Analysis
max time kernel: 150s
max time network: 119s
platform: windows7_x64
resource: win7-20240220-en
resource tags: arch:x64 arch:x86 image:win7-20240220-en locale:en-us os:windows7-x64 system
submitted: 19/06/2024, 21:38
Static task: static1
Behavioral task: behavioral1
Sample: 0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe
Resource: win7-20240220-en
Behavioral task: behavioral2
Sample: 0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe
Resource: win10v2004-20240508-en
General
Target: 0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe
Size: 91KB
MD5: 499eb5354d018ee4a0a4eaa0d54d5de0
SHA1: c228922423384522797e100bd239cc0146e9ee6a
SHA256: 0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5
SHA512: d331d570993e7ca31111e68fd6803c3a3d2446074412111bbb47ed63a07b5bd12dcfe8adb34b51dae52a61a74fc43efbfe0bee3b45643274c16543a83c3ac2db
SSDEEP: 1536:npDnq+5h/tDSZ15Wwd4pDnq+5h/tDSZ15WwdM:npDRzSZaC4pDRzSZaCM
Malware Config
Signatures
Modifies WinLogon for persistence 2 TTPs 12 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" | lsass.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" | 0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" | babon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" | lsass.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" | 0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" | babon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" | csrss.exe
Modifies visibility of file extensions in Explorer 2 TTPs 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | lsass.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | 0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | babon.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | IExplorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | winlogon.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | csrss.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | lsass.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | 0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | babon.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | IExplorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | winlogon.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | csrss.exe
Disables RegEdit via registry modification 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | csrss.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | lsass.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | 0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | babon.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | IExplorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | winlogon.exe
Disables Task Manager via registry modification
Disables cmd.exe use via registry modification 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | lsass.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | 0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | babon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | IExplorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | csrss.exe
Disables use of System Restore points 1 TTPs
Executes dropped EXE 30 IoCs
pid | Process
1852 | babon.exe
2380 | IExplorer.exe
2284 | winlogon.exe
400 | csrss.exe
2280 | lsass.exe
2076 | babon.exe
2864 | IExplorer.exe
2032 | winlogon.exe
2568 | babon.exe
1412 | csrss.exe
2372 | IExplorer.exe
2300 | babon.exe
2964 | winlogon.exe
1708 | lsass.exe
1616 | babon.exe
1180 | csrss.exe
2328 | IExplorer.exe
1500 | babon.exe
1528 | IExplorer.exe
2956 | lsass.exe
2552 | winlogon.exe
2712 | csrss.exe
2220 | IExplorer.exe
2428 | winlogon.exe
2808 | lsass.exe
2796 | csrss.exe
2772 | winlogon.exe
2420 | lsass.exe
2528 | csrss.exe
2884 | lsass.exe
Loads dropped DLL 45 IoCs
Modifies system executable filetype association 2 TTPs 64 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open | 0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | lsass.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | lsass.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | lsass.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | babon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | 0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | 0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | 0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | babon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | IExplorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | lsass.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | 0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | IExplorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | 0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | babon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | lsass.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | lsass.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | lsass.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell | 0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | 0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | babon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | babon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | 0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | 0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | lsass.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | 0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | 0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | babon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | babon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | babon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | babon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | IExplorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | 0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | babon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | lsass.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | IExplorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | babon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | lsass.exe
Adds Run key to start application 2 TTPs 24 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\csrss.exe" | babon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\lsass.exe" | babon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" | winlogon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\babon = "C:\\Windows\\babon" | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\babon = "C:\\Windows\\babon" | 0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" | 0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\lsass.exe" | 0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\lsass.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\csrss.exe" | lsass.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\lsass.exe" | lsass.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\babon = "C:\\Windows\\babon" | winlogon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\babon = "C:\\Windows\\babon" | lsass.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\csrss.exe" | 0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\babon = "C:\\Windows\\babon" | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\lsass.exe" | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\csrss.exe" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\csrss.exe" | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" | babon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\csrss.exe" | IExplorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\babon = "C:\\Windows\\babon" | babon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\lsass.exe" | winlogon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" | lsass.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Modifies WinLogon 2 TTPs 18 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Welcome Friend" | lsass.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Welcome Friend" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Please enjoy the Babon Entertainment ^_^" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Welcome Friend" | 0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ | babon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Welcome Friend" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Please enjoy the Babon Entertainment ^_^" | lsass.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ | 0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Welcome Friend" | babon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Please enjoy the Babon Entertainment ^_^" | babon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Please enjoy the Babon Entertainment ^_^" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ | lsass.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Please enjoy the Babon Entertainment ^_^" | 0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Welcome Friend" | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Please enjoy the Babon Entertainment ^_^" | IExplorer.exe
Drops autorun.inf file 1 TTPs 4 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description | ioc | Process
File created | C:\autorun.inf | babon.exe
File opened for modification | C:\autorun.inf | babon.exe
File created | F:\autorun.inf | babon.exe
File opened for modification | F:\autorun.inf | babon.exe
Drops file in System32 directory 38 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\shell.exe | babon.exe
File opened for modification | C:\Windows\SysWOW64\shell.exe | IExplorer.exe
File created | C:\Windows\SysWOW64\IExplorer.exe | IExplorer.exe
File created | C:\Windows\SysWOW64\IExplorer.exe | csrss.exe
File opened for modification | C:\Windows\SysWOW64\IExplorer.exe | csrss.exe
File created | C:\Windows\SysWOW64\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\SysWOW64\shell.exe | winlogon.exe
File created | C:\Windows\SysWOW64\IExplorer.exe | lsass.exe
File created | C:\Windows\SysWOW64\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\SysWOW64\babon.scr | 0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe
File opened for modification | C:\Windows\SysWOW64\IExplorer.exe | babon.exe
File opened for modification | C:\Windows\SysWOW64\IExplorer.exe | winlogon.exe
File opened for modification | C:\Windows\SysWOW64\IExplorer.exe | lsass.exe
File opened for modification | C:\Windows\SysWOW64\shell.exe | 0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe
File created | C:\Windows\SysWOW64\msvbvm60.dll | IExplorer.exe
File created | C:\Windows\SysWOW64\shell.exe | 0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe
File opened for modification | C:\Windows\SysWOW64\IExplorer.exe | 0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe
File created | C:\Windows\SysWOW64\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\SysWOW64\shell.exe | lsass.exe
File created | C:\Windows\SysWOW64\msvbvm60.dll | IExplorer.exe
File created | C:\Windows\SysWOW64\babon.scr | 0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe
File opened for modification | C:\Windows\SysWOW64\babon.scr | babon.exe
File opened for modification | C:\Windows\SysWOW64\babon.scr | IExplorer.exe
File opened for modification | C:\Windows\SysWOW64\IExplorer.exe | IExplorer.exe
File created | C:\Windows\SysWOW64\IExplorer.exe | winlogon.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | IExplorer.exe
File created | C:\Windows\SysWOW64\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | IExplorer.exe
File created | C:\Windows\SysWOW64\IExplorer.exe | babon.exe
File opened for modification | C:\Windows\SysWOW64\shell.exe | csrss.exe
File opened for modification | C:\Windows\SysWOW64\babon.scr | csrss.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | IExplorer.exe
File created | C:\Windows\SysWOW64\IExplorer.exe | 0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe
File opened for modification | C:\Windows\SysWOW64\babon.scr | winlogon.exe
File opened for modification | C:\Windows\SysWOW64\babon.scr | lsass.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | IExplorer.exe
Drops file in Windows directory 24 IoCs
| description | ioc | Processes |
|---|---|---|
| File created | C:\Windows\babon.exe | 0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe, babon.exe, IExplorer.exe, winlogon.exe, csrss.exe, lsass.exe |
| File opened for modification | C:\Windows\babon.exe | 0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe, babon.exe, IExplorer.exe, winlogon.exe, csrss.exe, lsass.exe |
| File created | C:\Windows\msvbvm60.dll | IExplorer.exe |
| File opened for modification | C:\Windows\msvbvm60.dll | IExplorer.exe |

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Modifies Control Panel 42 IoCs
All seven values below were written by each of the six processes: 0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe, babon.exe, IExplorer.exe, winlogon.exe, csrss.exe and lsass.exe (7 values x 6 processes = 42 IoCs).

| description | ioc |
|---|---|
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\Desktop\ |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\International\ |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\babon.SCR" |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\International\s1159 = "Babon" |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\International\s2359 = "Babon" |

Modifies Internet Explorer settings 18 IoCs
All three entries below were written by each of the six processes: 0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe, babon.exe, IExplorer.exe, winlogon.exe, csrss.exe and lsass.exe.

| description | ioc |
|---|---|
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\ |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Babon hates Norman..:P~~" |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.jasakom.com" |

Modifies Internet Explorer start page 1 TTPs 6 IoCs
| description | ioc | Processes |
|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.jasakom.com" | 0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe, babon.exe, IExplorer.exe, winlogon.exe, csrss.exe, lsass.exe |

Modifies registry class 64 IoCs
| description | ioc | Processes |
|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | 0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe, babon.exe, IExplorer.exe, winlogon.exe, csrss.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | 0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe, babon.exe, IExplorer.exe, csrss.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | 0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe, IExplorer.exe, csrss.exe, lsass.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | 0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe, csrss.exe, lsass.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | IExplorer.exe, winlogon.exe, csrss.exe, lsass.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | 0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe, babon.exe, IExplorer.exe, winlogon.exe, lsass.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF" | babon.exe, IExplorer.exe, winlogon.exe, lsass.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile | 0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | 0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe, winlogon.exe, csrss.exe, lsass.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | babon.exe, IExplorer.exe, winlogon.exe, csrss.exe, lsass.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | babon.exe, IExplorer.exe, winlogon.exe, csrss.exe, lsass.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | 0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe, IExplorer.exe, winlogon.exe, csrss.exe, lsass.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile | 0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open | 0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | 0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe, babon.exe, IExplorer.exe, winlogon.exe, csrss.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ | babon.exe, csrss.exe, lsass.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} | 0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe, winlogon.exe, csrss.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} | babon.exe, IExplorer.exe |

Suspicious behavior: EnumeratesProcesses 1 IoCs
| pid | Process |
|---|---|
| 2860 | 0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe |

Suspicious behavior: GetForegroundWindowSpam 5 IoCs
| pid | Process |
|---|---|
| 1852 | babon.exe |
| 400 | csrss.exe |
| 2284 | winlogon.exe |
| 2380 | IExplorer.exe |
| 2280 | lsass.exe |

Suspicious use of SetWindowsHookEx 31 IoCs
| Process | pids |
|---|---|
| 0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe | 2860 |
| babon.exe | 1852, 2076, 2568, 2300, 1616, 1500 |
| IExplorer.exe | 2380, 2864, 2372, 2328, 1528, 2220 |
| winlogon.exe | 2284, 2032, 2964, 2552, 2428, 2772 |
| csrss.exe | 400, 1412, 1180, 2712, 2796, 2528 |
| lsass.exe | 2280, 1708, 2956, 2808, 2420, 2884 |

Suspicious use of WriteProcessMemory 64 IoCs
Each of the 16 parent/child pairs below is recorded four times in the report (16 x 4 = 64 IoCs).

| description | pid | Process | procid_target |
|---|---|---|---|
| PID 2860 wrote to memory of 1852 | 2860 | 0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe | 28 |
| PID 2860 wrote to memory of 2380 | 2860 | 0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe | 29 |
| PID 2860 wrote to memory of 2284 | 2860 | 0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe | 30 |
| PID 2860 wrote to memory of 400 | 2860 | 0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe | 31 |
| PID 2860 wrote to memory of 2280 | 2860 | 0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe | 32 |
| PID 1852 wrote to memory of 2076 | 1852 | babon.exe | 33 |
| PID 1852 wrote to memory of 2864 | 1852 | babon.exe | 34 |
| PID 1852 wrote to memory of 2032 | 1852 | babon.exe | 35 |
| PID 2380 wrote to memory of 2568 | 2380 | IExplorer.exe | 36 |
| PID 1852 wrote to memory of 1412 | 1852 | babon.exe | 37 |
| PID 2380 wrote to memory of 2372 | 2380 | IExplorer.exe | 38 |
| PID 2284 wrote to memory of 2300 | 2284 | winlogon.exe | 39 |
| PID 2380 wrote to memory of 2964 | 2380 | IExplorer.exe | 40 |
| PID 1852 wrote to memory of 1708 | 1852 | babon.exe | 41 |
| PID 400 wrote to memory of 1616 | 400 | csrss.exe | 42 |
| PID 2380 wrote to memory of 1180 | 2380 | IExplorer.exe | 43 |

System policy modification 1 TTPs 12 IoCs
Both entries below were written by each of the six processes: 0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe, babon.exe, IExplorer.exe, winlogon.exe, csrss.exe and lsass.exe (2 entries x 6 processes = 12 IoCs).

| description | ioc |
|---|---|
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" |

Processes

Image path, command line and PID are given for each process; depth-2 processes are children of the sample (PID 2860), depth-3 processes are children of the depth-2 process they are listed under.

C:\Users\Admin\AppData\Local\Temp\0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe (depth 1, PID 2860)
Command line: "C:\Users\Admin\AppData\Local\Temp\0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe"
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification

    C:\Windows\babon.exe (depth 2, PID 1852, parent 2860)
    Command line: C:\Windows\babon.exe
    - Modifies WinLogon for persistence
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Disables RegEdit via registry modification
    - Disables cmd.exe use via registry modification
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies system executable filetype association
    - Adds Run key to start application
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops autorun.inf file
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Modifies Control Panel
    - Modifies Internet Explorer settings
    - Modifies Internet Explorer start page
    - Modifies registry class
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification

        C:\Windows\babon.exe (depth 3, PID 2076, parent 1852)
        Command line: C:\Windows\babon.exe
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx

        C:\Windows\SysWOW64\IExplorer.exe (depth 3, PID 2864, parent 1852)
        Command line: C:\Windows\system32\IExplorer.exe
        - Executes dropped EXE
        - Drops file in System32 directory
        - Drops file in Windows directory
        - Suspicious use of SetWindowsHookEx

        C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe (depth 3, PID 2032, parent 1852)
        Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx

        C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe (depth 3, PID 1412, parent 1852)
        Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx

        C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe (depth 3, PID 1708, parent 1852)
        Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx

    C:\Windows\SysWOW64\IExplorer.exe (depth 2, PID 2380, parent 2860)
    Command line: C:\Windows\system32\IExplorer.exe
    - Modifies WinLogon for persistence
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Disables RegEdit via registry modification
    - Disables cmd.exe use via registry modification
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies system executable filetype association
    - Adds Run key to start application
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Modifies Control Panel
    - Modifies Internet Explorer settings
    - Modifies Internet Explorer start page
    - Modifies registry class
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification

        C:\Windows\babon.exe (depth 3, PID 2568, parent 2380)
        Command line: C:\Windows\babon.exe
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx

        C:\Windows\SysWOW64\IExplorer.exe (depth 3, PID 2372, parent 2380)
        Command line: C:\Windows\system32\IExplorer.exe
        - Executes dropped EXE
        - Drops file in System32 directory
        - Drops file in Windows directory
        - Suspicious use of SetWindowsHookEx

        C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe (depth 3, PID 2964, parent 2380)
        Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx

        C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe (depth 3, PID 1180, parent 2380)
        Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx

        C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe (depth 3, PID 2956, parent 2380)
        Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx

    C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe (depth 2, PID 2284, parent 2860)
    Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
    - Modifies WinLogon for persistence
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Disables RegEdit via registry modification
    - Disables cmd.exe use via registry modification
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies system executable filetype association
    - Adds Run key to start application
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Modifies Control Panel
    - Modifies Internet Explorer settings
    - Modifies Internet Explorer start page
    - Modifies registry class
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification

        C:\Windows\babon.exe (depth 3, PID 2300, parent 2284)
        Command line: C:\Windows\babon.exe
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx

        C:\Windows\SysWOW64\IExplorer.exe (depth 3, PID 2328, parent 2284)
        Command line: C:\Windows\system32\IExplorer.exe
        - Executes dropped EXE
        - Drops file in System32 directory
        - Drops file in Windows directory
        - Suspicious use of SetWindowsHookEx

        C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe (depth 3, PID 2552, parent 2284)
        Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx

        C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe (depth 3, PID 2712, parent 2284)
        Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx

        C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe (depth 3, PID 2808, parent 2284)
        Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx

    C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe (depth 2, parent 2860)
    Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"
    - Modifies WinLogon for persistence
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:400 -
C:\Windows\babon.exeC:\Windows\babon.exe3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1616
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:1528
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2428
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2796
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2420
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:2280 -
C:\Windows\babon.exeC:\Windows\babon.exe3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1500
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2220
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2772
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2528
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2884
-
-
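The two host-side checks a responder would run for the behaviour in this tree, as an added example (this is not tria.ge code and not part of the report): one parses the Winlogon Userinit and Shell values and flags any entry that is not exactly the stock program with no arguments, which catches both the extra program appended to Userinit and the payload path handed to Explorer.exe in Shell; the other flags executables that carry a core system process name but run from outside System32/SysWOW64. The sample registry values and image paths are copied from this report; the stock Winlogon defaults, the set of core process names and the genuine winlogon.exe control path are assumptions, marked as such in the comments.

```python
"""Detection logic for the Winlogon rewrite and the masquerading dropped
binaries seen in this report. Added example, not tria.ge code."""
import ntpath
import re

# Assumption: stock Windows values on a host that has not legitimately
# customised Winlogon. The real Userinit data carries a trailing comma,
# which split_entries() tolerates.
DEFAULT_USERINIT = r"C:\Windows\system32\userinit.exe"
DEFAULT_SHELL = "explorer.exe"

# Assumption: core process names that only belong in the system directories.
SYSTEM_NAMES = {"winlogon.exe", "csrss.exe", "lsass.exe", "smss.exe",
                "services.exe", "wininit.exe"}
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# Values taken from this report's signature list and process tree.
SAMPLE_USERINIT = r"C:\Windows\system32\userinit.exe,C:\Windows\system32\IExplorer.exe"
SAMPLE_SHELL = r'Explorer.exe "C:\Windows\system32\IExplorer.exe"'
SAMPLE_IMAGES = [
    r"C:\Windows\SysWOW64\IExplorer.exe",
    r"C:\Windows\babon.exe",
    r"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe",
    r"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe",
    r"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe",
    # Constructed control: the genuine binary, which must not be flagged.
    r"C:\Windows\System32\winlogon.exe",
]


def split_entries(value):
    """Split a Winlogon value into its comma-separated program entries,
    keeping a double-quoted path (which may contain commas or spaces) whole."""
    return [e.strip() for e in re.findall(r'(?:"[^"]*"|[^,])+', value) if e.strip()]


def tokenize(entry):
    """Split one entry into program and arguments, honouring double quotes."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', entry)]


def winlogon_findings(userinit, shell):
    """Return (value name, entry) for every entry that is not exactly the
    stock program with no arguments."""
    findings = []
    for name, value, default in (("Userinit", userinit, DEFAULT_USERINIT),
                                 ("Shell", shell, DEFAULT_SHELL)):
        for entry in split_entries(value):
            tokens = tokenize(entry)
            program, args = tokens[0], tokens[1:]
            if program.lower() != default.lower() or args:
                findings.append((name, entry))
    return findings


def masquerade_findings(image_paths):
    """Return image paths that carry a core system process name but do not
    live in System32 or SysWOW64."""
    return [p for p in image_paths
            if ntpath.basename(p).lower() in SYSTEM_NAMES
            and ntpath.dirname(p).lower() not in SYSTEM_DIRS]


if __name__ == "__main__":
    for name, entry in winlogon_findings(SAMPLE_USERINIT, SAMPLE_SHELL):
        print(f"Winlogon\\{name}: unexpected entry {entry!r}")
    for path in masquerade_findings(SAMPLE_IMAGES):
        print(f"masquerading system binary: {path}")
```

On a live x64 host, feed winlogon_findings() the values from both the native Winlogon key and the Wow6432Node view, since this sample's writes land in the latter; a clean native key does not clear the redirected one.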
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (2)
  Event Triggered Execution (1)
    Change Default File Association (1)
Privilege Escalation
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (2)
  Event Triggered Execution (1)
    Change Default File Association (1)
Defense Evasion
  Hide Artifacts (2)
    Hidden Files and Directories (2)
  Modify Registry (9)
Downloads
- Filesize: 91KB
  MD5: 499eb5354d018ee4a0a4eaa0d54d5de0
  SHA1: c228922423384522797e100bd239cc0146e9ee6a
  SHA256: 0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5
  SHA512: d331d570993e7ca31111e68fd6803c3a3d2446074412111bbb47ed63a07b5bd12dcfe8adb34b51dae52a61a74fc43efbfe0bee3b45643274c16543a83c3ac2db
- Filesize: 91KB
  MD5: 6c9fd09eda54f6bbc2ada21378905c1d
  SHA1: e5ebefda48dc28275f32b1bc913859f006235bf2
  SHA256: 6bd7a923ae6a4cfbdf2f23abc91fd284645f7f17acfb634e8406db24743b96b8
  SHA512: ea0ca78a53ccdee48eaec4644e86df61eb188813d453cb4095837d69db242f6f0be5cc4be460ddb394a05c44a1ff9905d7ce1e8b6515c728586d0fcafb0f0cf4
- Filesize: 91KB
  MD5: d8a2c91b6ec6196842db2a5e927efb54
  SHA1: dc2fb21aede9413a072364542f217d148a983e18
  SHA256: 1195f6a69a7ed52347e1e7ba2588d9ffbefc6485b0e4198d07652389deabdc8a
  SHA512: 1cadb1bc5fdc08605c31da4f07cafe752953df442ddd90b8f960ad307c43115b09484536b922db5ef4d5b90aa830bd78db6d2a5d0f3f0406455bb49148c320d1
- Filesize: 91KB
  MD5: a17446c35b98580558320cd961bd22a7
  SHA1: d475f50991767bc6d43bfae09c3bf0c5c20e1b12
  SHA256: ed66022c231bf356bc4119bf27843e9492ef2d6abfac49a74b1dacb4e20b9bea
  SHA512: 55759ffadc715505b8b25750d88d444dae7fc1f46e604abdea3f106ec6578142e7ff7c21d4f9d37ff8e025d1da10ecfdbccce000dd958b85a0f3e333284c4560
- Filesize: 91KB
  MD5: 0699eb8bc57218baf8adf758f66f9b79
  SHA1: 6d6a655714aa9205e59a221d5c77e2bfc583cab5
  SHA256: 4ed306db4d8ba6894c3a449ba2b73ce075ffe949b9fbdf365e2af46e9885f72b
  SHA512: ca7b06a5af7965e4a9a05d5dda95109ca1f02a9faab79884c667191cb6d9ecae3b26780e1a622c6dc097113b554795ea275ad9b6ec3f229b33fd880240b19b6d
- Filesize: 91KB
  MD5: 4ecb9c5b4980529ea6599a7cc84d49d8
  SHA1: f8f3c6124854dd94b54c67779792e05171e27dd5
  SHA256: ca519af441d09714676353184b87534af2c388e4f88739959c65d6cb37405fe4
  SHA512: 654f55bb83393705e45bb50b13368d9ea1c235218543fe3e3c5321af34e74042fef0b37338a70f9ea6d90de8fa13e8fbbad194e761008e7c6b5e47b35f33bb54
- Filesize: 1.3MB
  MD5: 5343a19c618bc515ceb1695586c6c137
  SHA1: 4dedae8cbde066f31c8e6b52c0baa3f8b1117742
  SHA256: 2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce
  SHA512: 708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606
- Filesize: 91KB
  MD5: dc881b9d7820739bbdfaf90c2cf2174b
  SHA1: d323106374068a46802c6312ab1469d8870a33a0
  SHA256: 85583e6db4703f511fa8987aa46be82b8be0e776b3d71ac59cf7a1b3d8148570
  SHA512: 3a740b6a575ab6b53410ec90e36a3629f2aaa8e7e6ce6ed4e78a9d170fc8719d82fdbd349c3e00f974e40eeaaa30c693fd0fd2d5d0b7edd2e73efc2d919d5e31
- Filesize: 91KB
  MD5: 5bc369b05cc2dca9ef9eefd32dcf25bd
  SHA1: 2a3153c3d04619cae4c27311cc6404091707efbd
  SHA256: 0efb078b29ab9e62b53b7ad2e5029b8f7d5a32e09529da45e39e869802589497
  SHA512: 67d1837b872531d9ce2c3933f45cca38b7ef989da1849c8a40bdfec63f5e1d10f70d63260415fff3c9ca7f19735b0bdfa8028d773a419c155a768ce165751123
- Filesize: 91KB
  MD5: 92d6a2ee05a12f7b14fede19b6350a4d
  SHA1: e3570dd1224da7992ea2b87cfb17cdd24d255bf9
  SHA256: f98db8edb0ba425b6e7cdff2473122f43b412c5f8f81c53457e4334e330e1086
  SHA512: 49d0beaef83f07964833bdd13acfa3584b815991c72ca6ece493c0d460d3a09a1a057bcca47a0ee80019a93b419dd6b589dd024d8fd43bfce4944b73da75f3fe
- Filesize: 359B
  MD5: df2f3e6971a7548c1688706f9a9798a8
  SHA1: e38539857523a1e7eb3aa857e017bf6461b16a08
  SHA256: 1fd0a101a74c19c0c9e287eac64ee506df3eebdbc11f12022dda94fedd123918
  SHA512: d2d41257135381d7f4c4936139282a505094af7a8f9bc824ccc08d09da9ab010b6adf1460feacf5c0151cb9d4299b8bde934fd90904bb3c3ce6c396af449c072
- Filesize: 41B
  MD5: 097661e74e667ec2329bc274acb87b0d
  SHA1: 91c68a6089af2f61035e2e5f2a8da8c908dc93ed
  SHA256: aab4cf640f2520966a0aac31af8d1b819eea28736c6b103db16b07c3188ec6c0
  SHA512: e90e678526270cd9388538246793534411c478b082ab914bfe2756b18771229f146c731c0f9c94ed59d8689b2ef77d25f7b22d3d6b8c2d439e5b3437f8dc649e
- Filesize: 91KB
  MD5: 1f1486fa76ea76d07f2d914c43792131
  SHA1: 60a202e07462c23cc2fff3449693781c7162e920
  SHA256: fd29f9f26f52f530c39a7dec9cb464e1d4c9d51751c748f84e84f92404cf7220
  SHA512: 7e249631df49a6ed2c2d9c5a9ab035c42e52132241aa81f8c22ce193595c964f99a341b00f87e9776f0ae2523f0f31bd8ed40dd070a5b1854903c3afb9c16780
- Filesize: 91KB
  MD5: c9fbcf153738a5138bf614ef23f600a8
  SHA1: 0c3002f9eaf91b49d9e9549d71a415d26c4edcf8
  SHA256: 8febaff7792460ab4cdd8569e4f436596e996756ca4a6750e2e86e48842f6a72
  SHA512: 70b6b4bdc00cad2b4ed81540752f96447e062cfe544c0f4f77e1bb8191ecb0f57487233709ebe7f96347013a05686c83a6cc16e00d24090cc40c18567d434950
- Filesize: 91KB
  MD5: 3fac68d73c58f5602c3913859df2b940
  SHA1: 9434e8869d3486faf7aaaa41c93a632ded05be65
  SHA256: af606ea739de4731ffd4c3d25fbdd0e50ef07764a775652f2dfe2a71de14e8b3
  SHA512: 9a9ef2c517a51b1e2c24444bfb1b8fb147202f2ec80da86f61d76cedd3ab5ae3e491201b5037a91c110d2a86ae4386b9bcd7341660c6ee6910371b538fc5a5ca
- Filesize: 91KB
  MD5: 39584461c96d346443982e181f663ac7
  SHA1: 043861f55694dbb013801de46a616661c50e6673
  SHA256: 45c1450c743fcc086d31084ff10ced51920d272713429c602ceb859421c6cfac
  SHA512: fd719e3e37844d3afa7ce5be2dc761b3fb8eb7820bfd383305be3067a4f9f8f606f19054a88f7e5d16a47b65632fb4ec6bcb02cd79444faf5aad4001f839226d