Analysis
-
max time kernel
110s -
max time network
51s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
17-06-2024 02:54
General
-
Target
d8c2a82c7d77e8b1dd9b831cc461d075d900153daa9682a5ffc480130f96dc12.exe
-
Size
147KB
-
MD5
c5a3588560d77a3db1da483df905b7d1
-
SHA1
212fa66e44e2997552e88b492323d38f2f3f7ec6
-
SHA256
d8c2a82c7d77e8b1dd9b831cc461d075d900153daa9682a5ffc480130f96dc12
-
SHA512
046cf927424efb05a54160fe7de46faf81f5f153186a15148a8241cc06de946f138d90cf884b7145a1e64787b9f5429ce7231de3299770edab4bcf41946ae212
-
SSDEEP
1536:oWwaMcKOER0m9mwWjAggupnhycpDnq+5h/tDSZ15WwdAx:pzKR0xwW0WnhFpDRzSZaCAx
Score
10/10
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 64 IoCs
-
Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 64 IoCs
-
Detects executables packed with MEW 22 IoCs
-
Disables RegEdit via registry modification 64 IoCs
-
Disables Task Manager via registry modification
-
Disables cmd.exe use via registry modification 64 IoCs
-
Disables use of System Restore points 1 TTPs
-
Executes dropped EXE 64 IoCs
-
Loads dropped DLL 64 IoCs
-
Modifies system executable filetype association 2 TTPs 64 IoCs
-
Adds Run key to start application 2 TTPs 64 IoCs
-
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Modifies WinLogon 2 TTPs 64 IoCs
-
Drops autorun.inf file 1 TTPs 4 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
-
Drops file in System32 directory 64 IoCs
-
Drops file in Windows directory 64 IoCs
-
Program crash 64 IoCs
-
Modifies Control Panel 64 IoCs
-
Modifies Internet Explorer settings 1 TTPs 64 IoCs
-
Modifies Internet Explorer start page 1 TTPs 64 IoCs
-
Modifies registry class 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of SetWindowsHookEx 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\d8c2a82c7d77e8b1dd9b831cc461d075d900153daa9682a5ffc480130f96dc12.exe"C:\Users\Admin\AppData\Local\Temp\d8c2a82c7d77e8b1dd9b831cc461d075d900153daa9682a5ffc480130f96dc12.exe"1⤵
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Modifies system executable filetype association
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\babon.exeC:\Windows\babon.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Modifies Control Panel
- Modifies Internet Explorer start page
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\babon.exeC:\Windows\babon.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe3⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3700 -s 7843⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"4⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
-
-
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe2⤵
- Executes dropped EXE
- Drops autorun.inf file
- Modifies Control Panel
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\babon.exeC:\Windows\babon.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2424 -s 7363⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"4⤵
- Executes dropped EXE
- Modifies WinLogon
- Suspicious use of SetWindowsHookEx
-
C:\Windows\babon.exeC:\Windows\babon.exe5⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Suspicious use of SetWindowsHookEx
-
C:\Windows\babon.exeC:\Windows\babon.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3604 -s 7046⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
-
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"5⤵
- Modifies WinLogon for persistence
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Windows\babon.exeC:\Windows\babon.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4228 -s 7366⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"5⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Modifies Control Panel
- Suspicious use of SetWindowsHookEx
-
C:\Windows\babon.exeC:\Windows\babon.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1680 -s 7566⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"7⤵
- Loads dropped DLL
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"7⤵
- Loads dropped DLL
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"5⤵
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Windows\babon.exeC:\Windows\babon.exe6⤵
- Loads dropped DLL
- Drops file in Windows directory
-
C:\Windows\babon.exeC:\Windows\babon.exe7⤵
- Loads dropped DLL
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe7⤵
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Modifies WinLogon
- Modifies Control Panel
-
C:\Windows\babon.exeC:\Windows\babon.exe8⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe8⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"8⤵
- Modifies visiblity of hidden/system files in Explorer
- System policy modification
-
C:\Windows\babon.exeC:\Windows\babon.exe9⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe9⤵
- Modifies visibility of file extensions in Explorer
- Adds Run key to start application
- Enumerates connected drives
- Drops file in Windows directory
- Modifies Internet Explorer settings
- System policy modification
-
C:\Windows\babon.exeC:\Windows\babon.exe10⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe10⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"10⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Modifies Internet Explorer start page
- Modifies registry class
-
C:\Windows\babon.exeC:\Windows\babon.exe11⤵
- Modifies WinLogon for persistence
- Disables RegEdit via registry modification
- System policy modification
-
C:\Windows\babon.exeC:\Windows\babon.exe12⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe12⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"12⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"12⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"12⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4852 -s 70812⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"13⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"13⤵
-
-
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe11⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Modifies system executable filetype association
- System policy modification
-
C:\Windows\babon.exeC:\Windows\babon.exe12⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe12⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"12⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"12⤵
- Modifies WinLogon for persistence
- Enumerates connected drives
- System policy modification
-
C:\Windows\babon.exeC:\Windows\babon.exe13⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe13⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"13⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"13⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"13⤵
- Modifies visiblity of hidden/system files in Explorer
- Adds Run key to start application
- System policy modification
-
C:\Windows\babon.exeC:\Windows\babon.exe14⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe14⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"14⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"14⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"14⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3152 -s 74414⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"15⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"15⤵
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2948 -s 70413⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"14⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"14⤵
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"12⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1604 -s 73612⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"13⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"13⤵
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"11⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"11⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"11⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1908 -s 76011⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"12⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- Modifies WinLogon
- Modifies Internet Explorer settings
-
C:\Windows\babon.exeC:\Windows\babon.exe13⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe13⤵
- Modifies visiblity of hidden/system files in Explorer
- Disables cmd.exe use via registry modification
-
C:\Windows\babon.exeC:\Windows\babon.exe14⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe14⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"14⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"14⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables cmd.exe use via registry modification
- Modifies Internet Explorer settings
-
C:\Windows\babon.exeC:\Windows\babon.exe15⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe15⤵
- Drops file in System32 directory
- Modifies Internet Explorer settings
-
C:\Windows\babon.exeC:\Windows\babon.exe16⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe16⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"16⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"16⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"16⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4876 -s 70416⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"17⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"17⤵
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"15⤵
- Modifies WinLogon for persistence
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
-
C:\Windows\babon.exeC:\Windows\babon.exe16⤵
- Modifies visiblity of hidden/system files in Explorer
- Disables cmd.exe use via registry modification
- Adds Run key to start application
- Drops file in Windows directory
- Modifies Internet Explorer settings
- System policy modification
-
C:\Windows\babon.exeC:\Windows\babon.exe17⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe17⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"17⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"17⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"17⤵
- Modifies WinLogon for persistence
- Disables cmd.exe use via registry modification
- Modifies WinLogon
- Drops file in Windows directory
- Modifies Internet Explorer settings
-
C:\Windows\babon.exeC:\Windows\babon.exe18⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe18⤵
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Adds Run key to start application
- Drops file in Windows directory
-
C:\Windows\babon.exeC:\Windows\babon.exe19⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe19⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"19⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"19⤵
- Disables cmd.exe use via registry modification
- Modifies Control Panel
- Modifies registry class
-
C:\Windows\babon.exeC:\Windows\babon.exe20⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe20⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"20⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables cmd.exe use via registry modification
- Adds Run key to start application
- Modifies Internet Explorer start page
- System policy modification
-
C:\Windows\babon.exeC:\Windows\babon.exe21⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe21⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"21⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"21⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"21⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1556 -s 62821⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"22⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"22⤵
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"20⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"20⤵
- Modifies system executable filetype association
- Modifies Internet Explorer start page
- Modifies registry class
- System policy modification
-
C:\Windows\babon.exeC:\Windows\babon.exe21⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe21⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"21⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"21⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"21⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4724 -s 72821⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"22⤵
- Modifies WinLogon for persistence
- Enumerates connected drives
-
C:\Windows\babon.exeC:\Windows\babon.exe23⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe23⤵
- Enumerates connected drives
-
C:\Windows\babon.exeC:\Windows\babon.exe24⤵
- Modifies WinLogon for persistence
- Modifies Internet Explorer start page
- Modifies registry class
-
C:\Windows\babon.exeC:\Windows\babon.exe25⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe25⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"25⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"25⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- Adds Run key to start application
- Drops file in System32 directory
- Modifies Internet Explorer settings
-
C:\Windows\babon.exeC:\Windows\babon.exe26⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe26⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"26⤵
- Modifies visiblity of hidden/system files in Explorer
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Modifies Internet Explorer settings
-
C:\Windows\babon.exeC:\Windows\babon.exe27⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe27⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"27⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"27⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"27⤵
- Drops file in System32 directory
-
C:\Windows\babon.exeC:\Windows\babon.exe28⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe28⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"28⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"28⤵
- Modifies visibility of file extensions in Explorer
- Disables cmd.exe use via registry modification
- Modifies system executable filetype association
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\babon.exeC:\Windows\babon.exe29⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe29⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
-
C:\Windows\babon.exeC:\Windows\babon.exe30⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe30⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"30⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"30⤵
- Modifies visibility of file extensions in Explorer
- Adds Run key to start application
- Drops file in System32 directory
- Modifies Internet Explorer start page
-
C:\Windows\babon.exeC:\Windows\babon.exe31⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe31⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"31⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"31⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"31⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3724 -s 70831⤵
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"32⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"32⤵
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"30⤵
- Modifies WinLogon
- Modifies Control Panel
-
C:\Windows\babon.exeC:\Windows\babon.exe31⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe31⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"31⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"31⤵
- Enumerates connected drives
- Drops file in Windows directory
-
C:\Windows\babon.exeC:\Windows\babon.exe32⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe32⤵
- Disables cmd.exe use via registry modification
- Enumerates connected drives
- Modifies WinLogon
-
C:\Windows\babon.exeC:\Windows\babon.exe33⤵
- Modifies system executable filetype association
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- System policy modification
-
C:\Windows\babon.exeC:\Windows\babon.exe34⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe34⤵
- Disables RegEdit via registry modification
- Modifies system executable filetype association
- Enumerates connected drives
-
C:\Windows\babon.exeC:\Windows\babon.exe35⤵
- Modifies system executable filetype association
- Drops file in System32 directory
- System policy modification
-
C:\Windows\babon.exeC:\Windows\babon.exe36⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe36⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"36⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Enumerates connected drives
- Modifies Internet Explorer settings
- Modifies registry class
-
C:\Windows\babon.exeC:\Windows\babon.exe37⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe37⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"37⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"37⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"37⤵
- Disables RegEdit via registry modification
- Adds Run key to start application
- Modifies Internet Explorer settings
-
C:\Windows\babon.exeC:\Windows\babon.exe38⤵
- Modifies WinLogon for persistence
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- System policy modification
-
C:\Windows\babon.exeC:\Windows\babon.exe39⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe39⤵
- Modifies system executable filetype association
- Adds Run key to start application
- Modifies WinLogon
- System policy modification
-
C:\Windows\babon.exeC:\Windows\babon.exe40⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe40⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"40⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"40⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"40⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 756 -s 64440⤵
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"41⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"41⤵
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"39⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"39⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"39⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4152 -s 74039⤵
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"40⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"40⤵
-
-
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe38⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"38⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"38⤵
- Modifies WinLogon for persistence
- Modifies registry class
-
C:\Windows\babon.exeC:\Windows\babon.exe39⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe39⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"39⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"39⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"39⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3296 -s 73639⤵
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"40⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"40⤵
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"38⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4956 -s 77638⤵
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"39⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"39⤵
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1660 -s 42437⤵
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"38⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"38⤵
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"36⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"36⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4152 -s 71236⤵
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"37⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"37⤵
-
-
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe35⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"35⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"35⤵
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Enumerates connected drives
- Drops file in Windows directory
-
C:\Windows\babon.exeC:\Windows\babon.exe36⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe36⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"36⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"36⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"36⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3244 -s 70436⤵
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"37⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"37⤵
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"35⤵
- Modifies Internet Explorer start page
-
C:\Windows\babon.exeC:\Windows\babon.exe36⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe36⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"36⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"36⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"36⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4808 -s 77236⤵
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"37⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"37⤵
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1484 -s 74035⤵
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"36⤵
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Drops file in System32 directory
-
C:\Windows\babon.exeC:\Windows\babon.exe37⤵
- Modifies visibility of file extensions in Explorer
- Disables cmd.exe use via registry modification
- Adds Run key to start application
- Modifies registry class
-
C:\Windows\babon.exeC:\Windows\babon.exe38⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe38⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"38⤵
- Modifies system executable filetype association
-
C:\Windows\babon.exeC:\Windows\babon.exe39⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe39⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"39⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"39⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"39⤵
- Disables RegEdit via registry modification
- Modifies WinLogon
- Drops file in System32 directory
-
C:\Windows\babon.exeC:\Windows\babon.exe40⤵
- Modifies visiblity of hidden/system files in Explorer
- Disables cmd.exe use via registry modification
- System policy modification
-
C:\Windows\babon.exeC:\Windows\babon.exe41⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe41⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Disables cmd.exe use via registry modification
- Adds Run key to start application
-
C:\Windows\babon.exeC:\Windows\babon.exe42⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe42⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"42⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"42⤵
- Modifies WinLogon for persistence
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Modifies system executable filetype association
- Drops file in System32 directory
- Modifies Control Panel
- Modifies Internet Explorer start page
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"42⤵
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"41⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"41⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"41⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Modifies system executable filetype association
- Modifies WinLogon
- Drops file in System32 directory
- Modifies Internet Explorer start page
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2784 -s 76841⤵
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"42⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"42⤵
-
-
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe40⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"40⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"40⤵
- Disables RegEdit via registry modification
- Modifies system executable filetype association
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer start page
- Modifies registry class
-
C:\Windows\babon.exeC:\Windows\babon.exe41⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe41⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"41⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"41⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"41⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3244 -s 67241⤵
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"42⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"42⤵
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"40⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4820 -s 74040⤵
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"41⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"41⤵
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3096 -s 73639⤵
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"40⤵
- Modifies visibility of file extensions in Explorer
- Modifies Control Panel
- Modifies Internet Explorer settings
- System policy modification
-
C:\Windows\babon.exeC:\Windows\babon.exe41⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe41⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"41⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"41⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"41⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2888 -s 68441⤵
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"42⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"42⤵
-
-
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"40⤵
- Modifies visiblity of hidden/system files in Explorer
- Enumerates connected drives
- Modifies registry class
-
C:\Windows\babon.exeC:\Windows\babon.exe41⤵
- Enumerates connected drives
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer start page
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe41⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"41⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2396 -s 65641⤵
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"42⤵
-
-
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"38⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"38⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3804 -s 75238⤵
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"39⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"39⤵
-
-
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe37⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"37⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"37⤵
- Enumerates connected drives
- Drops file in Windows directory
-
C:\Windows\babon.exeC:\Windows\babon.exe38⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe38⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"38⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"38⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"38⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2192 -s 74038⤵
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"39⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"39⤵
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"37⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2284 -s 71637⤵
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"38⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"38⤵
-
-
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"36⤵
- Modifies WinLogon
- Drops file in System32 directory
-
C:\Windows\babon.exeC:\Windows\babon.exe37⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe37⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"37⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"37⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"37⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2300 -s 78437⤵
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"38⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"38⤵
-
-
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"34⤵
- Disables cmd.exe use via registry modification
- Modifies WinLogon
-
C:\Windows\babon.exeC:\Windows\babon.exe35⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe35⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"35⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"35⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"35⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4536 -s 68835⤵
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"36⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"36⤵
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"34⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"34⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3004 -s 76434⤵
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"35⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"35⤵
-
-
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe33⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"33⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"33⤵
- Modifies system executable filetype association
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
-
C:\Windows\babon.exeC:\Windows\babon.exe34⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe34⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"34⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"34⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"34⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2768 -s 64434⤵
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"35⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"35⤵
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"33⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2576 -s 74433⤵
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"34⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"34⤵
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"32⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"32⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"32⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2292 -s 64432⤵
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"33⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"33⤵
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"31⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2712 -s 72431⤵
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"32⤵
- Modifies visibility of file extensions in Explorer
- Modifies system executable filetype association
- Enumerates connected drives
- Modifies WinLogon
- System policy modification
-
C:\Windows\babon.exeC:\Windows\babon.exe33⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe33⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"33⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"33⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"33⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3528 -s 78033⤵
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"34⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"34⤵
-
-
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"32⤵
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Drops file in Windows directory
- Modifies registry class
-
C:\Windows\babon.exeC:\Windows\babon.exe33⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe33⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"33⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"33⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"33⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1100 -s 78433⤵
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"34⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"34⤵
-
-
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3324 -s 75230⤵
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"31⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"31⤵
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"29⤵
- Disables cmd.exe use via registry modification
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- System policy modification
-
C:\Windows\babon.exeC:\Windows\babon.exe30⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe30⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"30⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"30⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"30⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1604 -s 63230⤵
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"31⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"31⤵
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"29⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"29⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1412 -s 73629⤵
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"30⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"30⤵
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"28⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3152 -s 68828⤵
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"29⤵
- Modifies WinLogon for persistence
- Disables cmd.exe use via registry modification
- Modifies system executable filetype association
- Adds Run key to start application
- Modifies Control Panel
-
C:\Windows\babon.exeC:\Windows\babon.exe30⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe30⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"30⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"30⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"30⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3656 -s 80430⤵
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"31⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"31⤵
-
-
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"29⤵
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2364 -s 62827⤵
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"28⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"28⤵
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"26⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"26⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4536 -s 76426⤵
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"27⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"27⤵
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"25⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3748 -s 74025⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"26⤵
- Modifies visibility of file extensions in Explorer
- Modifies system executable filetype association
- Drops file in Windows directory
-
C:\Windows\babon.exeC:\Windows\babon.exe27⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe27⤵
- Modifies visibility of file extensions in Explorer
- Disables cmd.exe use via registry modification
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Modifies registry class
-
C:\Windows\babon.exeC:\Windows\babon.exe28⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe28⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"28⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"28⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"28⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1516 -s 74028⤵
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"29⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"29⤵
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"27⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"27⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"27⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3164 -s 68427⤵
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"28⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"28⤵
-
-
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"26⤵
- Modifies visiblity of hidden/system files in Explorer
-
C:\Windows\babon.exeC:\Windows\babon.exe27⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe27⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Drops file in Windows directory
-
C:\Windows\babon.exeC:\Windows\babon.exe28⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe28⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"28⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"28⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"28⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1056 -s 74828⤵
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"29⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"29⤵
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"27⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"27⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"27⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1088 -s 78027⤵
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"28⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"28⤵
-
-
-
-
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe24⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"24⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"24⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"24⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1748 -s 78424⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"25⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"25⤵
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"23⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"23⤵
- Modifies WinLogon for persistence
- Disables RegEdit via registry modification
- Adds Run key to start application
- Modifies Internet Explorer settings
-
C:\Windows\babon.exeC:\Windows\babon.exe24⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe24⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"24⤵
- Modifies WinLogon for persistence
- Modifies Control Panel
- Modifies registry class
-
C:\Windows\babon.exeC:\Windows\babon.exe25⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe25⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"25⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"25⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"25⤵
- Drops file in System32 directory
- Modifies Control Panel
-
C:\Windows\babon.exeC:\Windows\babon.exe26⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe26⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"26⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"26⤵
- Modifies WinLogon for persistence
-
C:\Windows\babon.exeC:\Windows\babon.exe27⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe27⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"27⤵
- Enumerates connected drives
- Modifies WinLogon
- Modifies Internet Explorer start page
- Modifies registry class
-
C:\Windows\babon.exeC:\Windows\babon.exe28⤵
- Modifies Internet Explorer start page
-
C:\Windows\babon.exeC:\Windows\babon.exe29⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe29⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"29⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"29⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"29⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1048 -s 76429⤵
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"30⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"30⤵
- Modifies visibility of file extensions in Explorer
- Disables cmd.exe use via registry modification
- Adds Run key to start application
- Drops file in Windows directory
-
C:\Windows\babon.exeC:\Windows\babon.exe31⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe31⤵
- Adds Run key to start application
- Modifies Control Panel
- System policy modification
-
C:\Windows\babon.exeC:\Windows\babon.exe32⤵
- Modifies visiblity of hidden/system files in Explorer
- Drops file in Windows directory
-
C:\Windows\babon.exeC:\Windows\babon.exe33⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe33⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"33⤵
- Modifies visiblity of hidden/system files in Explorer
- Modifies Internet Explorer start page
-
C:\Windows\babon.exeC:\Windows\babon.exe34⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe34⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"34⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"34⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"34⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3796 -s 65634⤵
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"35⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"35⤵
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"33⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"33⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4284 -s 74433⤵
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"34⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"34⤵
-
-
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe32⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"32⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"32⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"32⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4884 -s 64432⤵
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"33⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"33⤵
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"31⤵
- Modifies visibility of file extensions in Explorer
- Drops file in Windows directory
-
C:\Windows\babon.exeC:\Windows\babon.exe32⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe32⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"32⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"32⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"32⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2452 -s 72032⤵
