0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
19/06/2024, 21:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe
Size

91KB
MD5

499eb5354d018ee4a0a4eaa0d54d5de0
SHA1

c228922423384522797e100bd239cc0146e9ee6a
SHA256

0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5
SHA512

d331d570993e7ca31111e68fd6803c3a3d2446074412111bbb47ed63a07b5bd12dcfe8adb34b51dae52a61a74fc43efbfe0bee3b45643274c16543a83c3ac2db
SSDEEP

1536:npDnq+5h/tDSZ15Wwd4pDnq+5h/tDSZ15WwdM:npDRzSZaC4pDRzSZaCM

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 12 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	babon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	babon.exe

Modifies visibility of file extensions in Explorer 2 TTPs 6 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	IExplorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	csrss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	lsass.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	babon.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 6 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	lsass.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	babon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	IExplorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	csrss.exe

Disables RegEdit via registry modification 6 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	csrss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	lsass.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	babon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	IExplorer.exe

Disables Task Manager via registry modification
evasion

Disables cmd.exe use via registry modification 6 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	babon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	IExplorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	winlogon.exe

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Executes dropped EXE 30 IoCs

pid	Process
1948	babon.exe
4992	IExplorer.exe
3624	winlogon.exe
4656	csrss.exe
2068	lsass.exe
4540	babon.exe
1028	babon.exe
1408	IExplorer.exe
5096	IExplorer.exe
4988	winlogon.exe
3592	winlogon.exe
4692	csrss.exe
4336	babon.exe
5036	csrss.exe
2572	babon.exe
3532	lsass.exe
4616	babon.exe
3008	lsass.exe
2620	IExplorer.exe
4780	IExplorer.exe
4000	IExplorer.exe
2580	winlogon.exe
1192	winlogon.exe
2604	winlogon.exe
1268	csrss.exe
4600	csrss.exe
944	csrss.exe
1000	lsass.exe
1020	lsass.exe
2108	lsass.exe

Loads dropped DLL 5 IoCs

pid	Process
4540	babon.exe
1028	babon.exe
4336	babon.exe
2572	babon.exe
4616	babon.exe

Modifies system executable filetype association 2 TTPs 64 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	babon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	babon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	babon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	babon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	babon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	babon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	babon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	babon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	babon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	babon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	lsass.exe

Adds Run key to start application 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\babon = "C:\\Windows\\babon"	0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\babon = "C:\\Windows\\babon"	babon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\lsass.exe"	babon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\csrss.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\csrss.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\csrss.exe"	0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\lsass.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\lsass.exe"	csrss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe"	babon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\babon = "C:\\Windows\\babon"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\lsass.exe"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\babon = "C:\\Windows\\babon"	csrss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe"	csrss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\babon = "C:\\Windows\\babon"	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe"	0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\lsass.exe"	0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\csrss.exe"	babon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\csrss.exe"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\babon = "C:\\Windows\\babon"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\csrss.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\lsass.exe"	lsass.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\G:	babon.exe
File opened (read-only)	\??\Z:	IExplorer.exe
File opened (read-only)	\??\W:	IExplorer.exe
File opened (read-only)	\??\I:	winlogon.exe
File opened (read-only)	\??\H:	lsass.exe
File opened (read-only)	\??\M:	babon.exe
File opened (read-only)	\??\K:	winlogon.exe
File opened (read-only)	\??\P:	babon.exe
File opened (read-only)	\??\T:	IExplorer.exe
File opened (read-only)	\??\V:	winlogon.exe
File opened (read-only)	\??\Y:	winlogon.exe
File opened (read-only)	\??\Y:	lsass.exe
File opened (read-only)	\??\X:	csrss.exe
File opened (read-only)	\??\N:	babon.exe
File opened (read-only)	\??\O:	babon.exe
File opened (read-only)	\??\M:	IExplorer.exe
File opened (read-only)	\??\R:	winlogon.exe
File opened (read-only)	\??\U:	winlogon.exe
File opened (read-only)	\??\N:	csrss.exe
File opened (read-only)	\??\R:	csrss.exe
File opened (read-only)	\??\N:	IExplorer.exe
File opened (read-only)	\??\B:	lsass.exe
File opened (read-only)	\??\P:	lsass.exe
File opened (read-only)	\??\B:	csrss.exe
File opened (read-only)	\??\H:	IExplorer.exe
File opened (read-only)	\??\J:	IExplorer.exe
File opened (read-only)	\??\L:	winlogon.exe
File opened (read-only)	\??\X:	winlogon.exe
File opened (read-only)	\??\L:	lsass.exe
File opened (read-only)	\??\H:	csrss.exe
File opened (read-only)	\??\Q:	csrss.exe
File opened (read-only)	\??\T:	csrss.exe
File opened (read-only)	\??\J:	babon.exe
File opened (read-only)	\??\W:	winlogon.exe
File opened (read-only)	\??\U:	csrss.exe
File opened (read-only)	\??\Y:	csrss.exe
File opened (read-only)	\??\U:	babon.exe
File opened (read-only)	\??\O:	winlogon.exe
File opened (read-only)	\??\G:	IExplorer.exe
File opened (read-only)	\??\I:	IExplorer.exe
File opened (read-only)	\??\P:	IExplorer.exe
File opened (read-only)	\??\U:	IExplorer.exe
File opened (read-only)	\??\E:	lsass.exe
File opened (read-only)	\??\L:	csrss.exe
File opened (read-only)	\??\S:	csrss.exe
File opened (read-only)	\??\T:	babon.exe
File opened (read-only)	\??\G:	winlogon.exe
File opened (read-only)	\??\G:	lsass.exe
File opened (read-only)	\??\R:	lsass.exe
File opened (read-only)	\??\W:	csrss.exe
File opened (read-only)	\??\H:	winlogon.exe
File opened (read-only)	\??\M:	winlogon.exe
File opened (read-only)	\??\L:	babon.exe
File opened (read-only)	\??\Y:	babon.exe
File opened (read-only)	\??\Z:	babon.exe
File opened (read-only)	\??\E:	csrss.exe
File opened (read-only)	\??\B:	IExplorer.exe
File opened (read-only)	\??\S:	IExplorer.exe
File opened (read-only)	\??\Q:	winlogon.exe
File opened (read-only)	\??\O:	lsass.exe
File opened (read-only)	\??\O:	csrss.exe
File opened (read-only)	\??\V:	csrss.exe
File opened (read-only)	\??\V:	babon.exe
File opened (read-only)	\??\S:	winlogon.exe

Modifies WinLogon 2 TTPs 18 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Welcome Friend"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Welcome Friend"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Please enjoy the Babon Entertainment ^_^"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Welcome Friend"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Please enjoy the Babon Entertainment ^_^"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Welcome Friend"	0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Please enjoy the Babon Entertainment ^_^"	0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\	babon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Please enjoy the Babon Entertainment ^_^"	babon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Welcome Friend"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\	0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Welcome Friend"	babon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Please enjoy the Babon Entertainment ^_^"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Please enjoy the Babon Entertainment ^_^"	csrss.exe

Drops autorun.inf file 1 TTPs 8 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File created	C:\autorun.inf	IExplorer.exe
File opened for modification	C:\autorun.inf	IExplorer.exe
File created	F:\autorun.inf	babon.exe
File opened for modification	F:\autorun.inf	babon.exe
File created	F:\autorun.inf	IExplorer.exe
File opened for modification	F:\autorun.inf	IExplorer.exe
File created	C:\autorun.inf	babon.exe
File opened for modification	C:\autorun.inf	babon.exe

Drops file in System32 directory 38 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\IExplorer.exe	winlogon.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\babon.scr	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\babon.scr	babon.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\babon.scr	0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	lsass.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	babon.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\SysWOW64\shell.exe	0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\babon.scr	0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\babon.scr	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	csrss.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	babon.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	csrss.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\babon.scr	lsass.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	csrss.exe
File opened for modification	C:\Windows\SysWOW64\babon.scr	csrss.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	lsass.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	lsass.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	babon.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	winlogon.exe

Drops file in Windows directory 24 IoCs

description	ioc	Process
File created	C:\Windows\babon.exe	winlogon.exe
File opened for modification	C:\Windows\babon.exe	csrss.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\babon.exe	babon.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\babon.exe	IExplorer.exe
File opened for modification	C:\Windows\babon.exe	winlogon.exe
File opened for modification	C:\Windows\babon.exe	lsass.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\babon.exe	0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe
File created	C:\Windows\babon.exe	0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe
File created	C:\Windows\babon.exe	babon.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\babon.exe	lsass.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\babon.exe	IExplorer.exe
File created	C:\Windows\babon.exe	csrss.exe

Modifies Control Panel 42 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\babon.SCR"	babon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	babon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\babon.SCR"	IExplorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\	0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\	0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\s2359 = "Babon"	0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\s1159 = "Babon"	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\	csrss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\s1159 = "Babon"	csrss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\s1159 = "Babon"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\babon.SCR"	csrss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\s2359 = "Babon"	csrss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\s1159 = "Babon"	0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\s2359 = "Babon"	babon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	IExplorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\babon.SCR"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\	babon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	babon.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\	csrss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\babon.SCR"	0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\	babon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\s1159 = "Babon"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	csrss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\babon.SCR"	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\s1159 = "Babon"	babon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\s2359 = "Babon"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\s2359 = "Babon"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\s2359 = "Babon"	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\	IExplorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\	IExplorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\	winlogon.exe

Modifies Internet Explorer settings 1 TTPs 18 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Babon hates Norman..:P~~"	IExplorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Main\	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Babon hates Norman..:P~~"	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Main\	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Main\	babon.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Main\	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.jasakom.com"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Babon hates Norman..:P~~"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Main\	0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.jasakom.com"	0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Babon hates Norman..:P~~"	0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.jasakom.com"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.jasakom.com"	csrss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Babon hates Norman..:P~~"	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.jasakom.com"	babon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Babon hates Norman..:P~~"	babon.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Main\	csrss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.jasakom.com"	lsass.exe

Modifies Internet Explorer start page 1 TTPs 6 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.jasakom.com"	0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.jasakom.com"	babon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.jasakom.com"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.jasakom.com"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.jasakom.com"	csrss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.jasakom.com"	lsass.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	babon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	babon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile	0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF"	babon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	babon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	babon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	babon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}	0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\	0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	babon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	babon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	babon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile	0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	babon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell	0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}	babon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	babon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
408	0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe
408	0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe

Suspicious behavior: GetForegroundWindowSpam 5 IoCs

pid	Process
4656	csrss.exe
1948	babon.exe
3624	winlogon.exe
4992	IExplorer.exe
2068	lsass.exe

Suspicious use of SetWindowsHookEx 31 IoCs

pid	Process
408	0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe
1948	babon.exe
4992	IExplorer.exe
3624	winlogon.exe
4656	csrss.exe
2068	lsass.exe
4540	babon.exe
1028	babon.exe
1408	IExplorer.exe
5096	IExplorer.exe
4988	winlogon.exe
3592	winlogon.exe
4692	csrss.exe
5036	csrss.exe
3532	lsass.exe
4336	babon.exe
2572	babon.exe
4616	babon.exe
3008	lsass.exe
2620	IExplorer.exe
4780	IExplorer.exe
4000	IExplorer.exe
2580	winlogon.exe
1192	winlogon.exe
2604	winlogon.exe
1268	csrss.exe
4600	csrss.exe
944	csrss.exe
1000	lsass.exe
1020	lsass.exe
2108	lsass.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 408 wrote to memory of 1948	408	0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe	82
PID 408 wrote to memory of 1948	408	0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe	82
PID 408 wrote to memory of 1948	408	0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe	82
PID 408 wrote to memory of 4992	408	0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe	83
PID 408 wrote to memory of 4992	408	0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe	83
PID 408 wrote to memory of 4992	408	0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe	83
PID 408 wrote to memory of 3624	408	0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe	85
PID 408 wrote to memory of 3624	408	0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe	85
PID 408 wrote to memory of 3624	408	0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe	85
PID 408 wrote to memory of 4656	408	0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe	86
PID 408 wrote to memory of 4656	408	0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe	86
PID 408 wrote to memory of 4656	408	0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe	86
PID 408 wrote to memory of 2068	408	0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe	87
PID 408 wrote to memory of 2068	408	0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe	87
PID 408 wrote to memory of 2068	408	0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe	87
PID 1948 wrote to memory of 4540	1948	babon.exe	90
PID 1948 wrote to memory of 4540	1948	babon.exe	90
PID 1948 wrote to memory of 4540	1948	babon.exe	90
PID 4992 wrote to memory of 1028	4992	IExplorer.exe	91
PID 4992 wrote to memory of 1028	4992	IExplorer.exe	91
PID 4992 wrote to memory of 1028	4992	IExplorer.exe	91
PID 1948 wrote to memory of 1408	1948	babon.exe	92
PID 1948 wrote to memory of 1408	1948	babon.exe	92
PID 1948 wrote to memory of 1408	1948	babon.exe	92
PID 4992 wrote to memory of 5096	4992	IExplorer.exe	93
PID 4992 wrote to memory of 5096	4992	IExplorer.exe	93
PID 4992 wrote to memory of 5096	4992	IExplorer.exe	93
PID 1948 wrote to memory of 4988	1948	babon.exe	94
PID 1948 wrote to memory of 4988	1948	babon.exe	94
PID 1948 wrote to memory of 4988	1948	babon.exe	94
PID 4992 wrote to memory of 3592	4992	IExplorer.exe	95
PID 4992 wrote to memory of 3592	4992	IExplorer.exe	95
PID 4992 wrote to memory of 3592	4992	IExplorer.exe	95
PID 1948 wrote to memory of 4692	1948	babon.exe	96
PID 1948 wrote to memory of 4692	1948	babon.exe	96
PID 1948 wrote to memory of 4692	1948	babon.exe	96
PID 3624 wrote to memory of 4336	3624	winlogon.exe	97
PID 3624 wrote to memory of 4336	3624	winlogon.exe	97
PID 3624 wrote to memory of 4336	3624	winlogon.exe	97
PID 4992 wrote to memory of 5036	4992	IExplorer.exe	98
PID 4992 wrote to memory of 5036	4992	IExplorer.exe	98
PID 4992 wrote to memory of 5036	4992	IExplorer.exe	98
PID 4656 wrote to memory of 2572	4656	csrss.exe	99
PID 4656 wrote to memory of 2572	4656	csrss.exe	99
PID 4656 wrote to memory of 2572	4656	csrss.exe	99
PID 1948 wrote to memory of 3532	1948	babon.exe	101
PID 1948 wrote to memory of 3532	1948	babon.exe	101
PID 1948 wrote to memory of 3532	1948	babon.exe	101
PID 2068 wrote to memory of 4616	2068	lsass.exe	102
PID 2068 wrote to memory of 4616	2068	lsass.exe	102
PID 2068 wrote to memory of 4616	2068	lsass.exe	102
PID 4992 wrote to memory of 3008	4992	IExplorer.exe	103
PID 4992 wrote to memory of 3008	4992	IExplorer.exe	103
PID 4992 wrote to memory of 3008	4992	IExplorer.exe	103
PID 3624 wrote to memory of 2620	3624	winlogon.exe	104
PID 3624 wrote to memory of 2620	3624	winlogon.exe	104
PID 3624 wrote to memory of 2620	3624	winlogon.exe	104
PID 2068 wrote to memory of 4780	2068	lsass.exe	105
PID 2068 wrote to memory of 4780	2068	lsass.exe	105
PID 2068 wrote to memory of 4780	2068	lsass.exe	105
PID 4656 wrote to memory of 4000	4656	csrss.exe	106
PID 4656 wrote to memory of 4000	4656	csrss.exe	106
PID 4656 wrote to memory of 4000	4656	csrss.exe	106
PID 3624 wrote to memory of 2580	3624	winlogon.exe	107

System policy modification 1 TTPs 12 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	babon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	babon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	lsass.exe

