Analysis

  • max time kernel
    149s
  • max time network
    106s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    16-05-2024 06:56

General

  • Target

    b6959f13299705953061b1985cd61720_NeikiAnalytics.exe

  • Size

    45KB

  • MD5

    b6959f13299705953061b1985cd61720

  • SHA1

    84d3789ce1e46d649a1b3b242cea9413a1512d8e

  • SHA256

    9f16094205aa191fbe0048445a35c8f6a0552f40479f836ba6409fe4ee351f7f

  • SHA512

    1d1ca9a3e40b21feac3d1bada310ac1af1537d14ddabb00a8d6c10316fbae4bc8140ec1e6980ee73a8502338019a1ed96b93bd233d6c8775b944614b2b23930f

  • SSDEEP

    768:/h4AXKiTroAq0RB+XPPmNwQLNXEzTxideVASwekft5nEwU:/a8jroAbRB+XWCQLZeIdSwk1

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 12 IoCs
  • Modifies visibility of file extensions in Explorer 2 TTPs 6 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 6 IoCs
  • Disables RegEdit via registry modification 6 IoCs
  • Disables Task Manager via registry modification
  • Disables cmd.exe use via registry modification 6 IoCs
  • Disables use of System Restore points 1 TTPs
  • ASPack v2.12-2.42 17 IoCs

    Detects executables packed with ASPack v2.12-2.42

  • Executes dropped EXE 30 IoCs
  • Loads dropped DLL 5 IoCs
  • Modifies system executable filetype association 2 TTPs 64 IoCs
  • Adds Run key to start application 2 TTPs 24 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 18 IoCs
  • Drops autorun.inf file 1 TTPs 4 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 38 IoCs
  • Drops file in Windows directory 24 IoCs
  • Modifies Control Panel 54 IoCs
  • Modifies Internet Explorer settings 1 TTPs 18 IoCs
  • Modifies Internet Explorer start page 1 TTPs 6 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 5 IoCs
  • Suspicious use of SetWindowsHookEx 31 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b6959f13299705953061b1985cd61720_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\b6959f13299705953061b1985cd61720_NeikiAnalytics.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visibility of hidden/system files in Explorer
    • Disables RegEdit via registry modification
    • Disables cmd.exe use via registry modification
    • Modifies system executable filetype association
    • Adds Run key to start application
    • Modifies WinLogon
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies Control Panel
    • Modifies Internet Explorer settings
    • Modifies Internet Explorer start page
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:4140
    • C:\Windows\babon.exe
      C:\Windows\babon.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Executes dropped EXE
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:1988
      • C:\Windows\babon.exe
        C:\Windows\babon.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetWindowsHookEx
        PID:2712
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        PID:3896
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:1644
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2212
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:1432
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Executes dropped EXE
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops autorun.inf file
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:4172
      • C:\Windows\babon.exe
        C:\Windows\babon.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetWindowsHookEx
        PID:4168
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        PID:1912
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2672
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2364
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:3060
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Executes dropped EXE
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:1212
      • C:\Windows\babon.exe
        C:\Windows\babon.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetWindowsHookEx
        PID:3096
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        PID:3588
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:4740
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:976
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:688
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Executes dropped EXE
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:940
      • C:\Windows\babon.exe
        C:\Windows\babon.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetWindowsHookEx
        PID:4524
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        PID:3760
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:1356
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:3424
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2236
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Executes dropped EXE
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:2692
      • C:\Windows\babon.exe
        C:\Windows\babon.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetWindowsHookEx
        PID:1100
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        PID:4812
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:552
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:4896
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:1388

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\WINDOWS\csrss.exe

    Filesize

    45KB

    MD5

    ef45fd843d69afb6153e052d90cd58b6

    SHA1

    89d267eea43b10b0b8102e0a2255e2468819be5f

    SHA256

    e2277c20e0630c8bbe8b07c07081d1ff7beeeae8c01901aa4935f2b4e56e35c2

    SHA512

    8207c5e047f523b40c55f4560669aca8fe598c55a20af66173f53830d5fad664b4f011fb2bce63d8dfe9934acb03fc947014c769ff3b0a4f2a5c42ddf1a05ab4

  • C:\Users\Admin\AppData\Local\WINDOWS\lsass.exe

    Filesize

    45KB

    MD5

    4829f0f8cbd32ae39fd6e0210f1925da

    SHA1

    23328757babfe269d632b586c0d50f3c85dd9ebd

    SHA256

    36309c337206b6c43e9087886dcabbcd2e68d21b754cd8511d12cd8a7677282c

    SHA512

    bed9fa0b72b0023770132bbbacc5c6f224620a71cb354f5e94179118bb2b7ff3990b80960e01801e59eb060f7b93111628678b069e677a2cfb4950ed97d53d35

  • C:\Users\Admin\AppData\Local\WINDOWS\winlogon.exe

    Filesize

    45KB

    MD5

    189163c8ad3dc01b0dfb3291c156c536

    SHA1

    da872cf97d45716ae5b0bb192781cf09e758f508

    SHA256

    9897bd7ff419d56831e9ef5f9fd23168d46c0c3d5497144e6f81f78330d22d1d

    SHA512

    c55c445a2d667055d480acce87cc253e05595dc69019f99be14969739d4e8b1635c171048439bda9b2ea3c8be88935c353e7dbd6d3001ac70e10bf188515b076

  • C:\Users\Admin\AppData\Local\winlogon.exe

    Filesize

    45KB

    MD5

    b6959f13299705953061b1985cd61720

    SHA1

    84d3789ce1e46d649a1b3b242cea9413a1512d8e

    SHA256

    9f16094205aa191fbe0048445a35c8f6a0552f40479f836ba6409fe4ee351f7f

    SHA512

    1d1ca9a3e40b21feac3d1bada310ac1af1537d14ddabb00a8d6c10316fbae4bc8140ec1e6980ee73a8502338019a1ed96b93bd233d6c8775b944614b2b23930f

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\smss.exe

    Filesize

    45KB

    MD5

    79d874e08ac0cf572ae8d454eb5b3732

    SHA1

    10ebd5b352d54f96b6c01ee4757728d90753db60

    SHA256

    1cee494308fec9ad8943b753b0095a313bcc6e94e9a0fcb3dedb98d641ba4214

    SHA512

    cce40818a4c02f4866ece68ac1cbb25abf4f951d7d520a800becdd5625ff0f32d9729415e03b5d75258c1beb9f5b380e5ac201c12f37e52cefc19a9b087437f4

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\smss.exe

    Filesize

    45KB

    MD5

    58b162edf991484544b61b9b5d2a540c

    SHA1

    efc4a0adc8d42f1b05d08da789774b30eab8a6d2

    SHA256

    5f8985c32926b02f72ff26929fe4ba00fa83e1a068d3323c5f8cde630e674ea6

    SHA512

    f849f0f3062607fcf3e9656364e8d06992d8f714bd3e1192265b95e5c79314fd3a5f24200b318d49313890fb9429126bc7cb6d701d208037696a585d678ad5d3

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\smss.exe

    Filesize

    45KB

    MD5

    bed75d0c3edd2358f0a0c56feddd11bd

    SHA1

    5111b27816a7b45d0a6242dceae3f9b07cca08c9

    SHA256

    5e9cf8175aea9c08ca5d8396f3ca74d7dc51e69678bfc75a7c6f576809c10c85

    SHA512

    f1e23e316b6e812751f015c26127c58fdc121d1089742aeb56b94b452c0d95e86bb125de7b982939e31e9db16280bec99077ed0f2eccefec4b7d40354cb7f6aa

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\smss.exe

    Filesize

    45KB

    MD5

    749b5ee9a155a085cd65c1386052344c

    SHA1

    883fe7547497d1477933f8e7b2f1eca28079d24d

    SHA256

    820352e4e6aa1219a56faaf8ab099d3802c58453b0c4a2c1a25011140f8462d3

    SHA512

    58faa85d4a050f463a60959eeba19b1a4d7e560073c9c97ba9bbdf24e11fb2d8a2841a40b6032272b384f0f590c96996d9553b510defabe0876b05d88bd62315

  • C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif

    Filesize

    45KB

    MD5

    fa54f1fc054264e0c0900c4d7d1fbf07

    SHA1

    735487ee0d90b9725da3b4ea28f502fc3236dbac

    SHA256

    fa1b82ca7cc1dd6d392db350625e7a4a2a9e34b4f27949ac767cc2d1b307c8f2

    SHA512

    e4c758f763c6f1761e2a3108fac0c479bf7f07152c2a9054f197ad5a3f62e62429428b9491c6dd5cf891cd99b4e7e5e080981b3c4fcc673651d75abeb6ad4597

  • C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif

    Filesize

    45KB

    MD5

    4aef22a1bd8b5d349aefe6205ecb7d9d

    SHA1

    7d8086cd824b214e902258896498eda23babed78

    SHA256

    08c30fdc31d6770d8fc5203fb55f53a717f2b93855e4441c63058856c4ea0a39

    SHA512

    fe6ba891c290c43fcf24e90a890fa77868c0bfd9ff8fa91ddd38fb68cde924f39bdc6f938729ace0c907226fc144da2218e73ed401c8c6099f6e0105d5351a7e

  • C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif

    Filesize

    45KB

    MD5

    1e799c79f752172a82f623ba1888204e

    SHA1

    ff65a74bb0280c4b7c910bdd246c59386083170e

    SHA256

    e784d1815e97c65c57f5b0e509a675d5259800e30bc15c873aa3be85d0020b13

    SHA512

    c281e909ee632ad5d8142c19f21df33f6585fa96cc95a4f2eb445d53510580e1d6ed04f594ea9dedc2cb21b67fb6d286389d92525a5e0af19a8097249054ff5c

  • C:\Windows\SysWOW64\IExplorer.exe

    Filesize

    45KB

    MD5

    76513f6923809023e272e1a50109a117

    SHA1

    7567bfed677ebc7f67cf10ce796421dcdaaff3ac

    SHA256

    572f410127454b80cd67e73d83e6ebedd9e47bf9cce18e64e7b68673f9bc7750

    SHA512

    651287848b2bb020a8f76df93f763339441d1c5fe08a4e0207a8acc69db1eb2dd625b98695157c81bdbc960330e4d18707bdb002fb9f59754cdb4202dc92fdfb

  • C:\Windows\SysWOW64\babon.scr

    Filesize

    45KB

    MD5

    4c7e01472a1fa6922abe66f1cdb58b73

    SHA1

    b4645ae19d762247eac90c8fb212ca5783707903

    SHA256

    59b3e3a19108ff2ecef78c5caf1103acd1b09792db29a0f5b3f0c6d1f7c0d07e

    SHA512

    6eb29c6e480374d6ba2aacb7ab77cf3af40caa60eb44e419360f2548682768190bbc60cb359a46f78e342d43e4ffeaf281581dcefef88a15b6dc7af6ae770bc1

  • C:\Windows\SysWOW64\shell.exe

    Filesize

    45KB

    MD5

    a7241f475f543afa0772cb4b9d8b9d69

    SHA1

    b04787f0bb76904837e9c0f89884d9f82f47c830

    SHA256

    d0648ae0946c840ec58eb2e1be8d86fd95a63dacab53cdd3dc845595f9c189fb

    SHA512

    052e9dff3e2dd2be98df2cfa898ec81015dba574eebd82a4ac1a918e7f91d45b2ab752591e50b40eebf281df1da67dba34e9c6ed74074c870d18afee63e039ad

  • C:\Windows\babon.exe

    Filesize

    45KB

    MD5

    69998f68da9cc7f0821e472840a59dd1

    SHA1

    9e10da6adc68da4f819dd9d5c9a4bf09ef4cce1a

    SHA256

    1a693d7047686196ae602f6b73c9f70b1c093f9cdc936317b5616e0f7e129079

    SHA512

    61ca6f15f9b2ffc3a6bd3b162ec37794d596e532c27e267a3622a754770bb274055b75e80422f11dd6633315dff91795cb35171135fc561efa493bc0e7f8a2d5

  • C:\Windows\msvbvm60.dll

    Filesize

    1.4MB

    MD5

    25f62c02619174b35851b0e0455b3d94

    SHA1

    4e8ee85157f1769f6e3f61c0acbe59072209da71

    SHA256

    898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

    SHA512

    f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

  • C:\babon.exe

    Filesize

    45KB

    MD5

    f5075df2fe01809a46d1411d10565cea

    SHA1

    b16d791c995fcdccf009019c50453b681b3529eb

    SHA256

    24fb70eea70732ba7e2dcd4cad76ef07e76296f9185796c167f85ce2fcc1e857

    SHA512

    59099591da982ae13970da1595dae79c5aa9031cb963fa53143ecba1a380023dfc60c56790b1516184fe8ad30c007ae3b1ede7060670d4635f392041067d7355

  • C:\babon.exe

    Filesize

    45KB

    MD5

    2e87a571ea5d8c8b219f7979be91d524

    SHA1

    a9521b95e1f8194dfa4761160893d2715b7e2801

    SHA256

    729ee340b735110f230584aa762304f03568cf11da6650b9ae19a7dda08f1e54

    SHA512

    6dfb822627a6cb1da5214424bc089c1bb4a103bf615edf2a74e385aee343342eb283f280b10f9c12bb58c0a7bb4e0e8d4b828d7aea0aafe4585a3c8405a3b861

  • C:\wangsit.txt

    Filesize

    416B

    MD5

    8c460e27a1949370d14f20942ef964c3

    SHA1

    fb1f75839903c83911b45b49956792d27db56185

    SHA256

    2c001b5c9684baf861870ffbaf0bec9df22560cdf3cd5a719a78a882e3122f8d

    SHA512

    ad4299385bd91f7157f4d4b01025664333423f15f796a9a70e3f5df251842cdef3ad8f1158dc3c8b51c8ea4d082d62d56a6b57fade7b563fb953f8b511a17bcd

  • F:\autorun.inf

    Filesize

    41B

    MD5

    097661e74e667ec2329bc274acb87b0d

    SHA1

    91c68a6089af2f61035e2e5f2a8da8c908dc93ed

    SHA256

    aab4cf640f2520966a0aac31af8d1b819eea28736c6b103db16b07c3188ec6c0

    SHA512

    e90e678526270cd9388538246793534411c478b082ab914bfe2756b18771229f146c731c0f9c94ed59d8689b2ef77d25f7b22d3d6b8c2d439e5b3437f8dc649e

  • memory/552-357-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/688-389-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/688-384-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/940-122-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/940-397-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/1100-302-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/1100-287-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/1212-396-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/1212-116-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/1356-366-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/1388-381-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/1432-370-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/1432-362-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/1644-276-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/1644-290-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/1912-244-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/1912-247-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/1988-394-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/1988-102-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/2212-299-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/2236-393-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/2364-322-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/2672-293-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/2672-285-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/2692-398-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/2692-128-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/2712-162-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/2712-194-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/3060-354-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/3060-330-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/3096-304-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/3424-371-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/3588-311-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/3588-324-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/3760-326-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/3760-310-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/3896-242-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/3896-184-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/4140-0-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/4140-132-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/4168-234-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/4172-395-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/4172-107-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/4524-313-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/4524-288-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/4740-368-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/4740-355-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/4812-318-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/4812-300-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB