Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    19/06/2024, 21:38

General

  • Target

    0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe

  • Size

    91KB

  • MD5

    499eb5354d018ee4a0a4eaa0d54d5de0

  • SHA1

    c228922423384522797e100bd239cc0146e9ee6a

  • SHA256

    0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5

  • SHA512

    d331d570993e7ca31111e68fd6803c3a3d2446074412111bbb47ed63a07b5bd12dcfe8adb34b51dae52a61a74fc43efbfe0bee3b45643274c16543a83c3ac2db

  • SSDEEP

    1536:npDnq+5h/tDSZ15Wwd4pDnq+5h/tDSZ15WwdM:npDRzSZaC4pDRzSZaCM

Score
10/10

Signatures

  • Modifies WinLogon for persistence 2 TTPs 12 IoCs
  • Modifies visibility of file extensions in Explorer 2 TTPs 6 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 6 IoCs
  • Disables RegEdit via registry modification 6 IoCs
  • Disables Task Manager via registry modification
  • Disables cmd.exe use via registry modification 6 IoCs
  • Disables use of System Restore points 1 TTPs
  • Executes dropped EXE 30 IoCs
  • Loads dropped DLL 5 IoCs
  • Modifies system executable filetype association 2 TTPs 64 IoCs
  • Adds Run key to start application 2 TTPs 24 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 18 IoCs
  • Drops autorun.inf file 1 TTPs 8 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 38 IoCs
  • Drops file in Windows directory 24 IoCs
  • Modifies Control Panel 42 IoCs
  • Modifies Internet Explorer settings 1 TTPs 18 IoCs
  • Modifies Internet Explorer start page 1 TTPs 6 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 5 IoCs
  • Suspicious use of SetWindowsHookEx 31 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5_NeikiAnalytics.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visibility of hidden/system files in Explorer
    • Disables RegEdit via registry modification
    • Disables cmd.exe use via registry modification
    • Modifies system executable filetype association
    • Adds Run key to start application
    • Modifies WinLogon
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies Control Panel
    • Modifies Internet Explorer settings
    • Modifies Internet Explorer start page
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:408
    • C:\Windows\babon.exe
      C:\Windows\babon.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Executes dropped EXE
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops autorun.inf file
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:1948
      • C:\Windows\babon.exe
        C:\Windows\babon.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetWindowsHookEx
        PID:4540
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        PID:1408
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:4988
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:4692
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:3532
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Executes dropped EXE
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops autorun.inf file
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:4992
      • C:\Windows\babon.exe
        C:\Windows\babon.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetWindowsHookEx
        PID:1028
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        PID:5096
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:3592
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:5036
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:3008
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Executes dropped EXE
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:3624
      • C:\Windows\babon.exe
        C:\Windows\babon.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetWindowsHookEx
        PID:4336
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        PID:2620
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2580
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:1268
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:1000
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Executes dropped EXE
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:4656
      • C:\Windows\babon.exe
        C:\Windows\babon.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetWindowsHookEx
        PID:2572
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        PID:4000
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2604
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:944
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2108
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Disables RegEdit via registry modification
      • Disables cmd.exe use via registry modification
      • Executes dropped EXE
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:2068
      • C:\Windows\babon.exe
        C:\Windows\babon.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetWindowsHookEx
        PID:4616
      • C:\Windows\SysWOW64\IExplorer.exe
        C:\Windows\system32\IExplorer.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        PID:4780
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\winlogon.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:1192
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\csrss.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:4600
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\lsass.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:1020

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\WINDOWS\csrss.exe

    Filesize

    91KB

    MD5

    e9a8e13bee37c1462e4323aeef91bdbf

    SHA1

    d3373f177d94c82d9faf970bcae6f60626d03c10

    SHA256

    735b175fd67a0e61c50ff6291bd310506e0591250297839417df8504aba80ea5

    SHA512

    4a647f71e79e7335d486275fb1c3eed7d4fc9cc1e91f91696fe73dc753f52a8932d1fb5cb8ef3b5f02fcbbe275238a84a10e4f7342e0f6ecfe7f46c4c68e8a8c

  • C:\Users\Admin\AppData\Local\WINDOWS\lsass.exe

    Filesize

    91KB

    MD5

    8b48261673ad8a15b555e9164e15481a

    SHA1

    6a59f3aba4f09d081918a7aa448105a2736f651f

    SHA256

    a5b71e7ebbadb3e5a72b9703dba486d40a0901a21ba67655f5b4fe9d151d45c6

    SHA512

    1f356e69abe090cc3e9d89d2a8875113f800a23278e70997bc38a7e1fc0a19abed26a0fed484e15adb64872a354e04552bf128809286682aa16f10224e4a02ca

  • C:\Users\Admin\AppData\Local\WINDOWS\winlogon.exe

    Filesize

    91KB

    MD5

    bc9a58054bc14c7b20a96d9f2b3a6f87

    SHA1

    2ee62aeb22cd0393049aa4d622fcda7e166750d6

    SHA256

    173e21e6d593257cc95a1f403e6005229fd23881931f0f76a6de4c48559fda54

    SHA512

    1affd523e7bdb0b46f38bd01981624893631699580d7e9b6e0f88f0758afa806068a080a26ef7f763d02f422d4b94609bbd80600ff3b795b49d5fe7a22ec5318

  • C:\Users\Admin\AppData\Local\winlogon.exe

    Filesize

    91KB

    MD5

    499eb5354d018ee4a0a4eaa0d54d5de0

    SHA1

    c228922423384522797e100bd239cc0146e9ee6a

    SHA256

    0c6b49f628b30a8aaed4eb49d2536b9278a104bf055999f65dfa6c14ea5924e5

    SHA512

    d331d570993e7ca31111e68fd6803c3a3d2446074412111bbb47ed63a07b5bd12dcfe8adb34b51dae52a61a74fc43efbfe0bee3b45643274c16543a83c3ac2db

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\smss.exe

    Filesize

    91KB

    MD5

    7bef640f7927169c01ed9b94b5ccb2d6

    SHA1

    85a2f3c08d1ea38a2a775a47aacf4f6c717077a4

    SHA256

    e88db4b7a132c7f0adb42b09d52ee56590020dfbc7df859bef130a7c8753a51c

    SHA512

    181664e9f17c11822273489a4a533d6b4fca5b4ea0010c268493d2322d89d885644790aa37332b6b3fad414711d935a99df132edc43af04b626eaf4c392e9eb7

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\smss.exe

    Filesize

    91KB

    MD5

    4fec3287cdb7e591879c11adeaa6aa8a

    SHA1

    d7f22e338aea8c8462d0b7dc81bdf091d21b2b40

    SHA256

    afc4a0fd47074b257f4e94b4b22c9f01307f70d149d50008e98d9c9615d7a51d

    SHA512

    7513b2eade397ca79406c14ddc55d88e342db181a094808836238ad4571bf28105d423fb7837668c40f70a1fe21d31d48a8214c175397a0f9f3c43806c8e9f8f

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\smss.exe

    Filesize

    91KB

    MD5

    116ab655ded5b4f4a7985a1c4e03e888

    SHA1

    215b119cbafc47a15b7d4770f26986acb75aae1c

    SHA256

    2fb60c2df7e9ef016e1b59e36f1eff5001610dd38dc9015f4920cbf7a2c64815

    SHA512

    1cfe9cd8f8b6f4581d5e1530c29ea65c568b2f7db01c376313b248aaaf343a7ab4e9f5cfab4a794668cac27ba8078ca3e7e9ea5b79c79227bc27299d3b80e27b

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\smss.exe

    Filesize

    91KB

    MD5

    1684cf6c80cbae626f62c8f2ef8a3a50

    SHA1

    9ba69c136b9023d3a059f0720ac9a988a917337f

    SHA256

    149637b0c8b388bcccad07416b262edef217cc2135a34cac5b66723e3c5dc995

    SHA512

    85de03e7edfd930444ae501f40cbec47d9a19a838514f4cfa9a3eeecce7c750b50b3a84c5bae92ebdf349d0f1fd71cd1bf2fac73139e69e255ff8ee9e3187221

  • C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif

    Filesize

    91KB

    MD5

    a4e473d81befd4bc967d894d669c735a

    SHA1

    5d46e6dcd65dcf4676bb3964a92feca11fad696f

    SHA256

    b7b7862c6c8600c50a45cab44425be98a9d66828b9c7764d9e0f2297f7c51741

    SHA512

    4471d0dca419c4bb8272d28ea191d227393a8fa4a759e5fff14933e492fd47f7ca0f0655c7db8420290e3a81c70d69497aa61b6da4f8f05e3907da1d92008777

  • C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif

    Filesize

    91KB

    MD5

    cadddf32f598ea8b80c955b9cb97b349

    SHA1

    86082c40316840acf7a4fa403bd4a3ba16b1e3cc

    SHA256

    3b82f3ba651ee6bbea92e0935f9ddcc29559612622dfb0b567c2700ebbc831b4

    SHA512

    0dc6a47c47ae1d2239fda30af57ef14a7c8dc69d4358b78a548eb2496893f75fd3622b9ddfd77171446e70fc13226f5f92c64ec2b14bf69b69d6545925d70ade

  • C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif

    Filesize

    91KB

    MD5

    704ebce1dfaa2beecb7cb897a1fd0982

    SHA1

    0a628a689f3ed809e1f1fa7471501066b7e5c515

    SHA256

    5f2b26cef64c43d4731f7aec1080868baa8df491d4fa8e05e07942ceb81748d1

    SHA512

    fc6e625a0360bd8b62363eea7b84a828e83b99f2a883d3276580c8d3433572d96ffdc5b08b2ebd5e4676d31bb570ba23dfcb2ece286350f5e85cecd138561f5b

  • C:\Windows\MSVBVM60.DLL

    Filesize

    1.4MB

    MD5

    25f62c02619174b35851b0e0455b3d94

    SHA1

    4e8ee85157f1769f6e3f61c0acbe59072209da71

    SHA256

    898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

    SHA512

    f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

  • C:\Windows\SysWOW64\IExplorer.exe

    Filesize

    91KB

    MD5

    3ed6a072b6cee63919e2f94971ad53e9

    SHA1

    419ddcaae4567f48e847cf8e8025c19eadaea059

    SHA256

    3501078e98c52ff7a187bf4b58e35651107483fbdd058dfc2774a4c9cc8b9f0d

    SHA512

    1e3e46ff69aeaf1ef613c4066106c47914284685ca3190ad64385fa9ec504dea94742ee125d78589baf9e053ca2baebc1c5967c8221ad24acece52e630b3c7f7

  • C:\Windows\SysWOW64\babon.scr

    Filesize

    91KB

    MD5

    43a82e7dcab7d7595b8d2372747327a4

    SHA1

    ec22b4b42e8418c3a20ee31671ebd41d43382962

    SHA256

    3c9433a8577b86862409f91acc17d2b015d85c777224b6c739952c254edbff4f

    SHA512

    bf563d4d59d2fdeb91e8c5247f1e02c6ea74682a3286b0520efa98705385267fc95307af93c8a56ae9e2f480031d4534798b1a381de366c0af6059e53f51e56b

  • C:\Windows\SysWOW64\shell.exe

    Filesize

    91KB

    MD5

    b15d9ec0ea6ef8d28fde20d0f26a8062

    SHA1

    459af3f749114bf43dd2854fb12d22c52b58e0fe

    SHA256

    58e8032456cafcc2a27bc8f08045b1339ec9e79eec84821bf9631a9a573809d5

    SHA512

    c2d9573c4da2650ecfbcf7ad217a28febfc56bcfaf003226fd6e695c2c5ce68ceda6005540b8bd8920016afe4ba2b3c64b511f3881a990c08bc4e9306ba41e86

  • C:\Windows\SysWOW64\shell.exe

    Filesize

    91KB

    MD5

    479c77eadbb2d8bf7e2f31175fcea324

    SHA1

    409e6c399be837a76ea7a4d2fcaaeeed6ca7e96e

    SHA256

    cccea37d0141d00dae05306cfc6a8e068447fafb2d6c3d9e83642faa5ba8d1ca

    SHA512

    a59dfe27e19dfd0b37b2597b349bb35dc73d70c6ea52cd081bf016649886d8716328394eb66edbc5b3fcfcda9825c3844e981f7436318019c680ffb36b0ad289

  • C:\Windows\babon.exe

    Filesize

    91KB

    MD5

    b580cb6c7df912196519b1db40bca9cb

    SHA1

    21b53b950fc33dd94f8aed061e0a8f049fb3bd4e

    SHA256

    72375cc2006d31448deee876d4c713fad4268ba034935e7075a041a672197911

    SHA512

    a36e577d63825332d257526c33bc27b0184caba53515a3b189f78e8bb686a9fc9eeeece8f64786f64a95991c9da7a9c8c458802dedc22a38c9a5cc2b69b3c278

  • C:\babon.exe

    Filesize

    91KB

    MD5

    37328291c0d922484e0ed3da1b28f73d

    SHA1

    1abe0a1fc635daebb821906ff301fb2d4eaa547e

    SHA256

    31e20f57600e38995c911a9676e3acbbb2c3c27687a0c7b25d7f219c3ce849c4

    SHA512

    9756f0651455ef073b351b6b6de28be73651aebf1d37d2aa0a78aa4a25cba44276cffca14166b3bd0ff1c95793476453c308fbea107a9b57409d9b39c86f0d85

  • C:\wangsit.txt

    Filesize

    359B

    MD5

    df2f3e6971a7548c1688706f9a9798a8

    SHA1

    e38539857523a1e7eb3aa857e017bf6461b16a08

    SHA256

    1fd0a101a74c19c0c9e287eac64ee506df3eebdbc11f12022dda94fedd123918

    SHA512

    d2d41257135381d7f4c4936139282a505094af7a8f9bc824ccc08d09da9ab010b6adf1460feacf5c0151cb9d4299b8bde934fd90904bb3c3ce6c396af449c072

  • F:\autorun.inf

    Filesize

    41B

    MD5

    097661e74e667ec2329bc274acb87b0d

    SHA1

    91c68a6089af2f61035e2e5f2a8da8c908dc93ed

    SHA256

    aab4cf640f2520966a0aac31af8d1b819eea28736c6b103db16b07c3188ec6c0

    SHA512

    e90e678526270cd9388538246793534411c478b082ab914bfe2756b18771229f146c731c0f9c94ed59d8689b2ef77d25f7b22d3d6b8c2d439e5b3437f8dc649e