Resubmissions

  • 09-05-2023 19:22  230509-x3fn4adg58  10
  • 09-05-2023 19:14  230509-xxsrgaff7x  10
  • 09-05-2023 19:14  230509-xxr5yadg42  7
  • 09-05-2023 19:14  230509-xxrt6sff7w  8
  • 09-05-2023 19:14  230509-xxrjeaff7v  8
  • 09-05-2023 19:14  230509-xxqxwadg39  7
  • 09-05-2023 19:14  230509-xxql4sff7t  10
  • 09-05-2023 19:14  230509-xxqbcadg38  7
  • 09-05-2023 19:10  230509-xvl6xadf64  10

Analysis

  • max time kernel
    149s
  • max time network
    182s
  • platform
    windows10-1703_x64
  • resource
    win10-20230220-en
  • resource tags
    arch:x64, arch:x86, image:win10-20230220-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    09-05-2023 19:14

General

  • Target

    trojan-leaks-main/Halloware (BerkayV).exe

  • Size

    23.1MB

  • MD5

    2701cf0c52d8d8d961f21f9952af15e7

  • SHA1

    d8b9de327f95ba090e5606862003419388fc3dc7

  • SHA256

    616830e93c33240ff157b4eeeab1d1a3e9891d6410139afdbd4d01f075da0933

  • SHA512

    b4798cd526b116e943f3cba6f58175185898e374efd4ab7afe012495858c7997fb1fba1dac284ae4aa484dfc5f70b6240ad1281d90c9a3642e49edd95ab39110

