Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
152s -
max time network
141s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
02/12/2022, 20:59
Static task
static1
Behavioral task
behavioral1
Sample
a18d9a87ea9c31d2a967362abe9553fe325c7b2e243480f45289b415092a7fc9.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
a18d9a87ea9c31d2a967362abe9553fe325c7b2e243480f45289b415092a7fc9.exe
Resource
win10v2004-20220812-en
General
-
Target
a18d9a87ea9c31d2a967362abe9553fe325c7b2e243480f45289b415092a7fc9.exe
-
Size
70KB
-
MD5
1513923d09c7328ffbecdef07658e7a4
-
SHA1
c0c166a46e924c9e507c7ea73488bf970659dba1
-
SHA256
a18d9a87ea9c31d2a967362abe9553fe325c7b2e243480f45289b415092a7fc9
-
SHA512
7877e101ece8a95e1cb61abc8581f137434742763b8d9711f0617231d62e5d323fa445a3c514a98597838bd2cb8bd015f75d9d6163cf0e7d8f8c4c7e2e4197a8
-
SSDEEP
768:1iCHI1nffAkGisSQ6KRcJZOYoBudWaDyqzlL49FLdS5yA+jz+CE4+R5nOwekfZUW:1LHIlfH7Q6qRBwWa2qxQFZA+j6PWw+9
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 18 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\Lubang Hitam.exe\"" Black Hole.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Lubang Hitam.exe" WINLOGON.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\Lubang Hitam.exe\"" SERVICES.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\Lubang Hitam.exe\"" CSRSS.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\Lubang Hitam.exe\"" LSASS.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Lubang Hitam.exe" LSASS.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Lubang Hitam.exe" Lubang Hitam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\Lubang Hitam.exe\"" SMSS.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Lubang Hitam.exe" SMSS.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\Lubang Hitam.exe\"" a18d9a87ea9c31d2a967362abe9553fe325c7b2e243480f45289b415092a7fc9.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Lubang Hitam.exe" Black Hole.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Lubang Hitam.exe" Black Hole.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\Lubang Hitam.exe\"" Lubang Hitam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\Lubang Hitam.exe\"" WINLOGON.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Lubang Hitam.exe" CSRSS.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Lubang Hitam.exe" a18d9a87ea9c31d2a967362abe9553fe325c7b2e243480f45289b415092a7fc9.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\Lubang Hitam.exe\"" Black Hole.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Lubang Hitam.exe" SERVICES.EXE -
Modifies system executable filetype association 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" WINLOGON.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command WINLOGON.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command a18d9a87ea9c31d2a967362abe9553fe325c7b2e243480f45289b415092a7fc9.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" a18d9a87ea9c31d2a967362abe9553fe325c7b2e243480f45289b415092a7fc9.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" LSASS.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command Black Hole.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" SMSS.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" SMSS.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" SMSS.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" a18d9a87ea9c31d2a967362abe9553fe325c7b2e243480f45289b415092a7fc9.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" SERVICES.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" SERVICES.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command LSASS.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" LSASS.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" WINLOGON.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command CSRSS.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command Lubang Hitam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" Lubang Hitam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" CSRSS.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command SMSS.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command SMSS.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" a18d9a87ea9c31d2a967362abe9553fe325c7b2e243480f45289b415092a7fc9.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command a18d9a87ea9c31d2a967362abe9553fe325c7b2e243480f45289b415092a7fc9.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command SERVICES.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" SERVICES.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command LSASS.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command SERVICES.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command Lubang Hitam.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command CSRSS.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command Black Hole.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command Lubang Hitam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" Lubang Hitam.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command CSRSS.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" CSRSS.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" SERVICES.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" Black Hole.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command Black Hole.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" Lubang Hitam.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command WINLOGON.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" CSRSS.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command CSRSS.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command SMSS.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" SMSS.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" a18d9a87ea9c31d2a967362abe9553fe325c7b2e243480f45289b415092a7fc9.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" Black Hole.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command Black Hole.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command Black Hole.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" Black Hole.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" LSASS.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" LSASS.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" Black Hole.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" SMSS.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" a18d9a87ea9c31d2a967362abe9553fe325c7b2e243480f45289b415092a7fc9.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" Black Hole.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command LSASS.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command Black Hole.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command Lubang Hitam.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command SMSS.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command a18d9a87ea9c31d2a967362abe9553fe325c7b2e243480f45289b415092a7fc9.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command Black Hole.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command SERVICES.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command LSASS.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" Black Hole.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" Black Hole.exe -
Modifies visibility of file extensions in Explorer 2 TTPs 9 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" a18d9a87ea9c31d2a967362abe9553fe325c7b2e243480f45289b415092a7fc9.exe Set value (int) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" SERVICES.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" LSASS.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Black Hole.exe Set value (int) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" WINLOGON.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" SMSS.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Lubang Hitam.exe Set value (int) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" CSRSS.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Black Hole.exe -
Modifies visiblity of hidden/system files in Explorer 2 TTPs 9 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" CSRSS.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" SMSS.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" a18d9a87ea9c31d2a967362abe9553fe325c7b2e243480f45289b415092a7fc9.exe Set value (int) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" LSASS.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" Black Hole.exe Set value (int) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" WINLOGON.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" Black Hole.exe Set value (int) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" SERVICES.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" Lubang Hitam.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" LSASS.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" Black Hole.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" Black Hole.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" WINLOGON.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" Black Hole.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" SERVICES.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" LSASS.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" Lubang Hitam.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" CSRSS.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" a18d9a87ea9c31d2a967362abe9553fe325c7b2e243480f45289b415092a7fc9.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" SMSS.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" a18d9a87ea9c31d2a967362abe9553fe325c7b2e243480f45289b415092a7fc9.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" Black Hole.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" WINLOGON.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" CSRSS.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" Black Hole.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" Lubang Hitam.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" SMSS.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" LSASS.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" WINLOGON.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" a18d9a87ea9c31d2a967362abe9553fe325c7b2e243480f45289b415092a7fc9.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" Black Hole.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" SMSS.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" SERVICES.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" CSRSS.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" SERVICES.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" Lubang Hitam.exe -
Disables RegEdit via registry modification 18 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" Lubang Hitam.exe Set value (int) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" a18d9a87ea9c31d2a967362abe9553fe325c7b2e243480f45289b415092a7fc9.exe Set value (int) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" SERVICES.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" LSASS.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" WINLOGON.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" WINLOGON.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" CSRSS.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" SERVICES.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" Black Hole.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" CSRSS.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" SMSS.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" Black Hole.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" LSASS.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" Black Hole.exe Set value (int) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" Lubang Hitam.exe Set value (int) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" SMSS.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" a18d9a87ea9c31d2a967362abe9553fe325c7b2e243480f45289b415092a7fc9.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" Black Hole.exe -
Disables Task Manager via registry modification
-
Disables use of System Restore points 1 TTPs
-
Executes dropped EXE 63 IoCs
pid Process 1124 Black Hole.exe 3308 Lubang Hitam.exe 3116 WINLOGON.EXE 3312 Black Hole.exe 2948 Lubang Hitam.exe 3012 SERVICES.EXE 216 CSRSS.EXE 4472 Process not Found 2356 SERVICES.EXE 3012 SERVICES.EXE 496 LSASS.EXE 3140 shutdown.exe 2848 SMSS.EXE 3064 SMSS.EXE 4996 Lubang Hitam.exe 2716 Conhost.exe 1316 WINLOGON.EXE 2424 Conhost.exe 3276 Conhost.exe 4764 Conhost.exe 4788 Lubang Hitam.exe 2036 SERVICES.EXE 3916 WINLOGON.EXE 3748 SMSS.EXE 4884 Conhost.exe 1536 Black Hole.exe 3716 Black Hole.exe 4996 Lubang Hitam.exe 5112 Conhost.exe 1076 Conhost.exe 3720 Conhost.exe 2480 Black Hole.exe 2324 LSASS.EXE 4396 WINLOGON.EXE 2420 CSRSS.EXE 5068 Lubang Hitam.exe 3808 CSRSS.EXE 4552 SMSS.EXE 228 LSASS.EXE 2440 WINLOGON.EXE 1504 CSRSS.EXE 1244 LSASS.EXE 1964 SMSS.EXE 1768 CSRSS.EXE 548 LSASS.EXE 3596 SMSS.EXE 4436 SERVICES.EXE 3548 cmd.exe 1124 Conhost.exe 3960 Lubang Hitam.exe 2448 SMSS.EXE 2268 WINLOGON.EXE 1504 Conhost.exe 2036 SERVICES.EXE 2408 LSASS.EXE 4344 SMSS.EXE 4012 Black Hole.exe 1968 Lubang Hitam.exe 1312 WINLOGON.EXE 3560 CSRSS.EXE 4008 SERVICES.EXE 228 LSASS.EXE 4792 SMSS.EXE -
Loads dropped DLL 8 IoCs
pid Process 3312 Black Hole.exe 4996 Lubang Hitam.exe 4764 Conhost.exe 1536 Black Hole.exe 3716 Black Hole.exe 2480 Black Hole.exe 3548 cmd.exe 4012 Black Hole.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" LSASS.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" Black Hole.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\ Black Hole.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" Lubang Hitam.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" Lubang Hitam.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\ WINLOGON.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" CSRSS.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" SMSS.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" SMSS.EXE Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\ Black Hole.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" Black Hole.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" Black Hole.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" Black Hole.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" Black Hole.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" SERVICES.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" SERVICES.EXE Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\ LSASS.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" LSASS.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" WINLOGON.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" CSRSS.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" a18d9a87ea9c31d2a967362abe9553fe325c7b2e243480f45289b415092a7fc9.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\ Lubang Hitam.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" SMSS.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" SERVICES.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" Black Hole.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\ SMSS.EXE Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\ SERVICES.EXE Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\ CSRSS.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" CSRSS.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" a18d9a87ea9c31d2a967362abe9553fe325c7b2e243480f45289b415092a7fc9.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" Lubang Hitam.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" WINLOGON.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" a18d9a87ea9c31d2a967362abe9553fe325c7b2e243480f45289b415092a7fc9.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" LSASS.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" WINLOGON.EXE Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\ a18d9a87ea9c31d2a967362abe9553fe325c7b2e243480f45289b415092a7fc9.exe -
Adds Run key to start application 2 TTPs 63 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE" SERVICES.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" Lubang Hitam.exe Set value (str) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" Black Hole.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE" CSRSS.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE" LSASS.EXE Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ Lubang Hitam.exe Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ LSASS.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" a18d9a87ea9c31d2a967362abe9553fe325c7b2e243480f45289b415092a7fc9.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ LSASS.EXE Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ WINLOGON.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" WINLOGON.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Black Hole = "C:\\Windows\\Black Hole.exe" LSASS.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE" SMSS.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE" SMSS.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE" Black Hole.exe Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ Black Hole.exe Set value (str) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" WINLOGON.EXE Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ SMSS.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" SERVICES.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" Lubang Hitam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE" Lubang Hitam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE" WINLOGON.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" CSRSS.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE" a18d9a87ea9c31d2a967362abe9553fe325c7b2e243480f45289b415092a7fc9.exe Set value (str) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" Black Hole.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE" LSASS.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Black Hole = "C:\\Windows\\Black Hole.exe" WINLOGON.EXE Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ WINLOGON.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" CSRSS.EXE Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ Black Hole.exe Set value (str) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" LSASS.EXE Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ a18d9a87ea9c31d2a967362abe9553fe325c7b2e243480f45289b415092a7fc9.exe Set value (str) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Black Hole = "C:\\Windows\\Black Hole.exe" Lubang Hitam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE" WINLOGON.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Black Hole = "C:\\Windows\\Black Hole.exe" SERVICES.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" LSASS.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Black Hole = "C:\\Windows\\Black Hole.exe" Black Hole.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE" Black Hole.exe Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ CSRSS.EXE Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ Lubang Hitam.exe Set value (str) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" SMSS.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" a18d9a87ea9c31d2a967362abe9553fe325c7b2e243480f45289b415092a7fc9.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE" Black Hole.exe Set value (str) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Black Hole = "C:\\Windows\\Black Hole.exe" Black Hole.exe Set value (str) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" SMSS.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" SERVICES.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Black Hole = "C:\\Windows\\Black Hole.exe" SMSS.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE" Black Hole.exe Set value (str) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Black Hole = "C:\\Windows\\Black Hole.exe" a18d9a87ea9c31d2a967362abe9553fe325c7b2e243480f45289b415092a7fc9.exe Set value (str) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" Black Hole.exe Set value (str) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" Black Hole.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE" Lubang Hitam.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ CSRSS.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE" SERVICES.EXE Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ Black Hole.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ Black Hole.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ SERVICES.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Black Hole = "C:\\Windows\\Black Hole.exe" CSRSS.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE" CSRSS.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE" a18d9a87ea9c31d2a967362abe9553fe325c7b2e243480f45289b415092a7fc9.exe Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ SERVICES.EXE Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ SMSS.EXE Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ a18d9a87ea9c31d2a967362abe9553fe325c7b2e243480f45289b415092a7fc9.exe -
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\E: Black Hole.exe File opened (read-only) \??\G: Black Hole.exe File opened (read-only) \??\T: Black Hole.exe File opened (read-only) \??\X: Black Hole.exe File opened (read-only) \??\U: WINLOGON.EXE File opened (read-only) \??\V: WINLOGON.EXE File opened (read-only) \??\U: a18d9a87ea9c31d2a967362abe9553fe325c7b2e243480f45289b415092a7fc9.exe File opened (read-only) \??\Q: Lubang Hitam.exe File opened (read-only) \??\R: SERVICES.EXE File opened (read-only) \??\S: WINLOGON.EXE File opened (read-only) \??\V: SERVICES.EXE File opened (read-only) \??\H: CSRSS.EXE File opened (read-only) \??\I: CSRSS.EXE File opened (read-only) \??\J: CSRSS.EXE File opened (read-only) \??\V: SMSS.EXE File opened (read-only) \??\K: a18d9a87ea9c31d2a967362abe9553fe325c7b2e243480f45289b415092a7fc9.exe File opened (read-only) \??\P: a18d9a87ea9c31d2a967362abe9553fe325c7b2e243480f45289b415092a7fc9.exe File opened (read-only) \??\W: Black Hole.exe File opened (read-only) \??\R: WINLOGON.EXE File opened (read-only) \??\P: SERVICES.EXE File opened (read-only) \??\V: CSRSS.EXE File opened (read-only) \??\K: LSASS.EXE File opened (read-only) \??\O: LSASS.EXE File opened (read-only) \??\S: Lubang Hitam.exe File opened (read-only) \??\X: Lubang Hitam.exe File opened (read-only) \??\L: SMSS.EXE File opened (read-only) \??\W: SMSS.EXE File opened (read-only) \??\L: a18d9a87ea9c31d2a967362abe9553fe325c7b2e243480f45289b415092a7fc9.exe File opened (read-only) \??\L: Black Hole.exe File opened (read-only) \??\E: Lubang Hitam.exe File opened (read-only) \??\H: SERVICES.EXE File opened (read-only) \??\K: SERVICES.EXE File opened (read-only) \??\N: a18d9a87ea9c31d2a967362abe9553fe325c7b2e243480f45289b415092a7fc9.exe File opened (read-only) \??\B: Lubang Hitam.exe File opened (read-only) \??\G: Lubang Hitam.exe File opened (read-only) \??\Y: SERVICES.EXE File opened (read-only) \??\E: CSRSS.EXE File opened (read-only) \??\G: SMSS.EXE File opened (read-only) \??\S: SMSS.EXE File opened (read-only) \??\O: a18d9a87ea9c31d2a967362abe9553fe325c7b2e243480f45289b415092a7fc9.exe File opened (read-only) \??\S: a18d9a87ea9c31d2a967362abe9553fe325c7b2e243480f45289b415092a7fc9.exe File opened (read-only) \??\Z: Black Hole.exe File opened (read-only) \??\B: SERVICES.EXE File opened (read-only) \??\M: SERVICES.EXE File opened (read-only) \??\O: SERVICES.EXE File opened (read-only) \??\Y: CSRSS.EXE File opened (read-only) \??\N: LSASS.EXE File opened (read-only) \??\M: Lubang Hitam.exe File opened (read-only) \??\N: Black Hole.exe File opened (read-only) \??\F: SMSS.EXE File opened (read-only) \??\M: SMSS.EXE File opened (read-only) \??\T: WINLOGON.EXE File opened (read-only) \??\U: CSRSS.EXE File opened (read-only) \??\B: WINLOGON.EXE File opened (read-only) \??\M: WINLOGON.EXE File opened (read-only) \??\P: WINLOGON.EXE File opened (read-only) \??\R: LSASS.EXE File opened (read-only) \??\E: WINLOGON.EXE File opened (read-only) \??\K: WINLOGON.EXE File opened (read-only) \??\T: CSRSS.EXE File opened (read-only) \??\L: LSASS.EXE File opened (read-only) \??\I: Lubang Hitam.exe File opened (read-only) \??\Y: Lubang Hitam.exe File opened (read-only) \??\J: Lubang Hitam.exe -
Drops autorun.inf file 1 TTPs 2 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description ioc Process File created C:\Autorun.inf a18d9a87ea9c31d2a967362abe9553fe325c7b2e243480f45289b415092a7fc9.exe File opened for modification C:\Autorun.inf a18d9a87ea9c31d2a967362abe9553fe325c7b2e243480f45289b415092a7fc9.exe -
Drops file in System32 directory 52 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Lubang Hitam.exe Lubang Hitam.exe File opened for modification C:\Windows\SysWOW64\Shell.exe Black Hole.exe File created C:\Windows\SysWOW64\Lubang Hitam.exe Black Hole.exe File opened for modification C:\Windows\SysWOW64\Destruction.scr SMSS.EXE File created C:\Windows\SysWOW64\msvbvm60.dll Lubang Hitam.exe File created C:\Windows\SysWOW64\Lubang Hitam.exe a18d9a87ea9c31d2a967362abe9553fe325c7b2e243480f45289b415092a7fc9.exe File opened for modification C:\Windows\SysWOW64\Lubang Hitam.exe a18d9a87ea9c31d2a967362abe9553fe325c7b2e243480f45289b415092a7fc9.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll Lubang Hitam.exe File created C:\Windows\SysWOW64\msvbvm60.dll Conhost.exe File created C:\Windows\SysWOW64\msvbvm60.dll Lubang Hitam.exe File opened for modification C:\Windows\SysWOW64\Shell.exe SERVICES.EXE File opened for modification C:\Windows\SysWOW64\Destruction.scr SERVICES.EXE File opened for modification C:\Windows\SysWOW64\Lubang Hitam.exe Black Hole.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll Conhost.exe File created C:\Windows\SysWOW64\Shell.exe a18d9a87ea9c31d2a967362abe9553fe325c7b2e243480f45289b415092a7fc9.exe File opened for modification C:\Windows\SysWOW64\Destruction.scr Lubang Hitam.exe File created C:\Windows\SysWOW64\Lubang Hitam.exe Lubang Hitam.exe File created C:\Windows\SysWOW64\msvbvm60.dll Lubang Hitam.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll Conhost.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll Lubang Hitam.exe File opened for modification C:\Windows\SysWOW64\Destruction.scr a18d9a87ea9c31d2a967362abe9553fe325c7b2e243480f45289b415092a7fc9.exe File opened for modification C:\Windows\SysWOW64\Shell.exe Lubang Hitam.exe File opened for modification C:\Windows\SysWOW64\Shell.exe CSRSS.EXE File opened for modification C:\Windows\SysWOW64\Destruction.scr LSASS.EXE File created C:\Windows\SysWOW64\Lubang Hitam.exe LSASS.EXE File opened for modification C:\Windows\SysWOW64\Shell.exe SMSS.EXE File opened for modification C:\Windows\SysWOW64\Lubang Hitam.exe LSASS.EXE File created C:\Windows\SysWOW64\Destruction.scr a18d9a87ea9c31d2a967362abe9553fe325c7b2e243480f45289b415092a7fc9.exe File opened for modification C:\Windows\SysWOW64\Destruction.scr WINLOGON.EXE File created C:\Windows\SysWOW64\Lubang Hitam.exe WINLOGON.EXE File created C:\Windows\SysWOW64\Lubang Hitam.exe SMSS.EXE File opened for modification C:\Windows\SysWOW64\Lubang Hitam.exe SERVICES.EXE File created C:\Windows\SysWOW64\msvbvm60.dll Conhost.exe File created C:\Windows\SysWOW64\msvbvm60.dll Lubang Hitam.exe File created C:\Windows\SysWOW64\msvbvm60.dll Lubang Hitam.exe File opened for modification C:\Windows\SysWOW64\Shell.exe a18d9a87ea9c31d2a967362abe9553fe325c7b2e243480f45289b415092a7fc9.exe File opened for modification C:\Windows\SysWOW64\Destruction.scr CSRSS.EXE File opened for modification C:\Windows\SysWOW64\Shell.exe LSASS.EXE File opened for modification C:\Windows\SysWOW64\msvbvm60.dll Lubang Hitam.exe File opened for modification C:\Windows\SysWOW64\Destruction.scr Black Hole.exe File created C:\Windows\SysWOW64\Lubang Hitam.exe CSRSS.EXE File created C:\Windows\SysWOW64\Lubang Hitam.exe SERVICES.EXE File created C:\Windows\SysWOW64\msvbvm60.dll Lubang Hitam.exe File opened for modification C:\Windows\SysWOW64\Shell.exe WINLOGON.EXE File opened for modification C:\Windows\SysWOW64\msvbvm60.dll Lubang Hitam.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll Lubang Hitam.exe File opened for modification C:\Windows\SysWOW64\Lubang Hitam.exe CSRSS.EXE File opened for modification C:\Windows\SysWOW64\Lubang Hitam.exe SMSS.EXE File opened for modification C:\Windows\SysWOW64\msvbvm60.dll Lubang Hitam.exe File created C:\Windows\SysWOW64\msvbvm60.dll Lubang Hitam.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll Lubang Hitam.exe File opened for modification C:\Windows\SysWOW64\Lubang Hitam.exe WINLOGON.EXE -
Drops file in Windows directory 51 IoCs
description ioc Process File opened for modification C:\WINDOWS\Black Hole.txt SERVICES.EXE File created C:\Windows\msvbvm60.dll Lubang Hitam.exe File created C:\Windows\Black Hole.exe a18d9a87ea9c31d2a967362abe9553fe325c7b2e243480f45289b415092a7fc9.exe File created C:\WINDOWS\Hacked By Gerry.txt a18d9a87ea9c31d2a967362abe9553fe325c7b2e243480f45289b415092a7fc9.exe File opened for modification C:\Windows\msvbvm60.dll Lubang Hitam.exe File created C:\Windows\Black Hole.exe Black Hole.exe File opened for modification C:\Windows\Black Hole.exe WINLOGON.EXE File opened for modification C:\Windows\Black Hole.exe CSRSS.EXE File created C:\Windows\msvbvm60.dll Lubang Hitam.exe File created C:\Windows\msvbvm60.dll Lubang Hitam.exe File opened for modification C:\Windows\Black Hole.exe Black Hole.exe File opened for modification C:\WINDOWS\Black Hole.txt CSRSS.EXE File created C:\Windows\msvbvm60.dll Conhost.exe File opened for modification C:\Windows\msvbvm60.dll Conhost.exe File opened for modification C:\Windows\msvbvm60.dll Lubang Hitam.exe File opened for modification C:\Windows\Black Hole.exe a18d9a87ea9c31d2a967362abe9553fe325c7b2e243480f45289b415092a7fc9.exe File opened for modification C:\WINDOWS\Black Hole.txt Black Hole.exe File opened for modification C:\WINDOWS\Hacked By Gerry.txt SERVICES.EXE File created C:\Windows\msvbvm60.dll Lubang Hitam.exe File opened for modification C:\Windows\msvbvm60.dll Lubang Hitam.exe File opened for modification C:\Windows\msvbvm60.dll Lubang Hitam.exe File opened for modification C:\Windows\msvbvm60.dll Lubang Hitam.exe File created C:\Windows\Black Hole.exe CSRSS.EXE File created C:\Windows\Black Hole.exe SMSS.EXE File created C:\Windows\msvbvm60.dll Conhost.exe File opened for modification C:\WINDOWS\Black Hole.txt WINLOGON.EXE File opened for modification C:\WINDOWS\Hacked By Gerry.txt CSRSS.EXE File opened for modification C:\Windows\msvbvm60.dll Lubang Hitam.exe File created C:\WINDOWS\Black Hole.txt a18d9a87ea9c31d2a967362abe9553fe325c7b2e243480f45289b415092a7fc9.exe File opened for modification C:\WINDOWS\Black Hole.txt a18d9a87ea9c31d2a967362abe9553fe325c7b2e243480f45289b415092a7fc9.exe File created C:\Windows\Black Hole.exe LSASS.EXE File opened for modification C:\Windows\msvbvm60.dll Conhost.exe File created C:\Windows\msvbvm60.dll Lubang Hitam.exe File opened for modification C:\WINDOWS\Black Hole.txt SMSS.EXE File created C:\Windows\msvbvm60.dll Lubang Hitam.exe File created C:\Windows\Black Hole.exe WINLOGON.EXE File opened for modification C:\Windows\Black Hole.exe SMSS.EXE File opened for modification C:\Windows\msvbvm60.dll Lubang Hitam.exe File created C:\Windows\msvbvm60.dll Lubang Hitam.exe File opened for modification C:\WINDOWS\Black Hole.txt Lubang Hitam.exe File opened for modification C:\WINDOWS\Hacked By Gerry.txt Lubang Hitam.exe File opened for modification C:\Windows\Black Hole.exe SERVICES.EXE File opened for modification C:\WINDOWS\Hacked By Gerry.txt WINLOGON.EXE File opened for modification C:\WINDOWS\Hacked By Gerry.txt SMSS.EXE File opened for modification C:\WINDOWS\Hacked By Gerry.txt LSASS.EXE File opened for modification C:\WINDOWS\Hacked By Gerry.txt a18d9a87ea9c31d2a967362abe9553fe325c7b2e243480f45289b415092a7fc9.exe File opened for modification C:\Windows\Black Hole.exe Lubang Hitam.exe File created C:\Windows\Black Hole.exe SERVICES.EXE File opened for modification C:\Windows\Black Hole.exe LSASS.EXE File opened for modification C:\WINDOWS\Hacked By Gerry.txt Black Hole.exe File opened for modification C:\WINDOWS\Black Hole.txt LSASS.EXE -
Modifies Control Panel 54 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" Black Hole.exe Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\Desktop\ CSRSS.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" SERVICES.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" WINLOGON.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\DESTRU~1.SCR" Black Hole.exe Set value (int) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\Mouse\SwapMouseButtons = "1" Black Hole.exe Set value (int) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\Mouse\SwapMouseButtons = "1" SERVICES.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" SERVICES.EXE Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\Desktop\ LSASS.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\Mouse\SwapMouseButtons = "1" SMSS.EXE Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\Mouse\ LSASS.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" Black Hole.exe Set value (str) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" Black Hole.exe Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\Desktop\ Lubang Hitam.exe Set value (str) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" CSRSS.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\Mouse\SwapMouseButtons = "1" Black Hole.exe Set value (int) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\Mouse\SwapMouseButtons = "1" LSASS.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\DESTRU~1.SCR" Black Hole.exe Set value (int) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\Mouse\SwapMouseButtons = "1" WINLOGON.EXE Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\Desktop\ a18d9a87ea9c31d2a967362abe9553fe325c7b2e243480f45289b415092a7fc9.exe Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\Mouse\ SERVICES.EXE Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\Mouse\ Lubang Hitam.exe Set value (str) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\DESTRU~1.SCR" SERVICES.EXE Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\Desktop\ Black Hole.exe Set value (str) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\DESTRU~1.SCR" Lubang Hitam.exe Set value (str) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\DESTRU~1.SCR" a18d9a87ea9c31d2a967362abe9553fe325c7b2e243480f45289b415092a7fc9.exe Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\Mouse\ Black Hole.exe Set value (str) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\DESTRU~1.SCR" WINLOGON.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\DESTRU~1.SCR" CSRSS.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" a18d9a87ea9c31d2a967362abe9553fe325c7b2e243480f45289b415092a7fc9.exe Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\Desktop\ Black Hole.exe Set value (str) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" SMSS.EXE Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\Mouse\ Black Hole.exe Set value (str) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" SMSS.EXE Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\Mouse\ SMSS.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" Lubang Hitam.exe Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\Desktop\ WINLOGON.EXE Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\Desktop\ SERVICES.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" LSASS.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\Mouse\SwapMouseButtons = "1" Lubang Hitam.exe Set value (str) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" WINLOGON.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" a18d9a87ea9c31d2a967362abe9553fe325c7b2e243480f45289b415092a7fc9.exe Set value (str) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" LSASS.EXE Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\Mouse\ a18d9a87ea9c31d2a967362abe9553fe325c7b2e243480f45289b415092a7fc9.exe Set value (str) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\DESTRU~1.SCR" SMSS.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\Mouse\SwapMouseButtons = "1" a18d9a87ea9c31d2a967362abe9553fe325c7b2e243480f45289b415092a7fc9.exe Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\Mouse\ WINLOGON.EXE Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\Mouse\ CSRSS.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\Mouse\SwapMouseButtons = "1" CSRSS.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" Lubang Hitam.exe Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\Desktop\ SMSS.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" Black Hole.exe Set value (str) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\DESTRU~1.SCR" LSASS.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" CSRSS.EXE -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" a18d9a87ea9c31d2a967362abe9553fe325c7b2e243480f45289b415092a7fc9.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" SERVICES.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" LSASS.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" WINLOGON.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" SMSS.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command SMSS.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" Black Hole.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" WINLOGON.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command LSASS.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open Black Hole.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" SERVICES.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command SMSS.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" Black Hole.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command Black Hole.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" Black Hole.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command Black Hole.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command LSASS.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" LSASS.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command Lubang Hitam.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command SMSS.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command WINLOGON.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" CSRSS.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" SERVICES.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command Black Hole.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" Black Hole.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" a18d9a87ea9c31d2a967362abe9553fe325c7b2e243480f45289b415092a7fc9.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile LSASS.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" Black Hole.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command Lubang Hitam.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command LSASS.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command CSRSS.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" SERVICES.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" SMSS.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" Black Hole.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" SERVICES.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" Black Hole.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command Lubang Hitam.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command CSRSS.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command CSRSS.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command Black Hole.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" LSASS.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" Lubang Hitam.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command WINLOGON.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" WINLOGON.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" a18d9a87ea9c31d2a967362abe9553fe325c7b2e243480f45289b415092a7fc9.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command SERVICES.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile SERVICES.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile Black Hole.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" Lubang Hitam.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command SMSS.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" SMSS.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command a18d9a87ea9c31d2a967362abe9553fe325c7b2e243480f45289b415092a7fc9.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command Black Hole.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" Lubang Hitam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" LSASS.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command Lubang Hitam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" a18d9a87ea9c31d2a967362abe9553fe325c7b2e243480f45289b415092a7fc9.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" SMSS.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" Black Hole.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command SERVICES.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command SERVICES.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command WINLOGON.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" WINLOGON.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command a18d9a87ea9c31d2a967362abe9553fe325c7b2e243480f45289b415092a7fc9.exe -
Suspicious behavior: EnumeratesProcesses 8 IoCs
pid Process 1124 Black Hole.exe 1124 Black Hole.exe 3312 Black Hole.exe 3312 Black Hole.exe 3312 Black Hole.exe 3312 Black Hole.exe 3312 Black Hole.exe 3312 Black Hole.exe -
Suspicious behavior: GetForegroundWindowSpam 5 IoCs
pid Process 2356 SERVICES.EXE 216 CSRSS.EXE 496 LSASS.EXE 2848 SMSS.EXE 4432 a18d9a87ea9c31d2a967362abe9553fe325c7b2e243480f45289b415092a7fc9.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeShutdownPrivilege 4960 shutdown.exe Token: SeRemoteShutdownPrivilege 4960 shutdown.exe Token: SeShutdownPrivilege 1652 shutdown.exe Token: SeRemoteShutdownPrivilege 1652 shutdown.exe Token: SeShutdownPrivilege 2084 shutdown.exe Token: SeRemoteShutdownPrivilege 2084 shutdown.exe Token: SeShutdownPrivilege 1240 shutdown.exe Token: SeRemoteShutdownPrivilege 1240 shutdown.exe Token: SeShutdownPrivilege 2596 Conhost.exe Token: SeRemoteShutdownPrivilege 2596 Conhost.exe Token: SeShutdownPrivilege 2220 shutdown.exe Token: SeRemoteShutdownPrivilege 2220 shutdown.exe Token: SeShutdownPrivilege 4860 shutdown.exe Token: SeRemoteShutdownPrivilege 4860 shutdown.exe Token: SeShutdownPrivilege 1504 CSRSS.EXE Token: SeRemoteShutdownPrivilege 1504 CSRSS.EXE Token: SeShutdownPrivilege 1676 Conhost.exe Token: SeRemoteShutdownPrivilege 1676 Conhost.exe Token: SeShutdownPrivilege 1632 Conhost.exe Token: SeRemoteShutdownPrivilege 1632 Conhost.exe Token: SeShutdownPrivilege 4516 shutdown.exe Token: SeRemoteShutdownPrivilege 4516 shutdown.exe Token: SeShutdownPrivilege 1124 Conhost.exe Token: SeRemoteShutdownPrivilege 1124 Conhost.exe Token: SeShutdownPrivilege 4972 shutdown.exe Token: SeRemoteShutdownPrivilege 4972 shutdown.exe Token: SeShutdownPrivilege 2164 shutdown.exe Token: SeRemoteShutdownPrivilege 2164 shutdown.exe Token: SeShutdownPrivilege 928 cmd.exe Token: SeRemoteShutdownPrivilege 928 cmd.exe Token: SeShutdownPrivilege 4148 cmd.exe Token: SeRemoteShutdownPrivilege 4148 cmd.exe Token: SeShutdownPrivilege 4968 shutdown.exe Token: SeRemoteShutdownPrivilege 4968 shutdown.exe Token: SeShutdownPrivilege 3140 shutdown.exe Token: SeRemoteShutdownPrivilege 3140 shutdown.exe Token: SeShutdownPrivilege 4940 shutdown.exe Token: SeRemoteShutdownPrivilege 4940 shutdown.exe Token: SeShutdownPrivilege 560 shutdown.exe Token: SeRemoteShutdownPrivilege 560 shutdown.exe Token: SeShutdownPrivilege 2688 shutdown.exe Token: SeRemoteShutdownPrivilege 2688 shutdown.exe Token: SeShutdownPrivilege 3548 cmd.exe Token: SeRemoteShutdownPrivilege 3548 cmd.exe Token: SeShutdownPrivilege 5032 cmd.exe Token: SeRemoteShutdownPrivilege 5032 cmd.exe Token: SeShutdownPrivilege 1732 Conhost.exe Token: SeRemoteShutdownPrivilege 1732 Conhost.exe Token: SeShutdownPrivilege 4680 shutdown.exe Token: SeRemoteShutdownPrivilege 4680 shutdown.exe Token: SeShutdownPrivilege 4280 shutdown.exe Token: SeRemoteShutdownPrivilege 4280 shutdown.exe Token: SeShutdownPrivilege 4920 Conhost.exe Token: SeRemoteShutdownPrivilege 4920 Conhost.exe Token: SeShutdownPrivilege 4200 Conhost.exe Token: SeRemoteShutdownPrivilege 4200 Conhost.exe Token: SeShutdownPrivilege 1532 shutdown.exe Token: SeRemoteShutdownPrivilege 1532 shutdown.exe Token: SeShutdownPrivilege 3764 shutdown.exe Token: SeRemoteShutdownPrivilege 3764 shutdown.exe Token: SeShutdownPrivilege 1576 Conhost.exe Token: SeRemoteShutdownPrivilege 1576 Conhost.exe Token: SeShutdownPrivilege 1308 shutdown.exe Token: SeRemoteShutdownPrivilege 1308 shutdown.exe -
Suspicious use of SetWindowsHookEx 64 IoCs
pid Process 4432 a18d9a87ea9c31d2a967362abe9553fe325c7b2e243480f45289b415092a7fc9.exe 1124 Black Hole.exe 3308 Lubang Hitam.exe 3116 WINLOGON.EXE 3312 Black Hole.exe 2948 Lubang Hitam.exe 3012 SERVICES.EXE 216 CSRSS.EXE 4472 Process not Found 2356 SERVICES.EXE 3012 SERVICES.EXE 496 LSASS.EXE 3140 shutdown.exe 2848 SMSS.EXE 3064 SMSS.EXE 4996 Lubang Hitam.exe 2716 Conhost.exe 1316 WINLOGON.EXE 2424 Conhost.exe 3276 Conhost.exe 4764 Conhost.exe 4788 Lubang Hitam.exe 2036 SERVICES.EXE 3916 WINLOGON.EXE 3748 SMSS.EXE 4884 Conhost.exe 1536 Black Hole.exe 3716 Black Hole.exe 4996 Lubang Hitam.exe 1076 Conhost.exe 5112 Conhost.exe 3720 Conhost.exe 2324 LSASS.EXE 4396 WINLOGON.EXE 2480 Black Hole.exe 2420 CSRSS.EXE 5068 Lubang Hitam.exe 3808 CSRSS.EXE 4552 SMSS.EXE 228 LSASS.EXE 2440 WINLOGON.EXE 1504 CSRSS.EXE 1244 LSASS.EXE 1964 SMSS.EXE 548 LSASS.EXE 1768 CSRSS.EXE 3596 SMSS.EXE 4436 SERVICES.EXE 3548 cmd.exe 1124 Conhost.exe 3960 Lubang Hitam.exe 2268 WINLOGON.EXE 2448 SMSS.EXE 1504 Conhost.exe 2036 SERVICES.EXE 2408 LSASS.EXE 4344 SMSS.EXE 4012 Black Hole.exe 1968 Lubang Hitam.exe 1312 WINLOGON.EXE 3560 CSRSS.EXE 4008 SERVICES.EXE 228 LSASS.EXE 4792 SMSS.EXE -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4432 wrote to memory of 4960 4432 a18d9a87ea9c31d2a967362abe9553fe325c7b2e243480f45289b415092a7fc9.exe 76 PID 4432 wrote to memory of 4960 4432 a18d9a87ea9c31d2a967362abe9553fe325c7b2e243480f45289b415092a7fc9.exe 76 PID 4432 wrote to memory of 4960 4432 a18d9a87ea9c31d2a967362abe9553fe325c7b2e243480f45289b415092a7fc9.exe 76 PID 4432 wrote to memory of 1124 4432 a18d9a87ea9c31d2a967362abe9553fe325c7b2e243480f45289b415092a7fc9.exe 80 PID 4432 wrote to memory of 1124 4432 a18d9a87ea9c31d2a967362abe9553fe325c7b2e243480f45289b415092a7fc9.exe 80 PID 4432 wrote to memory of 1124 4432 a18d9a87ea9c31d2a967362abe9553fe325c7b2e243480f45289b415092a7fc9.exe 80 PID 1124 wrote to memory of 1652 1124 Black Hole.exe 81 PID 1124 wrote to memory of 1652 1124 Black Hole.exe 81 PID 1124 wrote to memory of 1652 1124 Black Hole.exe 81 PID 4432 wrote to memory of 3308 4432 a18d9a87ea9c31d2a967362abe9553fe325c7b2e243480f45289b415092a7fc9.exe 83 PID 4432 wrote to memory of 3308 4432 a18d9a87ea9c31d2a967362abe9553fe325c7b2e243480f45289b415092a7fc9.exe 83 PID 4432 wrote to memory of 3308 4432 a18d9a87ea9c31d2a967362abe9553fe325c7b2e243480f45289b415092a7fc9.exe 83 PID 3308 wrote to memory of 2084 3308 Lubang Hitam.exe 84 PID 3308 wrote to memory of 2084 3308 Lubang Hitam.exe 84 PID 3308 wrote to memory of 2084 3308 Lubang Hitam.exe 84 PID 3308 wrote to memory of 3004 3308 Lubang Hitam.exe 86 PID 3308 wrote to memory of 3004 3308 Lubang Hitam.exe 86 PID 3308 wrote to memory of 3004 3308 Lubang Hitam.exe 86 PID 3308 wrote to memory of 3148 3308 Lubang Hitam.exe 87 PID 3308 wrote to memory of 3148 3308 Lubang Hitam.exe 87 PID 3308 wrote to memory of 3148 3308 Lubang Hitam.exe 87 PID 3308 wrote to memory of 3124 3308 Lubang Hitam.exe 88 PID 3308 wrote to memory of 3124 3308 Lubang Hitam.exe 88 PID 3308 wrote to memory of 3124 3308 Lubang Hitam.exe 88 PID 3308 wrote to memory of 4804 3308 Lubang Hitam.exe 92 PID 3308 wrote to memory of 4804 3308 Lubang Hitam.exe 92 PID 3308 wrote to memory of 4804 3308 Lubang Hitam.exe 92 PID 3308 wrote to memory of 4008 3308 Lubang Hitam.exe 93 PID 3308 wrote to memory of 4008 3308 Lubang Hitam.exe 93 PID 3308 wrote to memory of 4008 3308 Lubang Hitam.exe 93 PID 3308 wrote to memory of 4836 3308 Lubang Hitam.exe 96 PID 3308 wrote to memory of 4836 3308 Lubang Hitam.exe 96 PID 3308 wrote to memory of 4836 3308 Lubang Hitam.exe 96 PID 3308 wrote to memory of 3564 3308 Lubang Hitam.exe 101 PID 3308 wrote to memory of 3564 3308 Lubang Hitam.exe 101 PID 3308 wrote to memory of 3564 3308 Lubang Hitam.exe 101 PID 3308 wrote to memory of 404 3308 Lubang Hitam.exe 100 PID 3308 wrote to memory of 404 3308 Lubang Hitam.exe 100 PID 3308 wrote to memory of 404 3308 Lubang Hitam.exe 100 PID 3308 wrote to memory of 4620 3308 Lubang Hitam.exe 98 PID 3308 wrote to memory of 4620 3308 Lubang Hitam.exe 98 PID 3308 wrote to memory of 4620 3308 Lubang Hitam.exe 98 PID 3308 wrote to memory of 5060 3308 Lubang Hitam.exe 102 PID 3308 wrote to memory of 5060 3308 Lubang Hitam.exe 102 PID 3308 wrote to memory of 5060 3308 Lubang Hitam.exe 102 PID 3308 wrote to memory of 4464 3308 Lubang Hitam.exe 104 PID 3308 wrote to memory of 4464 3308 Lubang Hitam.exe 104 PID 3308 wrote to memory of 4464 3308 Lubang Hitam.exe 104 PID 3308 wrote to memory of 4636 3308 Lubang Hitam.exe 108 PID 3308 wrote to memory of 4636 3308 Lubang Hitam.exe 108 PID 3308 wrote to memory of 4636 3308 Lubang Hitam.exe 108 PID 3308 wrote to memory of 2032 3308 Lubang Hitam.exe 109 PID 3308 wrote to memory of 2032 3308 Lubang Hitam.exe 109 PID 3308 wrote to memory of 2032 3308 Lubang Hitam.exe 109 PID 3308 wrote to memory of 3048 3308 Lubang Hitam.exe 110 PID 3308 wrote to memory of 3048 3308 Lubang Hitam.exe 110 PID 3308 wrote to memory of 3048 3308 Lubang Hitam.exe 110 PID 3308 wrote to memory of 5016 3308 Lubang Hitam.exe 112 PID 3308 wrote to memory of 5016 3308 Lubang Hitam.exe 112 PID 3308 wrote to memory of 5016 3308 Lubang Hitam.exe 112 PID 3308 wrote to memory of 4308 3308 Lubang Hitam.exe 115 PID 3308 wrote to memory of 4308 3308 Lubang Hitam.exe 115 PID 3308 wrote to memory of 4308 3308 Lubang Hitam.exe 115 PID 3308 wrote to memory of 100 3308 Lubang Hitam.exe 117 -
System policy modification 1 TTPs 64 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoLowDiskSpaceChecks = "1" WINLOGON.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind = "1" WINLOGON.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoWinkeys = "1" Black Hole.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoTrayItemsDisplay = "1" SERVICES.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRecentDocsMenu = "1" Lubang Hitam.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" WINLOGON.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\WinOldApp\Disabled = "1" CSRSS.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoPwdPage = "1" SMSS.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoAdminPage = "1" a18d9a87ea9c31d2a967362abe9553fe325c7b2e243480f45289b415092a7fc9.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSaveSettings = "1" Black Hole.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System Lubang Hitam.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoTrayItemsDisplay = "1" WINLOGON.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" Black Hole.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetFolders = "1" Black Hole.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer Lubang Hitam.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer WINLOGON.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoClose = "1" CSRSS.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPropertiesMyComputer = "1" SMSS.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRecycleFiles = "1" Black Hole.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoLowDiskSpaceChecks = "1" LSASS.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDesktop = "1" Black Hole.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRecycleFiles = "1" LSASS.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun = "1" WINLOGON.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDrives = "67108863" WINLOGON.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoViewContextMenu = "1" CSRSS.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\WinOldApp LSASS.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoClose = "1" Black Hole.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoTrayItemsDisplay = "1" SMSS.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoViewContextMenu = "1" Black Hole.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRecentDocsMenu = "1" Black Hole.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetTaskbar = "1" CSRSS.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\WinOldApp Black Hole.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoClose = "1" Lubang Hitam.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\WinOldApp a18d9a87ea9c31d2a967362abe9553fe325c7b2e243480f45289b415092a7fc9.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoClose = "1" Black Hole.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetTaskbar = "1" SERVICES.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoPwdPage = "1" LSASS.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDesktop = "1" LSASS.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDesktop = "1" Black Hole.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun = "1" Black Hole.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun = "1" Lubang Hitam.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel = "1" CSRSS.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer Black Hole.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" SERVICES.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPropertiesMyComputer = "1" WINLOGON.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\WinOldApp\Disabled = "1" SERVICES.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" Black Hole.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun = "1" Black Hole.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoTrayContextMenu = "1" Black Hole.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRecycleFiles = "1" SERVICES.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoWinkeys = "1" Black Hole.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoPwdPage = "1" WINLOGON.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoViewContextMenu = "1" WINLOGON.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRecentDocsMenu = "1" CSRSS.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoPwdPage = "1" Black Hole.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer CSRSS.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPropertiesMyComputer = "1" Black Hole.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoAdminPage = "1" LSASS.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoTrayContextMenu = "1" LSASS.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoTrayContextMenu = "1" Black Hole.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel = "1" Lubang Hitam.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\WinOldApp CSRSS.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" SMSS.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoLowDiskSpaceChecks = "1" SMSS.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\a18d9a87ea9c31d2a967362abe9553fe325c7b2e243480f45289b415092a7fc9.exe"C:\Users\Admin\AppData\Local\Temp\a18d9a87ea9c31d2a967362abe9553fe325c7b2e243480f45289b415092a7fc9.exe"1⤵
- Modifies WinLogon for persistence
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Windows security modification
- Adds Run key to start application
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4432 -
C:\WINDOWS\SysWOW64\shutdown.exeC:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4960
-
-
C:\Windows\Black Hole.exe"C:\Windows\Black Hole.exe"2⤵
- Modifies WinLogon for persistence
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1124 -
C:\WINDOWS\SysWOW64\shutdown.exeC:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1652
-
-
-
C:\Windows\SysWOW64\Lubang Hitam.exe"C:\Windows\system32\Lubang Hitam.exe"2⤵
- Modifies WinLogon for persistence
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3308 -
C:\WINDOWS\SysWOW64\shutdown.exeC:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2084
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q z:3⤵PID:3004
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q y:3⤵PID:3148
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q x:3⤵PID:3124
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q w:3⤵PID:4804
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q v:3⤵PID:4008
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q u:3⤵PID:4836
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q r:3⤵PID:4620
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q s:3⤵PID:404
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q t:3⤵PID:3564
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q q:3⤵PID:5060
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q p:3⤵PID:4464
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q o:3⤵PID:4636
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q n:3⤵PID:2032
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q m:3⤵PID:3048
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q l:3⤵PID:5016
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q k:3⤵PID:4308
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q j:3⤵PID:100
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q i:3⤵PID:220
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q h:3⤵PID:1472
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q g:3⤵PID:1744
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q f:3⤵PID:1048
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q d:3⤵PID:4724
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q e:3⤵PID:1792
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q c:3⤵PID:3520
-
-
C:\Windows\Black Hole.exe"C:\Windows\Black Hole.exe"3⤵
- Modifies WinLogon for persistence
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:3312 -
C:\WINDOWS\SysWOW64\shutdown.exeC:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!4⤵PID:2596
-
-
C:\Windows\Black Hole.exe"C:\Windows\Black Hole.exe"4⤵PID:4996
-
C:\WINDOWS\SysWOW64\shutdown.exeC:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!5⤵PID:4148
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵PID:4832
-
-
-
-
C:\Windows\SysWOW64\Lubang Hitam.exe"C:\Windows\system32\Lubang Hitam.exe"4⤵PID:2716
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1316 -
C:\WINDOWS\SysWOW64\shutdown.exeC:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3140
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"4⤵PID:2424
-
C:\WINDOWS\SysWOW64\shutdown.exeC:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!5⤵PID:4940
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"4⤵PID:3276
-
C:\WINDOWS\SysWOW64\shutdown.exeC:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!5⤵
- Suspicious use of AdjustPrivilegeToken
PID:560
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"4⤵PID:2036
-
C:\WINDOWS\SysWOW64\shutdown.exeC:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!5⤵PID:5032
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2424
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3748 -
C:\WINDOWS\SysWOW64\shutdown.exeC:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!5⤵
- Suspicious use of AdjustPrivilegeToken
PID:4680
-
-
-
-
C:\Windows\SysWOW64\Lubang Hitam.exe"C:\Windows\system32\Lubang Hitam.exe"3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2948 -
C:\WINDOWS\SysWOW64\shutdown.exeC:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2220 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2716 -
C:\WINDOWS\SysWOW64\shutdown.exeC:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!6⤵
- Suspicious use of AdjustPrivilegeToken
PID:4968
-
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"3⤵PID:3012
-
C:\WINDOWS\SysWOW64\shutdown.exeC:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!4⤵PID:4860
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"3⤵
- Modifies WinLogon for persistence
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:216 -
C:\WINDOWS\SysWOW64\shutdown.exeC:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!4⤵PID:1676
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q q:4⤵PID:3004
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q r:4⤵PID:2620
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q s:4⤵PID:5024
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q t:4⤵PID:2956
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q p:4⤵PID:4308
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q u:4⤵PID:4740
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q v:4⤵PID:4888
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q w:4⤵PID:4596
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q x:4⤵PID:4816
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q y:4⤵PID:1048
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q z:4⤵PID:5068
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q o:4⤵PID:4796
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q n:4⤵PID:2184
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q m:4⤵PID:4984
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q l:4⤵PID:4076
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q k:4⤵PID:4836
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q j:4⤵PID:3008
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q i:4⤵PID:848
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q h:4⤵PID:1076
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q g:4⤵PID:260
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q f:4⤵PID:4084
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q e:4⤵PID:3764
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
- Suspicious use of AdjustPrivilegeToken
PID:2596
-
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q c:4⤵PID:1860
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q d:4⤵PID:2516
-
-
C:\Windows\Black Hole.exe"C:\Windows\Black Hole.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:3716 -
C:\WINDOWS\SysWOW64\shutdown.exeC:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!5⤵PID:4200
-
-
-
C:\Windows\SysWOW64\Lubang Hitam.exe"C:\Windows\system32\Lubang Hitam.exe"4⤵PID:5112
-
C:\WINDOWS\SysWOW64\shutdown.exeC:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!5⤵PID:1576
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4396 -
C:\WINDOWS\SysWOW64\shutdown.exeC:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!5⤵PID:4116
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3808 -
C:\WINDOWS\SysWOW64\shutdown.exeC:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!5⤵PID:5008
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"4⤵PID:1504
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:548 -
C:\WINDOWS\SysWOW64\shutdown.exeC:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!5⤵PID:3468
