68f371a2212916672baa4d535d19620a6abf5ec7afc6ea400c854d34481bb4fe

Analysis

max time kernel
150s
max time network
118s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
14/06/2024, 22:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

68f371a2212916672baa4d535d19620a6abf5ec7afc6ea400c854d34481bb4fe.exe
Size

64KB
MD5

4f9dd562449c7964589a8047e57b7b9e
SHA1

5b9dc26e8bdc0b847f89aaa13c531653c4e082e2
SHA256

68f371a2212916672baa4d535d19620a6abf5ec7afc6ea400c854d34481bb4fe
SHA512

6a6183225350be29600768a353755c3cef8c82d34bf0c11d7329376f8ceb7bdce17e4be77e82de81a1c0f81c8cb7d9da9ae3ddcb6bc5a56da56f4d3a3ac6bc56
SSDEEP

1536:9a8jroAbRB+XWCQLZeIdSwkoa8jroAbRB+XWCQLw:LFRBLJSOFRBLw

Score

10^/10

aspackv2 evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 12 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	68f371a2212916672baa4d535d19620a6abf5ec7afc6ea400c854d34481bb4fe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	68f371a2212916672baa4d535d19620a6abf5ec7afc6ea400c854d34481bb4fe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	babon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	babon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	csrss.exe

Modifies visibility of file extensions in Explorer 2 TTPs 6 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	68f371a2212916672baa4d535d19620a6abf5ec7afc6ea400c854d34481bb4fe.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	babon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	IExplorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	csrss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	lsass.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 6 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	IExplorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	csrss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	lsass.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	68f371a2212916672baa4d535d19620a6abf5ec7afc6ea400c854d34481bb4fe.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	babon.exe

Detects executables packed with ASPack 64 IoCs

resource	yara_rule
behavioral1/memory/2196-0-0x0000000000400000-0x0000000000423000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/files/0x0007000000014aa2-8.dat	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/2196-99-0x0000000002500000-0x0000000002523000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/2776-105-0x0000000000400000-0x0000000000423000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/files/0x0007000000014b63-103.dat	INDICATOR_EXE_Packed_ASPack
behavioral1/files/0x0006000000015ceb-109.dat	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/2196-110-0x0000000002500000-0x0000000002523000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/files/0x0006000000015d28-121.dat	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/2196-123-0x0000000002500000-0x0000000002523000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/1484-130-0x0000000000400000-0x0000000000423000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/files/0x0006000000015d4a-133.dat	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/2196-135-0x0000000002500000-0x0000000002523000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/2660-143-0x0000000000400000-0x0000000000423000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/files/0x0006000000015d56-144.dat	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/2196-146-0x0000000002500000-0x0000000002523000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/2772-152-0x0000000000400000-0x0000000000423000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/2196-155-0x0000000000400000-0x0000000000423000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/files/0x0006000000015d5e-159.dat	INDICATOR_EXE_Packed_ASPack
behavioral1/files/0x0006000000015d07-167.dat	INDICATOR_EXE_Packed_ASPack
behavioral1/files/0x0008000000015ce1-165.dat	INDICATOR_EXE_Packed_ASPack
behavioral1/files/0x0007000000014baa-162.dat	INDICATOR_EXE_Packed_ASPack
behavioral1/files/0x000c000000014857-161.dat	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/2776-189-0x00000000025E0000-0x0000000002603000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/1568-190-0x0000000000400000-0x0000000000423000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/1568-198-0x0000000000400000-0x0000000000423000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/2632-200-0x0000000000400000-0x0000000000423000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/files/0x000c000000014857-203.dat	INDICATOR_EXE_Packed_ASPack
behavioral1/files/0x0007000000014baa-204.dat	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/2632-234-0x0000000000400000-0x0000000000423000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/652-235-0x0000000000400000-0x0000000000423000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/files/0x0006000000015d07-209.dat	INDICATOR_EXE_Packed_ASPack
behavioral1/files/0x0008000000015ce1-207.dat	INDICATOR_EXE_Packed_ASPack
behavioral1/files/0x000c000000014857-240.dat	INDICATOR_EXE_Packed_ASPack
behavioral1/files/0x0007000000014baa-274.dat	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/2776-247-0x00000000025E0000-0x0000000002603000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/1084-303-0x0000000000400000-0x0000000000423000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/2200-333-0x0000000000400000-0x0000000000423000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/652-320-0x0000000000400000-0x0000000000423000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/1468-301-0x0000000000400000-0x0000000000423000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/2864-327-0x0000000000400000-0x0000000000423000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/2200-338-0x0000000000400000-0x0000000000423000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/1596-396-0x0000000000400000-0x0000000000423000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/1484-395-0x0000000002630000-0x0000000002653000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/1596-401-0x0000000000400000-0x0000000000423000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/2260-407-0x0000000000400000-0x0000000000423000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/2488-392-0x0000000000400000-0x0000000000423000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/2076-408-0x0000000000400000-0x0000000000423000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/2788-405-0x0000000000400000-0x0000000000423000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/2076-422-0x0000000000400000-0x0000000000423000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/2380-432-0x0000000000400000-0x0000000000423000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/2652-433-0x0000000000400000-0x0000000000423000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/2736-452-0x0000000000400000-0x0000000000423000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/2040-456-0x0000000000400000-0x0000000000423000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/2736-450-0x0000000000400000-0x0000000000423000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/2652-445-0x0000000000400000-0x0000000000423000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/1540-443-0x0000000000400000-0x0000000000423000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/2916-442-0x0000000000400000-0x0000000000423000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/2916-434-0x0000000000400000-0x0000000000423000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/1540-447-0x0000000000400000-0x0000000000423000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/2824-430-0x0000000000400000-0x0000000000423000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/2380-428-0x0000000000400000-0x0000000000423000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/2824-425-0x0000000000400000-0x0000000000423000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/2572-418-0x0000000000400000-0x0000000000423000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/2260-416-0x0000000000400000-0x0000000000423000-memory.dmp	INDICATOR_EXE_Packed_ASPack

Disables RegEdit via registry modification 6 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	68f371a2212916672baa4d535d19620a6abf5ec7afc6ea400c854d34481bb4fe.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	babon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	IExplorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	csrss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	lsass.exe

Disables Task Manager via registry modification
evasion

Disables cmd.exe use via registry modification 6 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	68f371a2212916672baa4d535d19620a6abf5ec7afc6ea400c854d34481bb4fe.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	babon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	IExplorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	lsass.exe

