Analysis

  • max time kernel
    178s
  • max time network
    35s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64 arch:x86 image:win7-20230220-en locale:en-us os:windows7-x64 system
  • submitted
    09-05-2023 19:10

General

  • Target

    trojan-leaks-main/Halloware (BerkayV).exe

  • Size

    23.1MB

  • MD5

    2701cf0c52d8d8d961f21f9952af15e7

  • SHA1

    d8b9de327f95ba090e5606862003419388fc3dc7

  • SHA256

    616830e93c33240ff157b4eeeab1d1a3e9891d6410139afdbd4d01f075da0933

  • SHA512

    b4798cd526b116e943f3cba6f58175185898e374efd4ab7afe012495858c7997fb1fba1dac284ae4aa484dfc5f70b6240ad1281d90c9a3642e49edd95ab39110

  • SSDEEP

    196608:puv1iLrYSZWLN0dLeGyI8bMU+Ns3tlHO8:UdiHZZWLN1cu3tlHF

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • UAC bypass 3 TTPs 2 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Disables Task Manager via registry modification
  • Possible privilege escalation attempt 20 IoCs
  • Executes dropped EXE 10 IoCs
  • Modifies file permissions 1 TTPs 20 IoCs
  • Modifies system executable filetype association 2 TTPs 2 IoCs
  • Drops file in System32 directory 6 IoCs
  • Drops file in Program Files directory 38 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates processes with tasklist 1 TTPs 5 IoCs
  • Modifies Control Panel 4 IoCs
  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 11 IoCs
  • Suspicious behavior: CmdExeWriteProcessMemorySpam 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 21 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\trojan-leaks-main\Halloware (BerkayV).exe
    "C:\Users\Admin\AppData\Local\Temp\trojan-leaks-main\Halloware (BerkayV).exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:916
    • C:\Windows\system32\wscript.exe
      "C:\Windows\sysnative\wscript.exe" C:\Users\Admin\AppData\Local\Temp\FA28.tmp\FA29.vbs
      2⤵
      • UAC bypass
      • Drops file in Program Files directory
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:280
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c echo msgbox"Please wait while halloware infecting your computer",1+48,"Alert" > "C:\Users\Admin\AppData\Local\Temp\waitdude.vbs" & wscript.exe "C:\Users\Admin\AppData\Local\Temp\waitdude.vbs"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1568
        • C:\Windows\system32\wscript.exe
          wscript.exe "C:\Users\Admin\AppData\Local\Temp\waitdude.vbs"
          4⤵
          PID:1092
      • C:\Windows\System32\wscript.exe
        "C:\Windows\System32\wscript.exe" "C:\Program files\halloware\takeact.vbs" RunAsAdministrator
        3⤵
        • Modifies WinLogon for persistence
        • UAC bypass
        • Disables RegEdit via registry modification
        • Modifies system executable filetype association
        • Modifies Control Panel
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        • System policy modification
        PID:1404
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /C "C:\Program Files\Halloware\takeown.bat"
          4⤵
          • Drops file in System32 directory
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious use of WriteProcessMemory
          PID:824
          • C:\Windows\System32\takeown.exe
            takeown /f sethc.exe
            5⤵
            • Possible privilege escalation attempt
            • Modifies file permissions
            • Suspicious use of AdjustPrivilegeToken
            PID:1220
          • C:\Windows\System32\icacls.exe
            icacls sethc.exe /granted "Admin":F /q
            5⤵
            • Possible privilege escalation attempt
            • Modifies file permissions
            PID:2012
          • C:\Windows\System32\takeown.exe
            takeown /f csrss.exe
            5⤵
            • Possible privilege escalation attempt
            • Modifies file permissions
            • Suspicious use of AdjustPrivilegeToken
            PID:1968
          • C:\Windows\System32\icacls.exe
            icacls csrss.exe /granted "Admin":F /q
            5⤵
            • Possible privilege escalation attempt
            • Modifies file permissions
            PID:384
          • C:\Windows\System32\takeown.exe
            takeown /f winload.exe
            5⤵
            • Possible privilege escalation attempt
            • Modifies file permissions
            • Suspicious use of AdjustPrivilegeToken
            PID:556
          • C:\Windows\System32\icacls.exe
            icacls winload.exe /granted "Admin":F /q
            5⤵
            • Possible privilege escalation attempt
            • Modifies file permissions
            PID:1008
          • C:\Windows\System32\takeown.exe
            takeown /f logonUI.exe
            5⤵
            • Possible privilege escalation attempt
            • Modifies file permissions
            • Suspicious use of AdjustPrivilegeToken
            PID:588
          • C:\Windows\System32\icacls.exe
            icacls logonUI.exe /granted "Admin":F /q
            5⤵
            • Possible privilege escalation attempt
            • Modifies file permissions
            PID:1072
          • C:\Windows\System32\takeown.exe
            takeown /f bcdedit.exe
            5⤵
            • Possible privilege escalation attempt
            • Modifies file permissions
            • Suspicious use of AdjustPrivilegeToken
            PID:1980
          • C:\Windows\System32\icacls.exe
            icacls bcdedit.exe /granted "Admin":F /q
            5⤵
            • Possible privilege escalation attempt
            • Modifies file permissions
            PID:364
          • C:\Windows\system32\takeown.exe
            takeown /f explorer.exe
            5⤵
            • Possible privilege escalation attempt
            • Modifies file permissions
            • Suspicious use of AdjustPrivilegeToken
            PID:692
          • C:\Windows\system32\icacls.exe
            icacls explorer.exe /granted "Admin":F /q
            5⤵
            • Possible privilege escalation attempt
            • Modifies file permissions
            PID:1616
          • C:\Windows\system32\takeown.exe
            takeown /f notepad.exe
            5⤵
            • Possible privilege escalation attempt
            • Modifies file permissions
            • Suspicious use of AdjustPrivilegeToken
            PID:1416
          • C:\Windows\system32\icacls.exe
            icacls sethc.exe /granted "Admin":F /q
            5⤵
            • Possible privilege escalation attempt
            • Modifies file permissions
            PID:1608
          • C:\Windows\system32\takeown.exe
            takeown /f regedit.exe
            5⤵
            • Possible privilege escalation attempt
            • Modifies file permissions
            • Suspicious use of AdjustPrivilegeToken
            PID:1436
          • C:\Windows\system32\icacls.exe
            icacls regedit.exe /granted "Admin":F /q
            5⤵
            • Possible privilege escalation attempt
            • Modifies file permissions
            PID:844
          • C:\Windows\System32\takeown.exe
            takeown /f taskmgr.exe
            5⤵
            • Possible privilege escalation attempt
            • Modifies file permissions
            • Suspicious use of AdjustPrivilegeToken
            PID:820
          • C:\Windows\System32\icacls.exe
            icacls taskmgr.exe /granted "Admin":F /q
            5⤵
            • Possible privilege escalation attempt
            • Modifies file permissions
            PID:1060
          • C:\Windows\System32\takeown.exe
            takeown /f rundll32.exe
            5⤵
            • Possible privilege escalation attempt
            • Modifies file permissions
            • Suspicious use of AdjustPrivilegeToken
            PID:1524
          • C:\Windows\System32\icacls.exe
            icacls rundll32.exe /granted "Admin":F /q
            5⤵
            • Possible privilege escalation attempt
            • Modifies file permissions
            PID:1144
        • C:\Windows\System32\cmd.exe
          cmd /c ""C:\Program Files\halloware\findit.bat" "
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1888
          • C:\Windows\system32\tasklist.exe
            tasklist /FI "IMAGENAME eq kosuyorum.exe"
            5⤵
            • Enumerates processes with tasklist
            • Suspicious use of AdjustPrivilegeToken
            PID:2016
        • C:\Windows\System32\shutdown.exe
          "C:\Windows\System32\shutdown.exe" -r -t 00
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:1224
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x0
    1⤵
    • Executes dropped EXE
    • Modifies data under HKEY_USERS
    PID:432
    • C:\Windows\system32\wscript.exe
      "C:\Windows\sysnative\wscript.exe" C:\Windows\Temp\3B4D.tmp\3B5D.vbs /flags:0x0
      2⤵
      • Modifies data under HKEY_USERS
      PID:1208
      • C:\Windows\system32\cmd.exe
        cmd /c ""C:\Program Files\halloware\findit.bat" "
        3⤵
        PID:1168
        • C:\Windows\system32\tasklist.exe
          tasklist /FI "IMAGENAME eq kosuyorum.exe"
          4⤵
          • Enumerates processes with tasklist
          • Suspicious use of AdjustPrivilegeToken
          PID:1920
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c cd\ & cd "Program Files"& cd Halloware & Kosuyorum.exe
        3⤵
        PID:1096
        • C:\Program Files\Halloware\kosuyorum.exe
          Kosuyorum.exe
          4⤵
          • Executes dropped EXE
          • Modifies data under HKEY_USERS
          • Suspicious behavior: CmdExeWriteProcessMemorySpam
          PID:1924
          • C:\Windows\system32\wscript.exe
            "C:\Windows\sysnative\wscript.exe" C:\Windows\Temp\475D.tmp\475E.vbs
            5⤵
            • Modifies data under HKEY_USERS
            PID:1328
            • C:\Program Files\halloware\Hware.exe
              "C:\Program Files\halloware\Hware.exe"
              6⤵
              • Executes dropped EXE
              • Drops file in System32 directory
              • Modifies data under HKEY_USERS
              PID:1976
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x1e8
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1348
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x0
    1⤵
    • Executes dropped EXE
    • Modifies data under HKEY_USERS
    PID:1248
    • C:\Windows\system32\wscript.exe
      "C:\Windows\sysnative\wscript.exe" C:\Windows\Temp\BA99.tmp\BA9A.vbs /flags:0x0
      2⤵
      • Modifies data under HKEY_USERS
      PID:1908
      • C:\Windows\system32\cmd.exe
        cmd /c ""C:\Program Files\halloware\findit.bat" "
        3⤵
        PID:1404
        • C:\Windows\system32\tasklist.exe
          tasklist /FI "IMAGENAME eq kosuyorum.exe"
          4⤵
          • Enumerates processes with tasklist
          • Suspicious use of AdjustPrivilegeToken
          PID:2024
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c cd\ & cd "Program Files"& cd Halloware & Kosuyorum.exe
        3⤵
        PID:904
        • C:\Program Files\Halloware\kosuyorum.exe
          Kosuyorum.exe
          4⤵
          • Executes dropped EXE
          • Modifies data under HKEY_USERS
          • Suspicious behavior: CmdExeWriteProcessMemorySpam
          PID:1760
          • C:\Windows\system32\wscript.exe
            "C:\Windows\sysnative\wscript.exe" C:\Windows\Temp\C820.tmp\C831.vbs
            5⤵
            • Modifies data under HKEY_USERS
            PID:632
            • C:\Program Files\halloware\Hware.exe
              "C:\Program Files\halloware\Hware.exe"
              6⤵
              • Executes dropped EXE
              • Drops file in System32 directory
              • Modifies data under HKEY_USERS
              PID:1176
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x0
    1⤵
    • Executes dropped EXE
    • Modifies data under HKEY_USERS
    PID:1784
    • C:\Windows\system32\wscript.exe
      "C:\Windows\sysnative\wscript.exe" C:\Windows\Temp\3969.tmp\396A.vbs /flags:0x0
      2⤵
      • Modifies data under HKEY_USERS
      PID:1340
      • C:\Windows\system32\cmd.exe
        cmd /c ""C:\Program Files\halloware\findit.bat" "
        3⤵
        PID:1916
        • C:\Windows\system32\tasklist.exe
          tasklist /FI "IMAGENAME eq kosuyorum.exe"
          4⤵
          • Enumerates processes with tasklist
          • Suspicious use of AdjustPrivilegeToken
          PID:1552
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c cd\ & cd "Program Files"& cd Halloware & Kosuyorum.exe
        3⤵
        PID:1224
        • C:\Program Files\Halloware\kosuyorum.exe
          Kosuyorum.exe
          4⤵
          • Executes dropped EXE
          • Modifies data under HKEY_USERS
          • Suspicious behavior: CmdExeWriteProcessMemorySpam
          PID:864
          • C:\Windows\system32\wscript.exe
            "C:\Windows\sysnative\wscript.exe" C:\Windows\Temp\4606.tmp\4607.vbs
            5⤵
            • Modifies data under HKEY_USERS
            PID:1976
            • C:\Program Files\halloware\Hware.exe
              "C:\Program Files\halloware\Hware.exe"
              6⤵
              • Executes dropped EXE
              • Drops file in System32 directory
              • Modifies data under HKEY_USERS
              PID:1608
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x1
    1⤵
    • Executes dropped EXE
    • Modifies data under HKEY_USERS
    PID:1176
    • C:\Windows\system32\wscript.exe
      "C:\Windows\sysnative\wscript.exe" C:\Windows\Temp\B0F8.tmp\B0F9.vbs /flags:0x1
      2⤵
      • Modifies data under HKEY_USERS
      PID:1104
      • C:\Windows\system32\cmd.exe
        cmd /c ""C:\Program Files\halloware\findit.bat" "
        3⤵
        PID:1760
        • C:\Windows\system32\tasklist.exe
          tasklist /FI "IMAGENAME eq kosuyorum.exe"
          4⤵
          • Enumerates processes with tasklist
          • Suspicious use of AdjustPrivilegeToken
          PID:1188

