Analysis
-
max time kernel
149s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240215-en -
resource tags
arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system -
submitted
16-05-2024 00:44
Behavioral task
behavioral1
Sample
66caf603baa5fcce64131292a13afe30_NeikiAnalytics.exe
Resource
win7-20240215-en
Behavioral task
behavioral2
Sample
66caf603baa5fcce64131292a13afe30_NeikiAnalytics.exe
Resource
win10v2004-20240426-en
General
-
Target
66caf603baa5fcce64131292a13afe30_NeikiAnalytics.exe
-
Size
45KB
-
MD5
66caf603baa5fcce64131292a13afe30
-
SHA1
7b8710d4c2a373f354d6b4dc1ad83422b3181ea1
-
SHA256
0621355ac15ceecdedc4a2eb62db26b08643b3d52bed0275895abb3956cae3f3
-
SHA512
b5185aa320fe3c65444520291a9cd9471ed3d5ce0828fb6ea709a65f3d0adf4adf0e04503049378d0807638f8eafd733e0aed8156cd3e1beff458f7f86230c7f
-
SSDEEP
768:/h4AXKiTroAq0RB+XPPmNwQLNXEzTxideVASwekft5nEwe:/a8jroAbRB+XWCQLZeIdSwk9
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 12 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" 66caf603baa5fcce64131292a13afe30_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" lsass.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" 66caf603baa5fcce64131292a13afe30_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" babon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" babon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" lsass.exe -
Modifies visibility of file extensions in Explorer 2 TTPs 6 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" 66caf603baa5fcce64131292a13afe30_NeikiAnalytics.exe Set value (int) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" babon.exe Set value (int) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" IExplorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" winlogon.exe Set value (int) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" csrss.exe Set value (int) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" lsass.exe -
Modifies visiblity of hidden/system files in Explorer 2 TTPs 6 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" lsass.exe Set value (int) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" 66caf603baa5fcce64131292a13afe30_NeikiAnalytics.exe Set value (int) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" babon.exe Set value (int) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" IExplorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" winlogon.exe Set value (int) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" csrss.exe -
Disables RegEdit via registry modification 6 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" babon.exe Set value (int) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" IExplorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" winlogon.exe Set value (int) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" csrss.exe Set value (int) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" lsass.exe Set value (int) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" 66caf603baa5fcce64131292a13afe30_NeikiAnalytics.exe -
Disables Task Manager via registry modification
-
Disables cmd.exe use via registry modification 6 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" lsass.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" 66caf603baa5fcce64131292a13afe30_NeikiAnalytics.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" babon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" IExplorer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" csrss.exe -
Disables use of System Restore points 1 TTPs
-
resource yara_rule behavioral1/files/0x0007000000016d16-8.dat aspack_v212_v242 behavioral1/files/0x0008000000016d36-103.dat aspack_v212_v242 behavioral1/files/0x00050000000186d3-109.dat aspack_v212_v242 behavioral1/files/0x000500000001874a-129.dat aspack_v212_v242 behavioral1/files/0x000500000001874c-135.dat aspack_v212_v242 behavioral1/files/0x0006000000018bba-145.dat aspack_v212_v242 behavioral1/memory/2892-152-0x0000000001F50000-0x0000000001F73000-memory.dmp aspack_v212_v242 behavioral1/files/0x00050000000191eb-161.dat aspack_v212_v242 behavioral1/memory/2708-223-0x0000000002640000-0x0000000002663000-memory.dmp aspack_v212_v242 behavioral1/files/0x00050000000191eb-193.dat aspack_v212_v242 behavioral1/files/0x0005000000018700-301.dat aspack_v212_v242 behavioral1/memory/2456-406-0x00000000024D0000-0x00000000024F3000-memory.dmp aspack_v212_v242 behavioral1/files/0x00050000000186c1-299.dat aspack_v212_v242 behavioral1/files/0x000500000001865a-296.dat aspack_v212_v242 behavioral1/files/0x0008000000016d3a-295.dat aspack_v212_v242 behavioral1/files/0x00050000000191eb-294.dat aspack_v212_v242 behavioral1/files/0x0005000000018700-254.dat aspack_v212_v242 behavioral1/files/0x00050000000186c1-252.dat aspack_v212_v242 behavioral1/files/0x000500000001865a-249.dat aspack_v212_v242 behavioral1/files/0x0008000000016d3a-248.dat aspack_v212_v242 -
Executes dropped EXE 30 IoCs
pid Process 2456 babon.exe 2708 IExplorer.exe 1452 winlogon.exe 1568 csrss.exe 2280 lsass.exe 1916 babon.exe 1780 babon.exe 1704 IExplorer.exe 944 IExplorer.exe 1552 babon.exe 3044 winlogon.exe 1544 winlogon.exe 304 csrss.exe 908 IExplorer.exe 2192 lsass.exe 1308 babon.exe 2800 IExplorer.exe 3052 csrss.exe 2868 winlogon.exe 2684 babon.exe 2504 winlogon.exe 2560 csrss.exe 2440 lsass.exe 2884 csrss.exe 2148 lsass.exe 1788 IExplorer.exe 1572 lsass.exe 1240 winlogon.exe 1796 csrss.exe 1564 lsass.exe -
Loads dropped DLL 45 IoCs
