eadaf26df948f0fd541f297e2f0bad435aa4bee5c97e4324ad767dacca77e29d

max time kernel
148s
max time network
177s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
09-05-2023 19:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

trojan-leaks-main/Halloware (BerkayV).exe
Size

23.1MB
MD5

2701cf0c52d8d8d961f21f9952af15e7
SHA1

d8b9de327f95ba090e5606862003419388fc3dc7
SHA256

616830e93c33240ff157b4eeeab1d1a3e9891d6410139afdbd4d01f075da0933
SHA512

b4798cd526b116e943f3cba6f58175185898e374efd4ab7afe012495858c7997fb1fba1dac284ae4aa484dfc5f70b6240ad1281d90c9a3642e49edd95ab39110
SSDEEP

196608:puv1iLrYSZWLN0dLeGyI8bMU+Ns3tlHO8:UdiHZZWLN1cu3tlHF

Score

10^/10

discovery evasion exploit persistence trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

wscript.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, wscript.exe \"C:\\Program Files\\Halloware\\permaban.vbs\""	wscript.exe

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

wscript.exewscript.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wscript.exe

Disables RegEdit via registry modification 1 IoCs

evasion

Processes:

wscript.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\disableregistrytools = "1"	wscript.exe

Disables Task Manager via registry modification
evasion

Possible privilege escalation attempt 20 IoCs

exploit

Processes:

takeown.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exetakeown.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exetakeown.exetakeown.exetakeown.exeicacls.exetakeown.exeicacls.exeicacls.exe

pid	process
4872	takeown.exe
4488	icacls.exe
1344	icacls.exe
1920	takeown.exe
2816	icacls.exe
3332	icacls.exe
264	icacls.exe
4756	takeown.exe
3972	takeown.exe
3856	icacls.exe
3940	takeown.exe
2964	icacls.exe
4584	takeown.exe
4412	takeown.exe
2116	takeown.exe
4524	takeown.exe
1864	icacls.exe
1620	takeown.exe
1768	icacls.exe
4052	icacls.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Halloware (BerkayV).exewscript.exewscript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	Halloware (BerkayV).exe
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	wscript.exe

Executes dropped EXE 5 IoCs

Processes:

LogonUI.exekosuyorum.exeHware.exeLogonUI.exeLogonUI.exe

pid process

4836 LogonUI.exe
4628 kosuyorum.exe
3372 Hware.exe
948 LogonUI.exe
3364 LogonUI.exe

pid	process
4836	LogonUI.exe
4628	kosuyorum.exe
3372	Hware.exe
948	LogonUI.exe
3364	LogonUI.exe

Modifies file permissions 1 TTPs 20 IoCs

discovery

File and Directory Permissions Modification

T1222

Processes:

icacls.exeicacls.exeicacls.exetakeown.exetakeown.exetakeown.exeicacls.exeicacls.exeicacls.exetakeown.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exeicacls.exetakeown.exeicacls.exetakeown.exetakeown.exe

pid	process
264	icacls.exe
3856	icacls.exe
4488	icacls.exe
1620	takeown.exe
2116	takeown.exe
1920	takeown.exe
2816	icacls.exe
1344	icacls.exe
1864	icacls.exe
4584	takeown.exe
4756	takeown.exe
4052	icacls.exe
4872	takeown.exe
3940	takeown.exe
2964	icacls.exe
3332	icacls.exe
3972	takeown.exe
1768	icacls.exe
4412	takeown.exe
4524	takeown.exe

Modifies system executable filetype association 2 TTPs 2 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

wscript.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon\ = "C:\\Program Files\\Halloware\\bin\\pump.ico"	wscript.exe

Drops file in System32 directory 2 IoCs

Processes:

cmd.exe

description	ioc	process
File opened for modification	C:\Windows\System32\logonUI.exe	cmd.exe
File opened for modification	C:\Windows\System32\taskmgr.exe	cmd.exe

Drops file in Program Files directory 38 IoCs

Processes:

wscript.execmd.exe

description	ioc	process
File created	C:\Program Files\Halloware\permaban.vbs	wscript.exe
File opened for modification	C:\Program Files\Halloware\backup\sethc.bak	cmd.exe
File created	C:\Program Files\Halloware\backup\logonUI.bak	cmd.exe
File created	C:\Program Files\Halloware\backup\explorer.bak	cmd.exe
File opened for modification	C:\Program Files\Halloware\backup\explorer.bak	cmd.exe
File created	C:\Program Files\Halloware\backup\rundll32.bak	cmd.exe
File created	C:\Program Files\Halloware\bin\pump.ico	wscript.exe
File created	C:\Program Files\Halloware\takeown.bat	wscript.exe
File created	C:\Program Files\Halloware\backup\bcdedit.bak	cmd.exe
File opened for modification	C:\Program Files\Halloware\backup\notepad.bak	cmd.exe
File created	C:\Program Files\Halloware\intf.wav	wscript.exe
File created	C:\Program Files\Halloware\Hware.exe	wscript.exe
File created	C:\Program Files\Halloware\backup\regedit.bak	cmd.exe
File created	C:\Program Files\Halloware\data\fakelogon.exe	wscript.exe
File created	C:\Program Files\Halloware\fakelogon.vbs	wscript.exe
File created	C:\Program Files\Halloware\backup\notepad.bak	cmd.exe
File opened for modification	C:\Program Files\Halloware\backup\regedit.bak	cmd.exe
File opened for modification	C:\Program Files\Halloware\bin\@tile@@.jpg	wscript.exe
File created	C:\Program Files\Halloware\findit.bat	wscript.exe
File created	C:\Program Files\Halloware\inyer.wav	wscript.exe
File created	C:\Program Files\Halloware\takeact.vbs	wscript.exe
File opened for modification	C:\Program Files\Halloware\backup\rundll32.bak	cmd.exe
File created	C:\Program Files\Halloware\bin\@tile@@.jpg	wscript.exe
File created	C:\Program Files\Halloware\kosuyorum.exe	wscript.exe
File opened for modification	C:\Program Files\Halloware\backup\csrss.bak	cmd.exe
File opened for modification	C:\Program Files\Halloware\backup\logonUI.bak	cmd.exe
File created	C:\Program Files\Halloware\delc.bat	wscript.exe
File created	C:\Program Files\Halloware\screwup.vbs	wscript.exe
File created	C:\Program Files\Halloware\backup\sethc.bak	cmd.exe
File created	C:\Program Files\Halloware\backup\csrss.bak	cmd.exe
File opened for modification	C:\Program Files\Halloware\backup\taskmgr.bak	cmd.exe
File created	C:\Program Files\Halloware\iQShell.vbs	wscript.exe
File created	C:\Program Files\Halloware\template.vbs	wscript.exe
File created	C:\Program Files\Halloware\backup\winload.bak	cmd.exe
File opened for modification	C:\Program Files\Halloware\backup\winload.bak	cmd.exe
File opened for modification	C:\Program Files\Halloware\backup\bcdedit.bak	cmd.exe
File created	C:\Program Files\Halloware\backup\taskmgr.bak	cmd.exe
File created	C:\Program Files\Halloware\bin\pumpcur.cur	wscript.exe

Drops file in Windows directory 2 IoCs

Processes:

cmd.exe

description ioc process

File created C:\Windows\explorer.exe cmd.exe
File created C:\Windows\notepad.exe cmd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Enumerates processes with tasklist 1 TTPs 4 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exetasklist.exetasklist.exe

pid process

3340 tasklist.exe
924 tasklist.exe
3940 tasklist.exe
464 tasklist.exe

description	ioc	process
File created	C:\Windows\explorer.exe	cmd.exe
File created	C:\Windows\notepad.exe	cmd.exe

pid	process
3340	tasklist.exe
924	tasklist.exe
3940	tasklist.exe
464	tasklist.exe

Modifies Control Panel 4 IoCs

evasion

Processes:

wscript.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\Cursors	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\Cursors\Arrow = "C:\\Program Files\\Halloware\\bin\\pumpcur.cur"	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\Cursors\AppStarting = "C:\\Program Files\\Halloware\\bin\\pumpcur.cur"	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\Cursors\Hand = "C:\\Program Files\\Halloware\\bin\\pumpcur.cur"	wscript.exe

Modifies data under HKEY_USERS 51 IoCs

Processes:

LogonUI.exewscript.exeLogonUI.exewscript.exeLogonUI.exewscript.exewscript.exekosuyorum.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	wscript.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	wscript.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	wscript.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	wscript.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host\Settings	wscript.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	wscript.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	wscript.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host\Settings	wscript.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	wscript.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host\Settings	wscript.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	kosuyorum.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	wscript.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host\Settings	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	kosuyorum.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	wscript.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	wscript.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	wscript.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	wscript.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	kosuyorum.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	wscript.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	wscript.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	wscript.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	wscript.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	wscript.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	wscript.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	kosuyorum.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	kosuyorum.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	wscript.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	wscript.exe

Modifies registry class 12 IoCs

Processes:

wscript.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\DefaultIcon\ = "C:\\Program Files\\Halloware\\bin\\pump.ico"	wscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon	wscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mp3file\DefaultIcon	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mp3file\DefaultIcon\ = "C:\\Program Files\\Halloware\\bin\\pump.ico"	wscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mp4file	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mp4file\DefaultIcon\ = "C:\\Program Files\\Halloware\\bin\\pump.ico"	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings	wscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\DefaultIcon	wscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inifile\DefaultIcon	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inifile\DefaultIcon\ = "C:\\Program Files\\Halloware\\bin\\pump.ico"	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon\ = "C:\\Program Files\\Halloware\\bin\\pump.ico"	wscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mp4file\DefaultIcon	wscript.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

Processes:

takeown.exetasklist.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exeshutdown.exetasklist.exeAUDIODG.EXEtasklist.exetasklist.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	4584	takeown.exe
Token: SeDebugPrivilege	3340	tasklist.exe
Token: SeTakeOwnershipPrivilege	4756	takeown.exe
Token: SeTakeOwnershipPrivilege	3972	takeown.exe
Token: SeTakeOwnershipPrivilege	4412	takeown.exe
Token: SeTakeOwnershipPrivilege	4872	takeown.exe
Token: SeTakeOwnershipPrivilege	3940	takeown.exe
Token: SeTakeOwnershipPrivilege	2116	takeown.exe
Token: SeTakeOwnershipPrivilege	1920	takeown.exe
Token: SeTakeOwnershipPrivilege	4524	takeown.exe
Token: SeTakeOwnershipPrivilege	1620	takeown.exe
Token: SeShutdownPrivilege	3436	shutdown.exe
Token: SeRemoteShutdownPrivilege	3436	shutdown.exe
Token: SeDebugPrivilege	924	tasklist.exe
Token: 33	1080	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1080	AUDIODG.EXE
Token: SeDebugPrivilege	3940	tasklist.exe
Token: SeDebugPrivilege	464	tasklist.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Halloware (BerkayV).exewscript.execmd.exewscript.execmd.execmd.exeLogonUI.exewscript.execmd.exe

description	pid	process	target process
PID 3744 wrote to memory of 4984	3744	Halloware (BerkayV).exe	wscript.exe
PID 3744 wrote to memory of 4984	3744	Halloware (BerkayV).exe	wscript.exe
PID 4984 wrote to memory of 960	4984	wscript.exe	cmd.exe
PID 4984 wrote to memory of 960	4984	wscript.exe	cmd.exe
PID 960 wrote to memory of 4108	960	cmd.exe	wscript.exe
PID 960 wrote to memory of 4108	960	cmd.exe	wscript.exe
PID 4984 wrote to memory of 1668	4984	wscript.exe	wscript.exe
PID 4984 wrote to memory of 1668	4984	wscript.exe	wscript.exe
PID 1668 wrote to memory of 2244	1668	wscript.exe	cmd.exe
PID 1668 wrote to memory of 2244	1668	wscript.exe	cmd.exe
PID 1668 wrote to memory of 2056	1668	wscript.exe	cmd.exe
PID 1668 wrote to memory of 2056	1668	wscript.exe	cmd.exe
PID 2244 wrote to memory of 4584	2244	cmd.exe	takeown.exe
PID 2244 wrote to memory of 4584	2244	cmd.exe	takeown.exe
PID 2056 wrote to memory of 3340	2056	cmd.exe	tasklist.exe
PID 2056 wrote to memory of 3340	2056	cmd.exe	tasklist.exe
PID 2244 wrote to memory of 3332	2244	cmd.exe	icacls.exe
PID 2244 wrote to memory of 3332	2244	cmd.exe	icacls.exe
PID 2244 wrote to memory of 4756	2244	cmd.exe	takeown.exe
PID 2244 wrote to memory of 4756	2244	cmd.exe	takeown.exe
PID 2244 wrote to memory of 264	2244	cmd.exe	icacls.exe
PID 2244 wrote to memory of 264	2244	cmd.exe	icacls.exe
PID 2244 wrote to memory of 3972	2244	cmd.exe	takeown.exe
PID 2244 wrote to memory of 3972	2244	cmd.exe	takeown.exe
PID 2244 wrote to memory of 1768	2244	cmd.exe	icacls.exe
PID 2244 wrote to memory of 1768	2244	cmd.exe	icacls.exe
PID 2244 wrote to memory of 4412	2244	cmd.exe	takeown.exe
PID 2244 wrote to memory of 4412	2244	cmd.exe	takeown.exe
PID 2244 wrote to memory of 4052	2244	cmd.exe	icacls.exe
PID 2244 wrote to memory of 4052	2244	cmd.exe	icacls.exe
PID 2244 wrote to memory of 4872	2244	cmd.exe	takeown.exe
PID 2244 wrote to memory of 4872	2244	cmd.exe	takeown.exe
PID 2244 wrote to memory of 3856	2244	cmd.exe	icacls.exe
PID 2244 wrote to memory of 3856	2244	cmd.exe	icacls.exe
PID 2244 wrote to memory of 3940	2244	cmd.exe	takeown.exe
PID 2244 wrote to memory of 3940	2244	cmd.exe	takeown.exe
PID 2244 wrote to memory of 4488	2244	cmd.exe	icacls.exe
PID 2244 wrote to memory of 4488	2244	cmd.exe	icacls.exe
PID 2244 wrote to memory of 2116	2244	cmd.exe	takeown.exe
PID 2244 wrote to memory of 2116	2244	cmd.exe	takeown.exe
PID 2244 wrote to memory of 1344	2244	cmd.exe	icacls.exe
PID 2244 wrote to memory of 1344	2244	cmd.exe	icacls.exe
PID 2244 wrote to memory of 1920	2244	cmd.exe	takeown.exe
PID 2244 wrote to memory of 1920	2244	cmd.exe	takeown.exe
PID 2244 wrote to memory of 2816	2244	cmd.exe	icacls.exe
PID 2244 wrote to memory of 2816	2244	cmd.exe	icacls.exe
PID 2244 wrote to memory of 4524	2244	cmd.exe	takeown.exe
PID 2244 wrote to memory of 4524	2244	cmd.exe	takeown.exe
PID 2244 wrote to memory of 1864	2244	cmd.exe	icacls.exe
PID 2244 wrote to memory of 1864	2244	cmd.exe	icacls.exe
PID 2244 wrote to memory of 1620	2244	cmd.exe	takeown.exe
PID 2244 wrote to memory of 1620	2244	cmd.exe	takeown.exe
PID 2244 wrote to memory of 2964	2244	cmd.exe	icacls.exe
PID 2244 wrote to memory of 2964	2244	cmd.exe	icacls.exe
PID 1668 wrote to memory of 3436	1668	wscript.exe	shutdown.exe
PID 1668 wrote to memory of 3436	1668	wscript.exe	shutdown.exe
PID 4836 wrote to memory of 2080	4836	LogonUI.exe	wscript.exe
PID 4836 wrote to memory of 2080	4836	LogonUI.exe	wscript.exe
PID 2080 wrote to memory of 1888	2080	wscript.exe	cmd.exe
PID 2080 wrote to memory of 1888	2080	wscript.exe	cmd.exe
PID 1888 wrote to memory of 924	1888	cmd.exe	tasklist.exe
PID 1888 wrote to memory of 924	1888	cmd.exe	tasklist.exe
PID 2080 wrote to memory of 1724	2080	wscript.exe	cmd.exe
PID 2080 wrote to memory of 1724	2080	wscript.exe	cmd.exe

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

Processes:

wscript.exewscript.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wscript.exe

C:\Users\Admin\AppData\Local\Temp\trojan-leaks-main\Halloware (BerkayV).exe
"C:\Users\Admin\AppData\Local\Temp\trojan-leaks-main\Halloware (BerkayV).exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3744
- C:\Windows\system32\wscript.exe
  "C:\Windows\sysnative\wscript.exe" C:\Users\Admin\AppData\Local\Temp\EBAD.tmp\EBAE.vbs
  2⤵
  - UAC bypass
  - Checks computer location settings
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:4984
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c echo msgbox"Please wait while halloware infecting your computer",1+48,"Alert" > "C:\Users\Admin\AppData\Local\Temp\waitdude.vbs" & wscript.exe "C:\Users\Admin\AppData\Local\Temp\waitdude.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:960
  - - C:\Windows\system32\wscript.exe
      wscript.exe "C:\Users\Admin\AppData\Local\Temp\waitdude.vbs"
      4⤵
      PID:4108
- - C:\Windows\System32\wscript.exe
    "C:\Windows\System32\wscript.exe" "C:\Program files\halloware\takeact.vbs" RunAsAdministrator
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Disables RegEdit via registry modification
    - Checks computer location settings
    - Modifies system executable filetype association
    - Modifies Control Panel
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:1668
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Program Files\Halloware\takeown.bat"
      4⤵
      Drops file in System32 directory
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious use of WriteProcessMemory
      PID:2244
    - - C:\Windows\System32\takeown.exe
        
        takeown /f sethc.exe
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        Suspicious use of AdjustPrivilegeToken
        
        PID:4584
    - - C:\Windows\System32\icacls.exe
        
        icacls sethc.exe /granted "Admin":F /q
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:3332
    - - C:\Windows\System32\takeown.exe
        
        takeown /f csrss.exe
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        Suspicious use of AdjustPrivilegeToken
        
        PID:4756
    - - C:\Windows\System32\icacls.exe
        
        icacls csrss.exe /granted "Admin":F /q
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:264
    - - C:\Windows\System32\takeown.exe
        
        takeown /f winload.exe
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        Suspicious use of AdjustPrivilegeToken
        
        PID:3972
    - - C:\Windows\System32\icacls.exe
        
        icacls winload.exe /granted "Admin":F /q
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:1768
    - - C:\Windows\System32\takeown.exe
        
        takeown /f logonUI.exe
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        Suspicious use of AdjustPrivilegeToken
        
        PID:4412
    - - C:\Windows\System32\icacls.exe
        
        icacls logonUI.exe /granted "Admin":F /q
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:4052
    - - C:\Windows\System32\takeown.exe
        
        takeown /f bcdedit.exe
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        Suspicious use of AdjustPrivilegeToken
        
        PID:4872
    - - C:\Windows\System32\icacls.exe
        
        icacls bcdedit.exe /granted "Admin":F /q
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:3856
    - - C:\Windows\system32\takeown.exe
        
        takeown /f explorer.exe
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        Suspicious use of AdjustPrivilegeToken
        
        PID:3940
    - - C:\Windows\system32\icacls.exe
        
        icacls explorer.exe /granted "Admin":F /q
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:4488
    - - C:\Windows\system32\takeown.exe
        
        takeown /f notepad.exe
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        Suspicious use of AdjustPrivilegeToken
        
        PID:2116
    - - C:\Windows\system32\icacls.exe
        
        icacls sethc.exe /granted "Admin":F /q
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:1344
    - - C:\Windows\system32\takeown.exe
        
        takeown /f regedit.exe
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        Suspicious use of AdjustPrivilegeToken
        
        PID:1920
    - - C:\Windows\system32\icacls.exe
        
        icacls regedit.exe /granted "Admin":F /q
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:2816
    - - C:\Windows\System32\takeown.exe
        
        takeown /f taskmgr.exe
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        Suspicious use of AdjustPrivilegeToken
        
        PID:4524
    - - C:\Windows\System32\icacls.exe
        
        icacls taskmgr.exe /granted "Admin":F /q
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:1864
    - - C:\Windows\System32\takeown.exe
        
        takeown /f rundll32.exe
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        Suspicious use of AdjustPrivilegeToken
        
        PID:1620
    - - C:\Windows\System32\icacls.exe
        
        icacls rundll32.exe /granted "Admin":F /q
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:2964
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Program Files\halloware\findit.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2056
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq kosuyorum.exe"
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:3340
  - - C:\Windows\System32\shutdown.exe
      "C:\Windows\System32\shutdown.exe" -r -t 00
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3436

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3981055 /state1:0x41c64e6d
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:4836
- C:\Windows\system32\wscript.exe
  "C:\Windows\sysnative\wscript.exe" C:\Windows\Temp\2F6C.tmp\2F6D.vbs /flags:0x4 /state0:0xa3981055 /state1:0x41c64e6d
  2⤵
  - Modifies data under HKEY_USERS
  - Suspicious use of WriteProcessMemory
  PID:2080
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Program Files\halloware\findit.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1888
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq kosuyorum.exe"
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:924
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c cd\ & cd "Program Files"& cd Halloware & Kosuyorum.exe
    3⤵
    PID:1724
  - - C:\Program Files\Halloware\kosuyorum.exe
      Kosuyorum.exe
      4⤵
      Executes dropped EXE
      Modifies data under HKEY_USERS
      PID:4628
    - - C:\Windows\system32\wscript.exe
        
        "C:\Windows\sysnative\wscript.exe" C:\Windows\Temp\3A2A.tmp\3A2B.vbs
        5⤵
        Modifies data under HKEY_USERS
        
        PID:1104
      - C:\Program Files\halloware\Hware.exe
        
        "C:\Program Files\halloware\Hware.exe"
        6⤵
        Executes dropped EXE
        
        PID:3372

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4ec 0x4e8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1080

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa39a9055 /state1:0x41c64e6d
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:948
- C:\Windows\system32\wscript.exe
  "C:\Windows\sysnative\wscript.exe" C:\Windows\Temp\1930.tmp\1931.vbs /flags:0x0 /state0:0xa39a9055 /state1:0x41c64e6d
  2⤵
  - Modifies data under HKEY_USERS
  PID:3824
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Program Files\halloware\findit.bat" "
    3⤵
    PID:4760
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq kosuyorum.exe"
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:3940

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa394a055 /state1:0x41c64e6d
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:3364
- C:\Windows\system32\wscript.exe
  "C:\Windows\sysnative\wscript.exe" C:\Windows\Temp\381.tmp\382.vbs /flags:0x0 /state0:0xa394a055 /state1:0x41c64e6d
  2⤵
  - Modifies data under HKEY_USERS
  PID:4668
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Program Files\halloware\findit.bat" "
    3⤵
    PID:3392
  - - C:\Windows\system32\tasklist.exe
      tasklist /FI "IMAGENAME eq kosuyorum.exe"
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:464

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Change Default File Association

T1042

Winlogon Helper DLL

T1004

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Halloware\Hware.exe

Filesize
7.5MB

MD5
5b457c190f21d6dace76b0495f4aa07c

SHA1
289ec2d9541eb6734d187556955f1386196508e2

SHA256
a516f678551bdd89e8543483700c329dd5b1f661dea8fdbb6421a57824906c4e

SHA512
a9b315835b68ac4ffe3a4e5eb720d8cacae62fb01377b0d47b86b7b10b526e03fbecbe41140140c305a99e6c00020b6bf1562b09495ae4ba7133616351e78527

Download Submit
C:\Program Files\Halloware\inyer.wav

Filesize
7.5MB

MD5
c1c8536e675d25027c962abe0d3faf43

SHA1
13e6375da0162b19db7f8ad74640ce80b8aa73c4

SHA256
f143806d771cc73065dfe593d23c46fb0d0946c88c0934d6624f79fcc246e4b3

SHA512
c0c6769fa1adccbe616fe24241a93f283aca18acfe7da09ab776b8cd106bbf88811929b8080b85529f3015e70ee54d87c0ff70a636b4494858d9e9504cac6768

Download Submit
C:\Program Files\Halloware\kosuyorum.exe

Filesize
58KB

MD5
7eba5d99235b23ca60597c8aa970f47f

SHA1
7d0c86680e2c32e709baa4907e9e4eeba51bedad

SHA256
5d8d77501ee9745ede78a2a93d035275b2feffc1f96d2c312ac71cadaa2cf5fb

SHA512
80301c3de8ec2f1ab2e56df73010d5eae73b2fcd0fd31a7b288f282a33807a56073412f9d85b1e5d21635fa9d51fce7615158bf52ae9dea60f14a9ff3fbeae87

Download Submit
C:\Program Files\Halloware\takeown.bat

Filesize
1KB

MD5
d477e71d1d7080cf90aba3100b9c761a

SHA1
7642aa8aeabd847519cfd20ae7d7f2d8edb83914

SHA256
3482c840695951907b291f979a6f8e98246a3b4ec119c9947d2a9e9676067710

SHA512
cc47c86a904bd2462f1a396ede5f1ea5b0c3eb6f5e6c6e6d966975612249958d9814910450aeff7c6d056bcf9893315a989dbd99b34111db7078592ef325563d

Download Submit
C:\Program Files\halloware\Hware.exe

Filesize
7.5MB

MD5
5b457c190f21d6dace76b0495f4aa07c

SHA1
289ec2d9541eb6734d187556955f1386196508e2

SHA256
a516f678551bdd89e8543483700c329dd5b1f661dea8fdbb6421a57824906c4e

SHA512
a9b315835b68ac4ffe3a4e5eb720d8cacae62fb01377b0d47b86b7b10b526e03fbecbe41140140c305a99e6c00020b6bf1562b09495ae4ba7133616351e78527

Download Submit
C:\Program Files\halloware\data\fakelogon.exe

Filesize
58KB

MD5
8f9b8205dba67cf950f20e3a0efbcc3a

SHA1
b50651abd1bcc78c374847caa36a44110d87d5cd

SHA256
43ce074b438577b487f6a7e31a877477d1d294e5c1b9c979b30a23fb12c13fa5

SHA512
4dc26fb94004d3dafeb95126ce07fd51e095b6327375448a70fe3aa9e5ca36d8424ffa572810cf2399afa3c0bc4fccdbb46f51c5fb783729d6fd2faa3044a505

Download Submit
C:\Program Files\halloware\findit.bat

Filesize
85B

MD5
54de83a183d4520fad36ad02d9747e63

SHA1
15caddac8a52ae3632510292e6eb6bf9a728ae45

SHA256
165141a4cd207304eb0d0e49cb33364ca74acf521a2f0a002bc60f14fe19378e

SHA512
fa5a20b2ec169f4573a859e1cef294330fe0ce700f043de634b2d6f8832ac67a17185dc48ce433b5b9ba43eb2d703f9b0a3ac37014cbc55e467125674d09707e

Download Submit
C:\Program files\halloware\takeact.vbs

Filesize
2KB

MD5
cfad575eb56b1059f428ed81fc4194d5

SHA1
ff91f34a63f7fa01090643191b39d5742ef8ffe0

SHA256
43f18ae77ca9e61dc76be9ea5aabf81776372a3e26ae03a33af5eecfd8db4e70

SHA512
c9832b50f3545419368ec5c655c9451037cdc3a78546c2306698c27f735bd25dedcbb9579ae482cca41583e58ce990ea10a55c9b12332bccd4694dc3f2f2835f

Download Submit
C:\Users\Admin\AppData\Local\Temp\EBAD.tmp\EBAE.vbs

Filesize
1KB

MD5
889a8f5bb195b72c33c48448fd516a1c

SHA1
744b4c40d2527a98e589cc8a04735cfdb92f5079

SHA256
45ebca60ff5d7e0cb71bc0e310b34fd4aeee5de0c7aba895d979742bcfa0559a

SHA512
3251f61b5a4c9daaae9c9725aaea8d6b7cdfaa4523711f742046f7c78473d9b554932e38a4e3eaa4f4c4bcf87ff562ea2599c7ec4781e67e8f2c499b0cafe367

Download Submit
C:\Users\Admin\AppData\Local\Temp\EBAD.tmp\fileler\Hware.exe

Filesize
7.5MB

MD5
5b457c190f21d6dace76b0495f4aa07c

SHA1
289ec2d9541eb6734d187556955f1386196508e2

SHA256
a516f678551bdd89e8543483700c329dd5b1f661dea8fdbb6421a57824906c4e

SHA512
a9b315835b68ac4ffe3a4e5eb720d8cacae62fb01377b0d47b86b7b10b526e03fbecbe41140140c305a99e6c00020b6bf1562b09495ae4ba7133616351e78527

Download Submit
C:\Users\Admin\AppData\Local\Temp\EBAD.tmp\fileler\bin\@tile@@.jpg

Filesize
17KB

MD5
bfd5ee0327c8d108bd8e2d851a9ed06a

SHA1
55221d5e1d383cdff5bf0d7694d57bcde09d2faf

SHA256
25f194995cf4073a0c2e6625c3ad0514848cc5e4224f5c726e5d73bc81b694d1

SHA512
1c456da1da57c0711a2277ffd02e7136d2c1b3d16a3d36dfc66ac67e3f4e9c1d3ca7b536e057da7cd4c37a59c0ded2ea9d5d2ac6cf729d1ccd50d91017ede219

Download Submit
C:\Users\Admin\AppData\Local\Temp\EBAD.tmp\fileler\bin\pump.ico

Filesize
178KB

MD5
5df1f3790dd3b9df63f12a6f13277338

SHA1
7de32dc31c5360aea9024cd02bd4643e11fe2119

SHA256
c1d88f290da08027adc76649f54db6b352b76149dc2b3d9cddb7cf50d8af0cff

SHA512
fe858c60c3312a40a88cb5aa9a8ee9483d38973cecb356f55ab6dfa422eed25820dbe75bb40301849c9931e0ab8571af5b8102c082b518116343e50ff40c3d27

Download Submit
C:\Users\Admin\AppData\Local\Temp\EBAD.tmp\fileler\bin\pumpcur.cur

Filesize
4KB

MD5
d7197b2f55db9bd83c859a5e8b46a0d7

SHA1
598af4d8bcc14c411c48454dfb0caa2e79c1728d

SHA256
6cee1cb2cf41b5c0fd969ed062b9d4e2c1f7c921cd886d1df1b0725a301074f0

SHA512
7f55208ee395bf6d063ab0af26b0a8e64e3d4fcacf4958db8577183c7588e7be51b6a7144e28f067d8bab7fca34e1100b0e37750bb8b16b5c02492f4d315a366

Download Submit
C:\Users\Admin\AppData\Local\Temp\EBAD.tmp\fileler\data\fakelogon.exe

Filesize
58KB

MD5
8f9b8205dba67cf950f20e3a0efbcc3a

SHA1
b50651abd1bcc78c374847caa36a44110d87d5cd

SHA256
43ce074b438577b487f6a7e31a877477d1d294e5c1b9c979b30a23fb12c13fa5

SHA512
4dc26fb94004d3dafeb95126ce07fd51e095b6327375448a70fe3aa9e5ca36d8424ffa572810cf2399afa3c0bc4fccdbb46f51c5fb783729d6fd2faa3044a505

Download Submit
C:\Users\Admin\AppData\Local\Temp\EBAD.tmp\fileler\delc.bat

Filesize
258B

MD5
40e381411edd280ece4372ff39f721c5

SHA1
6d90aada218e0cdeadf0fa4c83f90dbcfe2258cd

SHA256
1e6eeb8f777e1ecf1fa728e64134f979f9451ada735dc03d42c6fdf55de987bc

SHA512
195b9df9fd49af3b9aa355589219cfa2161c363d979f3b4a6ea9c20e3849f48dbee731f7cde76ca5c4c910f25f89499b4363740897b708acc09b9871b8494d3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\EBAD.tmp\fileler\fakelogon.vbs

Filesize
572B

MD5
2ee899c0289cb575bf4852ac5d164f9d

SHA1
33e1e4c5a6facd78736998c6673ca6ec88e62fe7

SHA256
164c41744381d3ded7d2e95e76313763be9acfc21ea082f7126c149b1c287fe2

SHA512
1edfa4b05cb738a3521918b23c5bd2e621e31ec5d19886d30675c14f9c6f5742ebf6572c14d33726ec1a9d468f324195fd33d3dce2ae1be1185712dab2f20baf

Download Submit
C:\Users\Admin\AppData\Local\Temp\EBAD.tmp\fileler\findit.bat

Filesize
85B

MD5
54de83a183d4520fad36ad02d9747e63

SHA1
15caddac8a52ae3632510292e6eb6bf9a728ae45

SHA256
165141a4cd207304eb0d0e49cb33364ca74acf521a2f0a002bc60f14fe19378e

SHA512
fa5a20b2ec169f4573a859e1cef294330fe0ce700f043de634b2d6f8832ac67a17185dc48ce433b5b9ba43eb2d703f9b0a3ac37014cbc55e467125674d09707e

Download Submit
C:\Users\Admin\AppData\Local\Temp\EBAD.tmp\fileler\iQShell.vbs

Filesize
1KB

MD5
889a8f5bb195b72c33c48448fd516a1c

SHA1
744b4c40d2527a98e589cc8a04735cfdb92f5079

SHA256
45ebca60ff5d7e0cb71bc0e310b34fd4aeee5de0c7aba895d979742bcfa0559a

SHA512
3251f61b5a4c9daaae9c9725aaea8d6b7cdfaa4523711f742046f7c78473d9b554932e38a4e3eaa4f4c4bcf87ff562ea2599c7ec4781e67e8f2c499b0cafe367

Download Submit
C:\Users\Admin\AppData\Local\Temp\EBAD.tmp\fileler\intf.wav

Filesize
7.5MB

MD5
5794a32dfeb072f764ab82fffa4d309d

SHA1
36d2dbdddd3b5ebc7d7bbd04d5fe3c46e4be39d0

SHA256
1eeee51a2b501f8b2f77d4f75fb415b7d0b99355fd80e8b4740a4e768996e400

SHA512
c2a2602257b86af9729a64c362b8e8711867e6cf2c0bb02d44711ccdac1514d4d80baefc7f16e595390bfe04d66a2aada88dab2d5442e390633123db6e4104f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\EBAD.tmp\fileler\inyer.wav

Filesize
7.5MB

MD5
c1c8536e675d25027c962abe0d3faf43

SHA1
13e6375da0162b19db7f8ad74640ce80b8aa73c4

SHA256
f143806d771cc73065dfe593d23c46fb0d0946c88c0934d6624f79fcc246e4b3

SHA512
c0c6769fa1adccbe616fe24241a93f283aca18acfe7da09ab776b8cd106bbf88811929b8080b85529f3015e70ee54d87c0ff70a636b4494858d9e9504cac6768

Download Submit
C:\Users\Admin\AppData\Local\Temp\EBAD.tmp\fileler\kosuyorum.exe

Filesize
58KB

MD5
7eba5d99235b23ca60597c8aa970f47f

SHA1
7d0c86680e2c32e709baa4907e9e4eeba51bedad

SHA256
5d8d77501ee9745ede78a2a93d035275b2feffc1f96d2c312ac71cadaa2cf5fb

SHA512
80301c3de8ec2f1ab2e56df73010d5eae73b2fcd0fd31a7b288f282a33807a56073412f9d85b1e5d21635fa9d51fce7615158bf52ae9dea60f14a9ff3fbeae87

Download Submit
C:\Users\Admin\AppData\Local\Temp\EBAD.tmp\fileler\permaban.vbs

Filesize
357B

MD5
b343125051c1c6e3089b4820446bafab

SHA1
ee1d90b463d9f911d032a520df6b5066aca7fa50

SHA256
a78161a3b89248d65ae00630eb33d3c934b6c7c3086f373fdd52d58756b20a8a

SHA512
ecc6f407892dfa438eab22a67c004760599b8b5fea747ac5c7274180424d2ea95e1e13b10dd8026d641537ef666b74ca5251428eb567cd55241d6334ae64d881

Download Submit
C:\Users\Admin\AppData\Local\Temp\EBAD.tmp\fileler\screwup.vbs

Filesize
61B

MD5
6a51becc27363870d2e17a43a9bb4bf0

SHA1
201a12e580cfa5bfac8cbc0c6936fd9cd60a349a

SHA256
778cb71c42d697f365084ba1c0f499324bfdcdd67054644d8ff336af9c3e7f80

SHA512
ca843d2b3072a7c3b939207c60069e5f4a0fd7a17d7bfb513b9739d9d25fd24148f17540867037e5793aab067dbbcf760df22d865fc5e511d7617f1f56c4efc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\EBAD.tmp\fileler\takeact.vbs

Filesize
2KB

MD5
cfad575eb56b1059f428ed81fc4194d5

SHA1
ff91f34a63f7fa01090643191b39d5742ef8ffe0

SHA256
43f18ae77ca9e61dc76be9ea5aabf81776372a3e26ae03a33af5eecfd8db4e70

SHA512
c9832b50f3545419368ec5c655c9451037cdc3a78546c2306698c27f735bd25dedcbb9579ae482cca41583e58ce990ea10a55c9b12332bccd4694dc3f2f2835f

Download Submit
C:\Users\Admin\AppData\Local\Temp\EBAD.tmp\fileler\takeown.bat

Filesize
1KB

MD5
d477e71d1d7080cf90aba3100b9c761a

SHA1
7642aa8aeabd847519cfd20ae7d7f2d8edb83914

SHA256
3482c840695951907b291f979a6f8e98246a3b4ec119c9947d2a9e9676067710

SHA512
cc47c86a904bd2462f1a396ede5f1ea5b0c3eb6f5e6c6e6d966975612249958d9814910450aeff7c6d056bcf9893315a989dbd99b34111db7078592ef325563d

Download Submit
C:\Users\Admin\AppData\Local\Temp\EBAD.tmp\fileler\template.vbs

Filesize
402B

MD5
1c04a184e8ba8025bb98cd1734a93b68

SHA1
55f09dde9ae0cebdbe23893c6dbc42549a23a912

SHA256
98ddf649d3cafb5130069be87e569082d9dc780ce11f0dc0208348acff0baa55

SHA512
60bbfe5cab8e10589a6e24a46d86138f5161579b207b9b8349a8680a84996d94430ef65afdc1bfa124b8b8c93ae68b932a3dfc6a45a418a89453d784670fd296

Download Submit
C:\Users\Admin\AppData\Local\Temp\waitdude.vbs

Filesize
76B

MD5
f1fbb313731d2b699a48c588486e7f0d

SHA1
d70c472a451b074ebd1cf55a42bc8843fa9cfd2f

SHA256
c1430e747ddc860d216c77a7445dbc8cf5fc4bee4bca47521333148dd93a3e6a

SHA512
12d10b8ac14327b2874dd68b9b0b3d29add7fc96cd371e7ab74e25cb69b42b7a79a16b4ac489cb51214014035baf6ba0c48ec1a123b265c57b57d25939e6bf2e

Download Submit
C:\Windows\System32\LogonUI.exe

Filesize
58KB

MD5
8f9b8205dba67cf950f20e3a0efbcc3a

SHA1
b50651abd1bcc78c374847caa36a44110d87d5cd

SHA256
43ce074b438577b487f6a7e31a877477d1d294e5c1b9c979b30a23fb12c13fa5

SHA512
4dc26fb94004d3dafeb95126ce07fd51e095b6327375448a70fe3aa9e5ca36d8424ffa572810cf2399afa3c0bc4fccdbb46f51c5fb783729d6fd2faa3044a505

Download Submit
C:\Windows\System32\LogonUI.exe

Filesize
58KB

MD5
8f9b8205dba67cf950f20e3a0efbcc3a

SHA1
b50651abd1bcc78c374847caa36a44110d87d5cd

SHA256
43ce074b438577b487f6a7e31a877477d1d294e5c1b9c979b30a23fb12c13fa5

SHA512
4dc26fb94004d3dafeb95126ce07fd51e095b6327375448a70fe3aa9e5ca36d8424ffa572810cf2399afa3c0bc4fccdbb46f51c5fb783729d6fd2faa3044a505

