14bd4541137ec39fafa313003dbaa93d31ee5c1dcbc90e8287dc279683a9ba20

Analysis

max time kernel
149s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
18-01-2024 04:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6476bbf019b75400e65de9d79edcefb2.exe
Size

70KB
MD5

6476bbf019b75400e65de9d79edcefb2
SHA1

f2bf1ffcdcaafcf91d9afb94e2f2d9bc723cb394
SHA256

14bd4541137ec39fafa313003dbaa93d31ee5c1dcbc90e8287dc279683a9ba20
SHA512

070adb617df5e85d460f5ba1c5c7da0a4ced96e80bc4182b780258710406ba7e2b58bb68bff427b352cee012930000dbd706564644ae4f4f43a328a53e611d3a
SSDEEP

1536:1LHIlfH7Q6qRBwWa2qxQFZA+j6L0Ww+9:1oS6qcWjqazp6LNR

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 18 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Lubang Hitam.exe"	6476bbf019b75400e65de9d79edcefb2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\Lubang Hitam.exe\""	Black Hole.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\Lubang Hitam.exe\""	Lubang Hitam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Lubang Hitam.exe"	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\Lubang Hitam.exe\""	Black Hole.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Lubang Hitam.exe"	Black Hole.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Lubang Hitam.exe"	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\Lubang Hitam.exe\""	CSRSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Lubang Hitam.exe"	LSASS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Lubang Hitam.exe"	Black Hole.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Lubang Hitam.exe"	CSRSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\Lubang Hitam.exe\""	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\Lubang Hitam.exe\""	6476bbf019b75400e65de9d79edcefb2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Lubang Hitam.exe"	Lubang Hitam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\Lubang Hitam.exe\""	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\Lubang Hitam.exe\""	LSASS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\Lubang Hitam.exe\""	SMSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Lubang Hitam.exe"	SMSS.EXE

Modifies visibility of file extensions in Explorer 2 TTPs 9 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Black Hole.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	CSRSS.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	SERVICES.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	LSASS.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	SMSS.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Black Hole.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	6476bbf019b75400e65de9d79edcefb2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Lubang Hitam.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	WINLOGON.EXE

Modifies visiblity of hidden/system files in Explorer 2 TTPs 9 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	6476bbf019b75400e65de9d79edcefb2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	Lubang Hitam.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	WINLOGON.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	CSRSS.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	LSASS.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	SMSS.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	Black Hole.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	Black Hole.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	SERVICES.EXE

Windows security bypass 2 TTPs 27 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	6476bbf019b75400e65de9d79edcefb2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	Lubang Hitam.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	WINLOGON.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	CSRSS.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	CSRSS.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	SERVICES.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	Black Hole.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	Black Hole.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	Lubang Hitam.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	WINLOGON.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	SERVICES.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	LSASS.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	LSASS.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	Black Hole.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	6476bbf019b75400e65de9d79edcefb2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	SERVICES.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	SMSS.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	6476bbf019b75400e65de9d79edcefb2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	Black Hole.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	WINLOGON.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	SMSS.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	Black Hole.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	LSASS.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	SMSS.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	Lubang Hitam.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	Black Hole.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	CSRSS.EXE

Disables RegEdit via registry modification 18 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	SERVICES.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	SMSS.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Black Hole.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Lubang Hitam.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	SERVICES.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	CSRSS.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	CSRSS.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Black Hole.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	LSASS.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Black Hole.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Black Hole.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Lubang Hitam.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	WINLOGON.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	WINLOGON.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	LSASS.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	SMSS.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	6476bbf019b75400e65de9d79edcefb2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	6476bbf019b75400e65de9d79edcefb2.exe

Disables Task Manager via registry modification
evasion
Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Executes dropped EXE 9 IoCs

pid	Process
2580	Black Hole.exe
1396	Lubang Hitam.exe
4144	WINLOGON.EXE
4736	CSRSS.EXE
3304	SERVICES.EXE
3100	LSASS.EXE
2644	SMSS.EXE
2248	Black Hole.exe
1752	Lubang Hitam.exe

Loads dropped DLL 1 IoCs

pid	Process
2248	Black Hole.exe

Modifies system executable filetype association 2 TTPs 64 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	6476bbf019b75400e65de9d79edcefb2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*"	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	Black Hole.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	6476bbf019b75400e65de9d79edcefb2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*"	Lubang Hitam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	CSRSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*"	Lubang Hitam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*"	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	SMSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	LSASS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	LSASS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	SMSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	Black Hole.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*"	Black Hole.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	6476bbf019b75400e65de9d79edcefb2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*"	CSRSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	LSASS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	6476bbf019b75400e65de9d79edcefb2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*"	Lubang Hitam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*"	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	SMSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*"	6476bbf019b75400e65de9d79edcefb2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*"	6476bbf019b75400e65de9d79edcefb2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*"	Black Hole.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	SMSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	SMSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	Black Hole.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	6476bbf019b75400e65de9d79edcefb2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	6476bbf019b75400e65de9d79edcefb2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*"	Black Hole.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	Lubang Hitam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	Lubang Hitam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*"	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	CSRSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*"	LSASS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	6476bbf019b75400e65de9d79edcefb2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*"	Black Hole.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*"	LSASS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*"	LSASS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*"	Black Hole.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	Black Hole.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	CSRSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*"	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	CSRSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*"	Black Hole.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*"	LSASS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*"	CSRSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	LSASS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*"	SMSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*"	SMSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*"	SMSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	SMSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*"	Black Hole.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*"	6476bbf019b75400e65de9d79edcefb2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*"	Black Hole.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*"	Lubang Hitam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*"	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	6476bbf019b75400e65de9d79edcefb2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	Lubang Hitam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*"	LSASS.EXE