pid Process 2892 66caf603baa5fcce64131292a13afe30_NeikiAnalytics.exe 2892 66caf603baa5fcce64131292a13afe30_NeikiAnalytics.exe 2892 66caf603baa5fcce64131292a13afe30_NeikiAnalytics.exe 2892 66caf603baa5fcce64131292a13afe30_NeikiAnalytics.exe 2892 66caf603baa5fcce64131292a13afe30_NeikiAnalytics.exe 2892 66caf603baa5fcce64131292a13afe30_NeikiAnalytics.exe 2892 66caf603baa5fcce64131292a13afe30_NeikiAnalytics.exe 2892 66caf603baa5fcce64131292a13afe30_NeikiAnalytics.exe 2456 babon.exe 2456 babon.exe 2708 IExplorer.exe 2708 IExplorer.exe 2708 IExplorer.exe 2708 IExplorer.exe 2456 babon.exe 2456 babon.exe 1452 winlogon.exe 1452 winlogon.exe 2708 IExplorer.exe 2708 IExplorer.exe 2708 IExplorer.exe 2708 IExplorer.exe 2456 babon.exe 2456 babon.exe 1568 csrss.exe 1568 csrss.exe 1568 csrss.exe 1568 csrss.exe 1568 csrss.exe 1452 winlogon.exe 2456 babon.exe 2456 babon.exe 1452 winlogon.exe 1568 csrss.exe 1568 csrss.exe 1452 winlogon.exe 2280 lsass.exe 2280 lsass.exe 2280 lsass.exe 2280 lsass.exe 1452 winlogon.exe 1452 winlogon.exe 2280 lsass.exe 2280 lsass.exe 2280 lsass.exe -
Modifies system executable filetype association 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command 66caf603baa5fcce64131292a13afe30_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" babon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" IExplorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" lsass.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" 66caf603baa5fcce64131292a13afe30_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" 66caf603baa5fcce64131292a13afe30_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" babon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command babon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" IExplorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command IExplorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command lsass.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command lsass.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command 66caf603baa5fcce64131292a13afe30_NeikiAnalytics.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command babon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" IExplorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" babon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command babon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" IExplorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command lsass.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" lsass.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell 66caf603baa5fcce64131292a13afe30_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command 66caf603baa5fcce64131292a13afe30_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" 66caf603baa5fcce64131292a13afe30_NeikiAnalytics.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command babon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" babon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" babon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command IExplorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command IExplorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" lsass.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command 66caf603baa5fcce64131292a13afe30_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" 66caf603baa5fcce64131292a13afe30_NeikiAnalytics.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command IExplorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command lsass.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command babon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command IExplorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" lsass.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open 66caf603baa5fcce64131292a13afe30_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" 66caf603baa5fcce64131292a13afe30_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" babon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command lsass.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command 66caf603baa5fcce64131292a13afe30_NeikiAnalytics.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" winlogon.exe -
Adds Run key to start application 2 TTPs 24 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\lsass.exe" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\babon = "C:\\Windows\\babon" 66caf603baa5fcce64131292a13afe30_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\lsass.exe" babon.exe Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" IExplorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\babon = "C:\\Windows\\babon" IExplorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\babon = "C:\\Windows\\babon" winlogon.exe Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\csrss.exe" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\babon = "C:\\Windows\\babon" lsass.exe Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" 66caf603baa5fcce64131292a13afe30_NeikiAnalytics.exe Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\babon = "C:\\Windows\\babon" babon.exe Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" babon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\lsass.exe" lsass.exe Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\babon = "C:\\Windows\\babon" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\csrss.exe" lsass.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\lsass.exe" 66caf603baa5fcce64131292a13afe30_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\csrss.exe" babon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\lsass.exe" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\csrss.exe" winlogon.exe Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" lsass.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\csrss.exe" 66caf603baa5fcce64131292a13afe30_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\csrss.exe" IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\lsass.exe" IExplorer.exe -
