Malware Analysis Report

2025-01-22 12:25

Sample ID 240516-hqpc5sgh7z
Target b6959f13299705953061b1985cd61720_NeikiAnalytics
SHA256 9f16094205aa191fbe0048445a35c8f6a0552f40479f836ba6409fe4ee351f7f
Tags
aspackv2 evasion persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

9f16094205aa191fbe0048445a35c8f6a0552f40479f836ba6409fe4ee351f7f

Threat Level: Known bad

The file b6959f13299705953061b1985cd61720_NeikiAnalytics was found to be: Known bad.

Malicious Activity Summary

aspackv2 evasion persistence

Modifies WinLogon for persistence

Modifies visiblity of hidden/system files in Explorer

Modifies visibility of file extensions in Explorer

Disables Task Manager via registry modification

Disables RegEdit via registry modification

Disables use of System Restore points

Disables cmd.exe use via registry modification

Executes dropped EXE

Modifies system executable filetype association

Loads dropped DLL

ASPack v2.12-2.42

Enumerates connected drives

Modifies WinLogon

Adds Run key to start application

Drops file in System32 directory

Drops autorun.inf file

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Modifies Control Panel

Suspicious behavior: GetForegroundWindowSpam

Modifies Internet Explorer start page

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

System policy modification

Modifies registry class

Modifies Internet Explorer settings

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-16 06:56

Signatures

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-16 06:56

Reported

2024-05-16 06:59

Platform

win7-20240508-en

Max time kernel

149s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b6959f13299705953061b1985cd61720_NeikiAnalytics.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" C:\Users\Admin\AppData\Local\Temp\b6959f13299705953061b1985cd61720_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" C:\Users\Admin\AppData\Local\Temp\b6959f13299705953061b1985cd61720_NeikiAnalytics.exe N/A

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\AppData\Local\Temp\b6959f13299705953061b1985cd61720_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\babon.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\IExplorer.exe N/A

Modifies visiblity of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Local\Temp\b6959f13299705953061b1985cd61720_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\babon.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\IExplorer.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\b6959f13299705953061b1985cd61720_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\babon.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A

Disables Task Manager via registry modification

evasion

Disables cmd.exe use via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Users\Admin\AppData\Local\Temp\b6959f13299705953061b1985cd61720_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Windows\babon.exe N/A

Disables use of System Restore points

evasion

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\babon.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
N/A N/A C:\Windows\babon.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Windows\babon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
N/A N/A C:\Windows\babon.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Windows\babon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
N/A N/A C:\Windows\babon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b6959f13299705953061b1985cd61720_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b6959f13299705953061b1985cd61720_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b6959f13299705953061b1985cd61720_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b6959f13299705953061b1985cd61720_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b6959f13299705953061b1985cd61720_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b6959f13299705953061b1985cd61720_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b6959f13299705953061b1985cd61720_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b6959f13299705953061b1985cd61720_NeikiAnalytics.exe N/A
N/A N/A C:\Windows\babon.exe N/A
N/A N/A C:\Windows\babon.exe N/A
N/A N/A C:\Windows\babon.exe N/A
N/A N/A C:\Windows\babon.exe N/A
N/A N/A C:\Windows\babon.exe N/A
N/A N/A C:\Windows\babon.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Windows\babon.exe N/A
N/A N/A C:\Windows\babon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\babon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\b6959f13299705953061b1985cd61720_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\b6959f13299705953061b1985cd61720_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\AppData\Local\Temp\b6959f13299705953061b1985cd61720_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Windows\babon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\b6959f13299705953061b1985cd61720_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\AppData\Local\Temp\b6959f13299705953061b1985cd61720_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell C:\Users\Admin\AppData\Local\Temp\b6959f13299705953061b1985cd61720_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\b6959f13299705953061b1985cd61720_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\b6959f13299705953061b1985cd61720_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\b6959f13299705953061b1985cd61720_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Windows\babon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open C:\Users\Admin\AppData\Local\Temp\b6959f13299705953061b1985cd61720_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\b6959f13299705953061b1985cd61720_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Windows\babon.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\babon = "C:\\Windows\\babon" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\csrss.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\lsass.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\lsass.exe" C:\Users\Admin\AppData\Local\Temp\b6959f13299705953061b1985cd61720_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\babon = "C:\\Windows\\babon" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\lsass.exe" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\lsass.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\babon = "C:\\Windows\\babon" C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\csrss.exe" C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\csrss.exe" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\lsass.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\babon = "C:\\Windows\\babon" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\csrss.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\babon = "C:\\Windows\\babon" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\babon = "C:\\Windows\\babon" C:\Users\Admin\AppData\Local\Temp\b6959f13299705953061b1985cd61720_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" C:\Users\Admin\AppData\Local\Temp\b6959f13299705953061b1985cd61720_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\csrss.exe" C:\Users\Admin\AppData\Local\Temp\b6959f13299705953061b1985cd61720_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\lsass.exe" C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\csrss.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\J: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\IExplorer.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
File opened (read-only) \??\X: C:\Windows\babon.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\IExplorer.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\IExplorer.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
File opened (read-only) \??\J: C:\Windows\babon.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\IExplorer.exe N/A
File opened (read-only) \??\H: C:\Windows\babon.exe N/A
File opened (read-only) \??\S: C:\Windows\babon.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
File opened (read-only) \??\L: C:\Windows\babon.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\IExplorer.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\IExplorer.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
File opened (read-only) \??\P: C:\Windows\babon.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
File opened (read-only) \??\B: C:\Windows\babon.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\IExplorer.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\IExplorer.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened (read-only) \??\T: C:\Windows\babon.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\IExplorer.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\IExplorer.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\IExplorer.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
File opened (read-only) \??\U: C:\Windows\babon.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Welcome Friend" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Welcome Friend" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Welcome Friend" C:\Users\Admin\AppData\Local\Temp\b6959f13299705953061b1985cd61720_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Please enjoy the Babon Entertainment ^_^" C:\Users\Admin\AppData\Local\Temp\b6959f13299705953061b1985cd61720_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Welcome Friend" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Please enjoy the Babon Entertainment ^_^" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Please enjoy the Babon Entertainment ^_^" C:\Windows\babon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Please enjoy the Babon Entertainment ^_^" C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ C:\Users\Admin\AppData\Local\Temp\b6959f13299705953061b1985cd61720_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Please enjoy the Babon Entertainment ^_^" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Welcome Friend" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Please enjoy the Babon Entertainment ^_^" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Welcome Friend" C:\Windows\babon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File created C:\autorun.inf C:\Windows\babon.exe N/A
File opened for modification C:\autorun.inf C:\Windows\babon.exe N/A
File created F:\autorun.inf C:\Windows\babon.exe N/A
File opened for modification F:\autorun.inf C:\Windows\babon.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\AppData\Local\Temp\b6959f13299705953061b1985cd61720_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened for modification C:\Windows\SysWOW64\shell.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\babon.scr C:\Users\Admin\AppData\Local\Temp\b6959f13299705953061b1985cd61720_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\babon.scr C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
File created C:\Windows\SysWOW64\IExplorer.exe C:\Windows\babon.exe N/A
File opened for modification C:\Windows\SysWOW64\babon.scr C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened for modification C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\shell.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\AppData\Local\Temp\b6959f13299705953061b1985cd61720_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\shell.exe C:\Windows\babon.exe N/A
File opened for modification C:\Windows\SysWOW64\babon.scr C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened for modification C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\shell.exe C:\Users\Admin\AppData\Local\Temp\b6959f13299705953061b1985cd61720_NeikiAnalytics.exe N/A
File created C:\Windows\SysWOW64\shell.exe C:\Users\Admin\AppData\Local\Temp\b6959f13299705953061b1985cd61720_NeikiAnalytics.exe N/A
File created C:\Windows\SysWOW64\IExplorer.exe C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\babon.scr C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\SysWOW64\babon.scr C:\Users\Admin\AppData\Local\Temp\b6959f13299705953061b1985cd61720_NeikiAnalytics.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\babon.scr C:\Windows\babon.exe N/A
File opened for modification C:\Windows\SysWOW64\shell.exe C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\shell.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened for modification C:\Windows\SysWOW64\IExplorer.exe C:\Windows\babon.exe N/A
File opened for modification C:\Windows\SysWOW64\IExplorer.exe C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\babon.exe C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\babon.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
File opened for modification C:\Windows\babon.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\babon.exe C:\Users\Admin\AppData\Local\Temp\b6959f13299705953061b1985cd61720_NeikiAnalytics.exe N/A
File created C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\babon.exe C:\Windows\babon.exe N/A
File created C:\Windows\babon.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File created C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\babon.exe C:\Windows\babon.exe N/A
File opened for modification C:\Windows\babon.exe C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\babon.exe C:\Users\Admin\AppData\Local\Temp\b6959f13299705953061b1985cd61720_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\babon.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\babon.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
File created C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\babon.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A

Enumerates physical storage devices

Modifies Control Panel

evasion
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\Desktop\ C:\Users\Admin\AppData\Local\Temp\b6959f13299705953061b1985cd61720_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" C:\Users\Admin\AppData\Local\Temp\b6959f13299705953061b1985cd61720_NeikiAnalytics.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\International\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\International\ C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\International\s1159 = "Babon" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\Mouse\SwapMouseButtons = "1" C:\Windows\babon.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\Mouse\SwapMouseButtons = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\Mouse\SwapMouseButtons = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\Mouse\ C:\Users\Admin\AppData\Local\Temp\b6959f13299705953061b1985cd61720_NeikiAnalytics.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\Desktop\ C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\International\ C:\Users\Admin\AppData\Local\Temp\b6959f13299705953061b1985cd61720_NeikiAnalytics.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\International\ C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\International\s2359 = "Babon" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\Desktop\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\International\s2359 = "Babon" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\International\s1159 = "Babon" C:\Users\Admin\AppData\Local\Temp\b6959f13299705953061b1985cd61720_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\International\s1159 = "Babon" C:\Windows\babon.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\Mouse\SwapMouseButtons = "1" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\International\s2359 = "Babon" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\Mouse\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\babon.SCR" C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" C:\Windows\babon.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\Mouse\ C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\International\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" C:\Users\Admin\AppData\Local\Temp\b6959f13299705953061b1985cd61720_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\International\s1159 = "Babon" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" C:\Windows\babon.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\Mouse\ C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\International\s1159 = "Babon" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\babon.SCR" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\Mouse\SwapMouseButtons = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\babon.SCR" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\International\s2359 = "Babon" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\International\s1159 = "Babon" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\Mouse\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\babon.SCR" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\babon.SCR" C:\Users\Admin\AppData\Local\Temp\b6959f13299705953061b1985cd61720_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\Desktop\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\Mouse\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\International\s2359 = "Babon" C:\Windows\babon.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\Desktop\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\babon.SCR" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\International\s2359 = "Babon" C:\Users\Admin\AppData\Local\Temp\b6959f13299705953061b1985cd61720_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\Mouse\SwapMouseButtons = "1" C:\Users\Admin\AppData\Local\Temp\b6959f13299705953061b1985cd61720_NeikiAnalytics.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\Desktop\ C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\International\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Babon hates Norman..:P~~" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.jasakom.com" C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.jasakom.com" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Babon hates Norman..:P~~" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\ C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Babon hates Norman..:P~~" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.jasakom.com" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.jasakom.com" C:\Users\Admin\AppData\Local\Temp\b6959f13299705953061b1985cd61720_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Babon hates Norman..:P~~" C:\Users\Admin\AppData\Local\Temp\b6959f13299705953061b1985cd61720_NeikiAnalytics.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\ C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Babon hates Norman..:P~~" C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.jasakom.com" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Babon hates Norman..:P~~" C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\ C:\Users\Admin\AppData\Local\Temp\b6959f13299705953061b1985cd61720_NeikiAnalytics.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.jasakom.com" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A

Modifies Internet Explorer start page

stealer
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.jasakom.com" C:\Users\Admin\AppData\Local\Temp\b6959f13299705953061b1985cd61720_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.jasakom.com" C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.jasakom.com" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.jasakom.com" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.jasakom.com" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.jasakom.com" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell C:\Users\Admin\AppData\Local\Temp\b6959f13299705953061b1985cd61720_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\AppData\Local\Temp\b6959f13299705953061b1985cd61720_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile C:\Windows\babon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ C:\Windows\babon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\babon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} C:\Users\Admin\AppData\Local\Temp\b6959f13299705953061b1985cd61720_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\b6959f13299705953061b1985cd61720_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} C:\Windows\babon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Windows\babon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF" C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open C:\Users\Admin\AppData\Local\Temp\b6959f13299705953061b1985cd61720_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ C:\Users\Admin\AppData\Local\Temp\b6959f13299705953061b1985cd61720_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\b6959f13299705953061b1985cd61720_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile C:\Users\Admin\AppData\Local\Temp\b6959f13299705953061b1985cd61720_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\b6959f13299705953061b1985cd61720_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\babon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\b6959f13299705953061b1985cd61720_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} C:\Users\Admin\AppData\Local\Temp\b6959f13299705953061b1985cd61720_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\b6959f13299705953061b1985cd61720_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Windows\babon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Windows\babon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\b6959f13299705953061b1985cd61720_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\AppData\Local\Temp\b6959f13299705953061b1985cd61720_NeikiAnalytics.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b6959f13299705953061b1985cd61720_NeikiAnalytics.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b6959f13299705953061b1985cd61720_NeikiAnalytics.exe N/A
N/A N/A C:\Windows\babon.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
N/A N/A C:\Windows\babon.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Windows\babon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
N/A N/A C:\Windows\babon.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Windows\babon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Windows\babon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2252 wrote to memory of 1252 N/A C:\Users\Admin\AppData\Local\Temp\b6959f13299705953061b1985cd61720_NeikiAnalytics.exe C:\Windows\babon.exe
PID 2252 wrote to memory of 1252 N/A C:\Users\Admin\AppData\Local\Temp\b6959f13299705953061b1985cd61720_NeikiAnalytics.exe C:\Windows\babon.exe
PID 2252 wrote to memory of 1252 N/A C:\Users\Admin\AppData\Local\Temp\b6959f13299705953061b1985cd61720_NeikiAnalytics.exe C:\Windows\babon.exe
PID 2252 wrote to memory of 1252 N/A C:\Users\Admin\AppData\Local\Temp\b6959f13299705953061b1985cd61720_NeikiAnalytics.exe C:\Windows\babon.exe
PID 2252 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\b6959f13299705953061b1985cd61720_NeikiAnalytics.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2252 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\b6959f13299705953061b1985cd61720_NeikiAnalytics.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2252 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\b6959f13299705953061b1985cd61720_NeikiAnalytics.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2252 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\b6959f13299705953061b1985cd61720_NeikiAnalytics.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2252 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\b6959f13299705953061b1985cd61720_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 2252 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\b6959f13299705953061b1985cd61720_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 2252 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\b6959f13299705953061b1985cd61720_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 2252 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\b6959f13299705953061b1985cd61720_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 2252 wrote to memory of 340 N/A C:\Users\Admin\AppData\Local\Temp\b6959f13299705953061b1985cd61720_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe
PID 2252 wrote to memory of 340 N/A C:\Users\Admin\AppData\Local\Temp\b6959f13299705953061b1985cd61720_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe
PID 2252 wrote to memory of 340 N/A C:\Users\Admin\AppData\Local\Temp\b6959f13299705953061b1985cd61720_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe
PID 2252 wrote to memory of 340 N/A C:\Users\Admin\AppData\Local\Temp\b6959f13299705953061b1985cd61720_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe
PID 2252 wrote to memory of 276 N/A C:\Users\Admin\AppData\Local\Temp\b6959f13299705953061b1985cd61720_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe
PID 2252 wrote to memory of 276 N/A C:\Users\Admin\AppData\Local\Temp\b6959f13299705953061b1985cd61720_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe
PID 2252 wrote to memory of 276 N/A C:\Users\Admin\AppData\Local\Temp\b6959f13299705953061b1985cd61720_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe
PID 2252 wrote to memory of 276 N/A C:\Users\Admin\AppData\Local\Temp\b6959f13299705953061b1985cd61720_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe
PID 1252 wrote to memory of 2308 N/A C:\Windows\babon.exe C:\Windows\babon.exe
PID 1252 wrote to memory of 2308 N/A C:\Windows\babon.exe C:\Windows\babon.exe
PID 1252 wrote to memory of 2308 N/A C:\Windows\babon.exe C:\Windows\babon.exe
PID 1252 wrote to memory of 2308 N/A C:\Windows\babon.exe C:\Windows\babon.exe
PID 1252 wrote to memory of 572 N/A C:\Windows\babon.exe C:\Windows\SysWOW64\IExplorer.exe
PID 1252 wrote to memory of 572 N/A C:\Windows\babon.exe C:\Windows\SysWOW64\IExplorer.exe
PID 1252 wrote to memory of 572 N/A C:\Windows\babon.exe C:\Windows\SysWOW64\IExplorer.exe
PID 1252 wrote to memory of 572 N/A C:\Windows\babon.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2532 wrote to memory of 1008 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Windows\babon.exe
PID 2532 wrote to memory of 1008 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Windows\babon.exe
PID 2532 wrote to memory of 1008 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Windows\babon.exe
PID 2532 wrote to memory of 1008 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Windows\babon.exe
PID 1252 wrote to memory of 2356 N/A C:\Windows\babon.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 1252 wrote to memory of 2356 N/A C:\Windows\babon.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 1252 wrote to memory of 2356 N/A C:\Windows\babon.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 1252 wrote to memory of 2356 N/A C:\Windows\babon.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 1252 wrote to memory of 3008 N/A C:\Windows\babon.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe
PID 1252 wrote to memory of 3008 N/A C:\Windows\babon.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe
PID 1252 wrote to memory of 3008 N/A C:\Windows\babon.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe
PID 1252 wrote to memory of 3008 N/A C:\Windows\babon.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe
PID 2168 wrote to memory of 900 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe C:\Windows\babon.exe
PID 2168 wrote to memory of 900 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe C:\Windows\babon.exe
PID 2168 wrote to memory of 900 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe C:\Windows\babon.exe
PID 2168 wrote to memory of 900 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe C:\Windows\babon.exe
PID 2532 wrote to memory of 1496 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2532 wrote to memory of 1496 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2532 wrote to memory of 1496 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2532 wrote to memory of 1496 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Windows\SysWOW64\IExplorer.exe
PID 340 wrote to memory of 1876 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe C:\Windows\babon.exe
PID 340 wrote to memory of 1876 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe C:\Windows\babon.exe
PID 340 wrote to memory of 1876 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe C:\Windows\babon.exe
PID 340 wrote to memory of 1876 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe C:\Windows\babon.exe
PID 1252 wrote to memory of 892 N/A C:\Windows\babon.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe
PID 1252 wrote to memory of 892 N/A C:\Windows\babon.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe
PID 1252 wrote to memory of 892 N/A C:\Windows\babon.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe
PID 1252 wrote to memory of 892 N/A C:\Windows\babon.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe
PID 2168 wrote to memory of 2960 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2168 wrote to memory of 2960 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2168 wrote to memory of 2960 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2168 wrote to memory of 2960 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe C:\Windows\SysWOW64\IExplorer.exe
PID 340 wrote to memory of 2848 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe C:\Windows\SysWOW64\IExplorer.exe
PID 340 wrote to memory of 2848 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe C:\Windows\SysWOW64\IExplorer.exe
PID 340 wrote to memory of 2848 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe C:\Windows\SysWOW64\IExplorer.exe
PID 340 wrote to memory of 2848 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe C:\Windows\SysWOW64\IExplorer.exe