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

ASPack v2.12-2.42 23 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x0007000000014aa2-8.dat	aspack_v212_v242
behavioral1/files/0x0007000000014b63-103.dat	aspack_v212_v242
behavioral1/files/0x0006000000015ceb-109.dat	aspack_v212_v242
behavioral1/files/0x0006000000015d28-121.dat	aspack_v212_v242
behavioral1/files/0x0006000000015d4a-133.dat	aspack_v212_v242
behavioral1/files/0x0006000000015d56-144.dat	aspack_v212_v242
behavioral1/files/0x0006000000015d5e-159.dat	aspack_v212_v242
behavioral1/files/0x0006000000015d07-167.dat	aspack_v212_v242
behavioral1/files/0x0008000000015ce1-165.dat	aspack_v212_v242
behavioral1/files/0x0007000000014baa-162.dat	aspack_v212_v242
behavioral1/files/0x000c000000014857-161.dat	aspack_v212_v242
behavioral1/memory/2776-189-0x00000000025E0000-0x0000000002603000-memory.dmp	aspack_v212_v242
behavioral1/files/0x000c000000014857-203.dat	aspack_v212_v242
behavioral1/files/0x0007000000014baa-204.dat	aspack_v212_v242
behavioral1/files/0x0006000000015d07-209.dat	aspack_v212_v242
behavioral1/files/0x0008000000015ce1-207.dat	aspack_v212_v242
behavioral1/files/0x000c000000014857-240.dat	aspack_v212_v242
behavioral1/files/0x0007000000014baa-274.dat	aspack_v212_v242
behavioral1/memory/2776-247-0x00000000025E0000-0x0000000002603000-memory.dmp	aspack_v212_v242
behavioral1/memory/1084-260-0x0000000000220000-0x0000000000230000-memory.dmp	aspack_v212_v242
behavioral1/files/0x0006000000015d07-249.dat	aspack_v212_v242
behavioral1/files/0x0008000000015ce1-244.dat	aspack_v212_v242
behavioral1/files/0x000c000000014857-273.dat	aspack_v212_v242

Executes dropped EXE 30 IoCs

pid	Process
2776	babon.exe
2956	IExplorer.exe
1484	winlogon.exe
2660	csrss.exe
2772	lsass.exe
1568	babon.exe
2632	IExplorer.exe
652	babon.exe
1084	winlogon.exe
1468	babon.exe
2864	csrss.exe
2220	babon.exe
2200	lsass.exe
2136	IExplorer.exe
2488	IExplorer.exe
2788	babon.exe
2572	IExplorer.exe
1596	winlogon.exe
2260	IExplorer.exe
2076	csrss.exe
2824	winlogon.exe
2380	winlogon.exe
2652	csrss.exe
2916	lsass.exe
1540	csrss.exe
2736	lsass.exe
2040	lsass.exe
1904	winlogon.exe
1384	csrss.exe
1976	lsass.exe

Loads dropped DLL 45 IoCs

pid	Process
2196	68f371a2212916672baa4d535d19620a6abf5ec7afc6ea400c854d34481bb4fe.exe
2196	68f371a2212916672baa4d535d19620a6abf5ec7afc6ea400c854d34481bb4fe.exe
2196	68f371a2212916672baa4d535d19620a6abf5ec7afc6ea400c854d34481bb4fe.exe
2196	68f371a2212916672baa4d535d19620a6abf5ec7afc6ea400c854d34481bb4fe.exe
2196	68f371a2212916672baa4d535d19620a6abf5ec7afc6ea400c854d34481bb4fe.exe
2196	68f371a2212916672baa4d535d19620a6abf5ec7afc6ea400c854d34481bb4fe.exe
2196	68f371a2212916672baa4d535d19620a6abf5ec7afc6ea400c854d34481bb4fe.exe
2196	68f371a2212916672baa4d535d19620a6abf5ec7afc6ea400c854d34481bb4fe.exe
2776	babon.exe
2776	babon.exe
2776	babon.exe
2776	babon.exe
2776	babon.exe
2776	babon.exe
2956	IExplorer.exe
2956	IExplorer.exe
2776	babon.exe
2776	babon.exe
1484	winlogon.exe
1484	winlogon.exe
2660	csrss.exe
2660	csrss.exe
1484	winlogon.exe
1484	winlogon.exe
1484	winlogon.exe
2772	lsass.exe
2772	lsass.exe
2660	csrss.exe
2660	csrss.exe
2772	lsass.exe
2772	lsass.exe
1484	winlogon.exe
1484	winlogon.exe
2772	lsass.exe
2660	csrss.exe
2772	lsass.exe
2772	lsass.exe
2660	csrss.exe
2660	csrss.exe
2956	IExplorer.exe
2956	IExplorer.exe
2956	IExplorer.exe
2956	IExplorer.exe
2956	IExplorer.exe
2956	IExplorer.exe

Modifies system executable filetype association 2 TTPs 64 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	68f371a2212916672baa4d535d19620a6abf5ec7afc6ea400c854d34481bb4fe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	babon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	68f371a2212916672baa4d535d19620a6abf5ec7afc6ea400c854d34481bb4fe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	babon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	babon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	68f371a2212916672baa4d535d19620a6abf5ec7afc6ea400c854d34481bb4fe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	babon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	68f371a2212916672baa4d535d19620a6abf5ec7afc6ea400c854d34481bb4fe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	babon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	68f371a2212916672baa4d535d19620a6abf5ec7afc6ea400c854d34481bb4fe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	babon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	68f371a2212916672baa4d535d19620a6abf5ec7afc6ea400c854d34481bb4fe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	babon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	68f371a2212916672baa4d535d19620a6abf5ec7afc6ea400c854d34481bb4fe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	68f371a2212916672baa4d535d19620a6abf5ec7afc6ea400c854d34481bb4fe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	babon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	68f371a2212916672baa4d535d19620a6abf5ec7afc6ea400c854d34481bb4fe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	babon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	babon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	68f371a2212916672baa4d535d19620a6abf5ec7afc6ea400c854d34481bb4fe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	68f371a2212916672baa4d535d19620a6abf5ec7afc6ea400c854d34481bb4fe.exe