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵PID:4304
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3596 -
C:\WINDOWS\SysWOW64\shutdown.exeC:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!5⤵PID:3184
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3012 -
C:\WINDOWS\SysWOW64\shutdown.exeC:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!4⤵PID:1124
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"3⤵PID:3140
-
C:\WINDOWS\SysWOW64\shutdown.exeC:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4972
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"3⤵
- Modifies WinLogon for persistence
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:2848 -
C:\WINDOWS\SysWOW64\shutdown.exeC:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2164
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q z:4⤵PID:4832
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q y:4⤵PID:2416
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q w:4⤵PID:4488
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q x:4⤵PID:344
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q c:4⤵PID:4764
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q d:4⤵PID:4424
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q e:4⤵PID:2032
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q f:4⤵PID:4464
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
- Suspicious use of AdjustPrivilegeToken
PID:1632
-
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q g:4⤵PID:1500
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q h:4⤵PID:1784
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q i:4⤵PID:4772
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q j:4⤵PID:448
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q k:4⤵PID:404
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q l:4⤵PID:2604
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q m:4⤵PID:3924
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q n:4⤵PID:1692
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q o:4⤵PID:4252
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q p:4⤵PID:2696
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q q:4⤵PID:544
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q r:4⤵PID:2036
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q s:4⤵PID:3916
-
C:\WINDOWS\SysWOW64\shutdown.exeC:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!5⤵PID:1732
-
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q t:4⤵PID:1800
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q u:4⤵PID:4452
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q v:4⤵PID:1576
-
-
C:\Windows\Black Hole.exe"C:\Windows\Black Hole.exe"4⤵PID:3548
-
C:\WINDOWS\SysWOW64\shutdown.exeC:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!5⤵PID:744
-
-
-
C:\Windows\SysWOW64\Lubang Hitam.exe"C:\Windows\system32\Lubang Hitam.exe"4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:3960 -
C:\WINDOWS\SysWOW64\shutdown.exeC:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!5⤵PID:3828
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2268 -
C:\WINDOWS\SysWOW64\shutdown.exeC:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!5⤵PID:3208
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1504 -
C:\WINDOWS\SysWOW64\shutdown.exeC:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!5⤵PID:2156
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵PID:1048
-
-
-
C:\WINDOWS\SysWOW64\shutdown.exeC:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!5⤵PID:4268
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2036 -
C:\WINDOWS\SysWOW64\shutdown.exeC:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!5⤵PID:3152
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2408 -
C:\WINDOWS\SysWOW64\shutdown.exeC:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!5⤵PID:2020
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4344 -
C:\WINDOWS\SysWOW64\shutdown.exeC:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!5⤵PID:4264
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵PID:4084
-
-
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"2⤵
- Modifies WinLogon for persistence
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:3116 -
C:\WINDOWS\SysWOW64\shutdown.exeC:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1240
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q z:3⤵PID:4700
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q y:3⤵PID:1852
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
- Suspicious use of AdjustPrivilegeToken
PID:4200
-
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q x:3⤵PID:4344
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q w:3⤵PID:2224
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q v:3⤵PID:2448
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q u:3⤵PID:3752
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q s:3⤵PID:2240
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q r:3⤵PID:2536
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q t:3⤵PID:1468
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q q:3⤵PID:4116
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q p:3⤵PID:4136
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q o:3⤵PID:3808
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q n:3⤵PID:4960
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q l:3⤵PID:816
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q m:3⤵PID:1964
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q k:3⤵PID:3144
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q i:3⤵PID:2992
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q j:3⤵PID:372
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q h:3⤵PID:3916
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q g:3⤵PID:4464
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q e:3⤵PID:3148
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q d:3⤵PID:492
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q f:3⤵PID:4144
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q c:3⤵PID:4192
-
-
C:\Windows\Black Hole.exe"C:\Windows\Black Hole.exe"3⤵PID:4764
-
C:\WINDOWS\SysWOW64\shutdown.exeC:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2688
-
-
-
C:\Windows\SysWOW64\Lubang Hitam.exe"C:\Windows\system32\Lubang Hitam.exe"3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:4788 -
C:\WINDOWS\SysWOW64\shutdown.exeC:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!4⤵PID:3548
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"3⤵PID:4884
-
C:\WINDOWS\SysWOW64\shutdown.exeC:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4280
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3916
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"3⤵PID:1076
-
C:\WINDOWS\SysWOW64\shutdown.exeC:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!4⤵
- Suspicious use of AdjustPrivilegeToken
PID:3764
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2324 -
C:\WINDOWS\SysWOW64\shutdown.exeC:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4940
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4552 -
C:\WINDOWS\SysWOW64\shutdown.exeC:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!4⤵PID:4504
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"2⤵PID:4472
-
C:\WINDOWS\SysWOW64\shutdown.exeC:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!3⤵PID:1504
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"2⤵
- Modifies WinLogon for persistence
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:2356 -
C:\WINDOWS\SysWOW64\shutdown.exeC:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!3⤵PID:1632
-
-
C:\Windows\Black Hole.exe"C:\Windows\Black Hole.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1536 -
C:\WINDOWS\SysWOW64\shutdown.exeC:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!4⤵PID:4920
-
-
-
C:\Windows\SysWOW64\Lubang Hitam.exe"C:\Windows\system32\Lubang Hitam.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:4996 -
C:\WINDOWS\SysWOW64\shutdown.exeC:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1532
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"3⤵PID:3720
-
C:\WINDOWS\SysWOW64\shutdown.exeC:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1308 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3276
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2420 -
C:\WINDOWS\SysWOW64\shutdown.exeC:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!4⤵PID:4856
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1244 -
C:\WINDOWS\SysWOW64\shutdown.exeC:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!4⤵PID:2596
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1964 -
C:\WINDOWS\SysWOW64\shutdown.exeC:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!4⤵PID:1588
-
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q c:3⤵PID:2400
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q d:3⤵PID:2436
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q e:3⤵PID:4748
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q f:3⤵PID:4336
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q g:3⤵PID:2108
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q h:3⤵PID:1968
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q i:3⤵PID:632
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q j:3⤵PID:1852
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q k:3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4148
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q l:3⤵PID:3036
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q m:3⤵PID:2308
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q n:3⤵PID:3352
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q o:3⤵PID:2948
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q p:3⤵PID:3848
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q q:3⤵PID:3628
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q r:3⤵PID:776
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q s:3⤵PID:1568
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q t:3⤵PID:2748
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q u:3⤵PID:2220
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q v:3⤵PID:1340
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q w:3⤵PID:3964
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q x:3⤵PID:3504
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q y:3⤵PID:4716
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q z:3⤵PID:4216
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"3⤵PID:228
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"2⤵
- Modifies WinLogon for persistence
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:496 -
C:\WINDOWS\SysWOW64\shutdown.exeC:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4516
-
-
C:\Windows\Black Hole.exe"C:\Windows\Black Hole.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2480 -
C:\WINDOWS\SysWOW64\shutdown.exeC:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!4⤵PID:3044
-
-
-
C:\Windows\SysWOW64\Lubang Hitam.exe"C:\Windows\system32\Lubang Hitam.exe"3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:5068 -
C:\WINDOWS\SysWOW64\shutdown.exeC:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!4⤵PID:884
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2440 -
C:\WINDOWS\SysWOW64\shutdown.exeC:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!4⤵PID:2540
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1768 -
C:\WINDOWS\SysWOW64\shutdown.exeC:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!4⤵PID:3540
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4436 -
C:\WINDOWS\SysWOW64\shutdown.exeC:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!4⤵PID:4304
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"3⤵PID:1124
-
C:\WINDOWS\SysWOW64\shutdown.exeC:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!4⤵PID:4948
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2448 -
C:\WINDOWS\SysWOW64\shutdown.exeC:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4860
-
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q r:3⤵PID:2708
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q c:3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3548
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q d:3⤵PID:4496
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q e:3⤵PID:4796
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q f:3⤵PID:212
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q g:3⤵PID:3520
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q h:3⤵PID:1692
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q i:3⤵
- Suspicious use of AdjustPrivilegeToken
PID:5032
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q j:3⤵PID:4052
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q k:3⤵PID:1328
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q l:3⤵PID:3540
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q m:3⤵PID:404
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q n:3⤵PID:2548
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q o:3⤵PID:2080
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q p:3⤵PID:3544
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q q:3⤵PID:3332
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q s:3⤵PID:4124
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q t:3⤵PID:3156
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q u:3⤵PID:4272
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q v:3⤵PID:3088
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q w:3⤵PID:3468
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q x:3⤵PID:4820
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q y:3⤵PID:3652
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q z:3⤵
- Suspicious use of AdjustPrivilegeToken
PID:928
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3064 -
C:\WINDOWS\SysWOW64\shutdown.exeC:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!3⤵PID:928
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
- Suspicious use of AdjustPrivilegeToken
PID:1732
-
-
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q z:2⤵PID:1308
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q y:2⤵PID:2440
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q w:2⤵PID:4944
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q x:2⤵PID:3384
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q v:2⤵PID:1480
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q s:2⤵PID:3468
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q f:2⤵PID:4136
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q g:2⤵PID:1976
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q h:2⤵PID:1988
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q c:2⤵PID:1048
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q d:2⤵PID:3392
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q e:2⤵PID:4152
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q i:2⤵PID:1328
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q j:2⤵PID:1512
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q k:2⤵PID:2708
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q l:2⤵PID:2536
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q m:2⤵PID:4268
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q n:2⤵PID:1588
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q o:2⤵PID:2840
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q p:2⤵PID:3520
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q q:2⤵PID:4084
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q r:2⤵PID:2596
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q t:2⤵PID:3928
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q u:2⤵PID:2352
-
-
C:\Windows\Black Hole.exe"C:\Windows\Black Hole.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4012 -
C:\WINDOWS\SysWOW64\shutdown.exeC:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!3⤵PID:4828
-
-
-
C:\Windows\SysWOW64\Lubang Hitam.exe"C:\Windows\system32\Lubang Hitam.exe"2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:1968 -
C:\WINDOWS\SysWOW64\shutdown.exeC:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!3⤵PID:5008
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:4984
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1312 -
C:\WINDOWS\SysWOW64\shutdown.exeC:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!3⤵PID:1516
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:4216
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3560 -
C:\WINDOWS\SysWOW64\shutdown.exeC:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!3⤵PID:2596
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4008 -
C:\WINDOWS\SysWOW64\shutdown.exeC:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!3⤵PID:344
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:3036
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:228 -
C:\WINDOWS\SysWOW64\shutdown.exeC:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!3⤵PID:1120
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4792 -
C:\WINDOWS\SysWOW64\shutdown.exeC:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!3⤵PID:4140
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
- Suspicious use of AdjustPrivilegeToken
PID:1576
-
-
-
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵
- Suspicious use of AdjustPrivilegeToken
PID:1676
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵PID:4144
-
C:\Windows\System32\sihclient.exeC:\Windows\System32\sihclient.exe /cv kS4FgHoZzESEcPimMGNchQ.0.21⤵PID:848
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵PID:260
-
C:\WINDOWS\SysWOW64\shutdown.exeC:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!1⤵PID:3492
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4884
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵PID:4464
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4764
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:5112
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵PID:4888
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵PID:2620
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵
- Suspicious use of AdjustPrivilegeToken
PID:4920
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵PID:1784
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1124
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3720
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1076
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵PID:2696
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1504
Network
MITRE ATT&CK Enterprise v6
Persistence
Change Default File Association
1Hidden Files and Directories
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Defense Evasion
Disabling Security Tools
2Hidden Files and Directories
2Modify Registry
8Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
70KB
MD5c113a5262e0dd235d469f4d8cbffe935
SHA122028f00059d621bf70341824b9958713fa2b011
SHA2567ac5a8f1900d1d2a4722a245b055069e756f242cc41e2a65db4064fdc3ecef4a
SHA512a4594066867a8cc6f4d471b125b1c916b3675d45e735239e7550626747b1552499ac23f54dd5866e3c5c5e855093b1b5c933d3f4979dae61e7ec4436d304d807
-
Filesize
70KB
MD51d2b02da100712ee5fb18d34c95aca3a
SHA109a06ee5990fdaf9d448e2fcfadb94131a2d01d3
SHA25683d2053b11f20d27b244e402db9b389bffd064a6017abc030198cbc4c30d8bb2
SHA5122f433f7e4354bfe21703fd320b606005786669ac19cd4f694e01846fa2722338adc2784f38643709ad56467cf5f128ca5f769f6b7f57a47f5001fe6de27e4831
-
Filesize
70KB
MD5f964866b1fe37f5c913dff1f2dd0861c
SHA1ba7e151cfcabb2d156816751419e6ba22c05301b
SHA25643329608c1a9bdc32a55aa2298d0de66eb2aeaf1d3d99bbd0ac53eb7646735a4
SHA512d8cef52ce26c196d426ca4708c9a63badc1d419a36ddcd31fbd95633d917d9e02cc419d1bce096b7000d4c69e913329b6333c48daa6feecb70a208f8bc6ef6d8
-
Filesize
70KB
MD5cfd34f28d898737e86c5ec05aefc5063
SHA1485815a9ca135d9df9cf1483a7b7d038c11df47b
SHA256521e86e6c916caa4c45f667669f4f32e50e49e8cc6d16f1f36e2183abc56f2bc
SHA51294ecfa77651186c833a02fb28e8e752b775f10cf43ed1c56c06cc09622e5bcfc7f8462a26d81377fc404af5b4dc4251eb1b835e2b928339a24d050934128c200
-
Filesize
70KB
MD5ec371625dfa172866dd9680328c5bf37
SHA11d7267e30ce22d22943e161c64896c4091bb67b4
SHA2569f3c54a6c1011b64549741fb2ce24aa459ca402323ee54e6958390bfe47b1f12
SHA5123803c7cd748fbd9ce195e435e7ae403d2b61b6c179abf1da52ce095637d344ea399113309e7f11a1f170dcb7cf1ff266f7c6ce6577953df20b38eb00af35815b
-
Filesize
70KB
MD51d2b02da100712ee5fb18d34c95aca3a
SHA109a06ee5990fdaf9d448e2fcfadb94131a2d01d3
SHA25683d2053b11f20d27b244e402db9b389bffd064a6017abc030198cbc4c30d8bb2
SHA5122f433f7e4354bfe21703fd320b606005786669ac19cd4f694e01846fa2722338adc2784f38643709ad56467cf5f128ca5f769f6b7f57a47f5001fe6de27e4831
-
Filesize
70KB
MD51d2b02da100712ee5fb18d34c95aca3a
SHA109a06ee5990fdaf9d448e2fcfadb94131a2d01d3
SHA25683d2053b11f20d27b244e402db9b389bffd064a6017abc030198cbc4c30d8bb2
SHA5122f433f7e4354bfe21703fd320b606005786669ac19cd4f694e01846fa2722338adc2784f38643709ad56467cf5f128ca5f769f6b7f57a47f5001fe6de27e4831
-
Filesize
70KB
MD5eb09fac097163610102592fd8417f34e
SHA1091c2c870eb8d30dc2248904812871a3a21d829b
SHA256ed0605c012fa44fb9759b9bf0a040ef94f7918bb721c6e8247824ce1e4c70948
SHA512de86bbdd46fe2a10a0ee67d623f8d4ed615750cbab8055b5638f582a4164b8a228153de213e05e98a8708baceb759b680c40db893e3b36f45b8eb0dc195072e4
-
Filesize
70KB
MD5fddad6c6750e47e49a3e266a9b06a54d
SHA1d8dc414814c99d34651c8188e1f820011db064f1
SHA256c2a43681ec29b4ac9e14f1a1d1560ff9553aacbcf3d15ff943a0a1ef17a6b1a5
SHA512b08a34c4dccbfe1ea0f72433bd46129d8fccbe048251d8e0714bf7b5784ca55d37a81c87f4f9a9baa57c12a26b371da145cd07fb58a634d1ec7c7195307a2ba2
-
Filesize
70KB
MD5fddad6c6750e47e49a3e266a9b06a54d
SHA1d8dc414814c99d34651c8188e1f820011db064f1
SHA256c2a43681ec29b4ac9e14f1a1d1560ff9553aacbcf3d15ff943a0a1ef17a6b1a5
SHA512b08a34c4dccbfe1ea0f72433bd46129d8fccbe048251d8e0714bf7b5784ca55d37a81c87f4f9a9baa57c12a26b371da145cd07fb58a634d1ec7c7195307a2ba2
-
Filesize
70KB
MD5cfd34f28d898737e86c5ec05aefc5063
SHA1485815a9ca135d9df9cf1483a7b7d038c11df47b
SHA256521e86e6c916caa4c45f667669f4f32e50e49e8cc6d16f1f36e2183abc56f2bc
SHA51294ecfa77651186c833a02fb28e8e752b775f10cf43ed1c56c06cc09622e5bcfc7f8462a26d81377fc404af5b4dc4251eb1b835e2b928339a24d050934128c200
-
Filesize
70KB
MD5cfd34f28d898737e86c5ec05aefc5063
SHA1485815a9ca135d9df9cf1483a7b7d038c11df47b
SHA256521e86e6c916caa4c45f667669f4f32e50e49e8cc6d16f1f36e2183abc56f2bc
SHA51294ecfa77651186c833a02fb28e8e752b775f10cf43ed1c56c06cc09622e5bcfc7f8462a26d81377fc404af5b4dc4251eb1b835e2b928339a24d050934128c200
-
Filesize
70KB
MD51d2b02da100712ee5fb18d34c95aca3a
SHA109a06ee5990fdaf9d448e2fcfadb94131a2d01d3
SHA25683d2053b11f20d27b244e402db9b389bffd064a6017abc030198cbc4c30d8bb2
SHA5122f433f7e4354bfe21703fd320b606005786669ac19cd4f694e01846fa2722338adc2784f38643709ad56467cf5f128ca5f769f6b7f57a47f5001fe6de27e4831
-
Filesize
70KB
MD51d2b02da100712ee5fb18d34c95aca3a
SHA109a06ee5990fdaf9d448e2fcfadb94131a2d01d3
SHA25683d2053b11f20d27b244e402db9b389bffd064a6017abc030198cbc4c30d8bb2
SHA5122f433f7e4354bfe21703fd320b606005786669ac19cd4f694e01846fa2722338adc2784f38643709ad56467cf5f128ca5f769f6b7f57a47f5001fe6de27e4831
-
Filesize
70KB
MD5ec371625dfa172866dd9680328c5bf37
SHA11d7267e30ce22d22943e161c64896c4091bb67b4
SHA2569f3c54a6c1011b64549741fb2ce24aa459ca402323ee54e6958390bfe47b1f12
SHA5123803c7cd748fbd9ce195e435e7ae403d2b61b6c179abf1da52ce095637d344ea399113309e7f11a1f170dcb7cf1ff266f7c6ce6577953df20b38eb00af35815b
-
Filesize
70KB
MD5ec371625dfa172866dd9680328c5bf37
SHA11d7267e30ce22d22943e161c64896c4091bb67b4
SHA2569f3c54a6c1011b64549741fb2ce24aa459ca402323ee54e6958390bfe47b1f12
SHA5123803c7cd748fbd9ce195e435e7ae403d2b61b6c179abf1da52ce095637d344ea399113309e7f11a1f170dcb7cf1ff266f7c6ce6577953df20b38eb00af35815b
-
Filesize
70KB
MD51d2b02da100712ee5fb18d34c95aca3a
SHA109a06ee5990fdaf9d448e2fcfadb94131a2d01d3
SHA25683d2053b11f20d27b244e402db9b389bffd064a6017abc030198cbc4c30d8bb2
SHA5122f433f7e4354bfe21703fd320b606005786669ac19cd4f694e01846fa2722338adc2784f38643709ad56467cf5f128ca5f769f6b7f57a47f5001fe6de27e4831
-
Filesize
70KB
MD51d2b02da100712ee5fb18d34c95aca3a
SHA109a06ee5990fdaf9d448e2fcfadb94131a2d01d3
SHA25683d2053b11f20d27b244e402db9b389bffd064a6017abc030198cbc4c30d8bb2
SHA5122f433f7e4354bfe21703fd320b606005786669ac19cd4f694e01846fa2722338adc2784f38643709ad56467cf5f128ca5f769f6b7f57a47f5001fe6de27e4831
-
Filesize
70KB
MD5f964866b1fe37f5c913dff1f2dd0861c
SHA1ba7e151cfcabb2d156816751419e6ba22c05301b
SHA25643329608c1a9bdc32a55aa2298d0de66eb2aeaf1d3d99bbd0ac53eb7646735a4
SHA512d8cef52ce26c196d426ca4708c9a63badc1d419a36ddcd31fbd95633d917d9e02cc419d1bce096b7000d4c69e913329b6333c48daa6feecb70a208f8bc6ef6d8
-
Filesize
70KB
MD5f964866b1fe37f5c913dff1f2dd0861c
SHA1ba7e151cfcabb2d156816751419e6ba22c05301b
SHA25643329608c1a9bdc32a55aa2298d0de66eb2aeaf1d3d99bbd0ac53eb7646735a4
SHA512d8cef52ce26c196d426ca4708c9a63badc1d419a36ddcd31fbd95633d917d9e02cc419d1bce096b7000d4c69e913329b6333c48daa6feecb70a208f8bc6ef6d8
-
Filesize
70KB
MD5d320abb2f7117e4c78c93a46a91297e6
SHA19e6eee912e8081594e62e8f440f669f0ad0f4a6a
SHA256b2d266b121d4a398ed003ca368591294d7d40c3657edde79353c9631a3ed9121
SHA512a27a67754045a80fa8554a9aeed06b48f4e63798b2b98526d775eacfe3c9a1ff59d2f1d8b5e8e4347770b39bf1065f0fb693d6708bfc1b2c2567872ce4457b45
-
Filesize
70KB
MD5cfd34f28d898737e86c5ec05aefc5063
SHA1485815a9ca135d9df9cf1483a7b7d038c11df47b
SHA256521e86e6c916caa4c45f667669f4f32e50e49e8cc6d16f1f36e2183abc56f2bc
SHA51294ecfa77651186c833a02fb28e8e752b775f10cf43ed1c56c06cc09622e5bcfc7f8462a26d81377fc404af5b4dc4251eb1b835e2b928339a24d050934128c200
-
Filesize
70KB
MD51d2b02da100712ee5fb18d34c95aca3a
SHA109a06ee5990fdaf9d448e2fcfadb94131a2d01d3
SHA25683d2053b11f20d27b244e402db9b389bffd064a6017abc030198cbc4c30d8bb2
SHA5122f433f7e4354bfe21703fd320b606005786669ac19cd4f694e01846fa2722338adc2784f38643709ad56467cf5f128ca5f769f6b7f57a47f5001fe6de27e4831
-
Filesize
70KB
MD535c06001c62c84ed3daa518a3ff0bf1d
SHA1c2e5bd598f3fe97b85fdba97c7cafc3ef879321b
SHA256c8b96df7c1f7f143fd521c8a59448d1e4143c3eab3c40e7acb0172a079c86ef0
SHA512c9a3281de1ad0be77abd3fcec53f3dc7aa07d672185b415461003612609f686bfcf5c4941fe278ec5e4be4f9bfee403ecb7e52658fc7a05d420e76f56a73d5c8
-
Filesize
70KB
MD51156748b3ed6a29e03dfd8723dfebdad
SHA1e98087780afdae75db23e81473abaf5ceb62b709
SHA256569a0003bc5a9ac78379048b67a1412fc1861d147e20c7305c893cbbd4af6103
SHA512b82d63a49ca45d17a58464bed78237a4c220c0aa344a4996618168048563f80d7bcbaa4c007da012901dc4a07c329344cd9290bcaa2b4a0b4694e19a6d001bfc
-
Filesize
70KB
MD5512169d069723f542c38aaad47d528a9
SHA1262667fd41b346fd84b2af905d42be9433c3728e
SHA256ce74b1016e1b189db6368f20252874d59a44d2f96b000c6d130e108d3a4440e7
SHA51264702f4df8a59d5bb16b0c8e16a2922de20a9ab524b9fecf6a41b689fcabb9671e68c55d2cf911081d224f97310cf3f0324c87c5c21a4bab3e29770fc0462ed5
-
Filesize
70KB
MD5ec371625dfa172866dd9680328c5bf37
SHA11d7267e30ce22d22943e161c64896c4091bb67b4
SHA2569f3c54a6c1011b64549741fb2ce24aa459ca402323ee54e6958390bfe47b1f12
SHA5123803c7cd748fbd9ce195e435e7ae403d2b61b6c179abf1da52ce095637d344ea399113309e7f11a1f170dcb7cf1ff266f7c6ce6577953df20b38eb00af35815b
-
Filesize
70KB
MD5188b0ac227a10b4ba7b3289080490fc9
SHA103bb34f23038116b0cbac4ccbaed2a24372d4456
SHA256bfe06e957b2713acccbfcdcd099cdcd451a869215fd82d497d6bda9a0973adb7
SHA51230b74ba71d0d4cd65a74a2c06f5e1befb6758e85d2bdeaf512fa0ec5e5fb244360684675fbefcf6e50da220345beeb566b9530e372a66959c35931d275a2148d
-
Filesize
70KB
MD577ebef4615466d263bb068e0abf96f2d
SHA1e8167356705ea22cece013d123b3b8b7f8a708e4
SHA2564dd4b42db68d9508b7f46a462d0846ecad3d71bddb483d2c662af85131151a9c
SHA51212329c2f592c546f513e289eafc9f9f05b7f8690d9d7061700514693f1fdefe896e8b60610d82efa7df6b67b424b26721b9fe02b7f1f7099404e32ee770910c6
-
Filesize
70KB
MD51d2b02da100712ee5fb18d34c95aca3a
SHA109a06ee5990fdaf9d448e2fcfadb94131a2d01d3
SHA25683d2053b11f20d27b244e402db9b389bffd064a6017abc030198cbc4c30d8bb2
SHA5122f433f7e4354bfe21703fd320b606005786669ac19cd4f694e01846fa2722338adc2784f38643709ad56467cf5f128ca5f769f6b7f57a47f5001fe6de27e4831
-
Filesize
70KB
MD5f964866b1fe37f5c913dff1f2dd0861c
SHA1ba7e151cfcabb2d156816751419e6ba22c05301b
SHA25643329608c1a9bdc32a55aa2298d0de66eb2aeaf1d3d99bbd0ac53eb7646735a4
SHA512d8cef52ce26c196d426ca4708c9a63badc1d419a36ddcd31fbd95633d917d9e02cc419d1bce096b7000d4c69e913329b6333c48daa6feecb70a208f8bc6ef6d8
-
Filesize
70KB
MD5c113a5262e0dd235d469f4d8cbffe935
SHA122028f00059d621bf70341824b9958713fa2b011
SHA2567ac5a8f1900d1d2a4722a245b055069e756f242cc41e2a65db4064fdc3ecef4a
SHA512a4594066867a8cc6f4d471b125b1c916b3675d45e735239e7550626747b1552499ac23f54dd5866e3c5c5e855093b1b5c933d3f4979dae61e7ec4436d304d807
-
Filesize
70KB
MD51d2b02da100712ee5fb18d34c95aca3a
SHA109a06ee5990fdaf9d448e2fcfadb94131a2d01d3
SHA25683d2053b11f20d27b244e402db9b389bffd064a6017abc030198cbc4c30d8bb2
SHA5122f433f7e4354bfe21703fd320b606005786669ac19cd4f694e01846fa2722338adc2784f38643709ad56467cf5f128ca5f769f6b7f57a47f5001fe6de27e4831
-
Filesize
70KB
MD5f964866b1fe37f5c913dff1f2dd0861c
SHA1ba7e151cfcabb2d156816751419e6ba22c05301b
SHA25643329608c1a9bdc32a55aa2298d0de66eb2aeaf1d3d99bbd0ac53eb7646735a4
SHA512d8cef52ce26c196d426ca4708c9a63badc1d419a36ddcd31fbd95633d917d9e02cc419d1bce096b7000d4c69e913329b6333c48daa6feecb70a208f8bc6ef6d8
-
Filesize
70KB
MD5cfd34f28d898737e86c5ec05aefc5063
SHA1485815a9ca135d9df9cf1483a7b7d038c11df47b
SHA256521e86e6c916caa4c45f667669f4f32e50e49e8cc6d16f1f36e2183abc56f2bc
SHA51294ecfa77651186c833a02fb28e8e752b775f10cf43ed1c56c06cc09622e5bcfc7f8462a26d81377fc404af5b4dc4251eb1b835e2b928339a24d050934128c200
-
Filesize
70KB
MD5ec371625dfa172866dd9680328c5bf37
SHA11d7267e30ce22d22943e161c64896c4091bb67b4
SHA2569f3c54a6c1011b64549741fb2ce24aa459ca402323ee54e6958390bfe47b1f12
SHA5123803c7cd748fbd9ce195e435e7ae403d2b61b6c179abf1da52ce095637d344ea399113309e7f11a1f170dcb7cf1ff266f7c6ce6577953df20b38eb00af35815b
-
Filesize
70KB
MD51d2b02da100712ee5fb18d34c95aca3a
SHA109a06ee5990fdaf9d448e2fcfadb94131a2d01d3
SHA25683d2053b11f20d27b244e402db9b389bffd064a6017abc030198cbc4c30d8bb2
SHA5122f433f7e4354bfe21703fd320b606005786669ac19cd4f694e01846fa2722338adc2784f38643709ad56467cf5f128ca5f769f6b7f57a47f5001fe6de27e4831
-
Filesize
70KB
MD52ef4ba88c0709907bb115eafb5039f1d
SHA19bb153da2822b7512da831fedf1e3e59d970c7ca
SHA256b6e0a8e4055940bcf786296fd80e63fed0ea36755902338902d4fe4b1784011e
SHA512fe9337b0dc3c183a439bd3e6fb160ee361ecd0852eff0c33c03229d118b67cd170861d76f125d4e9f0003681364e51ea4e4708f7483b658ed7d35e533b89f049
-
Filesize
1KB
MD56635e047c242e6d64b2716d81095bf5f
SHA15def5300f894e58bbb0caaa94680f7735ccd248d
SHA2569757b4f406657c44fcbd40757d1ae06e833a8e1542ca976e6ae63578031b32bf
SHA512c9bae9bf090e7c67fac53d061bb43c2091e991c8f568889463d0c1af8f48652c79c51785c0906705098b418b2d7a4b200580fb44091ecf8bf24d8b1b45a258c0
-
Filesize
1KB
MD5e067dafcbe64a95f5045a281397732db
SHA11af7095f98c486ca247449980000d06b04ffc50c
SHA256b6085ee8c1f2de574973b9f3a7417257e25573c2b5228b5a8f87e3788e2733b6
SHA5121b575d62fee219538f8d624ab833cbce0aee431559a0adfa1e3ce9cd4f5ab8a2887b394843ebf164c884ccbed5687d644474328471b23c28edba8f99ccf08b58
-
Filesize
70KB
MD5e6bb14b38774adeff3778faed86e04aa
SHA113c743c22ca7b1635efe5b18a61af9548c328da5
SHA256d562db43c0331edb3edda0311178eb81ce8e203129d9d9ce0388397e04927413
SHA51251b9b77ee096cfca2bdd74e5f73bd625e313308bc49c6907ce7d04cdd029af16e3688bb7d05456c2f12535a1b6c0b24d1dcc876ba3bae965fda3e47310f66100
-
Filesize
70KB
MD5e6bb14b38774adeff3778faed86e04aa
SHA113c743c22ca7b1635efe5b18a61af9548c328da5
SHA256d562db43c0331edb3edda0311178eb81ce8e203129d9d9ce0388397e04927413
SHA51251b9b77ee096cfca2bdd74e5f73bd625e313308bc49c6907ce7d04cdd029af16e3688bb7d05456c2f12535a1b6c0b24d1dcc876ba3bae965fda3e47310f66100
-
Filesize
70KB
MD51d2b02da100712ee5fb18d34c95aca3a
SHA109a06ee5990fdaf9d448e2fcfadb94131a2d01d3
SHA25683d2053b11f20d27b244e402db9b389bffd064a6017abc030198cbc4c30d8bb2
SHA5122f433f7e4354bfe21703fd320b606005786669ac19cd4f694e01846fa2722338adc2784f38643709ad56467cf5f128ca5f769f6b7f57a47f5001fe6de27e4831
-
Filesize
70KB
MD51d2b02da100712ee5fb18d34c95aca3a
SHA109a06ee5990fdaf9d448e2fcfadb94131a2d01d3
SHA25683d2053b11f20d27b244e402db9b389bffd064a6017abc030198cbc4c30d8bb2
SHA5122f433f7e4354bfe21703fd320b606005786669ac19cd4f694e01846fa2722338adc2784f38643709ad56467cf5f128ca5f769f6b7f57a47f5001fe6de27e4831
-
Filesize
1.4MB
MD525f62c02619174b35851b0e0455b3d94
SHA14e8ee85157f1769f6e3f61c0acbe59072209da71
SHA256898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
SHA512f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a
-
Filesize
70KB
MD5c113a5262e0dd235d469f4d8cbffe935
SHA122028f00059d621bf70341824b9958713fa2b011
SHA2567ac5a8f1900d1d2a4722a245b055069e756f242cc41e2a65db4064fdc3ecef4a
SHA512a4594066867a8cc6f4d471b125b1c916b3675d45e735239e7550626747b1552499ac23f54dd5866e3c5c5e855093b1b5c933d3f4979dae61e7ec4436d304d807
-
Filesize
70KB
MD51d2b02da100712ee5fb18d34c95aca3a
SHA109a06ee5990fdaf9d448e2fcfadb94131a2d01d3
SHA25683d2053b11f20d27b244e402db9b389bffd064a6017abc030198cbc4c30d8bb2
SHA5122f433f7e4354bfe21703fd320b606005786669ac19cd4f694e01846fa2722338adc2784f38643709ad56467cf5f128ca5f769f6b7f57a47f5001fe6de27e4831
-
Filesize
70KB
MD5f964866b1fe37f5c913dff1f2dd0861c
SHA1ba7e151cfcabb2d156816751419e6ba22c05301b
SHA25643329608c1a9bdc32a55aa2298d0de66eb2aeaf1d3d99bbd0ac53eb7646735a4
SHA512d8cef52ce26c196d426ca4708c9a63badc1d419a36ddcd31fbd95633d917d9e02cc419d1bce096b7000d4c69e913329b6333c48daa6feecb70a208f8bc6ef6d8
-
Filesize
70KB
MD5cfd34f28d898737e86c5ec05aefc5063
SHA1485815a9ca135d9df9cf1483a7b7d038c11df47b
SHA256521e86e6c916caa4c45f667669f4f32e50e49e8cc6d16f1f36e2183abc56f2bc
SHA51294ecfa77651186c833a02fb28e8e752b775f10cf43ed1c56c06cc09622e5bcfc7f8462a26d81377fc404af5b4dc4251eb1b835e2b928339a24d050934128c200
-
Filesize
70KB
MD5ec371625dfa172866dd9680328c5bf37
SHA11d7267e30ce22d22943e161c64896c4091bb67b4
SHA2569f3c54a6c1011b64549741fb2ce24aa459ca402323ee54e6958390bfe47b1f12
SHA5123803c7cd748fbd9ce195e435e7ae403d2b61b6c179abf1da52ce095637d344ea399113309e7f11a1f170dcb7cf1ff266f7c6ce6577953df20b38eb00af35815b
-
Filesize
70KB
MD53020b54366b3f14c73547daa64feb49d
SHA1acd5da4aa2e51bdeb4bd5adafb62e00c65d0fed3
SHA256202f2d302cafcef8c58fee766e0931cb45c3fce5a540e056ec32dac938f3fdaf
SHA5125d2fd710f5e032caa6e1e9cc68b51d8236671e6d69b85f2032d19a1885b98792e5a4bb126f48d1129919cdfdb58aea22266367c39185ef9d411aac0064971924
-
Filesize
70KB
MD53020b54366b3f14c73547daa64feb49d
SHA1acd5da4aa2e51bdeb4bd5adafb62e00c65d0fed3
SHA256202f2d302cafcef8c58fee766e0931cb45c3fce5a540e056ec32dac938f3fdaf
SHA5125d2fd710f5e032caa6e1e9cc68b51d8236671e6d69b85f2032d19a1885b98792e5a4bb126f48d1129919cdfdb58aea22266367c39185ef9d411aac0064971924
-
Filesize
70KB
MD5c113a5262e0dd235d469f4d8cbffe935
SHA122028f00059d621bf70341824b9958713fa2b011
SHA2567ac5a8f1900d1d2a4722a245b055069e756f242cc41e2a65db4064fdc3ecef4a
SHA512a4594066867a8cc6f4d471b125b1c916b3675d45e735239e7550626747b1552499ac23f54dd5866e3c5c5e855093b1b5c933d3f4979dae61e7ec4436d304d807
-
Filesize
70KB
MD5c113a5262e0dd235d469f4d8cbffe935
SHA122028f00059d621bf70341824b9958713fa2b011
SHA2567ac5a8f1900d1d2a4722a245b055069e756f242cc41e2a65db4064fdc3ecef4a
SHA512a4594066867a8cc6f4d471b125b1c916b3675d45e735239e7550626747b1552499ac23f54dd5866e3c5c5e855093b1b5c933d3f4979dae61e7ec4436d304d807
-
Filesize
70KB
MD5c113a5262e0dd235d469f4d8cbffe935
SHA122028f00059d621bf70341824b9958713fa2b011
SHA2567ac5a8f1900d1d2a4722a245b055069e756f242cc41e2a65db4064fdc3ecef4a
SHA512a4594066867a8cc6f4d471b125b1c916b3675d45e735239e7550626747b1552499ac23f54dd5866e3c5c5e855093b1b5c933d3f4979dae61e7ec4436d304d807
-
Filesize
70KB
MD5c113a5262e0dd235d469f4d8cbffe935
SHA122028f00059d621bf70341824b9958713fa2b011
SHA2567ac5a8f1900d1d2a4722a245b055069e756f242cc41e2a65db4064fdc3ecef4a
SHA512a4594066867a8cc6f4d471b125b1c916b3675d45e735239e7550626747b1552499ac23f54dd5866e3c5c5e855093b1b5c933d3f4979dae61e7ec4436d304d807
-
Filesize
70KB
MD51d2b02da100712ee5fb18d34c95aca3a
SHA109a06ee5990fdaf9d448e2fcfadb94131a2d01d3
SHA25683d2053b11f20d27b244e402db9b389bffd064a6017abc030198cbc4c30d8bb2
SHA5122f433f7e4354bfe21703fd320b606005786669ac19cd4f694e01846fa2722338adc2784f38643709ad56467cf5f128ca5f769f6b7f57a47f5001fe6de27e4831
-
Filesize
70KB
MD51d2b02da100712ee5fb18d34c95aca3a
SHA109a06ee5990fdaf9d448e2fcfadb94131a2d01d3
SHA25683d2053b11f20d27b244e402db9b389bffd064a6017abc030198cbc4c30d8bb2
SHA5122f433f7e4354bfe21703fd320b606005786669ac19cd4f694e01846fa2722338adc2784f38643709ad56467cf5f128ca5f769f6b7f57a47f5001fe6de27e4831
-
Filesize
70KB
MD5cfd34f28d898737e86c5ec05aefc5063
SHA1485815a9ca135d9df9cf1483a7b7d038c11df47b
SHA256521e86e6c916caa4c45f667669f4f32e50e49e8cc6d16f1f36e2183abc56f2bc
SHA51294ecfa77651186c833a02fb28e8e752b775f10cf43ed1c56c06cc09622e5bcfc7f8462a26d81377fc404af5b4dc4251eb1b835e2b928339a24d050934128c200
-
Filesize
70KB
MD5ec371625dfa172866dd9680328c5bf37
SHA11d7267e30ce22d22943e161c64896c4091bb67b4
SHA2569f3c54a6c1011b64549741fb2ce24aa459ca402323ee54e6958390bfe47b1f12
SHA5123803c7cd748fbd9ce195e435e7ae403d2b61b6c179abf1da52ce095637d344ea399113309e7f11a1f170dcb7cf1ff266f7c6ce6577953df20b38eb00af35815b
-
Filesize
70KB
MD5131402caac465fa160183dd4bb830900
SHA1272fc390fd341362c3accaa4c3ac1d59973d9597
SHA25652a5b9e09f0864653f1f149f8a7413db34fd4c51b79d7ca5257c09e6109d1d18
SHA5126daa2badb4de4705f999c8977a2698d0046992e4e1a383ce030fadccd7dee1258eab631fe381cf795d5ac689bee380f80a80918d75e9a1f1c226a8bd21d6c867
-
Filesize
70KB
MD5131402caac465fa160183dd4bb830900
SHA1272fc390fd341362c3accaa4c3ac1d59973d9597
SHA25652a5b9e09f0864653f1f149f8a7413db34fd4c51b79d7ca5257c09e6109d1d18
SHA5126daa2badb4de4705f999c8977a2698d0046992e4e1a383ce030fadccd7dee1258eab631fe381cf795d5ac689bee380f80a80918d75e9a1f1c226a8bd21d6c867
-
Filesize
1.4MB
MD525f62c02619174b35851b0e0455b3d94
SHA14e8ee85157f1769f6e3f61c0acbe59072209da71
SHA256898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
SHA512f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a
-
Filesize
70KB
MD5c3fb374b35f2c8a68c82b67bea0b5851
SHA1585538b0969772f9a12b4e8c32a9f0e9ba0d70bc
SHA2565e580fc223e0f61ab62eaa207e2f509d58ab0a99dbc9b3d0e9a034baf48b9e2b
SHA512d0b6e387bd8de8bb028b0ebc1b8872897c551284e3cd15618b9a1e30ae5fb5474ac82a14da2f93777e9412c77ef24ce4a099fb405c60faaa3e5431682769f0e2