Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    08/05/2024, 22:00

General

  • Target

    468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe

  • Size

    91KB

  • MD5

    b1d40ed23f434400f1332a468bdd75d0

  • SHA1

    1b02aafa08536bceea27f8fe633beffbe6f3c478

  • SHA256

    468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c

  • SHA512

    bb332dda06746f08a6049fc7a803ae0f013a58c19bab7a964af62e86eb65fdefe815c932f1af9497ab0c9e65794ce1d05f525d3f69bae4f3ae9699f2416a67ec

  • SSDEEP

    1536:9a8jroAbRB+XWCQLZeIdSwkRa8jroAbRB+XWCQLZeIdSwky:LFRBLJSpFRBLJS8

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 12 IoCs
  • Modifies visibility of file extensions in Explorer 2 TTPs 6 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 6 IoCs
  • Detects executables packed with ASPack 60 IoCs
  • Disables RegEdit via registry modification 6 IoCs
  • Disables Task Manager via registry modification
  • Disables cmd.exe use via registry modification 6 IoCs
  • Disables use of System Restore points 1 TTPs
  • ASPack v2.12-2.42 20 IoCs

    Detects executables packed with ASPack v2.12-2.42

  • Executes dropped EXE 30 IoCs
  • Loads dropped DLL 5 IoCs
  • Modifies system executable filetype association 2 TTPs 64 IoCs
  • Adds Run key to start application 2 TTPs 24 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 18 IoCs
  • Drops autorun.inf file 1 TTPs 12 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 38 IoCs
  • Drops file in Windows directory 24 IoCs
  • Modifies Control Panel 54 IoCs
  • Modifies Internet Explorer settings 1 TTPs 18 IoCs
  • Modifies Internet Explorer start page 1 TTPs 6 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 5 IoCs
  • Suspicious use of SetWindowsHookEx 31 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe
    "C:\Users\Admin\AppData\Local\Temp\468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visibility of hidden/system files in Explorer
    • Disables RegEdit via registry modification
    • Disables cmd.exe use via registry modification
    • Modifies system executable filetype association
    • Adds Run key to start application
    • Modifies WinLogon
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies Control Panel
    • Modifies Internet Explorer settings
    • Modifies Internet Explorer start page
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1396
    • C:\Windows\babon.exe
      C:\Windows\babon.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Executes dropped EXE
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:2308
      • C:\Windows\babon.exe
        C:\Windows\babon.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetWindowsHookEx
        PID:4512
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        PID:2156
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:624
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:696
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:1776
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Executes dropped EXE
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops autorun.inf file
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:1212
      • C:\Windows\babon.exe
        C:\Windows\babon.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetWindowsHookEx
        PID:4940
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        PID:4040
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:1484
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:3048
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:5052
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Executes dropped EXE
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops autorun.inf file
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:4476
      • C:\Windows\babon.exe
        C:\Windows\babon.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetWindowsHookEx
        PID:920
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        PID:4636
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:4572
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:4640
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:640
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Executes dropped EXE
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops autorun.inf file
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:4564
      • C:\Windows\babon.exe
        C:\Windows\babon.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetWindowsHookEx
        PID:3160
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        PID:3116
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:3480
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:5004
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:3380
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Executes dropped EXE
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:4060
      • C:\Windows\babon.exe
        C:\Windows\babon.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetWindowsHookEx
        PID:740
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        PID:2636
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:1464
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:3164
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:3104

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\WINDOWS\csrss.exe

    Filesize

    91KB

    MD5

    122372ce2028bcec969d6f4039149e51

    SHA1

    f7e8ac5c7334da4ae2f91b367e318b5df5bbbe12

    SHA256

    ef8b6d0a9450d024b358a7a49d261665987d72c7c40e42002add23af07ff42bf

    SHA512

    00c1f6a1ffd0d6af94d78371956b16461696eb7d8fc59257dc87bef52ec5055be92de9beca0caac7f7d18b447949cbf7324b83e49003f5460a5900faf99fd656