Adds Run key to start application 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe"	csrss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\babon = "C:\\Windows\\babon"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\lsass.exe"	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\babon = "C:\\Windows\\babon"	babon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\lsass.exe"	babon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\babon = "C:\\Windows\\babon"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\lsass.exe"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\babon = "C:\\Windows\\babon"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\lsass.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\csrss.exe"	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe"	68f371a2212916672baa4d535d19620a6abf5ec7afc6ea400c854d34481bb4fe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\csrss.exe"	babon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\babon = "C:\\Windows\\babon"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\csrss.exe"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe"	babon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\csrss.exe"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\lsass.exe"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\csrss.exe"	csrss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe"	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\babon = "C:\\Windows\\babon"	68f371a2212916672baa4d535d19620a6abf5ec7afc6ea400c854d34481bb4fe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\csrss.exe"	68f371a2212916672baa4d535d19620a6abf5ec7afc6ea400c854d34481bb4fe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\lsass.exe"	68f371a2212916672baa4d535d19620a6abf5ec7afc6ea400c854d34481bb4fe.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	lsass.exe
File opened (read-only)	\??\K:	winlogon.exe
File opened (read-only)	\??\W:	lsass.exe
File opened (read-only)	\??\N:	IExplorer.exe
File opened (read-only)	\??\O:	babon.exe
File opened (read-only)	\??\B:	IExplorer.exe
File opened (read-only)	\??\T:	IExplorer.exe
File opened (read-only)	\??\W:	csrss.exe
File opened (read-only)	\??\S:	IExplorer.exe
File opened (read-only)	\??\T:	csrss.exe
File opened (read-only)	\??\M:	csrss.exe
File opened (read-only)	\??\L:	csrss.exe
File opened (read-only)	\??\K:	lsass.exe
File opened (read-only)	\??\W:	winlogon.exe
File opened (read-only)	\??\O:	lsass.exe
File opened (read-only)	\??\O:	csrss.exe
File opened (read-only)	\??\V:	csrss.exe
File opened (read-only)	\??\M:	winlogon.exe
File opened (read-only)	\??\R:	lsass.exe
File opened (read-only)	\??\E:	csrss.exe
File opened (read-only)	\??\J:	csrss.exe
File opened (read-only)	\??\R:	csrss.exe
File opened (read-only)	\??\J:	IExplorer.exe
File opened (read-only)	\??\B:	lsass.exe
File opened (read-only)	\??\M:	lsass.exe
File opened (read-only)	\??\P:	csrss.exe
File opened (read-only)	\??\Q:	csrss.exe
File opened (read-only)	\??\O:	IExplorer.exe
File opened (read-only)	\??\L:	winlogon.exe
File opened (read-only)	\??\U:	winlogon.exe
File opened (read-only)	\??\S:	csrss.exe
File opened (read-only)	\??\J:	babon.exe
File opened (read-only)	\??\Y:	lsass.exe
File opened (read-only)	\??\H:	IExplorer.exe
File opened (read-only)	\??\X:	IExplorer.exe
File opened (read-only)	\??\G:	winlogon.exe
File opened (read-only)	\??\G:	IExplorer.exe
File opened (read-only)	\??\R:	IExplorer.exe
File opened (read-only)	\??\Z:	IExplorer.exe
File opened (read-only)	\??\L:	babon.exe
File opened (read-only)	\??\L:	lsass.exe
File opened (read-only)	\??\W:	IExplorer.exe
File opened (read-only)	\??\M:	babon.exe
File opened (read-only)	\??\G:	csrss.exe
File opened (read-only)	\??\R:	winlogon.exe
File opened (read-only)	\??\V:	babon.exe
File opened (read-only)	\??\Z:	winlogon.exe
File opened (read-only)	\??\B:	csrss.exe
File opened (read-only)	\??\Y:	csrss.exe
File opened (read-only)	\??\K:	IExplorer.exe
File opened (read-only)	\??\T:	babon.exe
File opened (read-only)	\??\X:	lsass.exe
File opened (read-only)	\??\Z:	lsass.exe
File opened (read-only)	\??\K:	csrss.exe
File opened (read-only)	\??\N:	csrss.exe
File opened (read-only)	\??\G:	babon.exe
File opened (read-only)	\??\P:	lsass.exe
File opened (read-only)	\??\I:	babon.exe
File opened (read-only)	\??\X:	babon.exe
File opened (read-only)	\??\N:	babon.exe
File opened (read-only)	\??\E:	winlogon.exe
File opened (read-only)	\??\M:	IExplorer.exe
File opened (read-only)	\??\P:	winlogon.exe
File opened (read-only)	\??\O:	winlogon.exe

Modifies WinLogon 2 TTPs 18 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Please enjoy the Babon Entertainment ^_^"	babon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Please enjoy the Babon Entertainment ^_^"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Please enjoy the Babon Entertainment ^_^"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Please enjoy the Babon Entertainment ^_^"	68f371a2212916672baa4d535d19620a6abf5ec7afc6ea400c854d34481bb4fe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Welcome Friend"	68f371a2212916672baa4d535d19620a6abf5ec7afc6ea400c854d34481bb4fe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Welcome Friend"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Please enjoy the Babon Entertainment ^_^"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Welcome Friend"	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\	68f371a2212916672baa4d535d19620a6abf5ec7afc6ea400c854d34481bb4fe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Welcome Friend"	babon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Welcome Friend"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Welcome Friend"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Please enjoy the Babon Entertainment ^_^"	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\	babon.exe

Drops autorun.inf file 1 TTPs 4 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File created	C:\autorun.inf	babon.exe
File opened for modification	C:\autorun.inf	babon.exe
File created	F:\autorun.inf	babon.exe
File opened for modification	F:\autorun.inf	babon.exe

Drops file in System32 directory 38 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	68f371a2212916672baa4d535d19620a6abf5ec7afc6ea400c854d34481bb4fe.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	winlogon.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	lsass.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	lsass.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	68f371a2212916672baa4d535d19620a6abf5ec7afc6ea400c854d34481bb4fe.exe
File opened for modification	C:\Windows\SysWOW64\babon.scr	68f371a2212916672baa4d535d19620a6abf5ec7afc6ea400c854d34481bb4fe.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	csrss.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	csrss.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	lsass.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\SysWOW64\babon.scr	68f371a2212916672baa4d535d19620a6abf5ec7afc6ea400c854d34481bb4fe.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\babon.scr	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\babon.scr	babon.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	babon.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	babon.exe
File opened for modification	C:\Windows\SysWOW64\babon.scr	lsass.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	68f371a2212916672baa4d535d19620a6abf5ec7afc6ea400c854d34481bb4fe.exe
File opened for modification	C:\Windows\SysWOW64\babon.scr	IExplorer.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	csrss.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\SysWOW64\shell.exe	68f371a2212916672baa4d535d19620a6abf5ec7afc6ea400c854d34481bb4fe.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\babon.scr	csrss.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	babon.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	winlogon.exe

Drops file in Windows directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\babon.exe	csrss.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\babon.exe	IExplorer.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\babon.exe	csrss.exe
File created	C:\Windows\babon.exe	lsass.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\babon.exe	68f371a2212916672baa4d535d19620a6abf5ec7afc6ea400c854d34481bb4fe.exe
File opened for modification	C:\Windows\babon.exe	babon.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\babon.exe	winlogon.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\babon.exe	babon.exe
File opened for modification	C:\Windows\babon.exe	IExplorer.exe
File created	C:\Windows\babon.exe	winlogon.exe
File opened for modification	C:\Windows\babon.exe	lsass.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\babon.exe	68f371a2212916672baa4d535d19620a6abf5ec7afc6ea400c854d34481bb4fe.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Control Panel 54 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\babon.SCR"	babon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	IExplorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\International\	csrss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\babon.SCR"	68f371a2212916672baa4d535d19620a6abf5ec7afc6ea400c854d34481bb4fe.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\International\	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\International\s1159 = "Babon"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\babon.SCR"	csrss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	68f371a2212916672baa4d535d19620a6abf5ec7afc6ea400c854d34481bb4fe.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\International\	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	csrss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\International\s1159 = "Babon"	babon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\International\s2359 = "Babon"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	csrss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Mouse\SwapMouseButtons = "1"	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Desktop\	babon.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Desktop\	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Mouse\SwapMouseButtons = "1"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Desktop\	68f371a2212916672baa4d535d19620a6abf5ec7afc6ea400c854d34481bb4fe.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Mouse\	68f371a2212916672baa4d535d19620a6abf5ec7afc6ea400c854d34481bb4fe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	babon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Mouse\SwapMouseButtons = "1"	babon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\International\s1159 = "Babon"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Mouse\	csrss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Mouse\SwapMouseButtons = "1"	68f371a2212916672baa4d535d19620a6abf5ec7afc6ea400c854d34481bb4fe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	babon.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Desktop\	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\International\s1159 = "Babon"	csrss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\babon.SCR"	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\International\s2359 = "Babon"	68f371a2212916672baa4d535d19620a6abf5ec7afc6ea400c854d34481bb4fe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\International\s2359 = "Babon"	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Mouse\	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Desktop\	csrss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\International\s2359 = "Babon"	IExplorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\International\	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\International\	68f371a2212916672baa4d535d19620a6abf5ec7afc6ea400c854d34481bb4fe.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Mouse\	babon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\International\s1159 = "Babon"	68f371a2212916672baa4d535d19620a6abf5ec7afc6ea400c854d34481bb4fe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\International\s2359 = "Babon"	babon.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Mouse\	IExplorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Mouse\SwapMouseButtons = "1"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	68f371a2212916672baa4d535d19620a6abf5ec7afc6ea400c854d34481bb4fe.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\International\	babon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\International\s2359 = "Babon"	csrss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\International\s1159 = "Babon"	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\babon.SCR"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\babon.SCR"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Mouse\	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Desktop\	lsass.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Mouse\SwapMouseButtons = "1"	lsass.exe

Modifies Internet Explorer settings 1 TTPs 18 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.jasakom.com"	csrss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Babon hates Norman..:P~~"	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.jasakom.com"	68f371a2212916672baa4d535d19620a6abf5ec7afc6ea400c854d34481bb4fe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Babon hates Norman..:P~~"	68f371a2212916672baa4d535d19620a6abf5ec7afc6ea400c854d34481bb4fe.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\	babon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Babon hates Norman..:P~~"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Babon hates Norman..:P~~"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.jasakom.com"	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\	68f371a2212916672baa4d535d19620a6abf5ec7afc6ea400c854d34481bb4fe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Babon hates Norman..:P~~"	babon.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\	csrss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Babon hates Norman..:P~~"	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.jasakom.com"	babon.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.jasakom.com"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.jasakom.com"	winlogon.exe

Modifies Internet Explorer start page 1 TTPs 6 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.jasakom.com"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.jasakom.com"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.jasakom.com"	csrss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.jasakom.com"	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.jasakom.com"	68f371a2212916672baa4d535d19620a6abf5ec7afc6ea400c854d34481bb4fe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.jasakom.com"	babon.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF"	68f371a2212916672baa4d535d19620a6abf5ec7afc6ea400c854d34481bb4fe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF"	babon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile	68f371a2212916672baa4d535d19620a6abf5ec7afc6ea400c854d34481bb4fe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	68f371a2212916672baa4d535d19620a6abf5ec7afc6ea400c854d34481bb4fe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\	babon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	babon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	babon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	68f371a2212916672baa4d535d19620a6abf5ec7afc6ea400c854d34481bb4fe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	babon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	babon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	68f371a2212916672baa4d535d19620a6abf5ec7afc6ea400c854d34481bb4fe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	babon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	babon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	babon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	babon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	68f371a2212916672baa4d535d19620a6abf5ec7afc6ea400c854d34481bb4fe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	babon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	68f371a2212916672baa4d535d19620a6abf5ec7afc6ea400c854d34481bb4fe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	68f371a2212916672baa4d535d19620a6abf5ec7afc6ea400c854d34481bb4fe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	68f371a2212916672baa4d535d19620a6abf5ec7afc6ea400c854d34481bb4fe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	68f371a2212916672baa4d535d19620a6abf5ec7afc6ea400c854d34481bb4fe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	68f371a2212916672baa4d535d19620a6abf5ec7afc6ea400c854d34481bb4fe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	babon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}	68f371a2212916672baa4d535d19620a6abf5ec7afc6ea400c854d34481bb4fe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}	babon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	babon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	68f371a2212916672baa4d535d19620a6abf5ec7afc6ea400c854d34481bb4fe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}	68f371a2212916672baa4d535d19620a6abf5ec7afc6ea400c854d34481bb4fe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\	68f371a2212916672baa4d535d19620a6abf5ec7afc6ea400c854d34481bb4fe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}	winlogon.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
3000	Notepad.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2196	68f371a2212916672baa4d535d19620a6abf5ec7afc6ea400c854d34481bb4fe.exe

Suspicious behavior: GetForegroundWindowSpam 5 IoCs

pid	Process
2776	babon.exe
2660	csrss.exe
1484	winlogon.exe
2772	lsass.exe
2956	IExplorer.exe

Suspicious use of SetWindowsHookEx 31 IoCs

pid	Process
2196	68f371a2212916672baa4d535d19620a6abf5ec7afc6ea400c854d34481bb4fe.exe
2776	babon.exe
2956	IExplorer.exe
1484	winlogon.exe
2660	csrss.exe
2772	lsass.exe
1568	babon.exe
2632	IExplorer.exe
1084	winlogon.exe
652	babon.exe
1468	babon.exe
2864	csrss.exe
2200	lsass.exe
2220	babon.exe
2488	IExplorer.exe
1596	winlogon.exe
2788	babon.exe
2136	IExplorer.exe
2572	IExplorer.exe
2260	IExplorer.exe
2076	csrss.exe
2824	winlogon.exe
2380	winlogon.exe
2916	lsass.exe
2652	csrss.exe
1540	csrss.exe
2736	lsass.exe
2040	lsass.exe
1904	winlogon.exe
1384	csrss.exe
1976	lsass.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2196 wrote to memory of 2776	2196	68f371a2212916672baa4d535d19620a6abf5ec7afc6ea400c854d34481bb4fe.exe	28
PID 2196 wrote to memory of 2776	2196	68f371a2212916672baa4d535d19620a6abf5ec7afc6ea400c854d34481bb4fe.exe	28
PID 2196 wrote to memory of 2776	2196	68f371a2212916672baa4d535d19620a6abf5ec7afc6ea400c854d34481bb4fe.exe	28
PID 2196 wrote to memory of 2776	2196	68f371a2212916672baa4d535d19620a6abf5ec7afc6ea400c854d34481bb4fe.exe	28
PID 2776 wrote to memory of 3000	2776	babon.exe	29
PID 2776 wrote to memory of 3000	2776	babon.exe	29
PID 2776 wrote to memory of 3000	2776	babon.exe	29
PID 2776 wrote to memory of 3000	2776	babon.exe	29
PID 2196 wrote to memory of 2956	2196	68f371a2212916672baa4d535d19620a6abf5ec7afc6ea400c854d34481bb4fe.exe	30
PID 2196 wrote to memory of 2956	2196	68f371a2212916672baa4d535d19620a6abf5ec7afc6ea400c854d34481bb4fe.exe	30
PID 2196 wrote to memory of 2956	2196	68f371a2212916672baa4d535d19620a6abf5ec7afc6ea400c854d34481bb4fe.exe	30
PID 2196 wrote to memory of 2956	2196	68f371a2212916672baa4d535d19620a6abf5ec7afc6ea400c854d34481bb4fe.exe	30
PID 2196 wrote to memory of 1484	2196	68f371a2212916672baa4d535d19620a6abf5ec7afc6ea400c854d34481bb4fe.exe	31
PID 2196 wrote to memory of 1484	2196	68f371a2212916672baa4d535d19620a6abf5ec7afc6ea400c854d34481bb4fe.exe	31
PID 2196 wrote to memory of 1484	2196	68f371a2212916672baa4d535d19620a6abf5ec7afc6ea400c854d34481bb4fe.exe	31
PID 2196 wrote to memory of 1484	2196	68f371a2212916672baa4d535d19620a6abf5ec7afc6ea400c854d34481bb4fe.exe	31
PID 2196 wrote to memory of 2660	2196	68f371a2212916672baa4d535d19620a6abf5ec7afc6ea400c854d34481bb4fe.exe	32
PID 2196 wrote to memory of 2660	2196	68f371a2212916672baa4d535d19620a6abf5ec7afc6ea400c854d34481bb4fe.exe	32
PID 2196 wrote to memory of 2660	2196	68f371a2212916672baa4d535d19620a6abf5ec7afc6ea400c854d34481bb4fe.exe	32
PID 2196 wrote to memory of 2660	2196	68f371a2212916672baa4d535d19620a6abf5ec7afc6ea400c854d34481bb4fe.exe	32
PID 2196 wrote to memory of 2772	2196	68f371a2212916672baa4d535d19620a6abf5ec7afc6ea400c854d34481bb4fe.exe	33
PID 2196 wrote to memory of 2772	2196	68f371a2212916672baa4d535d19620a6abf5ec7afc6ea400c854d34481bb4fe.exe	33
PID 2196 wrote to memory of 2772	2196	68f371a2212916672baa4d535d19620a6abf5ec7afc6ea400c854d34481bb4fe.exe	33
PID 2196 wrote to memory of 2772	2196	68f371a2212916672baa4d535d19620a6abf5ec7afc6ea400c854d34481bb4fe.exe	33
PID 2776 wrote to memory of 1568	2776	babon.exe	34
PID 2776 wrote to memory of 1568	2776	babon.exe	34
PID 2776 wrote to memory of 1568	2776	babon.exe	34
PID 2776 wrote to memory of 1568	2776	babon.exe	34
PID 2776 wrote to memory of 2632	2776	babon.exe	35
PID 2776 wrote to memory of 2632	2776	babon.exe	35
PID 2776 wrote to memory of 2632	2776	babon.exe	35
PID 2776 wrote to memory of 2632	2776	babon.exe	35
PID 2956 wrote to memory of 652	2956	IExplorer.exe	36
PID 2956 wrote to memory of 652	2956	IExplorer.exe	36
PID 2956 wrote to memory of 652	2956	IExplorer.exe	36
PID 2956 wrote to memory of 652	2956	IExplorer.exe	36
PID 2776 wrote to memory of 1084	2776	babon.exe	37
PID 2776 wrote to memory of 1084	2776	babon.exe	37
PID 2776 wrote to memory of 1084	2776	babon.exe	37
PID 2776 wrote to memory of 1084	2776	babon.exe	37
PID 1484 wrote to memory of 1468	1484	winlogon.exe	38
PID 1484 wrote to memory of 1468	1484	winlogon.exe	38
PID 1484 wrote to memory of 1468	1484	winlogon.exe	38
PID 1484 wrote to memory of 1468	1484	winlogon.exe	38
PID 2776 wrote to memory of 2864	2776	babon.exe	40
PID 2776 wrote to memory of 2864	2776	babon.exe	40
PID 2776 wrote to memory of 2864	2776	babon.exe	40
PID 2776 wrote to memory of 2864	2776	babon.exe	40
PID 2660 wrote to memory of 2220	2660	csrss.exe	39
PID 2660 wrote to memory of 2220	2660	csrss.exe	39
PID 2660 wrote to memory of 2220	2660	csrss.exe	39
PID 2660 wrote to memory of 2220	2660	csrss.exe	39
PID 2956 wrote to memory of 2136	2956	IExplorer.exe	41
PID 2956 wrote to memory of 2136	2956	IExplorer.exe	41
PID 2956 wrote to memory of 2136	2956	IExplorer.exe	41
PID 2956 wrote to memory of 2136	2956	IExplorer.exe	41
PID 2776 wrote to memory of 2200	2776	babon.exe	42
PID 2776 wrote to memory of 2200	2776	babon.exe	42
PID 2776 wrote to memory of 2200	2776	babon.exe	42
PID 2776 wrote to memory of 2200	2776	babon.exe	42
PID 1484 wrote to memory of 2488	1484	winlogon.exe	43
PID 1484 wrote to memory of 2488	1484	winlogon.exe	43
PID 1484 wrote to memory of 2488	1484	winlogon.exe	43
PID 1484 wrote to memory of 2488	1484	winlogon.exe	43

System policy modification 1 TTPs 12 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	IExplorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	68f371a2212916672baa4d535d19620a6abf5ec7afc6ea400c854d34481bb4fe.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	68f371a2212916672baa4d535d19620a6abf5ec7afc6ea400c854d34481bb4fe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	babon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	babon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	IExplorer.exe

C:\Users\Admin\AppData\Local\Temp\68f371a2212916672baa4d535d19620a6abf5ec7afc6ea400c854d34481bb4fe.exe
"C:\Users\Admin\AppData\Local\Temp\68f371a2212916672baa4d535d19620a6abf5ec7afc6ea400c854d34481bb4fe.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2196
- C:\Windows\babon.exe
  C:\Windows\babon.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Disables cmd.exe use via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops autorun.inf file
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2776
- - C:\Windows\Notepad.exe
    Notepad.exe C:\wangsit.txt
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:3000
- - C:\Windows\babon.exe
    C:\Windows\babon.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1568
- - C:\Windows\SysWOW64\IExplorer.exe
    C:\Windows\system32\IExplorer.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    PID:2632
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1084
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2864
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2200
- C:\Windows\SysWOW64\IExplorer.exe
  C:\Windows\system32\IExplorer.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Disables cmd.exe use via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2956
- - C:\Windows\babon.exe
    C:\Windows\babon.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:652
- - C:\Windows\SysWOW64\IExplorer.exe
    C:\Windows\system32\IExplorer.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    PID:2136
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1904
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1384
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1976
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Disables cmd.exe use via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1484
- - C:\Windows\babon.exe
    C:\Windows\babon.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1468
- - C:\Windows\SysWOW64\IExplorer.exe
    C:\Windows\system32\IExplorer.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    PID:2488
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1596
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2076
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2916
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Disables cmd.exe use via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2660
- - C:\Windows\babon.exe
    C:\Windows\babon.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2220
- - C:\Windows\SysWOW64\IExplorer.exe
    C:\Windows\system32\IExplorer.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    PID:2572
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2380
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1540
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2040
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Disables cmd.exe use via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:2772
- - C:\Windows\babon.exe
    C:\Windows\babon.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2788
- - C:\Windows\SysWOW64\IExplorer.exe
    C:\Windows\system32\IExplorer.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    PID:2260
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2824
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2652
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\lsass.exe

Filesize
64KB

MD5
4f9dd562449c7964589a8047e57b7b9e

SHA1
5b9dc26e8bdc0b847f89aaa13c531653c4e082e2

SHA256
68f371a2212916672baa4d535d19620a6abf5ec7afc6ea400c854d34481bb4fe

SHA512
6a6183225350be29600768a353755c3cef8c82d34bf0c11d7329376f8ceb7bdce17e4be77e82de81a1c0f81c8cb7d9da9ae3ddcb6bc5a56da56f4d3a3ac6bc56

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\smss.exe

Filesize
64KB

MD5
277cf40e8e71f2101ab3620017f2f33e

SHA1
b3e4ce63aa540c11675539dcc0aae5b9ccc38351

SHA256
89bffcfb3fe1ad6d59d2722fc74d539d3a215b629a9fb4343e7ff36872ad65b7

SHA512
9f5f0d94a7b29b98dd627b89572162e62cbe75be61309c2592d426dc6472ce11ef8b6fe11711e853b5ec1c03f60e0c22b9d3df8d7ed6096f3454de1a6077c571

Download Submit
C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif

Filesize
64KB

MD5
6473ad18010b9b6c1126696b39d3d430

SHA1
c4a63ba06d9c236bb83071c762a1fc231b51785c

SHA256
923badad8257132c51c82fb06fb26a8afd21ec389f1e8978f0b405faf2b3905f

SHA512
1664b574d8eece7bcb6808016244d81d405b78fee67749e4ddcf5c0f1fd0b6b6f2023184e2069c281257e28be1644cf4dfd0ed5623e25e7f1359ec351976380e

Download Submit
C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif

Filesize
64KB

MD5
d25ccd2fdf77eb3fa1068ad69e780bcc

SHA1
3d339ddcae0cc25952293a698dc64e94f97cee74

SHA256
ccd45d1b28d8eaee8835f301e8438fe7de8e18494f6f2e6d41711b65f8492391

SHA512
0c9a715318b29cc0fd211a23cc7a34c13f9fe8253289feac8cccf0989747e34369192b6aef1939ef915694a1ba405bf454f8480ca0b52d2d69b3a03e1bb0e202

Download Submit
C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif

Filesize
64KB

MD5
19ab56036e71060f4afe159d951b59de

SHA1
fcb242c254c4cfcbc53794c0e811f485ba17a7a3

SHA256
96baabbb62440d0c2d37e6e70b19955ca8b67abc6dc6541a1adf2e5f34097073

SHA512
1a20ec2cffa1bf1954e9d6a48fe85ac6b766a5ea1dde7a68736d1c3d979e789a33e3096b07f7f6cf758bbac45a2d6cb41e067f8e2d3b7401ef9719b9a0750c3f

Download Submit
C:\Windows\SysWOW64\babon.scr

Filesize
64KB

MD5
d0b31f32ae5cd182b565df4df4c3b84b

SHA1
059997a29a67a2f28aae8e2a4537332632a82679

SHA256
73f15b7983c6518b7e3af4a92213b9dd3217df0283183e72df627649a6794f0c

SHA512
7d9f194ee995979d5ebf39bf45b14e326180b6c5d2e6b848080d52609d0414fb52ea31da2a38cbda03e4c6d93842fc4c23b2999a7ec522b1c6e1be2345cb1ce9

Download Submit
C:\Windows\SysWOW64\babon.scr

Filesize
64KB

MD5
e125119f5b916302f857c0685be6b510

SHA1
6e4382ff27180f01d9f639e01f09951f5c48a3cc

SHA256
11816fc5024afef78f6a6ad120bd18b383a8b233ab5d28611a4c71a17a2a0d0e

SHA512
3807801a0085642b13a3c5d0399639261d9e968734dc05756ee72bf3c6c026cc006fd0ef1e1e6432776d603a3c3ff9ea7286f7a120749f12c894cc89efa0200f

Download Submit
C:\Windows\SysWOW64\babon.scr

Filesize
64KB

MD5
2bb7553a25015b59926796d020ffad5e

SHA1
9c309ea7e3af8749aa9b0fcfa308d280cdf95421

SHA256
338b6a3d9645b20881102c52b1dbaa3d1bf97d5fcb7d8c05f64ec1b0f5b5b6a6

SHA512
facf7cb55404f0b330e112087fb3296967b0d37a4734874c0dc8f671505694b01764e3bf46b1ecd6d66b61541c0fb52a381bf4a10ad6c217935884b8101ae8c8

Download Submit
C:\Windows\SysWOW64\shell.exe

Filesize
64KB

MD5
4051225cb7e67520a95e3506f2185250

SHA1
6e7642bf77e990a1656559551baa577da7e036a6

SHA256
e101a65982f161987061281d1dad28a951215c2ab2ff24912af337bc87d71541

SHA512
1094720cd25479182992d83e7e18423378bd3bbc5a8eb6d08797b690aef454c53ed9d50578e4f045710d047f49a7aabaf6377d16f1a9d6ed3c5f622f0c7d4d92

Download Submit
C:\Windows\SysWOW64\shell.exe

Filesize
64KB

MD5
505f934504c5e3ff9091f60076c8ed22

SHA1
103e924a89e7fdb02f6fdfbfc36bee627c47fb55

SHA256
38ec95267e366c148b65e8d792d316d82c7a99b31dbbd573a82f95a2341a0d11

SHA512
55a7c30ad3697f487d6a00e4e5858ae0a789d9c40a36916a7d06b7c7ec888fb1ec9d742d4d89a6619821a733bf2c9cffbc71bc6fcd71d53b4819d4784a101345

Download Submit
C:\Windows\SysWOW64\shell.exe

Filesize
64KB

MD5
a70cc9d6444ed8e134ebd5fb88fce7d8

SHA1
042a0cc56147a580c8cce4f454d31edddea4c009

SHA256
25bcaa91a58c9027cf8afba8ef303be177579c18a1944f9660afeeade5465c16

SHA512
730ee252a4325b714d6d45291a9aadeb78ccd41245b92aba14e58839e78db14aa07daaa982fbec3f492e67efbe17531f9279ee5d3fdd20320164043d88b3cc85

Download Submit
C:\Windows\babon.exe

Filesize
64KB

MD5
2deb902a33afbcf4952d3118abb7ec18

SHA1
58069684979b0435a6d4cd3b282304dec13dfc7f

SHA256
801febaa097520489f2b81140f6d93b9f0b2a7b28f35860f2ac271d72db4398e

SHA512
8dde6893b8f49c8a750f50e5cf08befa370123afdafe6220e83744b79fcb96c3de28a834324e92477cd1e48a38cb40df0c54eb9339834b51bf1cee1403d213ae

Download Submit
C:\Windows\msvbvm60.dll

Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
C:\babon.exe

Filesize
64KB

MD5
1c07b738b226b750c8fc4000676f403d

SHA1
fc171feb819020c368dad1eeb31ead6802423697

SHA256
bc1cee4bd4560df858221403f4debe0f05f614790320671d6aafcd6bd76c7f09

SHA512
9644d48736046fb48e476d275ade00798d7cfe2b37ed33dde2240a37347fbb90bd2f9152918cf39edffebb0792a89300ea1616398a168b570b01ef4b19599e3c

Download Submit
C:\babon.exe

Filesize
64KB

MD5
444a5dcf07a1f84e0454a12dd5906f99

SHA1
806d0f5339fe11ed82d967eb46c727e8b6ed92c6

SHA256
8f5bb5ffa28377d9feb7c73fd33c7c3c5c0349baddc003da432e873f3368e336

SHA512
c0ceeef01ffc43f054d636f43d7145ba42525172efc54441afe8b9bcabf9e5bccf4f1ca56e91a89aaf7bb2bcc30b742546334abbb5d24057b61cd2bfafcedf6c

Download Submit
C:\babon.exe

Filesize
64KB

MD5
2b689189f03aaf18cb8fcd03db8bc47c

SHA1
2fdda333c98272899b16684effeae68f26777bed

SHA256
09ad3bbbd109b5e612edd954488ba13ba56485ad09766c068a516360285e20d8

SHA512
d4b112ae42ed388beea9a035775a3da326ab6cb200719c08a45ab95b20b73c3eeaaa042b3dd04711361a017c2f39b504bab84a8266bdefff829d03a2ccb3ab92

Download Submit
C:\babon.exe

Filesize
64KB

MD5
14defeca640f32cf0a677bebb8d5e199

SHA1
ab1bdee9dac752f03fe27864466e90805a1a0982

SHA256
1197a4d0f319a688b05616440c9afc39179e43468ba6c2549930c11478a9a0e8

SHA512
271a45ba6c791d54fa4bee9cba1ff757a0ff99f3bf6f75751bd03d40c47e3822514092a561ebc3154b54512bbe499a0500e5276365f778cedb92ed3d3d21d769

Download Submit
C:\wangsit.txt

Filesize
416B

MD5
8c460e27a1949370d14f20942ef964c3

SHA1
fb1f75839903c83911b45b49956792d27db56185

SHA256
2c001b5c9684baf861870ffbaf0bec9df22560cdf3cd5a719a78a882e3122f8d

SHA512
ad4299385bd91f7157f4d4b01025664333423f15f796a9a70e3f5df251842cdef3ad8f1158dc3c8b51c8ea4d082d62d56a6b57fade7b563fb953f8b511a17bcd

Download Submit
F:\autorun.inf

Filesize
41B

MD5
097661e74e667ec2329bc274acb87b0d

SHA1
91c68a6089af2f61035e2e5f2a8da8c908dc93ed

SHA256
aab4cf640f2520966a0aac31af8d1b819eea28736c6b103db16b07c3188ec6c0

SHA512
e90e678526270cd9388538246793534411c478b082ab914bfe2756b18771229f146c731c0f9c94ed59d8689b2ef77d25f7b22d3d6b8c2d439e5b3437f8dc649e

Download Submit
\Users\Admin\AppData\Local\WINDOWS\csrss.exe

Filesize
64KB

MD5
bada27b1d4209ce7176154f3af3087ec

SHA1
1bee9cde2d152416aca045b332c5188c46d41612

SHA256
b350e277806228284f02379658b0cc9549db9b1036bfb3ddeb746b6a9ebf6add

SHA512
97dcda650cf014827123408fc1b6a0288a40bf2f625e2c5fd4d0f5ee9288074b93848d674df81d3fcbf0818fe099357f08572fff804022f0127c4b6244e469eb

Download Submit
\Users\Admin\AppData\Local\WINDOWS\lsass.exe

Filesize
64KB

MD5
c554904055a65999dbb6f16767e933ee

SHA1
3ee4f7034ca3b7a7a5f4d40d7cea0dd86b664a19

SHA256
c2b0e7e006ae8ab5c05398df904af298d6494708c6e4b63c23dc9ef315eb2a8a

SHA512
86c6dacd23f1a59e18e9d161c34cbe695db8de665b147fbd836ce3fd2a336829541391ab9b67bdeafe31cb67aab1e017315b4ec68b8859367b86c5d62f04b3bf

