Analysis
max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19/06/2024, 21:38
Static task: static1
Behavioral task: behavioral1
Sample: 0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe
Resource: win7-20240220-en
Behavioral task: behavioral2
Sample: 0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe
Resource: win10v2004-20240508-en
General
Target: 0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe
Size: 91KB
MD5: 499eb5354d018ee4a0a4eaa0d54d5de0
SHA1: c228922423384522797e100bd239cc0146e9ee6a
SHA256: 0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5
SHA512: d331d570993e7ca31111e68fd6803c3a3d2446074412111bbb47ed63a07b5bd12dcfe8adb34b51dae52a61a74fc43efbfe0bee3b45643274c16543a83c3ac2db
SSDEEP: 1536:npDnq+5h/tDSZ15Wwd4pDnq+5h/tDSZ15WwdM:npDRzSZaC4pDRzSZaCM
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 12 IoCs)
description | ioc | process
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" | lsass.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" | 0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" | IExplorer.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" | winlogon.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" | IExplorer.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" | winlogon.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" | csrss.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" | csrss.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" | lsass.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" | 0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" | babon.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" | babon.exe
Modifies visibility of file extensions in Explorer (2 TTPs, 6 IoCs)
description | ioc | process
- Set value (int) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | IExplorer.exe
- Set value (int) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | winlogon.exe
- Set value (int) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | csrss.exe
- Set value (int) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | lsass.exe
- Set value (int) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | 0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe
- Set value (int) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | babon.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 6 IoCs)
description | ioc | process
- Set value (int) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | lsass.exe
- Set value (int) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | 0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe
- Set value (int) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | babon.exe
- Set value (int) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | IExplorer.exe
- Set value (int) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | winlogon.exe
- Set value (int) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | csrss.exe
Disables RegEdit via registry modification (6 IoCs)
description | ioc | process
- Set value (int) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | winlogon.exe
- Set value (int) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | csrss.exe
- Set value (int) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | lsass.exe
- Set value (int) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | 0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe
- Set value (int) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | babon.exe
- Set value (int) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | IExplorer.exe
Disables Task Manager via registry modification
Disables cmd.exe use via registry modification (6 IoCs)
description | ioc | process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | csrss.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | lsass.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | 0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | babon.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | IExplorer.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | winlogon.exe
Disables use of System Restore points (1 TTP)
Executes dropped EXE (30 IoCs)
pid | process
- 1948 | babon.exe
- 4992 | IExplorer.exe
- 3624 | winlogon.exe
- 4656 | csrss.exe
- 2068 | lsass.exe
- 4540 | babon.exe
- 1028 | babon.exe
- 1408 | IExplorer.exe
- 5096 | IExplorer.exe
- 4988 | winlogon.exe
- 3592 | winlogon.exe
- 4692 | csrss.exe
- 4336 | babon.exe
- 5036 | csrss.exe
- 2572 | babon.exe
- 3532 | lsass.exe
- 4616 | babon.exe
- 3008 | lsass.exe
- 2620 | IExplorer.exe
- 4780 | IExplorer.exe
- 4000 | IExplorer.exe
- 2580 | winlogon.exe
- 1192 | winlogon.exe
- 2604 | winlogon.exe
- 1268 | csrss.exe
- 4600 | csrss.exe
- 944 | csrss.exe
- 1000 | lsass.exe
- 1020 | lsass.exe
- 2108 | lsass.exe
Loads dropped DLL (5 IoCs)
pid | process
- 4540 | babon.exe
- 1028 | babon.exe
- 4336 | babon.exe
- 2572 | babon.exe
- 4616 | babon.exe
Modifies system executable filetype association (2 TTPs, 64 IoCs)
description | ioc | process
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | babon.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | babon.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | babon.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | lsass.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | 0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | babon.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | winlogon.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | 0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | IExplorer.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | lsass.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | lsass.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | lsass.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | babon.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | IExplorer.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | IExplorer.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | csrss.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | winlogon.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | winlogon.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | winlogon.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | csrss.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | 0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | babon.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | babon.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | IExplorer.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | csrss.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | csrss.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | csrss.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | csrss.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | 0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | lsass.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | csrss.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | lsass.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell | 0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | IExplorer.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | IExplorer.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | csrss.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | 0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | IExplorer.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | winlogon.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | winlogon.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | csrss.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | lsass.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | lsass.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | 0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | babon.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | IExplorer.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | IExplorer.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open | 0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | winlogon.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | csrss.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | winlogon.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | winlogon.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | lsass.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | lsass.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | 0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | 0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | 0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | IExplorer.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | babon.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | babon.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | winlogon.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | winlogon.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | csrss.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | lsass.exe
Adds Run key to start application (2 TTPs, 24 IoCs)
description | ioc | process
- Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\babon = "C:\\Windows\\babon" | 0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\babon = "C:\\Windows\\babon" | babon.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\lsass.exe" | babon.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" | IExplorer.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\csrss.exe" | winlogon.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\csrss.exe" | csrss.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\csrss.exe" | 0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\lsass.exe" | winlogon.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\lsass.exe" | csrss.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" | babon.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\babon = "C:\\Windows\\babon" | IExplorer.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\lsass.exe" | IExplorer.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" | winlogon.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\babon = "C:\\Windows\\babon" | csrss.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" | csrss.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\babon = "C:\\Windows\\babon" | lsass.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" | 0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\lsass.exe" | 0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\csrss.exe" | babon.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\csrss.exe" | IExplorer.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\babon = "C:\\Windows\\babon" | winlogon.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe" | lsass.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\csrss.exe" | lsass.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\lsass.exe" | lsass.exe
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
All 64 events are "File opened (read-only) \??\<drive>:"; grouped by process:
- babon.exe (12): G:, J:, L:, M:, N:, O:, P:, T:, U:, V:, Y:, Z:
- IExplorer.exe (13): B:, G:, H:, I:, J:, M:, N:, P:, S:, T:, U:, W:, Z:
- winlogon.exe (15): G:, H:, I:, K:, L:, M:, O:, Q:, R:, S:, U:, V:, W:, X:, Y:
- lsass.exe (9): B:, E:, G:, H:, L:, O:, P:, R:, Y:
- csrss.exe (15): B:, E:, H:, L:, N:, O:, Q:, R:, S:, T:, U:, V:, W:, X:, Y:
Modifies WinLogon (2 TTPs, 18 IoCs)
description | ioc | process
- Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ | IExplorer.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Welcome Friend" | csrss.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Welcome Friend" | lsass.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Please enjoy the Babon Entertainment ^_^" | lsass.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Welcome Friend" | winlogon.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Please enjoy the Babon Entertainment ^_^" | winlogon.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ | csrss.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Welcome Friend" | 0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Please enjoy the Babon Entertainment ^_^" | 0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ | babon.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Please enjoy the Babon Entertainment ^_^" | babon.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Welcome Friend" | IExplorer.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ | winlogon.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ | lsass.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\ | 0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Welcome Friend" | babon.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Please enjoy the Babon Entertainment ^_^" | IExplorer.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Please enjoy the Babon Entertainment ^_^" | csrss.exe
Drops autorun.inf file (1 TTP, 8 IoCs)
Malware can abuse Windows Autorun to spread further via attached volumes.
description | ioc | process
- File created | C:\autorun.inf | IExplorer.exe
- File opened for modification | C:\autorun.inf | IExplorer.exe
- File created | F:\autorun.inf | babon.exe
- File opened for modification | F:\autorun.inf | babon.exe
- File created | F:\autorun.inf | IExplorer.exe
- File opened for modification | F:\autorun.inf | IExplorer.exe
- File created | C:\autorun.inf | babon.exe
- File opened for modification | C:\autorun.inf | babon.exe
Drops file in System32 directory (38 IoCs)
description | ioc | process
- File created | C:\Windows\SysWOW64\IExplorer.exe | winlogon.exe
- File created | C:\Windows\SysWOW64\msvbvm60.dll | IExplorer.exe
- File created | C:\Windows\SysWOW64\msvbvm60.dll | IExplorer.exe
- File opened for modification | C:\Windows\SysWOW64\IExplorer.exe | 0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe
- File opened for modification | C:\Windows\SysWOW64\babon.scr | winlogon.exe
- File opened for modification | C:\Windows\SysWOW64\IExplorer.exe | IExplorer.exe
- File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | IExplorer.exe
- File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | IExplorer.exe
- File opened for modification | C:\Windows\SysWOW64\babon.scr | babon.exe
- File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | IExplorer.exe
- File opened for modification | C:\Windows\SysWOW64\babon.scr | 0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe
- File opened for modification | C:\Windows\SysWOW64\IExplorer.exe | lsass.exe
- File opened for modification | C:\Windows\SysWOW64\shell.exe | babon.exe
- File opened for modification | C:\Windows\SysWOW64\IExplorer.exe | winlogon.exe
- File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | IExplorer.exe
- File created | C:\Windows\SysWOW64\shell.exe | 0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe
- File created | C:\Windows\SysWOW64\babon.scr | 0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe
- File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | IExplorer.exe
- File opened for modification | C:\Windows\SysWOW64\babon.scr | IExplorer.exe
- File opened for modification | C:\Windows\SysWOW64\IExplorer.exe | csrss.exe
- File created | C:\Windows\SysWOW64\IExplorer.exe | babon.exe
- File created | C:\Windows\SysWOW64\IExplorer.exe | csrss.exe
- File created | C:\Windows\SysWOW64\msvbvm60.dll | IExplorer.exe
- File created | C:\Windows\SysWOW64\IExplorer.exe | 0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe
- File created | C:\Windows\SysWOW64\msvbvm60.dll | IExplorer.exe
- File created | C:\Windows\SysWOW64\IExplorer.exe | IExplorer.exe
- File opened for modification | C:\Windows\SysWOW64\babon.scr | lsass.exe
- File created | C:\Windows\SysWOW64\msvbvm60.dll | IExplorer.exe
- File opened for modification | C:\Windows\SysWOW64\shell.exe | 0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe
- File opened for modification | C:\Windows\SysWOW64\shell.exe | IExplorer.exe
- File opened for modification | C:\Windows\SysWOW64\shell.exe | csrss.exe
- File opened for modification | C:\Windows\SysWOW64\babon.scr | csrss.exe
- File opened for modification | C:\Windows\SysWOW64\shell.exe | lsass.exe
- File created | C:\Windows\SysWOW64\IExplorer.exe | lsass.exe
- File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | IExplorer.exe
- File created | C:\Windows\SysWOW64\msvbvm60.dll | IExplorer.exe
- File opened for modification | C:\Windows\SysWOW64\IExplorer.exe | babon.exe
- File opened for modification | C:\Windows\SysWOW64\shell.exe | winlogon.exe
Drops file in Windows directory (24 IoCs)
description | ioc | process
- File created | C:\Windows\babon.exe | winlogon.exe
- File opened for modification | C:\Windows\babon.exe | csrss.exe
- File opened for modification | C:\Windows\msvbvm60.dll | IExplorer.exe
- File created | C:\Windows\msvbvm60.dll | IExplorer.exe
- File opened for modification | C:\Windows\msvbvm60.dll | IExplorer.exe
- File opened for modification | C:\Windows\babon.exe | babon.exe
- File created | C:\Windows\msvbvm60.dll | IExplorer.exe
- File created | C:\Windows\babon.exe | IExplorer.exe
- File opened for modification | C:\Windows\babon.exe | winlogon.exe
- File opened for modification | C:\Windows\babon.exe | lsass.exe
- File created | C:\Windows\msvbvm60.dll | IExplorer.exe
- File created | C:\Windows\msvbvm60.dll | IExplorer.exe
- File opened for modification | C:\Windows\babon.exe | 0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe
- File created | C:\Windows\babon.exe | 0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe
- File created | C:\Windows\babon.exe | babon.exe
- File opened for modification | C:\Windows\msvbvm60.dll | IExplorer.exe
- File created | C:\Windows\babon.exe | lsass.exe
- File created | C:\Windows\msvbvm60.dll | IExplorer.exe
- File opened for modification | C:\Windows\msvbvm60.dll | IExplorer.exe
- File created | C:\Windows\msvbvm60.dll | IExplorer.exe
- File opened for modification | C:\Windows\msvbvm60.dll | IExplorer.exe
- File opened for modification | C:\Windows\msvbvm60.dll | IExplorer.exe
- File opened for modification | C:\Windows\babon.exe | IExplorer.exe
- File created | C:\Windows\babon.exe | csrss.exe
Modifies Control Panel 42 IoCs
description ioc Process
  Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\babon.SCR" babon.exe
  Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" babon.exe
  Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\babon.SCR" IExplorer.exe
  Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\ winlogon.exe
  Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" csrss.exe
  Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\ 0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe
  Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\ 0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe
  Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\s2359 = "Babon" 0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe
  Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" lsass.exe
  Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\ lsass.exe
  Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" lsass.exe
  Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\s1159 = "Babon" lsass.exe
  Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" winlogon.exe
  Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\ csrss.exe
  Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\s1159 = "Babon" csrss.exe
  Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" winlogon.exe
  Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\s1159 = "Babon" winlogon.exe
  Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\babon.SCR" csrss.exe
  Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\s2359 = "Babon" csrss.exe
  Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" 0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe
  Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\s1159 = "Babon" 0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe
  Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\s2359 = "Babon" babon.exe
  Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" IExplorer.exe
  Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\ lsass.exe
  Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\babon.SCR" winlogon.exe
  Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" 0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe
  Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\ babon.exe
  Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" babon.exe
  Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\ csrss.exe
  Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\babon.SCR" 0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe
  Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\ babon.exe
  Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\s1159 = "Babon" IExplorer.exe
  Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" csrss.exe
  Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\babon.SCR" lsass.exe
  Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\s1159 = "Babon" babon.exe
  Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" IExplorer.exe
  Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\s2359 = "Babon" IExplorer.exe
  Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\s2359 = "Babon" winlogon.exe
  Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\s2359 = "Babon" lsass.exe
  Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\ IExplorer.exe
  Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\ IExplorer.exe
  Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\ winlogon.exe
Modifies Internet Explorer settings 18 IoCs
description ioc Process
  Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Babon hates Norman..:P~~" IExplorer.exe
  Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Main\ winlogon.exe
  Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Babon hates Norman..:P~~" csrss.exe
  Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Main\ lsass.exe
  Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Main\ babon.exe
  Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Main\ IExplorer.exe
  Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.jasakom.com" winlogon.exe
  Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Babon hates Norman..:P~~" winlogon.exe
  Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Main\ 0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe
  Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.jasakom.com" 0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe
  Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Babon hates Norman..:P~~" 0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe
  Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.jasakom.com" IExplorer.exe
  Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.jasakom.com" csrss.exe
  Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Babon hates Norman..:P~~" lsass.exe
  Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.jasakom.com" babon.exe
  Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Windows Title = "Babon hates Norman..:P~~" babon.exe
  Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Main\ csrss.exe
  Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://www.jasakom.com" lsass.exe
Modifies Internet Explorer start page 1 TTPs 6 IoCs
description ioc Process
  Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.jasakom.com" 0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe
  Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.jasakom.com" babon.exe
  Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.jasakom.com" IExplorer.exe
  Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.jasakom.com" winlogon.exe
  Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.jasakom.com" csrss.exe
  Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.jasakom.com" lsass.exe
Modifies registry class 64 IoCs
description ioc Process
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile babon.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" IExplorer.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" winlogon.exe
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command 0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell 0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" babon.exe
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile 0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF" babon.exe
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command IExplorer.exe
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command babon.exe
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command 0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ winlogon.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" csrss.exe
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command babon.exe
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command IExplorer.exe
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command csrss.exe
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command lsass.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" 0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" winlogon.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" csrss.exe
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile IExplorer.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" babon.exe
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} IExplorer.exe
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ IExplorer.exe
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command csrss.exe
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} 0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ 0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ csrss.exe
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command winlogon.exe
