2c9c12b015719b15b5748c1aad7f95f358572da344b23fd47a78738b38bde3b8

Analysis

max time kernel
118s
max time network
118s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
25/06/2024, 04:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2c9c12b015719b15b5748c1aad7f95f358572da344b23fd47a78738b38bde3b8_NeikiAnalytics.exe
Size

147KB
MD5

5064222fe180b7105f2c889d422dd6d0
SHA1

67f0e38e2f66c6decc71a3adb7f652847ea0963a
SHA256

2c9c12b015719b15b5748c1aad7f95f358572da344b23fd47a78738b38bde3b8
SHA512

862f104f8d08e1049216d187acb6b5bcdc7f007fb403327b7ded55ced39186dd4ead274b94beb840e74ef31ec11373eede035293f907c41bb47823dc738a2c39
SSDEEP

1536:nWwaMcKOER0m9mwWAAggupnhycpDnq+5h/tDSZ15WwdAy:WzKR0xwWpWnhFpDRzSZaCAy

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 14 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	babon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	babon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	Shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	2c9c12b015719b15b5748c1aad7f95f358572da344b23fd47a78738b38bde3b8_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	2c9c12b015719b15b5748c1aad7f95f358572da344b23fd47a78738b38bde3b8_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	Shell.exe

Modifies visibility of file extensions in Explorer 2 TTPs 7 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	csrss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	lsass.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Shell.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	2c9c12b015719b15b5748c1aad7f95f358572da344b23fd47a78738b38bde3b8_NeikiAnalytics.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	babon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	IExplorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 7 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	2c9c12b015719b15b5748c1aad7f95f358572da344b23fd47a78738b38bde3b8_NeikiAnalytics.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	babon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	IExplorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	csrss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	lsass.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	Shell.exe

Disables RegEdit via registry modification 7 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	lsass.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Shell.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	2c9c12b015719b15b5748c1aad7f95f358572da344b23fd47a78738b38bde3b8_NeikiAnalytics.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	babon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	IExplorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	csrss.exe

Disables Task Manager via registry modification
evasion

Disables cmd.exe use via registry modification 7 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	2c9c12b015719b15b5748c1aad7f95f358572da344b23fd47a78738b38bde3b8_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	babon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	IExplorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	Shell.exe

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Executes dropped EXE 46 IoCs

pid	Process
1228	babon.exe
2712	IExplorer.exe
1352	winlogon.exe
1664	csrss.exe
1476	lsass.exe
2012	babon.exe
576	babon.exe
924	IExplorer.exe
2128	babon.exe
2916	IExplorer.exe
752	winlogon.exe
352	csrss.exe
892	IExplorer.exe
2228	winlogon.exe
2400	winlogon.exe
2160	csrss.exe
3060	lsass.exe
876	csrss.exe
3048	lsass.exe
3064	lsass.exe
2760	Shell.exe
2748	Shell.exe
2672	Shell.exe
2892	Shell.exe
2584	Shell.exe
2528	babon.exe
3056	babon.exe
1976	IExplorer.exe
2452	IExplorer.exe
2732	winlogon.exe
2784	csrss.exe
2552	lsass.exe
984	winlogon.exe
1780	csrss.exe
1544	lsass.exe
1112	Shell.exe
1464	Shell.exe
2232	Shell.exe
2852	Shell.exe
2448	babon.exe
552	IExplorer.exe
1296	winlogon.exe
292	csrss.exe
1392	lsass.exe
684	Shell.exe
1900	Shell.exe

Loads dropped DLL 64 IoCs

pid	Process
2248	2c9c12b015719b15b5748c1aad7f95f358572da344b23fd47a78738b38bde3b8_NeikiAnalytics.exe
2248	2c9c12b015719b15b5748c1aad7f95f358572da344b23fd47a78738b38bde3b8_NeikiAnalytics.exe
2248	2c9c12b015719b15b5748c1aad7f95f358572da344b23fd47a78738b38bde3b8_NeikiAnalytics.exe
2248	2c9c12b015719b15b5748c1aad7f95f358572da344b23fd47a78738b38bde3b8_NeikiAnalytics.exe
2248	2c9c12b015719b15b5748c1aad7f95f358572da344b23fd47a78738b38bde3b8_NeikiAnalytics.exe
2248	2c9c12b015719b15b5748c1aad7f95f358572da344b23fd47a78738b38bde3b8_NeikiAnalytics.exe
2248	2c9c12b015719b15b5748c1aad7f95f358572da344b23fd47a78738b38bde3b8_NeikiAnalytics.exe
2248	2c9c12b015719b15b5748c1aad7f95f358572da344b23fd47a78738b38bde3b8_NeikiAnalytics.exe
1228	babon.exe
1228	babon.exe
2712	IExplorer.exe
2712	IExplorer.exe
1228	babon.exe
1228	babon.exe
1228	babon.exe
1228	babon.exe
1352	winlogon.exe
1352	winlogon.exe
2712	IExplorer.exe
2712	IExplorer.exe
1352	winlogon.exe
1228	babon.exe
1228	babon.exe
1352	winlogon.exe
1352	winlogon.exe
2712	IExplorer.exe
2712	IExplorer.exe
1352	winlogon.exe
1352	winlogon.exe
2712	IExplorer.exe
2712	IExplorer.exe
2556	WerFault.exe
2556	WerFault.exe
2708	WerFault.exe
2708	WerFault.exe
2700	WerFault.exe
2700	WerFault.exe
2700	WerFault.exe
2700	WerFault.exe
2556	WerFault.exe
2556	WerFault.exe
2700	WerFault.exe
2700	WerFault.exe
1476	lsass.exe
1476	lsass.exe
1476	lsass.exe
1476	lsass.exe
1664	csrss.exe
1664	csrss.exe
1476	lsass.exe
1476	lsass.exe
1476	lsass.exe
1664	csrss.exe
1664	csrss.exe
1664	csrss.exe
1664	csrss.exe
1664	csrss.exe
1432	WerFault.exe
2700	WerFault.exe
1432	WerFault.exe
1856	WerFault.exe
1856	WerFault.exe
1432	WerFault.exe
1432	WerFault.exe

Modifies system executable filetype association 2 TTPs 64 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	2c9c12b015719b15b5748c1aad7f95f358572da344b23fd47a78738b38bde3b8_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	2c9c12b015719b15b5748c1aad7f95f358572da344b23fd47a78738b38bde3b8_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	babon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Shell.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	Shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Shell.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	Shell.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	2c9c12b015719b15b5748c1aad7f95f358572da344b23fd47a78738b38bde3b8_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	2c9c12b015719b15b5748c1aad7f95f358572da344b23fd47a78738b38bde3b8_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	2c9c12b015719b15b5748c1aad7f95f358572da344b23fd47a78738b38bde3b8_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	Shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	Shell.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	Shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	2c9c12b015719b15b5748c1aad7f95f358572da344b23fd47a78738b38bde3b8_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	2c9c12b015719b15b5748c1aad7f95f358572da344b23fd47a78738b38bde3b8_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	babon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	babon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	babon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	babon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	babon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	babon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	2c9c12b015719b15b5748c1aad7f95f358572da344b23fd47a78738b38bde3b8_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	2c9c12b015719b15b5748c1aad7f95f358572da344b23fd47a78738b38bde3b8_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	babon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	Shell.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	2c9c12b015719b15b5748c1aad7f95f358572da344b23fd47a78738b38bde3b8_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	2c9c12b015719b15b5748c1aad7f95f358572da344b23fd47a78738b38bde3b8_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	2c9c12b015719b15b5748c1aad7f95f358572da344b23fd47a78738b38bde3b8_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	babon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	2c9c12b015719b15b5748c1aad7f95f358572da344b23fd47a78738b38bde3b8_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	babon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	IExplorer.exe

Adds Run key to start application 2 TTPs 28 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe"	2c9c12b015719b15b5748c1aad7f95f358572da344b23fd47a78738b38bde3b8_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\csrss.exe"	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\babon = "C:\\Windows\\babon"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\lsass.exe"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\babon = "C:\\Windows\\babon"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\csrss.exe"	Shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\csrss.exe"	babon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\babon = "C:\\Windows\\babon"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\csrss.exe"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\babon = "C:\\Windows\\babon"	2c9c12b015719b15b5748c1aad7f95f358572da344b23fd47a78738b38bde3b8_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\lsass.exe"	2c9c12b015719b15b5748c1aad7f95f358572da344b23fd47a78738b38bde3b8_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe"	babon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\babon = "C:\\Windows\\babon"	Shell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\babon = "C:\\Windows\\babon"	babon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\lsass.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\csrss.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\lsass.exe"	Shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\lsass.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\lsass.exe"	babon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\csrss.exe"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\lsass.exe"	csrss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\babon = "C:\\Windows\\babon"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\csrss.exe"	2c9c12b015719b15b5748c1aad7f95f358572da344b23fd47a78738b38bde3b8_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe"	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\winlogon.exe"	Shell.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\W:	csrss.exe
File opened (read-only)	\??\U:	Shell.exe
File opened (read-only)	\??\G:	babon.exe
File opened (read-only)	\??\V:	babon.exe
File opened (read-only)	\??\B:	IExplorer.exe
File opened (read-only)	\??\P:	lsass.exe
File opened (read-only)	\??\R:	csrss.exe
File opened (read-only)	\??\K:	IExplorer.exe
File opened (read-only)	\??\H:	csrss.exe
File opened (read-only)	\??\P:	csrss.exe
File opened (read-only)	\??\Q:	csrss.exe
File opened (read-only)	\??\J:	Shell.exe
File opened (read-only)	\??\H:	IExplorer.exe
File opened (read-only)	\??\X:	IExplorer.exe
File opened (read-only)	\??\P:	winlogon.exe
File opened (read-only)	\??\G:	lsass.exe
File opened (read-only)	\??\Z:	lsass.exe
File opened (read-only)	\??\M:	IExplorer.exe
File opened (read-only)	\??\L:	winlogon.exe
File opened (read-only)	\??\E:	csrss.exe
File opened (read-only)	\??\L:	IExplorer.exe
File opened (read-only)	\??\S:	lsass.exe
File opened (read-only)	\??\J:	csrss.exe
File opened (read-only)	\??\J:	IExplorer.exe
File opened (read-only)	\??\P:	IExplorer.exe
File opened (read-only)	\??\K:	winlogon.exe
File opened (read-only)	\??\M:	babon.exe
File opened (read-only)	\??\S:	IExplorer.exe
File opened (read-only)	\??\N:	Shell.exe
File opened (read-only)	\??\J:	babon.exe
File opened (read-only)	\??\U:	winlogon.exe
File opened (read-only)	\??\H:	lsass.exe
File opened (read-only)	\??\R:	babon.exe
File opened (read-only)	\??\N:	lsass.exe
File opened (read-only)	\??\B:	Shell.exe
File opened (read-only)	\??\G:	Shell.exe
File opened (read-only)	\??\O:	babon.exe
File opened (read-only)	\??\Z:	babon.exe
File opened (read-only)	\??\J:	winlogon.exe
File opened (read-only)	\??\M:	csrss.exe
File opened (read-only)	\??\W:	lsass.exe
File opened (read-only)	\??\B:	csrss.exe
File opened (read-only)	\??\G:	winlogon.exe
File opened (read-only)	\??\H:	Shell.exe
File opened (read-only)	\??\P:	Shell.exe
File opened (read-only)	\??\T:	babon.exe
File opened (read-only)	\??\Z:	IExplorer.exe
File opened (read-only)	\??\H:	winlogon.exe
File opened (read-only)	\??\M:	winlogon.exe
File opened (read-only)	\??\E:	Shell.exe
File opened (read-only)	\??\O:	IExplorer.exe
File opened (read-only)	\??\N:	winlogon.exe
File opened (read-only)	\??\O:	Shell.exe
File opened (read-only)	\??\X:	Shell.exe
File opened (read-only)	\??\Y:	Shell.exe
File opened (read-only)	\??\Q:	babon.exe
File opened (read-only)	\??\G:	IExplorer.exe
File opened (read-only)	\??\Q:	IExplorer.exe
File opened (read-only)	\??\E:	winlogon.exe
File opened (read-only)	\??\X:	lsass.exe
File opened (read-only)	\??\U:	babon.exe
File opened (read-only)	\??\U:	IExplorer.exe
File opened (read-only)	\??\L:	lsass.exe
File opened (read-only)	\??\Z:	Shell.exe

Modifies WinLogon 2 TTPs 21 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\	Shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Please enjoy the Babon Entertainment ^_^"	Shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Please enjoy the Babon Entertainment ^_^"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Welcome Friend"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Please enjoy the Babon Entertainment ^_^"	2c9c12b015719b15b5748c1aad7f95f358572da344b23fd47a78738b38bde3b8_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Welcome Friend"	babon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Please enjoy the Babon Entertainment ^_^"	babon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\	2c9c12b015719b15b5748c1aad7f95f358572da344b23fd47a78738b38bde3b8_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Welcome Friend"	2c9c12b015719b15b5748c1aad7f95f358572da344b23fd47a78738b38bde3b8_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Welcome Friend"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Welcome Friend"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Please enjoy the Babon Entertainment ^_^"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Welcome Friend"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Please enjoy the Babon Entertainment ^_^"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Please enjoy the Babon Entertainment ^_^"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Welcome Friend"	Shell.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\	babon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\winlogon\	IExplorer.exe

Drops autorun.inf file 1 TTPs 4 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File created	C:\autorun.inf	babon.exe
File opened for modification	C:\autorun.inf	babon.exe
File created	F:\autorun.inf	babon.exe
File opened for modification	F:\autorun.inf	babon.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	2c9c12b015719b15b5748c1aad7f95f358572da344b23fd47a78738b38bde3b8_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	IExplorer.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\SysWOW64\babon.scr	Shell.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\babon.scr	winlogon.exe
File created	C:\Windows\SysWOW64\shell.exe	lsass.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	2c9c12b015719b15b5748c1aad7f95f358572da344b23fd47a78738b38bde3b8_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	lsass.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	babon.exe
File opened for modification	C:\Windows\SysWOW64\babon.scr	csrss.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	2c9c12b015719b15b5748c1aad7f95f358572da344b23fd47a78738b38bde3b8_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\babon.scr	babon.exe
File created	C:\Windows\SysWOW64\shell.exe	csrss.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\SysWOW64\babon.scr	2c9c12b015719b15b5748c1aad7f95f358572da344b23fd47a78738b38bde3b8_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\SysWOW64\babon.scr	lsass.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	Shell.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	Shell.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	csrss.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\SysWOW64\babon.scr	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	lsass.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	babon.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	lsass.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe
File created	C:\Windows\SysWOW64\shell.exe	Shell.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe
File created	C:\Windows\SysWOW64\shell.exe	2c9c12b015719b15b5748c1aad7f95f358572da344b23fd47a78738b38bde3b8_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	Shell.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	winlogon.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	csrss.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	csrss.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe

Drops file in Windows directory 50 IoCs

description	ioc	Process
File created	C:\Windows\babon.exe	2c9c12b015719b15b5748c1aad7f95f358572da344b23fd47a78738b38bde3b8_NeikiAnalytics.exe
File opened for modification	C:\Windows\msvbvm60.dll	Shell.exe
File created	C:\Windows\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\babon.exe	lsass.exe
File created	C:\Windows\msvbvm60.dll	Shell.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\msvbvm60.dll	Shell.exe
File created	C:\Windows\msvbvm60.dll	Shell.exe
File created	C:\Windows\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\babon.exe	Shell.exe
File created	C:\Windows\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\babon.exe	csrss.exe
File created	C:\Windows\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\babon.exe	winlogon.exe
File created	C:\Windows\msvbvm60.dll	Shell.exe
File created	C:\Windows\babon.exe	lsass.exe
File opened for modification	C:\Windows\msvbvm60.dll	Shell.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\babon.exe	babon.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\msvbvm60.dll	Shell.exe
File created	C:\Windows\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\msvbvm60.dll	Shell.exe
File created	C:\Windows\babon.exe	winlogon.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\msvbvm60.dll	Shell.exe
File created	C:\Windows\babon.exe	babon.exe
File created	C:\Windows\babon.exe	Shell.exe
File opened for modification	C:\Windows\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\babon.exe	2c9c12b015719b15b5748c1aad7f95f358572da344b23fd47a78738b38bde3b8_NeikiAnalytics.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\msvbvm60.dll	Shell.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\babon.exe	IExplorer.exe
File created	C:\Windows\babon.exe	IExplorer.exe
File opened for modification	C:\Windows\babon.exe	csrss.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\msvbvm60.dll	Shell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 6 IoCs

pid	pid_target	Process	procid_target
2708	2712	WerFault.exe	29
2700	1352	WerFault.exe	30
2556	1228	WerFault.exe	28
1432	1476	WerFault.exe	32
1856	1664	WerFault.exe	31
1428	2760	WerFault.exe	52

Modifies Control Panel 49 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	2c9c12b015719b15b5748c1aad7f95f358572da344b23fd47a78738b38bde3b8_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\babon.SCR"	babon.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop\	Shell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\babon.SCR"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\babon.SCR"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\International\s2359 = "Babon"	csrss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	Shell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\International\	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop\	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\International\s2359 = "Babon"	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\International\	babon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\International\s1159 = "Babon"	babon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\International\s2359 = "Babon"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\International\s2359 = "Babon"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\International\s1159 = "Babon"	Shell.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop\	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\International\s1159 = "Babon"	csrss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	Shell.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop\	2c9c12b015719b15b5748c1aad7f95f358572da344b23fd47a78738b38bde3b8_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	babon.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\International\	IExplorer.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\International\	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\International\	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop\	csrss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\babon.SCR"	csrss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	2c9c12b015719b15b5748c1aad7f95f358572da344b23fd47a78738b38bde3b8_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	babon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\International\s1159 = "Babon"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\babon.SCR"	Shell.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop\	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	IExplorer.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\International\	2c9c12b015719b15b5748c1aad7f95f358572da344b23fd47a78738b38bde3b8_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\International\s1159 = "Babon"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\International\s2359 = "Babon"	2c9c12b015719b15b5748c1aad7f95f358572da344b23fd47a78738b38bde3b8_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\babon.SCR"	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\International\s2359 = "Babon"	Shell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\babon.SCR"	2c9c12b015719b15b5748c1aad7f95f358572da344b23fd47a78738b38bde3b8_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\International\s1159 = "Babon"	2c9c12b015719b15b5748c1aad7f95f358572da344b23fd47a78738b38bde3b8_NeikiAnalytics.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop\	babon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\International\	Shell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\International\s2359 = "Babon"	babon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\International\s1159 = "Babon"	lsass.exe

