Analysis
-
max time kernel
100s -
max time network
34s -
platform
windows7_x64 -
resource
win7-20221111-en -
resource tags
-
submitted
02/12/2022, 20:59
General
-
Target
7a3880a4289ed44b59cc6043819334572ef281d7c968173ad1b3feade70798f6.exe
-
Size
70KB
-
MD5
53d7f16c242c352a30f8ddef88916f2c
-
SHA1
3c1d53646d6df6ab6030fa4f8e5448adc7eea85e
-
SHA256
7a3880a4289ed44b59cc6043819334572ef281d7c968173ad1b3feade70798f6
-
SHA512
7fcbad023cc9d876957a778c2106eceae30db64272b594ea8c09af85cebfc7f2b52dde1d0cefeb3712b536952d695c22cd0bd95e9345568f88a41b50f7ad2ab6
-
SSDEEP
768:1iCHI1nffAkGisSQ6KRcJZOYoBudWaDyqzlL49FLdS5yA+jz+CE8+R5nOwekfZUW:1LHIlfH7Q6qRBwWa2qxQFZA+j6bWw+9
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 24 IoCs
-
Modifies system executable filetype association 2 TTPs 64 IoCs
-
Modifies visibility of file extensions in Explorer 2 TTPs 12 IoCs
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 12 IoCs
-
Windows security bypass 2 TTPs 36 IoCs
-
Disables RegEdit via registry modification 24 IoCs
-
Disables Task Manager via registry modification
-
Disables use of System Restore points 1 TTPs
-
Executes dropped EXE 29 IoCs
-
Loads dropped DLL 41 IoCs
-
Windows security modification 2 TTPs 44 IoCs
-
Adds Run key to start application 2 TTPs 64 IoCs
-
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops autorun.inf file 1 TTPs 2 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
-
Drops file in System32 directory 46 IoCs
-
Drops file in Windows directory 44 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies Control Panel 64 IoCs
-
Modifies registry class 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 17 IoCs
-
Suspicious use of AdjustPrivilegeToken 46 IoCs
-
Suspicious use of SetWindowsHookEx 25 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\7a3880a4289ed44b59cc6043819334572ef281d7c968173ad1b3feade70798f6.exe"C:\Users\Admin\AppData\Local\Temp\7a3880a4289ed44b59cc6043819334572ef281d7c968173ad1b3feade70798f6.exe"1⤵
- Modifies WinLogon for persistence
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Loads dropped DLL
- Windows security modification
- Adds Run key to start application
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\WINDOWS\SysWOW64\shutdown.exeC:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!2⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q z:2⤵
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q y:2⤵
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q x:2⤵
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q w:2⤵
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q v:2⤵
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q u:2⤵
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q t:2⤵
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q s:2⤵
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q r:2⤵
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q q:2⤵
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q p:2⤵
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q o:2⤵
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q n:2⤵
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q m:2⤵
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q l:2⤵
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q k:2⤵
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q j:2⤵
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q i:2⤵
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q h:2⤵
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q g:2⤵
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q e:2⤵
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q f:2⤵
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q d:2⤵
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q c:2⤵
-
-
C:\Windows\Black Hole.exe"C:\Windows\Black Hole.exe"2⤵
- Modifies WinLogon for persistence
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- System policy modification
-
C:\WINDOWS\SysWOW64\shutdown.exeC:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\Lubang Hitam.exe"C:\Windows\system32\Lubang Hitam.exe"2⤵
- Modifies WinLogon for persistence
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- System policy modification
-
C:\WINDOWS\SysWOW64\shutdown.exeC:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q z:3⤵
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q x:3⤵
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q v:3⤵
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q w:3⤵
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q y:3⤵
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q s:3⤵
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q t:3⤵
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q u:3⤵
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q q:3⤵
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q r:3⤵
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q n:3⤵
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q o:3⤵
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q p:3⤵
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q m:3⤵
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q l:3⤵
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q k:3⤵
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q j:3⤵
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q g:3⤵
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q f:3⤵
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q e:3⤵
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q h:3⤵
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q i:3⤵
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q d:3⤵
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q c:3⤵
-
-
C:\Windows\Black Hole.exe"C:\Windows\Black Hole.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\WINDOWS\SysWOW64\shutdown.exeC:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!4⤵
-
-
-
C:\Windows\SysWOW64\Lubang Hitam.exe"C:\Windows\system32\Lubang Hitam.exe"3⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"2⤵
- Modifies WinLogon for persistence
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- Modifies Control Panel
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- System policy modification
-
C:\WINDOWS\SysWOW64\shutdown.exeC:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!3⤵
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q z:3⤵
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q v:3⤵
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q u:3⤵
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q w:3⤵
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q x:3⤵
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q t:3⤵
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q y:3⤵
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q s:3⤵
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q o:3⤵
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q n:3⤵
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q p:3⤵
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q l:3⤵
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q i:3⤵
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q h:3⤵
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q g:3⤵
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q j:3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q k:3⤵
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q m:3⤵
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q q:3⤵
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q r:3⤵
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q f:3⤵
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q e:3⤵
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q d:3⤵
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"2⤵
- Modifies WinLogon for persistence
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- System policy modification
-
C:\WINDOWS\SysWOW64\shutdown.exeC:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q z:3⤵
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q y:3⤵
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q w:3⤵
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q u:3⤵
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q f:3⤵
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q g:3⤵
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q e:3⤵
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q h:3⤵
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q i:3⤵
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q j:3⤵
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q k:3⤵
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q l:3⤵
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q m:3⤵
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q n:3⤵
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q o:3⤵
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q p:3⤵
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q q:3⤵
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q r:3⤵
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q s:3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q t:3⤵
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q v:3⤵
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q x:3⤵
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q c:3⤵
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q d:3⤵
-
-
C:\Windows\Black Hole.exe"C:\Windows\Black Hole.exe"3⤵
- Modifies WinLogon for persistence
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- System policy modification
-
C:\WINDOWS\SysWOW64\shutdown.exeC:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!4⤵
-
-
C:\Windows\Black Hole.exe"C:\Windows\Black Hole.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\WINDOWS\SysWOW64\shutdown.exeC:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!5⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\Lubang Hitam.exe"C:\Windows\system32\Lubang Hitam.exe"4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
-
C:\WINDOWS\SysWOW64\shutdown.exeC:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!5⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\WINDOWS\SysWOW64\shutdown.exeC:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!5⤵
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"4⤵
- Executes dropped EXE
-
C:\WINDOWS\SysWOW64\shutdown.exeC:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!5⤵
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"4⤵
-
C:\WINDOWS\SysWOW64\shutdown.exeC:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!5⤵
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"4⤵
-
C:\WINDOWS\SysWOW64\shutdown.exeC:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!5⤵
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"4⤵
-
C:\WINDOWS\SysWOW64\shutdown.exeC:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!5⤵
-
-
-
-
C:\Windows\SysWOW64\Lubang Hitam.exe"C:\Windows\system32\Lubang Hitam.exe"3⤵
- Modifies WinLogon for persistence
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- System policy modification
-
C:\WINDOWS\SysWOW64\shutdown.exeC:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!4⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q y:4⤵
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q x:4⤵
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q t:4⤵
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q c:4⤵
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q d:4⤵
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q e:4⤵
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q f:4⤵
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q g:4⤵
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q h:4⤵
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q i:4⤵
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q j:4⤵
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q k:4⤵
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q l:4⤵
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q m:4⤵
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q n:4⤵
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q o:4⤵
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q p:4⤵
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q q:4⤵
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q r:4⤵
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q s:4⤵
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q u:4⤵
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q v:4⤵
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q w:4⤵
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q z:4⤵
-
-
C:\Windows\Black Hole.exe"C:\Windows\Black Hole.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\WINDOWS\SysWOW64\shutdown.exeC:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!5⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\Lubang Hitam.exe"C:\Windows\system32\Lubang Hitam.exe"4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
-
C:\WINDOWS\SysWOW64\shutdown.exeC:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!5⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\WINDOWS\SysWOW64\shutdown.exeC:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!5⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"4⤵
- Executes dropped EXE
-
C:\WINDOWS\SysWOW64\shutdown.exeC:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!5⤵
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"4⤵
-
C:\WINDOWS\SysWOW64\shutdown.exeC:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!5⤵
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"4⤵
-
C:\WINDOWS\SysWOW64\shutdown.exeC:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!5⤵
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"4⤵
-
C:\WINDOWS\SysWOW64\shutdown.exeC:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!5⤵
-
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"2⤵
- Modifies WinLogon for persistence
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- System policy modification
-
C:\WINDOWS\SysWOW64\shutdown.exeC:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!3⤵
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q z:3⤵
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q y:3⤵
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q x:3⤵
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q v:3⤵
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q u:3⤵
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q w:3⤵
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q t:3⤵
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q s:3⤵
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q r:3⤵
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q p:3⤵
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q q:3⤵
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q o:3⤵
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q n:3⤵
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q m:3⤵
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q l:3⤵
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q k:3⤵
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q j:3⤵
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q i:3⤵
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q h:3⤵
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q g:3⤵
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q f:3⤵
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q e:3⤵
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q d:3⤵
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q c:3⤵
-
-
C:\Windows\Black Hole.exe"C:\Windows\Black Hole.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\WINDOWS\SysWOW64\shutdown.exeC:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!4⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\Lubang Hitam.exe"C:\Windows\system32\Lubang Hitam.exe"3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
-
C:\WINDOWS\SysWOW64\shutdown.exeC:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!4⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"3⤵
- Modifies WinLogon for persistence
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- Modifies Control Panel
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- System policy modification
-
C:\WINDOWS\SysWOW64\shutdown.exeC:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!4⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q z:4⤵
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q y:4⤵
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q x:4⤵
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q w:4⤵
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q r:4⤵
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q o:4⤵
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q m:4⤵
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q n:4⤵
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q p:4⤵
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q q:4⤵
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q s:4⤵
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q l:4⤵
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q k:4⤵
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q t:4⤵
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q j:4⤵
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q u:4⤵
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q v:4⤵
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q i:4⤵
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q g:4⤵
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q h:4⤵
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q f:4⤵
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q c:4⤵
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q d:4⤵
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q e:4⤵
-
-
C:\Windows\Black Hole.exe"C:\Windows\Black Hole.exe"4⤵
-
C:\WINDOWS\SysWOW64\shutdown.exeC:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!5⤵
-
-
-
C:\Windows\SysWOW64\Lubang Hitam.exe"C:\Windows\system32\Lubang Hitam.exe"4⤵
-