  • SSDEEP

    196608:puv1iLrYSZWLN0dLeGyI8bMU+Ns3tlHO8:UdiHZZWLN1cu3tlHF

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • UAC bypass 3 TTPs 2 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Disables Task Manager via registry modification
  • Possible privilege escalation attempt 20 IoCs
  • Executes dropped EXE 5 IoCs
  • Modifies file permissions 1 TTPs 20 IoCs
  • Modifies system executable filetype association 2 TTPs 2 IoCs
  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 38 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates processes with tasklist 1 TTPs 4 IoCs
  • Modifies Control Panel 4 IoCs
  • Modifies data under HKEY_USERS 59 IoCs
  • Modifies registry class 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 18 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\trojan-leaks-main\Halloware (BerkayV).exe
    "C:\Users\Admin\AppData\Local\Temp\trojan-leaks-main\Halloware (BerkayV).exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4892
    • C:\Windows\System32\wscript.exe
      "C:\Windows\sysnative\wscript.exe" C:\Users\Admin\AppData\Local\Temp\2635.tmp\2636.vbs
      2⤵
      • UAC bypass
      • Drops file in Program Files directory
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:2424
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c echo msgbox"Please wait while halloware infecting your computer",1+48,"Alert" > "C:\Users\Admin\AppData\Local\Temp\waitdude.vbs" & wscript.exe "C:\Users\Admin\AppData\Local\Temp\waitdude.vbs"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3756
        • C:\Windows\system32\wscript.exe
          wscript.exe "C:\Users\Admin\AppData\Local\Temp\waitdude.vbs"
          4⤵
            PID:2248
        • C:\Windows\System32\wscript.exe
          "C:\Windows\System32\wscript.exe" "C:\Program files\halloware\takeact.vbs" RunAsAdministrator
          3⤵
          • Modifies WinLogon for persistence
          • UAC bypass
          • Disables RegEdit via registry modification
          • Modifies system executable filetype association
          • Modifies Control Panel
          • Modifies registry class
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:4168
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Program Files\Halloware\takeown.bat"
            4⤵
            • Drops file in System32 directory
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Suspicious use of WriteProcessMemory
            PID:1636
            • C:\Windows\System32\takeown.exe
              takeown /f sethc.exe
              5⤵
              • Possible privilege escalation attempt
              • Modifies file permissions
              • Suspicious use of AdjustPrivilegeToken
              PID:4428
            • C:\Windows\System32\icacls.exe
              icacls sethc.exe /granted "Admin":F /q
              5⤵
              • Possible privilege escalation attempt
              • Modifies file permissions
              PID:4956
            • C:\Windows\System32\takeown.exe
              takeown /f csrss.exe
              5⤵
              • Possible privilege escalation attempt
              • Modifies file permissions
              • Suspicious use of AdjustPrivilegeToken
              PID:5012
            • C:\Windows\System32\icacls.exe
              icacls csrss.exe /granted "Admin":F /q
              5⤵
              • Possible privilege escalation attempt
              • Modifies file permissions
              PID:4748
            • C:\Windows\System32\takeown.exe
              takeown /f winload.exe
              5⤵
              • Possible privilege escalation attempt
              • Modifies file permissions
              • Suspicious use of AdjustPrivilegeToken
              PID:4776
            • C:\Windows\System32\icacls.exe
              icacls winload.exe /granted "Admin":F /q
              5⤵
              • Possible privilege escalation attempt
              • Modifies file permissions
              PID:3388
            • C:\Windows\System32\takeown.exe
              takeown /f logonUI.exe
              5⤵
              • Possible privilege escalation attempt
              • Modifies file permissions
              • Suspicious use of AdjustPrivilegeToken
              PID:3372
            • C:\Windows\System32\icacls.exe
              icacls logonUI.exe /granted "Admin":F /q
              5⤵
              • Possible privilege escalation attempt
              • Modifies file permissions
              PID:4768
            • C:\Windows\System32\takeown.exe
              takeown /f bcdedit.exe
              5⤵
              • Possible privilege escalation attempt
              • Modifies file permissions
              • Suspicious use of AdjustPrivilegeToken
              PID:5024
            • C:\Windows\System32\icacls.exe
              icacls bcdedit.exe /granted "Admin":F /q
              5⤵
              • Possible privilege escalation attempt
              • Modifies file permissions
              PID:5004
            • C:\Windows\system32\takeown.exe
              takeown /f explorer.exe
              5⤵
              • Possible privilege escalation attempt
              • Modifies file permissions
              • Suspicious use of AdjustPrivilegeToken
              PID:4980
            • C:\Windows\system32\icacls.exe
              icacls explorer.exe /granted "Admin":F /q
              5⤵
              • Possible privilege escalation attempt
              • Modifies file permissions
              PID:5020
            • C:\Windows\system32\takeown.exe
              takeown /f notepad.exe
              5⤵
              • Possible privilege escalation attempt
              • Modifies file permissions
              • Suspicious use of AdjustPrivilegeToken
              PID:4900
            • C:\Windows\system32\icacls.exe
              icacls sethc.exe /granted "Admin":F /q
              5⤵
