Malware Analysis Report

2025-01-22 12:26

Sample ID 240516-jzp7gabd2v
Target c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics
SHA256 ed7ccce61dfecef83e0ce4f61613ef4a35b36bae4490d30e19ea947b34f0a519
Tags
aspackv2 evasion persistence
score
10/10

Table of Contents

  Analysis Overview
  MITRE ATT&CK
    Enterprise Matrix V15
  Analysis: static1
    Detonation Overview
    Signatures
  Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
  Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
10/10

SHA256

ed7ccce61dfecef83e0ce4f61613ef4a35b36bae4490d30e19ea947b34f0a519

Threat Level: Known bad

The file c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics was found to be: Known bad.

Malicious Activity Summary

aspackv2 evasion persistence

Modifies visibility of file extensions in Explorer

Modifies visibility of hidden/system files in Explorer

Modifies WinLogon for persistence

Disables RegEdit via registry modification

Disables cmd.exe use via registry modification

Disables Task Manager via registry modification

Disables use of System Restore points

Modifies system executable filetype association

Executes dropped EXE

Loads dropped DLL

ASPack v2.12-2.42

Modifies WinLogon

Adds Run key to start application

Enumerates connected drives

Drops file in System32 directory

Drops autorun.inf file

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Modifies Internet Explorer settings

Suspicious use of SetWindowsHookEx

Modifies Control Panel

System policy modification

Suspicious behavior: GetForegroundWindowSpam

Modifies Internet Explorer start page

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-16 08:06

Signatures

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-16 08:06

Reported

2024-05-16 08:09

Platform

win7-20240419-en

Max time kernel

150s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" C:\Users\Admin\AppData\Local\Temp\c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" C:\Users\Admin\AppData\Local\Temp\c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\AppData\Local\Temp\c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\babon.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\IExplorer.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Local\Temp\c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\babon.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\babon.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A

Disables Task Manager via registry modification

evasion

Disables cmd.exe use via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Users\Admin\AppData\Local\Temp\c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Windows\babon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A

Disables use of System Restore points

evasion

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
(17 matches; the packer signature records no indicator, process or target for any of them)

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\babon.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
N/A N/A C:\Windows\babon.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Windows\babon.exe N/A
N/A N/A C:\Windows\babon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
N/A N/A C:\Windows\babon.exe N/A
N/A N/A C:\Windows\babon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe N/A
N/A N/A C:\Windows\babon.exe N/A
N/A N/A C:\Windows\babon.exe N/A
N/A N/A C:\Windows\babon.exe N/A
N/A N/A C:\Windows\babon.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Windows\babon.exe N/A
N/A N/A C:\Windows\babon.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Windows\babon.exe N/A
N/A N/A C:\Windows\babon.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\AppData\Local\Temp\c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Windows\babon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open C:\Users\Admin\AppData\Local\Temp\c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Windows\babon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell C:\Users\Admin\AppData\Local\Temp\c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Windows\babon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Windows\babon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\AppData\Local\Temp\c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\babon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Windows\babon.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\lsass.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\csrss.exe" C:\Users\Admin\AppData\Local\Temp\c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\csrss.exe" C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\lsass.exe" C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\csrss.exe" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" C:\Users\Admin\AppData\Local\Temp\c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\babon = "C:\\Windows\\babon" C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\babon = "C:\\Windows\\babon" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\babon = "C:\\Windows\\babon" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\babon = "C:\\Windows\\babon" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\csrss.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\lsass.exe" C:\Users\Admin\AppData\Local\Temp\c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\lsass.exe" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\lsass.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\csrss.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\csrss.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\lsass.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\babon = "C:\\Windows\\babon" C:\Users\Admin\AppData\Local\Temp\c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\babon = "C:\\Windows\\babon" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\H: C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
File opened (read-only) \??\M: C:\Windows\babon.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\IExplorer.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\IExplorer.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
File opened (read-only) \??\K: C:\Windows\babon.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\IExplorer.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\IExplorer.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\IExplorer.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
File opened (read-only) \??\U: C:\Windows\babon.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\IExplorer.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\IExplorer.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
File opened (read-only) \??\Q: C:\Windows\babon.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\IExplorer.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\IExplorer.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
File opened (read-only) \??\B: C:\Windows\babon.exe N/A
File opened (read-only) \??\R: C:\Windows\babon.exe N/A
File opened (read-only) \??\Y: C:\Windows\babon.exe N/A
File opened (read-only) \??\N: C:\Windows\babon.exe N/A
File opened (read-only) \??\Z: C:\Windows\babon.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
File opened (read-only) \??\P: C:\Windows\babon.exe N/A
File opened (read-only) \??\S: C:\Windows\babon.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\IExplorer.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\IExplorer.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\IExplorer.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Please enjoy the Babon Entertainment ^_^" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Please enjoy the Babon Entertainment ^_^" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ C:\Users\Admin\AppData\Local\Temp\c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Please enjoy the Babon Entertainment ^_^" C:\Windows\babon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Welcome Friend" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Please enjoy the Babon Entertainment ^_^" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Please enjoy the Babon Entertainment ^_^" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Welcome Friend" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Welcome Friend" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Welcome Friend" C:\Users\Admin\AppData\Local\Temp\c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Please enjoy the Babon Entertainment ^_^" C:\Users\Admin\AppData\Local\Temp\c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Welcome Friend" C:\Windows\babon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Welcome Friend" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File opened for modification F:\autorun.inf C:\Windows\babon.exe N/A
File created C:\autorun.inf C:\Windows\babon.exe N/A
File opened for modification C:\autorun.inf C:\Windows\babon.exe N/A
File created F:\autorun.inf C:\Windows\babon.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\babon.scr C:\Windows\babon.exe N/A
File opened for modification C:\Windows\SysWOW64\IExplorer.exe C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\shell.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
File opened for modification C:\Windows\SysWOW64\babon.scr C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
File opened for modification C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
File opened for modification C:\Windows\SysWOW64\babon.scr C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\shell.exe C:\Windows\babon.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\SysWOW64\IExplorer.exe C:\Windows\babon.exe N/A
File opened for modification C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\AppData\Local\Temp\c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\IExplorer.exe C:\Windows\babon.exe N/A
File opened for modification C:\Windows\SysWOW64\babon.scr C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File created C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened for modification C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\SysWOW64\shell.exe C:\Users\Admin\AppData\Local\Temp\c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\shell.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened for modification C:\Windows\SysWOW64\babon.scr C:\Users\Admin\AppData\Local\Temp\c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe N/A
File created C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
File opened for modification C:\Windows\SysWOW64\shell.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
File created C:\Windows\SysWOW64\babon.scr C:\Users\Admin\AppData\Local\Temp\c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\AppData\Local\Temp\c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\babon.scr C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\SysWOW64\IExplorer.exe C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\shell.exe C:\Users\Admin\AppData\Local\Temp\c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\shell.exe C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\babon.exe C:\Windows\babon.exe N/A
File created C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\babon.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\babon.exe C:\Users\Admin\AppData\Local\Temp\c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe N/A
File created C:\Windows\babon.exe C:\Users\Admin\AppData\Local\Temp\c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe N/A
File created C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\babon.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
File opened for modification C:\Windows\babon.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\babon.exe C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\babon.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\babon.exe C:\Windows\babon.exe N/A
File created C:\Windows\babon.exe C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\babon.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File created C:\Windows\babon.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A

Enumerates physical storage devices

Modifies Control Panel

evasion
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\International\s1159 = "Babon" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Mouse\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" C:\Users\Admin\AppData\Local\Temp\c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\International\ C:\Users\Admin\AppData\Local\Temp\c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\babon.SCR" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\International\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" C:\Users\Admin\AppData\Local\Temp\c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\babon.SCR" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Mouse\ C:\Windows\babon.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Mouse\SwapMouseButtons = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Mouse\SwapMouseButtons = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\babon.SCR" C:\Windows\babon.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\International\ C:\Windows\babon.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Mouse\SwapMouseButtons = "1" C:\Windows\babon.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\International\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\babon.SCR" C:\Users\Admin\AppData\Local\Temp\c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\International\s2359 = "Babon" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Mouse\SwapMouseButtons = "1" C:\Users\Admin\AppData\Local\Temp\c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\International\s2359 = "Babon" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop\ C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\International\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Mouse\ C:\Users\Admin\AppData\Local\Temp\c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\International\s1159 = "Babon" C:\Windows\babon.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Mouse\ C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\babon.SCR" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\International\s2359 = "Babon" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\International\s1159 = "Babon" C:\Users\Admin\AppData\Local\Temp\c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Mouse\SwapMouseButtons = "1" C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\International\s1159 = "Babon" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\International\s2359 = "Babon" C:\Users\Admin\AppData\Local\Temp\c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop\ C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\International\s2359 = "Babon" C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\babon.SCR" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\International\s1159 = "Babon" C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Mouse\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\International\s2359 = "Babon" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" C:\Windows\babon.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\International\s1159 = "Babon" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\International\ C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Mouse\SwapMouseButtons = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Mouse\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop\ C:\Users\Admin\AppData\Local\Temp\c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.jasakom.com" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Babon hates Norman..:P~~" C:\Users\Admin\AppData\Local\Temp\c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\ C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Babon hates Norman..:P~~" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.jasakom.com" C:\Windows\babon.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Babon hates Norman..:P~~" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.jasakom.com" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.jasakom.com" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\ C:\Users\Admin\AppData\Local\Temp\c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.jasakom.com" C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Babon hates Norman..:P~~" C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Babon hates Norman..:P~~" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.jasakom.com" C:\Users\Admin\AppData\Local\Temp\c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Babon hates Norman..:P~~" C:\Windows\babon.exe N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\ C:\Windows\SysWOW64\IExplorer.exe N/A

Modifies Internet Explorer start page

stealer
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.jasakom.com" C:\Users\Admin\AppData\Local\Temp\c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.jasakom.com" C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.jasakom.com" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.jasakom.com" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.jasakom.com" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.jasakom.com" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} C:\Windows\babon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Windows\babon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ C:\Users\Admin\AppData\Local\Temp\c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\AppData\Local\Temp\c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF" C:\Windows\babon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} C:\Users\Admin\AppData\Local\Temp\c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\babon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Windows\babon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell C:\Users\Admin\AppData\Local\Temp\c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe N/A
N/A N/A C:\Windows\babon.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
N/A N/A C:\Windows\babon.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Windows\babon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Windows\babon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Windows\babon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Windows\babon.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3000 wrote to memory of 3048 N/A C:\Users\Admin\AppData\Local\Temp\c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe C:\Windows\babon.exe
PID 3000 wrote to memory of 3048 N/A C:\Users\Admin\AppData\Local\Temp\c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe C:\Windows\babon.exe
PID 3000 wrote to memory of 3048 N/A C:\Users\Admin\AppData\Local\Temp\c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe C:\Windows\babon.exe
PID 3000 wrote to memory of 3048 N/A C:\Users\Admin\AppData\Local\Temp\c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe C:\Windows\babon.exe
PID 3000 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe C:\Windows\SysWOW64\IExplorer.exe
PID 3000 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe C:\Windows\SysWOW64\IExplorer.exe
PID 3000 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe C:\Windows\SysWOW64\IExplorer.exe
PID 3000 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe C:\Windows\SysWOW64\IExplorer.exe
PID 3000 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 3000 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 3000 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 3000 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 3000 wrote to memory of 952 N/A C:\Users\Admin\AppData\Local\Temp\c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe
PID 3000 wrote to memory of 952 N/A C:\Users\Admin\AppData\Local\Temp\c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe
PID 3000 wrote to memory of 952 N/A C:\Users\Admin\AppData\Local\Temp\c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe
PID 3000 wrote to memory of 952 N/A C:\Users\Admin\AppData\Local\Temp\c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe
PID 3000 wrote to memory of 1556 N/A C:\Users\Admin\AppData\Local\Temp\c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe
PID 3000 wrote to memory of 1556 N/A C:\Users\Admin\AppData\Local\Temp\c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe
PID 3000 wrote to memory of 1556 N/A C:\Users\Admin\AppData\Local\Temp\c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe
PID 3000 wrote to memory of 1556 N/A C:\Users\Admin\AppData\Local\Temp\c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe
PID 3048 wrote to memory of 2052 N/A C:\Windows\babon.exe C:\Windows\babon.exe
PID 3048 wrote to memory of 2052 N/A C:\Windows\babon.exe C:\Windows\babon.exe
PID 3048 wrote to memory of 2052 N/A C:\Windows\babon.exe C:\Windows\babon.exe
PID 3048 wrote to memory of 2052 N/A C:\Windows\babon.exe C:\Windows\babon.exe
PID 3048 wrote to memory of 2764 N/A C:\Windows\babon.exe C:\Windows\SysWOW64\IExplorer.exe
PID 3048 wrote to memory of 2764 N/A C:\Windows\babon.exe C:\Windows\SysWOW64\IExplorer.exe
PID 3048 wrote to memory of 2764 N/A C:\Windows\babon.exe C:\Windows\SysWOW64\IExplorer.exe
PID 3048 wrote to memory of 2764 N/A C:\Windows\babon.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2760 wrote to memory of 376 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Windows\babon.exe
PID 2760 wrote to memory of 376 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Windows\babon.exe
PID 2760 wrote to memory of 376 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Windows\babon.exe
PID 2760 wrote to memory of 376 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Windows\babon.exe
PID 3068 wrote to memory of 832 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe C:\Windows\babon.exe
PID 3068 wrote to memory of 832 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe C:\Windows\babon.exe
PID 3068 wrote to memory of 832 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe C:\Windows\babon.exe
PID 3068 wrote to memory of 832 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe C:\Windows\babon.exe
PID 3048 wrote to memory of 1348 N/A C:\Windows\babon.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 3048 wrote to memory of 1348 N/A C:\Windows\babon.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 3048 wrote to memory of 1348 N/A C:\Windows\babon.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 3048 wrote to memory of 1348 N/A C:\Windows\babon.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 2760 wrote to memory of 2124 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2760 wrote to memory of 2124 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2760 wrote to memory of 2124 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2760 wrote to memory of 2124 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Windows\SysWOW64\IExplorer.exe
PID 3068 wrote to memory of 984 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe C:\Windows\SysWOW64\IExplorer.exe
PID 3068 wrote to memory of 984 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe C:\Windows\SysWOW64\IExplorer.exe
PID 3068 wrote to memory of 984 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe C:\Windows\SysWOW64\IExplorer.exe
PID 3068 wrote to memory of 984 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe C:\Windows\SysWOW64\IExplorer.exe
PID 3048 wrote to memory of 2508 N/A C:\Windows\babon.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe
PID 3048 wrote to memory of 2508 N/A C:\Windows\babon.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe
PID 3048 wrote to memory of 2508 N/A C:\Windows\babon.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe
PID 3048 wrote to memory of 2508 N/A C:\Windows\babon.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe
PID 2760 wrote to memory of 2368 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 2760 wrote to memory of 2368 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 2760 wrote to memory of 2368 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 2760 wrote to memory of 2368 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 3048 wrote to memory of 1784 N/A C:\Windows\babon.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe
PID 3048 wrote to memory of 1784 N/A C:\Windows\babon.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe
PID 3048 wrote to memory of 1784 N/A C:\Windows\babon.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe
PID 3048 wrote to memory of 1784 N/A C:\Windows\babon.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe
PID 2760 wrote to memory of 2160 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe
PID 2760 wrote to memory of 2160 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe
PID 2760 wrote to memory of 2160 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe
PID 2760 wrote to memory of 2160 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe
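
The table above lists every parent/child write four times and in event order, which hides the shape of the infection. The script below, an added example that is not part of the original report, rebuilds the spawn tree from those rows. The rows in SAMPLE_ROWS are copied from the table (one duplicate is kept on purpose, since the sandbox logs each pair repeatedly); the regular expression and the function names are mine. The tree it prints matches the Processes list further down: the submitted sample starts babon.exe, IExplorer.exe, winlogon.exe, csrss.exe and lsass.exe, and the first three each start a second generation of the same images.

```python
"""Rebuild the spawn tree from a sandbox "PID X wrote to memory of Y" table.

Added example, not part of the original report. SAMPLE_ROWS are rows copied
from the report's WriteProcessMemory table; the parser and helper names are mine.
"""
import re
from collections import defaultdict

# One row per event: parent pid, child pid, "N/A" indicator, parent image, child image.
# Both images start with "C:\" and may contain spaces, so the parent image is the
# shortest prefix that is followed by " C:\".
ROW_RE = re.compile(
    r"^PID (?P<parent>\d+) wrote to memory of (?P<child>\d+) N/A "
    r"(?P<parent_image>C:\\.*?) (?P<child_image>C:\\.*)$"
)

# Constructed subset of the report's table; the second row is a deliberate duplicate.
SAMPLE_ROWS = r"""
PID 3000 wrote to memory of 3048 N/A C:\Users\Admin\AppData\Local\Temp\c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe C:\Windows\babon.exe
PID 3000 wrote to memory of 3048 N/A C:\Users\Admin\AppData\Local\Temp\c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe C:\Windows\babon.exe
PID 3000 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe C:\Windows\SysWOW64\IExplorer.exe
PID 3000 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 3000 wrote to memory of 952 N/A C:\Users\Admin\AppData\Local\Temp\c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe
PID 3000 wrote to memory of 1556 N/A C:\Users\Admin\AppData\Local\Temp\c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe
PID 3048 wrote to memory of 2052 N/A C:\Windows\babon.exe C:\Windows\babon.exe
PID 3048 wrote to memory of 2764 N/A C:\Windows\babon.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2760 wrote to memory of 376 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Windows\babon.exe
PID 3068 wrote to memory of 832 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe C:\Windows\babon.exe
PID 3048 wrote to memory of 1348 N/A C:\Windows\babon.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 2760 wrote to memory of 2124 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Windows\SysWOW64\IExplorer.exe
PID 3068 wrote to memory of 984 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe C:\Windows\SysWOW64\IExplorer.exe
PID 3048 wrote to memory of 2508 N/A C:\Windows\babon.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe
PID 2760 wrote to memory of 2368 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 3048 wrote to memory of 1784 N/A C:\Windows\babon.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe
PID 2760 wrote to memory of 2160 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe
"""


def parse_rows(text):
    """Return de-duplicated (parent_pid, child_pid, parent_image, child_image) tuples, first-seen order."""
    seen, edges = set(), []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        edge = (int(m["parent"]), int(m["child"]), m["parent_image"], m["child_image"])
        if edge not in seen:
            seen.add(edge)
            edges.append(edge)
    return edges


def build_tree(edges):
    """Map parent pid -> ordered child pids, and pid -> image path."""
    children, images = defaultdict(list), {}
    for parent, child, parent_image, child_image in edges:
        images.setdefault(parent, parent_image)
        images.setdefault(child, child_image)
        if child not in children[parent]:
            children[parent].append(child)
    return children, images


def roots(edges):
    """PIDs that write into other processes but are never written into themselves."""
    parents = {e[0] for e in edges}
    kids = {e[1] for e in edges}
    return sorted(parents - kids)


def render(children, images, pid, depth=0):
    """Indented text tree, one line per process, image shortened to its basename."""
    name = images[pid].rsplit("\\", 1)[-1]
    lines = [f"{'  ' * depth}{pid} {name}"]
    for child in children.get(pid, []):
        lines.extend(render(children, images, child, depth + 1))
    return lines


if __name__ == "__main__":
    tree_edges = parse_rows(SAMPLE_ROWS)
    kids, imgs = build_tree(tree_edges)
    for root in roots(tree_edges):
        print("\n".join(render(kids, imgs, root)))
```

The same parser works on the full 64-row table; only the de-duplicated edge list grows. Note that "wrote to memory of" here reflects ordinary CreateProcess start-up writes by the parent, not code injection into a foreign process, so the tree is a process-creation tree.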

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Users\Admin\AppData\Local\Temp\c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Windows\babon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\babon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\IExplorer.exe N/A
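
The security-relevant content of the "Modifies registry class" table above and of this "System policy modification" table is easy to miss in the raw rows: the exefile, batfile, comfile, piffile and lnkfile open verbs are all rewritten to run C:\Windows\system32\shell.exe with the original file as an argument, the inffile Install verb is pointed at a host32.exe path, the exefile class is renamed "File Folder", and DisableCMD is set to 1. The script below, an added example that is not part of the original report, pulls those findings out of the rows automatically. SAMPLE_ROWS are rows copied from the two tables; the baseline it compares against (a stock open verb starts with "%1", stock lnkfile has no shell\open\command verb, the stock inffile Install verb runs InfDefaultInstall.exe on Vista and later) and all function names are mine.

```python
"""Triage sandbox registry rows for file-association hijacks and policy lockouts.

Added example, not part of the original report. SAMPLE_ROWS are copied from the
report's "Modifies registry class" and "System policy modification" tables; the
stock-Windows baseline encoded in classify() is my assumption, as are the names.
"""
import re

SET_RE = re.compile(
    r'^Set value \((?P<type>\w+)\) (?P<path>\\REGISTRY\\.*?) = "(?P<value>.*)" (?P<process>C:\\.*?) N/A$'
)
KEY_RE = re.compile(r"^Key created (?P<path>\\REGISTRY\\.*?) (?P<process>C:\\.*?) N/A$")

# Classes whose stock open verb hands control straight to the file itself ("%1" %*).
SELF_RUN_CLASSES = ("exefile", "batfile", "comfile", "piffile")
# HKLM\...\Policies\System values that remove the operator's recovery tools.
LOCKOUT_POLICIES = {"DisableCMD", "DisableRegistryTools", "DisableTaskMgr"}

# Constructed subset of the report's rows (Key created rows are parsed but not flagged).
SAMPLE_ROWS = r"""
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\AppData\Local\Temp\c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF" C:\Windows\babon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.jasakom.com" C:\Windows\babon.exe N/A
"""


def unescape(raw):
    """Undo the sandbox's C-style escaping of quotes and backslashes in a single left-to-right pass."""
    return re.sub(r'\\(["\\])', r"\1", raw)


def parse(text):
    """Yield (kind, path, value, process) for every Set value / Key created row."""
    for line in text.strip().splitlines():
        m = SET_RE.match(line)
        if m:
            yield ("set", m["path"], unescape(m["value"]), m["process"])
            continue
        m = KEY_RE.match(line)
        if m:
            yield ("key", m["path"], None, m["process"])


def classify(path, value):
    """Label one Set-value row, or return None when it matches the stock baseline."""
    name = path.rsplit("\\", 1)[-1]
    m = re.search(r"\\Classes\\(?P<cls>\w+)\\(?P<rest>.*)$", path)
    if m:
        cls, rest = m["cls"], m["rest"]
        open_cmd = rest == "shell\\open\\command\\"
        # Stock verb is "%1" %*; anything else interposes another executable.
        if cls in SELF_RUN_CLASSES and open_cmd and not value.lstrip('"').startswith("%1"):
            return f"assoc-hijack:{cls}"
        # Stock lnkfile resolves through its shortcut handler, not an open verb (my baseline).
        if cls == "lnkfile" and open_cmd:
            return "assoc-hijack:lnkfile"
        if cls == "inffile" and rest.startswith("shell\\Install\\command\\") and "InfDefaultInstall.exe" not in value:
            return "assoc-hijack:inffile"
        if cls in SELF_RUN_CLASSES and rest == "":
            return f"assoc-rename:{cls}"  # friendly type name changed, e.g. to "File Folder"
    if "\\Policies\\System\\" in path and name in LOCKOUT_POLICIES and value != "0":
        return f"policy:{name}"
    if path.endswith("\\Internet Explorer\\Main\\Start Page"):
        return "ie-start-page"
    return None


def triage(text):
    """Aggregate findings: label -> {"value": written data, "processes": set of writer basenames}."""
    findings = {}
    for kind, path, value, process in parse(text):
        if kind != "set":
            continue
        label = classify(path, value)
        if label is None:
            continue
        entry = findings.setdefault(label, {"value": value, "processes": set()})
        entry["processes"].add(process.rsplit("\\", 1)[-1])
    return findings


if __name__ == "__main__":
    for label, entry in sorted(triage(SAMPLE_ROWS).items()):
        print(f"{label:24} {entry['value']!r}  by {', '.join(sorted(entry['processes']))}")
```

A remediation caveat the findings make obvious: with the exefile, comfile, batfile, piffile and lnkfile verbs all routed through C:\Windows\system32\shell.exe and DisableCMD set, any cleanup tool launched on the live system by double-click or shortcut is itself passed to shell.exe first. Restore the verbs and policies from an offline-loaded hive or a trusted boot environment, and expect the exefile class name to need resetting alongside the command.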

Processes

C:\Users\Admin\AppData\Local\Temp\c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe"

C:\Windows\babon.exe

C:\Windows\babon.exe

C:\Windows\SysWOW64\IExplorer.exe

C:\Windows\system32\IExplorer.exe

C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"

C:\Windows\babon.exe

C:\Windows\babon.exe

C:\Windows\SysWOW64\IExplorer.exe

C:\Windows\system32\IExplorer.exe

C:\Windows\babon.exe

C:\Windows\babon.exe

C:\Windows\babon.exe

C:\Windows\babon.exe

C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"

C:\Windows\SysWOW64\IExplorer.exe

C:\Windows\system32\IExplorer.exe

C:\Windows\SysWOW64\IExplorer.exe

C:\Windows\system32\IExplorer.exe

C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"

C:\Windows\babon.exe

C:\Windows\babon.exe

C:\Windows\babon.exe

C:\Windows\babon.exe

C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"

C:\Windows\SysWOW64\IExplorer.exe

C:\Windows\system32\IExplorer.exe

C:\Windows\SysWOW64\IExplorer.exe

C:\Windows\system32\IExplorer.exe

C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"

Network

N/A

Files

memory/3000-0-0x0000000000400000-0x0000000000423000-memory.dmp

C:\Users\Admin\AppData\Local\lsass.exe

MD5 c458461bf6c48e025687b6e7b8138b50
SHA1 055059f5fcbdec89225b4ca30133e5356cd99f4e
SHA256 ed7ccce61dfecef83e0ce4f61613ef4a35b36bae4490d30e19ea947b34f0a519
SHA512 4edcba0ee1f988f4647fb0da82d8f15985dc6df4e721f7efc3113931d67b1d355cceea9eb1ccdd3c589fd372f7640de946c28f9778ccbea7731b02db803b0159

C:\Windows\babon.exe

MD5 e780285cf2c757fd8b01844281692b85
SHA1 2632f1efd32ae91c64ce649cb8164a5731e04e55
SHA256 9ad8b7503a745185e72ba3e434d2d73b43bac51f583af8b96b854b725b590ec9
SHA512 fe4cb6e7cf81a4ae3fdf183d711c742bcf70fe98abb678a3ea29d7dd74dafc291ad9354a97a52492cd566a4751e9feddcd95ee7d090230ffa5a8bbe0a0101328

memory/3048-107-0x0000000000400000-0x0000000000423000-memory.dmp

memory/3000-105-0x0000000000840000-0x0000000000863000-memory.dmp

memory/3000-104-0x0000000000840000-0x0000000000863000-memory.dmp

\Windows\SysWOW64\IExplorer.exe

MD5 1268008706835afb5a3f29d5f1edebd6
SHA1 16446cc6e5f337f1b369bf074ae2794685b00ce6
SHA256 8e3c48808c6d2a8ae10e9c6cfa20ebc32c4f5e49751e3b5b1b1e3093282f9c36
SHA512 4d5412074c603d50e0c9cc6d78b3c641eaa38273798a47c79e46346a49a39faba5dc904e4c10ab7171d64d47f706d1be9be9e526f8e9baffbe556fc3b080d7d2

memory/3000-109-0x0000000000840000-0x0000000000863000-memory.dmp

memory/2760-116-0x0000000000400000-0x0000000000423000-memory.dmp

\Users\Admin\AppData\Local\WINDOWS\winlogon.exe

MD5 279f07b50480690299c084350cd21d71
SHA1 d514a30ae40bacc0dbf4b5b0ddf841db024b7438
SHA256 ac2ac0e16fff95dcf2cddcc58c44b4b41868f40f8d2338233352fa63b00cb443
SHA512 c5f9d4209c59f32be733f0260ac14b27fa6f24d04435b6522ddd431d4e3997b76dd16777a8dadc68c61549578ccc254863d77d4e682f0c0280b19de3826a6c3d

memory/3000-127-0x0000000000840000-0x0000000000863000-memory.dmp

memory/3068-129-0x0000000000400000-0x0000000000423000-memory.dmp

\Users\Admin\AppData\Local\WINDOWS\csrss.exe

MD5 c6fb29b24ec8175f06e88951054d4a86
SHA1 527cf5cd53ba87fd479a3433a32ee31a2bd22734
SHA256 eec28af7c4924270094943022d427e398d5e89755c3788be7876b423db2258df
SHA512 4b2f92672af0835ca079ade29022ace4ea8f13c816f8828d8265147c02ad5d4addc145d585dbd097f81536b540ea4f6e3be76cd888e592a665c17d72afcb235e

memory/3000-139-0x0000000000840000-0x0000000000863000-memory.dmp

memory/952-140-0x0000000000400000-0x0000000000423000-memory.dmp

\Users\Admin\AppData\Local\WINDOWS\lsass.exe

MD5 cd70169213ff946bb22d582a7d444285
SHA1 9daee505c530105fe51c3b8256b1fbaa7f51b834
SHA256 59189af5787b0396ceac86508dc658204e89a3bdc8d254b2c08749a86221125c
SHA512 3002a55c1c8c9da0c433dd4809958b7dd7c3c11601b02094454a75bf3354c85d9bff85d05d02c8432ae3f99e27d7fde79d89c6708dc06e35e0930e884967cfda

memory/3000-145-0x0000000000840000-0x0000000000863000-memory.dmp

memory/3000-154-0x0000000000400000-0x0000000000423000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\WINDOWS\smss.exe

MD5 c9926f9ee879c5f7eeaecec6c00df677
SHA1 d1f5df646082a696244c5f9d63f75dba287edc3b
SHA256 6db70d70eecbf6bd5af782b60db06ceb4ddd1af90ef36a6e84dcc136bb6e70b3
SHA512 f78d69ff6c3b23f094ef0b03e850c362625af37aa8792bab2ddea604d86dc71506ec35f0f4bb2eefd537b54f6b0ad55690ef9712673adfe965417a8a95af2974

C:\babon.exe

MD5 7d0ea8f7c7f1f20e93e99b32368b8ca6
SHA1 aad7ad905f26542de50159bef0d07dfefd0e70a4
SHA256 c487a0988822ee5dd6108d4e1ff6c029b2133b1e93d8deef05dda129f6ecad43
SHA512 14c29e4a6b9fce80c98b9e10011e73485ba262102fc9cb6a059dfed5753954343407ccba9bd29e681a4998323ad637ed757e771e7770ba76f3a9ef751135b4af

C:\Windows\SysWOW64\shell.exe

MD5 ef9eb98593d3cd6b9abff85f83306a18
SHA1 c2a39b7edda6c1b6235cc90e0fb6aab2299caa3c
SHA256 3db32bd6aa0de40c74b7e6da7e996e19184ef81bac5c3115f8c237ce84a7ce31
SHA512 228b9c195b19bdff1ad05338c550ea6c7959ea45d78346bc213ec519dc8f92dd551886f72fb761bd5356d44da78ca874505b9c65fc80cf8a4e2feeaa28f56a17

C:\wangsit.txt

MD5 8c460e27a1949370d14f20942ef964c3
SHA1 fb1f75839903c83911b45b49956792d27db56185
SHA256 2c001b5c9684baf861870ffbaf0bec9df22560cdf3cd5a719a78a882e3122f8d
SHA512 ad4299385bd91f7157f4d4b01025664333423f15f796a9a70e3f5df251842cdef3ad8f1158dc3c8b51c8ea4d082d62d56a6b57fade7b563fb953f8b511a17bcd

memory/2052-189-0x0000000000400000-0x0000000000423000-memory.dmp

memory/3048-188-0x0000000002560000-0x0000000002583000-memory.dmp

C:\Windows\msvbvm60.dll

MD5 5343a19c618bc515ceb1695586c6c137
SHA1 4dedae8cbde066f31c8e6b52c0baa3f8b1117742
SHA256 2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce
SHA512 708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

C:\Users\Admin\Local Settings\Application Data\WINDOWS\smss.exe

MD5 f2991b82416975cd71109386b2f020c4
SHA1 d200df53c44189ce70352482e7643b3dd012af20
SHA256 0ac29983bd2cdc3f344c65e3c038af33ede5444a6440b7b946907537c95854df
SHA512 a991fb879b8dba4d7cec174aa295e64745aca335cfe600c8cff8ad62eac5344d361eac7c1f570f32739c213cfe55bc39cb8534b43002f913b7f39a7d07b70d07

C:\Windows\SysWOW64\shell.exe

MD5 a4616906609cb2a04b63e89216ae5449
SHA1 2a951b2c99c530234edd35ec47f3e8d0f7ef9852
SHA256 a3fd8ae12888caa37e579460f952b70f8c9e57d6bf68342390cf47862957f599
SHA512 007afb449255b6b0cde59c557229b8c9cff108770aa59c8aaa0ad60d749c284adf6edb3380fe0c5c0368268df8196d42878322567c85369c587ddea57f9ddcf7

C:\Windows\SysWOW64\babon.scr

MD5 cac414bbd07a15434a02474e06796182
SHA1 75d5b2789b3924790bbdb7b857eea102ce194f86
SHA256 7455f16b4e02bac23f6560d2cea9631d2780a6633ff5f764dd9ecb1bc08c6466
SHA512 1b00fd1baf7b3087490a71b6b65712671b649dca153cb4b210dc639d67ced6446ed921e2e80e560e0dad2bd0a9d29313ef1250de0d28c7f9282e889104256aec

C:\babon.exe

MD5 fec1f3362a4555dde78ca603048620b8
SHA1 4fa48bfebb41dfb14aee787b481cab4eb020f627
SHA256 c62ac022cd06bc549aa7972ca8c910e5aaf156b1477c9d5a2d699e3387fa3222
SHA512 c7e8bc7998cdc8a55c38afbb616da11cf594d7be75d70188d8b66da576a917ea0aa680a5f12bb2f2b2f82467c2ad4fc1b524e69c5513cb7e0b4adbfb7634fd15

memory/3048-223-0x0000000002560000-0x0000000002583000-memory.dmp

C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif

MD5 35186422f86b569746e7be314877fe2f
SHA1 4fd950104bf98f58d696f80556293098a86edb45
SHA256 4500fbb0b783c6a9b24bb4179f4dda6229d3826f80bfddae636e986f53b04b52
SHA512 eaee12378c3a3397fe19a4cef488956bc0455d8e62711a61cfbbdeebdfa21e07ba04d37da447228f02a926228f0091add12adf46b25cdceb23bd5a68ff41d3df

memory/2052-228-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2052-226-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/3048-224-0x0000000002560000-0x0000000002583000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\WINDOWS\smss.exe

MD5 245a5d7cd894b9f64e1c3c9023c5c5cb
SHA1 89db1cb16a6e6bc2f399e0df9c4f157186ec359d
SHA256 0c1466882d49f331fee05ec22f7c72673107b35243789588846eb24ebf10e412
SHA512 bc854ee474dfc894beb92ecc9932e1defd83e8d6ecaab8dcabe8a65803078dab935240c7c1ba3a478658411391e763c17f4cb6e5f44ccd99ea76641206ce0c70

memory/3068-261-0x0000000000560000-0x0000000000583000-memory.dmp

memory/3048-264-0x0000000002560000-0x0000000002583000-memory.dmp

memory/2764-270-0x0000000000400000-0x0000000000423000-memory.dmp

memory/3048-265-0x0000000002560000-0x0000000002583000-memory.dmp

memory/376-280-0x0000000000400000-0x0000000000423000-memory.dmp

memory/376-275-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/2124-279-0x0000000000400000-0x0000000000423000-memory.dmp

memory/1348-298-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2508-296-0x0000000000400000-0x0000000000423000-memory.dmp

memory/832-292-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2508-311-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2368-308-0x0000000000400000-0x0000000000423000-memory.dmp

F:\autorun.inf

MD5 097661e74e667ec2329bc274acb87b0d
SHA1 91c68a6089af2f61035e2e5f2a8da8c908dc93ed
SHA256 aab4cf640f2520966a0aac31af8d1b819eea28736c6b103db16b07c3188ec6c0
SHA512 e90e678526270cd9388538246793534411c478b082ab914bfe2756b18771229f146c731c0f9c94ed59d8689b2ef77d25f7b22d3d6b8c2d439e5b3437f8dc649e

memory/3004-350-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2160-334-0x0000000000400000-0x0000000000423000-memory.dmp

memory/1784-324-0x0000000000400000-0x0000000000423000-memory.dmp

memory/1784-320-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2160-319-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2760-302-0x00000000030A0000-0x00000000030C3000-memory.dmp

memory/832-290-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/2124-288-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2760-278-0x00000000030A0000-0x00000000030C3000-memory.dmp

memory/1348-277-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2760-276-0x00000000030A0000-0x00000000030C3000-memory.dmp

memory/952-394-0x0000000000390000-0x00000000003B3000-memory.dmp

memory/2700-397-0x0000000000400000-0x0000000000423000-memory.dmp

memory/984-401-0x0000000000400000-0x0000000000423000-memory.dmp

memory/1556-372-0x0000000001DD0000-0x0000000001DF3000-memory.dmp

memory/2536-404-0x0000000000400000-0x0000000000423000-memory.dmp

memory/1796-408-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/2536-411-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2556-420-0x0000000000400000-0x0000000000423000-memory.dmp

memory/952-418-0x0000000000390000-0x00000000003B3000-memory.dmp

memory/3036-417-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2700-416-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2936-428-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2616-423-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2616-427-0x0000000000400000-0x0000000000423000-memory.dmp

memory/3036-430-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2700-413-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/1796-407-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2556-406-0x0000000000400000-0x0000000000423000-memory.dmp

memory/1556-405-0x0000000001DD0000-0x0000000001DF3000-memory.dmp

memory/2156-433-0x0000000000220000-0x0000000000230000-memory.dmp

memory/3068-435-0x0000000000560000-0x0000000000583000-memory.dmp

memory/2156-436-0x0000000000400000-0x0000000000423000-memory.dmp

memory/1652-443-0x0000000000220000-0x0000000000230000-memory.dmp

memory/2936-442-0x0000000000400000-0x0000000000423000-memory.dmp

memory/3028-449-0x0000000000400000-0x0000000000423000-memory.dmp

memory/1652-447-0x0000000000400000-0x0000000000423000-memory.dmp

memory/1652-445-0x0000000000400000-0x0000000000423000-memory.dmp

memory/952-437-0x0000000000390000-0x00000000003B3000-memory.dmp

memory/624-451-0x0000000000400000-0x0000000000423000-memory.dmp

memory/1392-455-0x0000000000400000-0x0000000000423000-memory.dmp

memory/952-456-0x0000000000390000-0x00000000003B3000-memory.dmp

memory/624-460-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2852-462-0x0000000000400000-0x0000000000423000-memory.dmp

memory/2760-464-0x0000000000400000-0x0000000000423000-memory.dmp

memory/3048-463-0x0000000000400000-0x0000000000423000-memory.dmp

memory/1556-467-0x0000000000400000-0x0000000000423000-memory.dmp

memory/952-466-0x0000000000400000-0x0000000000423000-memory.dmp

memory/3068-465-0x0000000000400000-0x0000000000423000-memory.dmp

memory/3048-528-0x0000000002560000-0x0000000002583000-memory.dmp

memory/3068-530-0x0000000000560000-0x0000000000583000-memory.dmp

memory/3048-535-0x0000000002560000-0x0000000002583000-memory.dmp

memory/3048-536-0x0000000002560000-0x0000000002583000-memory.dmp

memory/2760-538-0x00000000030A0000-0x00000000030C3000-memory.dmp

memory/2760-537-0x00000000030A0000-0x00000000030C3000-memory.dmp

memory/2760-539-0x00000000030A0000-0x00000000030C3000-memory.dmp
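
The dropped files listed above borrow the names of core Windows processes (smss.exe here; lsass.exe, csrss.exe and winlogon.exe in the second detonation below) while living in a user-writable "Local Settings\Application Data\WINDOWS" directory, and add look-alike names that Windows does not ship (IExplorer.exe, shell.exe). Comparing an image path with the directory the genuine binary actually runs from is the quickest hunt for this behaviour. The Python below is an added example and not part of the sandbox report: the legitimate locations are an assumption about a stock Windows install, the sample paths are copied from the Files list above and the process tables below, and the final System32 path is a constructed benign control.

```python
"""Flag executables whose names imitate Windows system processes but run from
the wrong directory, plus names built to look like system binaries.

Added example for this report, not sandbox output. SYSTEM_PROCESS_HOMES is an
assumption about a stock 64-bit Windows install.
"""
import ntpath

# Directories the genuine binaries run from. smss/csrss/lsass/winlogon exist
# only in System32; there is no 32-bit copy of them under SysWOW64.
SYSTEM_PROCESS_HOMES = {
    "smss.exe": {r"c:\windows\system32"},
    "csrss.exe": {r"c:\windows\system32"},
    "lsass.exe": {r"c:\windows\system32"},
    "winlogon.exe": {r"c:\windows\system32"},
    "services.exe": {r"c:\windows\system32"},
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "explorer.exe": {r"c:\windows"},
}

# Names that no Windows component uses but that are chosen to look as if one did.
LOOKALIKE_NAMES = {
    "iexplorer.exe": "iexplore.exe",   # Internet Explorer is iexplore.exe
    "shell.exe": None,                 # no such system binary; used by this sample as the open-handler
}


def classify_image_path(path: str):
    """Return a finding string for a suspicious image path, or None when it passes."""
    directory, name = ntpath.split(path)
    directory, name = directory.lower().rstrip("\\"), name.lower()
    homes = SYSTEM_PROCESS_HOMES.get(name)
    if homes is not None:
        if directory not in homes:
            return f"masquerade: {name} running from {directory!r}; genuine copies live in {sorted(homes)}"
        return None
    if name in LOOKALIKE_NAMES:
        real = LOOKALIKE_NAMES[name]
        hint = f"lookalike of {real}" if real else "no legitimate Windows binary by this name"
        return f"lookalike: {name} at {directory!r} ({hint})"
    return None


def triage(paths):
    """Return {path: finding} for every path that trips a rule."""
    return {p: f for p in paths if (f := classify_image_path(p))}


# Paths copied from the Files list and process tables of this report, plus one
# constructed benign control (the real smss.exe location) to show the allow-list.
SAMPLE_PATHS = [
    r"C:\Users\Admin\Local Settings\Application Data\WINDOWS\smss.exe",
    r"C:\Windows\SysWOW64\shell.exe",
    r"C:\Windows\SysWOW64\babon.scr",
    r"C:\babon.exe",
    r"C:\Windows\SysWOW64\IExplorer.exe",
    r"C:\Windows\System32\smss.exe",   # constructed benign control
]

if __name__ == "__main__":
    for path, finding in triage(SAMPLE_PATHS).items():
        print(f"{path}\n    -> {finding}")
```

babon.exe and babon.scr pass both rules because neither imitates a system name; catching those needs a different signal (an executable written to the drive root or to System32 by a non-installer), which the Files list also supplies but this example does not cover.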

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-16 08:06

Reported

2024-05-16 08:09

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" C:\Users\Admin\AppData\Local\Temp\c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" C:\Users\Admin\AppData\Local\Temp\c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\AppData\Local\Temp\c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\babon.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Local\Temp\c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\babon.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\babon.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A

Disables Task Manager via registry modification

evasion

Disables cmd.exe use via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Users\Admin\AppData\Local\Temp\c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Windows\babon.exe N/A

Disables use of System Restore points

evasion

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A (21 identical rows: the packer match carries no indicator, process or target)
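
The packer match above comes with no indicator, so it is worth knowing how to corroborate it from the file itself. ASPack-packed binaries conventionally carry sections named .aspack and .adata, and reading the PE section table is a few lines of header walking. The Python below is an added example, not the sandbox's aspackv2 rule: the section names are an assumption about ASPack's defaults (this report does not print the sample's section table), so the code builds a minimal header-only PE as constructed input rather than reading the sample. A packer can rename its sections freely, so treat a hit as a triage hint and a miss as no information.

```python
"""Packer heuristic: list PE section names and flag the ones ASPack leaves behind.

Added example, not the sandbox's rule. ASPACK_SECTIONS is an assumption about
ASPack's default section names; the PE used for input is constructed here.
"""
import struct

ASPACK_SECTIONS = {b".aspack", b".adata"}
# IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
# NumberOfSymbols, SizeOfOptionalHeader, Characteristics
FILE_HEADER = "<HHIIIHH"
# IMAGE_SECTION_HEADER after the 8-byte Name: VirtualSize, VirtualAddress, SizeOfRawData,
# PointerToRawData, PointerToRelocations, PointerToLinenumbers, NumberOfRelocations,
# NumberOfLinenumbers, Characteristics
SECTION_TAIL = "<IIIIIIHHI"


def pe_section_names(data: bytes):
    """Walk DOS header -> PE signature -> section table and return the section names."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    coff = e_lfanew + 4
    _, nsec, _, _, _, size_opt, _ = struct.unpack_from(FILE_HEADER, data, coff)
    table = coff + struct.calcsize(FILE_HEADER) + size_opt
    names = []
    for i in range(nsec):
        off = table + 40 * i
        if off + 40 > len(data):
            raise ValueError("section table truncated")
        names.append(data[off:off + 8].rstrip(b"\0"))
    return names


def looks_aspack_packed(data: bytes) -> bool:
    """True when any section name matches the ASPack naming convention."""
    return bool(ASPACK_SECTIONS & set(pe_section_names(data)))


def build_minimal_pe(section_names, machine=0x014C):
    """Constructed test input: a header-only PE32 carrying the given section names."""
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)      # e_lfanew = 0x40
    size_opt = 0xE0                                                 # sizeof IMAGE_OPTIONAL_HEADER32
    coff = struct.pack(FILE_HEADER, machine, len(section_names), 0, 0, 0, size_opt, 0x0102)
    opt = struct.pack("<H", 0x10B).ljust(size_opt, b"\0")           # PE32 magic, remainder zeroed
    sections = b"".join(
        name.ljust(8, b"\0")[:8]
        + struct.pack(SECTION_TAIL, 0x1000, 0x1000 * (i + 1), 0, 0, 0, 0, 0, 0, 0x60000020)
        for i, name in enumerate(section_names)
    )
    return dos + b"PE\0\0" + coff + opt + sections


if __name__ == "__main__":
    for label, names in (("packed", [b".text", b".aspack", b".adata"]),
                         ("plain", [b".text", b".rdata", b".data"])):
        pe = build_minimal_pe(names)
        print(label, pe_section_names(pe), "aspack:", looks_aspack_packed(pe))
```

On a real sample, pass the file bytes to pe_section_names; if the names come back as .aspack/.adata the unpacked image is what the memory dumps at 0x400000 in the Files list will contain, and that is where static analysis should start.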

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\babon.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
N/A N/A C:\Windows\babon.exe N/A
N/A N/A C:\Windows\babon.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Windows\babon.exe N/A
N/A N/A C:\Windows\babon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Windows\babon.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\babon.exe N/A
N/A N/A C:\Windows\babon.exe N/A
N/A N/A C:\Windows\babon.exe N/A
N/A N/A C:\Windows\babon.exe N/A
N/A N/A C:\Windows\babon.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\babon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Windows\babon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open C:\Users\Admin\AppData\Local\Temp\c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Windows\babon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\babon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\AppData\Local\Temp\c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Windows\babon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Windows\babon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell C:\Users\Admin\AppData\Local\Temp\c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\AppData\Local\Temp\c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\babon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\csrss.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\babon = "C:\\Windows\\babon" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\babon = "C:\\Windows\\babon" C:\Users\Admin\AppData\Local\Temp\c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\csrss.exe" C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\lsass.exe" C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\babon = "C:\\Windows\\babon" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\babon = "C:\\Windows\\babon" C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\csrss.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\lsass.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\babon = "C:\\Windows\\babon" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\csrss.exe" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\babon = "C:\\Windows\\babon" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\lsass.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\lsass.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\csrss.exe" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" C:\Users\Admin\AppData\Local\Temp\c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\csrss.exe" C:\Users\Admin\AppData\Local\Temp\c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\lsass.exe" C:\Users\Admin\AppData\Local\Temp\c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\lsass.exe" C:\Windows\SysWOW64\IExplorer.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\R: C:\Windows\SysWOW64\IExplorer.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\IExplorer.exe N/A
File opened (read-only) \??\I: C:\Windows\babon.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\IExplorer.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\IExplorer.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\IExplorer.exe N/A
File opened (read-only) \??\Y: C:\Windows\babon.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
File opened (read-only) \??\Z: C:\Windows\babon.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\IExplorer.exe N/A
File opened (read-only) \??\K: C:\Windows\babon.exe N/A
File opened (read-only) \??\N: C:\Windows\babon.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\IExplorer.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
File opened (read-only) \??\T: C:\Windows\babon.exe N/A
File opened (read-only) \??\W: C:\Windows\babon.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\IExplorer.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\IExplorer.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\IExplorer.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\IExplorer.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
File opened (read-only) \??\L: C:\Windows\babon.exe N/A
File opened (read-only) \??\O: C:\Windows\babon.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\IExplorer.exe N/A
File opened (read-only) \??\R: C:\Windows\babon.exe N/A
File opened (read-only) \??\S: C:\Windows\babon.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\IExplorer.exe N/A
File opened (read-only) \??\J: C:\Windows\babon.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Please enjoy the Babon Entertainment ^_^" C:\Users\Admin\AppData\Local\Temp\c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Welcome Friend" C:\Windows\babon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ C:\Users\Admin\AppData\Local\Temp\c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Welcome Friend" C:\Users\Admin\AppData\Local\Temp\c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Please enjoy the Babon Entertainment ^_^" C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Please enjoy the Babon Entertainment ^_^" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Welcome Friend" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Please enjoy the Babon Entertainment ^_^" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Welcome Friend" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Please enjoy the Babon Entertainment ^_^" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Welcome Friend" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Please enjoy the Babon Entertainment ^_^" C:\Windows\babon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Welcome Friend" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File opened for modification F:\autorun.inf C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\autorun.inf C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\autorun.inf C:\Windows\SysWOW64\IExplorer.exe N/A
File created F:\autorun.inf C:\Windows\SysWOW64\IExplorer.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\babon.scr C:\Users\Admin\AppData\Local\Temp\c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\shell.exe C:\Windows\babon.exe N/A
File opened for modification C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\SysWOW64\IExplorer.exe C:\Windows\babon.exe N/A
File opened for modification C:\Windows\SysWOW64\shell.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
File opened for modification C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\AppData\Local\Temp\c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\shell.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened for modification C:\Windows\SysWOW64\shell.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\shell.exe C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\SysWOW64\IExplorer.exe C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\shell.exe C:\Users\Admin\AppData\Local\Temp\c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe N/A
File created C:\Windows\SysWOW64\shell.exe C:\Users\Admin\AppData\Local\Temp\c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\IExplorer.exe C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\babon.scr C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
File created C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\AppData\Local\Temp\c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\babon.scr C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\babon.scr C:\Windows\babon.exe N/A
File opened for modification C:\Windows\SysWOW64\IExplorer.exe C:\Windows\babon.exe N/A
File opened for modification C:\Windows\SysWOW64\babon.scr C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File created C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File created C:\Windows\SysWOW64\babon.scr C:\Users\Admin\AppData\Local\Temp\c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened for modification C:\Windows\SysWOW64\babon.scr C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\babon.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\babon.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\babon.exe C:\Windows\babon.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\babon.exe C:\Users\Admin\AppData\Local\Temp\c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe N/A
File created C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\babon.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File created C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\IExplorer.exe N/A
File opened for modification C:\Windows\babon.exe C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\babon.exe C:\Windows\SysWOW64\IExplorer.exe N/A
File created C:\Windows\babon.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
File opened for modification C:\Windows\babon.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
File created C:\Windows\babon.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
File created C:\Windows\babon.exe C:\Users\Admin\AppData\Local\Temp\c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\babon.exe C:\Windows\babon.exe N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\babon.SCR" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\Mouse\SwapMouseButtons = "1" C:\Windows\babon.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\Desktop\ C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\babon.SCR" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\s2359 = "Babon" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\Desktop\ C:\Users\Admin\AppData\Local\Temp\c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\ C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\s1159 = "Babon" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\Mouse\SwapMouseButtons = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\s1159 = "Babon" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\s2359 = "Babon" C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\babon.SCR" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\ C:\Users\Admin\AppData\Local\Temp\c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\s2359 = "Babon" C:\Users\Admin\AppData\Local\Temp\c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\s2359 = "Babon" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\ C:\Windows\babon.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\Mouse\ C:\Windows\babon.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\Desktop\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\babon.SCR" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" C:\Users\Admin\AppData\Local\Temp\c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\Desktop\ C:\Windows\babon.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\Mouse\ C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\Mouse\SwapMouseButtons = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\Mouse\ C:\Users\Admin\AppData\Local\Temp\c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\babon.SCR" C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\s1159 = "Babon" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\s1159 = "Babon" C:\Windows\babon.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\Mouse\SwapMouseButtons = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\s2359 = "Babon" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\Mouse\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\s1159 = "Babon" C:\Users\Admin\AppData\Local\Temp\c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\s2359 = "Babon" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\Mouse\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\Mouse\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\babon.SCR" C:\Users\Admin\AppData\Local\Temp\c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" C:\Users\Admin\AppData\Local\Temp\c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\Desktop\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\Desktop\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\Mouse\SwapMouseButtons = "1" C:\Users\Admin\AppData\Local\Temp\c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\s1159 = "Babon" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\Mouse\SwapMouseButtons = "1" C:\Windows\SysWOW64\IExplorer.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Internet Explorer\Main\ C:\Users\Admin\AppData\Local\Temp\c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Babon hates Norman..:P~~" C:\Users\Admin\AppData\Local\Temp\c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Babon hates Norman..:P~~" C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Babon hates Norman..:P~~" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.jasakom.com" C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Internet Explorer\Main\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Babon hates Norman..:P~~" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Internet Explorer\Main\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.jasakom.com" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Babon hates Norman..:P~~" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.jasakom.com" C:\Users\Admin\AppData\Local\Temp\c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Internet Explorer\Main\ C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.jasakom.com" C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Babon hates Norman..:P~~" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.jasakom.com" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Internet Explorer\Main\ C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Internet Explorer\Main\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.jasakom.com" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A

Modifies Internet Explorer start page

stealer
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.jasakom.com" C:\Users\Admin\AppData\Local\Temp\c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.jasakom.com" C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.jasakom.com" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.jasakom.com" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.jasakom.com" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.jasakom.com" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ C:\Users\Admin\AppData\Local\Temp\c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF" C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install C:\Users\Admin\AppData\Local\Temp\c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\AppData\Local\Temp\c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Users\Admin\AppData\Local\Temp\c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\babon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} C:\Users\Admin\AppData\Local\Temp\c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile C:\Users\Admin\AppData\Local\Temp\c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} C:\Users\Admin\AppData\Local\Temp\c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell C:\Users\Admin\AppData\Local\Temp\c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Windows\babon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile C:\Users\Admin\AppData\Local\Temp\c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Windows\babon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ C:\Windows\SysWOW64\IExplorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe N/A
N/A N/A C:\Windows\babon.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
N/A N/A C:\Windows\babon.exe N/A
N/A N/A C:\Windows\babon.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Windows\babon.exe N/A
N/A N/A C:\Windows\babon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Windows\babon.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\IExplorer.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
N/A N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3196 wrote to memory of 4972 N/A C:\Users\Admin\AppData\Local\Temp\c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe C:\Windows\babon.exe
PID 3196 wrote to memory of 4972 N/A C:\Users\Admin\AppData\Local\Temp\c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe C:\Windows\babon.exe
PID 3196 wrote to memory of 4972 N/A C:\Users\Admin\AppData\Local\Temp\c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe C:\Windows\babon.exe
PID 3196 wrote to memory of 4140 N/A C:\Users\Admin\AppData\Local\Temp\c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe C:\Windows\SysWOW64\IExplorer.exe
PID 3196 wrote to memory of 4140 N/A C:\Users\Admin\AppData\Local\Temp\c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe C:\Windows\SysWOW64\IExplorer.exe
PID 3196 wrote to memory of 4140 N/A C:\Users\Admin\AppData\Local\Temp\c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe C:\Windows\SysWOW64\IExplorer.exe
PID 3196 wrote to memory of 3528 N/A C:\Users\Admin\AppData\Local\Temp\c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 3196 wrote to memory of 3528 N/A C:\Users\Admin\AppData\Local\Temp\c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 3196 wrote to memory of 3528 N/A C:\Users\Admin\AppData\Local\Temp\c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 3196 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe
PID 3196 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe
PID 3196 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe
PID 3196 wrote to memory of 5092 N/A C:\Users\Admin\AppData\Local\Temp\c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe
PID 3196 wrote to memory of 5092 N/A C:\Users\Admin\AppData\Local\Temp\c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe
PID 3196 wrote to memory of 5092 N/A C:\Users\Admin\AppData\Local\Temp\c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe
PID 4972 wrote to memory of 684 N/A C:\Windows\babon.exe C:\Windows\babon.exe
PID 4972 wrote to memory of 684 N/A C:\Windows\babon.exe C:\Windows\babon.exe
PID 4972 wrote to memory of 684 N/A C:\Windows\babon.exe C:\Windows\babon.exe
PID 4140 wrote to memory of 4340 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Windows\babon.exe
PID 4140 wrote to memory of 4340 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Windows\babon.exe
PID 4140 wrote to memory of 4340 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Windows\babon.exe
PID 4140 wrote to memory of 5040 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Windows\SysWOW64\IExplorer.exe
PID 4140 wrote to memory of 5040 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Windows\SysWOW64\IExplorer.exe
PID 4140 wrote to memory of 5040 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Windows\SysWOW64\IExplorer.exe
PID 4140 wrote to memory of 452 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 4140 wrote to memory of 452 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 4140 wrote to memory of 452 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 4140 wrote to memory of 4992 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe
PID 4140 wrote to memory of 4992 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe
PID 4140 wrote to memory of 4992 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe
PID 4972 wrote to memory of 1804 N/A C:\Windows\babon.exe C:\Windows\SysWOW64\IExplorer.exe
PID 4972 wrote to memory of 1804 N/A C:\Windows\babon.exe C:\Windows\SysWOW64\IExplorer.exe
PID 4972 wrote to memory of 1804 N/A C:\Windows\babon.exe C:\Windows\SysWOW64\IExplorer.exe
PID 3528 wrote to memory of 4196 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe C:\Windows\babon.exe
PID 3528 wrote to memory of 4196 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe C:\Windows\babon.exe
PID 3528 wrote to memory of 4196 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe C:\Windows\babon.exe
PID 2920 wrote to memory of 4296 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe C:\Windows\babon.exe
PID 2920 wrote to memory of 4296 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe C:\Windows\babon.exe
PID 2920 wrote to memory of 4296 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe C:\Windows\babon.exe
PID 4140 wrote to memory of 2116 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe
PID 4140 wrote to memory of 2116 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe
PID 4140 wrote to memory of 2116 N/A C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe
PID 4972 wrote to memory of 2460 N/A C:\Windows\babon.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 4972 wrote to memory of 2460 N/A C:\Windows\babon.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 4972 wrote to memory of 2460 N/A C:\Windows\babon.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 5092 wrote to memory of 3444 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe C:\Windows\babon.exe
PID 5092 wrote to memory of 3444 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe C:\Windows\babon.exe
PID 5092 wrote to memory of 3444 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe C:\Windows\babon.exe
PID 3528 wrote to memory of 1276 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe C:\Windows\SysWOW64\IExplorer.exe
PID 3528 wrote to memory of 1276 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe C:\Windows\SysWOW64\IExplorer.exe
PID 3528 wrote to memory of 1276 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2920 wrote to memory of 5104 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2920 wrote to memory of 5104 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2920 wrote to memory of 5104 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe C:\Windows\SysWOW64\IExplorer.exe
PID 4972 wrote to memory of 3720 N/A C:\Windows\babon.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe
PID 4972 wrote to memory of 3720 N/A C:\Windows\babon.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe
PID 4972 wrote to memory of 3720 N/A C:\Windows\babon.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe
PID 5092 wrote to memory of 2324 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe C:\Windows\SysWOW64\IExplorer.exe
PID 5092 wrote to memory of 2324 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe C:\Windows\SysWOW64\IExplorer.exe
PID 5092 wrote to memory of 2324 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe C:\Windows\SysWOW64\IExplorer.exe
PID 3528 wrote to memory of 2524 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 3528 wrote to memory of 2524 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 3528 wrote to memory of 2524 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
PID 2920 wrote to memory of 2604 N/A C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Users\Admin\AppData\Local\Temp\c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\babon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Windows\SysWOW64\IExplorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Windows\babon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe"

C:\Windows\babon.exe

C:\Windows\babon.exe

C:\Windows\SysWOW64\IExplorer.exe

C:\Windows\system32\IExplorer.exe

C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"

C:\Windows\babon.exe

C:\Windows\babon.exe

C:\Windows\babon.exe

C:\Windows\babon.exe

C:\Windows\SysWOW64\IExplorer.exe

C:\Windows\system32\IExplorer.exe

C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"

C:\Windows\SysWOW64\IExplorer.exe

C:\Windows\system32\IExplorer.exe

C:\Windows\babon.exe

C:\Windows\babon.exe

C:\Windows\babon.exe

C:\Windows\babon.exe

C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"

C:\Windows\babon.exe

C:\Windows\babon.exe

C:\Windows\SysWOW64\IExplorer.exe

C:\Windows\system32\IExplorer.exe

C:\Windows\SysWOW64\IExplorer.exe

C:\Windows\system32\IExplorer.exe

C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"

C:\Windows\SysWOW64\IExplorer.exe

C:\Windows\system32\IExplorer.exe

C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"

Network

Files

memory/3196-0-0x0000000000400000-0x0000000000423000-memory.dmp

C:\Users\Admin\AppData\Local\winlogon.exe

C:\Windows\babon.exe

memory/4972-101-0x0000000000400000-0x0000000000423000-memory.dmp

C:\Windows\SysWOW64\IExplorer.exe

memory/4140-108-0x0000000000400000-0x0000000000423000-memory.dmp

C:\Users\Admin\AppData\Local\WINDOWS\winlogon.exe

memory/3528-116-0x0000000000400000-0x0000000000423000-memory.dmp

C:\Users\Admin\AppData\Local\WINDOWS\csrss.exe

memory/2920-122-0x0000000000400000-0x0000000000423000-memory.dmp

C:\Users\Admin\AppData\Local\WINDOWS\lsass.exe

memory/5092-128-0x0000000000400000-0x0000000000423000-memory.dmp

memory/3196-131-0x0000000000400000-0x0000000000423000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\WINDOWS\smss.exe

C:\wangsit.txt

C:\Windows\msvbvm60.dll

C:\Users\Admin\Local Settings\Application Data\WINDOWS\smss.exe

memory/4340-193-0x0000000000400000-0x0000000000423000-memory.dmp

C:\Windows\SysWOW64\babon.scr

C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif

C:\Windows\SysWOW64\shell.exe

C:\babon.exe

C:\Users\Admin\Local Settings\Application Data\WINDOWS\smss.exe

C:\Windows\SysWOW64\shell.exe


C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif


C:\Windows\SysWOW64\babon.scr


C:\babon.exe

C:\Users\Admin\Local Settings\Application Data\WINDOWS\smss.exe

C:\Windows\SysWOW64\shell.exe


C:\Windows\SysWOW64\babon.scr


C:\babon.exe

F:\autorun.inf