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\I: babon.exe File opened (read-only) \??\Z: winlogon.exe File opened (read-only) \??\X: lsass.exe File opened (read-only) \??\Z: csrss.exe File opened (read-only) \??\N: babon.exe File opened (read-only) \??\V: winlogon.exe File opened (read-only) \??\B: lsass.exe File opened (read-only) \??\Y: lsass.exe File opened (read-only) \??\Q: IExplorer.exe File opened (read-only) \??\S: csrss.exe File opened (read-only) \??\P: babon.exe File opened (read-only) \??\K: winlogon.exe File opened (read-only) \??\O: winlogon.exe File opened (read-only) \??\K: lsass.exe File opened (read-only) \??\X: IExplorer.exe File opened (read-only) \??\I: csrss.exe File opened (read-only) \??\I: winlogon.exe File opened (read-only) \??\G: babon.exe File opened (read-only) \??\S: lsass.exe File opened (read-only) \??\Y: IExplorer.exe File opened (read-only) \??\V: csrss.exe File opened (read-only) \??\U: winlogon.exe File opened (read-only) \??\N: csrss.exe File opened (read-only) \??\Q: lsass.exe File opened (read-only) \??\R: lsass.exe File opened (read-only) \??\J: IExplorer.exe File opened (read-only) \??\J: babon.exe File opened (read-only) \??\H: lsass.exe File opened (read-only) \??\J: lsass.exe File opened (read-only) \??\M: lsass.exe File opened (read-only) \??\U: IExplorer.exe File opened (read-only) \??\Y: babon.exe File opened (read-only) \??\Q: winlogon.exe File opened (read-only) \??\Z: lsass.exe File opened (read-only) \??\B: csrss.exe File opened (read-only) \??\L: winlogon.exe File opened (read-only) \??\I: IExplorer.exe File opened (read-only) \??\T: csrss.exe File opened (read-only) \??\W: IExplorer.exe File opened (read-only) \??\W: csrss.exe File opened (read-only) \??\Q: babon.exe File opened (read-only) \??\U: babon.exe File opened (read-only) \??\X: babon.exe File opened (read-only) \??\P: winlogon.exe File opened (read-only) \??\T: winlogon.exe File opened (read-only) \??\G: IExplorer.exe File opened (read-only) \??\N: IExplorer.exe File opened (read-only) \??\Q: csrss.exe File opened (read-only) \??\H: winlogon.exe File opened (read-only) \??\Y: winlogon.exe File opened (read-only) \??\R: IExplorer.exe File opened (read-only) \??\H: csrss.exe File opened (read-only) \??\W: babon.exe File opened (read-only) \??\V: IExplorer.exe File opened (read-only) \??\G: csrss.exe File opened (read-only) \??\O: csrss.exe File opened (read-only) \??\L: babon.exe File opened (read-only) \??\L: IExplorer.exe File opened (read-only) \??\L: csrss.exe File opened (read-only) \??\U: csrss.exe File opened (read-only) \??\E: babon.exe File opened (read-only) \??\P: IExplorer.exe File opened (read-only) \??\X: csrss.exe File opened (read-only) \??\M: IExplorer.exe -
Modifies WinLogon 2 TTPs 18 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Welcome Friend" babon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Please enjoy the Babon Entertainment ^_^" babon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Welcome Friend" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Please enjoy the Babon Entertainment ^_^" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Welcome Friend" lsass.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Please enjoy the Babon Entertainment ^_^" 66caf603baa5fcce64131292a13afe30_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Welcome Friend" IExplorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ babon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Welcome Friend" 66caf603baa5fcce64131292a13afe30_NeikiAnalytics.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Please enjoy the Babon Entertainment ^_^" lsass.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ 66caf603baa5fcce64131292a13afe30_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Please enjoy the Babon Entertainment ^_^" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Welcome Friend" csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ lsass.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Please enjoy the Babon Entertainment ^_^" IExplorer.exe -
Drops autorun.inf file 1 TTPs 4 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description ioc Process File created C:\autorun.inf IExplorer.exe File opened for modification C:\autorun.inf IExplorer.exe File created F:\autorun.inf IExplorer.exe File opened for modification F:\autorun.inf IExplorer.exe -
Drops file in System32 directory 38 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\babon.scr csrss.exe File opened for modification C:\Windows\SysWOW64\babon.scr 66caf603baa5fcce64131292a13afe30_NeikiAnalytics.exe File opened for modification C:\Windows\SysWOW64\IExplorer.exe babon.exe File created C:\Windows\SysWOW64\IExplorer.exe IExplorer.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File created C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File created C:\Windows\SysWOW64\IExplorer.exe csrss.exe File opened for modification C:\Windows\SysWOW64\IExplorer.exe csrss.exe File opened for modification C:\Windows\SysWOW64\shell.exe lsass.exe File created C:\Windows\SysWOW64\IExplorer.exe 66caf603baa5fcce64131292a13afe30_NeikiAnalytics.exe File opened for modification C:\Windows\SysWOW64\babon.scr babon.exe File created C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\SysWOW64\IExplorer.exe winlogon.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File created C:\Windows\SysWOW64\IExplorer.exe babon.exe File opened for modification C:\Windows\SysWOW64\shell.exe winlogon.exe File created C:\Windows\SysWOW64\IExplorer.exe winlogon.exe File created C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File created C:\Windows\SysWOW64\shell.exe 66caf603baa5fcce64131292a13afe30_NeikiAnalytics.exe File opened for modification C:\Windows\SysWOW64\shell.exe IExplorer.exe File opened for modification C:\Windows\SysWOW64\babon.scr winlogon.exe File created C:\Windows\SysWOW64\IExplorer.exe lsass.exe File opened for modification C:\Windows\SysWOW64\shell.exe 66caf603baa5fcce64131292a13afe30_NeikiAnalytics.exe File created C:\Windows\SysWOW64\babon.scr 66caf603baa5fcce64131292a13afe30_NeikiAnalytics.exe File created C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\SysWOW64\babon.scr IExplorer.exe File opened for modification C:\Windows\SysWOW64\IExplorer.exe 66caf603baa5fcce64131292a13afe30_NeikiAnalytics.exe File opened for modification C:\Windows\SysWOW64\shell.exe babon.exe File opened for modification C:\Windows\SysWOW64\shell.exe csrss.exe File created C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File created C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\SysWOW64\IExplorer.exe IExplorer.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\SysWOW64\babon.scr lsass.exe File opened for modification C:\Windows\SysWOW64\IExplorer.exe lsass.exe -
Drops file in Windows directory 24 IoCs
description ioc Process File created C:\Windows\babon.exe 66caf603baa5fcce64131292a13afe30_NeikiAnalytics.exe File created C:\Windows\babon.exe babon.exe File created C:\Windows\babon.exe winlogon.exe File opened for modification C:\Windows\babon.exe csrss.exe File created C:\Windows\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\msvbvm60.dll IExplorer.exe File created C:\Windows\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\babon.exe babon.exe File created C:\Windows\babon.exe IExplorer.exe File created C:\Windows\msvbvm60.dll IExplorer.exe File created C:\Windows\babon.exe csrss.exe File opened for modification C:\Windows\babon.exe 66caf603baa5fcce64131292a13afe30_NeikiAnalytics.exe File opened for modification C:\Windows\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\babon.exe winlogon.exe File created C:\Windows\babon.exe lsass.exe File created C:\Windows\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\babon.exe IExplorer.exe File created C:\Windows\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\babon.exe lsass.exe File created C:\Windows\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\msvbvm60.dll IExplorer.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies Control Panel 54 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Control Panel\International\ babon.exe Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" IExplorer.exe Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Control Panel\Mouse\ IExplorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" lsass.exe Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Control Panel\Mouse\ 66caf603baa5fcce64131292a13afe30_NeikiAnalytics.exe Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" 66caf603baa5fcce64131292a13afe30_NeikiAnalytics.exe Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\babon.SCR" 66caf603baa5fcce64131292a13afe30_NeikiAnalytics.exe Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" winlogon.exe Set value (int) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Control Panel\Mouse\SwapMouseButtons = "1" winlogon.exe Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Control Panel\Desktop\ csrss.exe Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Control Panel\Mouse\ lsass.exe Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" 66caf603baa5fcce64131292a13afe30_NeikiAnalytics.exe Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" babon.exe Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\babon.SCR" winlogon.exe Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Control Panel\International\s1159 = "Babon" winlogon.exe Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Control Panel\International\s1159 = "Babon" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\babon.SCR" lsass.exe Set value (int) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Control Panel\Mouse\SwapMouseButtons = "1" lsass.exe Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Control Panel\Desktop\ babon.exe Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Control Panel\International\s2359 = "Babon" csrss.exe Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Control Panel\Mouse\ csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Control Panel\International\s1159 = "Babon" lsass.exe Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Control Panel\Mouse\ babon.exe Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Control Panel\International\s2359 = "Babon" babon.exe Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\babon.SCR" babon.exe Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" winlogon.exe Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\babon.SCR" csrss.exe Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Control Panel\International\ csrss.exe Set value (int) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Control Panel\Mouse\SwapMouseButtons = "1" csrss.exe Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Control Panel\Desktop\ lsass.exe Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Control Panel\International\ IExplorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Control Panel\International\s2359 = "Babon" IExplorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Control Panel\International\s1159 = "Babon" IExplorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" lsass.exe Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Control Panel\International\ 66caf603baa5fcce64131292a13afe30_NeikiAnalytics.exe Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Control Panel\International\s1159 = "Babon" babon.exe Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Control Panel\International\ lsass.exe Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Control Panel\Desktop\ 66caf603baa5fcce64131292a13afe30_NeikiAnalytics.exe Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Control Panel\International\s2359 = "Babon" lsass.exe Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Control Panel\Mouse\ winlogon.exe Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\babon.SCR" IExplorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Control Panel\International\s1159 = "Babon" 66caf603baa5fcce64131292a13afe30_NeikiAnalytics.exe Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" babon.exe Set value (int) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Control Panel\Mouse\SwapMouseButtons = "1" babon.exe Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Control Panel\International\s2359 = "Babon" 66caf603baa5fcce64131292a13afe30_NeikiAnalytics.exe Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" IExplorer.exe Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Control Panel\Desktop\ winlogon.exe Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Control Panel\International\s2359 = "Babon" winlogon.exe Set value (int) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Control Panel\Mouse\SwapMouseButtons = "1" 66caf603baa5fcce64131292a13afe30_NeikiAnalytics.exe Set value (int) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Control Panel\Mouse\SwapMouseButtons = "1" IExplorer.exe Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Control Panel\International\ winlogon.exe Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Control Panel\Desktop\ IExplorer.exe -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\ babon.exe Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\ winlogon.exe Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\ lsass.exe Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Babon hates Norman..:P~~" lsass.exe Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.jasakom.com" lsass.exe Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\ 66caf603baa5fcce64131292a13afe30_NeikiAnalytics.exe Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Babon hates Norman..:P~~" 66caf603baa5fcce64131292a13afe30_NeikiAnalytics.exe Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\ csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Babon hates Norman..:P~~" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Babon hates Norman..:P~~" winlogon.exe Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.jasakom.com" 66caf603baa5fcce64131292a13afe30_NeikiAnalytics.exe Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Babon hates Norman..:P~~" babon.exe Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\ IExplorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.jasakom.com" IExplorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.jasakom.com" babon.exe Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Babon hates Norman..:P~~" IExplorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.jasakom.com" winlogon.exe Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.jasakom.com" csrss.exe -
Modifies Internet Explorer start page 1 TTPs 6 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.jasakom.com" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.jasakom.com" lsass.exe Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.jasakom.com" 66caf603baa5fcce64131292a13afe30_NeikiAnalytics.exe Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.jasakom.com" babon.exe Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.jasakom.com" IExplorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.jasakom.com" winlogon.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command lsass.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" 66caf603baa5fcce64131292a13afe30_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF" babon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} lsass.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command 66caf603baa5fcce64131292a13afe30_NeikiAnalytics.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command 66caf603baa5fcce64131292a13afe30_NeikiAnalytics.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile babon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" IExplorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile 66caf603baa5fcce64131292a13afe30_NeikiAnalytics.