Analysis
max time kernel: 45s
max time network: 49s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 04/10/2022, 06:16
Static task
static1
Behavioral task
behavioral1
Sample: b15624e44e6de7f3b360623fef5adf40859226c81cb1ddc2540b4e54461cfa99.exe
Resource: win7-20220812-en
Behavioral task
behavioral2
Sample: b15624e44e6de7f3b360623fef5adf40859226c81cb1ddc2540b4e54461cfa99.exe
Resource: win10v2004-20220812-en
General
Target: b15624e44e6de7f3b360623fef5adf40859226c81cb1ddc2540b4e54461cfa99.exe
Size: 70KB
MD5: 54d2368d604ac5852507b39ade0941f2
SHA1: 6d9e4c37a6c6f9d893e3e8778122a1d466c5954e
SHA256: b15624e44e6de7f3b360623fef5adf40859226c81cb1ddc2540b4e54461cfa99
SHA512: 2a0ca14b52aa10f252be724b065154a823aec86b16310d69bdce7e63052edd8c7e4aa510da19e8510a3f1ea08592b65a8471efd44b280401c54c72bc27a8c54e
SSDEEP: 768:1iCHI1nffAkGisSQ6KRcJZOYoBudWaDyqzlL49FLdS5yA+jz+CEt+R5nOwekfZUW:1LHIlfH7Q6qRBwWa2qxQFZA+j6wWw+9
Malware Config
Signatures
Modifies WinLogon for persistence 2 TTPs 16 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Lubang Hitam.exe" | Black Hole.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\Lubang Hitam.exe\"" | CSRSS.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\Lubang Hitam.exe\"" | LSASS.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\Lubang Hitam.exe\"" | Black Hole.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Lubang Hitam.exe" | Lubang Hitam.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Lubang Hitam.exe" | CSRSS.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\Lubang Hitam.exe\"" | SERVICES.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Lubang Hitam.exe" | b15624e44e6de7f3b360623fef5adf40859226c81cb1ddc2540b4e54461cfa99.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\Lubang Hitam.exe\"" | Lubang Hitam.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\Lubang Hitam.exe\"" | WINLOGON.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Lubang Hitam.exe" | LSASS.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\Lubang Hitam.exe\"" | SMSS.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Lubang Hitam.exe" | SMSS.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\Lubang Hitam.exe\"" | b15624e44e6de7f3b360623fef5adf40859226c81cb1ddc2540b4e54461cfa99.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Lubang Hitam.exe" | SERVICES.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Lubang Hitam.exe" | WINLOGON.EXE
Modifies system executable filetype association 2 TTPs 64 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" | Black Hole.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | WINLOGON.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | CSRSS.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" | CSRSS.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | CSRSS.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" | SERVICES.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | b15624e44e6de7f3b360623fef5adf40859226c81cb1ddc2540b4e54461cfa99.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | Black Hole.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | SERVICES.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" | WINLOGON.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | SERVICES.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" | LSASS.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | b15624e44e6de7f3b360623fef5adf40859226c81cb1ddc2540b4e54461cfa99.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | Lubang Hitam.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | b15624e44e6de7f3b360623fef5adf40859226c81cb1ddc2540b4e54461cfa99.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" | Black Hole.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | Lubang Hitam.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | WINLOGON.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | CSRSS.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" | SERVICES.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | b15624e44e6de7f3b360623fef5adf40859226c81cb1ddc2540b4e54461cfa99.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open | b15624e44e6de7f3b360623fef5adf40859226c81cb1ddc2540b4e54461cfa99.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" | SMSS.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" | SMSS.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | LSASS.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | Black Hole.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | WINLOGON.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | WINLOGON.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" | WINLOGON.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" | b15624e44e6de7f3b360623fef5adf40859226c81cb1ddc2540b4e54461cfa99.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" | Lubang Hitam.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | CSRSS.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | LSASS.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" | LSASS.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | LSASS.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | Black Hole.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" | Lubang Hitam.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" | Lubang Hitam.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" | b15624e44e6de7f3b360623fef5adf40859226c81cb1ddc2540b4e54461cfa99.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | Black Hole.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" | CSRSS.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" | CSRSS.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | SMSS.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" | Black Hole.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" | Black Hole.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" | WINLOGON.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" | SERVICES.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | LSASS.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" | LSASS.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | SMSS.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" | b15624e44e6de7f3b360623fef5adf40859226c81cb1ddc2540b4e54461cfa99.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" | Black Hole.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" | Lubang Hitam.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | Lubang Hitam.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | CSRSS.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | SERVICES.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | b15624e44e6de7f3b360623fef5adf40859226c81cb1ddc2540b4e54461cfa99.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" | b15624e44e6de7f3b360623fef5adf40859226c81cb1ddc2540b4e54461cfa99.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" | SMSS.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" | SMSS.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" | WINLOGON.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" | WINLOGON.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" | CSRSS.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" | Lubang Hitam.exe
Modifies visibility of file extensions in Explorer 2 TTPs 8 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | Lubang Hitam.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | WINLOGON.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | CSRSS.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | SERVICES.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | LSASS.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | SMSS.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | b15624e44e6de7f3b360623fef5adf40859226c81cb1ddc2540b4e54461cfa99.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | Black Hole.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 8 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | LSASS.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | SMSS.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | b15624e44e6de7f3b360623fef5adf40859226c81cb1ddc2540b4e54461cfa99.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | Black Hole.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | Lubang Hitam.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | WINLOGON.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | CSRSS.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | SERVICES.EXE
Sets Security Center notification values (signature name not preserved in this copy) 24 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | b15624e44e6de7f3b360623fef5adf40859226c81cb1ddc2540b4e54461cfa99.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | b15624e44e6de7f3b360623fef5adf40859226c81cb1ddc2540b4e54461cfa99.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | b15624e44e6de7f3b360623fef5adf40859226c81cb1ddc2540b4e54461cfa99.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | WINLOGON.EXE
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | CSRSS.EXE
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | CSRSS.EXE
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | CSRSS.EXE
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | LSASS.EXE
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | Lubang Hitam.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | SERVICES.EXE
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | SERVICES.EXE
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | LSASS.EXE
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | SMSS.EXE
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | Black Hole.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | Black Hole.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | Black Hole.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | Lubang Hitam.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | Lubang Hitam.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | LSASS.EXE
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | SMSS.EXE
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | WINLOGON.EXE
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | WINLOGON.EXE
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | SERVICES.EXE
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | SMSS.EXE
Disables RegEdit via registry modification 16 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | Black Hole.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | CSRSS.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | b15624e44e6de7f3b360623fef5adf40859226c81cb1ddc2540b4e54461cfa99.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | Black Hole.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | Lubang Hitam.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | WINLOGON.EXE
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | CSRSS.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | LSASS.EXE
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | b15624e44e6de7f3b360623fef5adf40859226c81cb1ddc2540b4e54461cfa99.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | Lubang Hitam.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | SERVICES.EXE
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | WINLOGON.EXE
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | SERVICES.EXE
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | LSASS.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | SMSS.EXE
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | SMSS.EXE
Disables Task Manager via registry modification
Disables use of System Restore points 1 TTPs
Executes dropped EXE 19 IoCs
pid | Process
1360 | Black Hole.exe
320 | Lubang Hitam.exe
848 | WINLOGON.EXE
672 | CSRSS.EXE
1692 | Black Hole.exe
1404 | Black Hole.exe
1644 | SERVICES.EXE
1952 | Lubang Hitam.exe
1028 | LSASS.EXE
616 | Black Hole.exe
592 | WINLOGON.EXE
1964 | SMSS.EXE
1208 | Lubang Hitam.exe
1268 | CSRSS.EXE
1184 | Black Hole.exe
1892 | Black Hole.exe
1472 | WINLOGON.EXE
300 | SERVICES.EXE
1448 | Black Hole.exe
Loads dropped DLL 25 IoCs
pid | Process
1788 | b15624e44e6de7f3b360623fef5adf40859226c81cb1ddc2540b4e54461cfa99.exe
1788 | b15624e44e6de7f3b360623fef5adf40859226c81cb1ddc2540b4e54461cfa99.exe
1788 | b15624e44e6de7f3b360623fef5adf40859226c81cb1ddc2540b4e54461cfa99.exe
1788 | b15624e44e6de7f3b360623fef5adf40859226c81cb1ddc2540b4e54461cfa99.exe
1788 | b15624e44e6de7f3b360623fef5adf40859226c81cb1ddc2540b4e54461cfa99.exe
1788 | b15624e44e6de7f3b360623fef5adf40859226c81cb1ddc2540b4e54461cfa99.exe
1788 | b15624e44e6de7f3b360623fef5adf40859226c81cb1ddc2540b4e54461cfa99.exe
1788 | b15624e44e6de7f3b360623fef5adf40859226c81cb1ddc2540b4e54461cfa99.exe
848 | WINLOGON.EXE
848 | WINLOGON.EXE
1788 | b15624e44e6de7f3b360623fef5adf40859226c81cb1ddc2540b4e54461cfa99.exe
1788 | b15624e44e6de7f3b360623fef5adf40859226c81cb1ddc2540b4e54461cfa99.exe
848 | WINLOGON.EXE
1788 | b15624e44e6de7f3b360623fef5adf40859226c81cb1ddc2540b4e54461cfa99.exe
1788 | b15624e44e6de7f3b360623fef5adf40859226c81cb1ddc2540b4e54461cfa99.exe
672 | CSRSS.EXE
672 | CSRSS.EXE
848 | WINLOGON.EXE
848 | WINLOGON.EXE
672 | CSRSS.EXE
672 | CSRSS.EXE
848 | WINLOGON.EXE
848 | WINLOGON.EXE
1644 | SERVICES.EXE
1028 | LSASS.EXE
Creates and populates the Security Center key (signature name not preserved in this copy) 32 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\ | CSRSS.EXE
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | LSASS.EXE
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | LSASS.EXE
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | Lubang Hitam.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | Black Hole.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\ | SERVICES.EXE
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | SERVICES.EXE
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | b15624e44e6de7f3b360623fef5adf40859226c81cb1ddc2540b4e54461cfa99.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | WINLOGON.EXE
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | CSRSS.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\ | SMSS.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\ | Lubang Hitam.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | Black Hole.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\ | WINLOGON.EXE
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | WINLOGON.EXE
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | SERVICES.EXE
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | SMSS.EXE
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | SMSS.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\ | Black Hole.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | SMSS.EXE
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | Lubang Hitam.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | CSRSS.EXE
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | WINLOGON.EXE
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | CSRSS.EXE
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | SERVICES.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\ | LSASS.EXE
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | b15624e44e6de7f3b360623fef5adf40859226c81cb1ddc2540b4e54461cfa99.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | b15624e44e6de7f3b360623fef5adf40859226c81cb1ddc2540b4e54461cfa99.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | Black Hole.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | Lubang Hitam.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | LSASS.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\ | b15624e44e6de7f3b360623fef5adf40859226c81cb1ddc2540b4e54461cfa99.exe
Adds Run key to start application 2 TTPs 56 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ | LSASS.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE" | LSASS.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE" | CSRSS.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Black Hole = "C:\\Windows\\Black Hole.exe" | Black Hole.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE" | SERVICES.EXE
Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ | b15624e44e6de7f3b360623fef5adf40859226c81cb1ddc2540b4e54461cfa99.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" | Black Hole.exe
Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ | WINLOGON.EXE
Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ | SERVICES.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" | LSASS.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" | b15624e44e6de7f3b360623fef5adf40859226c81cb1ddc2540b4e54461cfa99.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" | WINLOGON.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" | CSRSS.EXE
Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ | LSASS.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Black Hole = "C:\\Windows\\Black Hole.exe" | CSRSS.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE" | SERVICES.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" | WINLOGON.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Black Hole = "C:\\Windows\\Black Hole.exe" | SMSS.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" | b15624e44e6de7f3b360623fef5adf40859226c81cb1ddc2540b4e54461cfa99.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ | b15624e44e6de7f3b360623fef5adf40859226c81cb1ddc2540b4e54461cfa99.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE" | b15624e44e6de7f3b360623fef5adf40859226c81cb1ddc2540b4e54461cfa99.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" | Black Hole.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" | Lubang Hitam.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE" | Black Hole.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" | LSASS.EXE
Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ | SMSS.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ | SMSS.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ | Black Hole.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ | CSRSS.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" | SERVICES.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ | SERVICES.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Black Hole = "C:\\Windows\\Black Hole.exe" | WINLOGON.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE" | SMSS.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE" | LSASS.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" | SMSS.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Black Hole = "C:\\Windows\\Black Hole.exe" | b15624e44e6de7f3b360623fef5adf40859226c81cb1ddc2540b4e54461cfa99.exe
Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ | Lubang Hitam.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Black Hole = "C:\\Windows\\Black Hole.exe" | Lubang Hitam.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE" | WINLOGON.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" | SERVICES.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE" | Lubang Hitam.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE" | WINLOGON.EXE
Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ | CSRSS.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE" | Lubang Hitam.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" | SMSS.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE" | b15624e44e6de7f3b360623fef5adf40859226c81cb1ddc2540b4e54461cfa99.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE" | Black Hole.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ | WINLOGON.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" | CSRSS.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE" | CSRSS.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" | Lubang Hitam.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ | Lubang Hitam.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Black Hole = "C:\\Windows\\Black
Hole.exe" LSASS.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE" SMSS.EXE Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ Black Hole.exe Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Black Hole = "C:\\Windows\\Black Hole.exe" SERVICES.EXE -
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process
All 64 entries are "File opened (read-only)" on a drive root (\??\X:), grouped here by process:
LSASS.EXE: G:, L:, P:, S:, T:, V:, W:, X:, Y:
b15624e44e6de7f3b360623fef5adf40859226c81cb1ddc2540b4e54461cfa99.exe: B:, I:, K:, T:, U:, Y:
Lubang Hitam.exe: B:, E:, G:, H:, J:, K:, N:, P:, Q:, S:, T:, U:
WINLOGON.EXE: E:, G:, I:, J:, K:, N:, P:, X:
SERVICES.EXE: F:, G:, K:, L:, M:, P:, U:
SMSS.EXE: E:, J:, K:, M:, N:, O:, P:, T:, W:, Z:
CSRSS.EXE: B:, F:, G:, H:, I:, J:, L:, P:, R:, T:, U:, Z: -
Drops autorun.inf file 1 TTPs 2 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description ioc Process
File created C:\Autorun.inf b15624e44e6de7f3b360623fef5adf40859226c81cb1ddc2540b4e54461cfa99.exe
File opened for modification C:\Autorun.inf b15624e44e6de7f3b360623fef5adf40859226c81cb1ddc2540b4e54461cfa99.exe -
Drops file in System32 directory 36 IoCs
description ioc Process
Grouped by file; processes are listed in the order the report records them.
C:\Windows\SysWOW64\Shell.exe
    File created: b15624e44e6de7f3b360623fef5adf40859226c81cb1ddc2540b4e54461cfa99.exe
    File opened for modification: WINLOGON.EXE, CSRSS.EXE, SMSS.EXE, Lubang Hitam.exe, b15624e44e6de7f3b360623fef5adf40859226c81cb1ddc2540b4e54461cfa99.exe, LSASS.EXE, SERVICES.EXE
C:\Windows\SysWOW64\Lubang Hitam.exe
    File created: SERVICES.EXE, b15624e44e6de7f3b360623fef5adf40859226c81cb1ddc2540b4e54461cfa99.exe, Lubang Hitam.exe, LSASS.EXE, WINLOGON.EXE, SMSS.EXE, CSRSS.EXE
    File opened for modification: LSASS.EXE, Lubang Hitam.exe, SERVICES.EXE, b15624e44e6de7f3b360623fef5adf40859226c81cb1ddc2540b4e54461cfa99.exe, WINLOGON.EXE, SMSS.EXE, CSRSS.EXE
C:\Windows\SysWOW64\msvbvm60.dll
    File created: Lubang Hitam.exe (3 entries)
    File opened for modification: Lubang Hitam.exe (3 entries)
C:\Windows\SysWOW64\Destruction.scr
    File created: b15624e44e6de7f3b360623fef5adf40859226c81cb1ddc2540b4e54461cfa99.exe
    File opened for modification: SERVICES.EXE, LSASS.EXE, b15624e44e6de7f3b360623fef5adf40859226c81cb1ddc2540b4e54461cfa99.exe, CSRSS.EXE, SMSS.EXE, Lubang Hitam.exe, WINLOGON.EXE -
Drops file in Windows directory 35 IoCs
description ioc Process
Grouped by file; processes are listed in the order the report records them.
C:\Windows\Black Hole.exe
    File created: SERVICES.EXE, WINLOGON.EXE, LSASS.EXE, b15624e44e6de7f3b360623fef5adf40859226c81cb1ddc2540b4e54461cfa99.exe, SMSS.EXE, CSRSS.EXE
    File opened for modification: LSASS.EXE, Lubang Hitam.exe, SMSS.EXE, WINLOGON.EXE, b15624e44e6de7f3b360623fef5adf40859226c81cb1ddc2540b4e54461cfa99.exe, CSRSS.EXE, SERVICES.EXE
C:\WINDOWS\Black Hole.txt
    File created: b15624e44e6de7f3b360623fef5adf40859226c81cb1ddc2540b4e54461cfa99.exe
    File opened for modification: b15624e44e6de7f3b360623fef5adf40859226c81cb1ddc2540b4e54461cfa99.exe, Lubang Hitam.exe, LSASS.EXE, SMSS.EXE, WINLOGON.EXE, SERVICES.EXE, CSRSS.EXE
C:\WINDOWS\Hacked By Gerry.txt
    File created: b15624e44e6de7f3b360623fef5adf40859226c81cb1ddc2540b4e54461cfa99.exe
    File opened for modification: SMSS.EXE, LSASS.EXE, WINLOGON.EXE, SERVICES.EXE, CSRSS.EXE, Lubang Hitam.exe, b15624e44e6de7f3b360623fef5adf40859226c81cb1ddc2540b4e54461cfa99.exe
C:\Windows\msvbvm60.dll
    File created: Lubang Hitam.exe (3 entries)
    File opened for modification: Lubang Hitam.exe (3 entries) -
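An added hunting script for the artefacts listed in the file-drop and Run-key signatures above (example code written for this page; it is not tria.ge output and not code from the sample). It reads the registry and file system only. Its assumptions are marked in the comments: the report's Local Settings\Application Data path is treated as the Windows 7 junction for AppData\Local, the System32 paths are the 32-bit-host equivalents of the SysWOW64 drops, and the Autorun.inf check is extended from C:\ to every mounted drive root.

```powershell
# Added example for this report (not code from tria.ge or from the sample):
# read-only sweep of a live host for the file and Run-key artefacts listed above.
# Run elevated. Assumptions: "Local Settings\Application Data" in the report is
# the Windows 7 junction for AppData\Local, and on a 32-bit host the SysWOW64
# drops would land in System32, so both directories are checked.

$sampleSha256 = 'b15624e44e6de7f3b360623fef5adf40859226c81cb1ddc2540b4e54461cfa99'

# Paths from the "Drops file in System32 directory" / "Drops file in Windows directory" signatures.
$droppedFiles = @(
    'C:\Windows\Black Hole.exe'
    'C:\Windows\Black Hole.txt'
    'C:\Windows\Hacked By Gerry.txt'
    'C:\Windows\msvbvm60.dll'               # VB6 runtime the worm carries with it
    'C:\Windows\SysWOW64\Shell.exe'
    'C:\Windows\SysWOW64\Lubang Hitam.exe'
    'C:\Windows\SysWOW64\Destruction.scr'
    'C:\Windows\SysWOW64\msvbvm60.dll'
    'C:\Windows\System32\Shell.exe'         # 32-bit host equivalents (assumption)
    'C:\Windows\System32\Lubang Hitam.exe'
    'C:\Windows\System32\Destruction.scr'
)

# Run values from the report: value name -> regex on the executable it should point at
# (the user-profile part of the path differs per host, so only the file name is matched).
$runValues = @{
    'ServiceAdmin'      = 'SERVICES\.EXE$'
    'MSMSGS'            = 'WINLOGON\.EXE$'
    'LogonAdmin'        = 'CSRSS\.EXE$'
    'System Monitoring' = 'LSASS\.EXE$'
    'Black Hole'        = 'Black Hole\.exe$'
}

$findings = New-Object System.Collections.Generic.List[string]

foreach ($f in $droppedFiles) {
    if (Test-Path -LiteralPath $f) {
        $hash = (Get-FileHash -LiteralPath $f -Algorithm SHA256).Hash.ToLower()
        $note = if ($hash -eq $sampleSha256) { 'identical to the sample' } else { "sha256 $hash" }
        $findings.Add("file: $f ($note)")
    }
}

# Copies named after core system processes, but living under the user profile.
foreach ($userDir in Get-ChildItem -Path 'C:\Users' -Directory) {
    foreach ($name in 'SERVICES.EXE', 'WINLOGON.EXE', 'CSRSS.EXE', 'LSASS.EXE', 'SMSS.EXE') {
        $p = Join-Path $userDir.FullName "AppData\Local\WINDOWS\$name"
        if (Test-Path -LiteralPath $p) { $findings.Add("file: $p (system-process name outside System32)") }
    }
}

# Run keys: the 32-bit HKLM view the report shows, the native view, and every loaded user hive.
$runKeys = @(
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
$runKeys += Get-ChildItem -Path 'Registry::HKEY_USERS' |
    ForEach-Object { "Registry::$($_.Name)\Software\Microsoft\Windows\CurrentVersion\Run" }

foreach ($key in $runKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($name in $runValues.Keys) {
        $prop = $props.PSObject.Properties[$name]
        if ($prop -and $prop.Value -match $runValues[$name]) {
            $findings.Add("run key: $key\$name = $($prop.Value)")
        }
    }
}

# Autorun.inf at every drive root (the report shows it written to C:\; the drive
# enumeration above is the worm looking for other volumes to seed).
foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
    $inf = Join-Path $drive.Root 'Autorun.inf'
    if (Test-Path -LiteralPath $inf) {
        $body = (Get-Content -LiteralPath $inf -Raw) -replace '\s+', ' '
        $findings.Add("autorun: $inf -> $body")
    }
}

if ($findings.Count -eq 0) { 'no artefacts from this report found' } else { $findings }
```

The Run-value match is deliberately loose (file name only, any hive) because the sandbox user is "Admin" and the data on a real host will carry a different profile path; a hit on the value name alone is not enough, since MSMSGS was a legitimate Windows Messenger entry on older systems, so the data is matched as well. The sample hash is reported for every hit so that a dropped copy with a different hash (for example Shell.exe, which is a separate component) is still listed rather than silently skipped.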
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Tria.ge tags this as likely ransomware behaviour; in this run it lines up with the drive enumeration and the Autorun.inf drop recorded above, that is, a worm looking for volumes to copy itself to, and none of the recorded file activity shows encryption.
-
Modifies Control Panel 48 IoCs
description ioc Process
The worm points the user's screensaver at the Destruction.scr it dropped into SysWOW64 (DESTRU~1.SCR is its 8.3 short name; "system32" here is the path as seen by a 32-bit process under WOW64 redirection), sets a 10-minute timeout with no password on resume, and swaps the mouse buttons. Every copy re-applies the same six values. Grouped by value, with the writing processes in the order the report records them:
Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Control Panel\Desktop\
    by: b15624e44e6de7f3b360623fef5adf40859226c81cb1ddc2540b4e54461cfa99.exe, Black Hole.exe, CSRSS.EXE, SERVICES.EXE, SMSS.EXE, WINLOGON.EXE, LSASS.EXE, Lubang Hitam.exe
Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Control Panel\Mouse\
    by: WINLOGON.EXE, SERVICES.EXE, SMSS.EXE, Lubang Hitam.exe, LSASS.EXE, b15624e44e6de7f3b360623fef5adf40859226c81cb1ddc2540b4e54461cfa99.exe, CSRSS.EXE, Black Hole.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"
    written by: b15624e44e6de7f3b360623fef5adf40859226c81cb1ddc2540b4e54461cfa99.exe, CSRSS.EXE, LSASS.EXE, WINLOGON.EXE, SMSS.EXE, Black Hole.exe, Lubang Hitam.exe, SERVICES.EXE
Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\DESTRU~1.SCR"
    written by: Black Hole.exe, LSASS.EXE, WINLOGON.EXE, SMSS.EXE, b15624e44e6de7f3b360623fef5adf40859226c81cb1ddc2540b4e54461cfa99.exe, CSRSS.EXE, Lubang Hitam.exe, SERVICES.EXE
Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"
    written by: SMSS.EXE, WINLOGON.EXE, LSASS.EXE, SERVICES.EXE, Black Hole.exe, CSRSS.EXE, b15624e44e6de7f3b360623fef5adf40859226c81cb1ddc2540b4e54461cfa99.exe, Lubang Hitam.exe
Set value (int) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Control Panel\Mouse\SwapMouseButtons = "1"
    written by: Lubang Hitam.exe, SMSS.EXE, SERVICES.EXE, CSRSS.EXE, b15624e44e6de7f3b360623fef5adf40859226c81cb1ddc2540b4e54461cfa99.exe, Black Hole.exe, LSASS.EXE, WINLOGON.EXE -
Modifies registry class 64 IoCs
description ioc Process
Every launch of an .exe, .com, .bat, .pif, .scr or .lnk that goes through the shell is redirected to the dropped C:\Windows\system32\Shell.exe, which receives the real target as "%1" %*; the exefile type name is also rewritten to "File Folder", so executables show up as folders in Explorer's Type column. Grouped by key, with the writing processes in the order the report records them:
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*"
    written by: WINLOGON.EXE, b15624e44e6de7f3b360623fef5adf40859226c81cb1ddc2540b4e54461cfa99.exe, SMSS.EXE, SERVICES.EXE, Black Hole.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"
    written by: SMSS.EXE, CSRSS.EXE, LSASS.EXE, Black Hole.exe, SERVICES.EXE
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*"
    written by: CSRSS.EXE, SERVICES.EXE, b15624e44e6de7f3b360623fef5adf40859226c81cb1ddc2540b4e54461cfa99.exe, LSASS.EXE
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*"
    written by: LSASS.EXE, CSRSS.EXE, SERVICES.EXE
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*"
    written by: SMSS.EXE, b15624e44e6de7f3b360623fef5adf40859226c81cb1ddc2540b4e54461cfa99.exe, LSASS.EXE, Black Hole.exe, SERVICES.EXE
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*"
    written by: SMSS.EXE, b15624e44e6de7f3b360623fef5adf40859226c81cb1ddc2540b4e54461cfa99.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*"
    written by: SMSS.EXE, Black Hole.exe, Lubang Hitam.exe, WINLOGON.EXE
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile
    by: WINLOGON.EXE, CSRSS.EXE, Lubang Hitam.exe, Black Hole.exe, SERVICES.EXE, SMSS.EXE
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command
    by: Lubang Hitam.exe, LSASS.EXE
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command
    by: b15624e44e6de7f3b360623fef5adf40859226c81cb1ddc2540b4e54461cfa99.exe, CSRSS.EXE, LSASS.EXE, WINLOGON.EXE, SERVICES.EXE, SMSS.EXE
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command
    by: SMSS.EXE, WINLOGON.EXE, b15624e44e6de7f3b360623fef5adf40859226c81cb1ddc2540b4e54461cfa99.exe, Lubang Hitam.exe, CSRSS.EXE
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command
    by: SERVICES.EXE, Black Hole.exe, b15624e44e6de7f3b360623fef5adf40859226c81cb1ddc2540b4e54461cfa99.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command
    by: WINLOGON.EXE, Lubang Hitam.exe, SMSS.EXE, SERVICES.EXE, CSRSS.EXE, Black Hole.exe, LSASS.EXE
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile
    by: b15624e44e6de7f3b360623fef5adf40859226c81cb1ddc2540b4e54461cfa99.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open
    by: b15624e44e6de7f3b360623fef5adf40859226c81cb1ddc2540b4e54461cfa99.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command
    by: WINLOGON.EXE, Black Hole.exe, LSASS.EXE, SERVICES.EXE, Lubang Hitam.exe -
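An added audit-and-restore script for the hijacked class keys above, together with the SCRNSAVE.EXE swap and the Policies\Explorer and Policies\System values this report records (example code written for this page, not tria.ge output and not code from the sample). The stock type names and open commands it compares against, and the treatment of lnkfile as having no shell\open verb by default, are assumptions about an unmodified Windows install rather than values taken from the report.

```powershell
# Added example for this report (not code from tria.ge or from the sample):
# audit, and with -Restore undo, the file-association hijack, screensaver swap and
# Explorer/System policy lockout recorded above. The "stock" type names and
# open commands below are assumptions about a default Windows install, not values
# taken from the report. Run elevated; without -Restore nothing is changed.
param([switch]$Restore)

$hijackCmd = '"C:\Windows\system32\Shell.exe" "%1" %*'   # what the worm writes, quotes unescaped

# class -> @(expected (Default) type name, expected shell\open\command; $null = no such key on a stock install)
$classes = @{
    exefile = @('Application',                '"%1" %*')
    comfile = @('MS-DOS Application',         '"%1" %*')
    batfile = @('Windows Batch File',         '"%1" %*')
    piffile = @('Shortcut to MS-DOS Program', '"%1" %*')
    scrfile = @('Screen saver',               '"%1" /S')
    lnkfile = @('Shortcut',                   $null)      # Explorer resolves .lnk itself (assumption)
}

# Policy values the report sets to 1; absent on a workstation that is not under a GPO.
$policies = @{
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'   = @('DisableTaskMgr', 'NoPwdPage')
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' = @('NoRun', 'NoFind', 'NoControlPanel', 'NoSetFolders',
                                                                            'NoPropertiesMyComputer', 'NoRecentDocsMenu', 'NoTrayItemsDisplay')
}

function Get-DefaultValue([string]$Key) {
    if (-not (Test-Path -Path $Key)) { return $null }
    (Get-ItemProperty -Path $Key).'(default)'
}

$findings = @()

foreach ($cls in $classes.Keys) {
    $typeName, $cmd = $classes[$cls]
    # HKCU\Software\Classes overrides HKLM in the merged HKCR view, so check both.
    foreach ($root in 'HKLM:\SOFTWARE\Classes', 'HKCU:\SOFTWARE\Classes') {
        $base   = "$root\$cls"
        $cmdKey = "$base\shell\open\command"
        $actualType = Get-DefaultValue $base
        $actualCmd  = Get-DefaultValue $cmdKey
        if ($actualType -and $actualType -ne $typeName) {
            $findings += "$base (Default) = '$actualType', expected '$typeName'"
            if ($Restore) { Set-ItemProperty -Path $base -Name '(default)' -Value $typeName }
        }
        if ($null -ne $actualCmd -and $actualCmd -ne $cmd) {
            $tag = if ($actualCmd -eq $hijackCmd) { ' [matches this report]' } else { '' }
            $findings += "$cmdKey = $actualCmd$tag"
            if ($Restore) {
                # A stock lnkfile has no shell\open verb at all (assumption), so remove it; otherwise re-point it.
                if ($null -eq $cmd) { Remove-Item -Path "$base\shell\open" -Recurse -Force }
                else { Set-ItemProperty -Path $cmdKey -Name '(default)' -Value $cmd }
            }
        }
    }
}

# Screensaver swap, per loaded user hive (the report writes the user's own hive).
foreach ($hive in Get-ChildItem -Path 'Registry::HKEY_USERS' | Where-Object { $_.Name -notlike '*_Classes' }) {
    $desk = "Registry::$($hive.Name)\Control Panel\Desktop"
    if (-not (Test-Path -Path $desk)) { continue }
    $scr = (Get-ItemProperty -Path $desk).'SCRNSAVE.EXE'
    if ($scr -match 'DESTRU~1\.SCR$|Destruction\.scr$') {
        $findings += "$desk\SCRNSAVE.EXE = $scr"
        if ($Restore) { Remove-ItemProperty -Path $desk -Name 'SCRNSAVE.EXE' }
    }
}

foreach ($key in $policies.Keys) {
    if (-not (Test-Path -Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($name in $policies[$key]) {
        $prop = $props.PSObject.Properties[$name]
        if ($prop -and [int]$prop.Value -eq 1) {
            $findings += "$key\$name = 1"
            if ($Restore) { Remove-ItemProperty -Path $key -Name $name }
        }
    }
}

if ($findings.Count -eq 0) { 'no association, screensaver or policy artefacts found' } else { $findings }
```

Run it once without -Restore to see what differs, then with -Restore from an elevated console. Two points matter before relying on it: the hijacked exefile verb only intercepts launches that go through ShellExecute (Explorer, the Start menu, the Run box), so a console that is already open can still start reg.exe or powershell.exe by direct process creation even while Task Manager and Run are disabled by the policies above; and putting the verbs back does nothing about the dropped Shell.exe, the copies under the user profile, or the Run values listed in this report, which have to be removed in the same session or the next logon re-applies everything.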
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 1360 Black Hole.exe -
Suspicious use of AdjustPrivilegeToken 28 IoCs
description pid Process
Fourteen shutdown.exe instances each enable SeShutdownPrivilege and SeRemoteShutdownPrivilege; the WriteProcessMemory list (capped at 64 rows) shows eight of them being spawned by the sample or by one of its dropped copies.
Token: SeShutdownPrivilege and SeRemoteShutdownPrivilege, shutdown.exe PIDs 1712, 1076, 316, 1296, 1488, 1744, 1748, 1508, 1900, 564, 840, 1648, 1736, 524 -
Suspicious use of SetWindowsHookEx 20 IoCs
pid Process
1788 b15624e44e6de7f3b360623fef5adf40859226c81cb1ddc2540b4e54461cfa99.exe
1360 Black Hole.exe
320 Lubang Hitam.exe
848 WINLOGON.EXE
672 CSRSS.EXE
1692 Black Hole.exe
1404 Black Hole.exe
1644 SERVICES.EXE
1952 Lubang Hitam.exe
1028 LSASS.EXE
592 WINLOGON.EXE
616 Black Hole.exe
1964 SMSS.EXE
1208 Lubang Hitam.exe
1268 CSRSS.EXE
1184 Black Hole.exe
1892 Black Hole.exe
1472 WINLOGON.EXE
300 SERVICES.EXE
1448 Black Hole.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
Every child PID here also appears under SetWindowsHookEx (the dropped copies) or AdjustPrivilegeToken (shutdown.exe), and each row is repeated four times: that pattern is consistent with a parent creating a child process and writing its initial memory, not with injection into an unrelated process. The 64 rows de-duplicated (each appears 4 times; child names taken from those two lists, procid_target in parentheses):
PID 1788 b15624e44e6de7f3b360623fef5adf40859226c81cb1ddc2540b4e54461cfa99.exe wrote to memory of 1712 shutdown.exe (28)
PID 1788 b15624e44e6de7f3b360623fef5adf40859226c81cb1ddc2540b4e54461cfa99.exe wrote to memory of 1360 Black Hole.exe (32)
PID 1360 Black Hole.exe wrote to memory of 1076 shutdown.exe (33)
PID 1788 b15624e44e6de7f3b360623fef5adf40859226c81cb1ddc2540b4e54461cfa99.exe wrote to memory of 320 Lubang Hitam.exe (35)
PID 320 Lubang Hitam.exe wrote to memory of 316 shutdown.exe (36)
PID 1788 b15624e44e6de7f3b360623fef5adf40859226c81cb1ddc2540b4e54461cfa99.exe wrote to memory of 848 WINLOGON.EXE (38)
PID 848 WINLOGON.EXE wrote to memory of 1296 shutdown.exe (39)
PID 1788 b15624e44e6de7f3b360623fef5adf40859226c81cb1ddc2540b4e54461cfa99.exe wrote to memory of 672 CSRSS.EXE (41)
PID 320 Lubang Hitam.exe wrote to memory of 1692 Black Hole.exe (42)
PID 672 CSRSS.EXE wrote to memory of 1488 shutdown.exe (43)
PID 848 WINLOGON.EXE wrote to memory of 1404 Black Hole.exe (44)
PID 1404 Black Hole.exe wrote to memory of 1744 shutdown.exe (47)
PID 1788 b15624e44e6de7f3b360623fef5adf40859226c81cb1ddc2540b4e54461cfa99.exe wrote to memory of 1644 SERVICES.EXE (46)
PID 848 WINLOGON.EXE wrote to memory of 1952 Lubang Hitam.exe (49)
PID 1644 SERVICES.EXE wrote to memory of 1748 shutdown.exe (50)
PID 1952 Lubang Hitam.exe wrote to memory of 1508 shutdown.exe (52) -
System policy modification 1 TTPs 64 IoCs
Processes

Indentation shows the parent/child relationship; each entry lists the image path, the PID and the signatures triggered by that process. Every shutdown.exe entry is C:\WINDOWS\SysWOW64\shutdown.exe launched with the command line: C:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found! Every Lubang Hitam.exe entry is C:\Windows\SysWOW64\Lubang Hitam.exe launched as "C:\Windows\system32\Lubang Hitam.exe". For all other entries the command line is the quoted image path.

C:\Users\Admin\AppData\Local\Temp\b15624e44e6de7f3b360623fef5adf40859226c81cb1ddc2540b4e54461cfa99.exe  PID:1788
  - Modifies WinLogon for persistence
  - Modifies system executable filetype association
  - Modifies visibility of file extensions in Explorer
  - Modifies visibility of hidden/system files in Explorer
  - Windows security bypass
  - Disables RegEdit via registry modification
  - Loads dropped DLL
  - Windows security modification
  - Adds Run key to start application
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies Control Panel
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification

  C:\WINDOWS\SysWOW64\shutdown.exe  PID:1712
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\Black Hole.exe  PID:1360
    - Modifies WinLogon for persistence
    - Modifies system executable filetype association
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Adds Run key to start application
    - Modifies Control Panel
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification

    C:\WINDOWS\SysWOW64\shutdown.exe  PID:1076
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\Lubang Hitam.exe  PID:320
    - Modifies WinLogon for persistence
    - Modifies system executable filetype association
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Adds Run key to start application
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Modifies Control Panel
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification

    C:\WINDOWS\SysWOW64\shutdown.exe  PID:316
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\Black Hole.exe  PID:1692
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx

    C:\Windows\SysWOW64\Lubang Hitam.exe  PID:1936
      C:\WINDOWS\SysWOW64\shutdown.exe  PID:784

    C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE  PID:1140
      C:\WINDOWS\SysWOW64\shutdown.exe  PID:1592

    C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE  PID:1124
      C:\WINDOWS\SysWOW64\shutdown.exe  PID:1428

    C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE  PID:1492
      C:\WINDOWS\SysWOW64\shutdown.exe  PID:988

    C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE  PID:556
      C:\WINDOWS\SysWOW64\shutdown.exe  PID:1844

    C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE  PID:472
      C:\WINDOWS\SysWOW64\shutdown.exe  PID:1756

  C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE  PID:848
    - Modifies WinLogon for persistence
    - Modifies system executable filetype association
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Loads dropped DLL
    - Windows security modification
    - Adds Run key to start application
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Modifies Control Panel
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification

    C:\WINDOWS\SysWOW64\shutdown.exe  PID:1296
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\Black Hole.exe  PID:1404
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      C:\WINDOWS\SysWOW64\shutdown.exe  PID:1744
        - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\Lubang Hitam.exe  PID:1952
      - Executes dropped EXE
      - Drops file in System32 directory
      - Drops file in Windows directory
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      C:\WINDOWS\SysWOW64\shutdown.exe  PID:1508
        - Suspicious use of AdjustPrivilegeToken

    C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE  PID:592
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx

      C:\WINDOWS\SysWOW64\shutdown.exe  PID:840
        - Suspicious use of AdjustPrivilegeToken

    C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE  PID:1268
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx

      C:\WINDOWS\SysWOW64\shutdown.exe  PID:524
        - Suspicious use of AdjustPrivilegeToken

    C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE  PID:300
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx

      C:\WINDOWS\SysWOW64\shutdown.exe  PID:1764

    C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE  PID:1620
      C:\WINDOWS\SysWOW64\shutdown.exe  PID:1360

    C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE  PID:1180

  C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE  PID:672
    - Modifies WinLogon for persistence
    - Modifies system executable filetype association
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Loads dropped DLL
    - Windows security modification
    - Adds Run key to start application
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Modifies Control Panel
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification

    C:\WINDOWS\SysWOW64\shutdown.exe  PID:1488
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\Black Hole.exe  PID:616
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx

      C:\WINDOWS\SysWOW64\shutdown.exe  PID:564
        - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\Lubang Hitam.exe  PID:1208
      - Executes dropped EXE
      - Drops file in System32 directory
      - Drops file in Windows directory
      - Suspicious use of SetWindowsHookEx

      C:\WINDOWS\SysWOW64\shutdown.exe  PID:1736
        - Suspicious use of AdjustPrivilegeToken

    C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE  PID:1472
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx

      C:\WINDOWS\SysWOW64\shutdown.exe  PID:1584

    C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE  PID:1492
      C:\WINDOWS\SysWOW64\shutdown.exe  PID:2012

    C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE  PID:1784
      C:\WINDOWS\SysWOW64\shutdown.exe  PID:1456

    C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE  PID:1268
      C:\WINDOWS\SysWOW64\shutdown.exe  PID:472

    C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE  PID:1556
      C:\WINDOWS\SysWOW64\shutdown.exe  PID:1736

  C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE  PID:1644
    - Modifies WinLogon for persistence
    - Modifies system executable filetype association
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Loads dropped DLL
    - Windows security modification
    - Adds Run key to start application
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Modifies Control Panel
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification

    C:\WINDOWS\SysWOW64\shutdown.exe  PID:1748
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\Black Hole.exe  PID:1892
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx

      C:\WINDOWS\SysWOW64\shutdown.exe  PID:1792

    C:\Windows\SysWOW64\Lubang Hitam.exe  PID:616
      C:\WINDOWS\SysWOW64\shutdown.exe  PID:1672

    C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE  PID:1440
      C:\WINDOWS\SysWOW64\shutdown.exe  PID:840

    C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE  PID:1620

    C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE  PID:1504
      C:\WINDOWS\SysWOW64\shutdown.exe  PID:1896

    C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE  PID:1848
      C:\WINDOWS\SysWOW64\shutdown.exe  PID:1300

    C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE  PID:1440
      C:\WINDOWS\SysWOW64\shutdown.exe  PID:1328

  C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE  PID:1028
    - Modifies WinLogon for persistence
    - Modifies system executable filetype association
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Loads dropped DLL
    - Windows security modification
    - Adds Run key to start application
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Modifies Control Panel
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    - System policy modification

    C:\Windows\Black Hole.exe  PID:1184
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx

      C:\WINDOWS\SysWOW64\shutdown.exe  PID:432

    C:\Windows\SysWOW64\Lubang Hitam.exe  PID:1668
      C:\WINDOWS\SysWOW64\shutdown.exe  PID:1712

    C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE  PID:1508
      C:\WINDOWS\SysWOW64\shutdown.exe  PID:1752

    C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE  PID:316
      C:\WINDOWS\SysWOW64\shutdown.exe  PID:1844

    C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE  PID:268
      C:\WINDOWS\SysWOW64\shutdown.exe  PID:1676

    C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE  PID:1040
      C:\WINDOWS\SysWOW64\shutdown.exe  PID:1712

    C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE  PID:1428
      C:\WINDOWS\SysWOW64\shutdown.exe  PID:1456

  C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE  PID:1964
    - Modifies WinLogon for persistence
    - Modifies system executable filetype association
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Adds Run key to start application
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Modifies Control Panel
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    - System policy modification

    C:\WINDOWS\SysWOW64\shutdown.exe  PID:1648
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\Black Hole.exe  PID:1448
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx

      C:\WINDOWS\SysWOW64\shutdown.exe  PID:776

    C:\Windows\SysWOW64\Lubang Hitam.exe  PID:1488
      C:\WINDOWS\SysWOW64\shutdown.exe  PID:1504

    C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE  PID:2028
      C:\WINDOWS\SysWOW64\shutdown.exe  PID:1972

    C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE  PID:2008

    C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE  PID:1360
      C:\WINDOWS\SysWOW64\shutdown.exe  PID:1448

    C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE  PID:1516
      C:\WINDOWS\SysWOW64\shutdown.exe  PID:1404

    C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE  PID:1712
      C:\WINDOWS\SysWOW64\shutdown.exe  PID:912

C:\WINDOWS\SysWOW64\shutdown.exe  PID:1900
  - Suspicious use of AdjustPrivilegeToken

C:\WINDOWS\SysWOW64\shutdown.exe  PID:700
Network
MITRE ATT&CK Enterprise v6

Persistence
- Change Default File Association (1)
- Hidden Files and Directories (2)
- Registry Run Keys / Startup Folder (1)
- Winlogon Helper DLL (1)

Defense Evasion
- Disabling Security Tools (2)
- Hidden Files and Directories (2)
- Modify Registry (8)
Downloads
-
Filesize
70KB
MD536a9b4aa1b13e264b3977fa843e27d1c
SHA1aee82661a7816add1425b5ec78ea6c30064362a0
SHA2562b846eb4321ef5294836b902e1cdfd6ad53dc6d9a214d2f9b759e6928f5e77d2
SHA512c159a4f9a61802fd315dfe7917bb0b250a2a087d8d659d6f945ed014fe4baa030ad97323195cfc672ab04de47caab4319efe4a4f2c1b1ad375ed5bc6f872fb6a
-
Filesize
70KB
MD5cc92ff10b27107021f6e6376f929b0cf
SHA1d994b985956c69b676c90a9e4079deb6c2a360e5
SHA25655719544b1cedd11733c5b9e043f0432866a630be94d67f4b7049bb43a0f87ef
SHA512332c0aac177dfd627bd6743d8b572300a6ee3c94c37c2f9454bc1b4277657d0227bed3f44f0e9cb32ede6648c9567e789e45ff2e660840b734026178f17b7351
-
Filesize
70KB
MD561a4ddac7035eda039a1d7a74fc748e8
SHA1cd79fcdeb431447bb01421d5527234f528d3354c
SHA256354623078c107d60f484d37a9dbfa66eaec6b895b8093667ac8e63c9b47a0307
SHA512cc635e7598670bea9e37fc9a8d92d217152dffcf752aa51b71a776e409cb0a4086b43ec2a19c30916b970626862131936f4aaa86a18f0efb80fa4d8841af8f93
-
Filesize
70KB
MD57363a0fec13135979d923ecccab38c68
SHA197f642342dc048a9a59c9c988fbc8625a7ff8f94
SHA25632510923ccbbf0d5075682a4fdc56c89a2bc26c32840f2727212defa86d4f643
SHA51250da531e9e127bda0d18a5682e6f3ba38593b927bf196438e2d15713eb2349da83b057ee80ab351063f2426059768a089e9bb092f7722972d35d9355c661c19c
-
Filesize
70KB
MD5d0e6ac775b10d7f70798734a86aa941e
SHA170cf60edb5b5b43ee535a2ed95b10e60eef27c53
SHA256a5139def5e7fa299199f93e1d000633851e2f8d40a33bfa136fb61183834c0ae
SHA51276ce9c1ea27f3947a54e2c1ad7fe3265c6c9bcfb73ebdba363c8399369f1111e35e8390be0ea08b582de0dc41ad9f52ee927cc9f3ea07b4d99a4ae1ac7923f29
-
Filesize
70KB
MD5df50d1321dcdf363ef5ab29ff75bdf13
SHA1696b18ca8cc5cfc202cbe252a21a3be3e6847ce3
SHA256059f509594c2d1d8e3925231cb79c4fffdc30693a6076dae81fdd99ee393e4e0
SHA5123bf5f992a1ec1ef505fbe4c78d14b8ab5bd7838258effb50e5c22d0a24498e554a62008729dcb9c448c05e16625489bd151f4b0528e889fe27df1343b27a3304
-
Filesize
1KB
MD56635e047c242e6d64b2716d81095bf5f
SHA15def5300f894e58bbb0caaa94680f7735ccd248d
SHA2569757b4f406657c44fcbd40757d1ae06e833a8e1542ca976e6ae63578031b32bf
SHA512c9bae9bf090e7c67fac53d061bb43c2091e991c8f568889463d0c1af8f48652c79c51785c0906705098b418b2d7a4b200580fb44091ecf8bf24d8b1b45a258c0
-
Filesize
1KB
MD56635e047c242e6d64b2716d81095bf5f
SHA15def5300f894e58bbb0caaa94680f7735ccd248d
SHA2569757b4f406657c44fcbd40757d1ae06e833a8e1542ca976e6ae63578031b32bf
SHA512c9bae9bf090e7c67fac53d061bb43c2091e991c8f568889463d0c1af8f48652c79c51785c0906705098b418b2d7a4b200580fb44091ecf8bf24d8b1b45a258c0
-
Filesize
1KB
MD56635e047c242e6d64b2716d81095bf5f
SHA15def5300f894e58bbb0caaa94680f7735ccd248d
SHA2569757b4f406657c44fcbd40757d1ae06e833a8e1542ca976e6ae63578031b32bf
SHA512c9bae9bf090e7c67fac53d061bb43c2091e991c8f568889463d0c1af8f48652c79c51785c0906705098b418b2d7a4b200580fb44091ecf8bf24d8b1b45a258c0
-
Filesize
1KB
MD5e067dafcbe64a95f5045a281397732db
SHA11af7095f98c486ca247449980000d06b04ffc50c
SHA256b6085ee8c1f2de574973b9f3a7417257e25573c2b5228b5a8f87e3788e2733b6
SHA5121b575d62fee219538f8d624ab833cbce0aee431559a0adfa1e3ce9cd4f5ab8a2887b394843ebf164c884ccbed5687d644474328471b23c28edba8f99ccf08b58
-
Filesize
1KB
MD5e067dafcbe64a95f5045a281397732db
SHA11af7095f98c486ca247449980000d06b04ffc50c
SHA256b6085ee8c1f2de574973b9f3a7417257e25573c2b5228b5a8f87e3788e2733b6
SHA5121b575d62fee219538f8d624ab833cbce0aee431559a0adfa1e3ce9cd4f5ab8a2887b394843ebf164c884ccbed5687d644474328471b23c28edba8f99ccf08b58
-
Filesize
1KB
MD5e067dafcbe64a95f5045a281397732db
SHA11af7095f98c486ca247449980000d06b04ffc50c
SHA256b6085ee8c1f2de574973b9f3a7417257e25573c2b5228b5a8f87e3788e2733b6
SHA5121b575d62fee219538f8d624ab833cbce0aee431559a0adfa1e3ce9cd4f5ab8a2887b394843ebf164c884ccbed5687d644474328471b23c28edba8f99ccf08b58
-
Filesize
70KB
MD5f0b54e59014ab5b53dc5a683520545e4
SHA1854581e4b37a0d382cac0797fbfa57252b2e86ee
SHA25635b6f53ed2d57c0da5666d44f53c3b85074632c1115df51ea77a63945aa27225
SHA512f0c2a9b1642775782e7c2880cc8bc0a8584c9753a7865905c9d3f187cd76e6a55d4a34a223408ea88b67ac2ee9d9b6e41b8dcc24285ac3c2f7aa34190eba2af9
-
Filesize
70KB
MD5f0b54e59014ab5b53dc5a683520545e4
SHA1854581e4b37a0d382cac0797fbfa57252b2e86ee
SHA25635b6f53ed2d57c0da5666d44f53c3b85074632c1115df51ea77a63945aa27225
SHA512f0c2a9b1642775782e7c2880cc8bc0a8584c9753a7865905c9d3f187cd76e6a55d4a34a223408ea88b67ac2ee9d9b6e41b8dcc24285ac3c2f7aa34190eba2af9
-
Filesize
70KB
MD5f0b54e59014ab5b53dc5a683520545e4
SHA1854581e4b37a0d382cac0797fbfa57252b2e86ee
SHA25635b6f53ed2d57c0da5666d44f53c3b85074632c1115df51ea77a63945aa27225
SHA512f0c2a9b1642775782e7c2880cc8bc0a8584c9753a7865905c9d3f187cd76e6a55d4a34a223408ea88b67ac2ee9d9b6e41b8dcc24285ac3c2f7aa34190eba2af9
-
Filesize
70KB
MD5f0b54e59014ab5b53dc5a683520545e4
SHA1854581e4b37a0d382cac0797fbfa57252b2e86ee
SHA25635b6f53ed2d57c0da5666d44f53c3b85074632c1115df51ea77a63945aa27225
SHA512f0c2a9b1642775782e7c2880cc8bc0a8584c9753a7865905c9d3f187cd76e6a55d4a34a223408ea88b67ac2ee9d9b6e41b8dcc24285ac3c2f7aa34190eba2af9
-
Filesize
70KB
MD51df24b70e33d0da987992ca512192623
SHA1a3ddfef06c4ff66cde86ac78a1d33b3be91f4474
SHA25696f5bdb155217af2cc97e4b11fcca31356fff3b4ba8cb059ca5e8b6c7e343653
SHA512626d9d363e1bafdede468d7e8c98766ffb3a94aea5b31ab4a50347f5b938c94683d3012888532620968532ae1c63040d1bf72eff894b2dac31bf4fbad3c326b6
-
Filesize
70KB
MD51df24b70e33d0da987992ca512192623
SHA1a3ddfef06c4ff66cde86ac78a1d33b3be91f4474
SHA25696f5bdb155217af2cc97e4b11fcca31356fff3b4ba8cb059ca5e8b6c7e343653
SHA512626d9d363e1bafdede468d7e8c98766ffb3a94aea5b31ab4a50347f5b938c94683d3012888532620968532ae1c63040d1bf72eff894b2dac31bf4fbad3c326b6
-
Filesize
1.3MB
MD55343a19c618bc515ceb1695586c6c137
SHA14dedae8cbde066f31c8e6b52c0baa3f8b1117742
SHA2562246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce
SHA512708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606
-
Filesize
70KB
MD5e7dee02a3ca7ee21c70d91cb7b134fcc
SHA1f0caa8595a6415ba46898120cf81cf598c4a35c6
SHA25647ee4b6444b360e306612e6495c47859fe7aca756c76da067564229f2c598274
SHA512691a81937760232c1c954c95a12cfec99bc1ab9aae0ec661e2a045f67e2e53a735bf0c5dfe571f87875451a188808bd8a97b381eb362ebbe86d4cfc8808c5ed4
-
Filesize
70KB
MD5d177bc82a34ffe5d5c8efc8512e2f2ae
SHA18700134f1b6275f24cad0fc57c90f5da86e65c74
SHA25621d7da35e8c526aa295ef0d913e47cad1c635e7922f711619a079a7736909710
SHA5124d7d2b750d3c8768ac25aa1b5b68dea15eda544be3a9113f8483b9b11142983adaa646f3dc665e87e86deb94be4e0176dcd01d961d8dcb96cb3237e605eac403
-
Filesize
70KB
MD54d1df807fbdea1da495f4671b83c5939
SHA177bc33a848fd1a332d98022e5dfbf5052519fc1a
SHA25651e42f07339c0fbee95d9cde005b742dc13b5dfbb9edf4a363f24c6a0b1a33e1
SHA512791326d49e79dc477ce57f1c9578c4ff862dffa70375c1c6be1a99bc12fb4fb3f6e603ac2d15cdae953d90b8b62ccf37f4b662bd48f2acbf46faa8e03ae82587
-
Filesize
70KB
MD5a8a9e6e98d3ef86aaaf3167b2db6bb21
SHA17241b210fdbd65241fe2241b6452aec500f36c44
SHA25611098d6536c2b1b5f21c6415a853cd933d9d59690e121adb803ec116a3628ff1
SHA51239b14b23a2e5069155f69cfa920b2302db794f5a0f628d527a7012e82e7fe87f47a09b94db6f808c6245d9f86a644a5566dc4317412c20b5608be013404e3f16
-
Filesize
70KB
MD5a8a9e6e98d3ef86aaaf3167b2db6bb21
SHA17241b210fdbd65241fe2241b6452aec500f36c44
SHA25611098d6536c2b1b5f21c6415a853cd933d9d59690e121adb803ec116a3628ff1
SHA51239b14b23a2e5069155f69cfa920b2302db794f5a0f628d527a7012e82e7fe87f47a09b94db6f808c6245d9f86a644a5566dc4317412c20b5608be013404e3f16
-
Filesize
70KB
MD5a8a9e6e98d3ef86aaaf3167b2db6bb21
SHA17241b210fdbd65241fe2241b6452aec500f36c44
SHA25611098d6536c2b1b5f21c6415a853cd933d9d59690e121adb803ec116a3628ff1
SHA51239b14b23a2e5069155f69cfa920b2302db794f5a0f628d527a7012e82e7fe87f47a09b94db6f808c6245d9f86a644a5566dc4317412c20b5608be013404e3f16
-
Filesize
70KB
MD5a8a9e6e98d3ef86aaaf3167b2db6bb21
SHA17241b210fdbd65241fe2241b6452aec500f36c44
SHA25611098d6536c2b1b5f21c6415a853cd933d9d59690e121adb803ec116a3628ff1
SHA51239b14b23a2e5069155f69cfa920b2302db794f5a0f628d527a7012e82e7fe87f47a09b94db6f808c6245d9f86a644a5566dc4317412c20b5608be013404e3f16
-
Filesize
70KB
MD5c5471ebc6d7e889fab871118f4f3fc42
SHA1d636d046fece3097421f125aac306439abee86b6
SHA256249d66a9b67c5d7b093bc4a79d241d85ce6eb33d296457f86d0f30d6d78e9aa7
SHA5123247a1a8942cb420e3e246a4ca4920c5f4df168a1583e15cc0612712699edc05aaa8a41a04a6416e077a9c9cd3c7aa76603a312336a845c3bda6adb1228df1da
-
Filesize
70KB
MD5c9f385944a7a123b0e20520feaf71f4e
SHA13581dea2b1e0ff9888e79a056f74b0b4d8d98bea
SHA2562f88d309fe192dccb0f3c28e000f625423f9df865c7f19d21688bedb96291787
SHA512cc75406810cdbe6de92b2a6c789e2e60aa6c7ff556437d363b7152da3a86921772808ad41c93bdf225104f77a384b18d3e97d1fcd910f2632b67627fa8234292
-
Filesize
70KB
MD54e0ab9774f471a498dd59b6dfd00278c
SHA1272c3c7c24b6d9fee3a732de4783326c283bbfe9
SHA2563dbc76f415e149c44acf3d2977916f92b96face745caa8f5ef6177131860a645
SHA5122e96d7c7cc05d8da6652c982dd930c74ddf22eb46968a7f7a4aea1d22fa8d4548d3b5b19f95c323fa5c6af1f2192a355f2d9fc682c95e53de7301ea775229ebf
-
Filesize
70KB
MD52c98faa8e9cf83cf720a234b966e2f1c
SHA13085ce90e810723301a7676401d22636244d79dd
SHA2564356a338f636cb6a376e1ced9db4d1dd069b0808839f6556e7d61f99d6c6899e
SHA512e6ccb501f8d1f4f09dfa4203678ae7e96f261c3e642a6ac9d2d3ab02d54b4605b57bf4015df2e8af12aaec6c47f727949b5d3ad00b3b19cb8fedba4793731bf8
-
Filesize
70KB
MD52c98faa8e9cf83cf720a234b966e2f1c
SHA13085ce90e810723301a7676401d22636244d79dd
SHA2564356a338f636cb6a376e1ced9db4d1dd069b0808839f6556e7d61f99d6c6899e
SHA512e6ccb501f8d1f4f09dfa4203678ae7e96f261c3e642a6ac9d2d3ab02d54b4605b57bf4015df2e8af12aaec6c47f727949b5d3ad00b3b19cb8fedba4793731bf8
-
Filesize
70KB
MD5aecb5c344fce556c4a7c670029573454
SHA1ff8099934401ec68ca0cdd6d3e2d3dded7b27944
SHA256bcf8669772aefc5221e1a9def9b7791e8ef4c116222f2d1baf89ad50274b53b4
SHA5124b10c09f99937c0eb92a9c7ea459a2184a7f8db7f934fca95aa4cd5692e0a907a6516a3d8614612741e4a21c505df859c21c3b2593cb53e435530eedf2d242c1
-
Filesize
70KB
MD5aecb5c344fce556c4a7c670029573454
SHA1ff8099934401ec68ca0cdd6d3e2d3dded7b27944
SHA256bcf8669772aefc5221e1a9def9b7791e8ef4c116222f2d1baf89ad50274b53b4
SHA5124b10c09f99937c0eb92a9c7ea459a2184a7f8db7f934fca95aa4cd5692e0a907a6516a3d8614612741e4a21c505df859c21c3b2593cb53e435530eedf2d242c1
-
Filesize
70KB
MD523efd19888ef845ad42fb443ffb1c3df
SHA1fc7d51852efee493c1c2ce43d81091bbad46ebd8
SHA256187e4f1a50b32d3248896b2eacc13f774e3e0233880d1b600b1f6bc1337be7f2
SHA512fec97d04987e23fc4d61fdaafdfbfc3943843879eec2e608aef15033016c8585223066f53031cd6306e3689252eaf1fd0b9d054ee846e3bb550e8c0ce05aa660
-
Filesize
70KB
MD523efd19888ef845ad42fb443ffb1c3df
SHA1fc7d51852efee493c1c2ce43d81091bbad46ebd8
SHA256187e4f1a50b32d3248896b2eacc13f774e3e0233880d1b600b1f6bc1337be7f2
SHA512fec97d04987e23fc4d61fdaafdfbfc3943843879eec2e608aef15033016c8585223066f53031cd6306e3689252eaf1fd0b9d054ee846e3bb550e8c0ce05aa660
-
Filesize
70KB
MD536a9b4aa1b13e264b3977fa843e27d1c
SHA1aee82661a7816add1425b5ec78ea6c30064362a0
SHA2562b846eb4321ef5294836b902e1cdfd6ad53dc6d9a214d2f9b759e6928f5e77d2
SHA512c159a4f9a61802fd315dfe7917bb0b250a2a087d8d659d6f945ed014fe4baa030ad97323195cfc672ab04de47caab4319efe4a4f2c1b1ad375ed5bc6f872fb6a
-
Filesize
70KB
MD536a9b4aa1b13e264b3977fa843e27d1c
SHA1aee82661a7816add1425b5ec78ea6c30064362a0
SHA2562b846eb4321ef5294836b902e1cdfd6ad53dc6d9a214d2f9b759e6928f5e77d2
SHA512c159a4f9a61802fd315dfe7917bb0b250a2a087d8d659d6f945ed014fe4baa030ad97323195cfc672ab04de47caab4319efe4a4f2c1b1ad375ed5bc6f872fb6a
-
Filesize
70KB
MD561a4ddac7035eda039a1d7a74fc748e8
SHA1cd79fcdeb431447bb01421d5527234f528d3354c
SHA256354623078c107d60f484d37a9dbfa66eaec6b895b8093667ac8e63c9b47a0307
SHA512cc635e7598670bea9e37fc9a8d92d217152dffcf752aa51b71a776e409cb0a4086b43ec2a19c30916b970626862131936f4aaa86a18f0efb80fa4d8841af8f93
-
Filesize
70KB
MD561a4ddac7035eda039a1d7a74fc748e8
SHA1cd79fcdeb431447bb01421d5527234f528d3354c
SHA256354623078c107d60f484d37a9dbfa66eaec6b895b8093667ac8e63c9b47a0307
SHA512cc635e7598670bea9e37fc9a8d92d217152dffcf752aa51b71a776e409cb0a4086b43ec2a19c30916b970626862131936f4aaa86a18f0efb80fa4d8841af8f93
-
Filesize
70KB
MD561a4ddac7035eda039a1d7a74fc748e8
SHA1cd79fcdeb431447bb01421d5527234f528d3354c
SHA256354623078c107d60f484d37a9dbfa66eaec6b895b8093667ac8e63c9b47a0307
SHA512cc635e7598670bea9e37fc9a8d92d217152dffcf752aa51b71a776e409cb0a4086b43ec2a19c30916b970626862131936f4aaa86a18f0efb80fa4d8841af8f93
-
Filesize
70KB
MD5a8a9e6e98d3ef86aaaf3167b2db6bb21
SHA17241b210fdbd65241fe2241b6452aec500f36c44
SHA25611098d6536c2b1b5f21c6415a853cd933d9d59690e121adb803ec116a3628ff1
SHA51239b14b23a2e5069155f69cfa920b2302db794f5a0f628d527a7012e82e7fe87f47a09b94db6f808c6245d9f86a644a5566dc4317412c20b5608be013404e3f16
-
Filesize
70KB
MD5a8a9e6e98d3ef86aaaf3167b2db6bb21
SHA17241b210fdbd65241fe2241b6452aec500f36c44
SHA25611098d6536c2b1b5f21c6415a853cd933d9d59690e121adb803ec116a3628ff1
SHA51239b14b23a2e5069155f69cfa920b2302db794f5a0f628d527a7012e82e7fe87f47a09b94db6f808c6245d9f86a644a5566dc4317412c20b5608be013404e3f16
-
Filesize
70KB
MD5a8a9e6e98d3ef86aaaf3167b2db6bb21
SHA17241b210fdbd65241fe2241b6452aec500f36c44
SHA25611098d6536c2b1b5f21c6415a853cd933d9d59690e121adb803ec116a3628ff1
SHA51239b14b23a2e5069155f69cfa920b2302db794f5a0f628d527a7012e82e7fe87f47a09b94db6f808c6245d9f86a644a5566dc4317412c20b5608be013404e3f16
-
Filesize
70KB
MD5a8a9e6e98d3ef86aaaf3167b2db6bb21
SHA17241b210fdbd65241fe2241b6452aec500f36c44
SHA25611098d6536c2b1b5f21c6415a853cd933d9d59690e121adb803ec116a3628ff1
SHA51239b14b23a2e5069155f69cfa920b2302db794f5a0f628d527a7012e82e7fe87f47a09b94db6f808c6245d9f86a644a5566dc4317412c20b5608be013404e3f16
-
Filesize
70KB
MD5a8a9e6e98d3ef86aaaf3167b2db6bb21
SHA17241b210fdbd65241fe2241b6452aec500f36c44
SHA25611098d6536c2b1b5f21c6415a853cd933d9d59690e121adb803ec116a3628ff1
SHA51239b14b23a2e5069155f69cfa920b2302db794f5a0f628d527a7012e82e7fe87f47a09b94db6f808c6245d9f86a644a5566dc4317412c20b5608be013404e3f16
-
Filesize
70KB
MD5a8a9e6e98d3ef86aaaf3167b2db6bb21
SHA17241b210fdbd65241fe2241b6452aec500f36c44
SHA25611098d6536c2b1b5f21c6415a853cd933d9d59690e121adb803ec116a3628ff1
SHA51239b14b23a2e5069155f69cfa920b2302db794f5a0f628d527a7012e82e7fe87f47a09b94db6f808c6245d9f86a644a5566dc4317412c20b5608be013404e3f16