Download Submit
C:\Windows\System32\LogonUI.exe

Filesize
58KB

MD5
8f9b8205dba67cf950f20e3a0efbcc3a

SHA1
b50651abd1bcc78c374847caa36a44110d87d5cd

SHA256
43ce074b438577b487f6a7e31a877477d1d294e5c1b9c979b30a23fb12c13fa5

SHA512
4dc26fb94004d3dafeb95126ce07fd51e095b6327375448a70fe3aa9e5ca36d8424ffa572810cf2399afa3c0bc4fccdbb46f51c5fb783729d6fd2faa3044a505

Download Submit
C:\Windows\System32\LogonUI.exe

Filesize
58KB

MD5
8f9b8205dba67cf950f20e3a0efbcc3a

SHA1
b50651abd1bcc78c374847caa36a44110d87d5cd

SHA256
43ce074b438577b487f6a7e31a877477d1d294e5c1b9c979b30a23fb12c13fa5

SHA512
4dc26fb94004d3dafeb95126ce07fd51e095b6327375448a70fe3aa9e5ca36d8424ffa572810cf2399afa3c0bc4fccdbb46f51c5fb783729d6fd2faa3044a505

Download Submit
C:\Windows\Temp\1930.tmp\1931.vbs

Filesize
572B

MD5
2ee899c0289cb575bf4852ac5d164f9d

SHA1
33e1e4c5a6facd78736998c6673ca6ec88e62fe7

SHA256
164c41744381d3ded7d2e95e76313763be9acfc21ea082f7126c149b1c287fe2

SHA512
1edfa4b05cb738a3521918b23c5bd2e621e31ec5d19886d30675c14f9c6f5742ebf6572c14d33726ec1a9d468f324195fd33d3dce2ae1be1185712dab2f20baf

Download Submit
C:\Windows\Temp\1930.tmp\1931.vbs

Filesize
572B

MD5
2ee899c0289cb575bf4852ac5d164f9d

SHA1
33e1e4c5a6facd78736998c6673ca6ec88e62fe7

SHA256
164c41744381d3ded7d2e95e76313763be9acfc21ea082f7126c149b1c287fe2

SHA512
1edfa4b05cb738a3521918b23c5bd2e621e31ec5d19886d30675c14f9c6f5742ebf6572c14d33726ec1a9d468f324195fd33d3dce2ae1be1185712dab2f20baf

Download Submit
C:\Windows\Temp\2F6C.tmp\2F6D.vbs

Filesize
572B

MD5
2ee899c0289cb575bf4852ac5d164f9d

SHA1
33e1e4c5a6facd78736998c6673ca6ec88e62fe7

SHA256
164c41744381d3ded7d2e95e76313763be9acfc21ea082f7126c149b1c287fe2

SHA512
1edfa4b05cb738a3521918b23c5bd2e621e31ec5d19886d30675c14f9c6f5742ebf6572c14d33726ec1a9d468f324195fd33d3dce2ae1be1185712dab2f20baf

Download Submit
C:\Windows\Temp\381.tmp\382.vbs

Filesize
572B

MD5
2ee899c0289cb575bf4852ac5d164f9d

SHA1
33e1e4c5a6facd78736998c6673ca6ec88e62fe7

SHA256
164c41744381d3ded7d2e95e76313763be9acfc21ea082f7126c149b1c287fe2

SHA512
1edfa4b05cb738a3521918b23c5bd2e621e31ec5d19886d30675c14f9c6f5742ebf6572c14d33726ec1a9d468f324195fd33d3dce2ae1be1185712dab2f20baf

Download Submit
C:\logfilex7\msc.ddd

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\logfilex7\msc.ddd

Filesize
64B

MD5
dea052a2ad11945b1960577c0192f2eb

SHA1
1d02626a05a546a90c05902b2551f32c20eb3708

SHA256
943b315e065238b7073b033f534ef954b6b6461fb3f03a3f5b8555b11bc4c0a2

SHA512
5496b10e2a77aee11055d71bdaaed835df1770e85fa4d0f9433330470bbcf76c932c04778a0b47f4193eee14813db2e2b19ecc50b4a6a193faa19b4019705917

Download Submit
C:\logfilex7\msc.ddd

Filesize
236B

MD5
a28603e8fa4199a291df6cf3a7ea3b60

SHA1
95665f4f2ffbbb27da4d27e9fa4efb85833d3c85

SHA256
7bf108861ff88bf4d49dcce9b4b6b4c33ada72fe3e3fad7872644af8d34ea1c5

SHA512
64857601dcecbfeeed715f011635462a413806167bd7cd75788601de0304dd8a25faeadabed61edf42b2eaaba7d33c93c1a8c3a81b383410ed7333a3feb1307c

Download Submit
C:\logfilex7\msc.ddd

Filesize
236B

MD5
19fc45d80964f9ba7cd8dfe32194afd9

SHA1
5c21ce2291720cf5a00d0df0ff8a7f3c68d61c7d

SHA256
ef8a532f730b17ceb22740245c55c732fde8015033664034c89217b767775902

SHA512
af8504c70885fb566f78e9d6dba25d0159b926031834b1e207a892d9dcc84f7af238ae34fd0a115167257f0db6cc1fb43bff84f41637c5c72252c8731456844d

Download Submit
memory/3372-249-0x0000000004A90000-0x0000000004AA0000-memory.dmp

Filesize
64KB

Download
memory/3372-247-0x0000000004A90000-0x0000000004AA0000-memory.dmp

Filesize
64KB

Download
memory/3372-246-0x00000000049E0000-0x00000000049EA000-memory.dmp

Filesize
40KB

Download
memory/3372-245-0x0000000004840000-0x00000000048D2000-memory.dmp

Filesize
584KB

Download
memory/3372-244-0x0000000004CF0000-0x0000000005294000-memory.dmp

Filesize
5.6MB

Download
memory/3372-243-0x0000000000AD0000-0x0000000001254000-memory.dmp

Filesize
7.5MB

Download