C:\Users\Admin\AppData\Local\Temp\0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Modifies system executable filetype association
- Adds Run key to start application
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:408
- C:\Windows\babon.exe
  C:\Windows\babon.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Disables cmd.exe use via registry modification
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops autorun.inf file
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1948
- - C:\Windows\babon.exe
    C:\Windows\babon.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:4540
- - C:\Windows\SysWOW64\IExplorer.exe
    C:\Windows\system32\IExplorer.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    PID:1408
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4988
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4692
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3532
- C:\Windows\SysWOW64\IExplorer.exe
  C:\Windows\system32\IExplorer.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Disables cmd.exe use via registry modification
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops autorun.inf file
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:4992
- - C:\Windows\babon.exe
    C:\Windows\babon.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:1028
- - C:\Windows\SysWOW64\IExplorer.exe
    C:\Windows\system32\IExplorer.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    PID:5096
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3592
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:5036
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3008
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Disables cmd.exe use via registry modification
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:3624
- - C:\Windows\babon.exe
    C:\Windows\babon.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:4336
- - C:\Windows\SysWOW64\IExplorer.exe
    C:\Windows\system32\IExplorer.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    PID:2620
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2580
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1268
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1000
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Disables cmd.exe use via registry modification
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:4656
- - C:\Windows\babon.exe
    C:\Windows\babon.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:2572
- - C:\Windows\SysWOW64\IExplorer.exe
    C:\Windows\system32\IExplorer.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    PID:4000
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2604
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:944
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2108
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Disables cmd.exe use via registry modification
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2068
- - C:\Windows\babon.exe
    C:\Windows\babon.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:4616
- - C:\Windows\SysWOW64\IExplorer.exe
    C:\Windows\system32\IExplorer.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    PID:4780
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1192
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4600
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\WINDOWS\csrss.exe

Filesize
91KB

MD5
e9a8e13bee37c1462e4323aeef91bdbf

SHA1
d3373f177d94c82d9faf970bcae6f60626d03c10

SHA256
735b175fd67a0e61c50ff6291bd310506e0591250297839417df8504aba80ea5

SHA512
4a647f71e79e7335d486275fb1c3eed7d4fc9cc1e91f91696fe73dc753f52a8932d1fb5cb8ef3b5f02fcbbe275238a84a10e4f7342e0f6ecfe7f46c4c68e8a8c

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\lsass.exe

Filesize
91KB

MD5
8b48261673ad8a15b555e9164e15481a

SHA1
6a59f3aba4f09d081918a7aa448105a2736f651f

SHA256
a5b71e7ebbadb3e5a72b9703dba486d40a0901a21ba67655f5b4fe9d151d45c6

SHA512
1f356e69abe090cc3e9d89d2a8875113f800a23278e70997bc38a7e1fc0a19abed26a0fed484e15adb64872a354e04552bf128809286682aa16f10224e4a02ca

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\winlogon.exe

Filesize
91KB

MD5
bc9a58054bc14c7b20a96d9f2b3a6f87

SHA1
2ee62aeb22cd0393049aa4d622fcda7e166750d6

SHA256
173e21e6d593257cc95a1f403e6005229fd23881931f0f76a6de4c48559fda54

SHA512
1affd523e7bdb0b46f38bd01981624893631699580d7e9b6e0f88f0758afa806068a080a26ef7f763d02f422d4b94609bbd80600ff3b795b49d5fe7a22ec5318

Download Submit
C:\Users\Admin\AppData\Local\winlogon.exe

Filesize
91KB

MD5
499eb5354d018ee4a0a4eaa0d54d5de0

SHA1
c228922423384522797e100bd239cc0146e9ee6a

SHA256
0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5

SHA512
d331d570993e7ca31111e68fd6803c3a3d2446074412111bbb47ed63a07b5bd12dcfe8adb34b51dae52a61a74fc43efbfe0bee3b45643274c16543a83c3ac2db

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\smss.exe

Filesize
91KB

MD5
7bef640f7927169c01ed9b94b5ccb2d6

SHA1
85a2f3c08d1ea38a2a775a47aacf4f6c717077a4

SHA256
e88db4b7a132c7f0adb42b09d52ee56590020dfbc7df859bef130a7c8753a51c

SHA512
181664e9f17c11822273489a4a533d6b4fca5b4ea0010c268493d2322d89d885644790aa37332b6b3fad414711d935a99df132edc43af04b626eaf4c392e9eb7

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\smss.exe

Filesize
91KB

MD5
4fec3287cdb7e591879c11adeaa6aa8a

SHA1
d7f22e338aea8c8462d0b7dc81bdf091d21b2b40

SHA256
afc4a0fd47074b257f4e94b4b22c9f01307f70d149d50008e98d9c9615d7a51d

SHA512
7513b2eade397ca79406c14ddc55d88e342db181a094808836238ad4571bf28105d423fb7837668c40f70a1fe21d31d48a8214c175397a0f9f3c43806c8e9f8f

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\smss.exe

Filesize
91KB

MD5
116ab655ded5b4f4a7985a1c4e03e888

SHA1
215b119cbafc47a15b7d4770f26986acb75aae1c

SHA256
2fb60c2df7e9ef016e1b59e36f1eff5001610dd38dc9015f4920cbf7a2c64815

SHA512
1cfe9cd8f8b6f4581d5e1530c29ea65c568b2f7db01c376313b248aaaf343a7ab4e9f5cfab4a794668cac27ba8078ca3e7e9ea5b79c79227bc27299d3b80e27b

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\smss.exe

Filesize
91KB

MD5
1684cf6c80cbae626f62c8f2ef8a3a50

SHA1
9ba69c136b9023d3a059f0720ac9a988a917337f

SHA256
149637b0c8b388bcccad07416b262edef217cc2135a34cac5b66723e3c5dc995

SHA512
85de03e7edfd930444ae501f40cbec47d9a19a838514f4cfa9a3eeecce7c750b50b3a84c5bae92ebdf349d0f1fd71cd1bf2fac73139e69e255ff8ee9e3187221

Download Submit
C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif

Filesize
91KB

MD5
a4e473d81befd4bc967d894d669c735a

SHA1
5d46e6dcd65dcf4676bb3964a92feca11fad696f

SHA256
b7b7862c6c8600c50a45cab44425be98a9d66828b9c7764d9e0f2297f7c51741

SHA512
4471d0dca419c4bb8272d28ea191d227393a8fa4a759e5fff14933e492fd47f7ca0f0655c7db8420290e3a81c70d69497aa61b6da4f8f05e3907da1d92008777

Download Submit
C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif

Filesize
91KB

MD5
cadddf32f598ea8b80c955b9cb97b349

SHA1
86082c40316840acf7a4fa403bd4a3ba16b1e3cc

SHA256
3b82f3ba651ee6bbea92e0935f9ddcc29559612622dfb0b567c2700ebbc831b4

SHA512
0dc6a47c47ae1d2239fda30af57ef14a7c8dc69d4358b78a548eb2496893f75fd3622b9ddfd77171446e70fc13226f5f92c64ec2b14bf69b69d6545925d70ade

Download Submit
C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif

Filesize
91KB

MD5
704ebce1dfaa2beecb7cb897a1fd0982

SHA1
0a628a689f3ed809e1f1fa7471501066b7e5c515

SHA256
5f2b26cef64c43d4731f7aec1080868baa8df491d4fa8e05e07942ceb81748d1

SHA512
fc6e625a0360bd8b62363eea7b84a828e83b99f2a883d3276580c8d3433572d96ffdc5b08b2ebd5e4676d31bb570ba23dfcb2ece286350f5e85cecd138561f5b

Download Submit
C:\Windows\MSVBVM60.DLL

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\IExplorer.exe

Filesize
91KB

MD5
3ed6a072b6cee63919e2f94971ad53e9

SHA1
419ddcaae4567f48e847cf8e8025c19eadaea059

SHA256
3501078e98c52ff7a187bf4b58e35651107483fbdd058dfc2774a4c9cc8b9f0d

SHA512
1e3e46ff69aeaf1ef613c4066106c47914284685ca3190ad64385fa9ec504dea94742ee125d78589baf9e053ca2baebc1c5967c8221ad24acece52e630b3c7f7

Download Submit
C:\Windows\SysWOW64\babon.scr

Filesize
91KB

MD5
43a82e7dcab7d7595b8d2372747327a4

SHA1
ec22b4b42e8418c3a20ee31671ebd41d43382962

SHA256
3c9433a8577b86862409f91acc17d2b015d85c777224b6c739952c254edbff4f

SHA512
bf563d4d59d2fdeb91e8c5247f1e02c6ea74682a3286b0520efa98705385267fc95307af93c8a56ae9e2f480031d4534798b1a381de366c0af6059e53f51e56b

Download Submit
C:\Windows\SysWOW64\shell.exe

Filesize
91KB

MD5
b15d9ec0ea6ef8d28fde20d0f26a8062

SHA1
459af3f749114bf43dd2854fb12d22c52b58e0fe

SHA256
58e8032456cafcc2a27bc8f08045b1339ec9e79eec84821bf9631a9a573809d5

SHA512
c2d9573c4da2650ecfbcf7ad217a28febfc56bcfaf003226fd6e695c2c5ce68ceda6005540b8bd8920016afe4ba2b3c64b511f3881a990c08bc4e9306ba41e86

Download Submit
C:\Windows\SysWOW64\shell.exe

Filesize
91KB

MD5
479c77eadbb2d8bf7e2f31175fcea324

SHA1
409e6c399be837a76ea7a4d2fcaaeeed6ca7e96e

SHA256
cccea37d0141d00dae05306cfc6a8e068447fafb2d6c3d9e83642faa5ba8d1ca

SHA512
a59dfe27e19dfd0b37b2597b349bb35dc73d70c6ea52cd081bf016649886d8716328394eb66edbc5b3fcfcda9825c3844e981f7436318019c680ffb36b0ad289

Download Submit
C:\Windows\babon.exe

Filesize
91KB

MD5
b580cb6c7df912196519b1db40bca9cb

SHA1
21b53b950fc33dd94f8aed061e0a8f049fb3bd4e

SHA256
72375cc2006d31448deee876d4c713fad4268ba034935e7075a041a672197911

SHA512
a36e577d63825332d257526c33bc27b0184caba53515a3b189f78e8bb686a9fc9eeeece8f64786f64a95991c9da7a9c8c458802dedc22a38c9a5cc2b69b3c278

Download Submit
C:\babon.exe

Filesize
91KB

MD5
37328291c0d922484e0ed3da1b28f73d

SHA1
1abe0a1fc635daebb821906ff301fb2d4eaa547e

SHA256
31e20f57600e38995c911a9676e3acbbb2c3c27687a0c7b25d7f219c3ce849c4

SHA512
9756f0651455ef073b351b6b6de28be73651aebf1d37d2aa0a78aa4a25cba44276cffca14166b3bd0ff1c95793476453c308fbea107a9b57409d9b39c86f0d85

Download Submit
C:\wangsit.txt

Filesize
359B

MD5
df2f3e6971a7548c1688706f9a9798a8

SHA1
e38539857523a1e7eb3aa857e017bf6461b16a08

SHA256
1fd0a101a74c19c0c9e287eac64ee506df3eebdbc11f12022dda94fedd123918

SHA512
d2d41257135381d7f4c4936139282a505094af7a8f9bc824ccc08d09da9ab010b6adf1460feacf5c0151cb9d4299b8bde934fd90904bb3c3ce6c396af449c072

Download Submit
F:\autorun.inf

Filesize
41B

MD5
097661e74e667ec2329bc274acb87b0d

SHA1
91c68a6089af2f61035e2e5f2a8da8c908dc93ed

SHA256
aab4cf640f2520966a0aac31af8d1b819eea28736c6b103db16b07c3188ec6c0

SHA512
e90e678526270cd9388538246793534411c478b082ab914bfe2756b18771229f146c731c0f9c94ed59d8689b2ef77d25f7b22d3d6b8c2d439e5b3437f8dc649e

Download Submit