Date | Operation | Detail | Rating |
2019-3-24 08:36:56 | This file spawned process(es) | FilePath: %SYSTEMROOT%\System32\shutdown.exe; Company: Microsoft Corporation; TargetPid: 3656; CmdLine: "C:\Windows\System32\shutdown.exe" -r -t 00; Version: 6.1.7600.16385 (win7_rtm.090713-1255); FileSize: 30720; Signer: Microsoft Windows; Icon: backup\7d3c7514cc9d0c828524db9622db215a.ico; | Low Risk |
2019-3-24 08:36:48 | This file modified files | FilePath: %SYSTEMROOT%\System32\LogonUI.exe; | High Risk |
2019-3-24 08:36:45 | This file spawned process(es) | FilePath: %SYSTEMROOT%\System32\cmd.exe; Company: Microsoft Corporation; TargetPid: 2692; CmdLine: "C:\Windows\System32\cmd.exe" /C "C:\Program Files\Halloware\takeown.bat" ; Version: 6.1.7600.16385 (win7_rtm.090713-1255); FileSize: 301568; Signer: Microsoft Windows; Icon: backup\025ba5ef2cd0a38da0897cfcc8d21451.ico; | High Risk |
2019-3-24 08:36:44 | This file spawned process(es) | FilePath: %SYSTEMROOT%\System32\wscript.exe; Company: Microsoft Corporation; TargetPid: 2804; CmdLine: "C:\Windows\System32\wscript.exe" "C:\Program files\halloware\takeact.vbs" RunAsAdministrator; Version: 5.8.7600.16385; FileSize: 141824; Signer: Microsoft Windows; Icon: backup\0799cf41d3ae7b80f4757af9734c570d.ico; | High Risk |
2019-3-24 08:36:42 | This file spawned process(es) | FilePath: %SYSTEMROOT%\System32\cmd.exe; Company: Microsoft Corporation; TargetPid: 2568; CmdLine: "C:\Windows\System32\cmd.exe" /c echo msgbox"Please wait while halloware infecting your computer",1+48,"Alert" > "C:\Users\ADMINI~1\AppData\Local\Temp\waitdude.vbs" & wscript.exe "C:\Users\ADMINI~1\AppData\Local\Temp\waitdude.vbs"; Version: 6.1.7600.16385 (win7_rtm.090713-1255); FileSize: 301568; Signer: Microsoft Windows; Icon: backup\025ba5ef2cd0a38da0897cfcc8d21451.ico; | Medium Risk |
2019-3-24 08:36:42 | This file modified files | FilePath: %PROGRAMFILES%\Halloware\takeact.vbs; | Medium Risk |
2019-3-24 08:36:42 | This file modified files | FilePath: %PROGRAMFILES%\Halloware\iQShell.vbs; | Medium Risk |
2019-3-24 08:36:38 | This file modified files | FilePath: %PROGRAMFILES%\Halloware\fakelogon.vbs; | Medium Risk |
2019-3-24 08:36:38 | This file modified files | FilePath: %PROGRAMFILES%\Halloware\data\fakelogon.exe; | High Risk |
2019-3-24 08:36:36 | This file spawned process(es) | FilePath: %SYSTEMROOT%\System32\wscript.exe; Company: Microsoft Corporation; TargetPid: 2544; CmdLine: "C:\Windows\system32\wscript.exe" C:\Users\Administrator\AppData\Local\Temp\C1F8.tmp\C1F9.vbs ; Version: 5.8.7600.16385; FileSize: 141824; Signer: Microsoft Windows; Icon: backup\0799cf41d3ae7b80f4757af9734c570d.ico; | High Risk |
2019-3-24 08:36:36 | This file modified files | FilePath: %TEMP%\C1F8.tmp\fileler\takeact.vbs; | Medium Risk |
2019-3-24 08:36:36 | This file modified files | FilePath: %TEMP%\C1F8.tmp\fileler\iQShell.vbs; | Medium Risk |
2019-3-24 08:36:34 | This file modified files | FilePath: %TEMP%\C1F8.tmp\fileler\fakelogon.vbs; | Medium Risk |
2019-3-24 08:36:34 | This file modified files | FilePath: %TEMP%\C1F8.tmp\fileler\data\fakelogon.exe; | High Risk |
2019-3-24 08:36:34 | This file modified files | FilePath: %TEMP%\C1F8.tmp\C1F9.vbs; | Medium Risk |