eadaf26df948f0fd541f297e2f0bad435aa4bee5c97e4324ad767dacca77e29d

max time kernel
149s
max time network
182s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
09-05-2023 19:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

trojan-leaks-main/Halloware (BerkayV).exe
Size

23.1MB
MD5

2701cf0c52d8d8d961f21f9952af15e7
SHA1

d8b9de327f95ba090e5606862003419388fc3dc7
SHA256

616830e93c33240ff157b4eeeab1d1a3e9891d6410139afdbd4d01f075da0933
SHA512

b4798cd526b116e943f3cba6f58175185898e374efd4ab7afe012495858c7997fb1fba1dac284ae4aa484dfc5f70b6240ad1281d90c9a3642e49edd95ab39110
SSDEEP

196608:puv1iLrYSZWLN0dLeGyI8bMU+Ns3tlHO8:UdiHZZWLN1cu3tlHF

Score

10^/10

discovery evasion exploit persistence trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

wscript.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, wscript.exe \"C:\\Program Files\\Halloware\\permaban.vbs\""	wscript.exe

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

wscript.exewscript.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wscript.exe

Disables RegEdit via registry modification 1 IoCs

evasion

Processes:

wscript.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\disableregistrytools = "1"	wscript.exe

Disables Task Manager via registry modification
evasion

Possible privilege escalation attempt 20 IoCs

exploit

Processes:

takeown.exeicacls.exeicacls.exetakeown.exetakeown.exetakeown.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exe

pid	process
656	takeown.exe
4956	icacls.exe
3388	icacls.exe
4980	takeown.exe
4964	takeown.exe
4428	takeown.exe
5024	takeown.exe
5020	icacls.exe
4936	icacls.exe
4928	icacls.exe
660	icacls.exe
4748	icacls.exe
3372	takeown.exe
4768	icacls.exe
4900	takeown.exe
5116	takeown.exe
4052	icacls.exe
5012	takeown.exe
4776	takeown.exe
5004	icacls.exe

Executes dropped EXE 5 IoCs

Processes:

LogonUI.exekosuyorum.exeHware.exeLogonUI.exeLogonUI.exe

pid process

920 LogonUI.exe
4792 kosuyorum.exe
1076 Hware.exe
1560 LogonUI.exe
4684 LogonUI.exe

pid	process
920	LogonUI.exe
4792	kosuyorum.exe
1076	Hware.exe
1560	LogonUI.exe
4684	LogonUI.exe

Modifies file permissions 1 TTPs 20 IoCs

discovery

File and Directory Permissions Modification

T1222

Processes:

takeown.exetakeown.exeicacls.exetakeown.exeicacls.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exetakeown.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exeicacls.exetakeown.exe

pid	process
4428	takeown.exe
3372	takeown.exe
4936	icacls.exe
5116	takeown.exe
660	icacls.exe
4768	icacls.exe
5024	takeown.exe
5020	icacls.exe
4964	takeown.exe
4052	icacls.exe
4956	icacls.exe
4748	icacls.exe
4980	takeown.exe
4900	takeown.exe
4928	icacls.exe
5012	takeown.exe
4776	takeown.exe
3388	icacls.exe
5004	icacls.exe
656	takeown.exe

Modifies system executable filetype association 2 TTPs 2 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

wscript.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon\ = "C:\\Program Files\\Halloware\\bin\\pump.ico"	wscript.exe

Drops file in System32 directory 2 IoCs

Processes:

cmd.exe

description	ioc	process
File opened for modification	C:\Windows\System32\logonUI.exe	cmd.exe
File opened for modification	C:\Windows\System32\taskmgr.exe	cmd.exe

Drops file in Program Files directory 38 IoCs

Processes:

wscript.execmd.exe

description	ioc	process
File created	C:\Program Files\Halloware\fakelogon.vbs	wscript.exe
File created	C:\Program Files\Halloware\Hware.exe	wscript.exe
File created	C:\Program Files\Halloware\data\fakelogon.exe	wscript.exe
File opened for modification	C:\Program Files\Halloware\backup\csrss.bak	cmd.exe
File created	C:\Program Files\Halloware\backup\winload.bak	cmd.exe
File created	C:\Program Files\Halloware\backup\logonUI.bak	cmd.exe
File opened for modification	C:\Program Files\Halloware\backup\rundll32.bak	cmd.exe
File created	C:\Program Files\Halloware\bin\@tile@@.jpg	wscript.exe
File created	C:\Program Files\Halloware\inyer.wav	wscript.exe
File created	C:\Program Files\Halloware\takeact.vbs	wscript.exe
File opened for modification	C:\Program Files\Halloware\backup\logonUI.bak	cmd.exe
File created	C:\Program Files\Halloware\backup\notepad.bak	cmd.exe
File opened for modification	C:\Program Files\Halloware\backup\regedit.bak	cmd.exe
File created	C:\Program Files\Halloware\bin\pump.ico	wscript.exe
File created	C:\Program Files\Halloware\permaban.vbs	wscript.exe
File created	C:\Program Files\Halloware\screwup.vbs	wscript.exe
File created	C:\Program Files\Halloware\template.vbs	wscript.exe
File created	C:\Program Files\Halloware\backup\sethc.bak	cmd.exe
File created	C:\Program Files\Halloware\backup\bcdedit.bak	cmd.exe
File opened for modification	C:\Program Files\Halloware\backup\bcdedit.bak	cmd.exe
File opened for modification	C:\Program Files\Halloware\backup\taskmgr.bak	cmd.exe
File created	C:\Program Files\Halloware\intf.wav	wscript.exe
File created	C:\Program Files\Halloware\kosuyorum.exe	wscript.exe
File opened for modification	C:\Program Files\Halloware\backup\winload.bak	cmd.exe
File created	C:\Program Files\Halloware\backup\explorer.bak	cmd.exe
File opened for modification	C:\Program Files\Halloware\backup\notepad.bak	cmd.exe
File created	C:\Program Files\Halloware\backup\regedit.bak	cmd.exe
File created	C:\Program Files\Halloware\delc.bat	wscript.exe
File created	C:\Program Files\Halloware\findit.bat	wscript.exe
File created	C:\Program Files\Halloware\takeown.bat	wscript.exe
File opened for modification	C:\Program Files\Halloware\backup\sethc.bak	cmd.exe
File created	C:\Program Files\Halloware\backup\rundll32.bak	cmd.exe
File created	C:\Program Files\Halloware\bin\pumpcur.cur	wscript.exe
File created	C:\Program Files\Halloware\iQShell.vbs	wscript.exe
File created	C:\Program Files\Halloware\backup\csrss.bak	cmd.exe
File opened for modification	C:\Program Files\Halloware\backup\explorer.bak	cmd.exe
File created	C:\Program Files\Halloware\backup\taskmgr.bak	cmd.exe
File opened for modification	C:\Program Files\Halloware\bin\@tile@@.jpg	wscript.exe

Drops file in Windows directory 2 IoCs

Processes:

cmd.exe

description ioc process

File created C:\Windows\explorer.exe cmd.exe
File created C:\Windows\notepad.exe cmd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Enumerates processes with tasklist 1 TTPs 4 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exetasklist.exetasklist.exe

pid process

2516 tasklist.exe
2624 tasklist.exe
4784 tasklist.exe
4436 tasklist.exe

description	ioc	process
File created	C:\Windows\explorer.exe	cmd.exe
File created	C:\Windows\notepad.exe	cmd.exe

pid	process
2516	tasklist.exe
2624	tasklist.exe
4784	tasklist.exe
4436	tasklist.exe

Modifies Control Panel 4 IoCs

evasion

Processes:

wscript.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Control Panel\Cursors	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Control Panel\Cursors\Arrow = "C:\\Program Files\\Halloware\\bin\\pumpcur.cur"	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Control Panel\Cursors\AppStarting = "C:\\Program Files\\Halloware\\bin\\pumpcur.cur"	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Control Panel\Cursors\Hand = "C:\\Program Files\\Halloware\\bin\\pumpcur.cur"	wscript.exe

Modifies data under HKEY_USERS 59 IoCs

Processes:

wscript.exewscript.exewscript.exeLogonUI.exekosuyorum.exeHware.exeLogonUI.exeLogonUI.exewscript.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	wscript.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	wscript.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host\Settings	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	wscript.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	kosuyorum.exe
Key created	\REGISTRY\USER\.DEFAULT\System\CurrentControlSet\Control\MediaProperties\PrivateProperties	Hware.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	wscript.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\System\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick\Winmm	Hware.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host\Settings	wscript.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	wscript.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	kosuyorum.exe
Key created	\REGISTRY\USER\.DEFAULT\System\CurrentControlSet\Control\MediaProperties	Hware.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	wscript.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\System\CurrentControlSet\Control	Hware.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	wscript.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	wscript.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	kosuyorum.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	wscript.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	wscript.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	kosuyorum.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\System\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick	Hware.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	wscript.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	wscript.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\System	Hware.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	wscript.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host\Settings	wscript.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	wscript.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host	wscript.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	kosuyorum.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\System\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick\Winmm\wheel = "1"	Hware.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\System\CurrentControlSet	Hware.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host\Settings	wscript.exe

Modifies registry class 12 IoCs

Processes:

wscript.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon\ = "C:\\Program Files\\Halloware\\bin\\pump.ico"	wscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mp4file\DefaultIcon	wscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inifile\DefaultIcon	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inifile\DefaultIcon\ = "C:\\Program Files\\Halloware\\bin\\pump.ico"	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\DefaultIcon\ = "C:\\Program Files\\Halloware\\bin\\pump.ico"	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mp3file\DefaultIcon\ = "C:\\Program Files\\Halloware\\bin\\pump.ico"	wscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mp4file	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mp4file\DefaultIcon\ = "C:\\Program Files\\Halloware\\bin\\pump.ico"	wscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\DefaultIcon	wscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mp3file\DefaultIcon	wscript.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

Processes:

takeown.exetasklist.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exeshutdown.exetasklist.exeAUDIODG.EXEtasklist.exetasklist.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	4428	takeown.exe
Token: SeDebugPrivilege	4436	tasklist.exe
Token: SeTakeOwnershipPrivilege	5012	takeown.exe
Token: SeTakeOwnershipPrivilege	4776	takeown.exe
Token: SeTakeOwnershipPrivilege	3372	takeown.exe
Token: SeTakeOwnershipPrivilege	5024	takeown.exe
Token: SeTakeOwnershipPrivilege	4980	takeown.exe
Token: SeTakeOwnershipPrivilege	4900	takeown.exe
Token: SeTakeOwnershipPrivilege	4964	takeown.exe
Token: SeTakeOwnershipPrivilege	5116	takeown.exe
Token: SeTakeOwnershipPrivilege	656	takeown.exe
Token: SeShutdownPrivilege	1200	shutdown.exe
Token: SeRemoteShutdownPrivilege	1200	shutdown.exe
Token: SeDebugPrivilege	2516	tasklist.exe
Token: 33	4144	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4144	AUDIODG.EXE
Token: SeDebugPrivilege	2624	tasklist.exe
Token: SeDebugPrivilege	4784	tasklist.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Halloware (BerkayV).exewscript.execmd.exewscript.execmd.execmd.exeLogonUI.exewscript.execmd.exe

description	pid	process	target process
PID 4892 wrote to memory of 2424	4892	Halloware (BerkayV).exe	wscript.exe
PID 4892 wrote to memory of 2424	4892	Halloware (BerkayV).exe	wscript.exe
PID 2424 wrote to memory of 3756	2424	wscript.exe	cmd.exe
PID 2424 wrote to memory of 3756	2424	wscript.exe	cmd.exe
PID 3756 wrote to memory of 2248	3756	cmd.exe	wscript.exe
PID 3756 wrote to memory of 2248	3756	cmd.exe	wscript.exe
PID 2424 wrote to memory of 4168	2424	wscript.exe	wscript.exe
PID 2424 wrote to memory of 4168	2424	wscript.exe	wscript.exe
PID 4168 wrote to memory of 1636	4168	wscript.exe	cmd.exe
PID 4168 wrote to memory of 1636	4168	wscript.exe	cmd.exe
PID 4168 wrote to memory of 1784	4168	wscript.exe	cmd.exe
PID 4168 wrote to memory of 1784	4168	wscript.exe	cmd.exe
PID 1636 wrote to memory of 4428	1636	cmd.exe	takeown.exe
PID 1636 wrote to memory of 4428	1636	cmd.exe	takeown.exe
PID 1784 wrote to memory of 4436	1784	cmd.exe	tasklist.exe
PID 1784 wrote to memory of 4436	1784	cmd.exe	tasklist.exe
PID 1636 wrote to memory of 4956	1636	cmd.exe	icacls.exe
PID 1636 wrote to memory of 4956	1636	cmd.exe	icacls.exe
PID 1636 wrote to memory of 5012	1636	cmd.exe	takeown.exe
PID 1636 wrote to memory of 5012	1636	cmd.exe	takeown.exe
PID 1636 wrote to memory of 4748	1636	cmd.exe	icacls.exe
PID 1636 wrote to memory of 4748	1636	cmd.exe	icacls.exe
PID 1636 wrote to memory of 4776	1636	cmd.exe	takeown.exe
PID 1636 wrote to memory of 4776	1636	cmd.exe	takeown.exe
PID 1636 wrote to memory of 3388	1636	cmd.exe	icacls.exe
PID 1636 wrote to memory of 3388	1636	cmd.exe	icacls.exe
PID 1636 wrote to memory of 3372	1636	cmd.exe	takeown.exe
PID 1636 wrote to memory of 3372	1636	cmd.exe	takeown.exe
PID 1636 wrote to memory of 4768	1636	cmd.exe	icacls.exe
PID 1636 wrote to memory of 4768	1636	cmd.exe	icacls.exe
PID 1636 wrote to memory of 5024	1636	cmd.exe	takeown.exe
PID 1636 wrote to memory of 5024	1636	cmd.exe	takeown.exe
PID 1636 wrote to memory of 5004	1636	cmd.exe	icacls.exe
PID 1636 wrote to memory of 5004	1636	cmd.exe	icacls.exe
PID 1636 wrote to memory of 4980	1636	cmd.exe	takeown.exe
PID 1636 wrote to memory of 4980	1636	cmd.exe	takeown.exe
PID 1636 wrote to memory of 5020	1636	cmd.exe	icacls.exe
PID 1636 wrote to memory of 5020	1636	cmd.exe	icacls.exe
PID 1636 wrote to memory of 4900	1636	cmd.exe	takeown.exe
PID 1636 wrote to memory of 4900	1636	cmd.exe	takeown.exe
PID 1636 wrote to memory of 4936	1636	cmd.exe	icacls.exe
PID 1636 wrote to memory of 4936	1636	cmd.exe	icacls.exe
PID 1636 wrote to memory of 4964	1636	cmd.exe	takeown.exe
PID 1636 wrote to memory of 4964	1636	cmd.exe	takeown.exe
PID 1636 wrote to memory of 4928	1636	cmd.exe	icacls.exe
PID 1636 wrote to memory of 4928	1636	cmd.exe	icacls.exe
PID 1636 wrote to memory of 5116	1636	cmd.exe	takeown.exe
PID 1636 wrote to memory of 5116	1636	cmd.exe	takeown.exe
PID 1636 wrote to memory of 660	1636	cmd.exe	icacls.exe
PID 1636 wrote to memory of 660	1636	cmd.exe	icacls.exe
PID 1636 wrote to memory of 656	1636	cmd.exe	takeown.exe
PID 1636 wrote to memory of 656	1636	cmd.exe	takeown.exe
PID 1636 wrote to memory of 4052	1636	cmd.exe	icacls.exe
PID 1636 wrote to memory of 4052	1636	cmd.exe	icacls.exe
PID 4168 wrote to memory of 1200	4168	wscript.exe	shutdown.exe
PID 4168 wrote to memory of 1200	4168	wscript.exe	shutdown.exe
PID 920 wrote to memory of 2032	920	LogonUI.exe	wscript.exe
PID 920 wrote to memory of 2032	920	LogonUI.exe	wscript.exe
PID 2032 wrote to memory of 1484	2032	wscript.exe	cmd.exe
PID 2032 wrote to memory of 1484	2032	wscript.exe	cmd.exe
PID 1484 wrote to memory of 2516	1484	cmd.exe	tasklist.exe
PID 1484 wrote to memory of 2516	1484	cmd.exe	tasklist.exe
PID 2032 wrote to memory of 208	2032	wscript.exe	cmd.exe
PID 2032 wrote to memory of 208	2032	wscript.exe	cmd.exe

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

Processes:

wscript.exewscript.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wscript.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wscript.exe

C:\Users\Admin\AppData\Local\Temp\trojan-leaks-main\Halloware (BerkayV).exe
"C:\Users\Admin\AppData\Local\Temp\trojan-leaks-main\Halloware (BerkayV).exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4892

C:\Windows\System32\wscript.exe
"C:\Windows\sysnative\wscript.exe" C:\Users\Admin\AppData\Local\Temp\2635.tmp\2636.vbs
2⤵
- UAC bypass
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2424

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c echo msgbox"Please wait while halloware infecting your computer",1+48,"Alert" > "C:\Users\Admin\AppData\Local\Temp\waitdude.vbs" & wscript.exe "C:\Users\Admin\AppData\Local\Temp\waitdude.vbs"
3⤵
- Suspicious use of WriteProcessMemory
PID:3756

C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\waitdude.vbs"
4⤵
PID:2248

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" "C:\Program files\halloware\takeact.vbs" RunAsAdministrator
3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Disables RegEdit via registry modification
- Modifies system executable filetype association
- Modifies Control Panel
- Modifies registry class
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4168

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Program Files\Halloware\takeown.bat"
4⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1636

C:\Windows\System32\takeown.exe
takeown /f sethc.exe
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4428

C:\Windows\System32\icacls.exe
icacls sethc.exe /granted "Admin":F /q
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4956

C:\Windows\System32\takeown.exe
takeown /f csrss.exe
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:5012

C:\Windows\System32\icacls.exe
icacls csrss.exe /granted "Admin":F /q
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4748

C:\Windows\System32\takeown.exe
takeown /f winload.exe
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4776

C:\Windows\System32\icacls.exe
icacls winload.exe /granted "Admin":F /q
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3388

C:\Windows\System32\takeown.exe
takeown /f logonUI.exe
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3372

C:\Windows\System32\icacls.exe
icacls logonUI.exe /granted "Admin":F /q
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4768

C:\Windows\System32\takeown.exe
takeown /f bcdedit.exe
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:5024

C:\Windows\System32\icacls.exe
icacls bcdedit.exe /granted "Admin":F /q
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:5004

C:\Windows\system32\takeown.exe
takeown /f explorer.exe
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4980

C:\Windows\system32\icacls.exe
icacls explorer.exe /granted "Admin":F /q
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:5020

C:\Windows\system32\takeown.exe
takeown /f notepad.exe
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4900

C:\Windows\system32\icacls.exe
icacls sethc.exe /granted "Admin":F /q
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4936

C:\Windows\system32\takeown.exe
takeown /f regedit.exe
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4964

C:\Windows\system32\icacls.exe
icacls regedit.exe /granted "Admin":F /q
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4928

C:\Windows\System32\takeown.exe
takeown /f taskmgr.exe
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:5116

C:\Windows\System32\icacls.exe
icacls taskmgr.exe /granted "Admin":F /q
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:660

C:\Windows\System32\takeown.exe
takeown /f rundll32.exe
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:656

C:\Windows\System32\icacls.exe
icacls rundll32.exe /granted "Admin":F /q
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files\halloware\findit.bat" "
4⤵
- Suspicious use of WriteProcessMemory
PID:1784

C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq kosuyorum.exe"
5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:4436

C:\Windows\System32\shutdown.exe
"C:\Windows\System32\shutdown.exe" -r -t 00
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1200

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3ad7055 /state1:0x41c64e6d
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:920

C:\Windows\System32\wscript.exe
"C:\Windows\sysnative\wscript.exe" C:\Windows\Temp\6784.tmp\6785.vbs /flags:0x0 /state0:0xa3ad7055 /state1:0x41c64e6d
2⤵
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:2032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files\halloware\findit.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:1484

C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq kosuyorum.exe"
4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:2516

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c cd\ & cd "Program Files"& cd Halloware & Kosuyorum.exe
3⤵
PID:208

C:\Program Files\Halloware\kosuyorum.exe
Kosuyorum.exe
4⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:4792

C:\Windows\System32\wscript.exe
"C:\Windows\sysnative\wscript.exe" C:\Windows\Temp\71F4.tmp\71F5.vbs
5⤵
- Modifies data under HKEY_USERS
PID:2144

C:\Program Files\halloware\Hware.exe
"C:\Program Files\halloware\Hware.exe"
6⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1076

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x200
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4144

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3ae9855 /state1:0x41c64e6d
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1560

C:\Windows\System32\wscript.exe
"C:\Windows\sysnative\wscript.exe" C:\Windows\Temp\5138.tmp\5139.vbs /flags:0x0 /state0:0xa3ae9855 /state1:0x41c64e6d
2⤵
- Modifies data under HKEY_USERS
PID:356

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files\halloware\findit.bat" "
3⤵
PID:2904

C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq kosuyorum.exe"
4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:2624

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3af8055 /state1:0x41c64e6d
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:4684

C:\Windows\System32\wscript.exe
"C:\Windows\sysnative\wscript.exe" C:\Windows\Temp\3BA8.tmp\3BA9.vbs /flags:0x0 /state0:0xa3af8055 /state1:0x41c64e6d
2⤵
- Modifies data under HKEY_USERS
PID:2596

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files\halloware\findit.bat" "
3⤵
PID:4336

C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq kosuyorum.exe"
4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:4784

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Change Default File Association

T1042

Winlogon Helper DLL

T1004

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

Process Discovery

T1057

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Halloware\Hware.exe
Filesize
7.5MB

MD5
5b457c190f21d6dace76b0495f4aa07c

SHA1
289ec2d9541eb6734d187556955f1386196508e2

SHA256
a516f678551bdd89e8543483700c329dd5b1f661dea8fdbb6421a57824906c4e

SHA512
a9b315835b68ac4ffe3a4e5eb720d8cacae62fb01377b0d47b86b7b10b526e03fbecbe41140140c305a99e6c00020b6bf1562b09495ae4ba7133616351e78527

Download Submit
C:\Program Files\Halloware\inyer.wav
Filesize
7.5MB

MD5
c1c8536e675d25027c962abe0d3faf43

SHA1
13e6375da0162b19db7f8ad74640ce80b8aa73c4

SHA256
f143806d771cc73065dfe593d23c46fb0d0946c88c0934d6624f79fcc246e4b3

SHA512
c0c6769fa1adccbe616fe24241a93f283aca18acfe7da09ab776b8cd106bbf88811929b8080b85529f3015e70ee54d87c0ff70a636b4494858d9e9504cac6768

Download Submit
C:\Program Files\Halloware\kosuyorum.exe
Filesize
58KB

MD5
7eba5d99235b23ca60597c8aa970f47f

SHA1
7d0c86680e2c32e709baa4907e9e4eeba51bedad

SHA256
5d8d77501ee9745ede78a2a93d035275b2feffc1f96d2c312ac71cadaa2cf5fb

SHA512
80301c3de8ec2f1ab2e56df73010d5eae73b2fcd0fd31a7b288f282a33807a56073412f9d85b1e5d21635fa9d51fce7615158bf52ae9dea60f14a9ff3fbeae87

Download Submit
C:\Program Files\Halloware\kosuyorum.exe
Filesize
58KB

MD5
7eba5d99235b23ca60597c8aa970f47f

SHA1
7d0c86680e2c32e709baa4907e9e4eeba51bedad

SHA256
5d8d77501ee9745ede78a2a93d035275b2feffc1f96d2c312ac71cadaa2cf5fb

SHA512
80301c3de8ec2f1ab2e56df73010d5eae73b2fcd0fd31a7b288f282a33807a56073412f9d85b1e5d21635fa9d51fce7615158bf52ae9dea60f14a9ff3fbeae87

Download Submit
C:\Program Files\Halloware\takeown.bat
Filesize
1KB

MD5
d477e71d1d7080cf90aba3100b9c761a

SHA1
7642aa8aeabd847519cfd20ae7d7f2d8edb83914

SHA256
3482c840695951907b291f979a6f8e98246a3b4ec119c9947d2a9e9676067710

SHA512
cc47c86a904bd2462f1a396ede5f1ea5b0c3eb6f5e6c6e6d966975612249958d9814910450aeff7c6d056bcf9893315a989dbd99b34111db7078592ef325563d

Download Submit
C:\Program Files\halloware\Hware.exe
Filesize
7.5MB

MD5
5b457c190f21d6dace76b0495f4aa07c

SHA1
289ec2d9541eb6734d187556955f1386196508e2

SHA256
a516f678551bdd89e8543483700c329dd5b1f661dea8fdbb6421a57824906c4e

SHA512
a9b315835b68ac4ffe3a4e5eb720d8cacae62fb01377b0d47b86b7b10b526e03fbecbe41140140c305a99e6c00020b6bf1562b09495ae4ba7133616351e78527

Download Submit
C:\Program Files\halloware\data\fakelogon.exe
Filesize
58KB

MD5
8f9b8205dba67cf950f20e3a0efbcc3a

SHA1
b50651abd1bcc78c374847caa36a44110d87d5cd

SHA256
43ce074b438577b487f6a7e31a877477d1d294e5c1b9c979b30a23fb12c13fa5

SHA512
4dc26fb94004d3dafeb95126ce07fd51e095b6327375448a70fe3aa9e5ca36d8424ffa572810cf2399afa3c0bc4fccdbb46f51c5fb783729d6fd2faa3044a505

Download Submit
C:\Program Files\halloware\findit.bat
Filesize
85B

MD5
54de83a183d4520fad36ad02d9747e63

SHA1
15caddac8a52ae3632510292e6eb6bf9a728ae45

SHA256
165141a4cd207304eb0d0e49cb33364ca74acf521a2f0a002bc60f14fe19378e

SHA512
fa5a20b2ec169f4573a859e1cef294330fe0ce700f043de634b2d6f8832ac67a17185dc48ce433b5b9ba43eb2d703f9b0a3ac37014cbc55e467125674d09707e

Download Submit
C:\Program files\halloware\takeact.vbs
Filesize
2KB

MD5
cfad575eb56b1059f428ed81fc4194d5

SHA1
ff91f34a63f7fa01090643191b39d5742ef8ffe0

SHA256
43f18ae77ca9e61dc76be9ea5aabf81776372a3e26ae03a33af5eecfd8db4e70

SHA512
c9832b50f3545419368ec5c655c9451037cdc3a78546c2306698c27f735bd25dedcbb9579ae482cca41583e58ce990ea10a55c9b12332bccd4694dc3f2f2835f

Download Submit
C:\Users\Admin\AppData\Local\Temp\2635.tmp\2636.vbs
Filesize
1KB

MD5
889a8f5bb195b72c33c48448fd516a1c

SHA1
744b4c40d2527a98e589cc8a04735cfdb92f5079

SHA256
45ebca60ff5d7e0cb71bc0e310b34fd4aeee5de0c7aba895d979742bcfa0559a

SHA512
3251f61b5a4c9daaae9c9725aaea8d6b7cdfaa4523711f742046f7c78473d9b554932e38a4e3eaa4f4c4bcf87ff562ea2599c7ec4781e67e8f2c499b0cafe367

Download Submit
C:\Users\Admin\AppData\Local\Temp\2635.tmp\fileler\Hware.exe
Filesize
7.5MB

MD5
5b457c190f21d6dace76b0495f4aa07c

SHA1
289ec2d9541eb6734d187556955f1386196508e2

SHA256
a516f678551bdd89e8543483700c329dd5b1f661dea8fdbb6421a57824906c4e

SHA512
a9b315835b68ac4ffe3a4e5eb720d8cacae62fb01377b0d47b86b7b10b526e03fbecbe41140140c305a99e6c00020b6bf1562b09495ae4ba7133616351e78527

Download Submit
C:\Users\Admin\AppData\Local\Temp\2635.tmp\fileler\bin\@tile@@.jpg
Filesize
17KB

MD5
bfd5ee0327c8d108bd8e2d851a9ed06a

SHA1
55221d5e1d383cdff5bf0d7694d57bcde09d2faf

SHA256
25f194995cf4073a0c2e6625c3ad0514848cc5e4224f5c726e5d73bc81b694d1

SHA512
1c456da1da57c0711a2277ffd02e7136d2c1b3d16a3d36dfc66ac67e3f4e9c1d3ca7b536e057da7cd4c37a59c0ded2ea9d5d2ac6cf729d1ccd50d91017ede219

Download Submit
C:\Users\Admin\AppData\Local\Temp\2635.tmp\fileler\bin\pump.ico
Filesize
178KB

MD5
5df1f3790dd3b9df63f12a6f13277338

SHA1
7de32dc31c5360aea9024cd02bd4643e11fe2119

SHA256
c1d88f290da08027adc76649f54db6b352b76149dc2b3d9cddb7cf50d8af0cff

SHA512
fe858c60c3312a40a88cb5aa9a8ee9483d38973cecb356f55ab6dfa422eed25820dbe75bb40301849c9931e0ab8571af5b8102c082b518116343e50ff40c3d27

Download Submit
C:\Users\Admin\AppData\Local\Temp\2635.tmp\fileler\bin\pumpcur.cur
Filesize
4KB

MD5
d7197b2f55db9bd83c859a5e8b46a0d7

SHA1
598af4d8bcc14c411c48454dfb0caa2e79c1728d

SHA256
6cee1cb2cf41b5c0fd969ed062b9d4e2c1f7c921cd886d1df1b0725a301074f0

SHA512
7f55208ee395bf6d063ab0af26b0a8e64e3d4fcacf4958db8577183c7588e7be51b6a7144e28f067d8bab7fca34e1100b0e37750bb8b16b5c02492f4d315a366

Download Submit
C:\Users\Admin\AppData\Local\Temp\2635.tmp\fileler\data\fakelogon.exe
Filesize
58KB

MD5
8f9b8205dba67cf950f20e3a0efbcc3a

SHA1
b50651abd1bcc78c374847caa36a44110d87d5cd

SHA256
43ce074b438577b487f6a7e31a877477d1d294e5c1b9c979b30a23fb12c13fa5

SHA512
4dc26fb94004d3dafeb95126ce07fd51e095b6327375448a70fe3aa9e5ca36d8424ffa572810cf2399afa3c0bc4fccdbb46f51c5fb783729d6fd2faa3044a505

Download Submit
C:\Users\Admin\AppData\Local\Temp\2635.tmp\fileler\delc.bat
Filesize
258B

MD5
40e381411edd280ece4372ff39f721c5

SHA1
6d90aada218e0cdeadf0fa4c83f90dbcfe2258cd

SHA256
1e6eeb8f777e1ecf1fa728e64134f979f9451ada735dc03d42c6fdf55de987bc

SHA512
195b9df9fd49af3b9aa355589219cfa2161c363d979f3b4a6ea9c20e3849f48dbee731f7cde76ca5c4c910f25f89499b4363740897b708acc09b9871b8494d3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\2635.tmp\fileler\fakelogon.vbs
Filesize
572B

MD5
2ee899c0289cb575bf4852ac5d164f9d

SHA1
33e1e4c5a6facd78736998c6673ca6ec88e62fe7

SHA256
164c41744381d3ded7d2e95e76313763be9acfc21ea082f7126c149b1c287fe2

SHA512
1edfa4b05cb738a3521918b23c5bd2e621e31ec5d19886d30675c14f9c6f5742ebf6572c14d33726ec1a9d468f324195fd33d3dce2ae1be1185712dab2f20baf

Download Submit
C:\Users\Admin\AppData\Local\Temp\2635.tmp\fileler\findit.bat
Filesize
85B

MD5
54de83a183d4520fad36ad02d9747e63

SHA1
15caddac8a52ae3632510292e6eb6bf9a728ae45

SHA256
165141a4cd207304eb0d0e49cb33364ca74acf521a2f0a002bc60f14fe19378e

SHA512
fa5a20b2ec169f4573a859e1cef294330fe0ce700f043de634b2d6f8832ac67a17185dc48ce433b5b9ba43eb2d703f9b0a3ac37014cbc55e467125674d09707e

Download Submit
C:\Users\Admin\AppData\Local\Temp\2635.tmp\fileler\iQShell.vbs
Filesize
1KB

MD5
889a8f5bb195b72c33c48448fd516a1c

SHA1
744b4c40d2527a98e589cc8a04735cfdb92f5079

SHA256
45ebca60ff5d7e0cb71bc0e310b34fd4aeee5de0c7aba895d979742bcfa0559a

SHA512
3251f61b5a4c9daaae9c9725aaea8d6b7cdfaa4523711f742046f7c78473d9b554932e38a4e3eaa4f4c4bcf87ff562ea2599c7ec4781e67e8f2c499b0cafe367

Download Submit
C:\Users\Admin\AppData\Local\Temp\2635.tmp\fileler\intf.wav
Filesize
7.5MB

MD5
5794a32dfeb072f764ab82fffa4d309d

SHA1
36d2dbdddd3b5ebc7d7bbd04d5fe3c46e4be39d0

SHA256
1eeee51a2b501f8b2f77d4f75fb415b7d0b99355fd80e8b4740a4e768996e400

SHA512
c2a2602257b86af9729a64c362b8e8711867e6cf2c0bb02d44711ccdac1514d4d80baefc7f16e595390bfe04d66a2aada88dab2d5442e390633123db6e4104f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\2635.tmp\fileler\inyer.wav
Filesize
7.5MB

MD5
c1c8536e675d25027c962abe0d3faf43

SHA1
13e6375da0162b19db7f8ad74640ce80b8aa73c4

SHA256
f143806d771cc73065dfe593d23c46fb0d0946c88c0934d6624f79fcc246e4b3

SHA512
c0c6769fa1adccbe616fe24241a93f283aca18acfe7da09ab776b8cd106bbf88811929b8080b85529f3015e70ee54d87c0ff70a636b4494858d9e9504cac6768

Download Submit
C:\Users\Admin\AppData\Local\Temp\2635.tmp\fileler\kosuyorum.exe
Filesize
58KB

MD5
7eba5d99235b23ca60597c8aa970f47f

SHA1
7d0c86680e2c32e709baa4907e9e4eeba51bedad

SHA256
5d8d77501ee9745ede78a2a93d035275b2feffc1f96d2c312ac71cadaa2cf5fb

SHA512
80301c3de8ec2f1ab2e56df73010d5eae73b2fcd0fd31a7b288f282a33807a56073412f9d85b1e5d21635fa9d51fce7615158bf52ae9dea60f14a9ff3fbeae87

Download Submit
C:\Users\Admin\AppData\Local\Temp\2635.tmp\fileler\permaban.vbs
Filesize
357B

MD5
b343125051c1c6e3089b4820446bafab

SHA1
ee1d90b463d9f911d032a520df6b5066aca7fa50

SHA256
a78161a3b89248d65ae00630eb33d3c934b6c7c3086f373fdd52d58756b20a8a

SHA512
ecc6f407892dfa438eab22a67c004760599b8b5fea747ac5c7274180424d2ea95e1e13b10dd8026d641537ef666b74ca5251428eb567cd55241d6334ae64d881

Download Submit
C:\Users\Admin\AppData\Local\Temp\2635.tmp\fileler\screwup.vbs
Filesize
61B

MD5
6a51becc27363870d2e17a43a9bb4bf0

SHA1
201a12e580cfa5bfac8cbc0c6936fd9cd60a349a

SHA256
778cb71c42d697f365084ba1c0f499324bfdcdd67054644d8ff336af9c3e7f80

SHA512
ca843d2b3072a7c3b939207c60069e5f4a0fd7a17d7bfb513b9739d9d25fd24148f17540867037e5793aab067dbbcf760df22d865fc5e511d7617f1f56c4efc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\2635.tmp\fileler\takeact.vbs
Filesize
2KB

MD5
cfad575eb56b1059f428ed81fc4194d5

SHA1
ff91f34a63f7fa01090643191b39d5742ef8ffe0

SHA256
43f18ae77ca9e61dc76be9ea5aabf81776372a3e26ae03a33af5eecfd8db4e70

SHA512
c9832b50f3545419368ec5c655c9451037cdc3a78546c2306698c27f735bd25dedcbb9579ae482cca41583e58ce990ea10a55c9b12332bccd4694dc3f2f2835f

Download Submit
C:\Users\Admin\AppData\Local\Temp\2635.tmp\fileler\takeown.bat
Filesize
1KB

MD5
d477e71d1d7080cf90aba3100b9c761a

SHA1
7642aa8aeabd847519cfd20ae7d7f2d8edb83914

SHA256
3482c840695951907b291f979a6f8e98246a3b4ec119c9947d2a9e9676067710

SHA512
cc47c86a904bd2462f1a396ede5f1ea5b0c3eb6f5e6c6e6d966975612249958d9814910450aeff7c6d056bcf9893315a989dbd99b34111db7078592ef325563d

Download Submit
C:\Users\Admin\AppData\Local\Temp\2635.tmp\fileler\template.vbs
Filesize
402B

MD5
1c04a184e8ba8025bb98cd1734a93b68

SHA1
55f09dde9ae0cebdbe23893c6dbc42549a23a912

SHA256
98ddf649d3cafb5130069be87e569082d9dc780ce11f0dc0208348acff0baa55

SHA512
60bbfe5cab8e10589a6e24a46d86138f5161579b207b9b8349a8680a84996d94430ef65afdc1bfa124b8b8c93ae68b932a3dfc6a45a418a89453d784670fd296

Download Submit
C:\Users\Admin\AppData\Local\Temp\waitdude.vbs
Filesize
76B

MD5
f1fbb313731d2b699a48c588486e7f0d

SHA1
d70c472a451b074ebd1cf55a42bc8843fa9cfd2f

SHA256
c1430e747ddc860d216c77a7445dbc8cf5fc4bee4bca47521333148dd93a3e6a

SHA512
12d10b8ac14327b2874dd68b9b0b3d29add7fc96cd371e7ab74e25cb69b42b7a79a16b4ac489cb51214014035baf6ba0c48ec1a123b265c57b57d25939e6bf2e

Download Submit
C:\Windows\System32\LogonUI.exe
Filesize
58KB

MD5
8f9b8205dba67cf950f20e3a0efbcc3a

SHA1
b50651abd1bcc78c374847caa36a44110d87d5cd

SHA256
43ce074b438577b487f6a7e31a877477d1d294e5c1b9c979b30a23fb12c13fa5

SHA512
4dc26fb94004d3dafeb95126ce07fd51e095b6327375448a70fe3aa9e5ca36d8424ffa572810cf2399afa3c0bc4fccdbb46f51c5fb783729d6fd2faa3044a505

Download Submit
C:\Windows\System32\LogonUI.exe
Filesize
58KB

MD5
8f9b8205dba67cf950f20e3a0efbcc3a

SHA1
b50651abd1bcc78c374847caa36a44110d87d5cd

SHA256
43ce074b438577b487f6a7e31a877477d1d294e5c1b9c979b30a23fb12c13fa5

SHA512
4dc26fb94004d3dafeb95126ce07fd51e095b6327375448a70fe3aa9e5ca36d8424ffa572810cf2399afa3c0bc4fccdbb46f51c5fb783729d6fd2faa3044a505

Download Submit
C:\Windows\System32\LogonUI.exe
Filesize
58KB

MD5
8f9b8205dba67cf950f20e3a0efbcc3a

SHA1
b50651abd1bcc78c374847caa36a44110d87d5cd

SHA256
43ce074b438577b487f6a7e31a877477d1d294e5c1b9c979b30a23fb12c13fa5

SHA512
4dc26fb94004d3dafeb95126ce07fd51e095b6327375448a70fe3aa9e5ca36d8424ffa572810cf2399afa3c0bc4fccdbb46f51c5fb783729d6fd2faa3044a505

Download Submit
C:\Windows\System32\LogonUI.exe
Filesize
58KB

MD5
8f9b8205dba67cf950f20e3a0efbcc3a

SHA1
b50651abd1bcc78c374847caa36a44110d87d5cd

SHA256
43ce074b438577b487f6a7e31a877477d1d294e5c1b9c979b30a23fb12c13fa5

SHA512
4dc26fb94004d3dafeb95126ce07fd51e095b6327375448a70fe3aa9e5ca36d8424ffa572810cf2399afa3c0bc4fccdbb46f51c5fb783729d6fd2faa3044a505

Download Submit
C:\Windows\Temp\3BA8.tmp\3BA9.vbs
Filesize
572B

MD5
2ee899c0289cb575bf4852ac5d164f9d

SHA1
33e1e4c5a6facd78736998c6673ca6ec88e62fe7

SHA256
164c41744381d3ded7d2e95e76313763be9acfc21ea082f7126c149b1c287fe2

SHA512
1edfa4b05cb738a3521918b23c5bd2e621e31ec5d19886d30675c14f9c6f5742ebf6572c14d33726ec1a9d468f324195fd33d3dce2ae1be1185712dab2f20baf

Download Submit
C:\Windows\Temp\5138.tmp\5139.vbs
Filesize
572B

MD5
2ee899c0289cb575bf4852ac5d164f9d

SHA1
33e1e4c5a6facd78736998c6673ca6ec88e62fe7

SHA256
164c41744381d3ded7d2e95e76313763be9acfc21ea082f7126c149b1c287fe2

SHA512
1edfa4b05cb738a3521918b23c5bd2e621e31ec5d19886d30675c14f9c6f5742ebf6572c14d33726ec1a9d468f324195fd33d3dce2ae1be1185712dab2f20baf

Download Submit
C:\Windows\Temp\5138.tmp\5139.vbs
Filesize
572B

MD5
2ee899c0289cb575bf4852ac5d164f9d

SHA1
33e1e4c5a6facd78736998c6673ca6ec88e62fe7

SHA256
164c41744381d3ded7d2e95e76313763be9acfc21ea082f7126c149b1c287fe2

SHA512
1edfa4b05cb738a3521918b23c5bd2e621e31ec5d19886d30675c14f9c6f5742ebf6572c14d33726ec1a9d468f324195fd33d3dce2ae1be1185712dab2f20baf

Download Submit
C:\Windows\Temp\6784.tmp\6785.vbs
Filesize
572B

MD5
2ee899c0289cb575bf4852ac5d164f9d

SHA1
33e1e4c5a6facd78736998c6673ca6ec88e62fe7

SHA256
164c41744381d3ded7d2e95e76313763be9acfc21ea082f7126c149b1c287fe2

SHA512
1edfa4b05cb738a3521918b23c5bd2e621e31ec5d19886d30675c14f9c6f5742ebf6572c14d33726ec1a9d468f324195fd33d3dce2ae1be1185712dab2f20baf

Download Submit
C:\Windows\Temp\71F4.tmp\71F5.vbs
Filesize
117B

MD5
43ce46af5d7f1ffe2c3914ad9c654fa3

SHA1
a98dce4efa618334d57a808d766f821d83d2a75d

SHA256
0f3f6a34bbfe0bf01ef189a50402f560d212a3e74a8867a8a76b70b4f6a25f61

SHA512
d1c59cf92412684bae18b497a5c9dd823073210150e0a18e69649910bc9f9c192298e242e89c04ccd88550e2f0b21881fbc13879d5c07a0e727c13e8d7186942

Download Submit
C:\logfilex7\msc.ddd
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\logfilex7\msc.ddd
Filesize
64B

MD5
dea052a2ad11945b1960577c0192f2eb

SHA1
1d02626a05a546a90c05902b2551f32c20eb3708

SHA256
943b315e065238b7073b033f534ef954b6b6461fb3f03a3f5b8555b11bc4c0a2

SHA512
5496b10e2a77aee11055d71bdaaed835df1770e85fa4d0f9433330470bbcf76c932c04778a0b47f4193eee14813db2e2b19ecc50b4a6a193faa19b4019705917

Download Submit
C:\logfilex7\msc.ddd
Filesize
236B

MD5
d8d746006a960bfbb0c5bfdf487243a8

SHA1
59348f25e4af5b09d5637f833bd9357b3721d3ee

SHA256
6c23c0de3a9f8d1dd15fd4b218415c2ae0c74d18653ee89f4e092a993397239d

SHA512
f8658279be580dae8b639fa558d4203fdd7d7368e35485389e54e81f1720c209edeeb94b6afb25607a15f6b1df372c7c4161ea63fff2224ec034485ee24c4b4a

Download Submit
C:\logfilex7\msc.ddd
Filesize
236B

MD5
a0f72d8df012ee0d81b29688765f5b16

SHA1
e0fbbe0e5206c2edd9fe7b7d7a7a61ba8ce911de

SHA256
91b5993fcde1444708277508b78d051f3b93055e3f101d9d14d26a3dbd0a5b6f

SHA512
fe2a381fd93fe4480310fc0900f4845837fa3d03e3fb7e804806c934dc5cb2c126a6c9abde56197429ea1a37513f6979f29b70f0a615f1abef99f8e45fbd443d

Download Submit
memory/1076-230-0x0000000000A30000-0x00000000011B4000-memory.dmp

Filesize
7.5MB

Download
memory/1076-234-0x0000000004750000-0x000000000475A000-memory.dmp

Filesize
40KB

Download
memory/1076-233-0x00000000049F0000-0x0000000004A00000-memory.dmp

Filesize
64KB

Download
memory/1076-232-0x0000000004790000-0x0000000004822000-memory.dmp

Filesize
584KB

Download
memory/1076-231-0x0000000004C90000-0x000000000518E000-memory.dmp

Filesize
5.0MB

Download