Modifies Internet Explorer settings 1 TTPs 21 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Babon hates Norman..:P~~"	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.jasakom.com"	Shell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Babon hates Norman..:P~~"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.jasakom.com"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Babon hates Norman..:P~~"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.jasakom.com"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.jasakom.com"	2c9c12b015719b15b5748c1aad7f95f358572da344b23fd47a78738b38bde3b8_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.jasakom.com"	babon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Babon hates Norman..:P~~"	babon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Babon hates Norman..:P~~"	2c9c12b015719b15b5748c1aad7f95f358572da344b23fd47a78738b38bde3b8_NeikiAnalytics.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\	Shell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.jasakom.com"	csrss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Babon hates Norman..:P~~"	csrss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://www.jasakom.com"	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\Windows Title = "Babon hates Norman..:P~~"	Shell.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\	2c9c12b015719b15b5748c1aad7f95f358572da344b23fd47a78738b38bde3b8_NeikiAnalytics.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\	babon.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\	winlogon.exe

Modifies Internet Explorer start page 1 TTPs 7 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.jasakom.com"	csrss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.jasakom.com"	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.jasakom.com"	Shell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.jasakom.com"	2c9c12b015719b15b5748c1aad7f95f358572da344b23fd47a78738b38bde3b8_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.jasakom.com"	babon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.jasakom.com"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.jasakom.com"	winlogon.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}	babon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	Shell.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	Shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	babon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	babon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	babon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	babon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	2c9c12b015719b15b5748c1aad7f95f358572da344b23fd47a78738b38bde3b8_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	babon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	babon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}	Shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	Shell.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	2c9c12b015719b15b5748c1aad7f95f358572da344b23fd47a78738b38bde3b8_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	babon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	Shell.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	2c9c12b015719b15b5748c1aad7f95f358572da344b23fd47a78738b38bde3b8_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF"	babon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	babon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	Shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	2c9c12b015719b15b5748c1aad7f95f358572da344b23fd47a78738b38bde3b8_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Shell.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	Shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF"	2c9c12b015719b15b5748c1aad7f95f358572da344b23fd47a78738b38bde3b8_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}	babon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	babon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\	Shell.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	2c9c12b015719b15b5748c1aad7f95f358572da344b23fd47a78738b38bde3b8_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default = "C:\\WINDOWS\\win\\system\\host32.exe /ShowErrorINF"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Shell.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	2c9c12b015719b15b5748c1aad7f95f358572da344b23fd47a78738b38bde3b8_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}	IExplorer.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2248	2c9c12b015719b15b5748c1aad7f95f358572da344b23fd47a78738b38bde3b8_NeikiAnalytics.exe

Suspicious use of SetWindowsHookEx 47 IoCs

pid	Process
2248	2c9c12b015719b15b5748c1aad7f95f358572da344b23fd47a78738b38bde3b8_NeikiAnalytics.exe
1228	babon.exe
2712	IExplorer.exe
1352	winlogon.exe
1664	csrss.exe
1476	lsass.exe
2012	babon.exe
576	babon.exe
924	IExplorer.exe
752	winlogon.exe
2128	babon.exe
2916	IExplorer.exe
2228	winlogon.exe
892	IExplorer.exe
352	csrss.exe
2400	winlogon.exe
3060	lsass.exe
2160	csrss.exe
876	csrss.exe
3064	lsass.exe
3048	lsass.exe
2760	Shell.exe
2748	Shell.exe
2672	Shell.exe
2892	Shell.exe
2584	Shell.exe
2528	babon.exe
3056	babon.exe
1976	IExplorer.exe
2732	winlogon.exe
2784	csrss.exe
2552	lsass.exe
2452	IExplorer.exe
984	winlogon.exe
1780	csrss.exe
1544	lsass.exe
1112	Shell.exe
1464	Shell.exe
2232	Shell.exe
2852	Shell.exe
2448	babon.exe
552	IExplorer.exe
1296	winlogon.exe
292	csrss.exe
1392	lsass.exe
684	Shell.exe
1900	Shell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2248 wrote to memory of 1228	2248	2c9c12b015719b15b5748c1aad7f95f358572da344b23fd47a78738b38bde3b8_NeikiAnalytics.exe	28
PID 2248 wrote to memory of 1228	2248	2c9c12b015719b15b5748c1aad7f95f358572da344b23fd47a78738b38bde3b8_NeikiAnalytics.exe	28
PID 2248 wrote to memory of 1228	2248	2c9c12b015719b15b5748c1aad7f95f358572da344b23fd47a78738b38bde3b8_NeikiAnalytics.exe	28
PID 2248 wrote to memory of 1228	2248	2c9c12b015719b15b5748c1aad7f95f358572da344b23fd47a78738b38bde3b8_NeikiAnalytics.exe	28
PID 2248 wrote to memory of 2712	2248	2c9c12b015719b15b5748c1aad7f95f358572da344b23fd47a78738b38bde3b8_NeikiAnalytics.exe	29
PID 2248 wrote to memory of 2712	2248	2c9c12b015719b15b5748c1aad7f95f358572da344b23fd47a78738b38bde3b8_NeikiAnalytics.exe	29
PID 2248 wrote to memory of 2712	2248	2c9c12b015719b15b5748c1aad7f95f358572da344b23fd47a78738b38bde3b8_NeikiAnalytics.exe	29
PID 2248 wrote to memory of 2712	2248	2c9c12b015719b15b5748c1aad7f95f358572da344b23fd47a78738b38bde3b8_NeikiAnalytics.exe	29
PID 2248 wrote to memory of 1352	2248	2c9c12b015719b15b5748c1aad7f95f358572da344b23fd47a78738b38bde3b8_NeikiAnalytics.exe	30
PID 2248 wrote to memory of 1352	2248	2c9c12b015719b15b5748c1aad7f95f358572da344b23fd47a78738b38bde3b8_NeikiAnalytics.exe	30
PID 2248 wrote to memory of 1352	2248	2c9c12b015719b15b5748c1aad7f95f358572da344b23fd47a78738b38bde3b8_NeikiAnalytics.exe	30
PID 2248 wrote to memory of 1352	2248	2c9c12b015719b15b5748c1aad7f95f358572da344b23fd47a78738b38bde3b8_NeikiAnalytics.exe	30
PID 2248 wrote to memory of 1664	2248	2c9c12b015719b15b5748c1aad7f95f358572da344b23fd47a78738b38bde3b8_NeikiAnalytics.exe	31
PID 2248 wrote to memory of 1664	2248	2c9c12b015719b15b5748c1aad7f95f358572da344b23fd47a78738b38bde3b8_NeikiAnalytics.exe	31
PID 2248 wrote to memory of 1664	2248	2c9c12b015719b15b5748c1aad7f95f358572da344b23fd47a78738b38bde3b8_NeikiAnalytics.exe	31
PID 2248 wrote to memory of 1664	2248	2c9c12b015719b15b5748c1aad7f95f358572da344b23fd47a78738b38bde3b8_NeikiAnalytics.exe	31
PID 2248 wrote to memory of 1476	2248	2c9c12b015719b15b5748c1aad7f95f358572da344b23fd47a78738b38bde3b8_NeikiAnalytics.exe	32
PID 2248 wrote to memory of 1476	2248	2c9c12b015719b15b5748c1aad7f95f358572da344b23fd47a78738b38bde3b8_NeikiAnalytics.exe	32
PID 2248 wrote to memory of 1476	2248	2c9c12b015719b15b5748c1aad7f95f358572da344b23fd47a78738b38bde3b8_NeikiAnalytics.exe	32
PID 2248 wrote to memory of 1476	2248	2c9c12b015719b15b5748c1aad7f95f358572da344b23fd47a78738b38bde3b8_NeikiAnalytics.exe	32
PID 1228 wrote to memory of 2012	1228	babon.exe	33
PID 1228 wrote to memory of 2012	1228	babon.exe	33
PID 1228 wrote to memory of 2012	1228	babon.exe	33
PID 1228 wrote to memory of 2012	1228	babon.exe	33
PID 2712 wrote to memory of 576	2712	IExplorer.exe	34
PID 2712 wrote to memory of 576	2712	IExplorer.exe	34
PID 2712 wrote to memory of 576	2712	IExplorer.exe	34
PID 2712 wrote to memory of 576	2712	IExplorer.exe	34
PID 1228 wrote to memory of 924	1228	babon.exe	35
PID 1228 wrote to memory of 924	1228	babon.exe	35
PID 1228 wrote to memory of 924	1228	babon.exe	35
PID 1228 wrote to memory of 924	1228	babon.exe	35
PID 1352 wrote to memory of 2128	1352	winlogon.exe	36
PID 1352 wrote to memory of 2128	1352	winlogon.exe	36
PID 1352 wrote to memory of 2128	1352	winlogon.exe	36
PID 1352 wrote to memory of 2128	1352	winlogon.exe	36
PID 2712 wrote to memory of 2916	2712	IExplorer.exe	37
PID 2712 wrote to memory of 2916	2712	IExplorer.exe	37
PID 2712 wrote to memory of 2916	2712	IExplorer.exe	37
PID 2712 wrote to memory of 2916	2712	IExplorer.exe	37
PID 1228 wrote to memory of 752	1228	babon.exe	38
PID 1228 wrote to memory of 752	1228	babon.exe	38
PID 1228 wrote to memory of 752	1228	babon.exe	38
PID 1228 wrote to memory of 752	1228	babon.exe	38
PID 1228 wrote to memory of 352	1228	babon.exe	39
PID 1228 wrote to memory of 352	1228	babon.exe	39
PID 1228 wrote to memory of 352	1228	babon.exe	39
PID 1228 wrote to memory of 352	1228	babon.exe	39
PID 1352 wrote to memory of 892	1352	winlogon.exe	40
PID 1352 wrote to memory of 892	1352	winlogon.exe	40
PID 1352 wrote to memory of 892	1352	winlogon.exe	40
PID 1352 wrote to memory of 892	1352	winlogon.exe	40
PID 2712 wrote to memory of 2228	2712	IExplorer.exe	41
PID 2712 wrote to memory of 2228	2712	IExplorer.exe	41
PID 2712 wrote to memory of 2228	2712	IExplorer.exe	41
PID 2712 wrote to memory of 2228	2712	IExplorer.exe	41
PID 1352 wrote to memory of 2400	1352	winlogon.exe	42
PID 1352 wrote to memory of 2400	1352	winlogon.exe	42
PID 1352 wrote to memory of 2400	1352	winlogon.exe	42
PID 1352 wrote to memory of 2400	1352	winlogon.exe	42
PID 1228 wrote to memory of 3060	1228	babon.exe	43
PID 1228 wrote to memory of 3060	1228	babon.exe	43
PID 1228 wrote to memory of 3060	1228	babon.exe	43
PID 1228 wrote to memory of 3060	1228	babon.exe	43

System policy modification 1 TTPs 14 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	2c9c12b015719b15b5748c1aad7f95f358572da344b23fd47a78738b38bde3b8_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	babon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Shell.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	2c9c12b015719b15b5748c1aad7f95f358572da344b23fd47a78738b38bde3b8_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	babon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	IExplorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	Shell.exe

C:\Users\Admin\AppData\Local\Temp\2c9c12b015719b15b5748c1aad7f95f358572da344b23fd47a78738b38bde3b8_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\2c9c12b015719b15b5748c1aad7f95f358572da344b23fd47a78738b38bde3b8_NeikiAnalytics.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2248
- C:\Windows\babon.exe
  C:\Windows\babon.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Disables cmd.exe use via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops autorun.inf file
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1228
- - C:\Windows\babon.exe
    C:\Windows\babon.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2012
- - C:\Windows\SysWOW64\IExplorer.exe
    C:\Windows\system32\IExplorer.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    PID:924
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:752
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:352
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3060
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1228 -s 376
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2556
  - - C:\Windows\SysWOW64\Shell.exe
      "C:\Windows\system32\Shell.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Drops file in Windows directory
      Suspicious use of SetWindowsHookEx
      PID:2748
  - - C:\Windows\SysWOW64\Shell.exe
      "C:\Windows\system32\Shell.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Drops file in Windows directory
      Suspicious use of SetWindowsHookEx
      PID:2892
- C:\Windows\SysWOW64\IExplorer.exe
  C:\Windows\system32\IExplorer.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Disables cmd.exe use via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2712
- - C:\Windows\babon.exe
    C:\Windows\babon.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:576
- - C:\Windows\SysWOW64\IExplorer.exe
    C:\Windows\system32\IExplorer.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    PID:2916
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2228
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:876
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3064
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2712 -s 380
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2708
  - - C:\Windows\SysWOW64\Shell.exe
      "C:\Windows\system32\Shell.exe"
      4⤵
      Modifies WinLogon for persistence
      Modifies visibility of file extensions in Explorer
      Modifies visiblity of hidden/system files in Explorer
      Disables RegEdit via registry modification
      Disables cmd.exe use via registry modification
      Executes dropped EXE
      Modifies system executable filetype association
      Adds Run key to start application
      Enumerates connected drives
      Modifies WinLogon
      Drops file in System32 directory
      Drops file in Windows directory
      Modifies Control Panel
      Modifies Internet Explorer settings
      Modifies Internet Explorer start page
      Modifies registry class
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:2760
    - - C:\Windows\babon.exe
        
        C:\Windows\babon.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2448
    - - C:\Windows\SysWOW64\IExplorer.exe
        
        C:\Windows\system32\IExplorer.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:552
    - - C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
        
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1296
    - - C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe
        
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:292
    - - C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe
        
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1392
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2760 -s 396
        5⤵
        Program crash
        
        PID:1428
      - C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:684
      - C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:1900
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Disables cmd.exe use via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1352
- - C:\Windows\babon.exe
    C:\Windows\babon.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2128
- - C:\Windows\SysWOW64\IExplorer.exe
    C:\Windows\system32\IExplorer.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    PID:892
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2400
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2160
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3048
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1352 -s 356
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2700
  - - C:\Windows\SysWOW64\Shell.exe
      "C:\Windows\system32\Shell.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Drops file in Windows directory
      Suspicious use of SetWindowsHookEx
      PID:2672
  - - C:\Windows\SysWOW64\Shell.exe
      "C:\Windows\system32\Shell.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Drops file in Windows directory
      Suspicious use of SetWindowsHookEx
      PID:2584
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Disables cmd.exe use via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:1664
- - C:\Windows\babon.exe
    C:\Windows\babon.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3056
- - C:\Windows\SysWOW64\IExplorer.exe
    C:\Windows\system32\IExplorer.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    PID:2452
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:984
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1780
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1544
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1664 -s 376
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:1856
  - - C:\Windows\SysWOW64\Shell.exe
      "C:\Windows\system32\Shell.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Drops file in Windows directory
      Suspicious use of SetWindowsHookEx
      PID:1464
  - - C:\Windows\SysWOW64\Shell.exe
      "C:\Windows\system32\Shell.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Drops file in Windows directory
      Suspicious use of SetWindowsHookEx
      PID:2852
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Disables cmd.exe use via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:1476
- - C:\Windows\babon.exe
    C:\Windows\babon.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2528
- - C:\Windows\SysWOW64\IExplorer.exe
    C:\Windows\system32\IExplorer.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    PID:1976
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2732
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2784
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2552
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1476 -s 352
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:1432
  - - C:\Windows\SysWOW64\Shell.exe
      "C:\Windows\system32\Shell.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Drops file in Windows directory
      Suspicious use of SetWindowsHookEx
      PID:1112
  - - C:\Windows\SysWOW64\Shell.exe
      "C:\Windows\system32\Shell.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Drops file in Windows directory
      Suspicious use of SetWindowsHookEx
      PID:2232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\lsass.exe

Filesize
147KB

MD5
5064222fe180b7105f2c889d422dd6d0

SHA1
67f0e38e2f66c6decc71a3adb7f652847ea0963a

SHA256
2c9c12b015719b15b5748c1aad7f95f358572da344b23fd47a78738b38bde3b8

SHA512
862f104f8d08e1049216d187acb6b5bcdc7f007fb403327b7ded55ced39186dd4ead274b94beb840e74ef31ec11373eede035293f907c41bb47823dc738a2c39

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\smss.exe

Filesize
147KB

MD5
248e79cf8cf9d97e1db979d6ae0cc038

SHA1
5ced58a143d70fb1677f2a0bdb07a420cd5e11a0

SHA256
d8d005ded4283792a1b1d70925fd2a6be496ee41efbb8a0b6c0d3132ef8527eb

SHA512
7adfc1aff4ea57eea815081a9f55ce6203526cb9fb0c02c8e13c2ad5256519f746186e45dfe713dbda97284479ae5414b840470b44268e9e723aa6a3b7029b89

Download Submit
C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif

Filesize
147KB

MD5
4a3d98f25e50ef43bb204e69f24a9c62

SHA1
f6fa7ba6c1756bb97f03842e8ccde77ac53884b1

SHA256
1900ec57a995a5ced5d0722be7bb4b9b0f60c64f990e4c2f3eee54c9374f78a1

SHA512
ee19ba21a6c5e00672e5fdc156ed3e10c9eb7bf0a09fe3c140124676f6a190b3d9537f857fe2d2714f12900a8c5d2de1e7c17b6d61f7b834c11359abcb397b0f

Download Submit
C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif

Filesize
147KB

MD5
b54a0c3e291fe31da0e414f54fc41046

SHA1
3a7de23ee7f2f71051c1c4be70923a94c5b9b1b5

SHA256
f7b32dd3fc4213cd3fe7816a034003002d509888506ca5264bc3ac0a4ac69152

SHA512
bf4f4f0c906e3d9712a14b2deb9532bdffc8a8f89f576bd4916abcf0a39792b6568e751acdef9d6706b03f8ab680cc81968c3bd28ac5659667a6ab024bab4599

Download Submit
C:\Windows\MSVBVM60.DLL

Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
C:\Windows\SysWOW64\babon.scr

