Analysis Overview
SHA256
d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c
Threat Level: Known bad
The file d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c was found to be: Known bad.
Malicious Activity Summary
Windows security bypass
Modifies visibility of hidden/system files in Explorer
Modifies visibility of file extensions in Explorer
Modifies WinLogon for persistence
Disables use of System Restore points
Disables RegEdit via registry modification
Disables Task Manager via registry modification
Loads dropped DLL
Executes dropped EXE
Modifies system executable filetype association
Windows security modification
Enumerates connected drives
Adds Run key to start application
Drops autorun.inf file
Drops file in System32 directory
Drops file in Windows directory
Unsigned PE
Enumerates physical storage devices
System policy modification
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: EnumeratesProcesses
Modifies Control Panel
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-01 03:52
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-01 03:52
Reported
2024-06-01 03:55
Platform
win7-20240221-en
Max time kernel
150s
Max time network
126s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\Lubang Hitam.exe\"" | C:\Windows\SysWOW64\Lubang Hitam.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\Lubang Hitam.exe\"" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Lubang Hitam.exe" | C:\Users\Admin\AppData\Local\Temp\d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\Lubang Hitam.exe\"" | C:\Windows\Black Hole.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Lubang Hitam.exe" | C:\Windows\Black Hole.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Lubang Hitam.exe" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\Lubang Hitam.exe\"" | C:\Windows\Black Hole.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Lubang Hitam.exe" | C:\Windows\Black Hole.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\Lubang Hitam.exe\"" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\Lubang Hitam.exe\"" | C:\Windows\Black Hole.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Lubang Hitam.exe" | C:\Windows\SysWOW64\Lubang Hitam.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Lubang Hitam.exe" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\Lubang Hitam.exe\"" | C:\Windows\Black Hole.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Lubang Hitam.exe" | C:\Windows\SysWOW64\Lubang Hitam.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\Lubang Hitam.exe\"" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Lubang Hitam.exe" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Lubang Hitam.exe" | C:\Windows\Black Hole.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\Lubang Hitam.exe\"" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Lubang Hitam.exe" | C:\Windows\Black Hole.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\Lubang Hitam.exe\"" | C:\Users\Admin\AppData\Local\Temp\d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\Lubang Hitam.exe\"" | C:\Windows\SysWOW64\Lubang Hitam.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Lubang Hitam.exe" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE | N/A |
Modifies visibility of file extensions in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\Black Hole.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\Lubang Hitam.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\Black Hole.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\Black Hole.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\Lubang Hitam.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Users\Admin\AppData\Local\Temp\d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\Black Hole.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE | N/A |
Modifies visibility of hidden/system files in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Windows\Black Hole.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Windows\Black Hole.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Windows\SysWOW64\Lubang Hitam.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Windows\Black Hole.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Windows\Black Hole.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Windows\SysWOW64\Lubang Hitam.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\AppData\Local\Temp\d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE | N/A |
Windows security bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Windows\Black Hole.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Windows\Black Hole.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Windows\Black Hole.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Windows\SysWOW64\Lubang Hitam.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Windows\SysWOW64\Lubang Hitam.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Windows\Black Hole.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Windows\Black Hole.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Windows\Black Hole.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Windows\SysWOW64\Lubang Hitam.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Windows\Black Hole.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Windows\Black Hole.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Windows\SysWOW64\Lubang Hitam.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Windows\Black Hole.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Windows\Black Hole.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Windows\SysWOW64\Lubang Hitam.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Windows\Black Hole.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Windows\SysWOW64\Lubang Hitam.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Windows\Black Hole.exe | N/A |
Disables RegEdit via registry modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Windows\Black Hole.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Windows\SysWOW64\Lubang Hitam.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Windows\Black Hole.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Windows\SysWOW64\Lubang Hitam.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Windows\Black Hole.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Windows\Black Hole.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Windows\Black Hole.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Windows\SysWOW64\Lubang Hitam.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Windows\Black Hole.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Windows\SysWOW64\Lubang Hitam.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Windows\Black Hole.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Windows\Black Hole.exe | N/A |
Disables Task Manager via registry modification
Disables use of System Restore points
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Black Hole.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Lubang Hitam.exe | N/A |
| N/A | N/A | C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE | N/A |
| N/A | N/A | C:\Windows\Black Hole.exe | N/A |
| N/A | N/A | C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Lubang Hitam.exe | N/A |