Windows security modification 2 TTPs 36 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	Lubang Hitam.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	WINLOGON.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	SERVICES.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	SERVICES.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	SMSS.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	6476bbf019b75400e65de9d79edcefb2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	CSRSS.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	SERVICES.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	LSASS.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	Black Hole.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	6476bbf019b75400e65de9d79edcefb2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	CSRSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\	SERVICES.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	Black Hole.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	Black Hole.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	Lubang Hitam.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	WINLOGON.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	LSASS.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	SMSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\	6476bbf019b75400e65de9d79edcefb2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	Black Hole.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	Black Hole.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	6476bbf019b75400e65de9d79edcefb2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\	WINLOGON.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\	LSASS.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	LSASS.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	SMSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\	Black Hole.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	CSRSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\	SMSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\	Black Hole.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	Black Hole.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\	Lubang Hitam.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	Lubang Hitam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\	CSRSS.EXE

Adds Run key to start application 2 TTPs 45 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	CSRSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"	CSRSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Black Hole = "C:\\Windows\\Black Hole.exe"	6476bbf019b75400e65de9d79edcefb2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"	Black Hole.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE"	Lubang Hitam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	WINLOGON.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	SMSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	Black Hole.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE"	Black Hole.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Black Hole = "C:\\Windows\\Black Hole.exe"	Black Hole.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	Lubang Hitam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	SERVICES.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE"	SERVICES.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Black Hole = "C:\\Windows\\Black Hole.exe"	LSASS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"	LSASS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE"	SMSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE"	WINLOGON.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Black Hole = "C:\\Windows\\Black Hole.exe"	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"	WINLOGON.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	LSASS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE"	Black Hole.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	WINLOGON.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	Black Hole.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Black Hole = "C:\\Windows\\Black Hole.exe"	Lubang Hitam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Black Hole = "C:\\Windows\\Black Hole.exe"	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE"	CSRSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Black Hole = "C:\\Windows\\Black Hole.exe"	Black Hole.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE"	6476bbf019b75400e65de9d79edcefb2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	Black Hole.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	Lubang Hitam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"	Lubang Hitam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	CSRSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"	SERVICES.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	LSASS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE"	LSASS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	6476bbf019b75400e65de9d79edcefb2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	6476bbf019b75400e65de9d79edcefb2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"	SMSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"	6476bbf019b75400e65de9d79edcefb2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"	Black Hole.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	SMSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	Black Hole.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Black Hole = "C:\\Windows\\Black Hole.exe"	CSRSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Black Hole = "C:\\Windows\\Black Hole.exe"	SMSS.EXE

Enumerates connected drives 3 TTPs 44 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Z:	Lubang Hitam.exe
File opened (read-only)	\??\K:	6476bbf019b75400e65de9d79edcefb2.exe
File opened (read-only)	\??\L:	6476bbf019b75400e65de9d79edcefb2.exe
File opened (read-only)	\??\W:	6476bbf019b75400e65de9d79edcefb2.exe
File opened (read-only)	\??\L:	Lubang Hitam.exe
File opened (read-only)	\??\R:	Lubang Hitam.exe
File opened (read-only)	\??\Y:	Lubang Hitam.exe
File opened (read-only)	\??\X:	Lubang Hitam.exe
File opened (read-only)	\??\B:	Lubang Hitam.exe
File opened (read-only)	\??\G:	Lubang Hitam.exe
File opened (read-only)	\??\I:	Lubang Hitam.exe
File opened (read-only)	\??\O:	Lubang Hitam.exe
File opened (read-only)	\??\P:	Lubang Hitam.exe
File opened (read-only)	\??\W:	Lubang Hitam.exe
File opened (read-only)	\??\B:	6476bbf019b75400e65de9d79edcefb2.exe
File opened (read-only)	\??\E:	6476bbf019b75400e65de9d79edcefb2.exe
File opened (read-only)	\??\V:	6476bbf019b75400e65de9d79edcefb2.exe
File opened (read-only)	\??\E:	Lubang Hitam.exe
File opened (read-only)	\??\K:	Lubang Hitam.exe
File opened (read-only)	\??\M:	6476bbf019b75400e65de9d79edcefb2.exe
File opened (read-only)	\??\R:	6476bbf019b75400e65de9d79edcefb2.exe
File opened (read-only)	\??\Q:	Lubang Hitam.exe
File opened (read-only)	\??\V:	Lubang Hitam.exe
File opened (read-only)	\??\S:	Lubang Hitam.exe
File opened (read-only)	\??\H:	6476bbf019b75400e65de9d79edcefb2.exe
File opened (read-only)	\??\I:	6476bbf019b75400e65de9d79edcefb2.exe
File opened (read-only)	\??\O:	6476bbf019b75400e65de9d79edcefb2.exe
File opened (read-only)	\??\Z:	6476bbf019b75400e65de9d79edcefb2.exe
File opened (read-only)	\??\J:	Lubang Hitam.exe
File opened (read-only)	\??\M:	Lubang Hitam.exe
File opened (read-only)	\??\N:	Lubang Hitam.exe
File opened (read-only)	\??\T:	Lubang Hitam.exe
File opened (read-only)	\??\N:	6476bbf019b75400e65de9d79edcefb2.exe
File opened (read-only)	\??\P:	6476bbf019b75400e65de9d79edcefb2.exe
File opened (read-only)	\??\Q:	6476bbf019b75400e65de9d79edcefb2.exe
File opened (read-only)	\??\S:	6476bbf019b75400e65de9d79edcefb2.exe
File opened (read-only)	\??\U:	6476bbf019b75400e65de9d79edcefb2.exe
File opened (read-only)	\??\H:	Lubang Hitam.exe
File opened (read-only)	\??\U:	Lubang Hitam.exe
File opened (read-only)	\??\G:	6476bbf019b75400e65de9d79edcefb2.exe
File opened (read-only)	\??\J:	6476bbf019b75400e65de9d79edcefb2.exe
File opened (read-only)	\??\T:	6476bbf019b75400e65de9d79edcefb2.exe
File opened (read-only)	\??\X:	6476bbf019b75400e65de9d79edcefb2.exe
File opened (read-only)	\??\Y:	6476bbf019b75400e65de9d79edcefb2.exe

Drops autorun.inf file 1 TTPs 4 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	F:\Autorun.inf	6476bbf019b75400e65de9d79edcefb2.exe
File created	C:\Autorun.inf	6476bbf019b75400e65de9d79edcefb2.exe
File opened for modification	C:\Autorun.inf	6476bbf019b75400e65de9d79edcefb2.exe
File created	F:\Autorun.inf	6476bbf019b75400e65de9d79edcefb2.exe

Drops file in System32 directory 17 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Destruction.scr	6476bbf019b75400e65de9d79edcefb2.exe
File opened for modification	C:\Windows\SysWOW64\Shell.exe	Lubang Hitam.exe
File created	C:\Windows\SysWOW64\Destruction.scr	6476bbf019b75400e65de9d79edcefb2.exe
File created	C:\Windows\SysWOW64\Shell.exe	6476bbf019b75400e65de9d79edcefb2.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	Lubang Hitam.exe
File opened for modification	C:\Windows\SysWOW64\Shell.exe	6476bbf019b75400e65de9d79edcefb2.exe
File opened for modification	C:\Windows\SysWOW64\Lubang Hitam.exe	Lubang Hitam.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	Lubang Hitam.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	Lubang Hitam.exe
File opened for modification	C:\Windows\SysWOW64\Shell.exe	WINLOGON.EXE
File opened for modification	C:\Windows\SysWOW64\Lubang Hitam.exe	WINLOGON.EXE
File created	C:\Windows\SysWOW64\msvbvm60.dll	Lubang Hitam.exe
File opened for modification	C:\Windows\SysWOW64\Lubang Hitam.exe	6476bbf019b75400e65de9d79edcefb2.exe
File opened for modification	C:\Windows\SysWOW64\Destruction.scr	Lubang Hitam.exe
File created	C:\Windows\SysWOW64\Lubang Hitam.exe	Lubang Hitam.exe
File opened for modification	C:\Windows\SysWOW64\Destruction.scr	WINLOGON.EXE
File created	C:\Windows\SysWOW64\Lubang Hitam.exe	6476bbf019b75400e65de9d79edcefb2.exe

Drops file in Windows directory 15 IoCs

description	ioc	Process
File created	C:\WINDOWS\Hacked By Gerry.txt	6476bbf019b75400e65de9d79edcefb2.exe
File opened for modification	C:\Windows\Black Hole.exe	WINLOGON.EXE
File created	C:\WINDOWS\Black Hole.txt	6476bbf019b75400e65de9d79edcefb2.exe
File opened for modification	C:\WINDOWS\Black Hole.txt	6476bbf019b75400e65de9d79edcefb2.exe
File opened for modification	C:\WINDOWS\Black Hole.txt	Lubang Hitam.exe
File created	C:\Windows\Black Hole.exe	WINLOGON.EXE
File opened for modification	C:\Windows\msvbvm60.dll	Lubang Hitam.exe
File opened for modification	C:\Windows\Black Hole.exe	Lubang Hitam.exe
File opened for modification	C:\WINDOWS\Hacked By Gerry.txt	Lubang Hitam.exe
File opened for modification	C:\Windows\msvbvm60.dll	Lubang Hitam.exe
File opened for modification	C:\WINDOWS\Hacked By Gerry.txt	6476bbf019b75400e65de9d79edcefb2.exe
File created	C:\Windows\msvbvm60.dll	Lubang Hitam.exe
File created	C:\Windows\msvbvm60.dll	Lubang Hitam.exe
File opened for modification	C:\Windows\Black Hole.exe	6476bbf019b75400e65de9d79edcefb2.exe
File created	C:\Windows\Black Hole.exe	6476bbf019b75400e65de9d79edcefb2.exe

Modifies Control Panel 54 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\Desktop\	CSRSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	CSRSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	LSASS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	Lubang Hitam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	SERVICES.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\DESTRU~1.SCR"	SMSS.EXE
Key created	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\Desktop\	SMSS.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\Mouse\SwapMouseButtons = "1"	SMSS.EXE
Key created	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\Desktop\	6476bbf019b75400e65de9d79edcefb2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	6476bbf019b75400e65de9d79edcefb2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	Black Hole.exe
Key created	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\Mouse\	WINLOGON.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\DESTRU~1.SCR"	Black Hole.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\DESTRU~1.SCR"	LSASS.EXE
Key created	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\Desktop\	Black Hole.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	Lubang Hitam.exe
Key created	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\Mouse\	Lubang Hitam.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\Mouse\SwapMouseButtons = "1"	WINLOGON.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\Mouse\SwapMouseButtons = "1"	SERVICES.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\DESTRU~1.SCR"	6476bbf019b75400e65de9d79edcefb2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\DESTRU~1.SCR"	CSRSS.EXE
Key created	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\Mouse\	6476bbf019b75400e65de9d79edcefb2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\DESTRU~1.SCR"	WINLOGON.EXE
Key created	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\Desktop\	LSASS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	SMSS.EXE
Key created	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\Desktop\	SERVICES.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	Black Hole.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	Black Hole.exe
Key created	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\Desktop\	WINLOGON.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	WINLOGON.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	CSRSS.EXE
Key created	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\Mouse\	LSASS.EXE
Key created	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\Desktop\	Black Hole.exe
Key created	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\Mouse\	Black Hole.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\DESTRU~1.SCR"	Black Hole.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\Mouse\SwapMouseButtons = "1"	CSRSS.EXE
Key created	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\Mouse\	SERVICES.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\Mouse\SwapMouseButtons = "1"	LSASS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	Black Hole.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\Mouse\SwapMouseButtons = "1"	Black Hole.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	6476bbf019b75400e65de9d79edcefb2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\Mouse\SwapMouseButtons = "1"	6476bbf019b75400e65de9d79edcefb2.exe
Key created	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\Mouse\	CSRSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	SERVICES.EXE
Key created	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\Desktop\	Lubang Hitam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	WINLOGON.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\DESTRU~1.SCR"	SERVICES.EXE
Key created	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\Mouse\	Black Hole.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\Mouse\SwapMouseButtons = "1"	Lubang Hitam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	LSASS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	SMSS.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\Mouse\SwapMouseButtons = "1"	Black Hole.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\DESTRU~1.SCR"	Lubang Hitam.exe
Key created	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\Mouse\	SMSS.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	6476bbf019b75400e65de9d79edcefb2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	6476bbf019b75400e65de9d79edcefb2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	Black Hole.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*"	SMSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	SMSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	6476bbf019b75400e65de9d79edcefb2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	Black Hole.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*"	Black Hole.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*"	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*"	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command	SMSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	LSASS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	SMSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*"	6476bbf019b75400e65de9d79edcefb2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*"	6476bbf019b75400e65de9d79edcefb2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*"	Black Hole.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	Lubang Hitam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	Black Hole.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*"	Black Hole.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*"	Lubang Hitam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*"	LSASS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	CSRSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*"	CSRSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*"	6476bbf019b75400e65de9d79edcefb2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*"	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	Black Hole.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	Black Hole.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	Lubang Hitam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	CSRSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*"	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*"	CSRSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command	LSASS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	Black Hole.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*"	LSASS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*"	6476bbf019b75400e65de9d79edcefb2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*"	Black Hole.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	Lubang Hitam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*"	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*"	Black Hole.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	LSASS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	SMSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	SMSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*"	6476bbf019b75400e65de9d79edcefb2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*"	LSASS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*"	Black Hole.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile	6476bbf019b75400e65de9d79edcefb2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*"	Lubang Hitam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command	CSRSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	Black Hole.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*"	Lubang Hitam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*"	Black Hole.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	LSASS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*"	Black Hole.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
2580	Black Hole.exe
2580	Black Hole.exe
2248	Black Hole.exe
2248	Black Hole.exe
2248	Black Hole.exe
2248	Black Hole.exe
2248	Black Hole.exe
2248	Black Hole.exe
2248	Black Hole.exe
2248	Black Hole.exe
2248	Black Hole.exe
2248	Black Hole.exe
2248	Black Hole.exe
2248	Black Hole.exe
2248	Black Hole.exe
2248	Black Hole.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1780	6476bbf019b75400e65de9d79edcefb2.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeShutdownPrivilege	692	shutdown.exe
Token: SeRemoteShutdownPrivilege	692	shutdown.exe
Token: SeShutdownPrivilege	424	shutdown.exe
Token: SeRemoteShutdownPrivilege	424	shutdown.exe
Token: SeShutdownPrivilege	3824	shutdown.exe
Token: SeRemoteShutdownPrivilege	3824	shutdown.exe
Token: SeShutdownPrivilege	1972	shutdown.exe
Token: SeRemoteShutdownPrivilege	1972	shutdown.exe
Token: SeShutdownPrivilege	1752	Lubang Hitam.exe
Token: SeRemoteShutdownPrivilege	1752	Lubang Hitam.exe
Token: SeShutdownPrivilege	4872	shutdown.exe
Token: SeRemoteShutdownPrivilege	4872	shutdown.exe
Token: SeShutdownPrivilege	2076	shutdown.exe
Token: SeRemoteShutdownPrivilege	2076	shutdown.exe
Token: SeShutdownPrivilege	4612	shutdown.exe
Token: SeRemoteShutdownPrivilege	4612	shutdown.exe
Token: SeShutdownPrivilege	3924	shutdown.exe
Token: SeRemoteShutdownPrivilege	3924	shutdown.exe
Token: SeShutdownPrivilege	8	shutdown.exe
Token: SeRemoteShutdownPrivilege	8	shutdown.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
1780	6476bbf019b75400e65de9d79edcefb2.exe
2580	Black Hole.exe
1396	Lubang Hitam.exe
4144	WINLOGON.EXE
4736	CSRSS.EXE
3304	SERVICES.EXE
3100	LSASS.EXE
2644	SMSS.EXE
2248	Black Hole.exe
1752	Lubang Hitam.exe

Suspicious use of WriteProcessMemory 57 IoCs

description	pid	Process	procid_target
PID 1780 wrote to memory of 692	1780	6476bbf019b75400e65de9d79edcefb2.exe	86
PID 1780 wrote to memory of 692	1780	6476bbf019b75400e65de9d79edcefb2.exe	86
PID 1780 wrote to memory of 692	1780	6476bbf019b75400e65de9d79edcefb2.exe	86
PID 1780 wrote to memory of 2580	1780	6476bbf019b75400e65de9d79edcefb2.exe	92
PID 1780 wrote to memory of 2580	1780	6476bbf019b75400e65de9d79edcefb2.exe	92
PID 1780 wrote to memory of 2580	1780	6476bbf019b75400e65de9d79edcefb2.exe	92
PID 2580 wrote to memory of 424	2580	Black Hole.exe	96
PID 2580 wrote to memory of 424	2580	Black Hole.exe	96
PID 2580 wrote to memory of 424	2580	Black Hole.exe	96
PID 1780 wrote to memory of 1396	1780	6476bbf019b75400e65de9d79edcefb2.exe	99
PID 1780 wrote to memory of 1396	1780	6476bbf019b75400e65de9d79edcefb2.exe	99
PID 1780 wrote to memory of 1396	1780	6476bbf019b75400e65de9d79edcefb2.exe	99
PID 1396 wrote to memory of 3824	1396	Lubang Hitam.exe	97
PID 1396 wrote to memory of 3824	1396	Lubang Hitam.exe	97
PID 1396 wrote to memory of 3824	1396	Lubang Hitam.exe	97
PID 1780 wrote to memory of 4144	1780	6476bbf019b75400e65de9d79edcefb2.exe	100
PID 1780 wrote to memory of 4144	1780	6476bbf019b75400e65de9d79edcefb2.exe	100
PID 1780 wrote to memory of 4144	1780	6476bbf019b75400e65de9d79edcefb2.exe	100
PID 4144 wrote to memory of 1972	4144	WINLOGON.EXE	102
PID 4144 wrote to memory of 1972	4144	WINLOGON.EXE	102
PID 4144 wrote to memory of 1972	4144	WINLOGON.EXE	102
PID 1780 wrote to memory of 4736	1780	6476bbf019b75400e65de9d79edcefb2.exe	114
PID 1780 wrote to memory of 4736	1780	6476bbf019b75400e65de9d79edcefb2.exe	114
PID 1780 wrote to memory of 4736	1780	6476bbf019b75400e65de9d79edcefb2.exe	114
PID 4736 wrote to memory of 1752	4736	CSRSS.EXE	121
PID 4736 wrote to memory of 1752	4736	CSRSS.EXE	121
PID 4736 wrote to memory of 1752	4736	CSRSS.EXE	121
PID 1780 wrote to memory of 3304	1780	6476bbf019b75400e65de9d79edcefb2.exe	103
PID 1780 wrote to memory of 3304	1780	6476bbf019b75400e65de9d79edcefb2.exe	103
PID 1780 wrote to memory of 3304	1780	6476bbf019b75400e65de9d79edcefb2.exe	103
PID 3304 wrote to memory of 4872	3304	SERVICES.EXE	106
PID 3304 wrote to memory of 4872	3304	SERVICES.EXE	106
PID 3304 wrote to memory of 4872	3304	SERVICES.EXE	106
PID 1780 wrote to memory of 3100	1780	6476bbf019b75400e65de9d79edcefb2.exe	112
PID 1780 wrote to memory of 3100	1780	6476bbf019b75400e65de9d79edcefb2.exe	112
PID 1780 wrote to memory of 3100	1780	6476bbf019b75400e65de9d79edcefb2.exe	112
PID 3100 wrote to memory of 2076	3100	LSASS.EXE	111
PID 3100 wrote to memory of 2076	3100	LSASS.EXE	111
PID 3100 wrote to memory of 2076	3100	LSASS.EXE	111
PID 1780 wrote to memory of 2644	1780	6476bbf019b75400e65de9d79edcefb2.exe	109
PID 1780 wrote to memory of 2644	1780	6476bbf019b75400e65de9d79edcefb2.exe	109
PID 1780 wrote to memory of 2644	1780	6476bbf019b75400e65de9d79edcefb2.exe	109
PID 2644 wrote to memory of 4612	2644	SMSS.EXE	108
PID 2644 wrote to memory of 4612	2644	SMSS.EXE	108
PID 2644 wrote to memory of 4612	2644	SMSS.EXE	108
PID 1396 wrote to memory of 2248	1396	Lubang Hitam.exe	122
PID 1396 wrote to memory of 2248	1396	Lubang Hitam.exe	122
PID 1396 wrote to memory of 2248	1396	Lubang Hitam.exe	122
PID 2248 wrote to memory of 3924	2248	Black Hole.exe	116
PID 2248 wrote to memory of 3924	2248	Black Hole.exe	116
PID 2248 wrote to memory of 3924	2248	Black Hole.exe	116
PID 1396 wrote to memory of 1752	1396	Lubang Hitam.exe	121
PID 1396 wrote to memory of 1752	1396	Lubang Hitam.exe	121
PID 1396 wrote to memory of 1752	1396	Lubang Hitam.exe	121
PID 1752 wrote to memory of 8	1752	Lubang Hitam.exe	120
PID 1752 wrote to memory of 8	1752	Lubang Hitam.exe	120
PID 1752 wrote to memory of 8	1752	Lubang Hitam.exe	120

System policy modification 1 TTPs 64 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoTrayItemsDisplay = "1"	CSRSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\WinOldApp	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	CSRSS.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind = "1"	CSRSS.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDrives = "67108863"	CSRSS.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSaveSettings = "1"	SMSS.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDesktop = "1"	Black Hole.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun = "1"	Black Hole.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel = "1"	6476bbf019b75400e65de9d79edcefb2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoAdminPage = "1"	WINLOGON.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetFolders = "1"	WINLOGON.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel = "1"	SERVICES.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetTaskbar = "1"	LSASS.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDrives = "67108863"	SMSS.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPropertiesMyComputer = "1"	Black Hole.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDrives = "67108863"	WINLOGON.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun = "1"	WINLOGON.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoPwdPage = "1"	Black Hole.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetTaskbar = "1"	6476bbf019b75400e65de9d79edcefb2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	LSASS.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	LSASS.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Black Hole.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind = "1"	SERVICES.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	WINLOGON.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDesktop = "1"	SERVICES.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetFolders = "1"	SERVICES.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoWinkeys = "1"	SMSS.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind = "1"	SMSS.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSaveSettings = "1"	Lubang Hitam.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun = "1"	Lubang Hitam.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoViewContextMenu = "1"	SERVICES.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoTrayContextMenu = "1"	SMSS.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoViewContextMenu = "1"	SMSS.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoTrayItemsDisplay = "1"	Black Hole.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel = "1"	Lubang Hitam.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	SERVICES.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoAdminPage = "1"	SMSS.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoTrayItemsDisplay = "1"	WINLOGON.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRecentDocsMenu = "1"	WINLOGON.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSaveSettings = "1"	SERVICES.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPropertiesMyComputer = "1"	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	SMSS.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRecentDocsMenu = "1"	SMSS.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetFolders = "1"	Lubang Hitam.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	CSRSS.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRecycleFiles = "1"	LSASS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Black Hole.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	Black Hole.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoTrayContextMenu = "1"	WINLOGON.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoPwdPage = "1"	Black Hole.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\WinOldApp\Disabled = "1"	LSASS.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\WinOldApp\Disabled = "1"	SMSS.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoTrayContextMenu = "1"	6476bbf019b75400e65de9d79edcefb2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetTaskbar = "1"	Lubang Hitam.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoAdminPage = "1"	LSASS.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRecycleFiles = "1"	6476bbf019b75400e65de9d79edcefb2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	Lubang Hitam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\WinOldApp	Lubang Hitam.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\WinOldApp\Disabled = "1"	WINLOGON.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetTaskbar = "1"	SERVICES.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	SMSS.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	Black Hole.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoViewContextMenu = "1"	CSRSS.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRecentDocsMenu = "1"	Black Hole.exe

C:\Users\Admin\AppData\Local\Temp\6476bbf019b75400e65de9d79edcefb2.exe
"C:\Users\Admin\AppData\Local\Temp\6476bbf019b75400e65de9d79edcefb2.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Modifies system executable filetype association
- Windows security modification
- Adds Run key to start application
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1780
- C:\WINDOWS\SysWOW64\shutdown.exe
  C:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:692
- C:\Windows\Black Hole.exe
  "C:\Windows\Black Hole.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Windows security bypass
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Windows security modification
  - Adds Run key to start application
  - Modifies Control Panel
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2580
- - C:\WINDOWS\SysWOW64\shutdown.exe
    C:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:424
- C:\Windows\SysWOW64\Lubang Hitam.exe
  "C:\Windows\system32\Lubang Hitam.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Windows security bypass
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Windows security modification
  - Adds Run key to start application
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies Control Panel
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1396
- - C:\Windows\SysWOW64\Lubang Hitam.exe
    "C:\Windows\system32\Lubang Hitam.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1752
- - C:\Windows\Black Hole.exe
    "C:\Windows\Black Hole.exe"
    3⤵
    - Modifies WinLogon for persistence
    - Modifies visibility of file extensions in Explorer
    - Modifies visiblity of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies system executable filetype association
    - Windows security modification
    - Adds Run key to start application
    - Modifies Control Panel
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:2248
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Windows security bypass
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Windows security modification
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies Control Panel
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:4144
- - C:\WINDOWS\SysWOW64\shutdown.exe
    C:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1972
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Windows security bypass
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Windows security modification
  - Adds Run key to start application
  - Modifies Control Panel
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:3304
- - C:\WINDOWS\SysWOW64\shutdown.exe
    C:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4872
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Windows security bypass
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Windows security modification
  - Adds Run key to start application
  - Modifies Control Panel
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2644
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Windows security bypass
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Windows security modification
  - Adds Run key to start application
  - Modifies Control Panel
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:3100
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Windows security bypass
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Windows security modification
  - Adds Run key to start application
  - Modifies Control Panel
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:4736

C:\WINDOWS\SysWOW64\shutdown.exe
C:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3824

C:\WINDOWS\SysWOW64\shutdown.exe
C:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4612

C:\WINDOWS\SysWOW64\shutdown.exe
C:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2076

C:\WINDOWS\SysWOW64\shutdown.exe
C:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!
1⤵
PID:1752
- C:\WINDOWS\SysWOW64\shutdown.exe
  C:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:8

C:\WINDOWS\SysWOW64\shutdown.exe
C:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\118202442607.bmp

Filesize
2.6MB

MD5
591cd62167ab88842a094f05dd3fccc2

SHA1
03227ab120c5eba47e05b8f35d7f47ab530ba845

SHA256
f2bf425f5120c4824215c888c2181ad0658ab91bede3aa89ca83ebdfbcc66170

SHA512
c1abbf412bdb1340407234ac57ffc1f7a810b4ba8e6e8fb2e07f425250c8a1ab583cef7343baf8af5c6edad814d0cbfcd4f4f08bfbd47cfd1f69461a740f81d1

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

Filesize
70KB

MD5
3de70b97aef0be07447833dfe0d5459f

SHA1
b375e52d9cd5a6bd73a3b6865605efbcf5796171

SHA256
ebdbc2a42c361001472bf3b73bf461a7a406245734229524b5dc6cabee9de0f5

SHA512
7c2613c6039599ce9463dc7bbf84b0f2d8e0ec7f7085838cbef03bd5c2b379e0dd18112f00cc253d4425bcfb520460d7c77d2ac50468d22b5164cefd0253ac87

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE

Filesize
70KB

MD5
2dfe05add7bc653ffb83e2fd8140ff97

SHA1
8736c292741b61d3fdcd2cbba8513d980f4ff949

SHA256
eb50ba8f5a50f325a1358e81f1824c945d0760e453894439cf84c51228da9230

SHA512
b6c90c51837b21ca957abc791249cb4049f466f61f29c2adda563def2b4999ec5417a953b3f7f3b96a649cef54b1eb998e651a29f372fcc9c1cd32e9d174f839

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE

Filesize
70KB

MD5
5124b426d9907ecbd487cdfdebac3866

SHA1
e0c560b202768382e98cd99e576f516be19d0502

SHA256
9ed1062f67c4a1df03b5a5c86a1068f9b1ec837ed746e2f16c1ca9dc70a11b59

SHA512
2731b91163b9ac7f4d7d57bcd0077d9183afa1eb66f508b83f776036cfc39383b110facea7cea5e8e1f6c4d75eba73fd40bce7854508add68c394a1d0a94993d

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE

Filesize
70KB

MD5
efcbf246d4ae615ce237287958f218bd

SHA1
9ad2a935d3a032c11da3ba9e8769d5544eb46b4f

SHA256
8c8047ee29f5f311171bbc102e0a21ee838ab9176cf0427311e032ae3fb77677

SHA512
65574b97c329ecae5a9560520228e8903dc13afbc414b1011da5d637742242bbdce0aa226ffb5853ae4bda6cf3e9a66d4bf0fd41a1d175c6a128592cd8e0783e

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE

Filesize
70KB

MD5
09cdeede6a3b0d54cc9ffd3c660d3805

SHA1
b94b69217d6816b1feff57fb7f4b819948e3fd9c

SHA256
aacf14ca01a9fa880474563664c81862a7c4edf0b6045d79a6af3488c432c12b

SHA512
86a77709a3d665d37d2c00c957b4fe35c6efb8a08d643cc91c0b6fc46deaf5046eddd78cfe23cf38b83395a111a702786ee23cf4ee64d95bc523edd72cae66dd

Download Submit
C:\Users\Admin\Local Settings\Application Data\lsass.exe

Filesize
57KB

MD5
432a4b7aa2bf0ae2283af298883096f8

SHA1
b8112ff1d411420bbf2dba4cb595008358ee0c39

SHA256
9d9c42325a84a42a8e13918da80d76c7f1f19a8830aa86f8b8aa6036969167e8

SHA512
f556db93098d2b4407bfff3fcee385940b1f52d93dfd97541799a3094b33b565a29ea4b04086ea948191289d8866df9bcca5cd73371748d719fe19284b9ff4b0

Download Submit
C:\Users\Admin\Local Settings\Application Data\services.exe

Filesize
20KB

MD5
01615a74bf170b30dea6ef349bb49e5e

SHA1
f699c177df44bf7e5c92689274c48a315f6180ef

SHA256
eda8e5ad54783fc81d020f8d88f4a7bafd30eb057ade72a241c30d3ce7adeac5

SHA512
15a8a290595fe83e3923091e6fb20efaa780af4b99f09d1b75bd52e3e97d381b180d339f9e255fbc0fb60e5ad7e9431e8a14d8ab6d2c5a3efee0031f1504d5be

Download Submit
C:\Users\All Users\Start Menu\Programs\Startup\Zero Code.pif

Filesize
32KB

MD5
95ff1b8b89d75e9470558864a919c5bf

SHA1
9f6152fac91b4671e5656c0e11597c2fa5051fad

SHA256
ab0d02d21bf877bae3ea186001f3a8d30c15f79c7c620c7dc723aed6c9fdc5ee

SHA512
2cfc410ee917adf32e00be319d8ad6c0a604a2f633a9ebde29b120cdfaf42865af9715237395c2af1973537f601881e92b7567fddf69b614b37229f726ab535a

Download Submit
C:\WINDOWS\Black Hole.txt

Filesize
1KB

MD5
6635e047c242e6d64b2716d81095bf5f

SHA1
5def5300f894e58bbb0caaa94680f7735ccd248d

SHA256
9757b4f406657c44fcbd40757d1ae06e833a8e1542ca976e6ae63578031b32bf

SHA512
c9bae9bf090e7c67fac53d061bb43c2091e991c8f568889463d0c1af8f48652c79c51785c0906705098b418b2d7a4b200580fb44091ecf8bf24d8b1b45a258c0

Download Submit
C:\WINDOWS\Hacked By Gerry.txt

Filesize
1KB

MD5
e067dafcbe64a95f5045a281397732db

SHA1
1af7095f98c486ca247449980000d06b04ffc50c

SHA256
b6085ee8c1f2de574973b9f3a7417257e25573c2b5228b5a8f87e3788e2733b6

SHA512
1b575d62fee219538f8d624ab833cbce0aee431559a0adfa1e3ce9cd4f5ab8a2887b394843ebf164c884ccbed5687d644474328471b23c28edba8f99ccf08b58

Download Submit
C:\Windows\Black Hole.exe

Filesize
70KB

MD5
17a2dd655dbf53a1ebb933f03104c2cd

SHA1
284e727a8c60683ebb4daabcaa13ed83733ba0f5

SHA256
f197d067a4ae42ab14823994158b3f31fb380f614d47a914815eb4d0631001fb

SHA512
ff95acdc127846a764b535a2ed3e3a1897183a42c4f2f3d2e6d9ae890405183c1cddd9c6042a11a60bf82f0b1ae414191e91f9bb7b657e203cab3dad61ac8cea