Filesize
147KB

MD5
e03521fbfd91fb1899c3039b680746cc

SHA1
bd65fb6102cb725be4056045891b0609847889de

SHA256
43b985ae8c75eeff6b26f05458ef0ec6ef7294b11d5189589142f115a49650d8

SHA512
1c4f224f91ad9efecbef486455e338e5d3480505e44f76ed9172892c999a5aa42705fa75d98b9456097c06759da318e8052396d98c135690155c496e78a91ff1

Download Submit
C:\Windows\SysWOW64\babon.scr

Filesize
147KB

MD5
4f65eb5aeebd02314c18a0abb0b2a5eb

SHA1
0b92fefb792ef0ed234ff9f2bfa4a6ccb08db437

SHA256
c39ec6f254e42eddbd140f11186b42c92f86b56b5338e5b529ccdd082e243261

SHA512
0c5c0c91576b09a744d175b85208200c70bb6ed5a226e14b08ef850125a3f4f0d93912efc93c5d825dbabaef3a116356a33f1ed04f0e46917207bfc3e324f9cb

Download Submit
C:\Windows\SysWOW64\babon.scr

Filesize
147KB

MD5
e53afdd44bf6944fc56612875c04b96d

SHA1
d49fb4771bbf4a5056e1abcd93b8702af610570b

SHA256
11b0c0f044e5ec7a171435c2e370ba2ceac73fa8a6856f12f1acf3b240e703ad

SHA512
57299388882d634f21e5884712d3c43f055ac69705adad83d489f3af7a966f69884c2c26b4f3f4ba715b89388523f1b928a54d83d18a4a543f18c9d0b0f44ba3

Download Submit
C:\Windows\SysWOW64\shell.exe

Filesize
147KB

MD5
a39a4ee05d2d497b20ad555b0a3cf363

SHA1
8c1ac4414e70ebbb8ac75847ec85a7cd41cffaa7

SHA256
671a363eae7d6b8107ce1cb763d4b86361e781f7822d2cb1299723f64edeb241

SHA512
df27ab62cbedc88f295a5ac65b03fdca5f470e14efacffa7cff36f8f674dd012a0ec1b19390b73467450586ef151b4d1dffa3cd515f1a2c123fc0d8b80047772

Download Submit
C:\Windows\SysWOW64\shell.exe

Filesize
147KB

MD5
56a7ccd3225f2a74e6d59afd0991655a

SHA1
60a4761400afcbcdd9f86b2a5f3ebd71bf74502f

SHA256
4ff32ac63c588c53d91e5a08609dad739d66fb3533f4d8a23cfa1f7b28328cc3

SHA512
8d544266c1ee64c455360f79c204e9c3aaff38ffbb4013411c59246d571ee8cefa4b81ef5e3d91165b9a254ca1c03aa23c057314133bd6adbe6cf1f71776be4e

Download Submit
C:\Windows\SysWOW64\shell.exe

Filesize
147KB

MD5
a85e6a5c026999949da7de0e9ebae3f9

SHA1
4a445cd9e61bd67a95c6473a822a9dce03fbbd14

SHA256
b17725f2471c488b78a32053a26c878f96ec7df9bd65173a5d7484c69a94a72e

SHA512
a7ed59d4fd1ab3c7fbbd04b2d80cb8431678f382efab4a1864ca0bf6176d01dc3f33dc8f5722811737eba5cfa954e026e161a84b1540adc9432dc871650f4677

Download Submit
C:\Windows\babon.exe

Filesize
147KB

MD5
6d672c40fec44ec73af195ab696bfe01

SHA1
c521e3521b85fee2b88a1e175ca7fca96e073fca

SHA256
bd666f3ccf4dd0e6f0a5346a5b0f540f7c487f8680cecc3110de9adb69ab8500

SHA512
2d71857cc5049d9feaaa66974ffdf69cef5284043106302ab734c3aed8b615eceac0eda994c8a9f1c71b71cc96240150861a77d4f7a71abbdead1b64c226c31a

Download Submit
C:\babon.exe

Filesize
147KB

MD5
406bc2a03383bbb0b61d9363a6f9ffe6

SHA1
dfc7aeefe20d9b96c495e311a2f1ac0bddd24722

SHA256
8827e2e774e3c2140ec24243837732ff051281423c366809dcf496e812d377e1

SHA512
83026cf4580277453f91df365037d4b8d0dc876c107909a671036e0801139983d50877afdbdb5f61835893b20cd44521e8390abdb2824685912abb1f66729af4

Download Submit
C:\babon.exe

Filesize
147KB

MD5
2b622fadf60919a7318208954ddc9c81

SHA1
82092852fc93415407860a9509dbd7e4aa221ef6

SHA256
0c2ae0be07515a3d0116794c100964c76506db20baa5a1caab84b1ad30f2a348

SHA512
07ff4828266a63a3573e92521f38f55425c91a5f2bc728b864a42d700b5af9532bb3e63aa2a7ad94b5affebcaf0ef21dae6ff72efffe7384b2a655d80a3e5723

Download Submit
C:\babon.exe

Filesize
147KB

MD5
dd59f3eddbfc1b01b8278cc76fd02d3e

SHA1
75720c34585390037e1398eeeec02076258faef9

SHA256
70735ec047dfddb6ea9b8f120bf6c0c81fe30065f895941bd995f2cbd8995aa0

SHA512
0a15acad87456ce125ab36e9161f6a63067d2a1b9de750eb8f2bd681f5efa73cb6db36ea8998d95b27834a1380f241877d773dd5723b13deab22e6f9ab91efb1

Download Submit
C:\wangsit.txt

Filesize
359B

MD5
df2f3e6971a7548c1688706f9a9798a8

SHA1
e38539857523a1e7eb3aa857e017bf6461b16a08

SHA256
1fd0a101a74c19c0c9e287eac64ee506df3eebdbc11f12022dda94fedd123918

SHA512
d2d41257135381d7f4c4936139282a505094af7a8f9bc824ccc08d09da9ab010b6adf1460feacf5c0151cb9d4299b8bde934fd90904bb3c3ce6c396af449c072

Download Submit
F:\autorun.inf

Filesize
41B

MD5
097661e74e667ec2329bc274acb87b0d

SHA1
91c68a6089af2f61035e2e5f2a8da8c908dc93ed

SHA256
aab4cf640f2520966a0aac31af8d1b819eea28736c6b103db16b07c3188ec6c0

SHA512
e90e678526270cd9388538246793534411c478b082ab914bfe2756b18771229f146c731c0f9c94ed59d8689b2ef77d25f7b22d3d6b8c2d439e5b3437f8dc649e

Download Submit
\Users\Admin\AppData\Local\WINDOWS\csrss.exe

Filesize
147KB

MD5
119c55713b44e6457c29361ece427cc1

SHA1
9263e1b5595b303744fd5d2c583eb8ddab79abef

SHA256
86a6fa44e13f7b4905cf7a8d3cb83fce44314dee1e85208e27aa2b8bdd5bab74

SHA512
e2c824df37e29a78c0c19df5c46bb157faec7a4886f95666bef11020f70614c515f40063c11ed4bd6ddcd012045930650a5f974c3de69fe7af8d3d1879377d1d

Download Submit
\Users\Admin\AppData\Local\WINDOWS\lsass.exe

Filesize
147KB

MD5
80f13cf452b08e17677bad60e0db0e74

SHA1
a7cf859f31fcb7d8d7c54303c921d0f3bddce763

SHA256
df383c58b274d6259b74686b08a15aa38dcdaa0ff3f17cbda7c5aee05523556a

SHA512
18bda701b41caba48d58e48693851abd0a1d9f3eae7e97f95b14ad33eea01cd171afc3ca01bb1d1bfdf6b44e757c7786040560c5cbda2ff344cdba049bda41e2

Download Submit
\Users\Admin\AppData\Local\WINDOWS\winlogon.exe

Filesize
147KB

MD5
6efbc9054cab5424ab7f4d930f377284

SHA1
c16a8c153640354129a3d49d13ebdba5b1bac7f3

SHA256
a285d929072996a3aed849cd694751c46fe30fe9de8a06a263e824730bc84d1a

SHA512
4f528a1899a9dc01a77f3d40c62ec5bc0a9e7b6db093e651f017633fddc5b59839c06412f1a87e77bd73369341283b6fb33677f8715b479f1ee5c2653eaf636d

Download Submit
\Windows\SysWOW64\IExplorer.exe

Filesize
147KB

MD5
eedfd3170c92ef1fca9339cbdb488445

SHA1
fa5d271627ffd8c98b5b723feb9a165a03cf5f0d

SHA256
dd434b44c11bec5e44a1126a2d7c1d14b9c1372e17f45835ecb59c1cc75adbf7

SHA512
9d65e87cb54ad3e775983c9ed05d5ef4e29f236173899ac961dea7bdefb0db38f0f6b442fb1a6f262074772ba94dbae0e708fe4916eb547d8a3ff532fca02dda

Download Submit
memory/292-484-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/352-310-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/352-284-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/352-302-0x00000000001B0000-0x00000000001C0000-memory.dmp

Filesize
64KB

Download
memory/552-476-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/576-263-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/576-264-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/684-491-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/684-492-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/752-283-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/752-274-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/876-347-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/892-303-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/924-244-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/924-268-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/984-426-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1112-441-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1228-222-0x00000000031F0000-0x0000000003224000-memory.dmp

Filesize
208KB

Download
memory/1228-105-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1228-316-0x00000000031F0000-0x0000000003224000-memory.dmp

Filesize
208KB

Download
memory/1228-221-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1228-223-0x00000000031F0000-0x0000000003224000-memory.dmp

Filesize
208KB

Download
memory/1228-348-0x00000000031F0000-0x0000000003224000-memory.dmp

Filesize
208KB

Download
memory/1228-399-0x00000000031F0000-0x0000000003224000-memory.dmp

Filesize
208KB

Download
memory/1296-479-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1296-481-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1352-131-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1352-291-0x0000000002690000-0x00000000026C4000-memory.dmp

Filesize
208KB

Download
memory/1352-267-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1392-487-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1464-444-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1476-437-0x0000000001E80000-0x0000000001EB4000-memory.dmp

Filesize
208KB

Download
memory/1476-290-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1476-472-0x0000000001E80000-0x0000000001EB4000-memory.dmp

Filesize
208KB

Download
memory/1476-438-0x0000000001E80000-0x0000000001EB4000-memory.dmp

Filesize
208KB

Download
memory/1476-401-0x0000000001E80000-0x0000000001EB4000-memory.dmp

Filesize
208KB

Download
memory/1476-434-0x0000000001E80000-0x0000000001EB4000-memory.dmp

Filesize
208KB

Download
memory/1476-152-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1476-400-0x0000000001E80000-0x0000000001EB4000-memory.dmp

Filesize
208KB

Download
memory/1544-433-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1544-431-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/1664-281-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1664-425-0x00000000026F0000-0x0000000002724000-memory.dmp

Filesize
208KB

Download
memory/1780-429-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1780-430-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1900-495-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1976-407-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2012-225-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2012-220-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/2128-287-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/2128-288-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2128-261-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2160-346-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2228-308-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2228-300-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2232-445-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2248-104-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/2248-134-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/2248-148-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/2248-109-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/2248-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2248-130-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/2248-129-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/2248-153-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2248-103-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/2400-311-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2400-309-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2448-473-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/2448-470-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2528-402-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/2552-421-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2552-418-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2584-370-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2712-319-0x0000000002760000-0x0000000002794000-memory.dmp

Filesize
208KB

Download
memory/2712-260-0x0000000002760000-0x0000000002794000-memory.dmp

Filesize
208KB

Download
memory/2712-259-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2732-413-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2732-412-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2748-364-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2760-424-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2760-478-0x00000000030F0000-0x0000000003124000-memory.dmp

Filesize
208KB

Download
memory/2760-496-0x00000000030F0000-0x0000000003124000-memory.dmp

Filesize
208KB

Download
memory/2760-357-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2760-471-0x00000000030F0000-0x0000000003124000-memory.dmp

Filesize
208KB

Download
memory/2852-446-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2852-449-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2892-369-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2916-292-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3048-356-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3048-349-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3056-408-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/3056-409-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3060-321-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3060-320-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3060-318-0x00000000001B0000-0x00000000001C0000-memory.dmp

Filesize
64KB

Download
memory/3060-317-0x00000000001B0000-0x00000000001C0000-memory.dmp

Filesize
64KB

Download
memory/3064-355-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3064-354-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download