              • Possible privilege escalation attempt
              • Modifies file permissions
              PID:4936
            • C:\Windows\system32\takeown.exe
              takeown /f regedit.exe
              5⤵
              • Possible privilege escalation attempt
              • Modifies file permissions
              • Suspicious use of AdjustPrivilegeToken
              PID:4964
            • C:\Windows\system32\icacls.exe
              icacls regedit.exe /granted "Admin":F /q
              5⤵
              • Possible privilege escalation attempt
              • Modifies file permissions
              PID:4928
            • C:\Windows\System32\takeown.exe
              takeown /f taskmgr.exe
              5⤵
              • Possible privilege escalation attempt
              • Modifies file permissions
              • Suspicious use of AdjustPrivilegeToken
              PID:5116
            • C:\Windows\System32\icacls.exe
              icacls taskmgr.exe /granted "Admin":F /q
              5⤵
              • Possible privilege escalation attempt
              • Modifies file permissions
              PID:660
            • C:\Windows\System32\takeown.exe
              takeown /f rundll32.exe
              5⤵
              • Possible privilege escalation attempt
              • Modifies file permissions
              • Suspicious use of AdjustPrivilegeToken
              PID:656
            • C:\Windows\System32\icacls.exe
              icacls rundll32.exe /granted "Admin":F /q
              5⤵
              • Possible privilege escalation attempt
              • Modifies file permissions
              PID:4052
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /c ""C:\Program Files\halloware\findit.bat" "
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:1784
            • C:\Windows\system32\tasklist.exe
              tasklist /FI "IMAGENAME eq kosuyorum.exe"
              5⤵
              • Enumerates processes with tasklist
              • Suspicious use of AdjustPrivilegeToken
              PID:4436
          • C:\Windows\System32\shutdown.exe
            "C:\Windows\System32\shutdown.exe" -r -t 00
            4⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:1200
    • C:\Windows\system32\LogonUI.exe
      "LogonUI.exe" /flags:0x0 /state0:0xa3ad7055 /state1:0x41c64e6d
      1⤵
      • Executes dropped EXE
      • Modifies data under HKEY_USERS
      • Suspicious use of WriteProcessMemory
      PID:920
      • C:\Windows\System32\wscript.exe
        "C:\Windows\sysnative\wscript.exe" C:\Windows\Temp\6784.tmp\6785.vbs /flags:0x0 /state0:0xa3ad7055 /state1:0x41c64e6d
        2⤵
        • Modifies data under HKEY_USERS
        • Suspicious use of WriteProcessMemory
        PID:2032
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Program Files\halloware\findit.bat" "
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1484
          • C:\Windows\system32\tasklist.exe
            tasklist /FI "IMAGENAME eq kosuyorum.exe"
            4⤵
            • Enumerates processes with tasklist
            • Suspicious use of AdjustPrivilegeToken
            PID:2516
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /c cd\ & cd "Program Files"& cd Halloware & Kosuyorum.exe
          3⤵
            PID:208
            • C:\Program Files\Halloware\kosuyorum.exe
              Kosuyorum.exe
              4⤵
              • Executes dropped EXE
              • Modifies data under HKEY_USERS
              PID:4792
              • C:\Windows\System32\wscript.exe
                "C:\Windows\sysnative\wscript.exe" C:\Windows\Temp\71F4.tmp\71F5.vbs
                5⤵
                • Modifies data under HKEY_USERS
                PID:2144
                • C:\Program Files\halloware\Hware.exe
                  "C:\Program Files\halloware\Hware.exe"
                  6⤵
                  • Executes dropped EXE
                  • Modifies data under HKEY_USERS
                  PID:1076
      • C:\Windows\system32\AUDIODG.EXE
        C:\Windows\system32\AUDIODG.EXE 0x200
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:4144
      • C:\Windows\system32\LogonUI.exe
        "LogonUI.exe" /flags:0x0 /state0:0xa3ae9855 /state1:0x41c64e6d
        1⤵
        • Executes dropped EXE
        • Modifies data under HKEY_USERS
        PID:1560
        • C:\Windows\System32\wscript.exe
          "C:\Windows\sysnative\wscript.exe" C:\Windows\Temp\5138.tmp\5139.vbs /flags:0x0 /state0:0xa3ae9855 /state1:0x41c64e6d
          2⤵
          • Modifies data under HKEY_USERS
          PID:356
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /c ""C:\Program Files\halloware\findit.bat" "
            3⤵
              PID:2904
              • C:\Windows\system32\tasklist.exe
                tasklist /FI "IMAGENAME eq kosuyorum.exe"
                4⤵
                • Enumerates processes with tasklist
                • Suspicious use of AdjustPrivilegeToken
                PID:2624
        • C:\Windows\system32\LogonUI.exe
          "LogonUI.exe" /flags:0x0 /state0:0xa3af8055 /state1:0x41c64e6d
          1⤵
          • Executes dropped EXE
          • Modifies data under HKEY_USERS
          PID:4684
          • C:\Windows\System32\wscript.exe
            "C:\Windows\sysnative\wscript.exe" C:\Windows\Temp\3BA8.tmp\3BA9.vbs /flags:0x0 /state0:0xa3af8055 /state1:0x41c64e6d
            2⤵
            • Modifies data under HKEY_USERS
            PID:2596
            • C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /c ""C:\Program Files\halloware\findit.bat" "
              3⤵
                PID:4336
                • C:\Windows\system32\tasklist.exe
                  tasklist /FI "IMAGENAME eq kosuyorum.exe"
                  4⤵
                  • Enumerates processes with tasklist
                  • Suspicious use of AdjustPrivilegeToken
                  PID:4784

Network

MITRE ATT&CK Enterprise v6


Downloads