Download Submit
C:\Windows\Black Hole.exe

Filesize
70KB

MD5
2ae3b35854ea4b94fed5e1dc91db07e8

SHA1
ca69f0aee696e5136416bf6f822c5ab1c56116f2

SHA256
7c12815561b959a234cfe2fff8a767804c9eeedd70fa11a8a4ce4684caca0f9d

SHA512
5f5bfdbb8dd5feb4b02c990574ee8d2ea07e2e769765bf986eaef67b6a63454887ef4bc62f3c67d02edf1385854df0e670ed85df437b108f4451665672e73612

Download Submit
C:\Windows\MSVBVM60.DLL

Filesize
267KB

MD5
c052d81dd7c7502746772ba427cc3d48

SHA1
aa383b3aa9afdfd2a9fe9e83c69e962d20d94830

SHA256
97114188ecb3fbd024e0901c644b0f0f430e6c084ce3503bdef46491a0421bb1

SHA512
cc2e00522ddd83d04c49e45e43687a884325991dc79af734e2eb1c3b925662c378f2efcbba06cb2a57e4b65c3550c6225b969e346a318d2408c6b177b5753e8f

Download Submit
C:\Windows\SysWOW64\Destruction.scr

Filesize
61KB

MD5
5d2109527580cf43e27a0b0c96135e34

SHA1
d195a3dbcbd207d4e25b8082102f38c78b66a5f7

SHA256
9433103f9ce06726802f0ba227d3aa050ce924ecc97cc993185b2f7a2fe6541d

SHA512
1b6c8663278e21497b34bdf1372bbcb9d96f357ebe06ae5ca4616ba57cde650d1f3fbae7073a365b88916b551f9c04ad0dc404af86703ceb6b7a1c16d345ff54

Download Submit
C:\Windows\SysWOW64\Lubang Hitam.exe

Filesize
70KB

MD5
8753d68428fd49f3a2cf145f1f311e19

SHA1
0162811afea8848fc83f655a84db561f84364025

SHA256
bb3dd70b36c438a5f73ce0993900751b5b92fe9a03c557da87405964c1d20a52

SHA512
88f054cbfd7d93f27c95f87911d5197cb5309fa83997ec6e7abd7c03fa9c7227d8b1218eb3705efe105e7ee576c5ec3adedcb869c852239066b0b137d3161d7d

Download Submit
C:\Windows\SysWOW64\Lubang Hitam.exe

Filesize
70KB

MD5
6476bbf019b75400e65de9d79edcefb2

SHA1
f2bf1ffcdcaafcf91d9afb94e2f2d9bc723cb394

SHA256
14bd4541137ec39fafa313003dbaa93d31ee5c1dcbc90e8287dc279683a9ba20

SHA512
070adb617df5e85d460f5ba1c5c7da0a4ced96e80bc4182b780258710406ba7e2b58bb68bff427b352cee012930000dbd706564644ae4f4f43a328a53e611d3a

Download Submit
C:\Windows\msvbvm60.dll

Filesize
57KB

MD5
ec45e07f2948f1183e594fd76394b4ec

SHA1
7523ca7003d6cc31998398464f8168f6ce1e6eed

SHA256
d22cbaeeeea4a872ee8e0f2feafd183c6758dea920a87a542bd98be69359587c

SHA512
29950dbbba367f7202a327afa3a7ec77ad4daf4ec8b71f7bb7f4e4f9dcf1966a883f0f519a3c62610d6f0e121e13a2801f77ff3baff433bdef467b912f05a505

Download Submit
F:\Autorun.inf

Filesize
93B

MD5
4809daf962803cad2b891b94c195d3dd

SHA1
707bdd28edcf5e9e288959f62d4da8823777ec12

SHA256
3468667630714eb86464ecfe903b59a843670ade55b49ac9d653421b91bcf139

SHA512
c9c233b22a853ce17731cb3466f7e8234da4e3de0dec6cc48ed15232303d4f29c49770e20a7064ad9329f8d9d27f8d4b547443d837320f58ac230973bb7dd11f

Download Submit
F:\Read Me.txt

Filesize
3KB

MD5
5c462f1ea2917c0b502ae0761c0f60d8

SHA1
c1d15b093b2843528544d77dc0d9d4e3b8a85297

SHA256
09c76898e4fa4174c53c2ad514274b5d2ca636ec6f223be5fda4c6135ec4ac10

SHA512
e6219ccbabe77a4999ade79c7074753495da9c61d6451c53be34219cc19746ca9a0dadef3b47cd8859cd59604064af5e9fc2a5044780bcfebaaa13dc08c36bbc

Download Submit
memory/1396-372-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1396-76-0x00000000001C0000-0x00000000001C2000-memory.dmp

Filesize
8KB

Download
memory/1396-75-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1752-357-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1752-371-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1752-358-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/1780-0-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1780-117-0x00000000001C0000-0x00000000001C2000-memory.dmp

Filesize
8KB

Download
memory/1780-524-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1780-1-0x00000000001C0000-0x00000000001C2000-memory.dmp

Filesize
8KB

Download
memory/2248-520-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2248-347-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2248-348-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/2580-67-0x00000000001C0000-0x00000000001C2000-memory.dmp

Filesize
8KB

Download
memory/2580-66-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2580-87-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2644-496-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2644-119-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/3100-474-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/3100-112-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/3100-114-0x00000000001E0000-0x00000000001E2000-memory.dmp

Filesize
8KB

Download
memory/3304-106-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/3304-449-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/4144-401-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/4144-93-0x00000000001C0000-0x00000000001C2000-memory.dmp

Filesize
8KB

Download
memory/4144-91-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/4736-424-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/4736-99-0x00000000001E0000-0x00000000001E2000-memory.dmp

Filesize
8KB

Download
memory/4736-98-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download