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} babon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" lsass.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command lsass.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile lsass.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" babon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ babon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command lsass.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" 66caf603baa5fcce64131292a13afe30_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" babon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command IExplorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command babon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command babon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command lsass.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" babon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" IExplorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" babon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" lsass.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} 66caf603baa5fcce64131292a13afe30_NeikiAnalytics.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ 66caf603baa5fcce64131292a13afe30_NeikiAnalytics.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ lsass.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" 66caf603baa5fcce64131292a13afe30_NeikiAnalytics.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile 66caf603baa5fcce64131292a13afe30_NeikiAnalytics.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command babon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" IExplorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} 66caf603baa5fcce64131292a13afe30_NeikiAnalytics.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell 66caf603baa5fcce64131292a13afe30_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" babon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF" lsass.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 2892 66caf603baa5fcce64131292a13afe30_NeikiAnalytics.exe -
Suspicious behavior: GetForegroundWindowSpam 5 IoCs
pid Process 1568 csrss.exe 2456 babon.exe 1452 winlogon.exe 2708 IExplorer.exe 2280 lsass.exe -
Suspicious use of SetWindowsHookEx 30 IoCs
pid Process 2892 66caf603baa5fcce64131292a13afe30_NeikiAnalytics.exe 2456 babon.exe 2708 IExplorer.exe 1452 winlogon.exe 1568 csrss.exe 2280 lsass.exe 1916 babon.exe 1780 babon.exe 1704 IExplorer.exe 944 IExplorer.exe 1552 babon.exe 3044 winlogon.exe 1544 winlogon.exe 304 csrss.exe 2192 lsass.exe 908 IExplorer.exe 1308 babon.exe 2800 IExplorer.exe 2868 winlogon.exe 2504 winlogon.exe 2684 babon.exe 2560 csrss.exe 2440 lsass.exe 2148 lsass.exe 2884 csrss.exe 1788 IExplorer.exe 1572 lsass.exe 1240 winlogon.exe 1796 csrss.exe 1564 lsass.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2892 wrote to memory of 2456 2892 66caf603baa5fcce64131292a13afe30_NeikiAnalytics.exe 28 PID 2892 wrote to memory of 2456 2892 66caf603baa5fcce64131292a13afe30_NeikiAnalytics.exe 28 PID 2892 wrote to memory of 2456 2892 66caf603baa5fcce64131292a13afe30_NeikiAnalytics.exe 28 PID 2892 wrote to memory of 2456 2892 66caf603baa5fcce64131292a13afe30_NeikiAnalytics.exe 28 PID 2892 wrote to memory of 2708 2892 66caf603baa5fcce64131292a13afe30_NeikiAnalytics.exe 29 PID 2892 wrote to memory of 2708 2892 66caf603baa5fcce64131292a13afe30_NeikiAnalytics.exe 29 PID 2892 wrote to memory of 2708 2892 66caf603baa5fcce64131292a13afe30_NeikiAnalytics.exe 29 PID 2892 wrote to memory of 2708 2892 66caf603baa5fcce64131292a13afe30_NeikiAnalytics.exe 29 PID 2892 wrote to memory of 1452 2892 66caf603baa5fcce64131292a13afe30_NeikiAnalytics.exe 30 PID 2892 wrote to memory of 1452 2892 66caf603baa5fcce64131292a13afe30_NeikiAnalytics.exe 30 PID 2892 wrote to memory of 1452 2892 66caf603baa5fcce64131292a13afe30_NeikiAnalytics.exe 30 PID 2892 wrote to memory of 1452 2892 66caf603baa5fcce64131292a13afe30_NeikiAnalytics.exe 30 PID 2892 wrote to memory of 1568 2892 66caf603baa5fcce64131292a13afe30_NeikiAnalytics.exe 31 PID 2892 wrote to memory of 1568 2892 66caf603baa5fcce64131292a13afe30_NeikiAnalytics.exe 31 PID 2892 wrote to memory of 1568 2892 66caf603baa5fcce64131292a13afe30_NeikiAnalytics.exe 31 PID 2892 wrote to memory of 1568 2892 66caf603baa5fcce64131292a13afe30_NeikiAnalytics.exe 31 PID 2892 wrote to memory of 2280 2892 66caf603baa5fcce64131292a13afe30_NeikiAnalytics.exe 32 PID 2892 wrote to memory of 2280 2892 66caf603baa5fcce64131292a13afe30_NeikiAnalytics.exe 32 PID 2892 wrote to memory of 2280 2892 66caf603baa5fcce64131292a13afe30_NeikiAnalytics.exe 32 PID 2892 wrote to memory of 2280 2892 66caf603baa5fcce64131292a13afe30_NeikiAnalytics.exe 32 PID 2456 wrote to memory of 1916 2456 babon.exe 33 PID 2456 wrote to memory of 1916 2456 babon.exe 33 PID 2456 wrote to memory of 1916 2456 babon.exe 33 PID 2456 wrote to memory of 1916 2456 babon.exe 33 PID 2708 wrote to memory of 1780 2708 IExplorer.exe 34 PID 2708 wrote to memory of 1780 2708 IExplorer.exe 34 PID 2708 wrote to memory of 1780 2708 IExplorer.exe 34 PID 2708 wrote to memory of 1780 2708 IExplorer.exe 34 PID 2456 wrote to memory of 1704 2456 babon.exe 35 PID 2456 wrote to memory of 1704 2456 babon.exe 35 PID 2456 wrote to memory of 1704 2456 babon.exe 35 PID 2456 wrote to memory of 1704 2456 babon.exe 35 PID 2708 wrote to memory of 944 2708 IExplorer.exe 36 PID 2708 wrote to memory of 944 2708 IExplorer.exe 36 PID 2708 wrote to memory of 944 2708 IExplorer.exe 36 PID 2708 wrote to memory of 944 2708 IExplorer.exe 36 PID 1452 wrote to memory of 1552 1452 winlogon.exe 37 PID 1452 wrote to memory of 1552 1452 winlogon.exe 37 PID 1452 wrote to memory of 1552 1452 winlogon.exe 37 PID 1452 wrote to memory of 1552 1452 winlogon.exe 37 PID 2708 wrote to memory of 1544 2708 IExplorer.exe 38 PID 2708 wrote to memory of 1544 2708 IExplorer.exe 38 PID 2708 wrote to memory of 1544 2708 IExplorer.exe 38 PID 2708 wrote to memory of 1544 2708 IExplorer.exe 38 PID 2456 wrote to memory of 3044 2456 babon.exe 39 PID 2456 wrote to memory of 3044 2456 babon.exe 39 PID 2456 wrote to memory of 3044 2456 babon.exe 39 PID 2456 wrote to memory of 3044 2456 babon.exe 39 PID 1452 wrote to memory of 908 1452 winlogon.exe 40 PID 1452 wrote to memory of 908 1452 winlogon.exe 40 PID 1452 wrote to memory of 908 1452 winlogon.exe 40 PID 1452 wrote to memory of 908 1452 winlogon.exe 40 PID 2708 wrote to memory of 304 2708 IExplorer.exe 41 PID 2708 wrote to memory of 304 2708 IExplorer.exe 41 PID 2708 wrote to memory of 304 2708 IExplorer.exe 41 PID 2708 wrote to memory of 304 2708 IExplorer.exe 41 PID 1568 wrote to memory of 1308 1568 csrss.exe 42 PID 1568 wrote to memory of 1308 1568 csrss.exe 42 PID 1568 wrote to memory of 1308 1568 csrss.exe 42 PID 1568 wrote to memory of 1308 1568 csrss.exe 42 PID 2708 wrote to memory of 2192 2708 IExplorer.exe 43 PID 2708 wrote to memory of 2192 2708 IExplorer.exe 43 PID 2708 wrote to memory of 2192 2708 IExplorer.exe 43 PID 2708 wrote to memory of 2192 2708 IExplorer.exe 43 -
System policy modification 1 TTPs 12 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" IExplorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System lsass.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System 66caf603baa5fcce64131292a13afe30_NeikiAnalytics.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System babon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" babon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System IExplorer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" lsass.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" 66caf603baa5fcce64131292a13afe30_NeikiAnalytics.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\66caf603baa5fcce64131292a13afe30_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\66caf603baa5fcce64131292a13afe30_NeikiAnalytics.exe"1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2892 -
C:\Windows\babon.exeC:\Windows\babon.exe2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2456 -
C:\Windows\babon.exeC:\Windows\babon.exe3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1916
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:1704
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3044
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"3⤵
- Executes dropped EXE
PID:3052
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2440
-
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2708 -
C:\Windows\babon.exeC:\Windows\babon.exe3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1780
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:944
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1544
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:304
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2192
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1452 -
C:\Windows\babon.exeC:\Windows\babon.exe3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1552
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:908
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2504
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2884
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1572
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1568 -
C:\Windows\babon.exeC:\Windows\babon.exe3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1308
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2800
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2868
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2560
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2148
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:2280 -
C:\Windows\babon.exeC:\Windows\babon.exe3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2684
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:1788
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1240
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1796
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1564
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
1Winlogon Helper DLL
2Event Triggered Execution
1Change Default File Association
1Privilege Escalation
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
1Winlogon Helper DLL
2Event Triggered Execution
1Change Default File Association
1Defense Evasion
Hide Artifacts
2Hidden Files and Directories
2Modify Registry
9Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
45KB
MD571ec029fba6f14ab88800dd68c9968a2
SHA1c839d264f0cf11218789af167105e5df93d1b93a
SHA256b5b70f6056167a5e19d618e9b84c8af40db7bfe16a50dc9f5a43f161ef6cfe22
SHA5126802f1ec287944aa3bb634c9d5ff6dcdab3c5e4e8c62f438a5e39335c975bef795bb190c5ef8a86e054f327c4fbd7d28e6e428f92fcc1a57d1c9b70977042e68
-
Filesize
45KB
MD566caf603baa5fcce64131292a13afe30
SHA17b8710d4c2a373f354d6b4dc1ad83422b3181ea1
SHA2560621355ac15ceecdedc4a2eb62db26b08643b3d52bed0275895abb3956cae3f3
SHA512b5185aa320fe3c65444520291a9cd9471ed3d5ce0828fb6ea709a65f3d0adf4adf0e04503049378d0807638f8eafd733e0aed8156cd3e1beff458f7f86230c7f
-
Filesize
45KB
MD5be3e355fe771f3db22f9af774afc53f3
SHA1d5f3232c74e39199ac77ab78a41fa9f5aaf06227
SHA2569efc32ebe95bdacd4d58eacfa1d5e0120eab655e3e7832074edb9a0d2d9e3f8a
SHA512b34b246e3ab48e82267faedc77a8e087b95c99bb18fed779f01e3e8358643eeb69145f91e884588bc02af2dcd0b8ba3231af4a3dee88e92968eed7255648a033
-
Filesize
45KB
MD5e2c45ee0f2f2e9bb44d3ccb64676f5e2
SHA104075517d2de4869ecf204ed563d589fb8a96731
SHA256a758c7e9ff2db67190b2b39f1543efd334240527a0fd5eb6cebf57a30eef989a
SHA512c079eace12ee2b5ff90595e6f818302e299119c35ae4805ee1ca275cf2fde60e868981e50585fcd2206512041462067b2656df0eef8dbb0a048a3f73e846c174
-
Filesize
45KB
MD5f20867020f5be84267177e69c711f699
SHA189dfc84bb4f7073519bd40d0d5972fd88ae6ac61
SHA25696f1c46eb1d0d448f1eb4a4ef596898ff290438aa1e7675fc13d04b23337d529
SHA512c5e0da83cb17522bfccd298bbc15ee04f810d19f50fe7757bdde276fa955fa08dacca20a6c6385632ee8417c4d2d39a56e00e7e4d404b570f37267f8c8252f6d
-
Filesize
45KB
MD509336b13f5cb090875d7fdca8d1fc56f
SHA19b4f7c35f415a02cf0cc1b81fc14218f8f8beb04
SHA256f6e66fdf154e1a80029698b589120b79ef40eb117b9aa6737c09822309e6fa94
SHA512de8733e54ffaaf5799ddb6be3950025afbd3ae228d1334945704183a77f67b41ab7c629490fe4dd56cd78adfc2ac77ba96f0116f8c1a869518e1adc2ae4aacdc
-
Filesize
45KB
MD5d35eba2194c17da1e2b5b8c69099ab3f
SHA1cbc586b394e3a7013009c092cf446c136f535930
SHA2562517714b2925eb83f029ad61d83697f12e8d644bbfaec02700d30bec0d983788
SHA5126889b07f0f7abcb1e3237c1833a8617c68571a298dfaa13c9ec04b54d36c251fe24742671288d0ed90b8549ed91d4ec602199df74edd46c8538712717483fefb
-
Filesize
45KB
MD5ae4dd6588c5bd43d7f4ae12a3e0dcb58
SHA1f317b5fad75adc2351342aa63c75283880bddceb
SHA25626cac18c65b89bb95595d194ca52e4589be680e3a7c7d48119e6ff22a0f4d007
SHA5127b77fa8934cfc76e83575b0ca67a7b1ea41e2a937265a5d374035f32a2c5722db07eebf77175d87f292a2ba737019e1448038b4b1a2f670e701c55668ce709bd
-
Filesize
45KB
MD5df9e6a58adb06b3ecb1272faf54d67d1
SHA10bb414a863cb0cfe0431b41220b83b564d920cbb
SHA256ee5e4bad22d880d900db543137f363684d5f8cd563e507f5ce2e9ee676beabc9
SHA512da92ed2a88d504a2494246ae4d60cc6aa2b7c6246908e8a8bb4946d55dfe14dc3daf5b7bb15333e9254575254959c044118140c646ec7c7b5ea4f0aa27871d54
-
Filesize
45KB
MD5c3a1c8450179586138ec48488c9ead84
SHA197018c82409849604c3649362525895bfe2b8ccb
SHA25655f7aadeee5c8932fbebddc1859b8f7286a9ba85f809334cf26aa1890ee2df16
SHA512d3a64e3f8326203d06df0d18ea014005b97dcc884774a230659fc3c8de8777643dbbc6c9573ce49e54ac61f177501d324de632437ecb48cb85a60beb245ad59b
-
Filesize
45KB
MD5f066590deb760a5c731ac0d1b900eaae
SHA1f6c886a65ee981ea76145c868c2972cc01602a82
SHA256aa55ba24c5ffc5839c48dcfe1691afc74459d2d7b2cc818cea154038f8e066c3
SHA512c075d757edae6aadc035dfc92655cd151a4f1be29f05310d229635e28d9d749490653a70d7a183b6c3b561fe988bf13bf963c74838903c517d39ddc035772b77
-
Filesize
45KB
MD560e5a30dcda5f60ef24b93336249b4ec
SHA1eda7c7738f5181c24ac3fa538526ed90394a5003
SHA256c4406cffb91b773a664aee35e2176e364f6071d2777f7ff32cdde18419c70b76
SHA5127275ccf01b616db43a96c62a9b5d068102985f08fb8dc5abd27e7e4069a8630b34508da393961fda16ac3cb8a27b24ce08402430f8b4bbb55a593ac8d7478f6a
-
Filesize
1.3MB
MD55343a19c618bc515ceb1695586c6c137
SHA14dedae8cbde066f31c8e6b52c0baa3f8b1117742
SHA2562246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce
SHA512708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606
-
Filesize
45KB
MD55cbd20ed1f30408497ab072a3ce2e4d5
SHA108f9ceccaa42d687595553cd98d54829c517017e
SHA256265fa290c5151adafa1e1673d09c6a2e54eaaa9bdc69900d97b5c8e9558187c4
SHA512f9e1cbaf6706808bf1a4a72f8889d303d897ba85c40c13a9bc5d2565303acafe287b20692ab82c1821c91e57658d9d86849619e00eec9b078b2f42dca0e13d8e
-
Filesize
45KB
MD55cd4bcda4a7bb946a75a6600b8e635f3
SHA196eccd596480ce448b5f399b9864c94eaa5fb71e
SHA2562160b17d656762a795eb36074bc0d4b975b43e6fb6ce66f2c0216f56fb17b68c
SHA512f5202e2bed8640ec87f90b9b202c0cbee9fd4390f9712fbe3a2a7e1695a748043cdbbf09031b38f723f44b910ee851eea0287d7e77f3ba01b524926b5e3de0e0
-
Filesize
416B
MD58c460e27a1949370d14f20942ef964c3
SHA1fb1f75839903c83911b45b49956792d27db56185
SHA2562c001b5c9684baf861870ffbaf0bec9df22560cdf3cd5a719a78a882e3122f8d
SHA512ad4299385bd91f7157f4d4b01025664333423f15f796a9a70e3f5df251842cdef3ad8f1158dc3c8b51c8ea4d082d62d56a6b57fade7b563fb953f8b511a17bcd
-
Filesize
41B
MD5097661e74e667ec2329bc274acb87b0d
SHA191c68a6089af2f61035e2e5f2a8da8c908dc93ed
SHA256aab4cf640f2520966a0aac31af8d1b819eea28736c6b103db16b07c3188ec6c0
SHA512e90e678526270cd9388538246793534411c478b082ab914bfe2756b18771229f146c731c0f9c94ed59d8689b2ef77d25f7b22d3d6b8c2d439e5b3437f8dc649e
-
Filesize
45KB
MD54d43371ee6ffd6a008ac914468423a60
SHA121c8f0a4155faa42da2909d9a9018908d86f87fa
SHA25608366ca71a1e66ab88a47350372ee04f4d37fef3cdd89d21c5da74e239b6b110
SHA51261fa73b1c0d31ae64d56c55b681c0a2d3dfc90916095b5d342b0b9293bb1884a25a060fd3196bf2ca57556fbc82c92cc200b407e26ddcf63568b3b1661ca00ec
-
Filesize
45KB
MD5c1d54ac9765463d55cbaf3b8e333e760
SHA10f892d1b9e8f19a654067d1afc13fba64188c0e6
SHA256173397d503c3d3f5b7049b3c6d18884b213421c709797dbced6815b4e0234868
SHA512bfc4f07cbe2cdc2e6a5f227b363eac42c390e1e3eb88a34e1dc8b9d829ca26e3d8b82afda35f56ee336a2ec231687f0a4604d7a16d4073470e93a91c22065118
-
Filesize
45KB
MD58aa6abc612498a95ec3525786f339472
SHA1ef14ab90a926bb4436790e06b4ecd1c511931838
SHA2564c9e34123d622794a967da4486b37dd96bda6e673db728539226be79ef6df97f
SHA5128606ecc690d35b38cf99f3273955863614f9ad08014f9208f73857225f9478ddb284bdfb063cb57dbc253a11c720bb546a2ddecfd9b61c2f8524c381ecb7c992