Analysis
max time kernel: 150s
max time network: 126s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 01-06-2024 03:52

Static task: static1

Behavioral task: behavioral1
Sample: d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe
Resource: win7-20240221-en

Behavioral task: behavioral2
Sample: d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe
Resource: win10v2004-20240426-en

General
Target: d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe
Size: 70KB
MD5: 2fd685a44814d363e81a07de7bee5233
SHA1: a9170c0738cf9f0d746ff409907f13a93f0baf04
SHA256: d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c
SHA512: 5bfddc19d55b0377410e1681de30336956f9f9f59b26f8237863079b7b0df0d05aec773ea5e3045dba3b5bed4109b536c75a171d356494285a8a5dd498c87bf5
SSDEEP: 768:1iCHI1nffAkGisSQ6KRcJZOYoBudWaDyqzlL49FLdS5yA+jz+CEo+R5nOwekfZUW:1LHIlfH7Q6qRBwWa2qxQFZA+j6/Ww+9

Malware Config

Signatures
Modifies WinLogon for persistence 2 TTPs 22 IoCs
Modifies visibility of file extensions in Explorer 2 TTPs 11 IoCs
Modifies visibility of hidden/system files in Explorer 2 TTPs 11 IoCs
Disables RegEdit via registry modification 22 IoCs
Disables Task Manager via registry modification
Disables use of System Restore points 1 TTPs
Executes dropped EXE 17 IoCs
pid   Process
1824  Black Hole.exe
2064  Lubang Hitam.exe
1800  WINLOGON.EXE
2280  Black Hole.exe
1596  CSRSS.EXE
1856  Lubang Hitam.exe
1904  WINLOGON.EXE
1888  Black Hole.exe
1196  Black Hole.exe
1604  SERVICES.EXE
2276  Lubang Hitam.exe
2336  LSASS.EXE
336   SMSS.EXE
2408  Black Hole.exe
1832  Black Hole.exe
1952  Lubang Hitam.exe
2816  Lubang Hitam.exe
Loads dropped DLL 22 IoCs
pid   Process
1640  d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe
1640  d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe
1640  d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe
1640  d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe
1640  d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe
1640  d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe
2064  Lubang Hitam.exe
2064  Lubang Hitam.exe
2064  Lubang Hitam.exe
2064  Lubang Hitam.exe
1640  d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe
1640  d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe
1596  CSRSS.EXE
1596  CSRSS.EXE
1640  d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe
1640  d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe
1640  d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe
1640  d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe
2336  LSASS.EXE
2336  LSASS.EXE
2276  Lubang Hitam.exe
2276  Lubang Hitam.exe
Modifies system executable filetype association 2 TTPs 64 IoCs
Adds Run key to start application 2 TTPs 55 IoCs
Five autostart values are written, and every dropped component rewrites them in turn, which is why 55 events collapse to five persistence points. Four of them (ServiceAdmin, LogonAdmin, MSMSGS, System Monitoring) point at copies stored under "C:\Users\Admin\Local Settings\Application Data\WINDOWS\" (the Windows 7 compatibility junction for %LOCALAPPDATA%) and named after core system processes: SERVICES.EXE, CSRSS.EXE, WINLOGON.EXE and LSASS.EXE. The fifth, "Black Hole", points at C:\Windows\Black Hole.exe. The genuine processes of those names live in System32 and are never started from a Run key, so triage on the image path rather than the file name. The HKLM values land under Wow6432Node because the writer is a 32-bit process.
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" | CSRSS.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE" | LSASS.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" | CSRSS.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" | SERVICES.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" | LSASS.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" | WINLOGON.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE" | Black Hole.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" | Lubang Hitam.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE" | CSRSS.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" | Black Hole.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Black Hole = "C:\\Windows\\Black Hole.exe" | Black Hole.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" | Black Hole.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE" | Lubang Hitam.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE" | SERVICES.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Black Hole = "C:\\Windows\\Black Hole.exe" | LSASS.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Black Hole = "C:\\Windows\\Black Hole.exe" | SERVICES.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE" | Black Hole.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" | Lubang Hitam.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Black Hole = "C:\\Windows\\Black Hole.exe" | WINLOGON.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Black Hole = "C:\\Windows\\Black Hole.exe" | Lubang Hitam.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" | Black Hole.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Black Hole = "C:\\Windows\\Black Hole.exe" | Lubang Hitam.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Black Hole = "C:\\Windows\\Black Hole.exe" | Black Hole.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" | Black Hole.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE" | Lubang Hitam.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE" | WINLOGON.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" | Black Hole.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE" | CSRSS.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE" | d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" | Lubang Hitam.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" | SERVICES.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" | Black Hole.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE" | SERVICES.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE" | Lubang Hitam.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE" | Black Hole.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE" | d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" | Black Hole.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" | Black Hole.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE" | Black Hole.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE" | Black Hole.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Black Hole = "C:\\Windows\\Black Hole.exe" | d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE" | WINLOGON.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE" | LSASS.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE" | Black Hole.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Black Hole = "C:\\Windows\\Black Hole.exe" | Black Hole.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Black Hole = "C:\\Windows\\Black Hole.exe" | Black Hole.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" | LSASS.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE" | Black Hole.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" | d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Black Hole = "C:\\Windows\\Black Hole.exe" | CSRSS.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" | Lubang Hitam.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE" | Lubang Hitam.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" | d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE" | Black Hole.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" | WINLOGON.EXE
-
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\B: | CSRSS.EXE
File opened (read-only) | \??\R: | LSASS.EXE
File opened (read-only) | \??\S: | LSASS.EXE
File opened (read-only) | \??\Y: | LSASS.EXE
File opened (read-only) | \??\W: | Lubang Hitam.exe
File opened (read-only) | \??\S: | Lubang Hitam.exe
File opened (read-only) | \??\R: | WINLOGON.EXE
File opened (read-only) | \??\X: | WINLOGON.EXE
File opened (read-only) | \??\Y: | CSRSS.EXE
File opened (read-only) | \??\J: | Lubang Hitam.exe
File opened (read-only) | \??\V: | Lubang Hitam.exe
File opened (read-only) | \??\W: | Lubang Hitam.exe
File opened (read-only) | \??\Y: | WINLOGON.EXE
File opened (read-only) | \??\P: | CSRSS.EXE
File opened (read-only) | \??\P: | Lubang Hitam.exe
File opened (read-only) | \??\N: | d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe
File opened (read-only) | \??\H: | Lubang Hitam.exe
File opened (read-only) | \??\L: | WINLOGON.EXE
File opened (read-only) | \??\X: | CSRSS.EXE
File opened (read-only) | \??\I: | LSASS.EXE
File opened (read-only) | \??\Y: | d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe
File opened (read-only) | \??\J: | Lubang Hitam.exe
File opened (read-only) | \??\Q: | WINLOGON.EXE
File opened (read-only) | \??\Q: | CSRSS.EXE
File opened (read-only) | \??\P: | LSASS.EXE
File opened (read-only) | \??\S: | d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe
File opened (read-only) | \??\V: | d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe
File opened (read-only) | \??\X: | d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe
File opened (read-only) | \??\X: | Lubang Hitam.exe
File opened (read-only) | \??\I: | d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe
File opened (read-only) | \??\W: | WINLOGON.EXE
File opened (read-only) | \??\M: | d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe
File opened (read-only) | \??\I: | WINLOGON.EXE
File opened (read-only) | \??\J: | CSRSS.EXE
File opened (read-only) | \??\L: | CSRSS.EXE
File opened (read-only) | \??\V: | CSRSS.EXE
File opened (read-only) | \??\Z: | CSRSS.EXE
File opened (read-only) | \??\O: | Lubang Hitam.exe
File opened (read-only) | \??\U: | Lubang Hitam.exe
File opened (read-only) | \??\G: | WINLOGON.EXE
File opened (read-only) | \??\U: | WINLOGON.EXE
File opened (read-only) | \??\W: | CSRSS.EXE
File opened (read-only) | \??\U: | LSASS.EXE
File opened (read-only) | \??\T: | CSRSS.EXE
File opened (read-only) | \??\M: | LSASS.EXE
File opened (read-only) | \??\B: | Lubang Hitam.exe
File opened (read-only) | \??\N: | WINLOGON.EXE
File opened (read-only) | \??\R: | CSRSS.EXE
File opened (read-only) | \??\J: | d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe
File opened (read-only) | \??\O: | CSRSS.EXE
File opened (read-only) | \??\L: | Lubang Hitam.exe
File opened (read-only) | \??\G: | CSRSS.EXE
File opened (read-only) | \??\X: | LSASS.EXE
File opened (read-only) | \??\E: | WINLOGON.EXE
File opened (read-only) | \??\N: | LSASS.EXE
File opened (read-only) | \??\T: | Lubang Hitam.exe
File opened (read-only) | \??\W: | d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe
File opened (read-only) | \??\T: | Lubang Hitam.exe
File opened (read-only) | \??\S: | WINLOGON.EXE
File opened (read-only) | \??\M: | WINLOGON.EXE
File opened (read-only) | \??\E: | CSRSS.EXE
File opened (read-only) | \??\V: | LSASS.EXE
File opened (read-only) | \??\M: | Lubang Hitam.exe
File opened (read-only) | \??\B: | WINLOGON.EXE
-
Drops autorun.inf file 1 TTPs 10 IoCs
Malware can abuse Windows AutoRun to spread via attached volumes. Here Autorun.inf is created at the root of every writable volume the sample reaches (C: and the attached F:). Since KB971029 (2011) Windows 7 honours autorun.inf only on optical media, so a USB stick carrying this file no longer launches it automatically; the file still records which volumes the sample has touched and is worth collecting from any drive that was plugged into the host.
description | ioc | Process
File opened for modification | F:\Autorun.inf | WINLOGON.EXE
File created | F:\Autorun.inf | Lubang Hitam.exe
File created | F:\Autorun.inf | d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe
File opened for modification | F:\Autorun.inf | d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe
File created | F:\Autorun.inf | WINLOGON.EXE
File created | F:\Autorun.inf | CSRSS.EXE
File opened for modification | F:\Autorun.inf | CSRSS.EXE
File opened for modification | F:\Autorun.inf | Lubang Hitam.exe
File created | C:\Autorun.inf | d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe
File opened for modification | C:\Autorun.inf | d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe
-
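The report records that Autorun.inf was written to the root of C: and F: but not what it contains, so the check below is an added example with constructed input, not the sample's file and not code from the report. It parses an autorun.inf the way a triage script run against a suspect volume would, returns every directive that would execute a program (open, shellexecute and any shell\<verb>\command) and notes when the AutoPlay entry has been relabelled to look like the stock "Open folder to view files" choice. The RECYCLER\setup.exe target in the worm-style sample is invented for illustration.

```python
"""Flag an autorun.inf that would launch a program from the volume it sits on.

Added example, not code from the report or the sample. The report shows only
that Autorun.inf was written to the root of C: and F:, not its contents, so
the two files below are constructed: one shaped like the ones removable-media
worms write, one a harmless vendor file.
"""
import os
import re

# Constructed worm-style file; the RECYCLER\setup.exe target is invented.
WORM_INF = """\
[autorun]
;padding
open=RECYCLER\\setup.exe
icon=%SystemRoot%\\system32\\SHELL32.dll,4
action=Open folder to view files
shell\\open=Open
shell\\open\\command=RECYCLER\\setup.exe
shell\\explore\\command=RECYCLER\\setup.exe
shellexecute=RECYCLER\\setup.exe
"""

# Constructed benign file: icon and label only, nothing executes.
BENIGN_INF = """\
[autorun]
icon=vendor.ico
label=Backup Drive
"""

LAUNCH_KEYS = {"open", "shellexecute"}
VERB_COMMAND = re.compile(r"^shell\\[^\\]+\\command$")


def parse_autorun_inf(text: str) -> dict:
    """Return the [autorun] directives as {lower-case key: value}; first occurrence wins."""
    directives, in_autorun = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower().startswith("autorun")
            continue
        if in_autorun and "=" in line:
            key, _, value = line.partition("=")
            directives.setdefault(key.strip().lower(), value.strip())
    return directives


def launch_targets(directives: dict) -> list:
    """Commands AutoRun would execute: open, shellexecute and every shell\\<verb>\\command."""
    return [v for k, v in directives.items() if k in LAUNCH_KEYS or VERB_COMMAND.match(k)]


def disguised_as_folder(directives: dict) -> bool:
    """True when the AutoPlay entry is relabelled to mimic the stock 'Open folder' choice."""
    return "folder" in directives.get("action", "").lower()


def assess_volume(root: str) -> list:
    """Read <root>/autorun.inf if present; return (command, target exists on volume) pairs."""
    inf = os.path.join(root, "autorun.inf")
    if not os.path.isfile(inf):
        return []
    with open(inf, encoding="latin-1", errors="replace") as fh:
        directives = parse_autorun_inf(fh.read())
    report = []
    for cmd in launch_targets(directives):
        exe = cmd.split()[0].strip('"') if cmd.split() else cmd
        # Split on backslashes so the check also works when the volume is mounted on a non-Windows host.
        report.append((cmd, os.path.isfile(os.path.join(root, *exe.split("\\")))))
    return report


if __name__ == "__main__":
    import sys
    for volume in sys.argv[1:] or ["."]:
        print(volume, assess_volume(volume))
```

Run it with the mount point of each suspect volume as an argument; a result where the launch target exists on the volume is the case worth pulling the binary for, while a directive pointing at a file that is no longer there still tells you the volume was once infected.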
Drops file in System32 directory 34 IoCs
Lubang Hitam.exe drops msvbvm60.dll, the Visual Basic 6 runtime, next to its copies, which marks the sample as a VB6 build and therefore a 32-bit binary. On this x64 image its writes to C:\Windows\system32 are redirected to C:\Windows\SysWOW64 by WOW64 file-system redirection, while the registry values it sets still name system32. On 64-bit hosts look for Shell.exe, Destruction.scr and the Lubang Hitam.exe copy under SysWOW64.
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\Destruction.scr | Lubang Hitam.exe
File created | C:\Windows\SysWOW64\Lubang Hitam.exe | Lubang Hitam.exe
File created | C:\Windows\SysWOW64\msvbvm60.dll | Lubang Hitam.exe
File opened for modification | C:\Windows\SysWOW64\Shell.exe | CSRSS.EXE
File opened for modification | C:\Windows\SysWOW64\Lubang Hitam.exe | CSRSS.EXE
File opened for modification | C:\Windows\SysWOW64\Shell.exe | LSASS.EXE
File opened for modification | C:\Windows\SysWOW64\Destruction.scr | LSASS.EXE
File created | C:\Windows\SysWOW64\Shell.exe | d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe
File opened for modification | C:\Windows\SysWOW64\Lubang Hitam.exe | LSASS.EXE
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | Lubang Hitam.exe
File created | C:\Windows\SysWOW64\Lubang Hitam.exe | LSASS.EXE
File created | C:\Windows\SysWOW64\msvbvm60.dll | Lubang Hitam.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | Lubang Hitam.exe
File opened for modification | C:\Windows\SysWOW64\Lubang Hitam.exe | Lubang Hitam.exe
File opened for modification | C:\Windows\SysWOW64\Destruction.scr | Lubang Hitam.exe
File created | C:\Windows\SysWOW64\msvbvm60.dll | Lubang Hitam.exe
File opened for modification | C:\Windows\SysWOW64\Lubang Hitam.exe | d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | Lubang Hitam.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | Lubang Hitam.exe
File opened for modification | C:\Windows\SysWOW64\Shell.exe | WINLOGON.EXE
File opened for modification | C:\Windows\SysWOW64\Destruction.scr | WINLOGON.EXE
File created | C:\Windows\SysWOW64\msvbvm60.dll | Lubang Hitam.exe
File created | C:\Windows\SysWOW64\Lubang Hitam.exe | Lubang Hitam.exe
File opened for modification | C:\Windows\SysWOW64\Lubang Hitam.exe | Lubang Hitam.exe
File opened for modification | C:\Windows\SysWOW64\Shell.exe | d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | Lubang Hitam.exe
File opened for modification | C:\Windows\SysWOW64\Shell.exe | Lubang Hitam.exe
File opened for modification | C:\Windows\SysWOW64\Shell.exe | Lubang Hitam.exe
File created | C:\Windows\SysWOW64\Lubang Hitam.exe | d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe
File opened for modification | C:\Windows\SysWOW64\Destruction.scr | d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe
File created | C:\Windows\SysWOW64\msvbvm60.dll | Lubang Hitam.exe
File opened for modification | C:\Windows\SysWOW64\Lubang Hitam.exe | WINLOGON.EXE
File opened for modification | C:\Windows\SysWOW64\Destruction.scr | CSRSS.EXE
File created | C:\Windows\SysWOW64\Destruction.scr | d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe
-
Drops file in Windows directory 32 IoCs
"Lubang Hitam" is Indonesian for "Black Hole", so the two file names are one name in two languages. Alongside the executable and the VB6 runtime the sample writes two text files, Black Hole.txt and Hacked By Gerry.txt, whose contents the report does not show.
description | ioc | Process
File opened for modification | C:\WINDOWS\Black Hole.txt | Lubang Hitam.exe
File created | C:\Windows\msvbvm60.dll | Lubang Hitam.exe
File opened for modification | C:\WINDOWS\Black Hole.txt | WINLOGON.EXE
File opened for modification | C:\Windows\Black Hole.exe | CSRSS.EXE
File opened for modification | C:\WINDOWS\Black Hole.txt | d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe
File opened for modification | C:\Windows\msvbvm60.dll | Lubang Hitam.exe
File opened for modification | C:\WINDOWS\Hacked By Gerry.txt | Lubang Hitam.exe
File created | C:\Windows\Black Hole.exe | WINLOGON.EXE
File opened for modification | C:\WINDOWS\Black Hole.txt | CSRSS.EXE
File opened for modification | C:\WINDOWS\Hacked By Gerry.txt | CSRSS.EXE
File opened for modification | C:\WINDOWS\Hacked By Gerry.txt | LSASS.EXE
File opened for modification | C:\Windows\msvbvm60.dll | Lubang Hitam.exe
File created | C:\Windows\msvbvm60.dll | Lubang Hitam.exe
File opened for modification | C:\WINDOWS\Hacked By Gerry.txt | d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe
File created | C:\Windows\msvbvm60.dll | Lubang Hitam.exe
File opened for modification | C:\Windows\msvbvm60.dll | Lubang Hitam.exe
File opened for modification | C:\WINDOWS\Black Hole.txt | LSASS.EXE
File opened for modification | C:\WINDOWS\Black Hole.txt | Lubang Hitam.exe
File created | C:\WINDOWS\Black Hole.txt | d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe
File opened for modification | C:\Windows\Black Hole.exe | WINLOGON.EXE
File opened for modification | C:\Windows\Black Hole.exe | LSASS.EXE
File opened for modification | C:\WINDOWS\Hacked By Gerry.txt | Lubang Hitam.exe
File opened for modification | C:\Windows\msvbvm60.dll | Lubang Hitam.exe
File opened for modification | C:\Windows\Black Hole.exe | d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe
File opened for modification | C:\Windows\Black Hole.exe | Lubang Hitam.exe
File created | C:\Windows\msvbvm60.dll | Lubang Hitam.exe
File created | C:\Windows\msvbvm60.dll | Lubang Hitam.exe
File opened for modification | C:\WINDOWS\Hacked By Gerry.txt | WINLOGON.EXE
File created | C:\Windows\Black Hole.exe | d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe
File created | C:\WINDOWS\Hacked By Gerry.txt | d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe
File opened for modification | C:\Windows\msvbvm60.dll | Lubang Hitam.exe
File opened for modification | C:\Windows\Black Hole.exe | Lubang Hitam.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies Control Panel 64 IoCs
SCRNSAVE.EXE is pointed at DESTRU~1.SCR, the 8.3 short name of the dropped Destruction.scr; ScreenSaveTimeOut = 600 starts it after ten idle minutes and ScreenSaverIsSecure = 0 keeps it from locking the session. A .scr is an ordinary PE, so this is a second user-level autostart that survives removal of the Run keys. SwapMouseButtons = 1 is a nuisance payload rather than persistence.
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" | LSASS.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\DESTRU~1.SCR" | d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\DESTRU~1.SCR" | Lubang Hitam.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" | WINLOGON.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Mouse\SwapMouseButtons = "1" | CSRSS.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\DESTRU~1.SCR" | SERVICES.EXE
Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Mouse\ | SERVICES.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" | d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" | Black Hole.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Mouse\SwapMouseButtons = "1" | Lubang Hitam.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\DESTRU~1.SCR" | Black Hole.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Mouse\SwapMouseButtons = "1" | SERVICES.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Mouse\SwapMouseButtons = "1" | Lubang Hitam.exe
Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\ | Black Hole.exe
Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Mouse\ | Lubang Hitam.exe
Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\ | LSASS.EXE
Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\ | Black Hole.exe
Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\ | d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\DESTRU~1.SCR" | Black Hole.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Mouse\SwapMouseButtons = "1" | Black Hole.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Mouse\SwapMouseButtons = "1" | WINLOGON.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Mouse\SwapMouseButtons = "1" | Black Hole.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" | Lubang Hitam.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" | Black Hole.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" | Lubang Hitam.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\DESTRU~1.SCR" | CSRSS.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" | LSASS.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Mouse\SwapMouseButtons = "1" | LSASS.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" | Black Hole.exe
Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\ | WINLOGON.EXE
Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\ | CSRSS.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Mouse\SwapMouseButtons = "1" | Black Hole.exe
Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Mouse\ | d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe
Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\ | SERVICES.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" | Black Hole.exe
Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\ | Lubang Hitam.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\DESTRU~1.SCR" | Lubang Hitam.exe
Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Mouse\ | Black Hole.exe
Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Mouse\ | WINLOGON.EXE
Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Mouse\ | CSRSS.EXE
Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\ | Black Hole.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" | d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe
Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Mouse\ | Black Hole.exe
Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Mouse\ | LSASS.EXE
Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\ | Black Hole.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\DESTRU~1.SCR" | WINLOGON.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" | Black Hole.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" | CSRSS.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" | SERVICES.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" | Black Hole.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\DESTRU~1.SCR" | Black Hole.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Mouse\SwapMouseButtons = "1" | d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" | Black Hole.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" | CSRSS.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" | SERVICES.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" | Black Hole.exe
Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Mouse\ | Black Hole.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Mouse\SwapMouseButtons = "1" | Black Hole.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" | Lubang Hitam.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" | Lubang Hitam.exe
Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Mouse\ | Black Hole.exe
Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\ | Lubang Hitam.exe
Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Mouse\ | Lubang Hitam.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" | WINLOGON.EXE
-
Modifies registry class 64 IoCs
The shell\open\command verb of exefile, comfile, batfile, piffile, scrfile and lnkfile is rewritten to "C:\Windows\system32\Shell.exe" "%1" %*, so every program, script or shortcut the user opens is routed through the dropped Shell.exe first. The value names a system32 path, but the file was written from a 32-bit process and on this x64 image actually sits in SysWOW64; the 64-bit Explorer is not redirected, so unless a copy also exists in the real System32 (the report shows none) the hijacked verb fails there rather than running the hook. The exefile default value is also set to "File Folder", which changes the Type column Explorer shows for .exe files. Remediation order matters: restore these verbs to their defaults before deleting Shell.exe, otherwise nothing executable can be launched by double-click until they are fixed.
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | CSRSS.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile | Black Hole.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" | Black Hole.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" | WINLOGON.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | Lubang Hitam.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | Lubang Hitam.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | SERVICES.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | Black Hole.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" | Lubang Hitam.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" | Lubang Hitam.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" | d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | Black Hole.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" | LSASS.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile | CSRSS.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" | Black Hole.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command | LSASS.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | Black Hole.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | Black Hole.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" | Black Hole.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | Black Hole.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | Lubang Hitam.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile | Lubang Hitam.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | Lubang Hitam.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | Black Hole.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | Lubang Hitam.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" | CSRSS.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | CSRSS.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | CSRSS.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" | Black Hole.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" | Black Hole.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile | Black Hole.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | WINLOGON.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command | CSRSS.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | SERVICES.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" | Black Hole.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | Black Hole.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" | Lubang Hitam.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" | Black Hole.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" | CSRSS.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command | Black Hole.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" | Black Hole.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile | d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" | SERVICES.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" | Black Hole.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" | WINLOGON.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" | Black Hole.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" | CSRSS.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | Black Hole.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" | d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" | d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | Lubang Hitam.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" | Lubang Hitam.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | LSASS.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | Black Hole.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | Black Hole.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | Black Hole.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" | Black Hole.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" | WINLOGON.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | CSRSS.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" | d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile | d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" | d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe
-
Suspicious behavior: EnumeratesProcesses 47 IoCs
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process
1640 d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe
Suspicious use of AdjustPrivilegeToken 34 IoCs
description pid Process
Token: SeShutdownPrivilege 1508 shutdown.exe
Token: SeRemoteShutdownPrivilege 1508 shutdown.exe
Token: SeShutdownPrivilege 1104 shutdown.exe
Token: SeRemoteShutdownPrivilege 1104 shutdown.exe
Token: SeShutdownPrivilege 1376 shutdown.exe
Token: SeRemoteShutdownPrivilege 1376 shutdown.exe
Token: SeShutdownPrivilege 2188 shutdown.exe
Token: SeRemoteShutdownPrivilege 2188 shutdown.exe
Token: SeShutdownPrivilege 1636 shutdown.exe
Token: SeRemoteShutdownPrivilege 1636 shutdown.exe
Token: SeShutdownPrivilege 896 shutdown.exe
Token: SeRemoteShutdownPrivilege 896 shutdown.exe
Token: SeShutdownPrivilege 440 shutdown.exe
Token: SeRemoteShutdownPrivilege 440 shutdown.exe
Token: SeShutdownPrivilege 2436 shutdown.exe
Token: SeRemoteShutdownPrivilege 2436 shutdown.exe
Token: SeShutdownPrivilege 2732 shutdown.exe
Token: SeRemoteShutdownPrivilege 2732 shutdown.exe
Token: SeShutdownPrivilege 2900 shutdown.exe
Token: SeRemoteShutdownPrivilege 2900 shutdown.exe
Token: SeShutdownPrivilege 1860 shutdown.exe
Token: SeRemoteShutdownPrivilege 1860 shutdown.exe
Token: SeShutdownPrivilege 2284 shutdown.exe
Token: SeRemoteShutdownPrivilege 2284 shutdown.exe
Token: SeShutdownPrivilege 1372 shutdown.exe
Token: SeRemoteShutdownPrivilege 1372 shutdown.exe
Token: SeShutdownPrivilege 3020 shutdown.exe
Token: SeRemoteShutdownPrivilege 3020 shutdown.exe
Token: SeShutdownPrivilege 1956 shutdown.exe
Token: SeRemoteShutdownPrivilege 1956 shutdown.exe
Token: SeShutdownPrivilege 1912 shutdown.exe
Token: SeRemoteShutdownPrivilege 1912 shutdown.exe
Token: SeShutdownPrivilege 2300 shutdown.exe
Token: SeRemoteShutdownPrivilege 2300 shutdown.exe
Suspicious use of SetWindowsHookEx 18 IoCs
pid Process
1640 d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe
1824 Black Hole.exe
2064 Lubang Hitam.exe
1800 WINLOGON.EXE
2280 Black Hole.exe
1596 CSRSS.EXE
1856 Lubang Hitam.exe
1904 WINLOGON.EXE
1888 Black Hole.exe
1604 SERVICES.EXE
1196 Black Hole.exe
2276 Lubang Hitam.exe
2336 LSASS.EXE
2408 Black Hole.exe
336 SMSS.EXE
1832 Black Hole.exe
1952 Lubang Hitam.exe
2816 Lubang Hitam.exe
Suspicious use of WriteProcessMemory 64 IoCs
System policy modification 1 TTPs 64 IoCs
Processes
Image path | command line | PID; child processes are indented under their parent.

C:\Users\Admin\AppData\Local\Temp\d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe | "C:\Users\Admin\AppData\Local\Temp\d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe" | PID:1640
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visibility of hidden/system files in Explorer
  - Windows security bypass
  - Disables RegEdit via registry modification
  - Loads dropped DLL
  - Modifies system executable filetype association
  - Windows security modification
  - Adds Run key to start application
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies Control Panel
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
    C:\WINDOWS\SysWOW64\shutdown.exe | C:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found! | PID:1508
      - Suspicious use of AdjustPrivilegeToken
    C:\WINDOWS\SysWOW64\cmd.exe | C:\WINDOWS\system32\cmd.exe /c rd /s /q z: | PID:2812
    C:\WINDOWS\SysWOW64\cmd.exe | C:\WINDOWS\system32\cmd.exe /c rd /s /q y: | PID:2816
    C:\WINDOWS\SysWOW64\cmd.exe | C:\WINDOWS\system32\cmd.exe /c rd /s /q x: | PID:2832
    C:\WINDOWS\SysWOW64\cmd.exe | C:\WINDOWS\system32\cmd.exe /c rd /s /q w: | PID:1388
    C:\WINDOWS\SysWOW64\cmd.exe | C:\WINDOWS\system32\cmd.exe /c rd /s /q v: | PID:2656
    C:\WINDOWS\SysWOW64\cmd.exe | C:\WINDOWS\system32\cmd.exe /c rd /s /q u: | PID:1832
    C:\WINDOWS\SysWOW64\cmd.exe | C:\WINDOWS\system32\cmd.exe /c rd /s /q t: | PID:2932
    C:\WINDOWS\SysWOW64\cmd.exe | C:\WINDOWS\system32\cmd.exe /c rd /s /q s: | PID:3036
    C:\WINDOWS\SysWOW64\cmd.exe | C:\WINDOWS\system32\cmd.exe /c rd /s /q r: | PID:2852
    C:\WINDOWS\SysWOW64\cmd.exe | C:\WINDOWS\system32\cmd.exe /c rd /s /q q: | PID:1808
    C:\WINDOWS\SysWOW64\cmd.exe | C:\WINDOWS\system32\cmd.exe /c rd /s /q p: | PID:2936
    C:\WINDOWS\SysWOW64\cmd.exe | C:\WINDOWS\system32\cmd.exe /c rd /s /q o: | PID:2532
    C:\WINDOWS\SysWOW64\cmd.exe | C:\WINDOWS\system32\cmd.exe /c rd /s /q n: | PID:2592
    C:\WINDOWS\SysWOW64\cmd.exe | C:\WINDOWS\system32\cmd.exe /c rd /s /q m: | PID:2608
    C:\WINDOWS\SysWOW64\cmd.exe | C:\WINDOWS\system32\cmd.exe /c rd /s /q l: | PID:2632
    C:\WINDOWS\SysWOW64\cmd.exe | C:\WINDOWS\system32\cmd.exe /c rd /s /q k: | PID:2784
    C:\WINDOWS\SysWOW64\cmd.exe | C:\WINDOWS\system32\cmd.exe /c rd /s /q j: | PID:2536
    C:\WINDOWS\SysWOW64\cmd.exe | C:\WINDOWS\system32\cmd.exe /c rd /s /q i: | PID:2516
    C:\WINDOWS\SysWOW64\cmd.exe | C:\WINDOWS\system32\cmd.exe /c rd /s /q h: | PID:2956
    C:\WINDOWS\SysWOW64\cmd.exe | C:\WINDOWS\system32\cmd.exe /c rd /s /q g: | PID:2648
    C:\WINDOWS\SysWOW64\cmd.exe | C:\WINDOWS\system32\cmd.exe /c rd /s /q f: | PID:1428
    C:\WINDOWS\SysWOW64\cmd.exe | C:\WINDOWS\system32\cmd.exe /c rd /s /q e: | PID:2668
    C:\WINDOWS\SysWOW64\cmd.exe | C:\WINDOWS\system32\cmd.exe /c rd /s /q d: | PID:1260
    C:\WINDOWS\SysWOW64\cmd.exe | C:\WINDOWS\system32\cmd.exe /c rd /s /q c: | PID:1020
    C:\Windows\Black Hole.exe | "C:\Windows\Black Hole.exe" | PID:1824
      - Modifies WinLogon for persistence
      - Modifies visibility of file extensions in Explorer
      - Modifies visibility of hidden/system files in Explorer
      - Windows security bypass
      - Disables RegEdit via registry modification
      - Executes dropped EXE
      - Modifies system executable filetype association
      - Windows security modification
      - Adds Run key to start application
      - Modifies Control Panel
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      - System policy modification
        C:\WINDOWS\SysWOW64\shutdown.exe | C:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found! | PID:1104
          - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\Lubang Hitam.exe | "C:\Windows\system32\Lubang Hitam.exe" | PID:2064
      - Modifies WinLogon for persistence
      - Modifies visibility of file extensions in Explorer
      - Modifies visibility of hidden/system files in Explorer
      - Windows security bypass
      - Disables RegEdit via registry modification
      - Executes dropped EXE
      - Loads dropped DLL
      - Modifies system executable filetype association
      - Windows security modification
      - Adds Run key to start application
      - Enumerates connected drives
      - Drops file in System32 directory
      - Drops file in Windows directory
      - Modifies Control Panel
      - Modifies registry class
      - Suspicious use of SetWindowsHookEx
      - System policy modification
        C:\WINDOWS\SysWOW64\shutdown.exe | C:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found! | PID:1376
          - Suspicious use of AdjustPrivilegeToken
        C:\WINDOWS\SysWOW64\cmd.exe | C:\WINDOWS\system32\cmd.exe /c rd /s /q z: | PID:1952
        C:\WINDOWS\SysWOW64\cmd.exe | C:\WINDOWS\system32\cmd.exe /c rd /s /q y: | PID:1580
        C:\WINDOWS\SysWOW64\cmd.exe | C:\WINDOWS\system32\cmd.exe /c rd /s /q x: | PID:2736
        C:\WINDOWS\SysWOW64\cmd.exe | C:\WINDOWS\system32\cmd.exe /c rd /s /q w: | PID:576
        C:\WINDOWS\SysWOW64\cmd.exe | C:\WINDOWS\system32\cmd.exe /c rd /s /q v: | PID:1748
        C:\WINDOWS\SysWOW64\cmd.exe | C:\WINDOWS\system32\cmd.exe /c rd /s /q u: | PID:996
        C:\WINDOWS\SysWOW64\cmd.exe | C:\WINDOWS\system32\cmd.exe /c rd /s /q t: | PID:1840
        C:\WINDOWS\SysWOW64\cmd.exe | C:\WINDOWS\system32\cmd.exe /c rd /s /q s: | PID:2892
        C:\WINDOWS\SysWOW64\cmd.exe | C:\WINDOWS\system32\cmd.exe /c rd /s /q r: | PID:2972
        C:\WINDOWS\SysWOW64\cmd.exe | C:\WINDOWS\system32\cmd.exe /c rd /s /q q: | PID:1048
        C:\WINDOWS\SysWOW64\cmd.exe | C:\WINDOWS\system32\cmd.exe /c rd /s /q p: | PID:3060
        C:\WINDOWS\SysWOW64\cmd.exe | C:\WINDOWS\system32\cmd.exe /c rd /s /q o: | PID:1584
        C:\WINDOWS\SysWOW64\cmd.exe | C:\WINDOWS\system32\cmd.exe /c rd /s /q n: | PID:888
        C:\WINDOWS\SysWOW64\cmd.exe | C:\WINDOWS\system32\cmd.exe /c rd /s /q m: | PID:2268
        C:\WINDOWS\SysWOW64\cmd.exe | C:\WINDOWS\system32\cmd.exe /c rd /s /q l: | PID:2256
        C:\WINDOWS\SysWOW64\cmd.exe | C:\WINDOWS\system32\cmd.exe /c rd /s /q k: | PID:2464
        C:\WINDOWS\SysWOW64\cmd.exe | C:\WINDOWS\system32\cmd.exe /c rd /s /q j: | PID:2476
        C:\WINDOWS\SysWOW64\cmd.exe | C:\WINDOWS\system32\cmd.exe /c rd /s /q i: | PID:2952
        C:\WINDOWS\SysWOW64\cmd.exe | C:\WINDOWS\system32\cmd.exe /c rd /s /q h: | PID:2820
        C:\WINDOWS\SysWOW64\cmd.exe | C:\WINDOWS\system32\cmd.exe /c rd /s /q g: | PID:2660
        C:\WINDOWS\SysWOW64\cmd.exe | C:\WINDOWS\system32\cmd.exe /c rd /s /q f: | PID:2824
        C:\WINDOWS\SysWOW64\cmd.exe | C:\WINDOWS\system32\cmd.exe /c rd /s /q e: | PID:2572
        C:\WINDOWS\SysWOW64\cmd.exe | C:\WINDOWS\system32\cmd.exe /c rd /s /q d: | PID:1560
        C:\WINDOWS\SysWOW64\cmd.exe | C:\WINDOWS\system32\cmd.exe /c rd /s /q c: | PID:2528
        C:\Windows\Black Hole.exe | "C:\Windows\Black Hole.exe" | PID:2280
          - Modifies WinLogon for persistence
          - Modifies visibility of file extensions in Explorer
          - Modifies visibility of hidden/system files in Explorer
          - Windows security bypass
          - Disables RegEdit via registry modification
          - Executes dropped EXE
          - Modifies system executable filetype association
          - Windows security modification
          - Adds Run key to start application
          - Modifies Control Panel
          - Modifies registry class
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of SetWindowsHookEx
          - System policy modification
            C:\WINDOWS\SysWOW64\shutdown.exe | C:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found! | PID:440
              - Suspicious use of AdjustPrivilegeToken
        C:\Windows\SysWOW64\Lubang Hitam.exe | "C:\Windows\system32\Lubang Hitam.exe" | PID:1856
          - Executes dropped EXE
          - Drops file in System32 directory
          - Drops file in Windows directory
          - Suspicious use of SetWindowsHookEx
            C:\WINDOWS\SysWOW64\shutdown.exe | C:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found! | PID:896
              - Suspicious use of AdjustPrivilegeToken
        C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE | "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE" | PID:1904
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx
            C:\WINDOWS\SysWOW64\shutdown.exe | C:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found! | PID:2732
              - Suspicious use of AdjustPrivilegeToken
    C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE | "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE" | PID:1800
      - Modifies WinLogon for persistence
      - Modifies visibility of file extensions in Explorer
      - Modifies visibility of hidden/system files in Explorer
      - Windows security bypass
      - Disables RegEdit via registry modification
      - Executes dropped EXE
      - Modifies system executable filetype association
      - Windows security modification
      - Adds Run key to start application
      - Enumerates connected drives
      - Drops autorun.inf file
      - Drops file in System32 directory
      - Drops file in Windows directory
      - Modifies Control Panel
      - Modifies registry class
      - Suspicious use of SetWindowsHookEx
      - System policy modification
        C:\WINDOWS\SysWOW64\shutdown.exe | C:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found! | PID:2188
          - Suspicious use of AdjustPrivilegeToken
        C:\WINDOWS\SysWOW64\cmd.exe | C:\WINDOWS\system32\cmd.exe /c rd /s /q z: | PID:1244
        C:\WINDOWS\SysWOW64\cmd.exe | C:\WINDOWS\system32\cmd.exe /c rd /s /q y: | PID:1260
        C:\WINDOWS\SysWOW64\cmd.exe | C:\WINDOWS\system32\cmd.exe /c rd /s /q x: | PID:1724
        C:\WINDOWS\SysWOW64\cmd.exe | C:\WINDOWS\system32\cmd.exe /c rd /s /q w: | PID:1656
        C:\WINDOWS\SysWOW64\cmd.exe | C:\WINDOWS\system32\cmd.exe /c rd /s /q v: | PID:1872
        C:\WINDOWS\SysWOW64\cmd.exe | C:\WINDOWS\system32\cmd.exe /c rd /s /q u: | PID:1728
        C:\WINDOWS\SysWOW64\cmd.exe | C:\WINDOWS\system32\cmd.exe /c rd /s /q t: | PID:2140
        C:\WINDOWS\SysWOW64\cmd.exe | C:\WINDOWS\system32\cmd.exe /c rd /s /q s: | PID:2036
        C:\WINDOWS\SysWOW64\cmd.exe | C:\WINDOWS\system32\cmd.exe /c rd /s /q r: | PID:1868
        C:\WINDOWS\SysWOW64\cmd.exe | C:\WINDOWS\system32\cmd.exe /c rd /s /q q: | PID:528
        C:\WINDOWS\SysWOW64\cmd.exe | C:\WINDOWS\system32\cmd.exe /c rd /s /q p: | PID:1780
        C:\WINDOWS\SysWOW64\cmd.exe | C:\WINDOWS\system32\cmd.exe /c rd /s /q o: | PID:816
        C:\WINDOWS\SysWOW64\cmd.exe | C:\WINDOWS\system32\cmd.exe /c rd /s /q n: | PID:768
        C:\WINDOWS\SysWOW64\cmd.exe | C:\WINDOWS\system32\cmd.exe /c rd /s /q m: | PID:268
        C:\WINDOWS\SysWOW64\cmd.exe | C:\WINDOWS\system32\cmd.exe /c rd /s /q l: | PID:2000
        C:\WINDOWS\SysWOW64\cmd.exe | C:\WINDOWS\system32\cmd.exe /c rd /s /q k: | PID:1328
        C:\WINDOWS\SysWOW64\cmd.exe | C:\WINDOWS\system32\cmd.exe /c rd /s /q j: | PID:588
        C:\WINDOWS\SysWOW64\cmd.exe | C:\WINDOWS\system32\cmd.exe /c rd /s /q i: | PID:336
        C:\WINDOWS\SysWOW64\cmd.exe | C:\WINDOWS\system32\cmd.exe /c rd /s /q h: | PID:2756
        C:\WINDOWS\SysWOW64\cmd.exe | C:\WINDOWS\system32\cmd.exe /c rd /s /q g: | PID:2740
        C:\WINDOWS\SysWOW64\cmd.exe | C:\WINDOWS\system32\cmd.exe /c rd /s /q f: | PID:2216
        C:\WINDOWS\SysWOW64\cmd.exe | C:\WINDOWS\system32\cmd.exe /c rd /s /q e: | PID:1816
        C:\WINDOWS\SysWOW64\cmd.exe | C:\WINDOWS\system32\cmd.exe /c rd /s /q d: | PID:2688
        C:\WINDOWS\SysWOW64\cmd.exe | C:\WINDOWS\system32\cmd.exe /c rd /s /q c: | PID:2708
        C:\Windows\Black Hole.exe | "C:\Windows\Black Hole.exe" | PID:1888
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx
            C:\WINDOWS\SysWOW64\shutdown.exe | C:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found! | PID:2436
              - Suspicious use of AdjustPrivilegeToken
[depth 2] image: C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE | cmdline: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Windows security modification
- Adds Run key to start application
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1596
[depth 3] image: C:\WINDOWS\SysWOW64\shutdown.exe | cmdline: C:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!
- Suspicious use of AdjustPrivilegeToken
PID:1636
[depth 3] image: C:\WINDOWS\SysWOW64\cmd.exe | cmdline: C:\WINDOWS\system32\cmd.exe /c rd /s /q z: | PID:2532
[depth 3] image: C:\WINDOWS\SysWOW64\cmd.exe | cmdline: C:\WINDOWS\system32\cmd.exe /c rd /s /q y: | PID:1248
[depth 3] image: C:\WINDOWS\SysWOW64\cmd.exe | cmdline: C:\WINDOWS\system32\cmd.exe /c rd /s /q x: | PID:2344
[depth 3] image: C:\WINDOWS\SysWOW64\cmd.exe | cmdline: C:\WINDOWS\system32\cmd.exe /c rd /s /q w: | PID:2220
[depth 3] image: C:\WINDOWS\SysWOW64\cmd.exe | cmdline: C:\WINDOWS\system32\cmd.exe /c rd /s /q v: | PID:2472
[depth 3] image: C:\WINDOWS\SysWOW64\cmd.exe | cmdline: C:\WINDOWS\system32\cmd.exe /c rd /s /q u: | PID:2480
[depth 3] image: C:\WINDOWS\SysWOW64\cmd.exe | cmdline: C:\WINDOWS\system32\cmd.exe /c rd /s /q t: | PID:320
[depth 3] image: C:\WINDOWS\SysWOW64\cmd.exe | cmdline: C:\WINDOWS\system32\cmd.exe /c rd /s /q s: | PID:2084
[depth 3] image: C:\WINDOWS\SysWOW64\cmd.exe | cmdline: C:\WINDOWS\system32\cmd.exe /c rd /s /q r: | PID:1896
[depth 3] image: C:\WINDOWS\SysWOW64\cmd.exe | cmdline: C:\WINDOWS\system32\cmd.exe /c rd /s /q q: | PID:1680
[depth 3] image: C:\WINDOWS\SysWOW64\cmd.exe | cmdline: C:\WINDOWS\system32\cmd.exe /c rd /s /q p: | PID:2992
[depth 3] image: C:\WINDOWS\SysWOW64\cmd.exe | cmdline: C:\WINDOWS\system32\cmd.exe /c rd /s /q o: | PID:2724
[depth 3] image: C:\WINDOWS\SysWOW64\cmd.exe | cmdline: C:\WINDOWS\system32\cmd.exe /c rd /s /q n: | PID:3056
[depth 3] image: C:\WINDOWS\SysWOW64\cmd.exe | cmdline: C:\WINDOWS\system32\cmd.exe /c rd /s /q m: | PID:956
[depth 3] image: C:\WINDOWS\SysWOW64\cmd.exe | cmdline: C:\WINDOWS\system32\cmd.exe /c rd /s /q l: | PID:1612
[depth 3] image: C:\WINDOWS\SysWOW64\cmd.exe | cmdline: C:\WINDOWS\system32\cmd.exe /c rd /s /q k: | PID:1912
[depth 3] image: C:\WINDOWS\SysWOW64\cmd.exe | cmdline: C:\WINDOWS\system32\cmd.exe /c rd /s /q j: | PID:2804
[depth 3] image: C:\WINDOWS\SysWOW64\cmd.exe | cmdline: C:\WINDOWS\system32\cmd.exe /c rd /s /q i: | PID:2200
[depth 3] image: C:\WINDOWS\SysWOW64\cmd.exe | cmdline: C:\WINDOWS\system32\cmd.exe /c rd /s /q h: | PID:3020
[depth 3] image: C:\WINDOWS\SysWOW64\cmd.exe | cmdline: C:\WINDOWS\system32\cmd.exe /c rd /s /q g: | PID:2476
[depth 3] image: C:\WINDOWS\SysWOW64\cmd.exe | cmdline: C:\WINDOWS\system32\cmd.exe /c rd /s /q f: | PID:2468
[depth 3] image: C:\WINDOWS\SysWOW64\cmd.exe | cmdline: C:\WINDOWS\system32\cmd.exe /c rd /s /q e: | PID:1956
[depth 3] image: C:\WINDOWS\SysWOW64\cmd.exe | cmdline: C:\WINDOWS\system32\cmd.exe /c rd /s /q d: | PID:2988
[depth 3] image: C:\WINDOWS\SysWOW64\cmd.exe | cmdline: C:\WINDOWS\system32\cmd.exe /c rd /s /q c: | PID:2776
[depth 3] image: C:\Windows\Black Hole.exe | cmdline: "C:\Windows\Black Hole.exe"
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Modifies system executable filetype association
- Windows security modification
- Adds Run key to start application
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1196
[depth 4] image: C:\WINDOWS\SysWOW64\shutdown.exe | cmdline: C:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!
- Suspicious use of AdjustPrivilegeToken
PID:1860
[depth 3] image: C:\Windows\SysWOW64\Lubang Hitam.exe | cmdline: "C:\Windows\system32\Lubang Hitam.exe"
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Windows security modification
- Adds Run key to start application
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:2276
[depth 4] image: C:\WINDOWS\SysWOW64\shutdown.exe | cmdline: C:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!
- Suspicious use of AdjustPrivilegeToken
PID:2284
[depth 4] image: C:\WINDOWS\SysWOW64\cmd.exe | cmdline: C:\WINDOWS\system32\cmd.exe /c rd /s /q z: | PID:2892
[depth 4] image: C:\WINDOWS\SysWOW64\cmd.exe | cmdline: C:\WINDOWS\system32\cmd.exe /c rd /s /q y: | PID:552
[depth 4] image: C:\WINDOWS\SysWOW64\cmd.exe | cmdline: C:\WINDOWS\system32\cmd.exe /c rd /s /q x: | PID:1616
[depth 4] image: C:\WINDOWS\SysWOW64\cmd.exe | cmdline: C:\WINDOWS\system32\cmd.exe /c rd /s /q w: | PID:1704
[depth 4] image: C:\WINDOWS\SysWOW64\cmd.exe | cmdline: C:\WINDOWS\system32\cmd.exe /c rd /s /q v: | PID:2596
[depth 4] image: C:\WINDOWS\SysWOW64\cmd.exe | cmdline: C:\WINDOWS\system32\cmd.exe /c rd /s /q u: | PID:2096
[depth 4] image: C:\WINDOWS\SysWOW64\cmd.exe | cmdline: C:\WINDOWS\system32\cmd.exe /c rd /s /q t: | PID:2572
[depth 4] image: C:\WINDOWS\SysWOW64\cmd.exe | cmdline: C:\WINDOWS\system32\cmd.exe /c rd /s /q s: | PID:2948
[depth 4] image: C:\WINDOWS\SysWOW64\cmd.exe | cmdline: C:\WINDOWS\system32\cmd.exe /c rd /s /q r: | PID:2832
[depth 4] image: C:\WINDOWS\SysWOW64\cmd.exe | cmdline: C:\WINDOWS\system32\cmd.exe /c rd /s /q q: | PID:2768
[depth 4] image: C:\WINDOWS\SysWOW64\cmd.exe | cmdline: C:\WINDOWS\system32\cmd.exe /c rd /s /q p: | PID:832
[depth 4] image: C:\WINDOWS\SysWOW64\cmd.exe | cmdline: C:\WINDOWS\system32\cmd.exe /c rd /s /q o: | PID:604
[depth 4] image: C:\WINDOWS\SysWOW64\cmd.exe | cmdline: C:\WINDOWS\system32\cmd.exe /c rd /s /q n: | PID:1904
[depth 4] image: C:\WINDOWS\SysWOW64\cmd.exe | cmdline: C:\WINDOWS\system32\cmd.exe /c rd /s /q m: | PID:2032
[depth 4] image: C:\WINDOWS\SysWOW64\cmd.exe | cmdline: C:\WINDOWS\system32\cmd.exe /c rd /s /q l: | PID:1848
[depth 4] image: C:\WINDOWS\SysWOW64\cmd.exe | cmdline: C:\WINDOWS\system32\cmd.exe /c rd /s /q k: | PID:1888
[depth 4] image: C:\WINDOWS\SysWOW64\cmd.exe | cmdline: C:\WINDOWS\system32\cmd.exe /c rd /s /q j: | PID:1076
[depth 4] image: C:\WINDOWS\SysWOW64\cmd.exe | cmdline: C:\WINDOWS\system32\cmd.exe /c rd /s /q i: | PID:2580
[depth 4] image: C:\WINDOWS\SysWOW64\cmd.exe | cmdline: C:\WINDOWS\system32\cmd.exe /c rd /s /q h: | PID:1104
[depth 4] image: C:\WINDOWS\SysWOW64\cmd.exe | cmdline: C:\WINDOWS\system32\cmd.exe /c rd /s /q g: | PID:1876
[depth 4] image: C:\WINDOWS\SysWOW64\cmd.exe | cmdline: C:\WINDOWS\system32\cmd.exe /c rd /s /q f: | PID:2932
[depth 4] image: C:\WINDOWS\SysWOW64\cmd.exe | cmdline: C:\WINDOWS\system32\cmd.exe /c rd /s /q e: | PID:568
[depth 4] image: C:\WINDOWS\SysWOW64\cmd.exe | cmdline: C:\WINDOWS\system32\cmd.exe /c rd /s /q d: | PID:268
[depth 4] image: C:\WINDOWS\SysWOW64\cmd.exe | cmdline: C:\WINDOWS\system32\cmd.exe /c rd /s /q c: | PID:1280
[depth 4] image: C:\Windows\Black Hole.exe | cmdline: "C:\Windows\Black Hole.exe"
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1832
[depth 5] image: C:\WINDOWS\SysWOW64\shutdown.exe | cmdline: C:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!
- Suspicious use of AdjustPrivilegeToken
PID:1956
[depth 4] image: C:\Windows\SysWOW64\Lubang Hitam.exe | cmdline: "C:\Windows\system32\Lubang Hitam.exe"
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:1952
[depth 5] image: C:\WINDOWS\SysWOW64\shutdown.exe | cmdline: C:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!
- Suspicious use of AdjustPrivilegeToken
PID:2300
[depth 2] image: C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE | cmdline: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Modifies system executable filetype association
- Windows security modification
- Adds Run key to start application
- Modifies Control Panel
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1604
[depth 3] image: C:\WINDOWS\SysWOW64\shutdown.exe | cmdline: C:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!
- Suspicious use of AdjustPrivilegeToken
PID:2900
[depth 3] image: C:\WINDOWS\SysWOW64\cmd.exe | cmdline: C:\WINDOWS\system32\cmd.exe /c rd /s /q z: | PID:1160
[depth 3] image: C:\WINDOWS\SysWOW64\cmd.exe | cmdline: C:\WINDOWS\system32\cmd.exe /c rd /s /q y: | PID:1724
[depth 3] image: C:\WINDOWS\SysWOW64\cmd.exe | cmdline: C:\WINDOWS\system32\cmd.exe /c rd /s /q x: | PID:764
[depth 3] image: C:\WINDOWS\SysWOW64\cmd.exe | cmdline: C:\WINDOWS\system32\cmd.exe /c rd /s /q w: | PID:2100
[depth 3] image: C:\WINDOWS\SysWOW64\cmd.exe | cmdline: C:\WINDOWS\system32\cmd.exe /c rd /s /q v: | PID:2020
[depth 3] image: C:\WINDOWS\SysWOW64\cmd.exe | cmdline: C:\WINDOWS\system32\cmd.exe /c rd /s /q u: | PID:1816
[depth 3] image: C:\WINDOWS\SysWOW64\cmd.exe | cmdline: C:\WINDOWS\system32\cmd.exe /c rd /s /q t: | PID:1712
[depth 3] image: C:\WINDOWS\SysWOW64\cmd.exe | cmdline: C:\WINDOWS\system32\cmd.exe /c rd /s /q s: | PID:1996
[depth 3] image: C:\WINDOWS\SysWOW64\cmd.exe | cmdline: C:\WINDOWS\system32\cmd.exe /c rd /s /q r: | PID:2608
[depth 3] image: C:\WINDOWS\SysWOW64\cmd.exe | cmdline: C:\WINDOWS\system32\cmd.exe /c rd /s /q q: | PID:2092
[depth 3] image: C:\WINDOWS\SysWOW64\cmd.exe | cmdline: C:\WINDOWS\system32\cmd.exe /c rd /s /q p: | PID:816
[depth 3] image: C:\WINDOWS\SysWOW64\cmd.exe | cmdline: C:\WINDOWS\system32\cmd.exe /c rd /s /q o: | PID:1504
[depth 3] image: C:\WINDOWS\SysWOW64\cmd.exe | cmdline: C:\WINDOWS\system32\cmd.exe /c rd /s /q n: | PID:1244
[depth 3] image: C:\WINDOWS\SysWOW64\cmd.exe | cmdline: C:\WINDOWS\system32\cmd.exe /c rd /s /q m: | PID:1136
[depth 3] image: C:\WINDOWS\SysWOW64\cmd.exe | cmdline: C:\WINDOWS\system32\cmd.exe /c rd /s /q l: | PID:2940
[depth 3] image: C:\WINDOWS\SysWOW64\cmd.exe | cmdline: C:\WINDOWS\system32\cmd.exe /c rd /s /q k: | PID:2772
[depth 3] image: C:\WINDOWS\SysWOW64\cmd.exe | cmdline: C:\WINDOWS\system32\cmd.exe /c rd /s /q j: | PID:3048
[depth 3] image: C:\WINDOWS\SysWOW64\cmd.exe | cmdline: C:\WINDOWS\system32\cmd.exe /c rd /s /q i: | PID:876
[depth 2] image: C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE | cmdline: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Windows security modification
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:2336
[depth 3] image: C:\WINDOWS\SysWOW64\shutdown.exe | cmdline: C:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!
- Suspicious use of AdjustPrivilegeToken
PID:1372
[depth 3] image: C:\WINDOWS\SysWOW64\cmd.exe | cmdline: C:\WINDOWS\system32\cmd.exe /c rd /s /q z: | PID:2752
[depth 3] image: C:\WINDOWS\SysWOW64\cmd.exe | cmdline: C:\WINDOWS\system32\cmd.exe /c rd /s /q y: | PID:2924
[depth 3] image: C:\WINDOWS\SysWOW64\cmd.exe | cmdline: C:\WINDOWS\system32\cmd.exe /c rd /s /q x: | PID:888
[depth 3] image: C:\WINDOWS\SysWOW64\cmd.exe | cmdline: C:\WINDOWS\system32\cmd.exe /c rd /s /q w: | PID:2420
[depth 3] image: C:\WINDOWS\SysWOW64\cmd.exe | cmdline: C:\WINDOWS\system32\cmd.exe /c rd /s /q v: | PID:2912
[depth 3] image: C:\WINDOWS\SysWOW64\cmd.exe | cmdline: C:\WINDOWS\system32\cmd.exe /c rd /s /q u: | PID:2928
[depth 3] image: C:\WINDOWS\SysWOW64\cmd.exe | cmdline: C:\WINDOWS\system32\cmd.exe /c rd /s /q t: | PID:2192
[depth 3] image: C:\WINDOWS\SysWOW64\cmd.exe | cmdline: C:\WINDOWS\system32\cmd.exe /c rd /s /q s: | PID:1524
[depth 3] image: C:\WINDOWS\SysWOW64\cmd.exe | cmdline: C:\WINDOWS\system32\cmd.exe /c rd /s /q r: | PID:2852
[depth 3] image: C:\WINDOWS\SysWOW64\cmd.exe | cmdline: C:\WINDOWS\system32\cmd.exe /c rd /s /q q: | PID:2028
[depth 3] image: C:\WINDOWS\SysWOW64\cmd.exe | cmdline: C:\WINDOWS\system32\cmd.exe /c rd /s /q p: | PID:2612
[depth 3] image: C:\WINDOWS\SysWOW64\cmd.exe | cmdline: C:\WINDOWS\system32\cmd.exe /c rd /s /q o: | PID:2308
[depth 3] image: C:\WINDOWS\SysWOW64\cmd.exe | cmdline: C:\WINDOWS\system32\cmd.exe /c rd /s /q n: | PID:2280
[depth 3] image: C:\WINDOWS\SysWOW64\cmd.exe | cmdline: C:\WINDOWS\system32\cmd.exe /c rd /s /q m: | PID:2516
[depth 3] image: C:\WINDOWS\SysWOW64\cmd.exe | cmdline: C:\WINDOWS\system32\cmd.exe /c rd /s /q l: | PID:2380
[depth 3] image: C:\WINDOWS\SysWOW64\cmd.exe | cmdline: C:\WINDOWS\system32\cmd.exe /c rd /s /q k: | PID:2388
[depth 3] image: C:\WINDOWS\SysWOW64\cmd.exe | cmdline: C:\WINDOWS\system32\cmd.exe /c rd /s /q j: | PID:2980
[depth 3] image: C:\WINDOWS\SysWOW64\cmd.exe | cmdline: C:\WINDOWS\system32\cmd.exe /c rd /s /q i: | PID:3024
[depth 3] image: C:\WINDOWS\SysWOW64\cmd.exe | cmdline: C:\WINDOWS\system32\cmd.exe /c rd /s /q h: | PID:2288
[depth 3] image: C:\WINDOWS\SysWOW64\cmd.exe | cmdline: C:\WINDOWS\system32\cmd.exe /c rd /s /q g: | PID:1036
[depth 3] image: C:\WINDOWS\SysWOW64\cmd.exe | cmdline: C:\WINDOWS\system32\cmd.exe /c rd /s /q f: | PID:1764
[depth 3] image: C:\WINDOWS\SysWOW64\cmd.exe | cmdline: C:\WINDOWS\system32\cmd.exe /c rd /s /q e: | PID:2732
[depth 3] image: C:\WINDOWS\SysWOW64\cmd.exe | cmdline: C:\WINDOWS\system32\cmd.exe /c rd /s /q d: | PID:1720
[depth 3] image: C:\WINDOWS\SysWOW64\cmd.exe | cmdline: C:\WINDOWS\system32\cmd.exe /c rd /s /q c: | PID:2940
[depth 3] image: C:\Windows\Black Hole.exe | cmdline: "C:\Windows\Black Hole.exe"
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Modifies system executable filetype association
- Windows security modification
- Adds Run key to start application
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:2408
[depth 4] image: C:\WINDOWS\SysWOW64\shutdown.exe | cmdline: C:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!
- Suspicious use of AdjustPrivilegeToken
PID:3020
[depth 3] image: C:\Windows\SysWOW64\Lubang Hitam.exe | cmdline: "C:\Windows\system32\Lubang Hitam.exe"
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2816
[depth 4] image: C:\WINDOWS\SysWOW64\shutdown.exe | cmdline: C:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!
- Suspicious use of AdjustPrivilegeToken
PID:1912
[depth 2] image: C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE | cmdline: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:336
[depth 3] image: C:\WINDOWS\SysWOW64\shutdown.exe | cmdline: C:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found! | PID:2452
[depth 1] image: C:\Windows\system32\conhost.exe | cmdline: \??\C:\Windows\system32\conhost.exe "-1427058273-21386388291477859681001870552-94295510714080746483583871731332766223" | PID:2736
[depth 1] image: C:\Windows\system32\conhost.exe | cmdline: \??\C:\Windows\system32\conhost.exe "1070991449-297980665793570782391566882-10365370062533244151931586448546184095" | PID:2824
[depth 1] image: C:\Windows\system32\conhost.exe | cmdline: \??\C:\Windows\system32\conhost.exe "284284374-69451545558533792856860411019268427-194697414618123701151118202606" | PID:2188
[depth 1] image: C:\Windows\system32\conhost.exe | cmdline: \??\C:\Windows\system32\conhost.exe "-1280229255-775874964-2136244368-1967473946-10037375421311620275491591347379022449" | PID:1824
[depth 1] image: C:\Windows\system32\conhost.exe | cmdline: \??\C:\Windows\system32\conhost.exe "16507519599963853161104793543205094860575885867813011431601492500094-1967063851" | PID:1376
[depth 1] image: C:\Windows\system32\conhost.exe | cmdline: \??\C:\Windows\system32\conhost.exe "-968038117425612002-1591601601909605265765138313-1329929641-1665451633361250784" | PID:2972
[depth 1] image: C:\Windows\system32\conhost.exe | cmdline: \??\C:\Windows\system32\conhost.exe "-41129875-2010315590-1394347315-95234674497068218-1161866817-230404889-215342419" | PID:1872
[depth 1] image: C:\Windows\system32\conhost.exe | cmdline: \??\C:\Windows\system32\conhost.exe "136443803513615950011066388178-210476110-627210963-409314324-5075457741447791317" | PID:1260
[depth 1] image: C:\Windows\system32\conhost.exe | cmdline: \??\C:\Windows\system32\conhost.exe "8765084956008739483213140686587596491287077621-898051383-1965073281197148098" | PID:1868
[depth 1] image: C:\Windows\system32\conhost.exe | cmdline: \??\C:\Windows\system32\conhost.exe "-1826951922-1280546151291823345487147757-15179456012033474099-5583284401509459249" | PID:1560
[depth 1] image: C:\Windows\system32\conhost.exe | cmdline: \??\C:\Windows\system32\conhost.exe "-8764423331102060022-634806191587414931-875420878611327947-705164842755457627" | PID:2724
[depth 1] image: C:\Windows\system32\conhost.exe | cmdline: \??\C:\Windows\system32\conhost.exe "2001311326-2082566444-779469288-305199164-1147339863-891240758742572895658898691" | PID:1612
[depth 1] image: C:\Windows\system32\conhost.exe | cmdline: \??\C:\Windows\system32\conhost.exe "-7153902626552423541430387931961792042882302272-1321117854673330779-1358448958" | PID:2200
[depth 1] image: C:\Windows\system32\conhost.exe | cmdline: \??\C:\Windows\system32\conhost.exe "-4942353118248274851123097971-1446983559-178467438321351195011996989241-1936113088" | PID:2064
[depth 1] image: C:\Windows\system32\conhost.exe | cmdline: \??\C:\Windows\system32\conhost.exe "-18836275111935561132-20543101031101125631-1837592783-19494916181021487826645021508" | PID:2988
[depth 1] image: C:\Windows\system32\conhost.exe | cmdline: \??\C:\Windows\system32\conhost.exe "-43793316-1237271988-2093999148-133083489-26145760-187821174462599510-297118918" | PID:2776
[depth 1] image: C:\Windows\system32\conhost.exe | cmdline: \??\C:\Windows\system32\conhost.exe "-4518957271371348321-296935525-1009373438-1398011528836577373151525549868823533" | PID:528
[depth 1] image: C:\Windows\system32\conhost.exe | cmdline: \??\C:\Windows\system32\conhost.exe "-1925824948-1021809997-335382721946069100734975011-398064583121323486569079579" | PID:1728
[depth 1] image: C:\Windows\system32\conhost.exe | cmdline: \??\C:\Windows\system32\conhost.exe "1334876691-1862879921647973308-2023291890-17013412152074254145-16771039331688405515" | PID:1860
[depth 1] image: C:\Windows\system32\conhost.exe | cmdline: \??\C:\Windows\system32\conhost.exe "17570447071510673365-956146030-47957632-661705190-7646845432131012937-1483841876" | PID:996
[depth 1] image: C:\Windows\system32\conhost.exe | cmdline: \??\C:\Windows\system32\conhost.exe "1021143046-1972877755-6785182731566781446-180840328610333529971110584839-1803017366" | PID:2740
[depth 1] image: C:\Windows\system32\conhost.exe | cmdline: \??\C:\Windows\system32\conhost.exe "4575097410806302082973373971125663093-11445002622029905978-640084114263399884" | PID:2472
[depth 1] image: C:\Windows\system32\conhost.exe | cmdline: \??\C:\Windows\system32\conhost.exe "-13839896831466623179-1870562423-1537701841-378081436-18709388261767969688-1914693168" | PID:2480
[depth 1] image: C:\Windows\system32\conhost.exe | cmdline: \??\C:\Windows\system32\conhost.exe "343264077-15694637281501913270-173841807194017185582131428-16050316971525741360" | PID:1504
Network
MITRE ATT&CK Enterprise v15
- Persistence
  - Boot or Logon Autostart Execution 2
    - Registry Run Keys / Startup Folder 1
    - Winlogon Helper DLL 1
  - Event Triggered Execution 1
    - Change Default File Association 1
- Privilege Escalation
  - Boot or Logon Autostart Execution 2
    - Registry Run Keys / Startup Folder 1
    - Winlogon Helper DLL 1
  - Event Triggered Execution 1
    - Change Default File Association 1
- Defense Evasion
  - Hide Artifacts 2
    - Hidden Files and Directories 2
  - Impair Defenses 2
    - Disable or Modify Tools 2
  - Modify Registry 8
Downloads
- Filesize 70KB
  MD5 499370c82546d88953f523061b9b7746
  SHA1 8125184c901300f498552b4297f8dce93b71ab3e
  SHA256 583225302b62be144ab90af5ba8cb3b3c08f50408eb63103216efd07b76126df
  SHA512 0d5e2b833c4df34a7d4dfe83f4df4e30b898518debbdb1699497182227ed992ff0188fa039a0b892ba3f8d2fb70ad7c75dd1d03918b659f2b5f9a118b0968851
- Filesize 70KB
  MD5 40ceec1d3f871df28c1003c7d60798f2
  SHA1 071319a10d466fe684525937241e9d56bcae8843
  SHA256 d0fd80bf68da48fd3e6e2013b89822ad243e3043144a20587d55ec7b68735638
  SHA512 5728a16bb102c53d6c24ac1d8fa15c90671e982a2d68d1cf96978b581979582347e46625c7eef21a1009684617a7a718339bf6ab209d1b34a013e62d359393d7
- Filesize 70KB
  MD5 e4af15d2521d797275e5524c90825d84
  SHA1 ec8f100699d08b77039e5f0c2546f2359ccb3d14
  SHA256 65ac72860e1e1fc25ea06fea7296b76b15dc30c5c3d83e39b0cd44687c1090ec
  SHA512 3412ce74b27330b90655bdf7d8b5a9b7165e662dc7f228bb0ec274336cb012b583024e72d861e8ea0b60472c2b90251c829f9e3316b1c5e17da55363b13ba061
- Filesize 70KB
  MD5 bafacc6d804b737619c410023439e4be
  SHA1 3f0106174ab553865283b5062484708d163e868c
  SHA256 a4714b1eeeb730873367ba33df06c19d65d719d600b093a6944a19ea0ae52ba7
  SHA512 ef239544dea0abed4374ca954354609533f0bba484f708d5d2e0d03cf4b633f8e141f24f1888a4deffb893c0c20f613060f1bd2b3d4c227538e4f9decbd8440e
- Filesize 70KB
  MD5 91b723c8018dca0b644beaa0ce97325c
  SHA1 76da15bd668fc6f11efca7ce90ffdca5c1f6b7f6
  SHA256 2ea08b8062a7818f2d0a5f7784ee81808e9bef6d9199776329b8e6746666eae6
  SHA512 8252e6a588ad859c85e6d6dddb23875595a5b7a1ddfeb29f879f6031f3285ba9d0fb0d0144d81d27fce4a248d443a09845c2a768d40729ca1c394e21f0edc4f1
- Filesize 70KB
  MD5 039b4217bd97a3937c54237b0c6c8462
  SHA1 9dd2b94b9a5e3ac60abf473551b2b31ab66297b4
  SHA256 ed13cdfd1ee92cd04522368151a2751fba4205939b76aa20781087a85e94c452
  SHA512 32bda88780e61d80e5382664aaaabc7c0a96d71110dfc2be4f2b30d9c3c6e24a46b6695bb408b6b7d5ce6df72831222def09a0f0a5e229981fb5b265c68a8542
- Filesize 70KB
  MD5 0fa022d0d6583b693ef2310e290f1c84
  SHA1 31676a9e82b66d4e0e40d73f273ef3ffe0878383
  SHA256 1012ad5784f769f7a393e48c12a3f55c419c319a4273731cfdf60fbeefacbe46
  SHA512 fa1baff54b8f105bc0f688855d559855a21afcc3165ac793409e9dc81b30c09b893f2d08e159d97874b373fe6455af8f61340e70f5cfd444c0ff38fb92028903
- Filesize 70KB
  MD5 e48bf33bfeafc13bd00744fc98aef3b5
  SHA1 d410e78785b7bfdf5ed0d5977c16c6063e34656b
  SHA256 7fda0c5a873761d812f4b92c88b853b427468cf179f8b5fc84e0379285d29c1b
  SHA512 b6a1772668b87c8f0aca25455a8e4fbe64ad8eec45e8d5f88748186e55e8c0de79536708020f0fae0df09858191a59f8ee64cf89caf1619ad4e24345ff24a992
- Filesize 1KB
  MD5 6635e047c242e6d64b2716d81095bf5f
  SHA1 5def5300f894e58bbb0caaa94680f7735ccd248d
  SHA256 9757b4f406657c44fcbd40757d1ae06e833a8e1542ca976e6ae63578031b32bf
  SHA512 c9bae9bf090e7c67fac53d061bb43c2091e991c8f568889463d0c1af8f48652c79c51785c0906705098b418b2d7a4b200580fb44091ecf8bf24d8b1b45a258c0
- Filesize 1KB
  MD5 e067dafcbe64a95f5045a281397732db
  SHA1 1af7095f98c486ca247449980000d06b04ffc50c
  SHA256 b6085ee8c1f2de574973b9f3a7417257e25573c2b5228b5a8f87e3788e2733b6
  SHA512 1b575d62fee219538f8d624ab833cbce0aee431559a0adfa1e3ce9cd4f5ab8a2887b394843ebf164c884ccbed5687d644474328471b23c28edba8f99ccf08b58
- Filesize 70KB
  MD5 f69ebac6ecc3b8d6a88930e2101fa50d
  SHA1 aae281e7cd28093ca4ad31e64f98740847b380af
  SHA256 f7d0194946c993f3c8479fdac85b8cabe7b0440d33d991c031996e929a24bc98
  SHA512 20a1a261aebbe769e0fac2ee7814fd501cd1c64b02e2c0a4573ca628b16049ee06e417cea6a2d18ba84b9ae69ee7ccc9bdd1613eb045625e5d3c0c6eeb7e7f01
- Filesize 70KB
  MD5 da19368219e86bf080701693b83daf14
  SHA1 2ba453f1b5b63eec6482a90a963393404edd799c
  SHA256 3a3ed346c80f8c556eea1c21f5522ce41f0eece0b0c01d8dd6b5d02c2d36667b
  SHA512 492714e9791c62ce61e3f313ebdc8eabf12ecfc07ec9a99e92e2bf4e30ab8f001c6fa496bfa30f794433c7aebb4de086cdac6f8b460b4222da6297b7a2b9ecbc
- Filesize 70KB
  MD5 bba70a3b7152ca2afb91b2629d885b56
  SHA1 12f468531989377138ed0e7af68f6176286dabda
  SHA256 00962b4905c240d20409aa5d621cfe00b9ad31164305e8cb294f5319c170e399
  SHA512 27fe892a858c146ec96929250fc121b7f23787637bb03de344a94cb94136fcb48e4664b8bc39667bf7984e47bd68d664c0694412f29a2f109f2471eb24dc37fc
- Filesize 1.3MB
  MD5 5343a19c618bc515ceb1695586c6c137
  SHA1 4dedae8cbde066f31c8e6b52c0baa3f8b1117742
  SHA256 2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce
  SHA512 708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606
- Filesize 70KB
  MD5 2fd685a44814d363e81a07de7bee5233
  SHA1 a9170c0738cf9f0d746ff409907f13a93f0baf04
  SHA256 d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c
  SHA512 5bfddc19d55b0377410e1681de30336956f9f9f59b26f8237863079b7b0df0d05aec773ea5e3045dba3b5bed4109b536c75a171d356494285a8a5dd498c87bf5
- Filesize 93B
  MD5 4809daf962803cad2b891b94c195d3dd
  SHA1 707bdd28edcf5e9e288959f62d4da8823777ec12
  SHA256 3468667630714eb86464ecfe903b59a843670ade55b49ac9d653421b91bcf139
  SHA512 c9c233b22a853ce17731cb3466f7e8234da4e3de0dec6cc48ed15232303d4f29c49770e20a7064ad9329f8d9d27f8d4b547443d837320f58ac230973bb7dd11f
- Filesize 3KB
  MD5 5c462f1ea2917c0b502ae0761c0f60d8
  SHA1 c1d15b093b2843528544d77dc0d9d4e3b8a85297
  SHA256 09c76898e4fa4174c53c2ad514274b5d2ca636ec6f223be5fda4c6135ec4ac10
  SHA512 e6219ccbabe77a4999ade79c7074753495da9c61d6451c53be34219cc19746ca9a0dadef3b47cd8859cd59604064af5e9fc2a5044780bcfebaaa13dc08c36bbc
- Filesize 70KB
  MD5 dcf5b449fe01fbf091278d4bf2613c18
  SHA1 f2ec640d467764e211cba73b533fd20c3e8e6f03
  SHA256 e7c56ab586d2270948d36a499ac671bab781ee7c440772cd0e1406e65fbb6c0a
  SHA512 b9f9f15b9643d99f6c416e0e798fa6f091da7af7eddab02f5b3fd0867e5c9dae4a66d81f5406b21a7a5548dc32f7e64f512c5c1d2e9f33827eb0e0bc30891133
- Filesize 70KB
  MD5 790b515819f3521aecd69eb32165b154
  SHA1 8f7b1353fd871a428abbab60c9ee976f0aba19e3
  SHA256 013b6afb97b19745b4e31bb5b73b22c4c7f647fcd50c664d446009b27289e303
  SHA512 f6c1552596c4e9ea39e746312766f383a410bfbc670d9060f68abf93a4a96a5d00ddde5b09955627c2de1f2f07374c38ec902685815e21875ae654222a4b0a11