Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system
  • submitted
    16-05-2024 08:06

General

  • Target

    c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe

  • Size

    45KB

  • MD5

    c458461bf6c48e025687b6e7b8138b50

  • SHA1

    055059f5fcbdec89225b4ca30133e5356cd99f4e

  • SHA256

    ed7ccce61dfecef83e0ce4f61613ef4a35b36bae4490d30e19ea947b34f0a519

  • SHA512

    4edcba0ee1f988f4647fb0da82d8f15985dc6df4e721f7efc3113931d67b1d355cceea9eb1ccdd3c589fd372f7640de946c28f9778ccbea7731b02db803b0159

  • SSDEEP

    768:/h4AXKiTroAq0RB+XPPmNwQLNXEzTxideVASwekft5nEw2r:/a8jroAbRB+XWCQLZeIdSwkhr

Malware Config

Signatures

  • Modifies WinLogon for persistence (2 TTPs, 12 IoCs)
  • Modifies visibility of file extensions in Explorer (2 TTPs, 6 IoCs)
  • Modifies visibility of hidden/system files in Explorer (2 TTPs, 6 IoCs)
  • Disables RegEdit via registry modification (6 IoCs)
  • Disables Task Manager via registry modification
  • Disables cmd.exe use via registry modification (6 IoCs)
  • Disables use of System Restore points (1 TTP)
  • ASPack v2.12-2.42 (21 IoCs)

    Detects executables packed with ASPack v2.12-2.42

  • Executes dropped EXE (30 IoCs)
  • Loads dropped DLL (5 IoCs)
  • Modifies system executable filetype association (2 TTPs, 64 IoCs)
  • Adds Run key to start application (2 TTPs, 24 IoCs)
  • Enumerates connected drives (3 TTPs, 64 IoCs)

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon (2 TTPs, 18 IoCs)
  • Drops autorun.inf file (1 TTP, 4 IoCs)

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory (38 IoCs)
  • Drops file in Windows directory (24 IoCs)
  • Modifies Control Panel (54 IoCs)
  • Modifies Internet Explorer settings (1 TTP, 18 IoCs)
  • Modifies Internet Explorer start page (1 TTP, 6 IoCs)
  • Modifies registry class (64 IoCs)
  • Suspicious behavior: EnumeratesProcesses (2 IoCs)
  • Suspicious behavior: GetForegroundWindowSpam (5 IoCs)
  • Suspicious use of SetWindowsHookEx (31 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)
  • System policy modification (1 TTP, 12 IoCs)
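The registry-based signatures above (RegEdit, Task Manager and cmd.exe disabled, System Restore disabled, Winlogon and the exefile association changed, Run keys added) are all things a responder can re-check on a suspect host. The report names the behaviours but does not print the values written, so the script below is an added example, not the sandbox's own detection code: the key paths and clean defaults are the standard Windows locations for those settings, and SAMPLE_VALUES is a constructed registry snapshot in (key, value name, data) form that models what such a sample leaves behind; nothing in it is copied from the report. On a live host the triples would come from winreg or `reg query`; the evaluation logic is the same.

```python
"""Evaluate registry state against the tampering signatures in the report.

Added example for this page, not code from the sandbox. Key paths and clean
defaults are the standard Windows locations; SAMPLE_VALUES is constructed.
"""
import re
from typing import Iterable

POLICIES = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies"
WINLOGON = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
RUN_KEYS = {
    r"hkcu\software\microsoft\windows\currentversion\run",
    r"hklm\software\microsoft\windows\currentversion\run",
}

# Report signature -> (key, value name, clean data). A value that exists and
# differs from the clean data is a finding; an absent policy value is clean
# because Windows treats a missing policy value as "not set".
EXACT_RULES = [
    ("Disables RegEdit via registry modification",
     POLICIES + r"\System", "DisableRegistryTools", 0),
    ("Disables Task Manager via registry modification",
     POLICIES + r"\System", "DisableTaskMgr", 0),
    ("Disables cmd.exe use via registry modification",
     POLICIES + r"\Windows\System", "DisableCMD", 0),
    ("Disables use of System Restore points",
     r"HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore", "DisableSR", 0),
    ("Modifies WinLogon for persistence", WINLOGON, "Shell", "explorer.exe"),
    ("Modifies WinLogon for persistence", WINLOGON, "Userinit",
     r"C:\Windows\system32\userinit.exe,"),
    ("Modifies system executable filetype association",
     r"HKCR\exefile\shell\open\command", "(Default)", '"%1" %*'),
]

# Heuristic for Run keys (legitimate software uses them too): flag targets in
# user-writable locations or targets named like core Windows processes.
USER_WRITABLE = re.compile(r"^[A-Za-z]:\\(Users\\|ProgramData\\|Windows\\Temp\\)", re.I)
SYSTEM_NAMES = {"winlogon.exe", "csrss.exe", "lsass.exe", "smss.exe", "explorer.exe"}


def _exe_path(cmdline: str) -> str:
    """Strip quotes and arguments from a Run-key command line."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        return cmdline[1:cmdline.find('"', 1)]
    return cmdline.split(" ", 1)[0]


def evaluate(values: Iterable[tuple[str, str, object]]) -> list[dict]:
    """Return one finding per tampered value; `values` are (key, name, data)."""
    values = list(values)
    findings = []
    norm = {(k.lower(), n.lower()): d for k, n, d in values}
    for signature, key, name, clean in EXACT_RULES:
        if (key.lower(), name.lower()) not in norm:
            continue
        data = norm[(key.lower(), name.lower())]
        if isinstance(clean, str):
            tampered = str(data).strip().lower() != clean.lower()
        else:
            tampered = data != clean
        if tampered:
            findings.append({"signature": signature, "key": key, "name": name, "data": data})
    for key, name, data in values:
        if key.lower() in RUN_KEYS and isinstance(data, str):
            path = _exe_path(data)
            base = path.rsplit("\\", 1)[-1].lower()
            if USER_WRITABLE.match(path) or base in SYSTEM_NAMES:
                findings.append({"signature": "Adds Run key to start application",
                                 "key": key, "name": name, "data": data})
    return findings


# Constructed snapshot (not from the report): five tampered values followed by
# clean values that must not be reported. The Run-key target reuses a dropped
# path from the process list above; the value name "Windows" is hypothetical.
SAMPLE_VALUES = [
    (POLICIES + r"\System", "DisableRegistryTools", 1),
    (POLICIES + r"\System", "DisableTaskMgr", 1),
    (POLICIES + r"\Windows\System", "DisableCMD", 2),
    (WINLOGON, "Shell", r"explorer.exe C:\Users\Admin\AppData\Local\WINDOWS\csrss.exe"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "Windows",
     r"C:\Users\Admin\AppData\Local\WINDOWS\winlogon.exe"),
    (WINLOGON, "Userinit", r"C:\Windows\system32\userinit.exe,"),
    (r"HKCR\exefile\shell\open\command", "(Default)", '"%1" %*'),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "SecurityHealth",
     r"C:\Windows\system32\SecurityHealthSystray.exe"),
]

if __name__ == "__main__":
    for f in evaluate(SAMPLE_VALUES):
        print(f"{f['signature']}: {f['key']}\\{f['name']} = {f['data']!r}")
```

The Explorer visibility signatures are deliberately left out of the exact-match rules: the values such a sample writes (hide extensions, hide hidden and system files) coincide with the Windows defaults, so a state comparison cannot tell them from an untouched host; those are only detectable from the write itself, as the sandbox does.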

Processes

  • C:\Users\Admin\AppData\Local\Temp\c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visibility of hidden/system files in Explorer
    • Disables RegEdit via registry modification
    • Disables cmd.exe use via registry modification
    • Modifies system executable filetype association
    • Adds Run key to start application
    • Modifies WinLogon
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies Control Panel
    • Modifies Internet Explorer settings
    • Modifies Internet Explorer start page
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:3196
    • C:\Windows\babon.exe
      C:\Windows\babon.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Executes dropped EXE
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:4972
      • C:\Windows\babon.exe
        C:\Windows\babon.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetWindowsHookEx
        PID:684
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        PID:1804
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2460
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:3720
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:1880
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Executes dropped EXE
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops autorun.inf file
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:4140
      • C:\Windows\babon.exe
        C:\Windows\babon.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetWindowsHookEx
        PID:4340
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        PID:5040
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:452
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:4992
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2116
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Executes dropped EXE
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:3528
      • C:\Windows\babon.exe
        C:\Windows\babon.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetWindowsHookEx
        PID:4196
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        PID:1276
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2524
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:3664
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:1972
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Executes dropped EXE
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:2920
      • C:\Windows\babon.exe
        C:\Windows\babon.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetWindowsHookEx
        PID:4296
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        PID:5104
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2604
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:3764
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:1548
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Executes dropped EXE
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:5092
      • C:\Windows\babon.exe
        C:\Windows\babon.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetWindowsHookEx
        PID:3444
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        PID:2324
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:4184
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2484
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:3480
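The process tree above shows winlogon.exe, csrss.exe and lsass.exe running from a user profile directory with a user-land parent (babon.exe or the dropper), while the real ones live in C:\Windows\System32 and are started by smss.exe or wininit.exe; it also shows babon.exe and IExplorer.exe launching copies of themselves. The script below is an added example of turning those two observations into checks over a process list; it is not tooling from the sandbox. SAMPLE_TREE is constructed in (pid, ppid, image path) form from the PIDs and paths in the report, with parent PIDs following the nesting shown, plus a constructed legitimate boot chain and an explorer.exe parent (PID 1000, hypothetical) so that the checks have clean rows to ignore.

```python
"""Flag system-process masquerading and self-replication in a process list.

Added example for this page, not the sandbox's own logic. EXPECTED encodes
where each core Windows process binary lives and which parents start it.
SAMPLE_TREE is constructed from the report's process list.
"""
import ntpath

# name -> (expected directory, lowercase; parent image names allowed to start it)
EXPECTED = {
    "smss.exe":     (r"c:\windows\system32", {"system", "smss.exe"}),
    "csrss.exe":    (r"c:\windows\system32", {"smss.exe"}),
    "wininit.exe":  (r"c:\windows\system32", {"smss.exe"}),
    "winlogon.exe": (r"c:\windows\system32", {"smss.exe"}),
    "services.exe": (r"c:\windows\system32", {"wininit.exe"}),
    "lsass.exe":    (r"c:\windows\system32", {"wininit.exe"}),
    "svchost.exe":  (r"c:\windows\system32", {"services.exe"}),
}


def find_masquerades(tree):
    """Return (pid, image, reasons) for core-process names in the wrong place
    or with the wrong parent. `tree` rows are (pid, ppid, image path)."""
    by_pid = {pid: (ppid, image) for pid, ppid, image in tree}
    findings = []
    for pid, ppid, image in tree:
        name = ntpath.basename(image).lower()
        if name not in EXPECTED:
            continue
        exp_dir, exp_parents = EXPECTED[name]
        reasons = []
        if ntpath.dirname(image).lower() != exp_dir:
            reasons.append(f"runs from {ntpath.dirname(image)} instead of {exp_dir}")
        parent_image = by_pid.get(ppid, (None, "<unknown>"))[1]
        parent_name = ntpath.basename(parent_image).lower()
        if parent_name not in exp_parents:
            reasons.append(f"parent {parent_name} (pid {ppid}) not in {sorted(exp_parents)}")
        if reasons:
            findings.append((pid, image, reasons))
    return findings


def self_spawns(tree):
    """Return (parent pid, child pid) where a process launched its own image."""
    by_pid = {pid: (ppid, image) for pid, ppid, image in tree}
    return [(ppid, pid) for pid, ppid, image in tree
            if ppid in by_pid and by_pid[ppid][1].lower() == image.lower()]


# Constructed from the report's process list (first block) plus a constructed
# legitimate boot chain (second block) that must produce no findings.
USERDIR = r"C:\Users\Admin\Local Settings\Application Data\WINDOWS"
SAMPLE_TREE = [
    (1000, 0, r"C:\Windows\explorer.exe"),                      # hypothetical parent
    (3196, 1000, r"C:\Users\Admin\AppData\Local\Temp\c458461bf6c48e025687b6e7b8138b50_NeikiAnalytics.exe"),
    (4972, 3196, r"C:\Windows\babon.exe"),
    (684,  4972, r"C:\Windows\babon.exe"),
    (1804, 4972, r"C:\Windows\SysWOW64\IExplorer.exe"),
    (2460, 4972, USERDIR + r"\winlogon.exe"),
    (3720, 4972, USERDIR + r"\csrss.exe"),
    (1880, 4972, USERDIR + r"\lsass.exe"),
    (4140, 3196, r"C:\Windows\SysWOW64\IExplorer.exe"),
    (4340, 4140, r"C:\Windows\babon.exe"),
    (5040, 4140, r"C:\Windows\SysWOW64\IExplorer.exe"),
    (3528, 3196, USERDIR + r"\winlogon.exe"),
    (2920, 3196, USERDIR + r"\csrss.exe"),
    (5092, 3196, USERDIR + r"\lsass.exe"),
    (4,   0,   "System"),
    (400, 4,   r"C:\Windows\System32\smss.exe"),
    (520, 400, r"C:\Windows\System32\csrss.exe"),
    (600, 400, r"C:\Windows\System32\wininit.exe"),
    (700, 600, r"C:\Windows\System32\lsass.exe"),
]

if __name__ == "__main__":
    for pid, image, reasons in find_masquerades(SAMPLE_TREE):
        print(f"pid {pid} {image}: " + "; ".join(reasons))
    for parent, child in self_spawns(SAMPLE_TREE):
        print(f"pid {parent} launched a copy of itself as pid {child}")
```

The two checks are independent on purpose: the masquerade check only looks at rows whose image name is a core Windows process, so the dropper, babon.exe and IExplorer.exe rows are invisible to it, and the self-spawn check is what catches those. Each masquerading row in the sample fails both the directory and the parent test; a single failing test is still worth reporting, since a copy in System32 started by the wrong parent or a correct parent starting a copy elsewhere are both abnormal.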

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\WINDOWS\csrss.exe

    Filesize

    45KB

    MD5

    29e64c2e4ae1a9ce51f6e7a34f74bac4

    SHA1

    93ec0f121fe5473b6b8ab91d89aaaaaf5d7da6c3

    SHA256

    345ca22084952109aa281f0b95daa35e84b20d41291b9ece8668be3652ed9cf4

    SHA512

    92100dbe890c386ecaee91f511e0374011df818ee0cb2f5beee9e70ccddd3b32891746a82b90b6b7dff20ce16141ca902f589b903c29267fcfe168bb1fd25cc2

  • C:\Users\Admin\AppData\Local\WINDOWS\lsass.exe

    Filesize

    45KB

    MD5

    b8590d95906eca765ce01488a0556694

    SHA1

    948d09585bb93c864d813f4021857698546fbb23

    SHA256

    fd8b33da4f3379784546f2d5c738175fc0f9834601d0b751443b042163bd0c9d

    SHA512

    99d1598c7878ecf598ad02b1976f89c4a129c70751df4d0723fb9b660df3d0af0689fc5867b0bfe2f131b5c89e350dff9dabbb57265e4b566b9123a1a55d6e82

  • C:\Users\Admin\AppData\Local\WINDOWS\winlogon.exe

    Filesize

    45KB

    MD5

    880538b07df6cb5e777429f61aa77f2a

    SHA1

    e6f6f80c1a5225d624c3c9bcface192657bbf435

    SHA256

    017735a6484b834b0ed2560507dd9c1d49fee18ec49cac4e52fab5eb3dbdd74a

    SHA512

    cd3a1ec4a31ae4e5e32bc7ea49912e808eb7e95fd62c4af054b57a1663c7330fa5f7daa4261ecc1b70e45b7ec3abdedc11a04c3fba03497698aac7b2bcb97454

  • C:\Users\Admin\AppData\Local\winlogon.exe

    Filesize

    45KB

    MD5

    c458461bf6c48e025687b6e7b8138b50

    SHA1

    055059f5fcbdec89225b4ca30133e5356cd99f4e

    SHA256

    ed7ccce61dfecef83e0ce4f61613ef4a35b36bae4490d30e19ea947b34f0a519

    SHA512

    4edcba0ee1f988f4647fb0da82d8f15985dc6df4e721f7efc3113931d67b1d355cceea9eb1ccdd3c589fd372f7640de946c28f9778ccbea7731b02db803b0159

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\smss.exe

    Filesize

    45KB

    MD5

    933649237612e7dd81ef90c7aae258da

    SHA1

    0696f1f49a5da1ac3c7f81d16ce7eaf8ad9180d2

    SHA256

    e5783d85b30227667450f497e40385dade538aaaa6fbf1e2ec2f76263bd411cd

    SHA512

    7a817a474e68a59d01db7e37ce09ceeaf73951c2acce0e3c19d82518ed32bdc05257062c92648c5cfc638c7699ecde91582d96cdf5ca801556c9cdc03857b7f1

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\smss.exe

    Filesize

    45KB

    MD5

    6cb2f5ec12e8f69fd42048fbc1093e9b

    SHA1

    1b9435c7dedbd30541a7d635dbc1df5fa3d7ae1b

    SHA256

    793e74a9c3274f951d1747b57d58d215741c4accda6aa12ba4abb27401952a74

    SHA512

    621cce3803e8571feaab679a8a6c38214764feb64d9f77fa75521bcfe4a340de1b5f79ba86e727ee47eb0172b6052fff449a0db110f2a2cc5f751031353e449e

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\smss.exe

    Filesize

    45KB

    MD5

    4988789b6ca75ab84063e4939737bfe6

    SHA1

    b64241db750388770e95ed24f7d222222506c2d0

    SHA256

    a94f876201c99fe148f86d2a4d2d626ccb5f0be650d2af80a40a8e457581220e

    SHA512

    fe2c3a635d207dc1ce7a452f632752a9cbad911ef8356b78feb8af70060a93abc104fce96c3c69b1b790a0250f72d2f98d08134c2e01b84d2f71ea797dd653a5

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\smss.exe

    Filesize

    45KB

    MD5

    f1dd70290c3f5ed449bf4d981f026c90

    SHA1

    b890a8852c57ecef1fae524fb5eaea5d5b0cecc4

    SHA256

    8fa950a0e913273a3c2d0cd045d591cdf3e9f3152a669530265e1cbb2c2f6705

    SHA512

    86912408d4d20ee4a82fc117dae6a4629842d1d020240b200a35376a654b2a111d8b14c70410c3459545c87fa596885ac872eb083673679c3dafa0e6ffb68cc2

  • C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif

    Filesize

    45KB

    MD5

    f663619057d9d3eee6f25fcee412eef5

    SHA1

    67b41c9921232f09e7436c560270b1af7223c4b1

    SHA256

    fcfef41a7294d913cc04563201341e5ea8bb52983ea90f94869a1a9ec0ae3b7c

    SHA512

    8e89afd505484b17183c22adce439f325eea78b2fd804aa49b4ddb1c9a0bfe1a502c231bab88a3e39a93cf6f5e77ef4bdaa9c1be795bf0cc570eb9c33c6a57b3

  • C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif

    Filesize

    45KB

    MD5

    da3edb285a3b6b7ca8c92906e69bba8b

    SHA1

    4507c8f132d17aa3649ab6fae7c18bd4c7939696

    SHA256

    e4cce1f46098a726d7e17983d092ec97339ffe0d39b49da32bb055adb508cbbc

    SHA512

    8bb3e55ca7237a4c8ae678009175d2bbbfa9d38317c08ae923679fe11960267fff41cd1f63b8e1502a9d3fc63dee426f0217512ad6f8a16d8a3b4ddd7cd8e598

  • C:\Windows\SysWOW64\IExplorer.exe

    Filesize

    45KB

    MD5

    b54b61e48ced870675413271a2703401

    SHA1

    faf649c93e8e9cf98c4d1941e381c4f0ad74d0cc

    SHA256

    71746774a8a1498b4f3f58001a4d4566fec4fc4f42eeab17ab3301982b138e9f

    SHA512

    f158d361c69617ca34b6bac6adac4c59f0e2d5caee99034db89f6572dcabd37ff41e440829fe146f618ea89ebbc4da94785f966ac18689841a8a7011e9436101

  • C:\Windows\SysWOW64\babon.scr

    Filesize

    45KB

    MD5

    166b5268160fa9fdff079e8e49b1de04

    SHA1

    383b8f2d7d1164714be5143d8327208664d0a1a5

    SHA256

    660f580c487e4799a8ff26086419e46f7cc7866e5d6d2707b3fae1d5a81c5bdf

    SHA512

    383fabb556f0f688b3c342e2149f500e8378c275d0688d2eb19ce6090dc63292bed8a7a7151c4ae6870c44a50874db1042508f3eaaf9313777cc3d4ef6894306

  • C:\Windows\SysWOW64\babon.scr

    Filesize

    45KB

    MD5

    5cca73056e07503f9aac24c56ca0a806

    SHA1

    667613347876995f375aca7257b74e0b025f5be6

    SHA256

    047729308eb3363081ada701bd0585d3c4b34d95755b6cacc4ad674a2c23d896

    SHA512

    ea95b3cd630f833045f5eebe6dac96f858ae6b70f97e32883be9d9c319fe7e38405c42c6f08543f92b1e0eff2aed204479a46719eb704680c25c6f33e8bd8757

  • C:\Windows\SysWOW64\babon.scr

    Filesize

    45KB

    MD5

    aced98ed4a71d0c136e13524158b29bd

    SHA1

    b12404e9dbd513b8cdccfe12cd3fab02870f677b

    SHA256

    5dc36683393c275ea05af4690343d5b2e8375b0a2733c6a52095d54496b51876

    SHA512

    412eb11f60bc84924dd2187891bfa6721af59f531dbfa7cf44e91858d3c60da6d1d03b8d3203bbf56f535b621fd71b94c914783e437fdfddf231ecf26b3b98d9

  • C:\Windows\SysWOW64\shell.exe

    Filesize

    45KB

    MD5

    6da94b7492972aa1c17aa65237cc1a68

    SHA1

    223b1fb4cdeb68ae8320f187babd63f05c3cc54b

    SHA256

    22c1e36eae4b639b1fa8fe4995854b4689dea7f34342f8a29b7f46825c9763ab

    SHA512

    d0b141f26afaef16532d5b394156f7e2d68dd27c088f5760546b3ad6f869c85673e23841c03da5dce9178701aed5710cef36dc7d12564b4ba34f56ea88bbf41c

  • C:\Windows\SysWOW64\shell.exe

    Filesize

    45KB

    MD5

    c13dbc1ddd4970c6ea0aea4486155a62

    SHA1

    ec63c3bcab09bdb33e03f58a65c0d9954caabfaa

    SHA256

    53f468e28a279b9c94470f979bcf3411ca6d2b8bcceca3352c1535cc70a5527d

    SHA512

    f1e2679a9024b1a63d2415d9d5de45f0542507f529264dc008ffe750a2b38072fc0173747257a329515ca07ece9af61602ab5a019b187d23dd396991dac3b0c4

  • C:\Windows\SysWOW64\shell.exe

    Filesize

    45KB

    MD5

    ced665d0c5d8b98896c3e1986cd62877

    SHA1

    e3dd1625610851e05fbb2f7dd764dbf9f6fc7f17

    SHA256

    bae4017ddbb9fb9fe174459d88eb7f31c9826be587316413e0190874b60a71e7

    SHA512

    c695eb1e7dd5a551a2ee62a6919f829fc99d499bce1054e58c3553904d9ecd31f1da50c00c9c03fa7ca5e832be4b3d7d980ca8f64d9036a39ddaa1db45065a7d

  • C:\Windows\babon.exe

    Filesize

    45KB

    MD5

    821cd36dcde607c9a47cf28897b59504

    SHA1

    6a9f1320354cef725d67e53909296ce38f4c68c4

    SHA256

    290282ffdb8f4302a898bf42402abcdf2684105f7aeccb38e1f4ffd3766544bd

    SHA512

    14dfc5c20a10eb62d0b0467ba655e3e892da774e63d97205b6ee1a78d048f29d6574ec9189e7bd48feefdd695a49d4366bcd81d9dd31b7fa1ef246f36de76f78

  • C:\Windows\msvbvm60.dll

    Filesize

    1.4MB

    MD5

    25f62c02619174b35851b0e0455b3d94

    SHA1

    4e8ee85157f1769f6e3f61c0acbe59072209da71

    SHA256

    898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

    SHA512

    f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

  • C:\babon.exe

    Filesize

    45KB

    MD5

    880bb54f6a931d46b393f618cc10c454

    SHA1

    7b91c093c1d3b6725eed928a6938ebcfd2600aee

    SHA256

    87d0a9f7a165fd456509bebb281a6238602ad7229545b6e0bce5c667e6d579f4

    SHA512

    487b7e0995c91dc7172a9b00fd723fef1b3b171d5fb570398f8e551d0fa2db9e99fbc7a9785621756f91d73cfd535208c5247c3c4224327ae5831a29beda6248

  • C:\babon.exe

    Filesize

    45KB

    MD5

    5e103c3bed0b0c07047a7bbe05f85013

    SHA1

    89c02b436ba14e66a145ae111b1c0ff9843e7e47

    SHA256

    f0bfbbd118df7f6b1d9bc787d703ee48ee734d73b7c8c0ac9781f5111741d9ad

    SHA512

    6051a86764f8b470b2bce39ffcbf9080fc9a73fae89cdab6bab2fca6bba71a7d1d70d0da939f2e66cf7c3a61b1a1db57d310bc0e2ecc3d105d80abea3e77e9ec

  • C:\babon.exe

    Filesize

    45KB

    MD5

    8abf53bcbdd28ebdc0f6232f65ed52fa

    SHA1

    efdead3ff914d7ff68f47701118350869194fe6c

    SHA256

    115bc5f860a97cea12dbf64fa87a4cd17d44f34ed7d819757c765ba0a9506315

    SHA512

    c40acb9a8f7fb705d14f1fa1924b476f70e1688dba410613a7955af8e8f96bf20968f8cd3cdf34456c211e2bf2ff442c519ed5867d199deb7b22856d365b76dd

  • C:\wangsit.txt

    Filesize

    416B

    MD5

    8c460e27a1949370d14f20942ef964c3

    SHA1

    fb1f75839903c83911b45b49956792d27db56185

    SHA256

    2c001b5c9684baf861870ffbaf0bec9df22560cdf3cd5a719a78a882e3122f8d

    SHA512

    ad4299385bd91f7157f4d4b01025664333423f15f796a9a70e3f5df251842cdef3ad8f1158dc3c8b51c8ea4d082d62d56a6b57fade7b563fb953f8b511a17bcd

  • F:\autorun.inf

    Filesize

    41B

    MD5

    097661e74e667ec2329bc274acb87b0d

    SHA1

    91c68a6089af2f61035e2e5f2a8da8c908dc93ed

    SHA256

    aab4cf640f2520966a0aac31af8d1b819eea28736c6b103db16b07c3188ec6c0

    SHA512

    e90e678526270cd9388538246793534411c478b082ab914bfe2756b18771229f146c731c0f9c94ed59d8689b2ef77d25f7b22d3d6b8c2d439e5b3437f8dc649e

  • memory/452-218-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/684-252-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/1276-346-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/1548-386-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/1548-394-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/1804-247-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/1804-305-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/1972-391-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/1972-380-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/2116-316-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/2324-362-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/2460-310-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/2524-357-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/2524-364-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/2604-366-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/2604-358-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/2920-401-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/2920-122-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/3196-131-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/3196-0-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/3444-349-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/3480-397-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/3528-116-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/3528-400-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/4140-399-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/4140-108-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/4184-370-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/4184-377-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/4196-255-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/4196-314-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/4296-312-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/4296-285-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/4340-193-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/4340-198-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/4972-398-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/4972-101-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/4992-220-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/4992-287-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/5040-199-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/5040-212-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/5092-128-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/5092-402-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

  • memory/5104-351-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB