Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
16-05-2024 08:06
Behavioral task
behavioral1
Sample
c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe
Resource
win7-20240419-en
Behavioral task
behavioral2
Sample
c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
General
-
Target
c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe
-
Size
45KB
-
MD5
c458461bf6c48e025687b6e7b8138b50
-
SHA1
055059f5fcbdec89225b4ca30133e5356cd99f4e
-
SHA256
ed7ccce61dfecef83e0ce4f61613ef4a35b36bae4490d30e19ea947b34f0a519
-
SHA512
4edcba0ee1f988f4647fb0da82d8f15985dc6df4e721f7efc3113931d67b1d355cceea9eb1ccdd3c589fd372f7640de946c28f9778ccbea7731b02db803b0159
-
SSDEEP
768:/h4AXKiTroAq0RB+XPPmNwQLNXEzTxideVASwekft5nEw2r:/a8jroAbRB+XWCQLZeIdSwkhr
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 12 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" lsass.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" babon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" babon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" lsass.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" winlogon.exe -
Modifies visibility of file extensions in Explorer 2 TTPs 6 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe Set value (int) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" babon.exe Set value (int) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" IExplorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" winlogon.exe Set value (int) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" csrss.exe Set value (int) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" lsass.exe -
Modifies visiblity of hidden/system files in Explorer 2 TTPs 6 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe Set value (int) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" babon.exe Set value (int) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" IExplorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" winlogon.exe Set value (int) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" csrss.exe Set value (int) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" lsass.exe -
Disables RegEdit via registry modification 6 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" lsass.exe Set value (int) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe Set value (int) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" babon.exe Set value (int) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" IExplorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" winlogon.exe Set value (int) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" csrss.exe -
Disables Task Manager via registry modification
-
Disables cmd.exe use via registry modification 6 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" IExplorer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" lsass.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" babon.exe -
Disables use of System Restore points 1 TTPs
-
resource yara_rule behavioral2/files/0x000700000002344d-8.dat aspack_v212_v242 behavioral2/files/0x0007000000023450-100.dat aspack_v212_v242 behavioral2/files/0x0007000000023454-106.dat aspack_v212_v242 behavioral2/files/0x0007000000023456-114.dat aspack_v212_v242 behavioral2/files/0x0007000000023457-120.dat aspack_v212_v242 behavioral2/files/0x0007000000023458-126.dat aspack_v212_v242 behavioral2/files/0x0007000000023459-132.dat aspack_v212_v242 behavioral2/files/0x0007000000023459-161.dat aspack_v212_v242 behavioral2/files/0x0007000000023453-227.dat aspack_v212_v242 behavioral2/files/0x0007000000023455-237.dat aspack_v212_v242 behavioral2/files/0x0007000000023452-233.dat aspack_v212_v242 behavioral2/files/0x0007000000023451-231.dat aspack_v212_v242 behavioral2/files/0x0007000000023459-222.dat aspack_v212_v242 behavioral2/files/0x0007000000023452-258.dat aspack_v212_v242 behavioral2/files/0x0007000000023455-263.dat aspack_v212_v242 behavioral2/files/0x0007000000023453-269.dat aspack_v212_v242 behavioral2/files/0x0007000000023451-265.dat aspack_v212_v242 behavioral2/files/0x0007000000023459-200.dat aspack_v212_v242 behavioral2/files/0x0007000000023452-294.dat aspack_v212_v242 behavioral2/files/0x0007000000023453-296.dat aspack_v212_v242 behavioral2/files/0x0007000000023451-292.dat aspack_v212_v242 -
Executes dropped EXE 30 IoCs
pid Process 4972 babon.exe 4140 IExplorer.exe 3528 winlogon.exe 2920 csrss.exe 5092 lsass.exe 684 babon.exe 4340 babon.exe 5040 IExplorer.exe 452 winlogon.exe 4992 csrss.exe 1804 IExplorer.exe 4196 babon.exe 4296 babon.exe 2116 lsass.exe 2460 winlogon.exe 3444 babon.exe 1276 IExplorer.exe 5104 IExplorer.exe 3720 csrss.exe 2324 IExplorer.exe 2524 winlogon.exe 2604 winlogon.exe 1880 lsass.exe 4184 winlogon.exe 3664 csrss.exe 3764 csrss.exe 2484 csrss.exe 1972 lsass.exe 1548 lsass.exe 3480 lsass.exe -
Loads dropped DLL 5 IoCs
pid Process 684 babon.exe 4340 babon.exe 4196 babon.exe 4296 babon.exe 3444 babon.exe -
Modifies system executable filetype association 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" babon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command babon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command IExplorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" lsass.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command lsass.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command lsass.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" lsass.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" lsass.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" babon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command lsass.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" IExplorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" babon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" lsass.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command babon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" IExplorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command babon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command babon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command lsass.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" lsass.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" babon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" babon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command IExplorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command lsass.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" babon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" IExplorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" lsass.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command babon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command csrss.exe -
Adds Run key to start application 2 TTPs 24 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\csrss.exe" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\babon = "C:\\Windows\\babon" lsass.exe Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\babon = "C:\\Windows\\babon" c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" babon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\csrss.exe" babon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\lsass.exe" babon.exe Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\babon = "C:\\Windows\\babon" winlogon.exe Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\babon = "C:\\Windows\\babon" babon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\csrss.exe" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\lsass.exe" winlogon.exe Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" lsass.exe Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\babon = "C:\\Windows\\babon" IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\csrss.exe" IExplorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\babon = "C:\\Windows\\babon" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\lsass.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\lsass.exe" lsass.exe Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\csrss.exe" lsass.exe Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\csrss.exe" c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\lsass.exe" c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\lsass.exe" IExplorer.exe -
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\R: IExplorer.exe File opened (read-only) \??\E: winlogon.exe File opened (read-only) \??\O: winlogon.exe File opened (read-only) \??\K: csrss.exe File opened (read-only) \??\Z: IExplorer.exe File opened (read-only) \??\I: babon.exe File opened (read-only) \??\Y: winlogon.exe File opened (read-only) \??\X: lsass.exe File opened (read-only) \??\M: IExplorer.exe File opened (read-only) \??\T: IExplorer.exe File opened (read-only) \??\S: lsass.exe File opened (read-only) \??\H: csrss.exe File opened (read-only) \??\U: csrss.exe File opened (read-only) \??\E: IExplorer.exe File opened (read-only) \??\Y: babon.exe File opened (read-only) \??\M: winlogon.exe File opened (read-only) \??\O: csrss.exe File opened (read-only) \??\Z: babon.exe File opened (read-only) \??\G: winlogon.exe File opened (read-only) \??\K: lsass.exe File opened (read-only) \??\U: IExplorer.exe File opened (read-only) \??\K: babon.exe File opened (read-only) \??\N: babon.exe File opened (read-only) \??\H: IExplorer.exe File opened (read-only) \??\T: csrss.exe File opened (read-only) \??\T: babon.exe File opened (read-only) \??\W: babon.exe File opened (read-only) \??\L: csrss.exe File opened (read-only) \??\J: IExplorer.exe File opened (read-only) \??\K: IExplorer.exe File opened (read-only) \??\V: IExplorer.exe File opened (read-only) \??\E: lsass.exe File opened (read-only) \??\U: lsass.exe File opened (read-only) \??\Z: lsass.exe File opened (read-only) \??\Q: IExplorer.exe File opened (read-only) \??\E: csrss.exe File opened (read-only) \??\Q: csrss.exe File opened (read-only) \??\W: winlogon.exe File opened (read-only) \??\P: csrss.exe File opened (read-only) \??\V: csrss.exe File opened (read-only) \??\T: lsass.exe File opened (read-only) \??\W: lsass.exe File opened (read-only) \??\G: csrss.exe File opened (read-only) \??\M: csrss.exe File opened (read-only) \??\H: lsass.exe File opened (read-only) \??\M: lsass.exe File opened (read-only) \??\Y: lsass.exe File opened (read-only) \??\R: winlogon.exe File opened (read-only) \??\T: winlogon.exe File opened (read-only) \??\B: csrss.exe File opened (read-only) \??\J: csrss.exe File opened (read-only) \??\L: babon.exe File opened (read-only) \??\O: babon.exe File opened (read-only) \??\I: winlogon.exe File opened (read-only) \??\K: winlogon.exe File opened (read-only) \??\O: lsass.exe File opened (read-only) \??\J: winlogon.exe File opened (read-only) \??\P: IExplorer.exe File opened (read-only) \??\R: babon.exe File opened (read-only) \??\S: babon.exe File opened (read-only) \??\N: IExplorer.exe File opened (read-only) \??\J: babon.exe File opened (read-only) \??\B: winlogon.exe File opened (read-only) \??\B: lsass.exe -
Modifies WinLogon 2 TTPs 18 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Please enjoy the Babon Entertainment ^_^" c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Welcome Friend" babon.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Welcome Friend" c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Please enjoy the Babon Entertainment ^_^" IExplorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Please enjoy the Babon Entertainment ^_^" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Welcome Friend" IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Please enjoy the Babon Entertainment ^_^" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Welcome Friend" lsass.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Please enjoy the Babon Entertainment ^_^" lsass.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Welcome Friend" csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ lsass.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ babon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Please enjoy the Babon Entertainment ^_^" babon.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ IExplorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Welcome Friend" winlogon.exe -
Drops autorun.inf file 1 TTPs 4 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description ioc Process File opened for modification F:\autorun.inf IExplorer.exe File created C:\autorun.inf IExplorer.exe File opened for modification C:\autorun.inf IExplorer.exe File created F:\autorun.inf IExplorer.exe -
Drops file in System32 directory 38 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\babon.scr c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe File opened for modification C:\Windows\SysWOW64\shell.exe babon.exe File opened for modification C:\Windows\SysWOW64\IExplorer.exe csrss.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File created C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File created C:\Windows\SysWOW64\IExplorer.exe babon.exe File opened for modification C:\Windows\SysWOW64\shell.exe lsass.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\SysWOW64\IExplorer.exe lsass.exe File opened for modification C:\Windows\SysWOW64\IExplorer.exe c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\SysWOW64\shell.exe winlogon.exe File opened for modification C:\Windows\SysWOW64\shell.exe csrss.exe File opened for modification C:\Windows\SysWOW64\shell.exe IExplorer.exe File created C:\Windows\SysWOW64\IExplorer.exe IExplorer.exe File created C:\Windows\SysWOW64\IExplorer.exe lsass.exe File created C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\SysWOW64\shell.exe c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe File created C:\Windows\SysWOW64\shell.exe c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe File opened for modification C:\Windows\SysWOW64\IExplorer.exe IExplorer.exe File opened for modification C:\Windows\SysWOW64\babon.scr csrss.exe File created C:\Windows\SysWOW64\IExplorer.exe c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe File opened for modification C:\Windows\SysWOW64\babon.scr IExplorer.exe File created C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File created C:\Windows\SysWOW64\IExplorer.exe csrss.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File created C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\SysWOW64\babon.scr babon.exe File opened for modification C:\Windows\SysWOW64\IExplorer.exe babon.exe File opened for modification C:\Windows\SysWOW64\babon.scr winlogon.exe File created C:\Windows\SysWOW64\IExplorer.exe winlogon.exe File created C:\Windows\SysWOW64\babon.scr c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\SysWOW64\IExplorer.exe winlogon.exe File opened for modification C:\Windows\SysWOW64\babon.scr lsass.exe File created C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File created C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe -
Drops file in Windows directory 24 IoCs
description ioc Process File created C:\Windows\babon.exe csrss.exe File opened for modification C:\Windows\msvbvm60.dll IExplorer.exe File created C:\Windows\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\babon.exe csrss.exe File opened for modification C:\Windows\msvbvm60.dll IExplorer.exe File created C:\Windows\babon.exe babon.exe File opened for modification C:\Windows\msvbvm60.dll IExplorer.exe File created C:\Windows\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\msvbvm60.dll IExplorer.exe File created C:\Windows\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\babon.exe c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe File created C:\Windows\msvbvm60.dll IExplorer.exe File created C:\Windows\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\babon.exe winlogon.exe File created C:\Windows\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\babon.exe IExplorer.exe File created C:\Windows\babon.exe IExplorer.exe File created C:\Windows\babon.exe winlogon.exe File opened for modification C:\Windows\babon.exe lsass.exe File created C:\Windows\babon.exe lsass.exe File created C:\Windows\babon.exe c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe File opened for modification C:\Windows\babon.exe babon.exe -
Modifies Control Panel 54 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\babon.SCR" winlogon.exe Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\ winlogon.exe Set value (int) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\Mouse\SwapMouseButtons = "1" babon.exe Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\Desktop\ IExplorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\babon.SCR" IExplorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\s2359 = "Babon" IExplorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" csrss.exe Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\Desktop\ c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" IExplorer.exe Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\ IExplorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" winlogon.exe Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\s1159 = "Babon" winlogon.exe Set value (int) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\Mouse\SwapMouseButtons = "1" winlogon.exe Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\ lsass.exe Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\s1159 = "Babon" lsass.exe Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" babon.exe Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\s2359 = "Babon" babon.exe Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\babon.SCR" lsass.exe Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\ c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\s2359 = "Babon" c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\s2359 = "Babon" csrss.exe Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\ babon.exe Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\Mouse\ babon.exe Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\Desktop\ csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\babon.SCR" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\Desktop\ babon.exe Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\Mouse\ IExplorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" lsass.exe Set value (int) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\Mouse\SwapMouseButtons = "1" lsass.exe Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\Mouse\ c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\babon.SCR" babon.exe Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\s1159 = "Babon" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\s1159 = "Babon" babon.exe Set value (int) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\Mouse\SwapMouseButtons = "1" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\s2359 = "Babon" lsass.exe Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\ csrss.exe Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\Mouse\ csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" lsass.exe Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\s1159 = "Babon" c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\s2359 = "Babon" winlogon.exe Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\Mouse\ winlogon.exe Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\Mouse\ lsass.exe Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" winlogon.exe Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\babon.SCR" c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" IExplorer.exe Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\Desktop\ winlogon.exe Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\Desktop\ lsass.exe Set value (int) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\Mouse\SwapMouseButtons = "1" c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" babon.exe Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\s1159 = "Babon" IExplorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\Mouse\SwapMouseButtons = "1" IExplorer.exe -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Internet Explorer\Main\ c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Babon hates Norman..:P~~" c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Babon hates Norman..:P~~" babon.exe Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Babon hates Norman..:P~~" IExplorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.jasakom.com" IExplorer.exe Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Internet Explorer\Main\ csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Babon hates Norman..:P~~" csrss.exe Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Internet Explorer\Main\ lsass.exe Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.jasakom.com" lsass.exe Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Babon hates Norman..:P~~" lsass.exe Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.jasakom.com" c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Internet Explorer\Main\ babon.exe Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.jasakom.com" babon.exe Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Babon hates Norman..:P~~" winlogon.exe Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.jasakom.com" csrss.exe Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Internet Explorer\Main\ IExplorer.exe Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Internet Explorer\Main\ winlogon.exe Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.jasakom.com" winlogon.exe -
Modifies Internet Explorer start page 1 TTPs 6 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.jasakom.com" c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.jasakom.com" babon.exe Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.jasakom.com" IExplorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.jasakom.com" winlogon.exe Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.jasakom.com" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.jasakom.com" lsass.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command babon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" lsass.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} lsass.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile lsass.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF" IExplorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command IExplorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command IExplorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ lsass.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" lsass.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" lsass.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} babon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" babon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile IExplorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" babon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" IExplorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command lsass.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command lsass.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" lsass.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" lsass.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} lsass.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" IExplorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} IExplorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command IExplorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command IExplorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command babon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" lsass.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" babon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ IExplorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile winlogon.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 3196 c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe 3196 c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe -
Suspicious behavior: GetForegroundWindowSpam 5 IoCs
pid Process 4972 babon.exe 2920 csrss.exe 3528 winlogon.exe 4140 IExplorer.exe 5092 lsass.exe -
Suspicious use of SetWindowsHookEx 31 IoCs
pid Process 3196 c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe 4972 babon.exe 4140 IExplorer.exe 3528 winlogon.exe 2920 csrss.exe 5092 lsass.exe 684 babon.exe 4340 babon.exe 5040 IExplorer.exe 452 winlogon.exe 4992 csrss.exe 1804 IExplorer.exe 4196 babon.exe 4296 babon.exe 2460 winlogon.exe 2116 lsass.exe 1276 IExplorer.exe 3444 babon.exe 5104 IExplorer.exe 3720 csrss.exe 2324 IExplorer.exe 2524 winlogon.exe 2604 winlogon.exe 1880 lsass.exe 4184 winlogon.exe 3664 csrss.exe 3764 csrss.exe 2484 csrss.exe 1972 lsass.exe 1548 lsass.exe 3480 lsass.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3196 wrote to memory of 4972 3196 c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe 82 PID 3196 wrote to memory of 4972 3196 c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe 82 PID 3196 wrote to memory of 4972 3196 c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe 82 PID 3196 wrote to memory of 4140 3196 c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe 83 PID 3196 wrote to memory of 4140 3196 c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe 83 PID 3196 wrote to memory of 4140 3196 c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe 83 PID 3196 wrote to memory of 3528 3196 c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe 84 PID 3196 wrote to memory of 3528 3196 c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe 84 PID 3196 wrote to memory of 3528 3196 c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe 84 PID 3196 wrote to memory of 2920 3196 c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe 85 PID 3196 wrote to memory of 2920 3196 c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe 85 PID 3196 wrote to memory of 2920 3196 c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe 85 PID 3196 wrote to memory of 5092 3196 c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe 86 PID 3196 wrote to memory of 5092 3196 c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe 86 PID 3196 wrote to memory of 5092 3196 c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe 86 PID 4972 wrote to memory of 684 4972 babon.exe 90 PID 4972 wrote to memory of 684 4972 babon.exe 90 PID 4972 wrote to memory of 684 4972 babon.exe 90 PID 4140 wrote to memory of 4340 4140 IExplorer.exe 91 PID 4140 wrote to memory of 4340 4140 IExplorer.exe 91 PID 4140 wrote to memory of 4340 4140 IExplorer.exe 91 PID 4140 wrote to memory of 5040 4140 IExplorer.exe 92 PID 4140 wrote to memory of 5040 4140 IExplorer.exe 92 PID 4140 wrote to memory of 5040 4140 IExplorer.exe 92 PID 4140 wrote to memory of 452 4140 IExplorer.exe 93 PID 4140 wrote to memory of 452 4140 IExplorer.exe 93 PID 4140 wrote to memory of 452 4140 IExplorer.exe 93 PID 4140 wrote to memory of 4992 4140 IExplorer.exe 94 PID 4140 wrote to memory of 4992 4140 IExplorer.exe 94 PID 4140 wrote to memory of 4992 4140 IExplorer.exe 94 PID 4972 wrote to memory of 1804 4972 babon.exe 95 PID 4972 wrote to memory of 1804 4972 babon.exe 95 PID 4972 wrote to memory of 1804 4972 babon.exe 95 PID 3528 wrote to memory of 4196 3528 winlogon.exe 96 PID 3528 wrote to memory of 4196 3528 winlogon.exe 96 PID 3528 wrote to memory of 4196 3528 winlogon.exe 96 PID 2920 wrote to memory of 4296 2920 csrss.exe 97 PID 2920 wrote to memory of 4296 2920 csrss.exe 97 PID 2920 wrote to memory of 4296 2920 csrss.exe 97 PID 4140 wrote to memory of 2116 4140 IExplorer.exe 98 PID 4140 wrote to memory of 2116 4140 IExplorer.exe 98 PID 4140 wrote to memory of 2116 4140 IExplorer.exe 98 PID 4972 wrote to memory of 2460 4972 babon.exe 99 PID 4972 wrote to memory of 2460 4972 babon.exe 99 PID 4972 wrote to memory of 2460 4972 babon.exe 99 PID 5092 wrote to memory of 3444 5092 lsass.exe 100 PID 5092 wrote to memory of 3444 5092 lsass.exe 100 PID 5092 wrote to memory of 3444 5092 lsass.exe 100 PID 3528 wrote to memory of 1276 3528 winlogon.exe 101 PID 3528 wrote to memory of 1276 3528 winlogon.exe 101 PID 3528 wrote to memory of 1276 3528 winlogon.exe 101 PID 2920 wrote to memory of 5104 2920 csrss.exe 102 PID 2920 wrote to memory of 5104 2920 csrss.exe 102 PID 2920 wrote to memory of 5104 2920 csrss.exe 102 PID 4972 wrote to memory of 3720 4972 babon.exe 103 PID 4972 wrote to memory of 3720 4972 babon.exe 103 PID 4972 wrote to memory of 3720 4972 babon.exe 103 PID 5092 wrote to memory of 2324 5092 lsass.exe 104 PID 5092 wrote to memory of 2324 5092 lsass.exe 104 PID 5092 wrote to memory of 2324 5092 lsass.exe 104 PID 3528 wrote to memory of 2524 3528 winlogon.exe 105 PID 3528 wrote to memory of 2524 3528 winlogon.exe 105 PID 3528 wrote to memory of 2524 3528 winlogon.exe 105 PID 2920 wrote to memory of 2604 2920 csrss.exe 106 -
System policy modification 1 TTPs 12 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System babon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System IExplorer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" IExplorer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" babon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System lsass.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" lsass.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe"1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Modifies system executable filetype association
- Adds Run key to start application
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3196 -
C:\Windows\babon.exeC:\Windows\babon.exe2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Executes dropped EXE
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4972 -
C:\Windows\babon.exeC:\Windows\babon.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:684
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:1804
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2460
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3720
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1880
-
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Executes dropped EXE
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4140 -
C:\Windows\babon.exeC:\Windows\babon.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4340
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:5040
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:452
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4992
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2116
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Executes dropped EXE
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3528 -
C:\Windows\babon.exeC:\Windows\babon.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4196
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:1276
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2524
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3664
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1972
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Executes dropped EXE
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2920 -
C:\Windows\babon.exeC:\Windows\babon.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4296
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:5104
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2604
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3764
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1548
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Executes dropped EXE
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:5092 -
C:\Windows\babon.exeC:\Windows\babon.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:3444
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2324
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4184
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2484
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3480
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
1Winlogon Helper DLL
2Event Triggered Execution
1Change Default File Association
1Privilege Escalation
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
1Winlogon Helper DLL
2Event Triggered Execution
1Change Default File Association
1Defense Evasion
Hide Artifacts
2Hidden Files and Directories
2Modify Registry
9Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
45KB
MD529e64c2e4ae1a9ce51f6e7a34f74bac4
SHA193ec0f121fe5473b6b8ab91d89aaaaaf5d7da6c3
SHA256345ca22084952109aa281f0b95daa35e84b20d41291b9ece8668be3652ed9cf4
SHA51292100dbe890c386ecaee91f511e0374011df818ee0cb2f5beee9e70ccddd3b32891746a82b90b6b7dff20ce16141ca902f589b903c29267fcfe168bb1fd25cc2
-
Filesize
45KB
MD5b8590d95906eca765ce01488a0556694
SHA1948d09585bb93c864d813f4021857698546fbb23
SHA256fd8b33da4f3379784546f2d5c738175fc0f9834601d0b751443b042163bd0c9d
SHA51299d1598c7878ecf598ad02b1976f89c4a129c70751df4d0723fb9b660df3d0af0689fc5867b0bfe2f131b5c89e350dff9dabbb57265e4b566b9123a1a55d6e82
-
Filesize
45KB
MD5880538b07df6cb5e777429f61aa77f2a
SHA1e6f6f80c1a5225d624c3c9bcface192657bbf435
SHA256017735a6484b834b0ed2560507dd9c1d49fee18ec49cac4e52fab5eb3dbdd74a
SHA512cd3a1ec4a31ae4e5e32bc7ea49912e808eb7e95fd62c4af054b57a1663c7330fa5f7daa4261ecc1b70e45b7ec3abdedc11a04c3fba03497698aac7b2bcb97454
-
Filesize
45KB
MD5c458461bf6c48e025687b6e7b8138b50
SHA1055059f5fcbdec89225b4ca30133e5356cd99f4e
SHA256ed7ccce61dfecef83e0ce4f61613ef4a35b36bae4490d30e19ea947b34f0a519
SHA5124edcba0ee1f988f4647fb0da82d8f15985dc6df4e721f7efc3113931d67b1d355cceea9eb1ccdd3c589fd372f7640de946c28f9778ccbea7731b02db803b0159
-
Filesize
45KB
MD5933649237612e7dd81ef90c7aae258da
SHA10696f1f49a5da1ac3c7f81d16ce7eaf8ad9180d2
SHA256e5783d85b30227667450f497e40385dade538aaaa6fbf1e2ec2f76263bd411cd
SHA5127a817a474e68a59d01db7e37ce09ceeaf73951c2acce0e3c19d82518ed32bdc05257062c92648c5cfc638c7699ecde91582d96cdf5ca801556c9cdc03857b7f1
-
Filesize
45KB
MD56cb2f5ec12e8f69fd42048fbc1093e9b
SHA11b9435c7dedbd30541a7d635dbc1df5fa3d7ae1b
SHA256793e74a9c3274f951d1747b57d58d215741c4accda6aa12ba4abb27401952a74
SHA512621cce3803e8571feaab679a8a6c38214764feb64d9f77fa75521bcfe4a340de1b5f79ba86e727ee47eb0172b6052fff449a0db110f2a2cc5f751031353e449e
-
Filesize
45KB
MD54988789b6ca75ab84063e4939737bfe6
SHA1b64241db750388770e95ed24f7d222222506c2d0
SHA256a94f876201c99fe148f86d2a4d2d626ccb5f0be650d2af80a40a8e457581220e
SHA512fe2c3a635d207dc1ce7a452f632752a9cbad911ef8356b78feb8af70060a93abc104fce96c3c69b1b790a0250f72d2f98d08134c2e01b84d2f71ea797dd653a5
-
Filesize
45KB
MD5f1dd70290c3f5ed449bf4d981f026c90
SHA1b890a8852c57ecef1fae524fb5eaea5d5b0cecc4
SHA2568fa950a0e913273a3c2d0cd045d591cdf3e9f3152a669530265e1cbb2c2f6705
SHA51286912408d4d20ee4a82fc117dae6a4629842d1d020240b200a35376a654b2a111d8b14c70410c3459545c87fa596885ac872eb083673679c3dafa0e6ffb68cc2
-
Filesize
45KB
MD5f663619057d9d3eee6f25fcee412eef5
SHA167b41c9921232f09e7436c560270b1af7223c4b1
SHA256fcfef41a7294d913cc04563201341e5ea8bb52983ea90f94869a1a9ec0ae3b7c
SHA5128e89afd505484b17183c22adce439f325eea78b2fd804aa49b4ddb1c9a0bfe1a502c231bab88a3e39a93cf6f5e77ef4bdaa9c1be795bf0cc570eb9c33c6a57b3
-
Filesize
45KB
MD5da3edb285a3b6b7ca8c92906e69bba8b
SHA14507c8f132d17aa3649ab6fae7c18bd4c7939696
SHA256e4cce1f46098a726d7e17983d092ec97339ffe0d39b49da32bb055adb508cbbc
SHA5128bb3e55ca7237a4c8ae678009175d2bbbfa9d38317c08ae923679fe11960267fff41cd1f63b8e1502a9d3fc63dee426f0217512ad6f8a16d8a3b4ddd7cd8e598
-
Filesize
45KB
MD5b54b61e48ced870675413271a2703401
SHA1faf649c93e8e9cf98c4d1941e381c4f0ad74d0cc
SHA25671746774a8a1498b4f3f58001a4d4566fec4fc4f42eeab17ab3301982b138e9f
SHA512f158d361c69617ca34b6bac6adac4c59f0e2d5caee99034db89f6572dcabd37ff41e440829fe146f618ea89ebbc4da94785f966ac18689841a8a7011e9436101
-
Filesize
45KB
MD5166b5268160fa9fdff079e8e49b1de04
SHA1383b8f2d7d1164714be5143d8327208664d0a1a5
SHA256660f580c487e4799a8ff26086419e46f7cc7866e5d6d2707b3fae1d5a81c5bdf
SHA512383fabb556f0f688b3c342e2149f500e8378c275d0688d2eb19ce6090dc63292bed8a7a7151c4ae6870c44a50874db1042508f3eaaf9313777cc3d4ef6894306
-
Filesize
45KB
MD55cca73056e07503f9aac24c56ca0a806
SHA1667613347876995f375aca7257b74e0b025f5be6
SHA256047729308eb3363081ada701bd0585d3c4b34d95755b6cacc4ad674a2c23d896
SHA512ea95b3cd630f833045f5eebe6dac96f858ae6b70f97e32883be9d9c319fe7e38405c42c6f08543f92b1e0eff2aed204479a46719eb704680c25c6f33e8bd8757
-
Filesize
45KB
MD5aced98ed4a71d0c136e13524158b29bd
SHA1b12404e9dbd513b8cdccfe12cd3fab02870f677b
SHA2565dc36683393c275ea05af4690343d5b2e8375b0a2733c6a52095d54496b51876
SHA512412eb11f60bc84924dd2187891bfa6721af59f531dbfa7cf44e91858d3c60da6d1d03b8d3203bbf56f535b621fd71b94c914783e437fdfddf231ecf26b3b98d9
-
Filesize
45KB
MD56da94b7492972aa1c17aa65237cc1a68
SHA1223b1fb4cdeb68ae8320f187babd63f05c3cc54b
SHA25622c1e36eae4b639b1fa8fe4995854b4689dea7f34342f8a29b7f46825c9763ab
SHA512d0b141f26afaef16532d5b394156f7e2d68dd27c088f5760546b3ad6f869c85673e23841c03da5dce9178701aed5710cef36dc7d12564b4ba34f56ea88bbf41c
-
Filesize
45KB
MD5c13dbc1ddd4970c6ea0aea4486155a62
SHA1ec63c3bcab09bdb33e03f58a65c0d9954caabfaa
SHA25653f468e28a279b9c94470f979bcf3411ca6d2b8bcceca3352c1535cc70a5527d
SHA512f1e2679a9024b1a63d2415d9d5de45f0542507f529264dc008ffe750a2b38072fc0173747257a329515ca07ece9af61602ab5a019b187d23dd396991dac3b0c4
-
Filesize
45KB
MD5ced665d0c5d8b98896c3e1986cd62877
SHA1e3dd1625610851e05fbb2f7dd764dbf9f6fc7f17
SHA256bae4017ddbb9fb9fe174459d88eb7f31c9826be587316413e0190874b60a71e7
SHA512c695eb1e7dd5a551a2ee62a6919f829fc99d499bce1054e58c3553904d9ecd31f1da50c00c9c03fa7ca5e832be4b3d7d980ca8f64d9036a39ddaa1db45065a7d
-
Filesize
45KB
MD5821cd36dcde607c9a47cf28897b59504
SHA16a9f1320354cef725d67e53909296ce38f4c68c4
SHA256290282ffdb8f4302a898bf42402abcdf2684105f7aeccb38e1f4ffd3766544bd
SHA51214dfc5c20a10eb62d0b0467ba655e3e892da774e63d97205b6ee1a78d048f29d6574ec9189e7bd48feefdd695a49d4366bcd81d9dd31b7fa1ef246f36de76f78
-
Filesize
1.4MB
MD525f62c02619174b35851b0e0455b3d94
SHA14e8ee85157f1769f6e3f61c0acbe59072209da71
SHA256898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
SHA512f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a
-
Filesize
45KB
MD5880bb54f6a931d46b393f618cc10c454
SHA17b91c093c1d3b6725eed928a6938ebcfd2600aee
SHA25687d0a9f7a165fd456509bebb281a6238602ad7229545b6e0bce5c667e6d579f4
SHA512487b7e0995c91dc7172a9b00fd723fef1b3b171d5fb570398f8e551d0fa2db9e99fbc7a9785621756f91d73cfd535208c5247c3c4224327ae5831a29beda6248
-
Filesize
45KB
MD55e103c3bed0b0c07047a7bbe05f85013
SHA189c02b436ba14e66a145ae111b1c0ff9843e7e47
SHA256f0bfbbd118df7f6b1d9bc787d703ee48ee734d73b7c8c0ac9781f5111741d9ad
SHA5126051a86764f8b470b2bce39ffcbf9080fc9a73fae89cdab6bab2fca6bba71a7d1d70d0da939f2e66cf7c3a61b1a1db57d310bc0e2ecc3d105d80abea3e77e9ec
-
Filesize
45KB
MD58abf53bcbdd28ebdc0f6232f65ed52fa
SHA1efdead3ff914d7ff68f47701118350869194fe6c
SHA256115bc5f860a97cea12dbf64fa87a4cd17d44f34ed7d819757c765ba0a9506315
SHA512c40acb9a8f7fb705d14f1fa1924b476f70e1688dba410613a7955af8e8f96bf20968f8cd3cdf34456c211e2bf2ff442c519ed5867d199deb7b22856d365b76dd
-
Filesize
416B
MD58c460e27a1949370d14f20942ef964c3
SHA1fb1f75839903c83911b45b49956792d27db56185
SHA2562c001b5c9684baf861870ffbaf0bec9df22560cdf3cd5a719a78a882e3122f8d
SHA512ad4299385bd91f7157f4d4b01025664333423f15f796a9a70e3f5df251842cdef3ad8f1158dc3c8b51c8ea4d082d62d56a6b57fade7b563fb953f8b511a17bcd
-
Filesize
41B
MD5097661e74e667ec2329bc274acb87b0d
SHA191c68a6089af2f61035e2e5f2a8da8c908dc93ed
SHA256aab4cf640f2520966a0aac31af8d1b819eea28736c6b103db16b07c3188ec6c0
SHA512e90e678526270cd9388538246793534411c478b082ab914bfe2756b18771229f146c731c0f9c94ed59d8689b2ef77d25f7b22d3d6b8c2d439e5b3437f8dc649e