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\babon = "C:\\Windows\\babon" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\babon = "C:\\Windows\\babon" C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\csrss.exe" C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\lsass.exe" C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\babon = "C:\\Windows\\babon" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\csrss.exe" C:\Users\Admin\AppData\Local\Temp\4800ebc1c35312b06f3e962f4aa715c9852b77415f495fb1d6b5ceb04658cc30.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\babon = "C:\\Windows\\babon" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\csrss.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\lsass.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\lsass.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\babon = "C:\\Windows\\babon" C:\Users\Admin\AppData\Local\Temp\4800ebc1c35312b06f3e962f4aa715c9852b77415f495fb1d6b5ceb04658cc30.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\lsass.exe" C:\Users\Admin\AppData\Local\Temp\4800ebc1c35312b06f3e962f4aa715c9852b77415f495fb1d6b5ceb04658cc30.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\lsass.exe" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\babon = "C:\\Windows\\babon" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\csrss.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\lsass.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\csrss.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" C:\Users\Admin\AppData\Local\Temp\4800ebc1c35312b06f3e962f4aa715c9852b77415f495fb1d6b5ceb04658cc30.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\V: C:\Windows\babon.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
File opened (read-only) \??\W: C:\Windows\babon.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\IExplorer.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\IExplorer.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
File opened (read-only) \??\G: C:\Windows\babon.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened (read-only) \??\I: C:\Windows\babon.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\IExplorer.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\IExplorer.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
File opened (read-only) \??\P: C:\Windows\babon.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\IExplorer.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\IExplorer.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\IExplorer.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\IExplorer.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\IExplorer.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\IExplorer.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened (read-only) \??\K: C:\Windows\babon.exe N/A
File opened (read-only) \??\S: C:\Windows\babon.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\IExplorer.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
File opened (read-only) \??\L: C:\Windows\babon.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\IExplorer.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
File opened (read-only) \??\O: C:\Windows\babon.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\IExplorer.exe N/A
File opened (read-only) \??\R: C:\Windows\babon.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
File opened (read-only) \??\U: C:\Windows\babon.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
File opened (read-only) \??\E: C:\Windows\babon.exe N/A
File opened (read-only) \??\Z: C:\Windows\babon.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Welcome Friend" C:\Users\Admin\AppData\Local\Temp\4800ebc1c35312b06f3e962f4aa715c9852b77415f495fb1d6b5ceb04658cc30.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Please enjoy the Babon Entertainment ^_^" C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Welcome Friend" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Please enjoy the Babon Entertainment ^_^" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Please enjoy the Babon Entertainment ^_^" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ C:\Users\Admin\AppData\Local\Temp\4800ebc1c35312b06f3e962f4aa715c9852b77415f495fb1d6b5ceb04658cc30.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Welcome Friend" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Welcome Friend" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Welcome Friend" C:\Windows\babon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Welcome Friend" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Please enjoy the Babon Entertainment ^_^" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Please enjoy the Babon Entertainment ^_^" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Please enjoy the Babon Entertainment ^_^" C:\Users\Admin\AppData\Local\Temp\4800ebc1c35312b06f3e962f4aa715c9852b77415f495fb1d6b5ceb04658cc30.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ C:\Windows\babon.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File created C:\autorun.inf C:\Windows\babon.exe N/A
File opened for modification C:\autorun.inf C:\Windows\babon.exe N/A
File created F:\autorun.inf C:\Windows\babon.exe N/A
File opened for modification F:\autorun.inf C:\Windows\babon.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\shell.exe C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\SysWOW64\IExplorer.exe C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened for modification C:\Windows\SysWOW64\shell.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
File created C:\Windows\SysWOW64\shell.exe C:\Users\Admin\AppData\Local\Temp\4800ebc1c35312b06f3e962f4aa715c9852b77415f495fb1d6b5ceb04658cc30.exe N/A
File created C:\Windows\SysWOW64\IExplorer.exe C:\Windows\babon.exe N/A
File opened for modification C:\Windows\SysWOW64\babon.scr C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\shell.exe C:\Windows\babon.exe N/A
File opened for modification C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\babon.scr C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\IExplorer.exe C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\babon.scr C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\babon.scr C:\Users\Admin\AppData\Local\Temp\4800ebc1c35312b06f3e962f4aa715c9852b77415f495fb1d6b5ceb04658cc30.exe N/A
File opened for modification C:\Windows\SysWOW64\shell.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened for modification C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
File created C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\IExplorer.exe C:\Windows\babon.exe N/A
File created C:\Windows\SysWOW64\babon.scr C:\Users\Admin\AppData\Local\Temp\4800ebc1c35312b06f3e962f4aa715c9852b77415f495fb1d6b5ceb04658cc30.exe N/A
File created C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\AppData\Local\Temp\4800ebc1c35312b06f3e962f4aa715c9852b77415f495fb1d6b5ceb04658cc30.exe N/A
File opened for modification C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\AppData\Local\Temp\4800ebc1c35312b06f3e962f4aa715c9852b77415f495fb1d6b5ceb04658cc30.exe N/A
File opened for modification C:\Windows\SysWOW64\shell.exe C:\Users\Admin\AppData\Local\Temp\4800ebc1c35312b06f3e962f4aa715c9852b77415f495fb1d6b5ceb04658cc30.exe N/A
File opened for modification C:\Windows\SysWOW64\babon.scr C:\Windows\babon.exe N/A
File opened for modification C:\Windows\SysWOW64\babon.scr C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\shell.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
File created C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\babon.exe C:\Users\Admin\AppData\Local\Temp\4800ebc1c35312b06f3e962f4aa715c9852b77415f495fb1d6b5ceb04658cc30.exe N/A
File created C:\Windows\babon.exe C:\Users\Admin\AppData\Local\Temp\4800ebc1c35312b06f3e962f4aa715c9852b77415f495fb1d6b5ceb04658cc30.exe N/A
File opened for modification C:\Windows\babon.exe C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\babon.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
File created C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\babon.exe C:\Windows\babon.exe N/A
File created C:\Windows\babon.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\babon.exe C:\Windows\babon.exe N/A
File created C:\Windows\babon.exe C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\babon.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\babon.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened for modification C:\Windows\babon.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
File created C:\Windows\babon.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A

Enumerates physical storage devices

Modifies Control Panel

evasion
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\babon.SCR" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\International\s1159 = "Babon" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\International\s1159 = "Babon" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Mouse\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Mouse\SwapMouseButtons = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\International\ C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\International\s2359 = "Babon" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\International\s2359 = "Babon" C:\Users\Admin\AppData\Local\Temp\4800ebc1c35312b06f3e962f4aa715c9852b77415f495fb1d6b5ceb04658cc30.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Mouse\ C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\International\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\ C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\babon.SCR" C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" C:\Users\Admin\AppData\Local\Temp\4800ebc1c35312b06f3e962f4aa715c9852b77415f495fb1d6b5ceb04658cc30.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Mouse\SwapMouseButtons = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\babon.SCR" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Mouse\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\ C:\Users\Admin\AppData\Local\Temp\4800ebc1c35312b06f3e962f4aa715c9852b77415f495fb1d6b5ceb04658cc30.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\International\ C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\International\s2359 = "Babon" C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\International\s2359 = "Babon" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Mouse\SwapMouseButtons = "1" C:\Windows\babon.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Mouse\SwapMouseButtons = "1" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Mouse\SwapMouseButtons = "1" C:\Users\Admin\AppData\Local\Temp\4800ebc1c35312b06f3e962f4aa715c9852b77415f495fb1d6b5ceb04658cc30.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\International\ C:\Users\Admin\AppData\Local\Temp\4800ebc1c35312b06f3e962f4aa715c9852b77415f495fb1d6b5ceb04658cc30.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\International\s1159 = "Babon" C:\Windows\babon.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\babon.SCR" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\babon.SCR" C:\Users\Admin\AppData\Local\Temp\4800ebc1c35312b06f3e962f4aa715c9852b77415f495fb1d6b5ceb04658cc30.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" C:\Users\Admin\AppData\Local\Temp\4800ebc1c35312b06f3e962f4aa715c9852b77415f495fb1d6b5ceb04658cc30.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Mouse\SwapMouseButtons = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\International\s2359 = "Babon" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Mouse\ C:\Users\Admin\AppData\Local\Temp\4800ebc1c35312b06f3e962f4aa715c9852b77415f495fb1d6b5ceb04658cc30.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\International\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\babon.SCR" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\International\s1159 = "Babon" C:\Users\Admin\AppData\Local\Temp\4800ebc1c35312b06f3e962f4aa715c9852b77415f495fb1d6b5ceb04658cc30.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\ C:\Windows\babon.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Mouse\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\International\s1159 = "Babon" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\International\s2359 = "Babon" C:\Windows\babon.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Mouse\ C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\International\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\International\s1159 = "Babon" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" C:\Windows\babon.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.jasakom.com" C:\Windows\babon.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\ C:\Windows\babon.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\ C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\ C:\Users\Admin\AppData\Local\Temp\4800ebc1c35312b06f3e962f4aa715c9852b77415f495fb1d6b5ceb04658cc30.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.jasakom.com" C:\Users\Admin\AppData\Local\Temp\4800ebc1c35312b06f3e962f4aa715c9852b77415f495fb1d6b5ceb04658cc30.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Babon hates Norman..:P~~" C:\Users\Admin\AppData\Local\Temp\4800ebc1c35312b06f3e962f4aa715c9852b77415f495fb1d6b5ceb04658cc30.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Babon hates Norman..:P~~" C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.jasakom.com" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.jasakom.com" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Babon hates Norman..:P~~" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Babon hates Norman..:P~~" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Babon hates Norman..:P~~" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Babon hates Norman..:P~~" C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.jasakom.com" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.jasakom.com" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A

Modifies Internet Explorer start page

stealer
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.jasakom.com" C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.jasakom.com" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.jasakom.com" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.jasakom.com" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.jasakom.com" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.jasakom.com" C:\Users\Admin\AppData\Local\Temp\4800ebc1c35312b06f3e962f4aa715c9852b77415f495fb1d6b5ceb04658cc30.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\4800ebc1c35312b06f3e962f4aa715c9852b77415f495fb1d6b5ceb04658cc30.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\4800ebc1c35312b06f3e962f4aa715c9852b77415f495fb1d6b5ceb04658cc30.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\4800ebc1c35312b06f3e962f4aa715c9852b77415f495fb1d6b5ceb04658cc30.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\babon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\4800ebc1c35312b06f3e962f4aa715c9852b77415f495fb1d6b5ceb04658cc30.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Windows\babon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\babon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\4800ebc1c35312b06f3e962f4aa715c9852b77415f495fb1d6b5ceb04658cc30.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\4800ebc1c35312b06f3e962f4aa715c9852b77415f495fb1d6b5ceb04658cc30.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} C:\Users\Admin\AppData\Local\Temp\4800ebc1c35312b06f3e962f4aa715c9852b77415f495fb1d6b5ceb04658cc30.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile C:\Users\Admin\AppData\Local\Temp\4800ebc1c35312b06f3e962f4aa715c9852b77415f495fb1d6b5ceb04658cc30.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\AppData\Local\Temp\4800ebc1c35312b06f3e962f4aa715c9852b77415f495fb1d6b5ceb04658cc30.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF" C:\Windows\babon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open C:\Users\Admin\AppData\Local\Temp\4800ebc1c35312b06f3e962f4aa715c9852b77415f495fb1d6b5ceb04658cc30.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Windows\babon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell C:\Users\Admin\AppData\Local\Temp\4800ebc1c35312b06f3e962f4aa715c9852b77415f495fb1d6b5ceb04658cc30.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Windows\babon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
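
Read together, the "Drops file in System32/Windows directory" tables and the "Modifies Control Panel" / "Modifies registry class" tables above show one pattern: copies of the sample named csrss.exe, winlogon.exe and lsass.exe run from a user-writable "Local Settings\Application Data\WINDOWS" folder, drop babon.scr, shell.exe and IExplorer.exe into the system directory, then point SCRNSAVE.EXE and the exefile/comfile/batfile/piffile/lnkfile open handlers at those drops. Two details trip up a naive check: the sandbox records the 32-bit writes under C:\Windows\SysWOW64 while the registry values name C:\Windows\system32 (WOW64 redirection), and the report renders registry strings JSON-style with escaped quotes and doubled backslashes. The script below is an added example, not part of the sandbox output: it parses rows copied verbatim from the tables above, normalises both path forms, and flags masquerading writers, handlers that resolve to a dropped file, handlers outside System32, and the changed exefile type name. The stock-Windows defaults it assumes (a `"%1" %*` command for exefile/comfile/batfile/piffile, an exefile type name of "Application", no `lnkfile\shell\open\command` at all, core system images living under System32) are the author's assumptions, not something the report states.

```python
"""Correlate the sandbox's file-drop rows with its registry rows.

Added example for this report, not part of the sandbox output. The rows in
SAMPLE_EVENTS are copied from the tables above; the stock-Windows defaults
encoded in the rules below are assumptions about a clean install.
"""
from __future__ import annotations
import re

# Constructed sample: ten rows taken verbatim from the event tables above.
SAMPLE_EVENTS = r"""
File created C:\Windows\SysWOW64\babon.scr C:\Users\Admin\AppData\Local\Temp\4800ebc1c35312b06f3e962f4aa715c9852b77415f495fb1d6b5ceb04658cc30.exe N/A
File created C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
File opened for modification C:\Windows\SysWOW64\shell.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File created C:\Windows\babon.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\babon.SCR" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Mouse\SwapMouseButtons = "1" C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF" C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Windows\babon.exe N/A
"""

# Row shapes used by this report: "<description> <indicator> <process> N/A".
FILE_RE = re.compile(r'^File (created|opened for modification) (C:\\.+?) (C:\\.+) N/A$')
SET_RE = re.compile(r'^Set value \((?:str|int)\) (\\REGISTRY\\.+?) = "(.*)" (C:\\.+) N/A$')
KEY_RE = re.compile(r'^Key created (\\REGISTRY\\.+?) (C:\\.+) N/A$')

SYSTEM32 = "c:\\windows\\system32\\"
# Assumption: these names belong only to images under System32 on a clean host.
SYSTEM_PROCESS_NAMES = {"smss.exe", "csrss.exe", "winlogon.exe", "lsass.exe", "services.exe", "svchost.exe"}
# Assumption: stock shell\open\command for these classes is "%1" %*.
DIRECT_LAUNCH_CLASSES = {"exefile", "comfile", "batfile", "piffile"}


def norm(path: str) -> str:
    """Lower-case, collapse doubled backslashes and undo WOW64 redirection, so a
    32-bit write recorded under SysWOW64 matches the system32 path the sample
    writes into the registry (assumption: 32-bit sample on 64-bit Windows)."""
    p = path.replace("\\\\", "\\").lower().rstrip("\\")
    return p.replace("\\syswow64\\", "\\system32\\")


def unescape(value: str) -> str:
    """Undo the report's JSON-style escaping of quotes and backslashes."""
    return value.replace('\\"', '"').replace("\\\\", "\\")


def handler_exe(command: str) -> str:
    """First token of a verb command string, with surrounding quotes removed."""
    cmd = command.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def analyze(events: str) -> list[tuple[str, str]]:
    touched: set[str] = set()    # files the sample created or opened for writing
    writers: set[str] = set()    # images that did the writing
    registry: list[tuple[str, str | None]] = []
    for line in events.strip().splitlines():
        if (m := FILE_RE.match(line)):
            touched.add(norm(m.group(2)))
            writers.add(norm(m.group(3)))
        elif (m := SET_RE.match(line)):
            registry.append((norm(m.group(1)), unescape(m.group(2))))
        elif (m := KEY_RE.match(line)):
            registry.append((norm(m.group(1)), None))

    findings: list[tuple[str, str]] = []
    # Rule 1: a writer named like a core system binary but not running from System32.
    for image in sorted(writers):
        if image.rsplit("\\", 1)[-1] in SYSTEM_PROCESS_NAMES and not image.startswith(SYSTEM32):
            findings.append(("masquerading-system-process", image))

    for key, value in registry:
        if key.endswith("\\default"):          # the report renders a key's default value as "\Default"
            key = key[: -len("\\default")]
        cls = key.split("\\classes\\", 1)[1] if "\\classes\\" in key else ""
        klass = cls.split("\\")[0]
        # Rule 2: screensaver set to a file the sample itself dropped.
        if value is not None and key.endswith("\\scrnsave.exe") and norm(value) in touched:
            findings.append(("screensaver-points-at-dropped-file", value))
        # Rule 3: exefile's friendly type name changed (Explorer shows it next to the icon).
        if cls == "exefile" and value is not None and value != "Application":
            findings.append(("exefile-type-name-changed", value))
        # Rule 4: .lnk given an open command; stock Windows dispatches .lnk via a shell extension.
        if cls.startswith("lnkfile\\shell\\open"):
            findings.append(("lnkfile-open-handler-added", key))
        # Rules 5-7: inspect the executable named by any verb command.
        if value is not None and cls.endswith("\\command"):
            exe = norm(handler_exe(value))
            if klass in DIRECT_LAUNCH_CLASSES and exe != "%1":
                findings.append(("file-association-hijacked", f"{klass} -> {exe}"))
            if exe in touched:
                findings.append(("handler-is-dropped-file", exe))
            elif exe != "%1" and not exe.startswith(SYSTEM32):
                findings.append(("handler-outside-system32", exe))
    return findings


if __name__ == "__main__":
    for rule, detail in analyze(SAMPLE_EVENTS):
        print(f"{rule:36} {detail}")
```

Feed it the complete "Files" and registry tables rather than the ten-row excerpt to get the full picture for this sample. Two points from the output matter for clean-up: because every .exe, .com, .bat and .pif launch is routed through `C:\Windows\system32\shell.exe "%1" %*`, deleting the dropped shell.exe before restoring the `shell\open\command` values to `"%1" %*` leaves the host unable to start any executable, so fix the associations first; and the SysWOW64-to-system32 mapping in `norm()` is only right for a 32-bit sample on 64-bit Windows, which is what these rows show, so drop that line when reading events from a 32-bit host.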

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\4800ebc1c35312b06f3e962f4aa715c9852b77415f495fb1d6b5ceb04658cc30.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\4800ebc1c35312b06f3e962f4aa715c9852b77415f495fb1d6b5ceb04658cc30.exe N/A
N/A N/A C:\Windows\babon.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
N/A N/A C:\Windows\babon.exe N/A
N/A N/A C:\Windows\babon.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Windows\babon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Windows\babon.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
N/A N/A C:\Windows\babon.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1760 wrote to memory of 860 N/A C:\Users\Admin\AppData\Local\Temp\4800ebc1c35312b06f3e962f4aa715c9852b77415f495fb1d6b5ceb04658cc30.exe C:\Windows\babon.exe
PID 1760 wrote to memory of 860 N/A C:\Users\Admin\AppData\Local\Temp\4800ebc1c35312b06f3e962f4aa715c9852b77415f495fb1d6b5ceb04658cc30.exe C:\Windows\babon.exe
PID 1760 wrote to memory of 860 N/A C:\Users\Admin\AppData\Local\Temp\4800ebc1c35312b06f3e962f4aa715c9852b77415f495fb1d6b5ceb04658cc30.exe C:\Windows\babon.exe
PID 1760 wrote to memory of 860 N/A C:\Users\Admin\AppData\Local\Temp\4800ebc1c35312b06f3e962f4aa715c9852b77415f495fb1d6b5ceb04658cc30.exe C:\Windows\babon.exe
PID 1760 wrote to memory of 588 N/A C:\Users\Admin\AppData\Local\Temp\4800ebc1c35312b06f3e962f4aa715c9852b77415f495fb1d6b5ceb04658cc30.exe C:\Windows\SysWOW64\IExplorer.exe
PID 1760 wrote to memory of 588 N/A C:\Users\Admin\AppData\Local\Temp\4800ebc1c35312b06f3e962f4aa715c9852b77415f495fb1d6b5ceb04658cc30.exe C:\Windows\SysWOW64\IExplorer.exe
PID 1760 wrote to memory of 588 N/A C:\Users\Admin\AppData\Local\Temp\4800ebc1c35312b06f3e962f4aa715c9852b77415f495fb1d6b5ceb04658cc30.exe C:\Windows\SysWOW64\IExplorer.exe
PID 1760 wrote to memory of 588 N/A C:\Users\Admin\AppData\Local\Temp\4800ebc1c35312b06f3e962f4aa715c9852b77415f495fb1d6b5ceb04658cc30.exe C:\Windows\SysWOW64\IExplorer.exe
PID 1760 wrote to memory of 1684 N/A C:\Users\Admin\AppData\Local\Temp\4800ebc1c35312b06f3e962f4aa715c9852b77415f495fb1d6b5ceb04658cc30.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 1760 wrote to memory of 1684 N/A C:\Users\Admin\AppData\Local\Temp\4800ebc1c35312b06f3e962f4aa715c9852b77415f495fb1d6b5ceb04658cc30.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 1760 wrote to memory of 1684 N/A C:\Users\Admin\AppData\Local\Temp\4800ebc1c35312b06f3e962f4aa715c9852b77415f495fb1d6b5ceb04658cc30.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 1760 wrote to memory of 1684 N/A C:\Users\Admin\AppData\Local\Temp\4800ebc1c35312b06f3e962f4aa715c9852b77415f495fb1d6b5ceb04658cc30.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 1760 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\4800ebc1c35312b06f3e962f4aa715c9852b77415f495fb1d6b5ceb04658cc30.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe
PID 1760 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\4800ebc1c35312b06f3e962f4aa715c9852b77415f495fb1d6b5ceb04658cc30.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe
PID 1760 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\4800ebc1c35312b06f3e962f4aa715c9852b77415f495fb1d6b5ceb04658cc30.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe
PID 1760 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\4800ebc1c35312b06f3e962f4aa715c9852b77415f495fb1d6b5ceb04658cc30.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe
PID 1760 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\4800ebc1c35312b06f3e962f4aa715c9852b77415f495fb1d6b5ceb04658cc30.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe
PID 1760 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\4800ebc1c35312b06f3e962f4aa715c9852b77415f495fb1d6b5ceb04658cc30.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe
PID 1760 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\4800ebc1c35312b06f3e962f4aa715c9852b77415f495fb1d6b5ceb04658cc30.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe
PID 1760 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\4800ebc1c35312b06f3e962f4aa715c9852b77415f495fb1d6b5ceb04658cc30.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe
PID 860 wrote to memory of 1040 N/A C:\Windows\babon.exe C:\Windows\babon.exe
PID 860 wrote to memory of 1040 N/A C:\Windows\babon.exe C:\Windows\babon.exe
PID 860 wrote to memory of 1040 N/A C:\Windows\babon.exe C:\Windows\babon.exe
PID 860 wrote to memory of 1040 N/A C:\Windows\babon.exe C:\Windows\babon.exe
PID 588 wrote to memory of 528 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Windows\babon.exe
PID 588 wrote to memory of 528 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Windows\babon.exe
PID 588 wrote to memory of 528 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Windows\babon.exe
PID 588 wrote to memory of 528 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Windows\babon.exe
PID 860 wrote to memory of 656 N/A C:\Windows\babon.exe C:\Windows\SysWOW64\IExplorer.exe
PID 860 wrote to memory of 656 N/A C:\Windows\babon.exe C:\Windows\SysWOW64\IExplorer.exe
PID 860 wrote to memory of 656 N/A C:\Windows\babon.exe C:\Windows\SysWOW64\IExplorer.exe
PID 860 wrote to memory of 656 N/A C:\Windows\babon.exe C:\Windows\SysWOW64\IExplorer.exe
PID 588 wrote to memory of 436 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Windows\SysWOW64\IExplorer.exe
PID 588 wrote to memory of 436 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Windows\SysWOW64\IExplorer.exe
PID 588 wrote to memory of 436 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Windows\SysWOW64\IExplorer.exe
PID 588 wrote to memory of 436 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Windows\SysWOW64\IExplorer.exe
PID 1684 wrote to memory of 1916 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe C:\Windows\babon.exe
PID 1684 wrote to memory of 1916 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe C:\Windows\babon.exe
PID 1684 wrote to memory of 1916 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe C:\Windows\babon.exe
PID 1684 wrote to memory of 1916 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe C:\Windows\babon.exe
PID 860 wrote to memory of 880 N/A C:\Windows\babon.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 860 wrote to memory of 880 N/A C:\Windows\babon.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 860 wrote to memory of 880 N/A C:\Windows\babon.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 860 wrote to memory of 880 N/A C:\Windows\babon.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 860 wrote to memory of 1752 N/A C:\Windows\babon.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe
PID 860 wrote to memory of 1752 N/A C:\Windows\babon.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe
PID 860 wrote to memory of 1752 N/A C:\Windows\babon.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe
PID 860 wrote to memory of 1752 N/A C:\Windows\babon.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe
PID 1684 wrote to memory of 2768 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe C:\Windows\SysWOW64\IExplorer.exe
PID 1684 wrote to memory of 2768 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe C:\Windows\SysWOW64\IExplorer.exe
PID 1684 wrote to memory of 2768 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe C:\Windows\SysWOW64\IExplorer.exe
PID 1684 wrote to memory of 2768 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2648 wrote to memory of 868 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe C:\Windows\babon.exe
PID 2648 wrote to memory of 868 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe C:\Windows\babon.exe
PID 2648 wrote to memory of 868 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe C:\Windows\babon.exe
PID 2648 wrote to memory of 868 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe C:\Windows\babon.exe
PID 588 wrote to memory of 1964 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 588 wrote to memory of 1964 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 588 wrote to memory of 1964 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 588 wrote to memory of 1964 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 1684 wrote to memory of 2316 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 1684 wrote to memory of 2316 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 1684 wrote to memory of 2316 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 1684 wrote to memory of 2316 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\4800ebc1c35312b06f3e962f4aa715c9852b77415f495fb1d6b5ceb04658cc30.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Users\Admin\AppData\Local\Temp\4800ebc1c35312b06f3e962f4aa715c9852b77415f495fb1d6b5ceb04658cc30.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\babon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Windows\babon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\4800ebc1c35312b06f3e962f4aa715c9852b77415f495fb1d6b5ceb04658cc30.exe

"C:\Users\Admin\AppData\Local\Temp\4800ebc1c35312b06f3e962f4aa715c9852b77415f495fb1d6b5ceb04658cc30.exe"

C:\Windows\babon.exe

C:\Windows\babon.exe

C:\Windows\SysWOW64\IExplorer.exe

C:\Windows\system32\IExplorer.exe

C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"

C:\Windows\babon.exe

C:\Windows\babon.exe

C:\Windows\babon.exe

C:\Windows\babon.exe

C:\Windows\SysWOW64\IExplorer.exe

C:\Windows\system32\IExplorer.exe

C:\Windows\SysWOW64\IExplorer.exe

C:\Windows\system32\IExplorer.exe

C:\Windows\babon.exe

C:\Windows\babon.exe

C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"

C:\Windows\SysWOW64\IExplorer.exe

C:\Windows\system32\IExplorer.exe

C:\Windows\babon.exe

C:\Windows\babon.exe

C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"

C:\Windows\babon.exe

C:\Windows\babon.exe

C:\Windows\SysWOW64\IExplorer.exe

C:\Windows\system32\IExplorer.exe

C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"

C:\Windows\SysWOW64\IExplorer.exe

C:\Windows\system32\IExplorer.exe

C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"

Network

N/A

Files

C:\Users\Admin\AppData\Local\winlogon.exe

MD5 b5e2af14d8007f52b2509be41bf7a6be
SHA1 e5b3f57b582b658a7cb5d42a791ab785491ab0cc
SHA256 4800ebc1c35312b06f3e962f4aa715c9852b77415f495fb1d6b5ceb04658cc30
SHA512 245110ca663b8d9a973a03bb29b81a27633867487bebd407db9d9af4e2916f138c9b51f5778a054dc7f6eb7f07d5f1c3109a72faebc6f1205c3f1a78e65e56a1

C:\Windows\babon.exe

MD5 28f3b0186eb65bd4d973b2b8fd410bed
SHA1 7719544c4c81cb7fb8836baa1daf76db64d46e18
SHA256 dc06af3354699cdfa8210d38436737fe15c71152907e9c4da561ef195666d290
SHA512 ee9ff1a0ee14c8b5bc0a8510ca318c6b75eeee030d55adc782d8e10e7b509f16e75b462e817d7ee34c948d8925ad6417fda093ecc7e333fe4709b35ffedadb14

\Windows\SysWOW64\IExplorer.exe

MD5 f054e41daa078bd1a6350b49e06b0ba1
SHA1 af11a5a8949fe24ab2617d39431b592c27a2813b
SHA256 67e460a5db773d0461f63d7c3f4bfdd39f967edf5b4c513bad4ee1aa3348f369
SHA512 49daf6ec4b1bd5e3f8d3de904c77c6185e9da37c8164a5b64bc4405d84fe3ed7ca32c958d64e44091e80a7ee2e0c945b5d918d8bc5e02e2f576683e1b636e6ff

C:\Users\Admin\AppData\Local\WINDOWS\winlogon.exe

MD5 a28bb509b8a1afdc6cfc40bf18936c28
SHA1 535874577027cde9e7bd476f6f73d31ff87cf9ac
SHA256 2d23922456e4234a44efea3df537cd9ea8b41d7ab0ffed0fe82df6b598d4a6a5
SHA512 0434f7394ec9d0a617b54d7580fc4f5bfa9a68b2352975def5e9c0a3cd29d985cc28682f4e1b11ddf92e5b6108eb317df018a502e8fca8a65e3050911bbef929

C:\Users\Admin\AppData\Local\WINDOWS\csrss.exe

MD5 ddbed1007d2602cb435b2a974229b617
SHA1 b02e9e976cf6d5d86f84995e8473436a494f7a4f
SHA256 1637fae075ac6f31d10886ae5d0cf00e3a5356dac71b49bf9f32f9273ddababf
SHA512 d8b0e7f208ae4e227497a0e9f26621559fa9e1cbe8384046c9007235cceeb603f78b9a65fc7e9726a434b0458200e04c67d3db7621c71fe1d3bec7f76049264e

C:\Users\Admin\AppData\Local\WINDOWS\lsass.exe

MD5 34040b8293e5a3a83fa235840a3c4eb3
SHA1 c71555c31a1a6f3ba22951310fa7df9680cd78a1
SHA256 cde7cc9c17a96880a8c97462808fc6a226372c65793a4d974c8c1ce8ee683a75
SHA512 3a97317c397ad4afb03bdc380d74e16f068294c34948e241af63c72a48af41a1ba2d5b4699757a478c40818cd6fc739780aecbd936a4a0749ec978493e42ecb7

C:\Users\Admin\Local Settings\Application Data\WINDOWS\smss.exe

MD5 bf6e09abb3d526f68c45ca749391d0f1
SHA1 0abaf9162f944fca720766be7b1db316274368ca
SHA256 cd95a49ce07e95700ab4296e5f6fa3e51b815c311e6f94f95ab037254b1326f0
SHA512 2ab5241f633d3b196146ae26958712e4fdedf5411a0f79fed70ab12cf89f4f0dbc4f32f0e72e029aacbc66f743f978e13bd3937bbd52855d64d835b94bd47dec

C:\Windows\msvbvm60.dll

MD5 5343a19c618bc515ceb1695586c6c137
SHA1 4dedae8cbde066f31c8e6b52c0baa3f8b1117742
SHA256 2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce
SHA512 708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

C:\babon.exe

MD5 a8bb78103d89e0dac801adfd777d44de
SHA1 f65b4971cd2d4a966e1a87767f08dd0b64ba4bd0
SHA256 13bf397c1a586db9a08604159456514f7c375fe51a8eb10f2a65c4f873f0ef39
SHA512 350aef7b86dad07cc9b64c6ea1ffc8cb03d2782c79a78d087e9d24a4ee1f070da0b1ed7f39e28bb8b2689e84b108a3beedefe3e745f532d7c5c9b29f2d752c1b

C:\Windows\SysWOW64\shell.exe

MD5 f6b38a90fafcbd93de688df522d86b9a
SHA1 6c7a36fd5a85be9644b5a1c1ee7623a627e13ee6
SHA256 dd86fae410c7550f8a3bd7894c413e06f90d398fdd5f4872bb591a71c82e7071
SHA512 f57be6fa841bfbf7e839ed5f95518f0999b5bde29e073a8872162c9f9dbb928f63b79c91c6b4772c3feb5498f49bbcd0d7d0fa2e882c3628424ac0f8d88d4892

C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif

MD5 5711e586f74840def160e054ea6c1967
SHA1 c67e0939c5345df0b322f588450e1ab58ddfc372
SHA256 62796ae186bdb41e459322290c6b5441a995c60fe10d97ee4bd5344a2db85357
SHA512 224d92da9d9ccc49949e13415d0c87560cf29304caf0057e9e7750ab278d21f489ddf599e6abcb06dc146d29762c7e02477b54de594dd3223a094c7303c55ad8

C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif

MD5 ab6b6c7d35c980bf586000e8faee9f36
SHA1 c3cc2ca5543a901cb73408b944978ec5cfb3e7c7
SHA256 cf398ea7dae7b945ccdba1ff82e249842d4ada86810142f9dc2208b39bf23755
SHA512 a53c62154b5f9f0cb830e67c297e5b5ae62dbce382e1984de1d0ce793c1ce8c602f03e331f55df7beaaa758484a20c0e7c1a1e339b71c201fc4421bd64d3254f

F:\autorun.inf

MD5 097661e74e667ec2329bc274acb87b0d
SHA1 91c68a6089af2f61035e2e5f2a8da8c908dc93ed
SHA256 aab4cf640f2520966a0aac31af8d1b819eea28736c6b103db16b07c3188ec6c0
SHA512 e90e678526270cd9388538246793534411c478b082ab914bfe2756b18771229f146c731c0f9c94ed59d8689b2ef77d25f7b22d3d6b8c2d439e5b3437f8dc649e

C:\Users\Admin\Local Settings\Application Data\WINDOWS\smss.exe

MD5 fa71ef6dff550401808b919b7028a5b3
SHA1 489c17eaf2775d847c18ad0ea13bf8dedd765a7d
SHA256 aa3fc278ea60186006a9371043778f68881aaf22deb2f8d5fda884441c7c7764
SHA512 f06328c74c0757a4c9d1aa8fc828568a799025238fe09afafcc4123a51b609d840f1d56bd408dd640976c0eeb4c31f8bae5f281360b8ea4f9d2ac8644f65948c

C:\Users\Admin\Local Settings\Application Data\WINDOWS\smss.exe

MD5 d504477fd8daf93eaf1677780305ed19
SHA1 c90baa0585b9111bebcf7b69a529a2bb49af7bb6
SHA256 253227f3cda714b3b05d6f5d553249baebac532a48f56edc1be759b67674479a
SHA512 51772b845e5965d486a47556fee8806479c792812ea7c08dcfc4278963b0d7fc7388f9d9f13a010cd0f5d99dd2435c9c88720168ef0d399cd5644149aa6d940d

C:\wangsit.txt

MD5 8c460e27a1949370d14f20942ef964c3
SHA1 fb1f75839903c83911b45b49956792d27db56185
SHA256 2c001b5c9684baf861870ffbaf0bec9df22560cdf3cd5a719a78a882e3122f8d
SHA512 ad4299385bd91f7157f4d4b01025664333423f15f796a9a70e3f5df251842cdef3ad8f1158dc3c8b51c8ea4d082d62d56a6b57fade7b563fb953f8b511a17bcd

C:\Windows\SysWOW64\babon.scr

MD5 d8b07e328eb760b07876112dcd168c4e
SHA1 4ab787b0c1997d5015dea084c9800642f887ad6e
SHA256 07c1e1b04e15deb508e899b637511b069a5cf071c90962f3ffebeb7c9ac220c0
SHA512 604ca608dbe8285f82614461167925dcce26881d791a98c00468a4069b22d9a1ef6073279ddcd94fa48fc5c6ad83e25c61c5a6e8cf41c3ac3907877e20602185

C:\Users\Admin\Local Settings\Application Data\WINDOWS\smss.exe

MD5 65d417309883c4476a2754ec63d64589
SHA1 2e8eba4827975ba843621d12a94b0c2828274041
SHA256 c86aaaf4fe6e9dab1f8a7eee466d4799dde9a5ab0236e11e8f4f4bc4ad523e45
SHA512 4149e663bd36c80f78245276e84df89840b9cbd28bc2ed9959a8550cf7b7b30836eb2387f4adfef6df5b8c351a87050b6cb5af5baebb7ab580fe39d626194b3d

C:\Windows\SysWOW64\shell.exe

MD5 6e09d5595b60b18c11b10053988d4efa
SHA1 9ddb6afe1325c5364ae50f8790f6f438dc5d5950
SHA256 250081025633f68d8ab589ed665133924c3c609890d7394812a2707611a1116b
SHA512 a717e5444a09b8e15a2f7c7804e25c1191bbbadadf3c5ad1fef8503e506a11679d731a5d9356aafb2348b25dd833db0b461b65ae330698b5420da649ada5287e