Download Submit
\Users\Admin\AppData\Local\WINDOWS\winlogon.exe

Filesize
64KB

MD5
8292e0f684245c852b4ec6692a8dda09

SHA1
6196231f39874f9f6b2db2ad586acc62dc6ccd88

SHA256
b2cf8bf13adadf4095e362ca5e8ed4428c1916f82a12ad239352fe9651bea292

SHA512
681cfa40c1b648d20a9ee709de2930372a30db4ea973d84e25ca706d933c3d33553cdc8bb801d249a3b9c2d60cb6e98829b2c936a0c71bcdbf6e7913b328d803

Download Submit
\Windows\SysWOW64\IExplorer.exe

Filesize
64KB

MD5
8de23bacf9617bfa434390a6f92954d8

SHA1
c02c2681cf12d7b79266fac634f6ce2bdb90176d

SHA256
def20d37ef00e527e9b745a7ecb68f55002209a243609b3e63a52a521fbc699c

SHA512
b0dce325818ecff73e4e811ad0261e89536e536199f471d935664215aa4809ae37fd90b9317b8f42f285b9706ae6313a5c2ae533f7f0e735210363a30ff11b64

Download Submit
memory/652-320-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/652-319-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/652-235-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1084-303-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1084-256-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/1084-248-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1084-260-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/1384-468-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1384-464-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1468-301-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1468-322-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/1468-323-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1484-475-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1484-395-0x0000000002630000-0x0000000002653000-memory.dmp

Filesize
140KB

Download
memory/1484-271-0x0000000002630000-0x0000000002653000-memory.dmp

Filesize
140KB

Download
memory/1484-537-0x0000000002630000-0x0000000002653000-memory.dmp

Filesize
140KB

Download
memory/1484-539-0x0000000002630000-0x0000000002653000-memory.dmp

Filesize
140KB

Download
memory/1484-402-0x0000000002630000-0x0000000002653000-memory.dmp

Filesize
140KB

Download
memory/1484-130-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1540-447-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1540-443-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1568-197-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/1568-190-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1568-198-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1596-401-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1596-396-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1904-463-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1976-471-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2040-456-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2076-422-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2076-408-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2136-458-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2196-129-0x0000000002500000-0x0000000002523000-memory.dmp

Filesize
140KB

Download
memory/2196-123-0x0000000002500000-0x0000000002523000-memory.dmp

Filesize
140KB

Download
memory/2196-110-0x0000000002500000-0x0000000002523000-memory.dmp

Filesize
140KB

Download
memory/2196-135-0x0000000002500000-0x0000000002523000-memory.dmp

Filesize
140KB

Download
memory/2196-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2196-146-0x0000000002500000-0x0000000002523000-memory.dmp

Filesize
140KB

Download
memory/2196-99-0x0000000002500000-0x0000000002523000-memory.dmp

Filesize
140KB

Download
memory/2196-155-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2196-104-0x0000000002500000-0x0000000002523000-memory.dmp

Filesize
140KB

Download
memory/2200-333-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2200-338-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2220-386-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/2220-387-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2260-407-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2260-416-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2380-432-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2380-427-0x00000000001B0000-0x00000000001C0000-memory.dmp

Filesize
64KB

Download
memory/2380-428-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2488-392-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2488-388-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/2488-389-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/2572-390-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2572-418-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2632-200-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2632-234-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2652-433-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2652-445-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2660-300-0x0000000002640000-0x0000000002663000-memory.dmp

Filesize
140KB

Download
memory/2660-476-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2660-419-0x0000000002640000-0x0000000002663000-memory.dmp

Filesize
140KB

Download
memory/2660-538-0x0000000002640000-0x0000000002663000-memory.dmp

Filesize
140KB

Download
memory/2660-143-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2736-450-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2736-448-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/2736-452-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2736-449-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/2772-381-0x0000000001DF0000-0x0000000001E13000-memory.dmp

Filesize
140KB

Download
memory/2772-380-0x0000000001DF0000-0x0000000001E13000-memory.dmp

Filesize
140KB

Download
memory/2772-552-0x0000000001DF0000-0x0000000001E13000-memory.dmp

Filesize
140KB

Download
memory/2772-551-0x0000000001DF0000-0x0000000001E13000-memory.dmp

Filesize
140KB

Download
memory/2772-152-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2772-420-0x0000000001DF0000-0x0000000001E13000-memory.dmp

Filesize
140KB

Download
memory/2772-477-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2772-406-0x0000000001DF0000-0x0000000001E13000-memory.dmp

Filesize
140KB

Download
memory/2776-531-0x00000000025E0000-0x0000000002603000-memory.dmp

Filesize
140KB

Download
memory/2776-105-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2776-307-0x00000000025E0000-0x0000000002603000-memory.dmp

Filesize
140KB

Download
memory/2776-530-0x00000000025E0000-0x0000000002603000-memory.dmp

Filesize
140KB

Download
memory/2776-247-0x00000000025E0000-0x0000000002603000-memory.dmp

Filesize
140KB

Download
memory/2776-237-0x00000000025E0000-0x0000000002603000-memory.dmp

Filesize
140KB

Download
memory/2776-526-0x00000000025E0000-0x0000000002603000-memory.dmp

Filesize
140KB

Download
memory/2776-523-0x00000000025E0000-0x0000000002603000-memory.dmp

Filesize
140KB

Download
memory/2776-201-0x00000000025E0000-0x0000000002603000-memory.dmp

Filesize
140KB

Download
memory/2776-194-0x00000000025E0000-0x0000000002603000-memory.dmp

Filesize
140KB

Download
memory/2776-189-0x00000000025E0000-0x0000000002603000-memory.dmp

Filesize
140KB

Download
memory/2776-473-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2776-545-0x00000000025E0000-0x0000000002603000-memory.dmp

Filesize
140KB

Download
memory/2788-405-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2788-404-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/2824-430-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2824-425-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2864-327-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2864-308-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2916-434-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2916-442-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2956-474-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2956-229-0x00000000027B0000-0x00000000027D3000-memory.dmp

Filesize
140KB

Download
memory/2956-459-0x00000000027B0000-0x00000000027D3000-memory.dmp

Filesize
140KB

Download
memory/2956-324-0x00000000027B0000-0x00000000027D3000-memory.dmp

Filesize
140KB

Download
memory/2956-325-0x00000000027B0000-0x00000000027D3000-memory.dmp

Filesize
140KB

Download