Downloads

  • C:\Program Files\Halloware\Hware.exe (7.5MB)
  • C:\Program Files\Halloware\inyer.wav (7.5MB)
  • C:\Program Files\Halloware\kosuyorum.exe (58KB)
  • C:\Program Files\Halloware\takeown.bat (1KB)
  • C:\Program Files\halloware\Hware.exe (7.5MB)
  • C:\Program Files\halloware\data\fakelogon.exe (58KB)
  • C:\Program Files\halloware\findit.bat (85B)
  • C:\Program files\halloware\takeact.vbs (2KB)
  • C:\Users\Admin\AppData\Local\Temp\FA28.tmp\FA29.vbs (1KB)
  • C:\Users\Admin\AppData\Local\Temp\FA28.tmp\fileler\Hware.exe (7.5MB)
  • C:\Users\Admin\AppData\Local\Temp\FA28.tmp\fileler\bin\@tile@@.jpg (17KB)
  • C:\Users\Admin\AppData\Local\Temp\FA28.tmp\fileler\bin\pump.ico (178KB)
  • C:\Users\Admin\AppData\Local\Temp\FA28.tmp\fileler\bin\pumpcur.cur (4KB)
  • C:\Users\Admin\AppData\Local\Temp\FA28.tmp\fileler\data\fakelogon.exe (58KB)
  • C:\Users\Admin\AppData\Local\Temp\FA28.tmp\fileler\delc.bat (258B)
  • C:\Users\Admin\AppData\Local\Temp\FA28.tmp\fileler\fakelogon.vbs (572B)
  • C:\Users\Admin\AppData\Local\Temp\FA28.tmp\fileler\findit.bat (85B)
  • C:\Users\Admin\AppData\Local\Temp\FA28.tmp\fileler\iQShell.vbs (1KB)
  • C:\Users\Admin\AppData\Local\Temp\FA28.tmp\fileler\intf.wav (7.5MB)
  • C:\Users\Admin\AppData\Local\Temp\FA28.tmp\fileler\inyer.wav (7.5MB)
  • C:\Users\Admin\AppData\Local\Temp\FA28.tmp\fileler\kosuyorum.exe (58KB)
  • C:\Users\Admin\AppData\Local\Temp\FA28.tmp\fileler\permaban.vbs (357B)
  • C:\Users\Admin\AppData\Local\Temp\FA28.tmp\fileler\screwup.vbs (61B)
  • C:\Users\Admin\AppData\Local\Temp\FA28.tmp\fileler\takeact.vbs (2KB)
  • C:\Users\Admin\AppData\Local\Temp\FA28.tmp\fileler\takeown.bat

                    Filesize

                    1KB

                    MD5

                    d477e71d1d7080cf90aba3100b9c761a

                    SHA1

                    7642aa8aeabd847519cfd20ae7d7f2d8edb83914

                    SHA256

                    3482c840695951907b291f979a6f8e98246a3b4ec119c9947d2a9e9676067710

                    SHA512

                    cc47c86a904bd2462f1a396ede5f1ea5b0c3eb6f5e6c6e6d966975612249958d9814910450aeff7c6d056bcf9893315a989dbd99b34111db7078592ef325563d

                  • C:\Users\Admin\AppData\Local\Temp\FA28.tmp\fileler\template.vbs

                    Filesize

                    402B

                    MD5

                    1c04a184e8ba8025bb98cd1734a93b68

                    SHA1

                    55f09dde9ae0cebdbe23893c6dbc42549a23a912

                    SHA256

                    98ddf649d3cafb5130069be87e569082d9dc780ce11f0dc0208348acff0baa55

                    SHA512

                    60bbfe5cab8e10589a6e24a46d86138f5161579b207b9b8349a8680a84996d94430ef65afdc1bfa124b8b8c93ae68b932a3dfc6a45a418a89453d784670fd296

                  • C:\Users\Admin\AppData\Local\Temp\waitdude.vbs

                    Filesize

                    76B

                    MD5

                    f1fbb313731d2b699a48c588486e7f0d

                    SHA1

                    d70c472a451b074ebd1cf55a42bc8843fa9cfd2f

                    SHA256

                    c1430e747ddc860d216c77a7445dbc8cf5fc4bee4bca47521333148dd93a3e6a

                    SHA512

                    12d10b8ac14327b2874dd68b9b0b3d29add7fc96cd371e7ab74e25cb69b42b7a79a16b4ac489cb51214014035baf6ba0c48ec1a123b265c57b57d25939e6bf2e

                  • C:\Windows\System32\LogonUI.exe

                    Filesize

                    58KB

                    MD5

                    8f9b8205dba67cf950f20e3a0efbcc3a

                    SHA1

                    b50651abd1bcc78c374847caa36a44110d87d5cd

                    SHA256

                    43ce074b438577b487f6a7e31a877477d1d294e5c1b9c979b30a23fb12c13fa5

                    SHA512

                    4dc26fb94004d3dafeb95126ce07fd51e095b6327375448a70fe3aa9e5ca36d8424ffa572810cf2399afa3c0bc4fccdbb46f51c5fb783729d6fd2faa3044a505

                  • C:\Windows\Temp\3969.tmp\396A.vbs

                    Filesize

                    572B

                    MD5

                    2ee899c0289cb575bf4852ac5d164f9d

                    SHA1

                    33e1e4c5a6facd78736998c6673ca6ec88e62fe7

                    SHA256

                    164c41744381d3ded7d2e95e76313763be9acfc21ea082f7126c149b1c287fe2

                    SHA512

                    1edfa4b05cb738a3521918b23c5bd2e621e31ec5d19886d30675c14f9c6f5742ebf6572c14d33726ec1a9d468f324195fd33d3dce2ae1be1185712dab2f20baf

                  • C:\Windows\Temp\3B4D.tmp\3B5D.vbs

                    Filesize

                    572B

                    MD5

                    2ee899c0289cb575bf4852ac5d164f9d

                    SHA1

                    33e1e4c5a6facd78736998c6673ca6ec88e62fe7

                    SHA256

                    164c41744381d3ded7d2e95e76313763be9acfc21ea082f7126c149b1c287fe2

                    SHA512

                    1edfa4b05cb738a3521918b23c5bd2e621e31ec5d19886d30675c14f9c6f5742ebf6572c14d33726ec1a9d468f324195fd33d3dce2ae1be1185712dab2f20baf

                  • C:\Windows\Temp\4606.tmp\4607.vbs

                    Filesize

                    117B

                    MD5

                    43ce46af5d7f1ffe2c3914ad9c654fa3

                    SHA1

                    a98dce4efa618334d57a808d766f821d83d2a75d

                    SHA256

                    0f3f6a34bbfe0bf01ef189a50402f560d212a3e74a8867a8a76b70b4f6a25f61

                    SHA512

                    d1c59cf92412684bae18b497a5c9dd823073210150e0a18e69649910bc9f9c192298e242e89c04ccd88550e2f0b21881fbc13879d5c07a0e727c13e8d7186942

                  • C:\Windows\Temp\475D.tmp\475E.vbs

                    Filesize

                    117B

                    MD5

                    43ce46af5d7f1ffe2c3914ad9c654fa3

                    SHA1

                    a98dce4efa618334d57a808d766f821d83d2a75d

                    SHA256

                    0f3f6a34bbfe0bf01ef189a50402f560d212a3e74a8867a8a76b70b4f6a25f61

                    SHA512

                    d1c59cf92412684bae18b497a5c9dd823073210150e0a18e69649910bc9f9c192298e242e89c04ccd88550e2f0b21881fbc13879d5c07a0e727c13e8d7186942

                  • C:\Windows\Temp\B0F8.tmp\B0F9.vbs

                    Filesize

                    572B

                    MD5

                    2ee899c0289cb575bf4852ac5d164f9d

                    SHA1

                    33e1e4c5a6facd78736998c6673ca6ec88e62fe7

                    SHA256

                    164c41744381d3ded7d2e95e76313763be9acfc21ea082f7126c149b1c287fe2

                    SHA512

                    1edfa4b05cb738a3521918b23c5bd2e621e31ec5d19886d30675c14f9c6f5742ebf6572c14d33726ec1a9d468f324195fd33d3dce2ae1be1185712dab2f20baf

                  • C:\Windows\Temp\BA99.tmp\BA9A.vbs

                    Filesize

                    572B

                    MD5

                    2ee899c0289cb575bf4852ac5d164f9d

                    SHA1

                    33e1e4c5a6facd78736998c6673ca6ec88e62fe7

                    SHA256

                    164c41744381d3ded7d2e95e76313763be9acfc21ea082f7126c149b1c287fe2

                    SHA512

                    1edfa4b05cb738a3521918b23c5bd2e621e31ec5d19886d30675c14f9c6f5742ebf6572c14d33726ec1a9d468f324195fd33d3dce2ae1be1185712dab2f20baf

                  • C:\Windows\Temp\C820.tmp\C831.vbs

                    Filesize

                    117B

                    MD5

                    43ce46af5d7f1ffe2c3914ad9c654fa3

                    SHA1

                    a98dce4efa618334d57a808d766f821d83d2a75d

                    SHA256

                    0f3f6a34bbfe0bf01ef189a50402f560d212a3e74a8867a8a76b70b4f6a25f61

                    SHA512

                    d1c59cf92412684bae18b497a5c9dd823073210150e0a18e69649910bc9f9c192298e242e89c04ccd88550e2f0b21881fbc13879d5c07a0e727c13e8d7186942

                  • C:\logfilex7\msc.ddd

                    MD5

                    d41d8cd98f00b204e9800998ecf8427e

                    SHA1

                    da39a3ee5e6b4b0d3255bfef95601890afd80709

                    SHA256

                    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

                    SHA512

                    cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

                  • C:\logfilex7\msc.ddd

                    Filesize

                    64B

                    MD5

                    dea052a2ad11945b1960577c0192f2eb

                    SHA1

                    1d02626a05a546a90c05902b2551f32c20eb3708

                    SHA256

                    943b315e065238b7073b033f534ef954b6b6461fb3f03a3f5b8555b11bc4c0a2

                    SHA512

                    5496b10e2a77aee11055d71bdaaed835df1770e85fa4d0f9433330470bbcf76c932c04778a0b47f4193eee14813db2e2b19ecc50b4a6a193faa19b4019705917

                  • C:\logfilex7\msc.ddd

                    Filesize

                    236B

                    MD5

                    d6806f02080ee77c1d66a915ff0662e6

                    SHA1

                    51d42c0b2fc04445d3d8c1e96268a4c11de1b2f2

                    SHA256

                    f7f6fdb16690ad83a1cc28ef592e094220ae2c641cbd68b6a08bd978ce0f41fe

                    SHA512

                    fae15439092419e5a357e77d49cd0612761113a7168793b02b2d83437c1386f3bf469a92099e442e35c98453b3ea3873396929ef3a92f92128e48ed157d49b46

                  • memory/1176-181-0x0000000003E40000-0x0000000003E80000-memory.dmp

                    Filesize

                    256KB

                  • memory/1176-180-0x0000000003E40000-0x0000000003E80000-memory.dmp

                    Filesize

                    256KB

                  • memory/1176-179-0x0000000000E00000-0x0000000001584000-memory.dmp

                    Filesize

                    7.5MB

                  • memory/1608-191-0x0000000000190000-0x0000000000914000-memory.dmp

                    Filesize

                    7.5MB

                  • memory/1976-167-0x0000000004090000-0x00000000040D0000-memory.dmp

                    Filesize

                    256KB

                  • memory/1976-169-0x0000000004090000-0x00000000040D0000-memory.dmp

                    Filesize

                    256KB

                  • memory/1976-166-0x0000000000E00000-0x0000000001584000-memory.dmp

                    Filesize

                    7.5MB