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"33⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"33⤵
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"31⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"31⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1356 -s 71231⤵
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"32⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"32⤵
-
-
-
-
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe28⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"28⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"28⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"28⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2500 -s 68828⤵
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"29⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"29⤵
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"27⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"27⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1728 -s 76427⤵
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"28⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"28⤵
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"26⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3804 -s 69226⤵
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"27⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"27⤵
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4572 -s 74825⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"26⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"26⤵
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"24⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"24⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2860 -s 70424⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"25⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"25⤵
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"23⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1232 -s 78823⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"24⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"24⤵
-
-
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"22⤵
- Modifies WinLogon for persistence
- Disables cmd.exe use via registry modification
- Modifies system executable filetype association
- Modifies WinLogon
- Modifies Control Panel
- System policy modification
-
C:\Windows\babon.exeC:\Windows\babon.exe23⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe23⤵
- Disables RegEdit via registry modification
- Drops file in System32 directory
- System policy modification
-
C:\Windows\babon.exeC:\Windows\babon.exe24⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe24⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"24⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"24⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"24⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 532 -s 75624⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"25⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"25⤵
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"23⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"23⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"23⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2160 -s 78423⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"24⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"24⤵
-
-
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1372 -s 67220⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"21⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"21⤵
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"19⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1376 -s 64419⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"20⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"20⤵
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"18⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"18⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"18⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3660 -s 73218⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"19⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"19⤵
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4852 -s 73617⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"18⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"18⤵
-
-
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe16⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"16⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"16⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"16⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2268 -s 72416⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"17⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"17⤵
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"15⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"15⤵
- Modifies WinLogon for persistence
- Disables cmd.exe use via registry modification
- Modifies system executable filetype association
- Adds Run key to start application
- Drops file in Windows directory
- Modifies registry class
-
C:\Windows\babon.exeC:\Windows\babon.exe16⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe16⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"16⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"16⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"16⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1808 -s 62816⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"17⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"17⤵
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3984 -s 64415⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"16⤵
- Modifies Internet Explorer start page
-
C:\Windows\babon.exeC:\Windows\babon.exe17⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe17⤵
- Disables cmd.exe use via registry modification
- Adds Run key to start application
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Internet Explorer start page
-
C:\Windows\babon.exeC:\Windows\babon.exe18⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe18⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"18⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"18⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"18⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 532 -s 75218⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"19⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"19⤵
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"17⤵
- Disables cmd.exe use via registry modification
- Modifies system executable filetype association
- Adds Run key to start application
-
C:\Windows\babon.exeC:\Windows\babon.exe18⤵
- Modifies WinLogon for persistence
- Drops file in Windows directory
-
C:\Windows\babon.exeC:\Windows\babon.exe19⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe19⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"19⤵
- Disables RegEdit via registry modification
- Adds Run key to start application
- Drops file in Windows directory
- Modifies Internet Explorer start page
-
C:\Windows\babon.exeC:\Windows\babon.exe20⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe20⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"20⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"20⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"20⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4100 -s 76020⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"21⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"21⤵
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"19⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"19⤵
- Modifies WinLogon for persistence
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
-
C:\Windows\babon.exeC:\Windows\babon.exe20⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe20⤵
- Adds Run key to start application
- Modifies Control Panel
- Modifies Internet Explorer start page
-
C:\Windows\babon.exeC:\Windows\babon.exe21⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe21⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"21⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"21⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"21⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 628 -s 73621⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"22⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"22⤵
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"20⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"20⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"20⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3464 -s 69220⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"21⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"21⤵
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4640 -s 74819⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"20⤵
- Drops file in Windows directory
- Modifies Control Panel
-
C:\Windows\babon.exeC:\Windows\babon.exe21⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe21⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"21⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"21⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"21⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1364 -s 68421⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"22⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"22⤵
-
-
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"20⤵
- Modifies registry class
-
C:\Windows\babon.exeC:\Windows\babon.exe21⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe21⤵
- Modifies WinLogon
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
-
C:\Windows\babon.exeC:\Windows\babon.exe22⤵
- Modifies visibility of file extensions in Explorer
- Disables cmd.exe use via registry modification
- Modifies WinLogon
- Modifies registry class
- System policy modification
-
C:\Windows\babon.exeC:\Windows\babon.exe23⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe23⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"23⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"23⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"23⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3388 -s 73623⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"24⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"24⤵
-
-
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe22⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"22⤵
- Modifies visiblity of hidden/system files in Explorer
- Modifies system executable filetype association
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
-
C:\Windows\babon.exeC:\Windows\babon.exe23⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe23⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"23⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"23⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"23⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4176 -s 65623⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"24⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"24⤵
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"22⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"22⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4164 -s 74022⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"23⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"23⤵
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"21⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"21⤵
- Adds Run key to start application
- Modifies Internet Explorer settings
-
C:\Windows\babon.exeC:\Windows\babon.exe22⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe22⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"22⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"22⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"22⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4644 -s 73622⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"23⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"23⤵
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"21⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1048 -s 65221⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"22⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"22⤵
-
-
-
-
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe18⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"18⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"18⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"18⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2328 -s 65618⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"19⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"19⤵
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"17⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"17⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3680 -s 72017⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"18⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"18⤵
-
-
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"16⤵
- Modifies WinLogon for persistence
-
C:\Windows\babon.exeC:\Windows\babon.exe17⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe17⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"17⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"17⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"17⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1704 -s 78017⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"18⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"18⤵
-
-
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"14⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 628 -s 74014⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"15⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"15⤵
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"13⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"13⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"13⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3136 -s 76413⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"14⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"14⤵
-
-
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"12⤵
- Enumerates connected drives
- Modifies WinLogon
- Modifies Internet Explorer start page
- System policy modification
-
C:\Windows\babon.exeC:\Windows\babon.exe13⤵
- Modifies visibility of file extensions in Explorer
- Modifies WinLogon
-
C:\Windows\babon.exeC:\Windows\babon.exe14⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe14⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"14⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"14⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"14⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1056 -s 73614⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"15⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"15⤵
-
-
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe13⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"13⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"13⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"13⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1600 -s 68013⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"14⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"14⤵
-
-
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"10⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"10⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 232 -s 74010⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"11⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"11⤵
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"9⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"9⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"9⤵
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Modifies system executable filetype association
- Enumerates connected drives
- Drops file in System32 directory
- Modifies Control Panel
-
C:\Windows\babon.exeC:\Windows\babon.exe10⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe10⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"10⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"10⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"10⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2300 -s 74010⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"11⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"11⤵
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3700 -s 7409⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"10⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"10⤵
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"8⤵
- Modifies WinLogon for persistence
- Modifies system executable filetype association
- Drops file in System32 directory
- Modifies Internet Explorer start page
- System policy modification
-
C:\Windows\babon.exeC:\Windows\babon.exe9⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe9⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"9⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"9⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"9⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4112 -s 7689⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"10⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"10⤵
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"8⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4760 -s 7528⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"9⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"9⤵
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"7⤵
- Loads dropped DLL
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"7⤵
- Loads dropped DLL
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"7⤵
- Modifies visiblity of hidden/system files in Explorer
- Disables cmd.exe use via registry modification
- Loads dropped DLL
- Modifies Control Panel
-
C:\Windows\babon.exeC:\Windows\babon.exe8⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe8⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"8⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"8⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"8⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1308 -s 6288⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"9⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"9⤵
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3188 -s 7767⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"8⤵
- Modifies visiblity of hidden/system files in Explorer
- Disables cmd.exe use via registry modification
- Loads dropped DLL
- Modifies WinLogon
- Modifies Internet Explorer settings
-
C:\Windows\babon.exeC:\Windows\babon.exe9⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe9⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"9⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"9⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"9⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1068 -s 7489⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"10⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"10⤵
-
-
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"8⤵
- Modifies visiblity of hidden/system files in Explorer
- Drops file in System32 directory
- Modifies Control Panel
-
C:\Windows\babon.exeC:\Windows\babon.exe9⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe9⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"9⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"9⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Adds Run key to start application
- Enumerates connected drives
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
-
C:\Windows\babon.exeC:\Windows\babon.exe10⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe10⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"10⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"10⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"10⤵
- Drops file in Windows directory
- Modifies Internet Explorer start page
- System policy modification
-
C:\Windows\babon.exeC:\Windows\babon.exe11⤵
- Modifies visibility of file extensions in Explorer
- System policy modification
-
C:\Windows\babon.exeC:\Windows\babon.exe12⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe12⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"12⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"12⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"12⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4984 -s 76412⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"13⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"13⤵
-
-
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe11⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"11⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"11⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"11⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2656 -s 75611⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"12⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"12⤵
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1364 -s 76810⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"11⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"11⤵
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"9⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4188 -s 7529⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"10⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"10⤵
-
-
-
-
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe6⤵
- Loads dropped DLL
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"6⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- Loads dropped DLL
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
-
C:\Windows\babon.exeC:\Windows\babon.exe7⤵
- Loads dropped DLL
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe7⤵
- Loads dropped DLL
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"7⤵
- Loads dropped DLL
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"7⤵
- Loads dropped DLL
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"7⤵
- Loads dropped DLL
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2992 -s 7487⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"8⤵
- Loads dropped DLL
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"8⤵
- Loads dropped DLL
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"6⤵
- Loads dropped DLL
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"6⤵
- Loads dropped DLL
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1900 -s 7366⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"7⤵
- Loads dropped DLL
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"7⤵
- Loads dropped DLL
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3648 -s 7565⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
-
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"4⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- System policy modification
-
C:\Windows\babon.exeC:\Windows\babon.exe5⤵
- Loads dropped DLL
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe5⤵
- Loads dropped DLL
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"5⤵
- Loads dropped DLL
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"5⤵
- Disables cmd.exe use via registry modification
- Loads dropped DLL
- Enumerates connected drives
- Modifies Control Panel
- Modifies Internet Explorer start page
-
C:\Windows\babon.exeC:\Windows\babon.exe6⤵
- Loads dropped DLL
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe6⤵
- Loads dropped DLL
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"6⤵
- Loads dropped DLL
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"6⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"6⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1616 -s 6486⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"7⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"7⤵
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"5⤵
- Loads dropped DLL
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4940 -s 7565⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"6⤵
- Loads dropped DLL
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"6⤵
- Loads dropped DLL
-
-
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"2⤵
- Executes dropped EXE
- Modifies WinLogon
- Modifies Control Panel
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\babon.exeC:\Windows\babon.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe3⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"2⤵
- Executes dropped EXE
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\babon.exeC:\Windows\babon.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2956 -s 8003⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"4⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"2⤵
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\babon.exeC:\Windows\babon.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2964 -s 7763⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2424 -ip 24241⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3700 -ip 37001⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 2956 -ip 29561⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2964 -ip 29641⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 8 -ip 81⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3648 -ip 36481⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3604 -ip 36041⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 4228 -ip 42281⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 1680 -ip 16801⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1900 -ip 19001⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 4940 -ip 49401⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3188 -ip 31881⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 2992 -ip 29921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 1616 -ip 16161⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4760 -ip 47601⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1308 -ip 13081⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1068 -ip 10681⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 3700 -ip 37001⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4112 -ip 41121⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 232 -ip 2321⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4188 -ip 41881⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2300 -ip 23001⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 1908 -ip 19081⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 1364 -ip 13641⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4852 -ip 48521⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1604 -ip 16041⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 2656 -ip 26561⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3136 -ip 31361⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2948 -ip 29481⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4984 -ip 49841⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 628 -ip 6281⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1600 -ip 16001⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 3152 -ip 31521⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 3984 -ip 39841⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 1056 -ip 10561⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4876 -ip 48761⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 2268 -ip 22681⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1808 -ip 18081⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 3680 -ip 36801⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4852 -ip 48521⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 532 -ip 5321⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2328 -ip 23281⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 1704 -ip 17041⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 3660 -ip 36601⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 4640 -ip 46401⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 1376 -ip 13761⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4100 -ip 41001⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 3464 -ip 34641⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1364 -ip 13641⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 1372 -ip 13721⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 628 -ip 6281⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 1048 -ip 10481⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 1556 -ip 15561⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4724 -ip 47241⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4164 -ip 41641⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4644 -ip 46441⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 1232 -ip 12321⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 3388 -ip 33881⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 4176 -ip 41761⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 1748 -ip 17481⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 2860 -ip 28601⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2160 -ip 21601⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3748 -ip 37481⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4572 -ip 45721⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 532 -ip 5321⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4536 -ip 45361⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 3164 -ip 31641⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 3804 -ip 38041⤵
-
C:\Windows\System32\sihclient.exeC:\Windows\System32\sihclient.exe /cv bkVwsuwnOEOdZkLetuEHwQ.0.21⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 2364 -ip 23641⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 1516 -ip 15161⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 1728 -ip 17281⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1088 -ip 10881⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 3152 -ip 31521⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 1056 -ip 10561⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2500 -ip 25001⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 1412 -ip 14121⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3656 -ip 36561⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 1048 -ip 10481⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 3324 -ip 33241⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 1604 -ip 16041⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 1356 -ip 13561⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3724 -ip 37241⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 2712 -ip 27121⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4884 -ip 48841⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2452 -ip 24521⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 2292 -ip 22921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4284 -ip 42841⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 3528 -ip 35281⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2576 -ip 25761⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3796 -ip 37961⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3004 -ip 30041⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 1100 -ip 11001⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 2768 -ip 27681⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 1484 -ip 14841⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 4536 -ip 45361⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4152 -ip 41521⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3244 -ip 32441⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4808 -ip 48081⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2284 -ip 22841⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1660 -ip 16601⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3804 -ip 38041⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 2192 -ip 21921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 4956 -ip 49561⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 2300 -ip 23001⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3096 -ip 30961⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4152 -ip 41521⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3296 -ip 32961⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4820 -ip 48201⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 2888 -ip 28881⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 756 -ip 7561⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 2784 -ip 27841⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3244 -ip 32441⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 2396 -ip 23961⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 4784 -ip 47841⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
1Winlogon Helper DLL
2Event Triggered Execution
1Change Default File Association
1Privilege Escalation
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
1Winlogon Helper DLL
2Event Triggered Execution
1Change Default File Association
1Defense Evasion
Hide Artifacts
2Hidden Files and Directories
2Modify Registry
9Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
147KB
MD5d1c284c5086f4e59f99fb0d7d19f9e7e
SHA1d045d5e08cf2fe445affb185cf4bd9445b1da247
SHA2568f2e6a1f6cdef9f24dda0b307cd2527ed5a9ac90116243c712d72ab30d7d3a2e
SHA51299ab0623de0407df69e708365f754d8cd23f5c9566cab7efa69daa7b7dd7d097c721c156029de018c33ed5e719e32c723bf6ccabd9cb97d128acd53265963f93
-
Filesize
147KB
MD5579b7f4b0c761c6169e37a897494c3bd
SHA12f4832fe068541857526883bb10c13191db172bd
SHA25696fc86678b8acd6272b878dea78d1f5265524aa3ab926118aa3f26c472275a7a
SHA51251caf6f691a80fb3da666d7d2728892b4c321107328befdbb5ba4ae423e0ffa0af2be2eefecf554b0170e93ca18dd0997306761e36b1ab2af039ae3201cc3f60
-
Filesize
147KB
MD5f95bb072daa8f593eae30a793e0d46d6
SHA198d4a83d59f11cf4de92f8bff7b58241e3154172
SHA25665023c572bd71eef9ad313854d03ba39490e77cabbadb888705eb1b6323d3b00
SHA512f3dc36e80227664087877e32ec8ea25f3bcb83a8dba075c296aaa81b256c6673057b61e87f35b914eed03fd95b89f37cb14680de1ee9c5f503d5749578ca7f45
-
Filesize
147KB
MD5c5a3588560d77a3db1da483df905b7d1
SHA1212fa66e44e2997552e88b492323d38f2f3f7ec6
SHA256d8c2a82c7d77e8b1dd9b831cc461d075d900153daa9682a5ffc480130f96dc12
SHA512046cf927424efb05a54160fe7de46faf81f5f153186a15148a8241cc06de946f138d90cf884b7145a1e64787b9f5429ce7231de3299770edab4bcf41946ae212
-
Filesize
147KB
MD5806817db4eb5ad7bc9796bf786c63fc1
SHA1b7dd798affd9cd1c04e0ccea5c72d81d075ae4af
SHA256561f5c1344ee603568834c8941e6b2053340207158fcda200144e6bf1481145e
SHA5123ff5d45fa464b32443696e4afa0ffda1d97848e5c319530e8f6b58f846b2d2cd40918617c0a8ba590a9fd24dba61cf3cfa95a05f688fbdb2f55fc338c5a036c2
-
Filesize
147KB
MD59b926f7a73687fcb1e795d17733e096c
SHA1b78830cbe5b1dea9108aa71871701d5c12f36913
SHA2562781bd28fa776e7f50691ceec30331ea743d3c482ef34e5fe8a7ce4402bbf157
SHA5125f192d136b51e2bc0756704556e8369fe4f85c59319ddd98e2cbe8b8bfae572e0b847974df7621fa001478beffd6e11deadcd1e8d8db99cb1cf03b643df4ef4f
-
Filesize
147KB
MD580dd8a124378f872a3c1d175c680e55f
SHA192d559c916684dc1d2d6fb4de297752d28aa6226
SHA25631fcf811118db46ad44ccf4a86ec01eff9191df3538f6637a11ba71fd7e10a37
SHA512a4835b4aa605806cddc05d5571a455d4f68f3dab5830a608cc084b531ff2c99eae53b556310b325e900141a63a4b47b45e1da650a7db2bd5e6a6be1a347607c5
-
Filesize
147KB
MD5c0253d626e1c3902efe75087dc8c51b3
SHA1ff8e6684ec13ade6f16e8f541698846308a7bb88
SHA2560148da5bded5e9bf6c20939928e24bf00b4fab14b59f7de2da0aa3f2fcca74b5
SHA51239083fba05d53a1f87ce981f3bd378324b7bb557dc276fa88f07b6a7f088922cde6908cd29c9567db8d82bc386008aca2c3c8bd66a5041425fd3fdf706dcb129
-
Filesize
147KB
MD5394883dda37ce7702b0f83bd6befce96
SHA1b9a98d6d2460f03ede395ed307d741a0ec811ae8
SHA2561b6f0dde8b1f51206849efa4901f01fbd6365c8df23f1cb85e0c8536ac2a534b
SHA512d00f1df15f834fcfbe146fa4afe5aae7e24e78f2683aedf6686ffc5a34ef031b895d24058d2fba3e2b9b8a074b4ab208df61e931df990bfe78ecb1e78b85b1ce
-
Filesize
147KB
MD5221c8e7690d0deb199558d8b09c512f8
SHA1272c96660e917abf9ebec8c43e6cae7b710f77b5
SHA256f7137ca7fcdd86de50475d2ca01f3c33db2bba68a1fcb924097c1c6ce628a547
SHA5122b9ec77847f92f1d6aa7562c891b5ca63f4459f193a78cc072bf56a5ae83fa02e61540599deb52cb8fd453db37d53af4f686e951253b6be6233de23af0f2bb1e
-
Filesize
147KB
MD54376d8815e1eaf3a705d369894319a03
SHA1f23216cc5a44a93498b6c6d7813eab50fed8aaaa
SHA256fe37cac8a00d1d33c4e94799ef2e3c4e5c296458cb68d135f5dea4b8b698029a
SHA512bae0551dcb1308dab284058a69cc3c4c4b6a495a303b53364346c2d9e4d727591491a2395a995f31112eb701a11d67e1b70a91bdbb3e25819b89171f3f07df77
-
Filesize
147KB
MD549a83521c01f747fb44cd1ca3f84abc9
SHA195e6538e7d367803d5728470c19449030bdbede4
SHA2561771dddfb9bdd8ef5e6b04f706b0cf2c51d551c2312d4635f8c24ef8aa168e97
SHA5127534c62e8ba6c86837a63d6604f20bebf63eeef903fdec5e785babdafabbfcdf34e3c209f6549faef146d55ec2e084f91e38563b138ebfbf0727bccee0c79de9
-
Filesize
147KB
MD5fe94441ae7fac1334d7438cb9103a72a
SHA1f2247ce3ba3d57ad369065b9349128b27f78e8c5
SHA2562c21ba7e3fad396eaa58d59b591b882bf5111e269e78840e881149a34f390d83
SHA51215f60a4de721d50ab5c6e15dc417a4c0c9e3ef0276842fa0dc7638a8a9db460b6602cffb1575378920b3e6a68db6af442317c8969db0472f8d510ea5bfc073d4
-
Filesize
147KB
MD55cdfe4e4a72e6bdd492638af6d2da4a1
SHA1fa4640ccf0246c1b870b03e1105e0142f09522ee
SHA256e40b0315210ae06f7d9d06138d285f5683c0c16b2baee91601d32b538f789ab3
SHA512da624ca0be03c9d9277d1824b52ce21a6b48b6588e596f7282973f024f47e7282fa31c77ce50661d06fb8c396d9ce1fd3c5d4c5bffba6586345b2a31af6d83ca
-
Filesize
147KB
MD56d02f219c6ecb5ae77a0a6a092dd8cf3
SHA11babf613af143d1b7a558c3ffb72c6cbfdf91b3e
SHA256fa0db5a9ace08a58986c4cf8917f6a0f36a8c23e1398851a03b15146b5ba8622
SHA512bbf2ad6373ed1d80f61a88dffecb02a704a55a8c700742cb52a719678bf0454a28b538bb99178687f28c96226b5746b6b89f5359c33a95e1502e1bfb1c730ca9
-
Filesize
147KB
MD5d0ddd583d3702394dda6a0301b7a47ff
SHA19f3377d095139fc3b9e33650a6e3066946037d74
SHA256b1a13fe57f30a97f5b6a90d2031cae5231bc840ad7ab8e4130ee7bc695fc082d
SHA512b845d31953234b5c6538b8717f635bcdb1f2151189caea98a6cc94390605d90d31b1830a637977def9321def411a98201cf5df5e5c14089048dd57414ae42f1b
-
Filesize
147KB
MD51bc6f9557742c7c72a37ab705ef83c07
SHA1b5264c50202403ab1311466a260ae3ad9c139445
SHA2564cfcd10c0e763e96f5d11392b3ec6168b71ba14eecdce2da64c591d412d6b5bb
SHA512f55c9aa6e14d021b6f371caf8608d40925a5046dfbc4dea8dbcc2c79c8915539354008786149d38cd91e248ed9c4e1d757e422f219d2c68a95f64976e72c57d1
-
Filesize
147KB
MD54ab1ab6f525ad23fcc6354bf5249d9e8
SHA1c222b6149abc720d33c9729ee4fff63e02597860
SHA256c02c374f9562c51a3f3c2580393f6bf7b6e617901bed32deca32d178de396be2
SHA512f1ef720b732708605875d6757580fed0f3e8b303f5cf03c3242c6a53ecd3d961bbbf0640a0df8b67b54b9a4e81c981b7ee4a6b56b61477596318b06998fb80d9
-
Filesize
147KB
MD5a68840f6187b475e0357a225cb2d7b87
SHA1a5f9a6ed6d856764015e2b072f1f7a237682131d
SHA256b90694067dd4e72d4c7347c1eff3ce627598f4fff78ebb738a63f5820131fa5e
SHA5128204dc38f95e14749e0c00949e338c0843c50bbf38995acdcfe67eb4629800433cf2dd9593e8618d76f6bc74f08f6b1c8809e6e9176706764f3f9b94bd904706
-
Filesize
1.4MB
MD525f62c02619174b35851b0e0455b3d94
SHA14e8ee85157f1769f6e3f61c0acbe59072209da71
SHA256898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
SHA512f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a
-
Filesize
147KB
MD5671bd71bc0fc4e7fddd33f5f949e243c
SHA141a4fdd29e7a99680750b5ebee9edab5d60db0c6
SHA256fdbee6755e254cb4b6c2783f264f0343ab3abcd5929cb61f1ee5d48f2d441c8f
SHA512e298d8dc16b6daf9f0bd7365003c1cab9989c0a7554ef7ffdbb2b9ecaec0ae1c4d9f5c8b2283e554bfd0e4aa6185f4e71c31e0e88eef317528cc16d7b6114349
-
Filesize
147KB
MD5a3e05ab5591e75bd908cbd3a1d3404fe
SHA16251cf8a7727e4a1010bbacc95d8c4c99eca2a06
SHA2568d712b770467386cb473d506e61f6d9fdf87595209ffeca8c2302b13603a24fb
SHA5122cd95fd1ab303a77c205e6e44c4f086ac73e0d8330e2b9925d1f1869c6d106af4c2a15cc1f025bf129e6f39c4a71bbd2dc888574923a1cff1ff600f2ed4f3dd0
-
Filesize
147KB
MD542a36901f6fe8e5f98abf34270261609
SHA1f092e7dd319eac4be1e1562af87daafa3af3e12b
SHA256f501f1ce3c364e610fb3b43eccd0b5074d0b6ce2c371ff0e16d0c41a632ef712
SHA512f4cb6c10f604e5d9252d6d43386a2ec1bdce615d3f5686ebadd09bf5ae512d1b9ff0e5f8faad6670121ba65898e984d4d640a4dc9705321deb736d09ca6834ec
-
Filesize
359B
MD5df2f3e6971a7548c1688706f9a9798a8
SHA1e38539857523a1e7eb3aa857e017bf6461b16a08
SHA2561fd0a101a74c19c0c9e287eac64ee506df3eebdbc11f12022dda94fedd123918
SHA512d2d41257135381d7f4c4936139282a505094af7a8f9bc824ccc08d09da9ab010b6adf1460feacf5c0151cb9d4299b8bde934fd90904bb3c3ce6c396af449c072
-
Filesize
41B
MD5097661e74e667ec2329bc274acb87b0d
SHA191c68a6089af2f61035e2e5f2a8da8c908dc93ed
SHA256aab4cf640f2520966a0aac31af8d1b819eea28736c6b103db16b07c3188ec6c0
SHA512e90e678526270cd9388538246793534411c478b082ab914bfe2756b18771229f146c731c0f9c94ed59d8689b2ef77d25f7b22d3d6b8c2d439e5b3437f8dc649e