  • C:\Users\Admin\AppData\Local\WINDOWS\lsass.exe

    Filesize

    91KB

    MD5

    637d2c6224867fa0f37d2f09f2186857

    SHA1

    a34057dfb3692929ebd45d2aac02ff4389b95443

    SHA256

    84f5d2220901b6b089e35a4de581ac9c38f752fa1f6cf2f6778dd5b5b1118ff6

    SHA512

    f294a199914bffdc5767b6dfd32142acd56ff65beb88cd12b4482ca0c8fa2ea8cffb787275741e620d171bb7d2a6f21e9cddfa4a7d6090ca8c099a0716efcc2c

  • C:\Users\Admin\AppData\Local\WINDOWS\winlogon.exe

    Filesize

    91KB

    MD5

    770113bbd293c60ef68455a43370ffa9

    SHA1

    ca7a3582c89b0f7042001791fbf22b16fa2f721b

    SHA256

    5183130392172eabb1a56f93f1f66c63faaaa6043570462c821c93c80686c2b1

    SHA512

    669115500042b710d179aa30cddf6563f0dd0aae773c040593dc1935481ba891641ad805b020d4bc9b987ebe91c92180c445ef649f627f5c66cca5491ce9c77f

  • C:\Users\Admin\AppData\Local\winlogon.exe

    Filesize

    91KB

    MD5

    b1d40ed23f434400f1332a468bdd75d0

    SHA1

    1b02aafa08536bceea27f8fe633beffbe6f3c478

    SHA256

    468c61c42f7c91b3d5f74a9131dbb1dc7c18f478eba5736526d257085f7cc93c

    SHA512

    bb332dda06746f08a6049fc7a803ae0f013a58c19bab7a964af62e86eb65fdefe815c932f1af9497ab0c9e65794ce1d05f525d3f69bae4f3ae9699f2416a67ec

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\smss.exe

    Filesize

    91KB

    MD5

    7fbe141b08ef0a4d20a9f7b2d84713b1

    SHA1

    76722824bda42d25f0c622679de98b3cb8face6f

    SHA256

    ab10410aa13ec7f590ab35e5fc3948e6a204d52b32300b889ddcfcfbe5816ace

    SHA512

    c0a788eba87e69897665044710c7bbc6d0d90280a6def2bce53296094238220a21aad3f7a2dad65eaefe13c16a01fa2a6acdbb50b98ffdb99fd58e4290ef6014

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\smss.exe

    Filesize

    91KB

    MD5

    a97cb8bbf9a43ff425132c1be59979d6

    SHA1

    d998d2cdf70c275709485b0d82c2c74ff982b97b

    SHA256

    e3ce99ca7fdd765f42d37477ab28fc9e49a2f6f179d20e8943900740ecb4eb75

    SHA512

    fbda67c27c4cdbb68d37c64cb791509e13fa0570c89fbcd6dc87ccda610696efaa9bb5afd85bc46b9732ec24fe8589a03dceb0aff611e20cb8eb14370da41814

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\smss.exe

    Filesize

    91KB

    MD5

    4f417dc08f3911edebdf723d55b6581e

    SHA1

    f65e1fba07c6735ff243e9aff49c7ea7cd290ae0

    SHA256

    4075692e943ee0abde529f22d528472e8cf52a0c1c3ba1adde1614f570e89401

    SHA512

    332353ecdbe9bc8f4f35e1a4f56096c775987e7a03f25aec043accaba6b27c921b908166ccdd3b86c1bd4e7af2dfc44939076537c4e7666bca611a9c1bb163ea

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\smss.exe

    Filesize

    91KB

    MD5

    c5008a8b2eebb44f6149e4dbbfcc5822

    SHA1

    309af6b7b400dce91af417b0004ee1d3f6e1f2a6

    SHA256

    7008a4f7f2baf0b3aa5d39732b14201774ac6405135b05db20722a6b7367587b

    SHA512

    f901f238f5799d61670e779f87413be5923fbd958f796ebf0a146c9bba9c5c1bfefefa0075932d5286be924f691512e34c6b32dbd4ea52fc7c8d6cdba666fcc9

  • C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif

    Filesize

    91KB

    MD5

    ab47ebed6e55093f78024f3726be3070

    SHA1

    cc66b2f8b3b08a2b432774c6b2224c10e313ead3

    SHA256

    4b8166e4df6958d6cc417eee4753fcb8ff8f3b28ecc98fcf7aa25bd4898d3d4f

    SHA512

    16f535fa10596117dd091ff34ac57f51a833071f776a62aacd41286bd657c57459fdeed3a5acd92127d10374651092705c87c2e094ca988320adfb3ba3048488