C:\WINDOWS\SysWOW64\shutdown.exeC:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!5⤵
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"4⤵
-
C:\WINDOWS\SysWOW64\shutdown.exeC:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!5⤵
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"4⤵
-
C:\WINDOWS\SysWOW64\shutdown.exeC:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!5⤵
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"4⤵
-
C:\WINDOWS\SysWOW64\shutdown.exeC:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!5⤵
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"3⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"3⤵
-
C:\WINDOWS\SysWOW64\shutdown.exeC:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!4⤵
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"3⤵
-
C:\WINDOWS\SysWOW64\shutdown.exeC:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!4⤵
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"3⤵
-
C:\WINDOWS\SysWOW64\shutdown.exeC:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!4⤵
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"2⤵
- Modifies WinLogon for persistence
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- System policy modification
-
C:\WINDOWS\SysWOW64\shutdown.exeC:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q z:3⤵
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q y:3⤵
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q x:3⤵
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q w:3⤵
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q v:3⤵
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q j:3⤵
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q c:3⤵
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q d:3⤵
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q e:3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q f:3⤵
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q g:3⤵
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q h:3⤵
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q i:3⤵
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q k:3⤵
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q l:3⤵
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q m:3⤵
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q n:3⤵
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q o:3⤵
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q p:3⤵
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q q:3⤵
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q r:3⤵
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q s:3⤵
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q t:3⤵
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q u:3⤵
-
-
C:\Windows\Black Hole.exe"C:\Windows\Black Hole.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\WINDOWS\SysWOW64\shutdown.exeC:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!4⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\Lubang Hitam.exe"C:\Windows\system32\Lubang Hitam.exe"3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
-
C:\WINDOWS\SysWOW64\shutdown.exeC:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!4⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\WINDOWS\SysWOW64\shutdown.exeC:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!4⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"3⤵
-
C:\WINDOWS\SysWOW64\shutdown.exeC:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!4⤵
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"3⤵
-
C:\WINDOWS\SysWOW64\shutdown.exeC:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!4⤵
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"3⤵
-
C:\WINDOWS\SysWOW64\shutdown.exeC:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!4⤵
-
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"2⤵
- Modifies WinLogon for persistence
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- System policy modification
-
C:\WINDOWS\SysWOW64\shutdown.exeC:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q v:3⤵
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q t:3⤵
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q p:3⤵
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q i:3⤵
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q j:3⤵
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q k:3⤵
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q l:3⤵
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q m:3⤵
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q n:3⤵
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q o:3⤵
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q q:3⤵
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q r:3⤵
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q s:3⤵
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q u:3⤵
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q w:3⤵
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q x:3⤵
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q y:3⤵
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q z:3⤵
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q h:3⤵
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q f:3⤵
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q g:3⤵
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q e:3⤵
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q c:3⤵
-
-
C:\WINDOWS\SysWOW64\cmd.exeC:\WINDOWS\system32\cmd.exe /c rd /s /q d:3⤵
-
-
C:\Windows\Black Hole.exe"C:\Windows\Black Hole.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\WINDOWS\SysWOW64\shutdown.exeC:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!4⤵
-
-
-
C:\Windows\SysWOW64\Lubang Hitam.exe"C:\Windows\system32\Lubang Hitam.exe"3⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"3⤵
-
C:\WINDOWS\SysWOW64\shutdown.exeC:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!4⤵
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"3⤵
-
C:\WINDOWS\SysWOW64\shutdown.exeC:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!4⤵
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"3⤵
-
C:\WINDOWS\SysWOW64\shutdown.exeC:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!4⤵
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"3⤵
-
C:\WINDOWS\SysWOW64\shutdown.exeC:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!4⤵
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"3⤵
-
C:\WINDOWS\SysWOW64\shutdown.exeC:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!4⤵
-
-
-
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "1690761724-1469743917-682055781-950851460-9756378916097686361650028871-382583382"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "1087491402-1843231215-12283105431132162125-449121108-727915909-203414712-1341753679"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-318980303-690711543-1548002630-1461767245-1491880854-1478373063-750571102212241303"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "507637428-20668867831775770145-884966397-1284018344-182112525-645888550-190028908"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "970555870-106973834677583782-18320337391026578636-1514951186-2016064098-740439068"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-160938077720916970964586637032123826277-19826734522171581201272884013233283742"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "1555219578-1926363424-1964585052100116694-21404183935164230578690870661761506035"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-146118176205303682310849473501715280601-19611935731870774226-15046192441041299734"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-9028955861494959465-8565615431479128384953105450837151387-842044790-230080785"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "1258255486-1232522731318831203-1878191594683283134-20557466391791527794-1207956212"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-850466841-2092070744-1013926911-368898030-493374392-452657768-2093046321648741822"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "1651802847850493913780520282039752378-15511095561640120375-621866731340011699"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-78866558011915225881265623241-1768064869-1359829261-202655994367200376-1814757752"1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-1186363103819227614-10727297671236728167766911073-12956502401111401572459666373"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "16624593851633651048-1944179061656860761-1829752901455539423-612099005-536546733"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "63058466-420261229-1135263958-17742170591905033291126712554-1497582166-222422656"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "823632327357399561-1241066363-1422902836274026715966999912-1464639672336464343"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "855082695506729497-1592046607-1324580883173988848-2043538539-974547699-8097250"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-647593683530272858-198485674036096947017991575313154677901554046346233469058"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "481284758-1712368052-12578954-261051152-1299444776410706301-822192441528341400"1⤵
Network
MITRE ATT&CK Enterprise v6
Persistence
Change Default File Association
1Hidden Files and Directories
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Defense Evasion
Disabling Security Tools
2Hidden Files and Directories
2Modify Registry
8Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
70KB
MD52e89ee6d11f183e32110c76e67b66e1d
SHA147016dcae36c13f4adb1ac12880036292be6243b
SHA25625b8000f5d23e69f1619537ac1a197e4f105d53568806683b6c2c394ae05f9dd
SHA5124e126b2195f8edb78862af221e1d6dda6c620fbed5cf1467bac059ac8dacba3a45235598c67d190617fa941726790ab60c9cd2d979236018667b0eb698859d7e
-
Filesize
70KB
MD587bdcbbf4ea65949dd11b8c58e8d61a6
SHA103ea16212dd2ea45773593067b2838b85ee52492
SHA25606c1b3df1b3017788f540a1302e8fa097ea61cd7367e32981b4da124c589734f
SHA512fe3061626051c9a4758243f5ca44514f7ed02ddad02304b49f939859174022a636363fe4eabd2a4960f19fe6e129c92d22a6859ae52e0f43bc3db85b3e8b1370
-
Filesize
70KB
MD5f8ba0ad3c372324eedc91e5d3719fec5
SHA139aa009e0caa6cccabe8c4c99f073bb863eb7ab0
SHA25686112e1c368f2ac7f278af9820e604cea6dd6df47e441d4ead71963f8fd39a37
SHA512fcc133baf6fd2d2762d4ea99e7e1adc8c40416db73f5b1d23b9482186eeb5b2669a480b4aa67e1d8184c4b069f2647f3e1980d3c5e971da9f41cf5f5824a7e63
-
Filesize
70KB
MD5190bd4851ad71ddd57803d9b6d7197cb
SHA106cdc71a93bdd18b41e7c64b759daae4093bcf59
SHA25603388efac53e6c0bd0039fdbb95e7c540ed67a6af0eceed205c51ce21cd9f99c
SHA5128ebc8a21745760d436d0d261ea1bae32eeb74457f11be44226276ff17e8ae11f2329cb85a1aac6f85edd511c88075389f290256d0a52555be5c1839f42ac2ffc
-
Filesize
70KB
MD530effec34a9f06465d12ca4820131a9b
SHA13d397551899a72cfff9e509218b5279bf3505507
SHA25606073bc8aee0356247fef8071975d15772109b62cfd31e52cc43caa93270a216
SHA51209763cf8fd6cdf4a1652c89aa8bce2a4531fb1ebef862edd366346cfa4dd5ef5238ca740752441a08afff159022443bc2cb661f9de45dde88317dd170480ddd2
-
Filesize
70KB
MD5f8ba0ad3c372324eedc91e5d3719fec5
SHA139aa009e0caa6cccabe8c4c99f073bb863eb7ab0
SHA25686112e1c368f2ac7f278af9820e604cea6dd6df47e441d4ead71963f8fd39a37
SHA512fcc133baf6fd2d2762d4ea99e7e1adc8c40416db73f5b1d23b9482186eeb5b2669a480b4aa67e1d8184c4b069f2647f3e1980d3c5e971da9f41cf5f5824a7e63
-
Filesize
70KB
MD52cf1cae7c4074d2d32b8fe82ea874be7
SHA1f924c835917ac1b34b58bde55cdac483a4bfc300
SHA2562c9804eee2ba4fde149c1f7e52e8173482436ae847cb90855ab1eb00a1521cb8
SHA512fdd1db0c79877720534656d0d08481c51859c69b83e7a1cedf0ab8694379b9ed6d04690b9f92afe9585db6c1dda5b4820f0395dbf8fee78e42d83a13406ab20e
-
Filesize
70KB
MD590e05aaea564a51b9354797820a0f283
SHA1867a16d9d61c8195823a2d7f298e40d4b04ab651
SHA256f9055bff65c1b05ad08b2ff262126b0426d65cb87bf5335f6c9ef1b4afd459c3
SHA51259f7fa15796ae797a777e0a4fd89d90707e9f1576af9af5a91e86d45b9976d77a8df01e673244bae08e3fa1f1371fd315eb3e1444cca74a60d854b2cd2e661aa
-
Filesize
70KB
MD5c0b8bc65a05f41dceef78dc18659e16d
SHA154b89845905c2970a6dec8c14b130a9535af5f6d
SHA2568b01a0bba4888b2c89e8c064bc40982e861e5751941e396e64cfe911506f9a71
SHA5128aa7fc6feb3958d19883e657d1877ad85e925adf36c8853f3025731f0eb47cc8695c471792826734b626f0cccd3514753aa39db7988e8bbb2c35fa4daa81302a
-
Filesize
70KB
MD5190bd4851ad71ddd57803d9b6d7197cb
SHA106cdc71a93bdd18b41e7c64b759daae4093bcf59
SHA25603388efac53e6c0bd0039fdbb95e7c540ed67a6af0eceed205c51ce21cd9f99c
SHA5128ebc8a21745760d436d0d261ea1bae32eeb74457f11be44226276ff17e8ae11f2329cb85a1aac6f85edd511c88075389f290256d0a52555be5c1839f42ac2ffc
-
Filesize
70KB
MD530effec34a9f06465d12ca4820131a9b
SHA13d397551899a72cfff9e509218b5279bf3505507
SHA25606073bc8aee0356247fef8071975d15772109b62cfd31e52cc43caa93270a216
SHA51209763cf8fd6cdf4a1652c89aa8bce2a4531fb1ebef862edd366346cfa4dd5ef5238ca740752441a08afff159022443bc2cb661f9de45dde88317dd170480ddd2
-
Filesize
70KB
MD5357bf8d23d63e91e2e790121bb2e1acf
SHA1157b73796a8f63a183e695726658f2f962d51ed1
SHA256939448f87a9176706c2ee50e663f2d9064e4360ec17fd449ec3ab18d6163099b
SHA512b6629ad85e9eb9755f1303d51fa3437cf09dc9dcfa498a6b9fbbc8a7a4fbf91077886e5239410c21e493dc117bd3073e5a843b139995dbd0a8a2631d5b45633a
-
Filesize
70KB
MD530effec34a9f06465d12ca4820131a9b
SHA13d397551899a72cfff9e509218b5279bf3505507
SHA25606073bc8aee0356247fef8071975d15772109b62cfd31e52cc43caa93270a216
SHA51209763cf8fd6cdf4a1652c89aa8bce2a4531fb1ebef862edd366346cfa4dd5ef5238ca740752441a08afff159022443bc2cb661f9de45dde88317dd170480ddd2
-
Filesize
70KB
MD54c919b4305ffd5fa45d8fd3bbf93f40f
SHA1dafde90855f575661804a3af969d3c4dbbb2140e
SHA2568783b0e171b8838e86fcd3e27480026bd9c65a9df6b33cb087fa20edffa3ef03
SHA512155cdaa9a5f74a7593646e45f09fa6b07e3ae11a874f41849d6865b6f6909a190a84d81a9378f6f5e2416e0896f1592d33f0bfd5dac53d6bd004136d4e93c3d9
-
Filesize
70KB
MD5f8ba0ad3c372324eedc91e5d3719fec5
SHA139aa009e0caa6cccabe8c4c99f073bb863eb7ab0
SHA25686112e1c368f2ac7f278af9820e604cea6dd6df47e441d4ead71963f8fd39a37
SHA512fcc133baf6fd2d2762d4ea99e7e1adc8c40416db73f5b1d23b9482186eeb5b2669a480b4aa67e1d8184c4b069f2647f3e1980d3c5e971da9f41cf5f5824a7e63
-
Filesize
70KB
MD50da31cf2744a08c834d37ce51404a489
SHA142ee25407cc26cd01dab00b5d5cab2b749dae985
SHA25644a784dca5a852908ba17a4b00e28477389f68a6b399c590a3bd902dc9dab888
SHA51286dafa35463f31cdf01fcb2fa624a05bc4972d4f2abce3b51cd4b64d8cbd74eb0258d3f0f1df3894544af0f69d66482f3b31a5039f20a06a9a7fa0ea9dd2e20e
-
Filesize
70KB
MD5c85be4083e7c4eb257cd703f04564e09
SHA1c6bf180d857ce342b18ab21ee107e82a4c6b455e
SHA256b46b71d3592e28fbfe83f0aeea19b24b73c84ff1db3fca8e431645d6a04354a4
SHA512837ec038a9cbb50f55ae44caf21b40125620b16b5cedf1cb160725f8a33045094512c6c1bc780fc8d84c046e4abba89e9274b290737ec6a2dafbcf4e95c58ec2
-
Filesize
70KB
MD5c85be4083e7c4eb257cd703f04564e09
SHA1c6bf180d857ce342b18ab21ee107e82a4c6b455e
SHA256b46b71d3592e28fbfe83f0aeea19b24b73c84ff1db3fca8e431645d6a04354a4
SHA512837ec038a9cbb50f55ae44caf21b40125620b16b5cedf1cb160725f8a33045094512c6c1bc780fc8d84c046e4abba89e9274b290737ec6a2dafbcf4e95c58ec2
-
Filesize
70KB
MD52cf1cae7c4074d2d32b8fe82ea874be7
SHA1f924c835917ac1b34b58bde55cdac483a4bfc300
SHA2562c9804eee2ba4fde149c1f7e52e8173482436ae847cb90855ab1eb00a1521cb8
SHA512fdd1db0c79877720534656d0d08481c51859c69b83e7a1cedf0ab8694379b9ed6d04690b9f92afe9585db6c1dda5b4820f0395dbf8fee78e42d83a13406ab20e
-
Filesize
70KB
MD5f2be874800b168cab22998a47f870160
SHA1e2d3cc7c453130ab9cdd647084946a512133dabb
SHA256a9076d7e54dc01f3792c21f59d5d5adf32cc97ee3e68f266f2487f2dd603524d
SHA512d46fcfaf77b207dbf51f3a965ac4e741e2d1e8d51b6fbe18e43275f397551be939e720556cd2171cb84eef4ea2c04efc10434ca64dee0166b9cb5cacddd5936a
-
Filesize
70KB
MD590e05aaea564a51b9354797820a0f283
SHA1867a16d9d61c8195823a2d7f298e40d4b04ab651
SHA256f9055bff65c1b05ad08b2ff262126b0426d65cb87bf5335f6c9ef1b4afd459c3
SHA51259f7fa15796ae797a777e0a4fd89d90707e9f1576af9af5a91e86d45b9976d77a8df01e673244bae08e3fa1f1371fd315eb3e1444cca74a60d854b2cd2e661aa
-
Filesize
70KB
MD527a340e56a0510399716a9b30dcb79af
SHA1a1722ab20db2b14f6f9a0f8e4acc0a5c411b23db
SHA25603d037828d447521995ba834ca74251b40aaed4061d4f48f4c62f5babe33281f
SHA5125f2eaead96340b75e6e44a81e6baa86deab8e84af6829b75a6deff7ebf3f2a695b9c48c014d3bffc1a715b2d7c41d445056387b554526f00350bc3db7d561e28
-
Filesize
70KB
MD527a340e56a0510399716a9b30dcb79af
SHA1a1722ab20db2b14f6f9a0f8e4acc0a5c411b23db
SHA25603d037828d447521995ba834ca74251b40aaed4061d4f48f4c62f5babe33281f
SHA5125f2eaead96340b75e6e44a81e6baa86deab8e84af6829b75a6deff7ebf3f2a695b9c48c014d3bffc1a715b2d7c41d445056387b554526f00350bc3db7d561e28
-
Filesize
70KB
MD590e05aaea564a51b9354797820a0f283
SHA1867a16d9d61c8195823a2d7f298e40d4b04ab651
SHA256f9055bff65c1b05ad08b2ff262126b0426d65cb87bf5335f6c9ef1b4afd459c3
SHA51259f7fa15796ae797a777e0a4fd89d90707e9f1576af9af5a91e86d45b9976d77a8df01e673244bae08e3fa1f1371fd315eb3e1444cca74a60d854b2cd2e661aa
-
Filesize
70KB
MD590e05aaea564a51b9354797820a0f283
SHA1867a16d9d61c8195823a2d7f298e40d4b04ab651
SHA256f9055bff65c1b05ad08b2ff262126b0426d65cb87bf5335f6c9ef1b4afd459c3
SHA51259f7fa15796ae797a777e0a4fd89d90707e9f1576af9af5a91e86d45b9976d77a8df01e673244bae08e3fa1f1371fd315eb3e1444cca74a60d854b2cd2e661aa
-
Filesize
70KB
MD527a340e56a0510399716a9b30dcb79af
SHA1a1722ab20db2b14f6f9a0f8e4acc0a5c411b23db
SHA25603d037828d447521995ba834ca74251b40aaed4061d4f48f4c62f5babe33281f
SHA5125f2eaead96340b75e6e44a81e6baa86deab8e84af6829b75a6deff7ebf3f2a695b9c48c014d3bffc1a715b2d7c41d445056387b554526f00350bc3db7d561e28
-
Filesize
70KB
MD527a340e56a0510399716a9b30dcb79af
SHA1a1722ab20db2b14f6f9a0f8e4acc0a5c411b23db
SHA25603d037828d447521995ba834ca74251b40aaed4061d4f48f4c62f5babe33281f
SHA5125f2eaead96340b75e6e44a81e6baa86deab8e84af6829b75a6deff7ebf3f2a695b9c48c014d3bffc1a715b2d7c41d445056387b554526f00350bc3db7d561e28
-
Filesize
70KB
MD590e05aaea564a51b9354797820a0f283
SHA1867a16d9d61c8195823a2d7f298e40d4b04ab651
SHA256f9055bff65c1b05ad08b2ff262126b0426d65cb87bf5335f6c9ef1b4afd459c3
SHA51259f7fa15796ae797a777e0a4fd89d90707e9f1576af9af5a91e86d45b9976d77a8df01e673244bae08e3fa1f1371fd315eb3e1444cca74a60d854b2cd2e661aa
-
Filesize
70KB
MD527a340e56a0510399716a9b30dcb79af
SHA1a1722ab20db2b14f6f9a0f8e4acc0a5c411b23db
SHA25603d037828d447521995ba834ca74251b40aaed4061d4f48f4c62f5babe33281f
SHA5125f2eaead96340b75e6e44a81e6baa86deab8e84af6829b75a6deff7ebf3f2a695b9c48c014d3bffc1a715b2d7c41d445056387b554526f00350bc3db7d561e28
-
Filesize
70KB
MD590e05aaea564a51b9354797820a0f283
SHA1867a16d9d61c8195823a2d7f298e40d4b04ab651
SHA256f9055bff65c1b05ad08b2ff262126b0426d65cb87bf5335f6c9ef1b4afd459c3
SHA51259f7fa15796ae797a777e0a4fd89d90707e9f1576af9af5a91e86d45b9976d77a8df01e673244bae08e3fa1f1371fd315eb3e1444cca74a60d854b2cd2e661aa
-
Filesize
70KB
MD50007021a170538b3aa961310f0aae255
SHA13f10edf97b7153260e8237741154d7ac67e06f88
SHA256ea6b395a7aa0f374bbf08491eb4db988c0e1601caf9b866bf9f13da6106ac3e0
SHA512f744d656d2734859522fb48560bbd7bd33e0489c247dada4a78ad4d42fbb20084695d1c7950fda517ff4a3bd69c8a5669f2fcd5b34469d82c502361eba4f10c4
-
Filesize
70KB
MD51293b8d4aacd5d8f022750e6e7ce0170
SHA13b13f0218c731c741bb8026997ec32c726a6e7f8
SHA25680995e62d295429e267e6b580ef4fc95a41e5b86d30eb9f0d03c9c527b955bf1
SHA512d2005f9518c82f8a46924f466e76c855d6aef07d4b167f87183837b280780211128808aed5eb4730ed39d6fc860e25ba7173bf5922643172e601e480dd1a9ea6
-
Filesize
1KB
MD56635e047c242e6d64b2716d81095bf5f
SHA15def5300f894e58bbb0caaa94680f7735ccd248d
SHA2569757b4f406657c44fcbd40757d1ae06e833a8e1542ca976e6ae63578031b32bf
SHA512c9bae9bf090e7c67fac53d061bb43c2091e991c8f568889463d0c1af8f48652c79c51785c0906705098b418b2d7a4b200580fb44091ecf8bf24d8b1b45a258c0
-
Filesize
1KB
MD56635e047c242e6d64b2716d81095bf5f
SHA15def5300f894e58bbb0caaa94680f7735ccd248d
SHA2569757b4f406657c44fcbd40757d1ae06e833a8e1542ca976e6ae63578031b32bf
SHA512c9bae9bf090e7c67fac53d061bb43c2091e991c8f568889463d0c1af8f48652c79c51785c0906705098b418b2d7a4b200580fb44091ecf8bf24d8b1b45a258c0
-
Filesize
1KB
MD5e067dafcbe64a95f5045a281397732db
SHA11af7095f98c486ca247449980000d06b04ffc50c
SHA256b6085ee8c1f2de574973b9f3a7417257e25573c2b5228b5a8f87e3788e2733b6
SHA5121b575d62fee219538f8d624ab833cbce0aee431559a0adfa1e3ce9cd4f5ab8a2887b394843ebf164c884ccbed5687d644474328471b23c28edba8f99ccf08b58
-
Filesize
1KB
MD5e067dafcbe64a95f5045a281397732db
SHA11af7095f98c486ca247449980000d06b04ffc50c
SHA256b6085ee8c1f2de574973b9f3a7417257e25573c2b5228b5a8f87e3788e2733b6
SHA5121b575d62fee219538f8d624ab833cbce0aee431559a0adfa1e3ce9cd4f5ab8a2887b394843ebf164c884ccbed5687d644474328471b23c28edba8f99ccf08b58
-
Filesize
70KB
MD590e05aaea564a51b9354797820a0f283
SHA1867a16d9d61c8195823a2d7f298e40d4b04ab651
SHA256f9055bff65c1b05ad08b2ff262126b0426d65cb87bf5335f6c9ef1b4afd459c3
SHA51259f7fa15796ae797a777e0a4fd89d90707e9f1576af9af5a91e86d45b9976d77a8df01e673244bae08e3fa1f1371fd315eb3e1444cca74a60d854b2cd2e661aa
-
Filesize
70KB
MD590e05aaea564a51b9354797820a0f283
SHA1867a16d9d61c8195823a2d7f298e40d4b04ab651
SHA256f9055bff65c1b05ad08b2ff262126b0426d65cb87bf5335f6c9ef1b4afd459c3
SHA51259f7fa15796ae797a777e0a4fd89d90707e9f1576af9af5a91e86d45b9976d77a8df01e673244bae08e3fa1f1371fd315eb3e1444cca74a60d854b2cd2e661aa
-
Filesize
70KB
MD5a1e7d5a1cf5ee06b71f2cb554959e824
SHA1bf92882d96ca56421597ea068e2ac4409f82b180
SHA2567f9a08ac7ab1fc60997459d746fd9ecbdb52cf9eee7fee05a5992aad811afcf4
SHA512c73c9e9bcba168e078f108e45402436d3354fc261d95f35ece782a04e9e83467dc3fcda121dda9b494be019911753a3df9935b3f0b5b45c2c83f4565867b28c0
-
Filesize
70KB
MD5a1e7d5a1cf5ee06b71f2cb554959e824
SHA1bf92882d96ca56421597ea068e2ac4409f82b180
SHA2567f9a08ac7ab1fc60997459d746fd9ecbdb52cf9eee7fee05a5992aad811afcf4
SHA512c73c9e9bcba168e078f108e45402436d3354fc261d95f35ece782a04e9e83467dc3fcda121dda9b494be019911753a3df9935b3f0b5b45c2c83f4565867b28c0
-
Filesize
70KB
MD527a340e56a0510399716a9b30dcb79af
SHA1a1722ab20db2b14f6f9a0f8e4acc0a5c411b23db
SHA25603d037828d447521995ba834ca74251b40aaed4061d4f48f4c62f5babe33281f
SHA5125f2eaead96340b75e6e44a81e6baa86deab8e84af6829b75a6deff7ebf3f2a695b9c48c014d3bffc1a715b2d7c41d445056387b554526f00350bc3db7d561e28
-
Filesize
70KB
MD527a340e56a0510399716a9b30dcb79af
SHA1a1722ab20db2b14f6f9a0f8e4acc0a5c411b23db
SHA25603d037828d447521995ba834ca74251b40aaed4061d4f48f4c62f5babe33281f
SHA5125f2eaead96340b75e6e44a81e6baa86deab8e84af6829b75a6deff7ebf3f2a695b9c48c014d3bffc1a715b2d7c41d445056387b554526f00350bc3db7d561e28
-
Filesize
1.3MB
MD55343a19c618bc515ceb1695586c6c137
SHA14dedae8cbde066f31c8e6b52c0baa3f8b1117742
SHA2562246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce
SHA512708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606
-
Filesize
70KB
MD5bdd2501f0cae479f4fbcb65bb032ea17
SHA110b20fca7543644d32ef93f21f52cfd938e0a49a
SHA256f908a9893fb45edb9e51b4529e05832023aeb8061b2b15586141712961c0e4f6
SHA512f4183d66422db86391fe99e895e24b800a64c48c1567169d42f8b13a448f724cb13baccb37abfc474a889bae8f4bf1ec7592d10c4444fe1ec3c5c81e559d9542
-
Filesize
70KB
MD5190bd4851ad71ddd57803d9b6d7197cb
SHA106cdc71a93bdd18b41e7c64b759daae4093bcf59
SHA25603388efac53e6c0bd0039fdbb95e7c540ed67a6af0eceed205c51ce21cd9f99c
SHA5128ebc8a21745760d436d0d261ea1bae32eeb74457f11be44226276ff17e8ae11f2329cb85a1aac6f85edd511c88075389f290256d0a52555be5c1839f42ac2ffc
-
Filesize
70KB
MD52e89ee6d11f183e32110c76e67b66e1d
SHA147016dcae36c13f4adb1ac12880036292be6243b
SHA25625b8000f5d23e69f1619537ac1a197e4f105d53568806683b6c2c394ae05f9dd
SHA5124e126b2195f8edb78862af221e1d6dda6c620fbed5cf1467bac059ac8dacba3a45235598c67d190617fa941726790ab60c9cd2d979236018667b0eb698859d7e
-
Filesize
70KB
MD52e89ee6d11f183e32110c76e67b66e1d
SHA147016dcae36c13f4adb1ac12880036292be6243b
SHA25625b8000f5d23e69f1619537ac1a197e4f105d53568806683b6c2c394ae05f9dd
SHA5124e126b2195f8edb78862af221e1d6dda6c620fbed5cf1467bac059ac8dacba3a45235598c67d190617fa941726790ab60c9cd2d979236018667b0eb698859d7e
-
Filesize
70KB
MD52e89ee6d11f183e32110c76e67b66e1d
SHA147016dcae36c13f4adb1ac12880036292be6243b
SHA25625b8000f5d23e69f1619537ac1a197e4f105d53568806683b6c2c394ae05f9dd
SHA5124e126b2195f8edb78862af221e1d6dda6c620fbed5cf1467bac059ac8dacba3a45235598c67d190617fa941726790ab60c9cd2d979236018667b0eb698859d7e
-
Filesize
70KB
MD52e89ee6d11f183e32110c76e67b66e1d
SHA147016dcae36c13f4adb1ac12880036292be6243b
SHA25625b8000f5d23e69f1619537ac1a197e4f105d53568806683b6c2c394ae05f9dd
SHA5124e126b2195f8edb78862af221e1d6dda6c620fbed5cf1467bac059ac8dacba3a45235598c67d190617fa941726790ab60c9cd2d979236018667b0eb698859d7e
-
Filesize
70KB
MD52e89ee6d11f183e32110c76e67b66e1d
SHA147016dcae36c13f4adb1ac12880036292be6243b
SHA25625b8000f5d23e69f1619537ac1a197e4f105d53568806683b6c2c394ae05f9dd
SHA5124e126b2195f8edb78862af221e1d6dda6c620fbed5cf1467bac059ac8dacba3a45235598c67d190617fa941726790ab60c9cd2d979236018667b0eb698859d7e
-
Filesize
70KB
MD5e537626ab9eee488f7533c860e86ac47
SHA1483e2a2e3ed6dc23da2d435ae77f16bb626b1353
SHA2562b1f71e67aa5e1685109096981c276e6894d5f40e99d374030d2c499d9b7ad59
SHA512db989ea573a4be61ced3d4211d18d53bfd110cffcc65165e1ce6f731edc805c15709c03dbbfd882880e740349e1446658ad8195726f33a02ffe0d0475f6621e7
-
Filesize
70KB
MD5190bd4851ad71ddd57803d9b6d7197cb
SHA106cdc71a93bdd18b41e7c64b759daae4093bcf59
SHA25603388efac53e6c0bd0039fdbb95e7c540ed67a6af0eceed205c51ce21cd9f99c
SHA5128ebc8a21745760d436d0d261ea1bae32eeb74457f11be44226276ff17e8ae11f2329cb85a1aac6f85edd511c88075389f290256d0a52555be5c1839f42ac2ffc
-
Filesize
70KB
MD5190bd4851ad71ddd57803d9b6d7197cb
SHA106cdc71a93bdd18b41e7c64b759daae4093bcf59
SHA25603388efac53e6c0bd0039fdbb95e7c540ed67a6af0eceed205c51ce21cd9f99c
SHA5128ebc8a21745760d436d0d261ea1bae32eeb74457f11be44226276ff17e8ae11f2329cb85a1aac6f85edd511c88075389f290256d0a52555be5c1839f42ac2ffc
-
Filesize
70KB
MD530effec34a9f06465d12ca4820131a9b
SHA13d397551899a72cfff9e509218b5279bf3505507
SHA25606073bc8aee0356247fef8071975d15772109b62cfd31e52cc43caa93270a216
SHA51209763cf8fd6cdf4a1652c89aa8bce2a4531fb1ebef862edd366346cfa4dd5ef5238ca740752441a08afff159022443bc2cb661f9de45dde88317dd170480ddd2
-
Filesize
70KB
MD530effec34a9f06465d12ca4820131a9b
SHA13d397551899a72cfff9e509218b5279bf3505507
SHA25606073bc8aee0356247fef8071975d15772109b62cfd31e52cc43caa93270a216
SHA51209763cf8fd6cdf4a1652c89aa8bce2a4531fb1ebef862edd366346cfa4dd5ef5238ca740752441a08afff159022443bc2cb661f9de45dde88317dd170480ddd2
-
Filesize
70KB
MD5f8ba0ad3c372324eedc91e5d3719fec5
SHA139aa009e0caa6cccabe8c4c99f073bb863eb7ab0
SHA25686112e1c368f2ac7f278af9820e604cea6dd6df47e441d4ead71963f8fd39a37
SHA512fcc133baf6fd2d2762d4ea99e7e1adc8c40416db73f5b1d23b9482186eeb5b2669a480b4aa67e1d8184c4b069f2647f3e1980d3c5e971da9f41cf5f5824a7e63
-
Filesize
70KB
MD5f8ba0ad3c372324eedc91e5d3719fec5
SHA139aa009e0caa6cccabe8c4c99f073bb863eb7ab0
SHA25686112e1c368f2ac7f278af9820e604cea6dd6df47e441d4ead71963f8fd39a37
SHA512fcc133baf6fd2d2762d4ea99e7e1adc8c40416db73f5b1d23b9482186eeb5b2669a480b4aa67e1d8184c4b069f2647f3e1980d3c5e971da9f41cf5f5824a7e63
-
Filesize
70KB
MD52cf1cae7c4074d2d32b8fe82ea874be7
SHA1f924c835917ac1b34b58bde55cdac483a4bfc300
SHA2562c9804eee2ba4fde149c1f7e52e8173482436ae847cb90855ab1eb00a1521cb8
SHA512fdd1db0c79877720534656d0d08481c51859c69b83e7a1cedf0ab8694379b9ed6d04690b9f92afe9585db6c1dda5b4820f0395dbf8fee78e42d83a13406ab20e
-
Filesize
70KB
MD52cf1cae7c4074d2d32b8fe82ea874be7
SHA1f924c835917ac1b34b58bde55cdac483a4bfc300
SHA2562c9804eee2ba4fde149c1f7e52e8173482436ae847cb90855ab1eb00a1521cb8
SHA512fdd1db0c79877720534656d0d08481c51859c69b83e7a1cedf0ab8694379b9ed6d04690b9f92afe9585db6c1dda5b4820f0395dbf8fee78e42d83a13406ab20e
-
Filesize
70KB
MD52e89ee6d11f183e32110c76e67b66e1d
SHA147016dcae36c13f4adb1ac12880036292be6243b
SHA25625b8000f5d23e69f1619537ac1a197e4f105d53568806683b6c2c394ae05f9dd
SHA5124e126b2195f8edb78862af221e1d6dda6c620fbed5cf1467bac059ac8dacba3a45235598c67d190617fa941726790ab60c9cd2d979236018667b0eb698859d7e
-
Filesize
70KB
MD52e89ee6d11f183e32110c76e67b66e1d
SHA147016dcae36c13f4adb1ac12880036292be6243b
SHA25625b8000f5d23e69f1619537ac1a197e4f105d53568806683b6c2c394ae05f9dd
SHA5124e126b2195f8edb78862af221e1d6dda6c620fbed5cf1467bac059ac8dacba3a45235598c67d190617fa941726790ab60c9cd2d979236018667b0eb698859d7e
-
Filesize
70KB
MD52e89ee6d11f183e32110c76e67b66e1d
SHA147016dcae36c13f4adb1ac12880036292be6243b
SHA25625b8000f5d23e69f1619537ac1a197e4f105d53568806683b6c2c394ae05f9dd
SHA5124e126b2195f8edb78862af221e1d6dda6c620fbed5cf1467bac059ac8dacba3a45235598c67d190617fa941726790ab60c9cd2d979236018667b0eb698859d7e
-
Filesize
70KB
MD52e89ee6d11f183e32110c76e67b66e1d
SHA147016dcae36c13f4adb1ac12880036292be6243b
SHA25625b8000f5d23e69f1619537ac1a197e4f105d53568806683b6c2c394ae05f9dd
SHA5124e126b2195f8edb78862af221e1d6dda6c620fbed5cf1467bac059ac8dacba3a45235598c67d190617fa941726790ab60c9cd2d979236018667b0eb698859d7e
-
Filesize
70KB
MD52e89ee6d11f183e32110c76e67b66e1d
SHA147016dcae36c13f4adb1ac12880036292be6243b
SHA25625b8000f5d23e69f1619537ac1a197e4f105d53568806683b6c2c394ae05f9dd
SHA5124e126b2195f8edb78862af221e1d6dda6c620fbed5cf1467bac059ac8dacba3a45235598c67d190617fa941726790ab60c9cd2d979236018667b0eb698859d7e
-
Filesize
432KB
-
Filesize
432KB
-
Filesize
432KB
-
Filesize
432KB
-
Filesize
432KB
-
Filesize
432KB
-
Filesize
432KB
-
Filesize
432KB
-
Filesize
432KB
-
Filesize
432KB
-
Filesize
432KB
-
Filesize
432KB
-
Filesize
432KB
-
Filesize
432KB
-
Filesize
432KB
-
Filesize
432KB
-
Filesize
432KB
-
Filesize
432KB
-
Filesize
432KB
-
Filesize
432KB
-
Filesize
432KB
-
Filesize
432KB
-
Filesize
432KB
-
Filesize
8KB
-
Filesize
432KB
-
Filesize
432KB
-
Filesize
432KB
-
Filesize
432KB
-
Filesize
432KB
-
Filesize
432KB
-
Filesize
432KB
-
Filesize
432KB
-
Filesize
432KB
-
Filesize
432KB
-
Filesize
432KB
-
Filesize
432KB
-
Filesize
432KB
-
Filesize
432KB
-
Filesize
432KB
-
Filesize
432KB
-
Filesize
432KB
-
Filesize
432KB
-
Filesize
432KB
-
Filesize
432KB
-
Filesize
432KB
-
Filesize
432KB
-
Filesize
432KB
-
Filesize
432KB
-
Filesize
432KB
-
Filesize
432KB
-
Filesize
432KB
-
Filesize
432KB
-
Filesize
432KB
-
Filesize
432KB
-
Filesize
432KB
-
Filesize
432KB
-
Filesize
432KB
-
Filesize
432KB
-
Filesize
432KB
-
Filesize
432KB
-
Filesize
432KB
-
Filesize
432KB
-
Filesize
432KB
-
Filesize
432KB
-
Filesize
432KB