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\babon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Windows\babon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\b6959f13299705953061b1985cd61720_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Users\Admin\AppData\Local\Temp\b6959f13299705953061b1985cd61720_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Windows\SysWOW64\IExplorer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\b6959f13299705953061b1985cd61720_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\b6959f13299705953061b1985cd61720_NeikiAnalytics.exe"

C:\Windows\babon.exe

C:\Windows\babon.exe

C:\Windows\SysWOW64\IExplorer.exe

C:\Windows\system32\IExplorer.exe

C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"

C:\Windows\babon.exe

C:\Windows\babon.exe

C:\Windows\SysWOW64\IExplorer.exe

C:\Windows\system32\IExplorer.exe

C:\Windows\babon.exe

C:\Windows\babon.exe

C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"

C:\Windows\babon.exe

C:\Windows\babon.exe

C:\Windows\SysWOW64\IExplorer.exe

C:\Windows\system32\IExplorer.exe

C:\Windows\babon.exe

C:\Windows\babon.exe

C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"

C:\Windows\SysWOW64\IExplorer.exe

C:\Windows\system32\IExplorer.exe

C:\Windows\SysWOW64\IExplorer.exe

C:\Windows\system32\IExplorer.exe

C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"

C:\Windows\babon.exe

C:\Windows\babon.exe

C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"

C:\Windows\SysWOW64\IExplorer.exe

C:\Windows\system32\IExplorer.exe

C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"

Network

N/A

Files

memory/2252-0-0x0000000000400000-0x0000000000423000-memory.dmp

C:\Users\Admin\AppData\Local\lsass.exe

MD5 b6959f13299705953061b1985cd61720
SHA1 84d3789ce1e46d649a1b3b242cea9413a1512d8e
SHA256 9f16094205aa191fbe0048445a35c8f6a0552f40479f836ba6409fe4ee351f7f
SHA512 1d1ca9a3e40b21feac3d1bada310ac1af1537d14ddabb00a8d6c10316fbae4bc8140ec1e6980ee73a8502338019a1ed96b93bd233d6c8775b944614b2b23930f

C:\Windows\babon.exe

MD5 512cbd00e815ade47d2d9a6de3e63a26
SHA1 4807940600e75b26a79dadc2efa70f3919e45187
SHA256 a774052edb168d6aae5409370ee25066bcafe854c9e1158480ced7e798879cdc
SHA512 27f7b04d6a0606bfcc6e1205190e6ecf019f6113b383942014bf47c930539e834bdbd31480827d660a668194e91946b1fe4ba54be4ec8ab4555a81986c19b572

memory/1252-105-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2252-104-0x0000000001E10000-0x0000000001E33000-memory.dmp

memory/2252-103-0x0000000001E10000-0x0000000001E33000-memory.dmp

\Windows\SysWOW64\IExplorer.exe

MD5 2b8be4116f910a354ae4084dc63d9c09
SHA1 2351fdcf07240be631c4bfdadee4111925d6e9e7
SHA256 1c39c7e5ac91a2a8d86d6183df49d3d2db1ec62976d5be21191f8f04d78f6c3a
SHA512 4f8eb6fe4e335bf545acc2c46b181611e4e0ed5aef61011dd745eed14cf90d29472a700b7677d1374a9efa3b74ad5379d3c4e3e679100a6302cb31647bf4e977

memory/2252-109-0x0000000001E10000-0x0000000001E33000-memory.dmp

\Users\Admin\AppData\Local\WINDOWS\winlogon.exe

MD5 88cf38af022bb30f5c711ad07c33d8b6
SHA1 b57155c82484734ad7aa7290d10550b495702371
SHA256 6d8fd956f6499d6e6b4fb5bcf5d57c8953e42a4948f6d7bd9b1d546a5a1ab415
SHA512 899a9e2d80151b788d7e3ed2757f1f4040e0e1d64ff253572d910d00ca55a4554352a0f4b16487f93681e1e9f1bb3411933629c51a194018437891b5088699e5

memory/2252-122-0x0000000001E10000-0x0000000001E33000-memory.dmp

memory/2168-130-0x0000000000400000-0x0000000000423000-memory.dmp

memory/340-139-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2252-138-0x0000000001E10000-0x0000000001E33000-memory.dmp

memory/2252-144-0x0000000001E10000-0x0000000001E33000-memory.dmp

memory/276-150-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2252-154-0x0000000000400000-0x0000000000423000-memory.dmp

C:\wangsit.txt

MD5 8c460e27a1949370d14f20942ef964c3
SHA1 fb1f75839903c83911b45b49956792d27db56185
SHA256 2c001b5c9684baf861870ffbaf0bec9df22560cdf3cd5a719a78a882e3122f8d
SHA512 ad4299385bd91f7157f4d4b01025664333423f15f796a9a70e3f5df251842cdef3ad8f1158dc3c8b51c8ea4d082d62d56a6b57fade7b563fb953f8b511a17bcd

C:\Users\Admin\Local Settings\Application Data\WINDOWS\smss.exe

MD5 cf3cfd500b0c2938d8a52ac8561fe018
SHA1 caa6b8d6c85e7f6a73ae154d4a72edf2ea76bf99
SHA256 b1917d73edaccd32281243879f8645cd640ab4fcbec2ab8d98793832c191b0ae
SHA512 7ee57570841ad2b242822aa0f3d8169f867f450690abeab4ea6e8ebfad7b0e2ff350ee40e705316c26cd5aa5ed720eeef341d3e7cbdbe05d14c599e8ccb0c8be

C:\Windows\msvbvm60.dll

MD5 5343a19c618bc515ceb1695586c6c137
SHA1 4dedae8cbde066f31c8e6b52c0baa3f8b1117742
SHA256 2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce
SHA512 708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

C:\Users\Admin\Local Settings\Application Data\WINDOWS\smss.exe

MD5 9417314ff658bef4c1220d7af5caa943
SHA1 e60c3e9d3463c75ec0afe948b9bc5bf381fd290c
SHA256 e22b0de88fd594a3fb5007a1e0bdc694a43383882def11daf7dfd5bea2543d1e
SHA512 126e1269e59c4f0e2c0729cf94535b9797709c9e2a078955866644e2ad89729301059be1bd82d25fab081f85658f6973bdbd940997c120dc73c6a80453e29dac

memory/2308-205-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/572-210-0x0000000000400000-0x0000000000423000-memory.dmp

memory/1252-209-0x0000000002480000-0x00000000024A3000-memory.dmp

memory/1252-208-0x0000000002480000-0x00000000024A3000-memory.dmp

memory/2356-239-0x0000000000400000-0x0000000000423000-memory.dmp

memory/1008-238-0x0000000000400000-0x0000000000423000-memory.dmp

memory/572-231-0x0000000000400000-0x0000000000423000-memory.dmp

memory/1252-242-0x0000000002480000-0x00000000024A3000-memory.dmp

memory/2308-206-0x0000000000400000-0x0000000000423000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\WINDOWS\smss.exe

MD5 0861a3e7491f635ee730d165b804f8dc
SHA1 53ba2467ae2a6b8f7921e970c7106e9ebcd121d2
SHA256 8517047d62b802ceab0dbade14ca24a1dabd5e9024a5b8e38db6a133d8f3d016
SHA512 ca47c674c36eba1def8027eb254743d19cf8a3055b389fe3a12c4542638be6dfc108f3f4404e6be0e948fd9a796c06449c2432b76a6ec5993083789be26c24df

C:\babon.exe

MD5 d9a1bdf0d26964a455538cd150fcf8b9
SHA1 abf25454b3808813352012892b29212743187563
SHA256 3effe94bf15c94ac0883733041c44a1d59e5821610e52c9d5c43f4fc511989a4
SHA512 83655b8f3f970c5f8046fc27c80c76deda41f9e67c42039f3527c1aef83b3588d030559824bb1adf5bf2d54748b85cbd40021ffe4479ee35e442086236f7e953

C:\Windows\SysWOW64\shell.exe

MD5 98db7f4f22e3caf219e16b522885b46a
SHA1 0504d2a52c1db08885ebb4cb8877f1af02290da5
SHA256 9d7cc1ebaa475c9ba441d9cfc1f0286902ecb010bf14dbd668f49cb89e9c7de4
SHA512 9961f74f18f7d9494505088110d82c479066bb380451973c06f9ba17ebe8b4959d9db8738bacf29b8cd93a656679772bdefa0ca40638585d658b42b7938679e9

memory/1252-255-0x0000000002480000-0x00000000024A3000-memory.dmp

memory/2168-277-0x0000000002480000-0x00000000024A3000-memory.dmp

memory/1008-313-0x0000000000400000-0x0000000000423000-memory.dmp

C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif

MD5 211724ce2bbec4d903b5b3dd6102ae24
SHA1 99adaa75a8d7072ae27d2e9988db642f2c414732
SHA256 2f6e5cdae4957ba8ee46a22fc2d68b781b1a1eb3f8d63f4d03f5a172d7bfd10b
SHA512 c62cfb5de250c85df34a22c57b44eeacde47585add92d41d3cff25b17977dc91171b23c11ed4e9a62344a519c6d23675420cda0734019a47f61f4878839f305f

C:\Windows\SysWOW64\babon.scr

MD5 81902e3a04dd10545ab7244696f5c295
SHA1 e40dff9b6c40b47448656a28d40332ead2d362b1
SHA256 62332e26d8c8848fd62457bb0e651e6927bec2cc6d2f1a0290b0d8d5fa6f2681
SHA512 4e4826ee70b806111c648dda435b0a74ad2edcf68b8b863762de8e619076537c9510054b08b7d2eb39def81b64e436e1bdc71aaf2dd69dbe52366cc26754a386

memory/3008-330-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2960-336-0x0000000000400000-0x0000000000423000-memory.dmp

memory/900-335-0x0000000000400000-0x0000000000423000-memory.dmp

memory/900-334-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/892-326-0x0000000000400000-0x0000000000423000-memory.dmp

memory/1252-325-0x0000000002480000-0x00000000024A3000-memory.dmp

memory/1252-324-0x0000000002480000-0x00000000024A3000-memory.dmp

C:\Windows\SysWOW64\shell.exe

MD5 12f190419152beacad315a4ce76eca34
SHA1 d7e112906116f5af7c12a6c97480b6bb31eb753e
SHA256 823ce3ff2f01bd34d16a6db9d41874d4aa1fd9f95853e151075b0fd94350b3e4
SHA512 55100c7466fae5b2d67bfe666a7760627eb9b6bbd3cb7aad8a8b4e63a7501a8c744f46f61c6a3fb2643436e6f20b0755c0ac396f18132e038570443b637677e5

C:\babon.exe

MD5 288dac76b867a97241d8e8627f2d191b
SHA1 9c791d33a6cc5d289eadc3ad2ee2476034cda1cc
SHA256 985d3efbe178cefe8e5c1c3700fce5522d1d5a46bb9645bc99856917fbc3e2d6
SHA512 4e3cf5b12b3c82359bb3abf63c82b6bfe91db96f09c313c42861263a3d84bb8072e045b857fc799dadfdd886a08cd3abeda33b8a85094366093ff9d105687b73

C:\Users\Admin\Local Settings\Application Data\WINDOWS\smss.exe

MD5 7493e6aa2069153fb8bc121da5684dfa
SHA1 0f75834016ea1cc7a778b48f06d7f3b6cb5591e3
SHA256 3d3e81929760a811f31f0f766063fd3ec63f64ae5caf7d656df6ab2632a3c3e0
SHA512 a2ba15d3ad4ac1a2c856f9b4608e68057fb98d23dba5e34a139e3e1df5bea20cefbffb1969f060e58d6e5ab21029577b12685284af2ab2d6069fbd493d01d600

memory/2532-279-0x00000000003D0000-0x00000000003F3000-memory.dmp

memory/2532-278-0x00000000003D0000-0x00000000003F3000-memory.dmp

memory/1876-314-0x0000000000400000-0x0000000000423000-memory.dmp

memory/1008-310-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/2168-359-0x0000000002480000-0x00000000024A3000-memory.dmp

memory/2848-361-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2696-360-0x0000000000400000-0x0000000000423000-memory.dmp

F:\autorun.inf

MD5 097661e74e667ec2329bc274acb87b0d
SHA1 91c68a6089af2f61035e2e5f2a8da8c908dc93ed
SHA256 aab4cf640f2520966a0aac31af8d1b819eea28736c6b103db16b07c3188ec6c0
SHA512 e90e678526270cd9388538246793534411c478b082ab914bfe2756b18771229f146c731c0f9c94ed59d8689b2ef77d25f7b22d3d6b8c2d439e5b3437f8dc649e

memory/2168-381-0x0000000002480000-0x00000000024A3000-memory.dmp

memory/892-394-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2168-380-0x0000000002480000-0x00000000024A3000-memory.dmp

memory/1876-351-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/2960-356-0x0000000000400000-0x0000000000423000-memory.dmp

memory/1876-352-0x0000000000400000-0x0000000000423000-memory.dmp

memory/340-404-0x0000000002560000-0x0000000002583000-memory.dmp

memory/2500-403-0x0000000000400000-0x0000000000423000-memory.dmp

memory/276-400-0x0000000002640000-0x0000000002663000-memory.dmp

memory/2848-399-0x0000000000400000-0x0000000000423000-memory.dmp

memory/1572-409-0x0000000000400000-0x0000000000423000-memory.dmp

memory/1572-408-0x0000000000220000-0x0000000000230000-memory.dmp

memory/2500-406-0x00000000002A0000-0x00000000002B0000-memory.dmp

memory/2500-405-0x00000000002A0000-0x00000000002B0000-memory.dmp

memory/1740-417-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2500-415-0x0000000000400000-0x0000000000423000-memory.dmp

memory/340-416-0x0000000002560000-0x0000000002583000-memory.dmp

memory/1572-413-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2628-419-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2844-427-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/2760-438-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2928-440-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2444-435-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2444-444-0x0000000000400000-0x0000000000423000-memory.dmp

memory/1144-432-0x0000000000400000-0x0000000000423000-memory.dmp

memory/1740-430-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2844-428-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2760-446-0x0000000000400000-0x0000000000423000-memory.dmp

memory/276-451-0x0000000002640000-0x0000000002663000-memory.dmp

memory/348-453-0x0000000000400000-0x0000000000423000-memory.dmp

memory/1188-452-0x0000000000400000-0x0000000000423000-memory.dmp

memory/1188-455-0x0000000000400000-0x0000000000423000-memory.dmp

memory/276-450-0x0000000002640000-0x0000000002663000-memory.dmp

memory/348-459-0x0000000000400000-0x0000000000423000-memory.dmp

memory/1036-462-0x0000000000400000-0x0000000000423000-memory.dmp

memory/1036-464-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2532-466-0x0000000000400000-0x0000000000423000-memory.dmp

memory/1252-465-0x0000000000400000-0x0000000000423000-memory.dmp

memory/340-468-0x0000000000400000-0x0000000000423000-memory.dmp

memory/276-469-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2168-467-0x0000000000400000-0x0000000000423000-memory.dmp

memory/1252-531-0x0000000002480000-0x00000000024A3000-memory.dmp

memory/1252-530-0x0000000002480000-0x00000000024A3000-memory.dmp

memory/1252-533-0x0000000002480000-0x00000000024A3000-memory.dmp

memory/2532-534-0x00000000003D0000-0x00000000003F3000-memory.dmp

memory/1252-539-0x0000000002480000-0x00000000024A3000-memory.dmp

memory/2168-540-0x0000000002480000-0x00000000024A3000-memory.dmp

memory/2532-541-0x00000000003D0000-0x00000000003F3000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-16 06:56

Reported

2024-05-16 06:59

Platform

win10v2004-20240426-en

Max time kernel

149s

Max time network

106s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b6959f13299705953061b1985cd61720_NeikiAnalytics.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" C:\Users\Admin\AppData\Local\Temp\b6959f13299705953061b1985cd61720_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" C:\Users\Admin\AppData\Local\Temp\b6959f13299705953061b1985cd61720_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\AppData\Local\Temp\b6959f13299705953061b1985cd61720_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\babon.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A

Modifies visiblity of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Local\Temp\b6959f13299705953061b1985cd61720_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\babon.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\IExplorer.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\b6959f13299705953061b1985cd61720_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\babon.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\IExplorer.exe N/A

Disables Task Manager via registry modification

evasion

Disables cmd.exe use via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Users\Admin\AppData\Local\Temp\b6959f13299705953061b1985cd61720_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Windows\babon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Windows\SysWOW64\IExplorer.exe N/A

Disables use of System Restore points

evasion

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\babon.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
N/A N/A C:\Windows\babon.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Windows\babon.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Windows\babon.exe N/A
N/A N/A C:\Windows\babon.exe N/A
N/A N/A C:\Windows\babon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\babon.exe N/A
N/A N/A C:\Windows\babon.exe N/A
N/A N/A C:\Windows\babon.exe N/A
N/A N/A C:\Windows\babon.exe N/A
N/A N/A C:\Windows\babon.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\b6959f13299705953061b1985cd61720_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell C:\Users\Admin\AppData\Local\Temp\b6959f13299705953061b1985cd61720_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open C:\Users\Admin\AppData\Local\Temp\b6959f13299705953061b1985cd61720_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\babon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Windows\babon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\AppData\Local\Temp\b6959f13299705953061b1985cd61720_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Windows\babon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\b6959f13299705953061b1985cd61720_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\AppData\Local\Temp\b6959f13299705953061b1985cd61720_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\b6959f13299705953061b1985cd61720_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Windows\babon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\b6959f13299705953061b1985cd61720_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\b6959f13299705953061b1985cd61720_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\b6959f13299705953061b1985cd61720_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Windows\babon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\b6959f13299705953061b1985cd61720_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\lsass.exe" C:\Users\Admin\AppData\Local\Temp\b6959f13299705953061b1985cd61720_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\csrss.exe" C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\lsass.exe" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\babon = "C:\\Windows\\babon" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\babon = "C:\\Windows\\babon" C:\Users\Admin\AppData\Local\Temp\b6959f13299705953061b1985cd61720_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\babon = "C:\\Windows\\babon" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\csrss.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\lsass.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\lsass.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\babon = "C:\\Windows\\babon" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" C:\Users\Admin\AppData\Local\Temp\b6959f13299705953061b1985cd61720_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\lsass.exe" C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\babon = "C:\\Windows\\babon" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\csrss.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\lsass.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\csrss.exe" C:\Users\Admin\AppData\Local\Temp\b6959f13299705953061b1985cd61720_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\babon = "C:\\Windows\\babon" C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\csrss.exe" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\csrss.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\U: C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\IExplorer.exe N/A
File opened (read-only) \??\G: C:\Windows\babon.exe N/A
File opened (read-only) \??\O: C:\Windows\babon.exe N/A
File opened (read-only) \??\V: C:\Windows\babon.exe N/A
File opened (read-only) \??\Q: C:\Windows\babon.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\IExplorer.exe N/A
File opened (read-only) \??\E: C:\Windows\babon.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
File opened (read-only) \??\W: C:\Windows\babon.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\IExplorer.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
File opened (read-only) \??\M: C:\Windows\babon.exe N/A
File opened (read-only) \??\R: C:\Windows\babon.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
File opened (read-only) \??\T: C:\Windows\babon.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\IExplorer.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
File opened (read-only) \??\H: C:\Windows\babon.exe N/A
File opened (read-only) \??\J: C:\Windows\babon.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\IExplorer.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\IExplorer.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
File opened (read-only) \??\P: C:\Windows\babon.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\IExplorer.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\IExplorer.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\IExplorer.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\IExplorer.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Please enjoy the Babon Entertainment ^_^" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ C:\Users\Admin\AppData\Local\Temp\b6959f13299705953061b1985cd61720_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Welcome Friend" C:\Users\Admin\AppData\Local\Temp\b6959f13299705953061b1985cd61720_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Welcome Friend" C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Please enjoy the Babon Entertainment ^_^" C:\Users\Admin\AppData\Local\Temp\b6959f13299705953061b1985cd61720_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Please enjoy the Babon Entertainment ^_^" C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Welcome Friend" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Please enjoy the Babon Entertainment ^_^" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Please enjoy the Babon Entertainment ^_^" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Welcome Friend" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Please enjoy the Babon Entertainment ^_^" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Welcome Friend" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Welcome Friend" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File created C:\autorun.inf C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\autorun.inf C:\Windows\SysWOW64\IExplorer.exe N/A
File created F:\autorun.inf C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification F:\autorun.inf C:\Windows\SysWOW64\IExplorer.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\SysWOW64\IExplorer.exe C:\Windows\babon.exe N/A
File created C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened for modification C:\Windows\SysWOW64\shell.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\babon.scr C:\Users\Admin\AppData\Local\Temp\b6959f13299705953061b1985cd61720_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\babon.scr C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\SysWOW64\shell.exe C:\Users\Admin\AppData\Local\Temp\b6959f13299705953061b1985cd61720_NeikiAnalytics.exe N/A
File created C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\AppData\Local\Temp\b6959f13299705953061b1985cd61720_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened for modification C:\Windows\SysWOW64\shell.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened for modification C:\Windows\SysWOW64\babon.scr C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened for modification C:\Windows\SysWOW64\shell.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
File opened for modification C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\shell.exe C:\Users\Admin\AppData\Local\Temp\b6959f13299705953061b1985cd61720_NeikiAnalytics.exe N/A
File created C:\Windows\SysWOW64\babon.scr C:\Users\Admin\AppData\Local\Temp\b6959f13299705953061b1985cd61720_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\AppData\Local\Temp\b6959f13299705953061b1985cd61720_NeikiAnalytics.exe N/A
File created C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
File opened for modification C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\babon.scr C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\babon.scr C:\Windows\babon.exe N/A
File created C:\Windows\SysWOW64\IExplorer.exe C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\IExplorer.exe C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\IExplorer.exe C:\Windows\babon.exe N/A
File opened for modification C:\Windows\SysWOW64\shell.exe C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\shell.exe C:\Windows\babon.exe N/A
File opened for modification C:\Windows\SysWOW64\babon.scr C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\babon.exe C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\babon.exe C:\Users\Admin\AppData\Local\Temp\b6959f13299705953061b1985cd61720_NeikiAnalytics.exe N/A
File created C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\babon.exe C:\Windows\babon.exe N/A
File created C:\Windows\babon.exe C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\babon.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\babon.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
File created C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\babon.exe C:\Users\Admin\AppData\Local\Temp\b6959f13299705953061b1985cd61720_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\babon.exe C:\Windows\babon.exe N/A
File opened for modification C:\Windows\babon.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\babon.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File created C:\Windows\babon.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
File created C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\babon.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\babon.SCR" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\s1159 = "Babon" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\Mouse\SwapMouseButtons = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\s2359 = "Babon" C:\Windows\babon.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\Mouse\ C:\Windows\babon.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\Mouse\ C:\Users\Admin\AppData\Local\Temp\b6959f13299705953061b1985cd61720_NeikiAnalytics.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\Desktop\ C:\Windows\babon.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\Desktop\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\Mouse\SwapMouseButtons = "1" C:\Users\Admin\AppData\Local\Temp\b6959f13299705953061b1985cd61720_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\babon.SCR" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" C:\Users\Admin\AppData\Local\Temp\b6959f13299705953061b1985cd61720_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\Mouse\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\s1159 = "Babon" C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\s1159 = "Babon" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\s1159 = "Babon" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\babon.SCR" C:\Users\Admin\AppData\Local\Temp\b6959f13299705953061b1985cd61720_NeikiAnalytics.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\ C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\Mouse\SwapMouseButtons = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\Mouse\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\babon.SCR" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\Desktop\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\Desktop\ C:\Users\Admin\AppData\Local\Temp\b6959f13299705953061b1985cd61720_NeikiAnalytics.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\ C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\s2359 = "Babon" C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\Desktop\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\Mouse\ C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\Mouse\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\ C:\Users\Admin\AppData\Local\Temp\b6959f13299705953061b1985cd61720_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" C:\Windows\babon.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\Desktop\ C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\s2359 = "Babon" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\s1159 = "Babon" C:\Users\Admin\AppData\Local\Temp\b6959f13299705953061b1985cd61720_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\babon.SCR" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\s2359 = "Babon" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\s2359 = "Babon" C:\Users\Admin\AppData\Local\Temp\b6959f13299705953061b1985cd61720_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\s2359 = "Babon" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" C:\Users\Admin\AppData\Local\Temp\b6959f13299705953061b1985cd61720_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\Mouse\SwapMouseButtons = "1" C:\Windows\babon.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\Mouse\SwapMouseButtons = "1" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\s1159 = "Babon" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\babon.SCR" C:\Windows\babon.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\Mouse\SwapMouseButtons = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Babon hates Norman..:P~~" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Babon hates Norman..:P~~" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Software\Microsoft\Internet Explorer\Main\ C:\Users\Admin\AppData\Local\Temp\b6959f13299705953061b1985cd61720_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Babon hates Norman..:P~~" C:\Users\Admin\AppData\Local\Temp\b6959f13299705953061b1985cd61720_NeikiAnalytics.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Software\Microsoft\Internet Explorer\Main\ C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.jasakom.com" C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.jasakom.com" C:\Users\Admin\AppData\Local\Temp\b6959f13299705953061b1985cd61720_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.jasakom.com" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Babon hates Norman..:P~~" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.jasakom.com" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Software\Microsoft\Internet Explorer\Main\ C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Software\Microsoft\Internet Explorer\Main\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.jasakom.com" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Software\Microsoft\Internet Explorer\Main\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.jasakom.com" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Babon hates Norman..:P~~" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Software\Microsoft\Internet Explorer\Main\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Babon hates Norman..:P~~" C:\Windows\babon.exe N/A

Modifies Internet Explorer start page

stealer
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.jasakom.com" C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.jasakom.com" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.jasakom.com" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.jasakom.com" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.jasakom.com" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.jasakom.com" C:\Users\Admin\AppData\Local\Temp\b6959f13299705953061b1985cd61720_NeikiAnalytics.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\babon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} C:\Users\Admin\AppData\Local\Temp\b6959f13299705953061b1985cd61720_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ C:\Users\Admin\AppData\Local\Temp\b6959f13299705953061b1985cd61720_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile C:\Users\Admin\AppData\Local\Temp\b6959f13299705953061b1985cd61720_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ C:\Windows\babon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\b6959f13299705953061b1985cd61720_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} C:\Windows\babon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\b6959f13299705953061b1985cd61720_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\b6959f13299705953061b1985cd61720_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF" C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile C:\Users\Admin\AppData\Local\Temp\b6959f13299705953061b1985cd61720_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Windows\babon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Windows\babon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile C:\Users\Admin\AppData\Local\Temp\b6959f13299705953061b1985cd61720_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open C:\Users\Admin\AppData\Local\Temp\b6959f13299705953061b1985cd61720_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\b6959f13299705953061b1985cd61720_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install C:\Users\Admin\AppData\Local\Temp\b6959f13299705953061b1985cd61720_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\AppData\Local\Temp\b6959f13299705953061b1985cd61720_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Windows\babon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\b6959f13299705953061b1985cd61720_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell C:\Users\Admin\AppData\Local\Temp\b6959f13299705953061b1985cd61720_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Windows\babon.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b6959f13299705953061b1985cd61720_NeikiAnalytics.exe N/A
N/A N/A C:\Windows\babon.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
N/A N/A C:\Windows\babon.exe N/A
N/A N/A C:\Windows\babon.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Windows\babon.exe N/A
N/A N/A C:\Windows\babon.exe N/A
N/A N/A C:\Windows\babon.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4140 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\b6959f13299705953061b1985cd61720_NeikiAnalytics.exe C:\Windows\babon.exe
PID 4140 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\b6959f13299705953061b1985cd61720_NeikiAnalytics.exe C:\Windows\babon.exe
PID 4140 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\b6959f13299705953061b1985cd61720_NeikiAnalytics.exe C:\Windows\babon.exe
PID 4140 wrote to memory of 4172 N/A C:\Users\Admin\AppData\Local\Temp\b6959f13299705953061b1985cd61720_NeikiAnalytics.exe C:\Windows\SysWOW64\IExplorer.exe
PID 4140 wrote to memory of 4172 N/A C:\Users\Admin\AppData\Local\Temp\b6959f13299705953061b1985cd61720_NeikiAnalytics.exe C:\Windows\SysWOW64\IExplorer.exe
PID 4140 wrote to memory of 4172 N/A C:\Users\Admin\AppData\Local\Temp\b6959f13299705953061b1985cd61720_NeikiAnalytics.exe C:\Windows\SysWOW64\IExplorer.exe
PID 4140 wrote to memory of 1212 N/A C:\Users\Admin\AppData\Local\Temp\b6959f13299705953061b1985cd61720_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 4140 wrote to memory of 1212 N/A C:\Users\Admin\AppData\Local\Temp\b6959f13299705953061b1985cd61720_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 4140 wrote to memory of 1212 N/A C:\Users\Admin\AppData\Local\Temp\b6959f13299705953061b1985cd61720_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 4140 wrote to memory of 940 N/A C:\Users\Admin\AppData\Local\Temp\b6959f13299705953061b1985cd61720_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe
PID 4140 wrote to memory of 940 N/A C:\Users\Admin\AppData\Local\Temp\b6959f13299705953061b1985cd61720_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe
PID 4140 wrote to memory of 940 N/A C:\Users\Admin\AppData\Local\Temp\b6959f13299705953061b1985cd61720_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe
PID 4140 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\b6959f13299705953061b1985cd61720_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe
PID 4140 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\b6959f13299705953061b1985cd61720_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe
PID 4140 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\b6959f13299705953061b1985cd61720_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe
PID 1988 wrote to memory of 2712 N/A C:\Windows\babon.exe C:\Windows\babon.exe
PID 1988 wrote to memory of 2712 N/A C:\Windows\babon.exe C:\Windows\babon.exe
PID 1988 wrote to memory of 2712 N/A C:\Windows\babon.exe C:\Windows\babon.exe
PID 1988 wrote to memory of 3896 N/A C:\Windows\babon.exe C:\Windows\SysWOW64\IExplorer.exe
PID 1988 wrote to memory of 3896 N/A C:\Windows\babon.exe C:\Windows\SysWOW64\IExplorer.exe
PID 1988 wrote to memory of 3896 N/A C:\Windows\babon.exe C:\Windows\SysWOW64\IExplorer.exe
PID 4172 wrote to memory of 4168 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Windows\babon.exe
PID 4172 wrote to memory of 4168 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Windows\babon.exe
PID 4172 wrote to memory of 4168 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Windows\babon.exe
PID 4172 wrote to memory of 1912 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Windows\SysWOW64\IExplorer.exe
PID 4172 wrote to memory of 1912 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Windows\SysWOW64\IExplorer.exe
PID 4172 wrote to memory of 1912 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Windows\SysWOW64\IExplorer.exe
PID 1988 wrote to memory of 1644 N/A C:\Windows\babon.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 1988 wrote to memory of 1644 N/A C:\Windows\babon.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 1988 wrote to memory of 1644 N/A C:\Windows\babon.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 4172 wrote to memory of 2672 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 4172 wrote to memory of 2672 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 4172 wrote to memory of 2672 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 1212 wrote to memory of 3096 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe C:\Windows\babon.exe
PID 1212 wrote to memory of 3096 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe C:\Windows\babon.exe
PID 1212 wrote to memory of 3096 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe C:\Windows\babon.exe
PID 2692 wrote to memory of 1100 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe C:\Windows\babon.exe
PID 2692 wrote to memory of 1100 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe C:\Windows\babon.exe
PID 2692 wrote to memory of 1100 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe C:\Windows\babon.exe
PID 940 wrote to memory of 4524 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe C:\Windows\babon.exe
PID 940 wrote to memory of 4524 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe C:\Windows\babon.exe
PID 940 wrote to memory of 4524 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe C:\Windows\babon.exe
PID 1988 wrote to memory of 2212 N/A C:\Windows\babon.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe
PID 1988 wrote to memory of 2212 N/A C:\Windows\babon.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe
PID 1988 wrote to memory of 2212 N/A C:\Windows\babon.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe
PID 4172 wrote to memory of 2364 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe
PID 4172 wrote to memory of 2364 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe
PID 4172 wrote to memory of 2364 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe
PID 2692 wrote to memory of 4812 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2692 wrote to memory of 4812 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2692 wrote to memory of 4812 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe C:\Windows\SysWOW64\IExplorer.exe
PID 1212 wrote to memory of 3588 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe C:\Windows\SysWOW64\IExplorer.exe
PID 1212 wrote to memory of 3588 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe C:\Windows\SysWOW64\IExplorer.exe
PID 1212 wrote to memory of 3588 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe C:\Windows\SysWOW64\IExplorer.exe
PID 940 wrote to memory of 3760 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe C:\Windows\SysWOW64\IExplorer.exe
PID 940 wrote to memory of 3760 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe C:\Windows\SysWOW64\IExplorer.exe
PID 940 wrote to memory of 3760 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2692 wrote to memory of 552 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 2692 wrote to memory of 552 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 4172 wrote to memory of 3060 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe
PID 2692 wrote to memory of 552 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 4172 wrote to memory of 3060 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe
PID 4172 wrote to memory of 3060 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe
PID 1212 wrote to memory of 4740 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\b6959f13299705953061b1985cd61720_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Windows\babon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Users\Admin\AppData\Local\Temp\b6959f13299705953061b1985cd61720_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\babon.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\b6959f13299705953061b1985cd61720_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\b6959f13299705953061b1985cd61720_NeikiAnalytics.exe"