  • C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif

    Filesize

    91KB

    MD5

    7f7fb796dad5afa365589476a896c3d6

    SHA1

    7a26b9dde60bb8ac4fb70d779a5ca425e177b272

    SHA256

    477b77944458f11c7a22ead5a51f9c41068f4d22f0fba0f57e8ac724c7ce5b15

    SHA512

    76554d479c4b35024f525490b75329f4952e3bac559d0ef501fd85abc7bad3972d180a6918053e97062d0f5aba695c7b13070c223a90fe45c12436790ce616cf

  • C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif

    Filesize

    91KB

    MD5

    e5405fa99b9b7534ccefaafea5990874

    SHA1

    6dc55957395403cfe575a6daf47278e3ef958cea

    SHA256

    53db639439cc340a9106e70c874034e99104b168e5b4ef4a9e64e419a51af492

    SHA512

    8d8e03ebea08f21065581413655340a7660497592b50e9532f5c5dedd14436607e126d2609d2f6062b44cbd1468c5c656154a4d4431d464aafc52d6032278cd2

  • C:\Windows\SysWOW64\IExplorer.exe

    Filesize

    91KB

    MD5

    0e31e3515b8196573ffd06b69bf87aed

    SHA1

    0af6a4adca8b207fcbacfa3eb645cdb8567bab76

    SHA256

    d9c361dcfb17bedb963956808a0f3d329adf6693b660dc310e4b1e06092cf532

    SHA512

    aaab26e946195efcceac31a04e112480bc26e2a7383d01d65967e0ef652938b88904c9a2c0759ae72d134fced3286569a3ef9c99e9b982e820f4ade6b108fa54

  • C:\Windows\SysWOW64\babon.scr

    Filesize

    91KB

    MD5

    617fbc142165e322a5705011afe2687f

    SHA1

    fd4d1365a2a52e271a708bf751bd792b9d8b9adf

    SHA256

    92d8ea792368d53f1cec7e52f9a60362008348c0bc4760a2fe23feffc4ff0633

    SHA512

    99711f10f2a6106a94e21550f68ffa9bcdffd8150d93e7c3b07cd27ada33eaa5cbd117dca00d3f5f49a7d4f46cc80297de4a9f28084e31f17334661a38506d3a

  • C:\Windows\SysWOW64\babon.scr

    Filesize

    91KB

    MD5

    ca41d0f22295d4991223ef71f124c132

    SHA1

    2dcab07f63c53052e39dcab774bc50ad5d609c4d

    SHA256

    34fc8d535888cc89acc5aae27c974341cd81b90aa407abda07706c34e1366107

    SHA512

    e97be022f2e4f940b33c5274c04109f13da835e6e842df6e6744bf0008864abe04b934aeed023029c8328425f0f8654b8031dace383cf8a671d0e7ff69527fd2

  • C:\Windows\SysWOW64\babon.scr

    Filesize

    91KB

    MD5

    5b80fc7658e849f5196b330a833a2551

    SHA1

    626323263f4909bb030e4a45a9a90281b220ca1f

    SHA256

    4d2a697701335fef91fba39d15b6329dcd29ee7b05612ceeda0895cc42f604ea

    SHA512

    e42fccd8ab7ffcff1fe1bd735f105c89778ae595b0a3c1de4ba75e7c0e590546e8ce4689087f9f94c98f7136bf294e1cbdc22d9c0e327cc0cf308d1a66935353

  • C:\Windows\SysWOW64\shell.exe

    Filesize

    91KB

    MD5

    71f06556ad0c8e188ed07db9fa4015ab

    SHA1

    6cb0b33fdd4bf57e2f8dcbff834bdbc0613751d6

    SHA256

    27f66e6e8879d6f2698e2ffdf24227da5b695a63ef3a7f3feed8b8e10550946e

    SHA512

    2891421f8be520e19b4d6d430e0d67d2efaed6328ee7a387ab6b7bee226034895b3955385ac3c83761952919c6653d4abfc7fced261eb202aa8a9225c9f3988c

  • C:\Windows\SysWOW64\shell.exe

    Filesize

    91KB

    MD5

    7b294a1786cb566409516bad3f0a932f

    SHA1

    595b461bfa6ad5161edcd131b6b62a178f37166b

    SHA256

    032cf1d6e6d7a31d55ad0eb45541b8a1375c23c1e46022095797049bb47f7fbc

    SHA512

    e1909565b0c5e159997af94f963bf0907c63b0d5a3cadf5a28ee2c6dc69a45df40c004bc3e724b17e85b6d8a882e993343588b875561be45ed270a129c39e4ef

  • C:\Windows\babon.exe

    Filesize

    91KB

    MD5

    88332c4cbfa8dbc0d030f49f21be6776

    SHA1

    756f2729847405baf2352322a3b15cdd440ad6ae

    SHA256

    e5a1ba13c6627690c87f0d4fcd31da17178650560a9fc3e0f4adf30f3cd0ccf5

    SHA512

    9d61001a0cd41e13734158c8cec1ba6a9b45ee09cd844b74e12f7bedaadcffe31112ce2529d2d4d2d317b354b2f2faa90020b0a0cd1d00bcd9de571abc553ad1

  • C:\Windows\msvbvm60.dll

    Filesize

    1.4MB

    MD5

    25f62c02619174b35851b0e0455b3d94

    SHA1

    4e8ee85157f1769f6e3f61c0acbe59072209da71

    SHA256

    898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

    SHA512

    f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

  • C:\babon.exe

    Filesize

    91KB

    MD5

    74491fded5f82b1a63f2c5fd2cfe2b71

    SHA1

    71aefda4f6deb726d287cacc43514289951cad3a

    SHA256

    a44126a455ca139c552599a6fc32d743868badb4e2d4290c05fa6d43c3104a66

    SHA512

    f5c264d3d72968981001d794fc5b19b273cf9d880869de405cac7660cee225ba9875fb4f593a6c1fe52a08ae17e3a7d269a1445fb97ecffe3404209876e2a41b

  • C:\babon.exe

    Filesize

    91KB

    MD5

    199d9f3dea30210a75ea4ab26e0fa108

    SHA1

    ed3f0b65c0e433ae72b0b3d738fd3722491bcc24

    SHA256

    431b6cfa8ab9a4fbda469e428fa8f2d3a96b36ad1fefc4332eed876773b4229c

    SHA512

    94cf01ae372c6674e14fece9fb4d2cfc1727f41dd546973c2fbf2afb214729ecab293f0516226671bee996fe5befc4930cfd4babc567fc91908cd047dbff3a75

  • C:\wangsit.txt

    Filesize

    416B

    MD5

    8c460e27a1949370d14f20942ef964c3

    SHA1

    fb1f75839903c83911b45b49956792d27db56185

    SHA256

    2c001b5c9684baf861870ffbaf0bec9df22560cdf3cd5a719a78a882e3122f8d

    SHA512

    ad4299385bd91f7157f4d4b01025664333423f15f796a9a70e3f5df251842cdef3ad8f1158dc3c8b51c8ea4d082d62d56a6b57fade7b563fb953f8b511a17bcd

  • F:\autorun.inf

    Filesize

    41B

    MD5

    097661e74e667ec2329bc274acb87b0d

    SHA1

    91c68a6089af2f61035e2e5f2a8da8c908dc93ed

    SHA256

    aab4cf640f2520966a0aac31af8d1b819eea28736c6b103db16b07c3188ec6c0

    SHA512

    e90e678526270cd9388538246793534411c478b082ab914bfe2756b18771229f146c731c0f9c94ed59d8689b2ef77d25f7b22d3d6b8c2d439e5b3437f8dc649e

  • memory/624-316-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/640-329-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/640-341-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/740-291-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/920-247-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/1212-109-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/1212-399-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/1396-0-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/1396-132-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/1464-333-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/1464-324-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/1484-299-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/1484-306-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/1776-395-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/2156-178-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/2156-182-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/2308-102-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/2308-398-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/2636-295-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/2636-312-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/3104-372-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/3116-286-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/3160-282-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/3480-314-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/4040-230-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/4060-402-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/4060-127-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/4476-400-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/4476-116-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/4512-176-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/4512-162-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/4564-121-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/4564-401-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/4572-309-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/4572-297-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/4636-252-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/4640-322-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/4640-310-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/4940-224-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/5052-346-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB