Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
126s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20240611-en -
resource tags
-
submitted
25/06/2024, 04:04
General
-
Target
2c9c12b015719b15b5748c1aad7f95f358572da344b23fd47a78738b38bde3b8_NeikiAnalytics.exe
-
Size
147KB
-
MD5
5064222fe180b7105f2c889d422dd6d0
-
SHA1
67f0e38e2f66c6decc71a3adb7f652847ea0963a
-
SHA256
2c9c12b015719b15b5748c1aad7f95f358572da344b23fd47a78738b38bde3b8
-
SHA512
862f104f8d08e1049216d187acb6b5bcdc7f007fb403327b7ded55ced39186dd4ead274b94beb840e74ef31ec11373eede035293f907c41bb47823dc738a2c39
-
SSDEEP
1536:nWwaMcKOER0m9mwWAAggupnhycpDnq+5h/tDSZ15WwdAy:WzKR0xwWpWnhFpDRzSZaCAy
Score
10/10
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 64 IoCs
-
Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 64 IoCs
-
Disables RegEdit via registry modification 64 IoCs
-
Disables Task Manager via registry modification
-
Disables cmd.exe use via registry modification 64 IoCs
-
Disables use of System Restore points 1 TTPs
-
Executes dropped EXE 64 IoCs
-
Loads dropped DLL 64 IoCs
-
Modifies system executable filetype association 2 TTPs 64 IoCs
-
Adds Run key to start application 2 TTPs 64 IoCs
-
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Modifies WinLogon 2 TTPs 64 IoCs
-
Drops autorun.inf file 1 TTPs 4 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
-
Drops file in System32 directory 64 IoCs
-
Drops file in Windows directory 64 IoCs
-
Program crash 64 IoCs
-
Modifies Control Panel 64 IoCs
-
Modifies Internet Explorer settings 1 TTPs 64 IoCs
-
Modifies Internet Explorer start page 1 TTPs 64 IoCs
-
Modifies registry class 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of SetWindowsHookEx 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2c9c12b015719b15b5748c1aad7f95f358572da344b23fd47a78738b38bde3b8_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\2c9c12b015719b15b5748c1aad7f95f358572da344b23fd47a78738b38bde3b8_NeikiAnalytics.exe"1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\babon.exeC:\Windows\babon.exe2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\babon.exeC:\Windows\babon.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe3⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2688 -s 7003⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"4⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
-
-
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe2⤵
- Disables RegEdit via registry modification
- Executes dropped EXE
- Drops autorun.inf file
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\babon.exeC:\Windows\babon.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4892 -s 5603⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"4⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables cmd.exe use via registry modification
- Executes dropped EXE
- Modifies system executable filetype association
- Suspicious use of SetWindowsHookEx
-
C:\Windows\babon.exeC:\Windows\babon.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Suspicious use of SetWindowsHookEx
-
C:\Windows\babon.exeC:\Windows\babon.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies Control Panel
- Suspicious use of SetWindowsHookEx
-
C:\Windows\babon.exeC:\Windows\babon.exe7⤵
- Loads dropped DLL
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe7⤵
- Loads dropped DLL
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"7⤵
- Loads dropped DLL
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"7⤵
- Loads dropped DLL
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"7⤵
- Loads dropped DLL
- Modifies system executable filetype association
- Modifies WinLogon
- Modifies Internet Explorer settings
-
C:\Windows\babon.exeC:\Windows\babon.exe8⤵
- Loads dropped DLL
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe8⤵
- Loads dropped DLL
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"8⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Modifies system executable filetype association
- Modifies WinLogon
- Drops file in Windows directory
- System policy modification
-
C:\Windows\babon.exeC:\Windows\babon.exe9⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe9⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"9⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"9⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"9⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2056 -s 7449⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"10⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"10⤵
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"8⤵
- Disables RegEdit via registry modification
- Modifies system executable filetype association
- Enumerates connected drives
- Modifies Control Panel
-
C:\Windows\babon.exeC:\Windows\babon.exe9⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe9⤵
- Modifies visiblity of hidden/system files in Explorer
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\babon.exeC:\Windows\babon.exe10⤵
- Disables cmd.exe use via registry modification
- Modifies system executable filetype association
- Modifies WinLogon
- System policy modification
-
C:\Windows\babon.exeC:\Windows\babon.exe11⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe11⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"11⤵
- Adds Run key to start application
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
-
C:\Windows\babon.exeC:\Windows\babon.exe12⤵
- Modifies visibility of file extensions in Explorer
-
C:\Windows\babon.exeC:\Windows\babon.exe13⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe13⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"13⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"13⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"13⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1772 -s 76413⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"14⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"14⤵
-
-
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe12⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"12⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"12⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"12⤵
- Modifies system executable filetype association
- Modifies Internet Explorer settings
-
C:\Windows\babon.exeC:\Windows\babon.exe13⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe13⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"13⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"13⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"13⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4884 -s 74413⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"14⤵
- Modifies WinLogon for persistence
- Modifies Internet Explorer start page
-
C:\Windows\babon.exeC:\Windows\babon.exe15⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe15⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"15⤵
- Modifies visibility of file extensions in Explorer
- Disables cmd.exe use via registry modification
-
C:\Windows\babon.exeC:\Windows\babon.exe16⤵
- Disables RegEdit via registry modification
-
C:\Windows\babon.exeC:\Windows\babon.exe17⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe17⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"17⤵
- Modifies visiblity of hidden/system files in Explorer
- Modifies WinLogon
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
-
C:\Windows\babon.exeC:\Windows\babon.exe18⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe18⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"18⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"18⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"18⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1912 -s 73618⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"19⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"19⤵
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"17⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"17⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4488 -s 73617⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"18⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"18⤵
-
-
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe16⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"16⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"16⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"16⤵
- Modifies WinLogon for persistence
- Modifies Control Panel
- Modifies Internet Explorer settings
-
C:\Windows\babon.exeC:\Windows\babon.exe17⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe17⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"17⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"17⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"17⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4848 -s 75217⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"18⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"18⤵
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2860 -s 68816⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"17⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"17⤵
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"15⤵
- Disables cmd.exe use via registry modification
- Modifies system executable filetype association
- System policy modification
-
C:\Windows\babon.exeC:\Windows\babon.exe16⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe16⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"16⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"16⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"16⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1772 -s 75216⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"17⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"17⤵
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"15⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3724 -s 68415⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"16⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"16⤵
-
-
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"14⤵
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2752 -s 72412⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"13⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"13⤵
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"11⤵
- Disables cmd.exe use via registry modification
- Modifies system executable filetype association
-
C:\Windows\babon.exeC:\Windows\babon.exe12⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe12⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"12⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"12⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"12⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3108 -s 64412⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"13⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"13⤵
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"11⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4696 -s 74011⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"12⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"12⤵
-
-
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe10⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"10⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"10⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"10⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Drops file in System32 directory
-
C:\Windows\babon.exeC:\Windows\babon.exe11⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe11⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"11⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"11⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"11⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1584 -s 73611⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"12⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"12⤵
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1400 -s 70810⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"11⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Adds Run key to start application
- Modifies WinLogon
- Modifies Internet Explorer start page
- System policy modification
-
C:\Windows\babon.exeC:\Windows\babon.exe12⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe12⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"12⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"12⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"12⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3168 -s 78412⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"13⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"13⤵
-
-
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"11⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Enumerates connected drives
-
C:\Windows\babon.exeC:\Windows\babon.exe12⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe12⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"12⤵
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- System policy modification
-
C:\Windows\babon.exeC:\Windows\babon.exe13⤵
- Modifies WinLogon for persistence
- Modifies registry class
-
C:\Windows\babon.exeC:\Windows\babon.exe14⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe14⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"14⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"14⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"14⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 220 -s 76814⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"15⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"15⤵
-
-
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe13⤵
- Enumerates connected drives
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\babon.exeC:\Windows\babon.exe14⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe14⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"14⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"14⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"14⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4588 -s 76014⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"15⤵
- Disables cmd.exe use via registry modification
- Modifies Control Panel
-
C:\Windows\babon.exeC:\Windows\babon.exe16⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe16⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"16⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"16⤵
- Modifies visiblity of hidden/system files in Explorer
- Modifies Control Panel
- Modifies registry class
-
C:\Windows\babon.exeC:\Windows\babon.exe17⤵
- Disables cmd.exe use via registry modification
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer start page
-
C:\Windows\babon.exeC:\Windows\babon.exe18⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe18⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"18⤵
- Enumerates connected drives
- Modifies Internet Explorer settings
-
C:\Windows\babon.exeC:\Windows\babon.exe19⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe19⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"19⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"19⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"19⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3772 -s 73619⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"20⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"20⤵
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"18⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"18⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2952 -s 73618⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"19⤵
- Modifies WinLogon for persistence
- Disables cmd.exe use via registry modification
- Adds Run key to start application
-
C:\Windows\babon.exeC:\Windows\babon.exe20⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe20⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"20⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"20⤵
- Disables cmd.exe use via registry modification
- Adds Run key to start application
- Modifies WinLogon
- Drops file in System32 directory
- System policy modification
-
C:\Windows\babon.exeC:\Windows\babon.exe21⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe21⤵
- Disables cmd.exe use via registry modification
- Drops file in System32 directory
- Modifies Control Panel
- Modifies Internet Explorer settings
-
C:\Windows\babon.exeC:\Windows\babon.exe22⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe22⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"22⤵
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Modifies WinLogon
-
C:\Windows\babon.exeC:\Windows\babon.exe23⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe23⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"23⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"23⤵
- Adds Run key to start application
-
C:\Windows\babon.exeC:\Windows\babon.exe24⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe24⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"24⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"24⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"24⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 884 -s 71224⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"25⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"25⤵
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"23⤵
- Disables RegEdit via registry modification
-
C:\Windows\babon.exeC:\Windows\babon.exe24⤵
- Modifies visibility of file extensions in Explorer
- Modifies system executable filetype association
- Drops file in Windows directory
- Modifies Control Panel
-
C:\Windows\babon.exeC:\Windows\babon.exe25⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe25⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"25⤵
- Modifies visibility of file extensions in Explorer
- Modifies WinLogon
- Drops file in Windows directory
-
C:\Windows\babon.exeC:\Windows\babon.exe26⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe26⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"26⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"26⤵
- Modifies visiblity of hidden/system files in Explorer
-
C:\Windows\babon.exeC:\Windows\babon.exe27⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe27⤵
- Modifies visiblity of hidden/system files in Explorer
- Disables cmd.exe use via registry modification
- Modifies system executable filetype association
- Modifies registry class
- System policy modification
-
C:\Windows\babon.exeC:\Windows\babon.exe28⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe28⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"28⤵
- Modifies visibility of file extensions in Explorer
- Enumerates connected drives
-
C:\Windows\babon.exeC:\Windows\babon.exe29⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe29⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"29⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"29⤵
- Modifies visiblity of hidden/system files in Explorer
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- System policy modification
-
C:\Windows\babon.exeC:\Windows\babon.exe30⤵
- Modifies visiblity of hidden/system files in Explorer
- Disables cmd.exe use via registry modification
- Modifies Internet Explorer settings
- System policy modification
-
C:\Windows\babon.exeC:\Windows\babon.exe31⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe31⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"31⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"31⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"31⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4780 -s 68831⤵
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"32⤵
- Drops file in Windows directory
- Modifies Internet Explorer start page
-
C:\Windows\babon.exeC:\Windows\babon.exe33⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe33⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"33⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"33⤵
- Drops file in System32 directory
- System policy modification
-
C:\Windows\babon.exeC:\Windows\babon.exe34⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe34⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"34⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"34⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"34⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4564 -s 76034⤵
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"35⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"35⤵
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"33⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Modifies registry class
-
C:\Windows\babon.exeC:\Windows\babon.exe34⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe34⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"34⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Adds Run key to start application
- Modifies WinLogon
- Modifies Control Panel
- System policy modification
-
C:\Windows\babon.exeC:\Windows\babon.exe35⤵
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Drops file in Windows directory
-
C:\Windows\babon.exeC:\Windows\babon.exe36⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe36⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"36⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"36⤵
-
C:\Windows\babon.exeC:\Windows\babon.exe37⤵
- Disables RegEdit via registry modification
- System policy modification
-
C:\Windows\babon.exeC:\Windows\babon.exe38⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe38⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"38⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"38⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"38⤵
- Adds Run key to start application
- Modifies Internet Explorer start page
- Modifies registry class
-
C:\Windows\babon.exeC:\Windows\babon.exe39⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe39⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"39⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"39⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"39⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3408 -s 69239⤵
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"40⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"40⤵
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 704 -s 75238⤵
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"39⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"39⤵
-
-
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe37⤵
- Disables cmd.exe use via registry modification
- Modifies system executable filetype association
- Drops file in Windows directory
- Modifies registry class
-
C:\Windows\babon.exeC:\Windows\babon.exe38⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe38⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"38⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"38⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"38⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3676 -s 74038⤵
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"39⤵
- Drops file in Windows directory
-
C:\Windows\babon.exeC:\Windows\babon.exe40⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe40⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"40⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"40⤵
- Modifies system executable filetype association
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
-
C:\Windows\babon.exeC:\Windows\babon.exe41⤵
- Modifies WinLogon
- Modifies Internet Explorer settings
-
C:\Windows\babon.exeC:\Windows\babon.exe42⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe42⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"42⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"42⤵
-
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe41⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"41⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"41⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"41⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3748 -s 75641⤵
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"42⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"42⤵
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"40⤵
-
C:\Windows\babon.exeC:\Windows\babon.exe41⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe41⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"41⤵
- Modifies Internet Explorer settings
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"41⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"41⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 696 -s 75241⤵
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"42⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"42⤵
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4916 -s 72040⤵
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"41⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"41⤵
-
-
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"39⤵
- Modifies WinLogon for persistence
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Modifies WinLogon
-
C:\Windows\babon.exeC:\Windows\babon.exe40⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe40⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"40⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"40⤵
- Modifies Control Panel
- System policy modification
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"40⤵
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Modifies Internet Explorer start page
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2560 -s 72040⤵
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"41⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"41⤵
-
-
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"37⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"37⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"37⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1828 -s 71237⤵
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"38⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"38⤵
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"36⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
-
C:\Windows\babon.exeC:\Windows\babon.exe37⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe37⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"37⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"37⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"37⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4060 -s 78037⤵
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"38⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"38⤵
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4736 -s 70436⤵
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"37⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"37⤵
-
-
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe35⤵
- Modifies registry class
-
C:\Windows\babon.exeC:\Windows\babon.exe36⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe36⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"36⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"36⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"36⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4480 -s 67236⤵
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"37⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"37⤵
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"35⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"35⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"35⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1560 -s 74035⤵
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"36⤵
- Modifies WinLogon
- Modifies Internet Explorer settings
-
C:\Windows\babon.exeC:\Windows\babon.exe37⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe37⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"37⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"37⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"37⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1220 -s 72037⤵
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"38⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"38⤵
-
-
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"36⤵
- Modifies WinLogon
- Drops file in Windows directory
-
C:\Windows\babon.exeC:\Windows\babon.exe37⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe37⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"37⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"37⤵
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
-
C:\Windows\babon.exeC:\Windows\babon.exe38⤵
- Modifies visiblity of hidden/system files in Explorer
- Disables cmd.exe use via registry modification
- Adds Run key to start application
- Enumerates connected drives
- Modifies Internet Explorer start page
- Modifies registry class
-
C:\Windows\babon.exeC:\Windows\babon.exe39⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe39⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"39⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"39⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"39⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2444 -s 70439⤵
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"40⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"40⤵
-
-
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe38⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"38⤵
- Modifies system executable filetype association
- Drops file in System32 directory
-
C:\Windows\babon.exeC:\Windows\babon.exe39⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe39⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"39⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"39⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"39⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3700 -s 76439⤵
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"40⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"40⤵
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"38⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"38⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4684 -s 75238⤵
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"39⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"39⤵
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"37⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3412 -s 80037⤵
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"38⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"38⤵
-
-
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"34⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"34⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1000 -s 74034⤵
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"35⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"35⤵
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4860 -s 76833⤵
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"34⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"34⤵
-
-
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"32⤵
- Modifies visiblity of hidden/system files in Explorer
- Modifies system executable filetype association
-
C:\Windows\babon.exeC:\Windows\babon.exe33⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe33⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"33⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"33⤵
- Modifies visiblity of hidden/system files in Explorer
- Modifies WinLogon
- Modifies Control Panel
-
C:\Windows\babon.exeC:\Windows\babon.exe34⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe34⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"34⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"34⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"34⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2000 -s 79634⤵
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"35⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"35⤵
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"33⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3692 -s 71633⤵
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"34⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"34⤵
-
-
-
-
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe30⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"30⤵
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Modifies system executable filetype association
- Enumerates connected drives
- Modifies WinLogon
-
C:\Windows\babon.exeC:\Windows\babon.exe31⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe31⤵
- Modifies WinLogon
- Modifies registry class
- System policy modification
-
C:\Windows\babon.exeC:\Windows\babon.exe32⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe32⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"32⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"32⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"32⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3132 -s 75232⤵
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"33⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"33⤵
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"31⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"31⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"31⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2104 -s 73631⤵
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"32⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"32⤵
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"30⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"30⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2276 -s 76430⤵
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"31⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"31⤵
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"29⤵
- Modifies Control Panel
-
C:\Windows\babon.exeC:\Windows\babon.exe30⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe30⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"30⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"30⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"30⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 748 -s 79230⤵
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"31⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"31⤵
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2860 -s 74029⤵
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"30⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"30⤵
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"28⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"28⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4940 -s 75628⤵
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"29⤵
- Disables cmd.exe use via registry modification
- Adds Run key to start application
-
C:\Windows\babon.exeC:\Windows\babon.exe30⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe30⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"30⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"30⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"30⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3884 -s 76830⤵
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"31⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"31⤵
-
-
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"29⤵
- Drops file in System32 directory
- Modifies Internet Explorer start page
- Modifies registry class
-
C:\Windows\babon.exeC:\Windows\babon.exe30⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe30⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"30⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"30⤵
- Modifies visibility of file extensions in Explorer
- Enumerates connected drives
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
-
C:\Windows\babon.exeC:\Windows\babon.exe31⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe31⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"31⤵
- Disables RegEdit via registry modification
- Enumerates connected drives
-
C:\Windows\babon.exeC:\Windows\babon.exe32⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe32⤵
- Modifies visiblity of hidden/system files in Explorer
- Disables cmd.exe use via registry modification
- Drops file in System32 directory
- Modifies Control Panel
-
C:\Windows\babon.exeC:\Windows\babon.exe33⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe33⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"33⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"33⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"33⤵
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Drops file in Windows directory
- Modifies registry class
-
C:\Windows\babon.exeC:\Windows\babon.exe34⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe34⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"34⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"34⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"34⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3676 -s 68834⤵
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"35⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"35⤵
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1828 -s 73633⤵
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"34⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"34⤵
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"32⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"32⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"32⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4976 -s 74032⤵
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"33⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"33⤵
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"31⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"31⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4952 -s 70431⤵
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"32⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"32⤵
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"30⤵
- Modifies visiblity of hidden/system files in Explorer
- System policy modification
-
C:\Windows\babon.exeC:\Windows\babon.exe31⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe31⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"31⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"31⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"31⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1128 -s 74831⤵
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"32⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"32⤵
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3672 -s 76430⤵
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"31⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"31⤵
-
-
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"27⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"27⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"27⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2008 -s 70427⤵
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"28⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"28⤵
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"26⤵
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Enumerates connected drives
- Drops file in Windows directory
-
C:\Windows\babon.exeC:\Windows\babon.exe27⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe27⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"27⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"27⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"27⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1988 -s 68827⤵
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"28⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"28⤵
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1224 -s 72026⤵
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"27⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"27⤵
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"25⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"25⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1912 -s 73625⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"26⤵
- Modifies system executable filetype association
- Enumerates connected drives
-
C:\Windows\babon.exeC:\Windows\babon.exe27⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe27⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"27⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"27⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"27⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2708 -s 78427⤵
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"28⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"28⤵
-
-
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"26⤵
- Modifies registry class
-
C:\Windows\babon.exeC:\Windows\babon.exe27⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe27⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"27⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"27⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"27⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3376 -s 71627⤵
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"28⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"28⤵
-
-
-
-
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe24⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"24⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"24⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"24⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3776 -s 72424⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"25⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"25⤵
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4676 -s 73223⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"24⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"24⤵
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"22⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"22⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3804 -s 73622⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"23⤵
- Modifies visiblity of hidden/system files in Explorer
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
-
C:\Windows\babon.exeC:\Windows\babon.exe24⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe24⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"24⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"24⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"24⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4848 -s 76424⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"25⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"25⤵
-
-
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"23⤵
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Modifies system executable filetype association
- Drops file in System32 directory
- Modifies Control Panel
-
C:\Windows\babon.exeC:\Windows\babon.exe24⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe24⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"24⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"24⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"24⤵
- Enumerates connected drives
- Modifies Control Panel
-
C:\Windows\babon.exeC:\Windows\babon.exe25⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe25⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"25⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"25⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"25⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3952 -s 74025⤵
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"26⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"26⤵
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3128 -s 72024⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"25⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"25⤵
-
-
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"21⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"21⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"21⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4692 -s 76421⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"22⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"22⤵
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"20⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3948 -s 79220⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"21⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"21⤵
-
-
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"19⤵
-
C:\Windows\babon.exeC:\Windows\babon.exe20⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe20⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"20⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"20⤵
- System policy modification
-
C:\Windows\babon.exeC:\Windows\babon.exe21⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe21⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"21⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"21⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"21⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4596 -s 74021⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"22⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"22⤵
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"20⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4884 -s 72820⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"21⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"21⤵
-
-
-
-
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe17⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"17⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"17⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"17⤵
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Modifies WinLogon
- Modifies Control Panel
-
C:\Windows\babon.exeC:\Windows\babon.exe18⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe18⤵
- Modifies Internet Explorer start page
- Modifies registry class
-
C:\Windows\babon.exeC:\Windows\babon.exe19⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe19⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"19⤵
- Enumerates connected drives
- Modifies Internet Explorer start page
-
C:\Windows\babon.exeC:\Windows\babon.exe20⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe20⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"20⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"20⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"20⤵
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Drops file in System32 directory
-
C:\Windows\babon.exeC:\Windows\babon.exe21⤵
- Enumerates connected drives
- Modifies WinLogon
- Modifies Internet Explorer start page
- Modifies registry class
-
C:\Windows\babon.exeC:\Windows\babon.exe22⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe22⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"22⤵
- Modifies visiblity of hidden/system files in Explorer
- Disables cmd.exe use via registry modification
- Drops file in System32 directory
- Modifies Internet Explorer start page
-
C:\Windows\babon.exeC:\Windows\babon.exe23⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe23⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"23⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"23⤵
- Modifies visibility of file extensions in Explorer
- Modifies Internet Explorer settings
-
C:\Windows\babon.exeC:\Windows\babon.exe24⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe24⤵
- Drops file in System32 directory
- Modifies Control Panel
-
C:\Windows\babon.exeC:\Windows\babon.exe25⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe25⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"25⤵
- Disables cmd.exe use via registry modification
- Modifies system executable filetype association
- Drops file in Windows directory
-
C:\Windows\babon.exeC:\Windows\babon.exe26⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe26⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"26⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"26⤵
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Modifies WinLogon
- Modifies Internet Explorer start page
- Modifies registry class
-
C:\Windows\babon.exeC:\Windows\babon.exe27⤵
- Modifies WinLogon for persistence
- Disables RegEdit via registry modification
- Modifies system executable filetype association
- Enumerates connected drives
- Modifies WinLogon
- Modifies Internet Explorer settings
-
C:\Windows\babon.exeC:\Windows\babon.exe28⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe28⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"28⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"28⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"28⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5048 -s 74028⤵
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"29⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"29⤵
-
-
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe27⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"27⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"27⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"27⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3404 -s 64427⤵
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"28⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"28⤵
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"26⤵
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
-
C:\Windows\babon.exeC:\Windows\babon.exe27⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe27⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"27⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"27⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"27⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2812 -s 73627⤵
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"28⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"28⤵
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2956 -s 68826⤵
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"27⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"27⤵
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"25⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"25⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3576 -s 75625⤵
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"26⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"26⤵
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"24⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"24⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"24⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 748 -s 73624⤵
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"25⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"25⤵
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"23⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 540 -s 69223⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"24⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"24⤵
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"22⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"22⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2976 -s 73622⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"23⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"23⤵
-
-
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe21⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"21⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"21⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"21⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2352 -s 74021⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"22⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"22⤵
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5072 -s 72020⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"21⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"21⤵
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"19⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"19⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3616 -s 73619⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"20⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"20⤵
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"18⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"18⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"18⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5100 -s 68818⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"19⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"19⤵
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3624 -s 73617⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"18⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"18⤵
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"16⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1040 -s 71616⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"17⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"17⤵
-
-
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"15⤵
- Adds Run key to start application
- System policy modification
-
C:\Windows\babon.exeC:\Windows\babon.exe16⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe16⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"16⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"16⤵
- Disables cmd.exe use via registry modification
- Modifies WinLogon
- Drops file in System32 directory
- Modifies Internet Explorer start page
- Modifies registry class
-
C:\Windows\babon.exeC:\Windows\babon.exe17⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe17⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"17⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"17⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"17⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Modifies system executable filetype association
- Enumerates connected drives
- Modifies registry class
-
C:\Windows\babon.exeC:\Windows\babon.exe18⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe18⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"18⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"18⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"18⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4492 -s 73618⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"19⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"19⤵
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2284 -s 73617⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"18⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"18⤵
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"16⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3672 -s 78816⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"17⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"17⤵
-
-
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"13⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"13⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"13⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4996 -s 62813⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"14⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"14⤵
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"12⤵
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- System policy modification
-
C:\Windows\babon.exeC:\Windows\babon.exe13⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe13⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"13⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"13⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"13⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1912 -s 76813⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"14⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"14⤵
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"12⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2860 -s 79612⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"13⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"13⤵
-
-
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"9⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"9⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"9⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 624 -s 7529⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"10⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"10⤵
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"8⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4948 -s 7248⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"9⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"9⤵
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2120 -s 7527⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"8⤵
- Loads dropped DLL
- Adds Run key to start application
- Modifies Control Panel
- System policy modification
-
C:\Windows\babon.exeC:\Windows\babon.exe9⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe9⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"9⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"9⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"9⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4880 -s 7809⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"10⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"10⤵
-
-
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"8⤵
- Modifies visibility of file extensions in Explorer
- Disables cmd.exe use via registry modification
- Modifies WinLogon
- Drops file in System32 directory
- Modifies Internet Explorer start page
-
C:\Windows\babon.exeC:\Windows\babon.exe9⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe9⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"9⤵
- Modifies Control Panel
- Modifies Internet Explorer settings
- System policy modification
-
C:\Windows\babon.exeC:\Windows\babon.exe10⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe10⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"10⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"10⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"10⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4720 -s 74810⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"11⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"11⤵
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"9⤵
- Modifies system executable filetype association
-
C:\Windows\babon.exeC:\Windows\babon.exe10⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe10⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"10⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"10⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"10⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2340 -s 74810⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"11⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"11⤵
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"9⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3224 -s 6609⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"10⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"10⤵
-
-
-
-
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4528 -s 6886⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Windows\babon.exeC:\Windows\babon.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1108 -s 6846⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"5⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
C:\Windows\babon.exeC:\Windows\babon.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4340 -s 6286⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"7⤵
- Loads dropped DLL
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"7⤵
- Loads dropped DLL
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4012 -s 7965⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
-
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"4⤵
- Disables cmd.exe use via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Windows\babon.exeC:\Windows\babon.exe5⤵
- Loads dropped DLL
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe5⤵
- Loads dropped DLL
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"5⤵
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Modifies system executable filetype association
- Enumerates connected drives
- Modifies WinLogon
- Modifies Internet Explorer start page
-
C:\Windows\babon.exeC:\Windows\babon.exe6⤵
- Loads dropped DLL
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe6⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Enumerates connected drives
-
C:\Windows\babon.exeC:\Windows\babon.exe7⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe7⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"7⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"7⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"7⤵
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Modifies Internet Explorer start page
-
C:\Windows\babon.exeC:\Windows\babon.exe8⤵
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe8⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"8⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"8⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"8⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2532 -s 7368⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"9⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"9⤵
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3848 -s 7847⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"8⤵
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"8⤵
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"6⤵
- Loads dropped DLL
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"6⤵
- Loads dropped DLL
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"6⤵
- Loads dropped DLL
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4584 -s 7246⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"7⤵
- Loads dropped DLL
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"7⤵
- Loads dropped DLL
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"5⤵
- Loads dropped DLL
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
-
C:\Windows\babon.exeC:\Windows\babon.exe6⤵
- Loads dropped DLL
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe6⤵
- Loads dropped DLL
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"6⤵
- Loads dropped DLL
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"6⤵
- Loads dropped DLL
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"6⤵
- Loads dropped DLL
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 400 -s 7646⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"7⤵
- Loads dropped DLL
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"7⤵
- Loads dropped DLL
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"5⤵
- Loads dropped DLL
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1584 -s 7645⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"6⤵
- Loads dropped DLL
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"6⤵
- Loads dropped DLL
-
-
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"2⤵
- Modifies WinLogon for persistence
- Disables cmd.exe use via registry modification
- Executes dropped EXE
- Modifies system executable filetype association
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\babon.exeC:\Windows\babon.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3848 -s 7203⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"2⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Modifies WinLogon
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\babon.exeC:\Windows\babon.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2220 -s 7323⤵
- Program crash
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\Shell.exe"C:\Windows\system32\Shell.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"2⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- Executes dropped EXE
- Modifies system executable filetype association
- Modifies Control Panel
- Modifies Internet Explorer start page
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\babon.exeC:\Windows\babon.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4892 -ip 48921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3848 -ip 38481⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2688 -ip 26881⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 2220 -ip 22201⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2836 -ip 28361⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4012 -ip 40121⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4528 -ip 45281⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 1108 -ip 11081⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4340 -ip 43401⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1584 -ip 15841⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2120 -ip 21201⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4584 -ip 45841⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 400 -ip 4001⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4948 -ip 49481⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4880 -ip 48801⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3848 -ip 38481⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2056 -ip 20561⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 624 -ip 6241⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 3224 -ip 32241⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 2532 -ip 25321⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1400 -ip 14001⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4720 -ip 47201⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 2340 -ip 23401⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4696 -ip 46961⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1584 -ip 15841⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3168 -ip 31681⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2752 -ip 27521⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 3108 -ip 31081⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1772 -ip 17721⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2860 -ip 28601⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4884 -ip 48841⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4996 -ip 49961⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 1912 -ip 19121⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 3724 -ip 37241⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 220 -ip 2201⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 4588 -ip 45881⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 2860 -ip 28601⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1772 -ip 17721⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1040 -ip 10401⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4488 -ip 44881⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4848 -ip 48481⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 3624 -ip 36241⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 1912 -ip 19121⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 3672 -ip 36721⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 2952 -ip 29521⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 5100 -ip 51001⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2284 -ip 22841⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3772 -ip 37721⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 3948 -ip 39481⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 3616 -ip 36161⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4492 -ip 44921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4692 -ip 46921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 5072 -ip 50721⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4884 -ip 48841⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 3804 -ip 38041⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 2352 -ip 23521⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 4596 -ip 45961⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4676 -ip 46761⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4848 -ip 48481⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 2976 -ip 29761⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 884 -ip 8841⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 3776 -ip 37761⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 540 -ip 5401⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 3128 -ip 31281⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1912 -ip 19121⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 748 -ip 7481⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3952 -ip 39521⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 1224 -ip 12241⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2708 -ip 27081⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 3576 -ip 35761⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2008 -ip 20081⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 1988 -ip 19881⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 2956 -ip 29561⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3376 -ip 33761⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 4940 -ip 49401⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 3404 -ip 34041⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2812 -ip 28121⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 2860 -ip 28601⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3884 -ip 38841⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 5048 -ip 50481⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2276 -ip 22761⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 748 -ip 7481⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 3672 -ip 36721⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 4780 -ip 47801⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2104 -ip 21041⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1128 -ip 11281⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 4952 -ip 49521⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 3132 -ip 31321⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4860 -ip 48601⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4976 -ip 49761⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4564 -ip 45641⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1000 -ip 10001⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3692 -ip 36921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 1828 -ip 18281⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 1560 -ip 15601⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2000 -ip 20001⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 3676 -ip 36761⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4736 -ip 47361⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 4480 -ip 44801⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1220 -ip 12201⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 1828 -ip 18281⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4060 -ip 40601⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 3412 -ip 34121⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 704 -ip 7041⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 3676 -ip 36761⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4684 -ip 46841⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 3408 -ip 34081⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 4916 -ip 49161⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2444 -ip 24441⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 3700 -ip 37001⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3748 -ip 37481⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 696 -ip 6961⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 2560 -ip 25601⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
1Winlogon Helper DLL
2Event Triggered Execution
1Change Default File Association
1Privilege Escalation
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
1Winlogon Helper DLL
2Event Triggered Execution
1Change Default File Association
1Defense Evasion
Hide Artifacts
2Hidden Files and Directories
2Modify Registry
9Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
147KB
MD5757705822c0d9aa8b2d68d28175fd0e5
SHA122c5ada0940605ded478b478f892c249053e2113
SHA2560bf817a14a5a03b178b36d11fd1dd038858fb3c5225b34b43f474ee41d9c1c77
SHA51247787fba1bd46c1304a73c46963bdb195bff1f445b816644873de9f9864a3a8e15d0aa42f71a5a498a8ae495b40483997f3156a72f20b604daef959dd448109f
-
Filesize
147KB
MD53fd529af4a65ccacc361dbae9b76a0b5
SHA18b39105c0b172c4bea8c093982919e47ad051486
SHA256601fbd06ba4e6ef9c33b1b5e7021223c865facce07be7b0ba298b795908d05f6
SHA51249db8a85fafbc859dd10f059b185ad4ae9d9e1540f16c2b868c5c9f4ed0289f6fdfc52ea1416b5102e047e02163150bf3e6542cba095fa1345930cf7c1ffd72f
-
Filesize
147KB
MD5c92f420a6acc7cdd6d4b655bb5e3f482
SHA1173635e86ebcba6085cd824f3add71c65294bc60
SHA2561c01b167804a4f7d3d5fe441ede78f89fcb4be04ed034b332b14f602347ba789
SHA512df754d829f449b1616535fc1bbcc33ccfbb18a3e03053496c8ed7e92bff39a640cf078116b6677d5ee71ece5df32947365cd751fc63f5775f73bd0799ec054be
-
Filesize
147KB
MD55064222fe180b7105f2c889d422dd6d0
SHA167f0e38e2f66c6decc71a3adb7f652847ea0963a
SHA2562c9c12b015719b15b5748c1aad7f95f358572da344b23fd47a78738b38bde3b8
SHA512862f104f8d08e1049216d187acb6b5bcdc7f007fb403327b7ded55ced39186dd4ead274b94beb840e74ef31ec11373eede035293f907c41bb47823dc738a2c39
-
Filesize
147KB
MD53498f2d65fcf32505a9a77ae09d63e3f
SHA1612652c8ef5ce35849c90edd96b0292ba3914eaa
SHA2566a3d82ec2d1fff6bcd2a022803878d1ba0a11433ad68d689386c684b093a7794
SHA5127f1ff5e3c33fafde199e95a0febb7906a2edb3b96d6d2ff5919e9e02cfd1d1163f1097938c8695a5798d1307db8aabcf13153ed36764b8d66a4ed2155a275782
-
Filesize
147KB
MD5b2721654dba7aebed6ac139372d633df
SHA11b82d0222837cebf272b031b5b24e49f479b4cc9
SHA2563f8f3ff9aa41499374e5debf8bcc5d5403ffa819de122134bda853d5051723e0
SHA512303c42a7b33c08a605debc6ad4becc0cb9d1ed50da44feb642e1702fe22ae49ee556afe64652d5b60429484749d4659f081303ef99b6bf6c387c420a2e6d0a58
-
Filesize
147KB
MD5fe1ad129e82a658137bf7f7b357161b9
SHA1ca71c7901c4787f09752d53f0b76c72e2af8daff
SHA256ea7504374f4478e92fa6da2619b67aff465454db5ca161cfff8353d71b30d9cb
SHA512b9c8748f56470e614c7a7fba4b39a7739c7913b9e6773fc3d9408fba36adb781ceef4afa77c3afe3603dfa4178985986eeb1ac915fd25feaedf84e30788e9bbe
-
Filesize
147KB
MD52fceaa67ffdb549e1c07a2ad9dafb740
SHA1112e8961efc44ac1192b6e87c2929e6b8a7fea31
SHA256996e4aa3e5bd9b2d2e217c8215553074be7de2a75bfc198bf6eecab1cd7ab1a2
SHA512b469af674610853c1cc5e02845ed327b8d186db2e56678abd6825161c5eaf3fc1798a24bd1d0ef3749b47a90237edbf2137749712a488ff55cef8fe0ef3e8882
-
Filesize
147KB
MD539b2ca8bcf401ca8d25bb4b896f89481
SHA16f5f0f6651a8a1175a4e205dfe50a83d5bc5d2af
SHA256f8dbaafa7cee3859d08fc9fbe7359b9412eb0e4fc18a55de5076bd4f32dfaeee
SHA51216c03b16f9a51174ccc2f7fabe08f6fa87a2b30668fe4eaf4143816537b2f644528b721f2a7d23e14c7b1c78fa38a20be705f09faafe88614970dc2d07a1640d
-
Filesize
147KB
MD5b1a2bc469489fa8d4194ed0c5f3a64d1
SHA1839cc433691711b4b00d2879f636a7c623f28f1a
SHA2566093382c44fd4808f688302660e1e008d2e08f2163af6e52eeb04865ff57c1ad
SHA51239640d64c550c544609c98fcb8688ea166ba55f149ea1ab798761da10ba8eb0e987e44081d02fd11dc605a5fa382e4869622ebf3694fcc911527d623a7c4e741
-
Filesize
147KB
MD5938044d00f02dc18fd0ef23feb336a84
SHA1a8a271360eb295c9a5c158a9d41292c93818c76a
SHA25606eccfc2d4d82f5ff3bcd99b5ee4541b16175b1294d80e7a6656aaaf1058abcd
SHA512b845e4864d0a9cab8934bedaecc0b13c1002626ca8a5618c5dc1ee4a460db057a3b4fa9815da41c9c212a80ea45c425b0ee12a4b621af903ea4870e4a626e627
-
Filesize
147KB
MD5ed8fa1dfafec8d8c5775c9f6ff0bb6e7
SHA1b4f875300b7fad6e8e27dfa97dbf49569254154a
SHA256edc39df15e5731d2187e3ee0cf54d86313cf81b3cbf67ec693ebafd4b00716a2
SHA5121ed2e536e3c8f1a8d44ac795cecb2c3af578978f41115b696830dc83f5ec992c346dcd2c8ba77498852e96ff6a0c73cb9a1d839acba0a4eed21677af4c4f625d
-
Filesize
147KB
MD554928f091cf9bea1fc6a2485270bfe6c
SHA12861e2c68420158fcb10dc2d6263b221f72b9b0a
SHA256cd1cda7c54aeede9a0d3d304f54d621fea4024971378bcc9408a9ccad28c4e7f
SHA512f7e867fd54cee69b38fe290d3dd005a891911369e8d84cc28c6dfd4958c21662bc667b83f07de70055c13748624f58f1db7e4f013c2223b350ab3a5b5567d3d8
-
Filesize
147KB
MD5d289080c54a9671465fae9f7e5861066
SHA112f805f0235e0c714cba9fd3fa83ecfa3b16a82d
SHA2565fed49ca0a75c0dcfa627217b7a0f9fb04c330b116f6b7f00c9e3311b5e6cfeb
SHA512eb59c8faed90a6a3530eb56749777878086b103d117453ad1ff2094ffc07dafed2d519552a659c1de0968f653bc116cc232f74a457ac7eafd0188583eece27e5
-
Filesize
147KB
MD596d5682fc5d401ad2747bc58599be827
SHA1176fb56e99e1085984eff27ba39ee0d22d4690e3
SHA2563c8ffc0a00f57e75ecc21457511df9ebb1f3915df13ef07ec2c529b3f4127307
SHA5123959758c471ca372b406a383c3a63a491f976c811e3dd181a0010e34ace7cb4b5212b05ad297e2b6de82e8c024746fd9579270acd13b9a7fc78029761ef2c1bc
-
Filesize
1.4MB
MD525f62c02619174b35851b0e0455b3d94
SHA14e8ee85157f1769f6e3f61c0acbe59072209da71
SHA256898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
SHA512f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a
-
Filesize
147KB
MD511c276fe729f404b6db74197977a978b
SHA1e1e17b2d7b21fd2fe4267f9ed05260705b01ddef
SHA256d1f92ea32e0a1515fbd640925df08ffb2a80dd97d053a3d058116526041da6d9
SHA512afc349d3f281793e2ca5fd9ba891dc43ff6edd18dda72bf666a323b8dd09f68469e5ab3e5774baf31c4d29c5aa44a8cad233c40754587ef013e93d2fa54c3df7
-
Filesize
147KB
MD55bed8d5bd1f59012c6cf9ac249801b36
SHA12ba2acee04432b1dad2de5f15eb247e809ae83bf
SHA256f854c1182c9a2d3cc4717bee7305f96adfa99a9dc1343f4c8f95d681329fcdb1
SHA512666eaf7da22cc4e3cef1aada63cf3eab1a97f0d29810264c26c95e104956dace0d075490ced410694308fcf6e36f650c7ec7d2c1034e5d2d5bd403f603b33e95
-
Filesize
359B
MD5df2f3e6971a7548c1688706f9a9798a8
SHA1e38539857523a1e7eb3aa857e017bf6461b16a08
SHA2561fd0a101a74c19c0c9e287eac64ee506df3eebdbc11f12022dda94fedd123918
SHA512d2d41257135381d7f4c4936139282a505094af7a8f9bc824ccc08d09da9ab010b6adf1460feacf5c0151cb9d4299b8bde934fd90904bb3c3ce6c396af449c072
-
Filesize
41B
MD5097661e74e667ec2329bc274acb87b0d
SHA191c68a6089af2f61035e2e5f2a8da8c908dc93ed
SHA256aab4cf640f2520966a0aac31af8d1b819eea28736c6b103db16b07c3188ec6c0
SHA512e90e678526270cd9388538246793534411c478b082ab914bfe2756b18771229f146c731c0f9c94ed59d8689b2ef77d25f7b22d3d6b8c2d439e5b3437f8dc649e
-
Filesize
208KB
-
Filesize
208KB
-
Filesize
208KB
-
Filesize
208KB
-
Filesize
208KB
-
Filesize
208KB
-
Filesize
208KB
-
Filesize
208KB
-
Filesize
208KB
-
Filesize
208KB
-
Filesize
208KB
-
Filesize
208KB
-
Filesize
208KB
-
Filesize
208KB
-
Filesize
208KB
-
Filesize
208KB
-
Filesize
208KB
-
Filesize
208KB
-
Filesize
208KB
-
Filesize
208KB
-
Filesize
208KB
-
Filesize
208KB
-
Filesize
208KB
-
Filesize
208KB
-
Filesize
208KB
-
Filesize
208KB
-
Filesize
208KB
-
Filesize
208KB
-
Filesize
208KB
-
Filesize
208KB
-
Filesize
208KB
-
Filesize
208KB
-
Filesize
208KB
-
Filesize
208KB
-
Filesize
208KB
-
Filesize
208KB
-
Filesize
208KB
-
Filesize
208KB
-
Filesize
208KB
-
Filesize
208KB
-
Filesize
208KB
-
Filesize
208KB
-
Filesize
208KB
-
Filesize
208KB
-
Filesize
208KB
-
Filesize
208KB
-
Filesize
208KB
-
Filesize
208KB
-
Filesize
208KB
-
Filesize
208KB
-
Filesize
208KB
-
Filesize
208KB
-
Filesize
208KB
-
Filesize
208KB
-
Filesize
208KB
-
Filesize
208KB
-
Filesize
208KB
-
Filesize
208KB
-
Filesize
208KB
-
Filesize
208KB
-
Filesize
208KB
-
Filesize
208KB
-
Filesize
208KB
-
Filesize
208KB
-
Filesize
208KB
-
Filesize
208KB
-
Filesize
208KB
-
Filesize
208KB
-
Filesize
208KB
-
Filesize
208KB
-
Filesize
208KB
-
Filesize
208KB
-
Filesize
208KB
-
Filesize
208KB
-
Filesize
208KB
-
Filesize
208KB
-
Filesize
208KB
-
Filesize
208KB
-
Filesize
208KB
-
Filesize
208KB
-
Filesize
208KB
-
Filesize
208KB
-
Filesize
208KB
-
Filesize
208KB
-
Filesize
208KB
-
Filesize
208KB
-
Filesize
208KB
-
Filesize
208KB
-
Filesize
208KB
-
Filesize
208KB
-
Filesize
208KB
-
Filesize
208KB
-
Filesize
208KB
-
Filesize
208KB
-
Filesize
208KB
-
Filesize
208KB