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command IExplorer.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" winlogon.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" csrss.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" 0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command babon.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF" csrss.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" babon.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" babon.exe
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} csrss.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" lsass.exe
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile 0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" 0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" 0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF" winlogon.exe
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command csrss.exe
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command 0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" babon.exe
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} winlogon.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" IExplorer.exe
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command winlogon.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" lsass.exe
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell 0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} babon.exe
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command IExplorer.exe
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command babon.exe
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} csrss.exe
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command csrss.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" winlogon.exe
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} lsass.exe
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command lsass.exe
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command 0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" IExplorer.exe
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command lsass.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" lsass.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" IExplorer.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process
  408 0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe
  408 0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe
Suspicious behavior: GetForegroundWindowSpam 5 IoCs
pid Process
  4656 csrss.exe
  1948 babon.exe
  3624 winlogon.exe
  4992 IExplorer.exe
  2068 lsass.exe
Suspicious use of SetWindowsHookEx 31 IoCs
pid Process
  408 0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe
  1948 babon.exe
  4992 IExplorer.exe
  3624 winlogon.exe
  4656 csrss.exe
  2068 lsass.exe
  4540 babon.exe
  1028 babon.exe
  1408 IExplorer.exe
  5096 IExplorer.exe
  4988 winlogon.exe
  3592 winlogon.exe
  4692 csrss.exe
  5036 csrss.exe
  3532 lsass.exe
  4336 babon.exe
  2572 babon.exe
  4616 babon.exe
  3008 lsass.exe
  2620 IExplorer.exe
  4780 IExplorer.exe
  4000 IExplorer.exe
  2580 winlogon.exe
  1192 winlogon.exe
  2604 winlogon.exe
  1268 csrss.exe
  4600 csrss.exe
  944 csrss.exe
  1000 lsass.exe
  1020 lsass.exe
  2108 lsass.exe
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
  PID 408 wrote to memory of 1948 408 0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe 82
  PID 408 wrote to memory of 1948 408 0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe 82
  PID 408 wrote to memory of 1948 408 0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe 82
  PID 408 wrote to memory of 4992 408 0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe 83
  PID 408 wrote to memory of 4992 408 0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe 83
  PID 408 wrote to memory of 4992 408 0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe 83
  PID 408 wrote to memory of 3624 408 0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe 85
  PID 408 wrote to memory of 3624 408 0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe 85
  PID 408 wrote to memory of 3624 408 0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe 85
  PID 408 wrote to memory of 4656 408 0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe 86
  PID 408 wrote to memory of 4656 408 0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe 86
  PID 408 wrote to memory of 4656 408 0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe 86
  PID 408 wrote to memory of 2068 408 0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe 87
  PID 408 wrote to memory of 2068 408 0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe 87
  PID 408 wrote to memory of 2068 408 0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe 87
  PID 1948 wrote to memory of 4540 1948 babon.exe 90
  PID 1948 wrote to memory of 4540 1948 babon.exe 90
  PID 1948 wrote to memory of 4540 1948 babon.exe 90
  PID 4992 wrote to memory of 1028 4992 IExplorer.exe 91
  PID 4992 wrote to memory of 1028 4992 IExplorer.exe 91
  PID 4992 wrote to memory of 1028 4992 IExplorer.exe 91
  PID 1948 wrote to memory of 1408 1948 babon.exe 92
  PID 1948 wrote to memory of 1408 1948 babon.exe 92
  PID 1948 wrote to memory of 1408 1948 babon.exe 92
  PID 4992 wrote to memory of 5096 4992 IExplorer.exe 93
  PID 4992 wrote to memory of 5096 4992 IExplorer.exe 93
  PID 4992 wrote to memory of 5096 4992 IExplorer.exe 93
  PID 1948 wrote to memory of 4988 1948 babon.exe 94
  PID 1948 wrote to memory of 4988 1948 babon.exe 94
  PID 1948 wrote to memory of 4988 1948 babon.exe 94
  PID 4992 wrote to memory of 3592 4992 IExplorer.exe 95
  PID 4992 wrote to memory of 3592 4992 IExplorer.exe 95
  PID 4992 wrote to memory of 3592 4992 IExplorer.exe 95
  PID 1948 wrote to memory of 4692 1948 babon.exe 96
  PID 1948 wrote to memory of 4692 1948 babon.exe 96
  PID 1948 wrote to memory of 4692 1948 babon.exe 96
  PID 3624 wrote to memory of 4336 3624 winlogon.exe 97
  PID 3624 wrote to memory of 4336 3624 winlogon.exe 97
  PID 3624 wrote to memory of 4336 3624 winlogon.exe 97
  PID 4992 wrote to memory of 5036 4992 IExplorer.exe 98
  PID 4992 wrote to memory of 5036 4992 IExplorer.exe 98
  PID 4992 wrote to memory of 5036 4992 IExplorer.exe 98
  PID 4656 wrote to memory of 2572 4656 csrss.exe 99
  PID 4656 wrote to memory of 2572 4656 csrss.exe 99
  PID 4656 wrote to memory of 2572 4656 csrss.exe 99
  PID 1948 wrote to memory of 3532 1948 babon.exe 101
  PID 1948 wrote to memory of 3532 1948 babon.exe 101
  PID 1948 wrote to memory of 3532 1948 babon.exe 101
  PID 2068 wrote to memory of 4616 2068 lsass.exe 102
  PID 2068 wrote to memory of 4616 2068 lsass.exe 102
  PID 2068 wrote to memory of 4616 2068 lsass.exe 102
  PID 4992 wrote to memory of 3008 4992 IExplorer.exe 103
  PID 4992 wrote to memory of 3008 4992 IExplorer.exe 103
  PID 4992 wrote to memory of 3008 4992 IExplorer.exe 103
  PID 3624 wrote to memory of 2620 3624 winlogon.exe 104
  PID 3624 wrote to memory of 2620 3624 winlogon.exe 104
  PID 3624 wrote to memory of 2620 3624 winlogon.exe 104
  PID 2068 wrote to memory of 4780 2068 lsass.exe 105
  PID 2068 wrote to memory of 4780 2068 lsass.exe 105
  PID 2068 wrote to memory of 4780 2068 lsass.exe 105
  PID 4656 wrote to memory of 4000 4656 csrss.exe 106
  PID 4656 wrote to memory of 4000 4656 csrss.exe 106
  PID 4656 wrote to memory of 4000 4656 csrss.exe 106
  PID 3624 wrote to memory of 2580 3624 winlogon.exe 107
System policy modification 1 TTPs 12 IoCs
description ioc Process
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" IExplorer.exe
  Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System winlogon.exe
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" winlogon.exe
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" csrss.exe
  Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System 0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" 0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe
  Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System babon.exe
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" babon.exe
  Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System lsass.exe
  Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System IExplorer.exe
  Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System csrss.exe
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" lsass.exe
Processes
C:\Users\Admin\AppData\Local\Temp\0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe (level 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe"
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Modifies system executable filetype association
- Adds Run key to start application
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:408
C:\Windows\babon.exe (level 2)
  command line: C:\Windows\babon.exe
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Executes dropped EXE
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1948
C:\Windows\babon.exe (level 3)
  command line: C:\Windows\babon.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4540
C:\Windows\SysWOW64\IExplorer.exe (level 3)
  command line: C:\Windows\system32\IExplorer.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:1408
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe (level 3)
  command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4988
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe (level 3)
  command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4692
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe (level 3)
  command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3532
C:\Windows\SysWOW64\IExplorer.exe (level 2)
  command line: C:\Windows\system32\IExplorer.exe
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Executes dropped EXE
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4992
C:\Windows\babon.exe (level 3)
  command line: C:\Windows\babon.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1028
C:\Windows\SysWOW64\IExplorer.exe (level 3)
  command line: C:\Windows\system32\IExplorer.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:5096
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe (level 3)
  command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3592
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe (level 3)
  command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5036
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe (level 3)
  command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3008
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe (level 2)
  command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Executes dropped EXE
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3624
C:\Windows\babon.exe (level 3)
  command line: C:\Windows\babon.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4336
C:\Windows\SysWOW64\IExplorer.exe (level 3)
  command line: C:\Windows\system32\IExplorer.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2620
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe (level 3)
  command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2580
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe (level 3)
  command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1268
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe (level 3)
  command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1000
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe (level 2)
  command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Executes dropped EXE
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4656 -
C:\Windows\babon.exeC:\Windows\babon.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2572
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:4000
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2604
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:944
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2108
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe (level 2)
Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Executes dropped EXE
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID: 2068

  C:\Windows\babon.exe (level 3)
  Command line: C:\Windows\babon.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID: 4616

  C:\Windows\SysWOW64\IExplorer.exe (level 3)
  Command line: C:\Windows\system32\IExplorer.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  PID: 4780

  C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe (level 3)
  Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID: 1192

  C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe (level 3)
  Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID: 4600

  C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe (level 3)
  Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID: 1020
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (2)
- Event Triggered Execution (1)
  - Change Default File Association (1)
Privilege Escalation
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (2)
- Event Triggered Execution (1)
  - Change Default File Association (1)
Defense Evasion
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Modify Registry (9)
Downloads