C:\Windows\babon.exe

C:\Windows\babon.exe

C:\Windows\SysWOW64\IExplorer.exe

C:\Windows\system32\IExplorer.exe

C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"

C:\Windows\babon.exe

C:\Windows\babon.exe

C:\Windows\SysWOW64\IExplorer.exe

C:\Windows\system32\IExplorer.exe

C:\Windows\babon.exe

C:\Windows\babon.exe

C:\Windows\SysWOW64\IExplorer.exe

C:\Windows\system32\IExplorer.exe

C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"

C:\Windows\babon.exe

C:\Windows\babon.exe

C:\Windows\babon.exe

C:\Windows\babon.exe

C:\Windows\babon.exe

C:\Windows\babon.exe

C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"

C:\Windows\SysWOW64\IExplorer.exe

C:\Windows\system32\IExplorer.exe

C:\Windows\SysWOW64\IExplorer.exe

C:\Windows\system32\IExplorer.exe

C:\Windows\SysWOW64\IExplorer.exe

C:\Windows\system32\IExplorer.exe

C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
NL 23.62.61.75:443 www.bing.com tcp
US 8.8.8.8:53 75.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 35.166.122.92.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

memory/4140-0-0x0000000000400000-0x0000000000423000-memory.dmp

C:\Users\Admin\AppData\Local\winlogon.exe

MD5 b6959f13299705953061b1985cd61720
SHA1 84d3789ce1e46d649a1b3b242cea9413a1512d8e
SHA256 9f16094205aa191fbe0048445a35c8f6a0552f40479f836ba6409fe4ee351f7f
SHA512 1d1ca9a3e40b21feac3d1bada310ac1af1537d14ddabb00a8d6c10316fbae4bc8140ec1e6980ee73a8502338019a1ed96b93bd233d6c8775b944614b2b23930f

C:\Windows\babon.exe

MD5 69998f68da9cc7f0821e472840a59dd1
SHA1 9e10da6adc68da4f819dd9d5c9a4bf09ef4cce1a
SHA256 1a693d7047686196ae602f6b73c9f70b1c093f9cdc936317b5616e0f7e129079
SHA512 61ca6f15f9b2ffc3a6bd3b162ec37794d596e532c27e267a3622a754770bb274055b75e80422f11dd6633315dff91795cb35171135fc561efa493bc0e7f8a2d5

memory/1988-102-0x0000000000400000-0x0000000000423000-memory.dmp

C:\Windows\SysWOW64\IExplorer.exe

MD5 76513f6923809023e272e1a50109a117
SHA1 7567bfed677ebc7f67cf10ce796421dcdaaff3ac
SHA256 572f410127454b80cd67e73d83e6ebedd9e47bf9cce18e64e7b68673f9bc7750
SHA512 651287848b2bb020a8f76df93f763339441d1c5fe08a4e0207a8acc69db1eb2dd625b98695157c81bdbc960330e4d18707bdb002fb9f59754cdb4202dc92fdfb

memory/4172-107-0x0000000000400000-0x0000000000423000-memory.dmp

C:\Users\Admin\AppData\Local\WINDOWS\winlogon.exe

MD5 189163c8ad3dc01b0dfb3291c156c536
SHA1 da872cf97d45716ae5b0bb192781cf09e758f508
SHA256 9897bd7ff419d56831e9ef5f9fd23168d46c0c3d5497144e6f81f78330d22d1d
SHA512 c55c445a2d667055d480acce87cc253e05595dc69019f99be14969739d4e8b1635c171048439bda9b2ea3c8be88935c353e7dbd6d3001ac70e10bf188515b076

memory/1212-116-0x0000000000400000-0x0000000000423000-memory.dmp

C:\Users\Admin\AppData\Local\WINDOWS\csrss.exe

MD5 ef45fd843d69afb6153e052d90cd58b6
SHA1 89d267eea43b10b0b8102e0a2255e2468819be5f
SHA256 e2277c20e0630c8bbe8b07c07081d1ff7beeeae8c01901aa4935f2b4e56e35c2
SHA512 8207c5e047f523b40c55f4560669aca8fe598c55a20af66173f53830d5fad664b4f011fb2bce63d8dfe9934acb03fc947014c769ff3b0a4f2a5c42ddf1a05ab4

memory/940-122-0x0000000000400000-0x0000000000423000-memory.dmp

C:\Users\Admin\AppData\Local\WINDOWS\lsass.exe

MD5 4829f0f8cbd32ae39fd6e0210f1925da
SHA1 23328757babfe269d632b586c0d50f3c85dd9ebd
SHA256 36309c337206b6c43e9087886dcabbcd2e68d21b754cd8511d12cd8a7677282c
SHA512 bed9fa0b72b0023770132bbbacc5c6f224620a71cb354f5e94179118bb2b7ff3990b80960e01801e59eb060f7b93111628678b069e677a2cfb4950ed97d53d35

memory/2692-128-0x0000000000400000-0x0000000000423000-memory.dmp

memory/4140-132-0x0000000000400000-0x0000000000423000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\WINDOWS\smss.exe

MD5 79d874e08ac0cf572ae8d454eb5b3732
SHA1 10ebd5b352d54f96b6c01ee4757728d90753db60
SHA256 1cee494308fec9ad8943b753b0095a313bcc6e94e9a0fcb3dedb98d641ba4214
SHA512 cce40818a4c02f4866ece68ac1cbb25abf4f951d7d520a800becdd5625ff0f32d9729415e03b5d75258c1beb9f5b380e5ac201c12f37e52cefc19a9b087437f4

C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif

MD5 fa54f1fc054264e0c0900c4d7d1fbf07
SHA1 735487ee0d90b9725da3b4ea28f502fc3236dbac
SHA256 fa1b82ca7cc1dd6d392db350625e7a4a2a9e34b4f27949ac767cc2d1b307c8f2
SHA512 e4c758f763c6f1761e2a3108fac0c479bf7f07152c2a9054f197ad5a3f62e62429428b9491c6dd5cf891cd99b4e7e5e080981b3c4fcc673651d75abeb6ad4597

C:\wangsit.txt

MD5 8c460e27a1949370d14f20942ef964c3
SHA1 fb1f75839903c83911b45b49956792d27db56185
SHA256 2c001b5c9684baf861870ffbaf0bec9df22560cdf3cd5a719a78a882e3122f8d
SHA512 ad4299385bd91f7157f4d4b01025664333423f15f796a9a70e3f5df251842cdef3ad8f1158dc3c8b51c8ea4d082d62d56a6b57fade7b563fb953f8b511a17bcd

C:\Windows\msvbvm60.dll

MD5 25f62c02619174b35851b0e0455b3d94
SHA1 4e8ee85157f1769f6e3f61c0acbe59072209da71
SHA256 898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
SHA512 f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

memory/2712-162-0x0000000000400000-0x0000000000423000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\WINDOWS\smss.exe

MD5 58b162edf991484544b61b9b5d2a540c
SHA1 efc4a0adc8d42f1b05d08da789774b30eab8a6d2
SHA256 5f8985c32926b02f72ff26929fe4ba00fa83e1a068d3323c5f8cde630e674ea6
SHA512 f849f0f3062607fcf3e9656364e8d06992d8f714bd3e1192265b95e5c79314fd3a5f24200b318d49313890fb9429126bc7cb6d701d208037696a585d678ad5d3

C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif

MD5 4aef22a1bd8b5d349aefe6205ecb7d9d
SHA1 7d8086cd824b214e902258896498eda23babed78
SHA256 08c30fdc31d6770d8fc5203fb55f53a717f2b93855e4441c63058856c4ea0a39
SHA512 fe6ba891c290c43fcf24e90a890fa77868c0bfd9ff8fa91ddd38fb68cde924f39bdc6f938729ace0c907226fc144da2218e73ed401c8c6099f6e0105d5351a7e

memory/1912-247-0x0000000000400000-0x0000000000423000-memory.dmp

memory/1644-276-0x0000000000400000-0x0000000000423000-memory.dmp

C:\babon.exe

MD5 2e87a571ea5d8c8b219f7979be91d524
SHA1 a9521b95e1f8194dfa4761160893d2715b7e2801
SHA256 729ee340b735110f230584aa762304f03568cf11da6650b9ae19a7dda08f1e54
SHA512 6dfb822627a6cb1da5214424bc089c1bb4a103bf615edf2a74e385aee343342eb283f280b10f9c12bb58c0a7bb4e0e8d4b828d7aea0aafe4585a3c8405a3b861

C:\Users\Admin\Local Settings\Application Data\WINDOWS\smss.exe

MD5 749b5ee9a155a085cd65c1386052344c
SHA1 883fe7547497d1477933f8e7b2f1eca28079d24d
SHA256 820352e4e6aa1219a56faaf8ab099d3802c58453b0c4a2c1a25011140f8462d3
SHA512 58faa85d4a050f463a60959eeba19b1a4d7e560073c9c97ba9bbdf24e11fb2d8a2841a40b6032272b384f0f590c96996d9553b510defabe0876b05d88bd62315

memory/2672-285-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2672-293-0x0000000000400000-0x0000000000423000-memory.dmp

memory/1644-290-0x0000000000400000-0x0000000000423000-memory.dmp

memory/4524-288-0x0000000000400000-0x0000000000423000-memory.dmp

memory/1100-287-0x0000000000400000-0x0000000000423000-memory.dmp

memory/1912-244-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2212-299-0x0000000000400000-0x0000000000423000-memory.dmp

memory/1100-302-0x0000000000400000-0x0000000000423000-memory.dmp

memory/4524-313-0x0000000000400000-0x0000000000423000-memory.dmp

memory/3588-311-0x0000000000400000-0x0000000000423000-memory.dmp

memory/3760-310-0x0000000000400000-0x0000000000423000-memory.dmp

memory/4812-300-0x0000000000400000-0x0000000000423000-memory.dmp

memory/3096-304-0x0000000000400000-0x0000000000423000-memory.dmp

memory/3896-242-0x0000000000400000-0x0000000000423000-memory.dmp

memory/4168-234-0x0000000000400000-0x0000000000423000-memory.dmp

C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif

MD5 1e799c79f752172a82f623ba1888204e
SHA1 ff65a74bb0280c4b7c910bdd246c59386083170e
SHA256 e784d1815e97c65c57f5b0e509a675d5259800e30bc15c873aa3be85d0020b13
SHA512 c281e909ee632ad5d8142c19f21df33f6585fa96cc95a4f2eb445d53510580e1d6ed04f594ea9dedc2cb21b67fb6d286389d92525a5e0af19a8097249054ff5c

C:\Windows\SysWOW64\babon.scr

MD5 4c7e01472a1fa6922abe66f1cdb58b73
SHA1 b4645ae19d762247eac90c8fb212ca5783707903
SHA256 59b3e3a19108ff2ecef78c5caf1103acd1b09792db29a0f5b3f0c6d1f7c0d07e
SHA512 6eb29c6e480374d6ba2aacb7ab77cf3af40caa60eb44e419360f2548682768190bbc60cb359a46f78e342d43e4ffeaf281581dcefef88a15b6dc7af6ae770bc1

C:\Windows\SysWOW64\shell.exe

MD5 a7241f475f543afa0772cb4b9d8b9d69
SHA1 b04787f0bb76904837e9c0f89884d9f82f47c830
SHA256 d0648ae0946c840ec58eb2e1be8d86fd95a63dacab53cdd3dc845595f9c189fb
SHA512 052e9dff3e2dd2be98df2cfa898ec81015dba574eebd82a4ac1a918e7f91d45b2ab752591e50b40eebf281df1da67dba34e9c6ed74074c870d18afee63e039ad

C:\babon.exe

MD5 f5075df2fe01809a46d1411d10565cea
SHA1 b16d791c995fcdccf009019c50453b681b3529eb
SHA256 24fb70eea70732ba7e2dcd4cad76ef07e76296f9185796c167f85ce2fcc1e857
SHA512 59099591da982ae13970da1595dae79c5aa9031cb963fa53143ecba1a380023dfc60c56790b1516184fe8ad30c007ae3b1ede7060670d4635f392041067d7355

C:\Users\Admin\Local Settings\Application Data\WINDOWS\smss.exe

MD5 bed75d0c3edd2358f0a0c56feddd11bd
SHA1 5111b27816a7b45d0a6242dceae3f9b07cca08c9
SHA256 5e9cf8175aea9c08ca5d8396f3ca74d7dc51e69678bfc75a7c6f576809c10c85
SHA512 f1e23e316b6e812751f015c26127c58fdc121d1089742aeb56b94b452c0d95e86bb125de7b982939e31e9db16280bec99077ed0f2eccefec4b7d40354cb7f6aa

memory/4812-318-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2364-322-0x0000000000400000-0x0000000000423000-memory.dmp

memory/3588-324-0x0000000000400000-0x0000000000423000-memory.dmp

memory/3760-326-0x0000000000400000-0x0000000000423000-memory.dmp

F:\autorun.inf

MD5 097661e74e667ec2329bc274acb87b0d
SHA1 91c68a6089af2f61035e2e5f2a8da8c908dc93ed
SHA256 aab4cf640f2520966a0aac31af8d1b819eea28736c6b103db16b07c3188ec6c0
SHA512 e90e678526270cd9388538246793534411c478b082ab914bfe2756b18771229f146c731c0f9c94ed59d8689b2ef77d25f7b22d3d6b8c2d439e5b3437f8dc649e

memory/3060-330-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2712-194-0x0000000000400000-0x0000000000423000-memory.dmp

memory/3896-184-0x0000000000400000-0x0000000000423000-memory.dmp

memory/3060-354-0x0000000000400000-0x0000000000423000-memory.dmp

memory/4740-355-0x0000000000400000-0x0000000000423000-memory.dmp

memory/552-357-0x0000000000400000-0x0000000000423000-memory.dmp

memory/1432-362-0x0000000000400000-0x0000000000423000-memory.dmp

memory/1356-366-0x0000000000400000-0x0000000000423000-memory.dmp

memory/4740-368-0x0000000000400000-0x0000000000423000-memory.dmp

memory/3424-371-0x0000000000400000-0x0000000000423000-memory.dmp

memory/1432-370-0x0000000000400000-0x0000000000423000-memory.dmp

memory/1388-381-0x0000000000400000-0x0000000000423000-memory.dmp

memory/688-384-0x0000000000400000-0x0000000000423000-memory.dmp

memory/688-389-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2236-393-0x0000000000400000-0x0000000000423000-memory.dmp

memory/1988-394-0x0000000000400000-0x0000000000423000-memory.dmp

memory/4172-395-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2692-398-0x0000000000400000-0x0000000000423000-memory.dmp

memory/940-397-0x0000000000400000-0x0000000000423000-memory.dmp

memory/1212-396-0x0000000000400000-0x0000000000423000-memory.dmp