| N/A | N/A | C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE | N/A |
| N/A | N/A | C:\Windows\Black Hole.exe | N/A |
| N/A | N/A | C:\Windows\Black Hole.exe | N/A |
| N/A | N/A | C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Lubang Hitam.exe | N/A |
| N/A | N/A | C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE | N/A |
| N/A | N/A | C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE | N/A |
| N/A | N/A | C:\Windows\Black Hole.exe | N/A |
| N/A | N/A | C:\Windows\Black Hole.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Lubang Hitam.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Lubang Hitam.exe | N/A |
Loads dropped DLL
Modifies system executable filetype association
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" | C:\Windows\SysWOW64\Lubang Hitam.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" | C:\Windows\SysWOW64\Lubang Hitam.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | C:\Windows\Black Hole.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | C:\Windows\SysWOW64\Lubang Hitam.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" | C:\Windows\SysWOW64\Lubang Hitam.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" | C:\Windows\SysWOW64\Lubang Hitam.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | C:\Windows\Black Hole.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | C:\Windows\Black Hole.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | C:\Windows\Black Hole.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | C:\Windows\Black Hole.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" | C:\Windows\Black Hole.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | C:\Windows\Black Hole.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" | C:\Windows\Black Hole.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | C:\Windows\SysWOW64\Lubang Hitam.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" | C:\Windows\Black Hole.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | C:\Windows\SysWOW64\Lubang Hitam.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | C:\Windows\Black Hole.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" | C:\Windows\SysWOW64\Lubang Hitam.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" | C:\Windows\Black Hole.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | C:\Windows\Black Hole.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | C:\Windows\Black Hole.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | C:\Windows\Black Hole.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | C:\Windows\SysWOW64\Lubang Hitam.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | C:\Windows\SysWOW64\Lubang Hitam.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | C:\Windows\Black Hole.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open | C:\Users\Admin\AppData\Local\Temp\d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | C:\Windows\SysWOW64\Lubang Hitam.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" | C:\Windows\Black Hole.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" | C:\Windows\SysWOW64\Lubang Hitam.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | C:\Windows\SysWOW64\Lubang Hitam.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | C:\Windows\SysWOW64\Lubang Hitam.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" | C:\Windows\Black Hole.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | C:\Windows\SysWOW64\Lubang Hitam.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" | C:\Windows\SysWOW64\Lubang Hitam.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Windows\Black Hole.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Windows\Black Hole.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Windows\Black Hole.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Windows\SysWOW64\Lubang Hitam.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\ | C:\Windows\Black Hole.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Windows\Black Hole.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\ | C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\ | C:\Windows\SysWOW64\Lubang Hitam.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Windows\Black Hole.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\ | C:\Users\Admin\AppData\Local\Temp\d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\ | C:\Windows\Black Hole.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Windows\SysWOW64\Lubang Hitam.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\ | C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Windows\Black Hole.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Windows\Black Hole.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Windows\Black Hole.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Windows\SysWOW64\Lubang Hitam.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\ | C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Windows\Black Hole.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Windows\SysWOW64\Lubang Hitam.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Windows\Black Hole.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Windows\Black Hole.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Windows\SysWOW64\Lubang Hitam.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\ | C:\Windows\Black Hole.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\ | C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Windows\Black Hole.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Windows\SysWOW64\Lubang Hitam.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\ | C:\Windows\SysWOW64\Lubang Hitam.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\ | C:\Windows\Black Hole.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE" | C:\Windows\Black Hole.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" | C:\Windows\SysWOW64\Lubang Hitam.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" | C:\Windows\Black Hole.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Black Hole = "C:\\Windows\\Black Hole.exe" | C:\Windows\Black Hole.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" | C:\Windows\Black Hole.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE" | C:\Windows\SysWOW64\Lubang Hitam.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Black Hole = "C:\\Windows\\Black Hole.exe" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Black Hole = "C:\\Windows\\Black Hole.exe" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE" | C:\Windows\Black Hole.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" | C:\Windows\SysWOW64\Lubang Hitam.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Black Hole = "C:\\Windows\\Black Hole.exe" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Black Hole = "C:\\Windows\\Black Hole.exe" | C:\Windows\SysWOW64\Lubang Hitam.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" | C:\Windows\Black Hole.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Black Hole = "C:\\Windows\\Black Hole.exe" | C:\Windows\SysWOW64\Lubang Hitam.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Black Hole = "C:\\Windows\\Black Hole.exe" | C:\Windows\Black Hole.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" | C:\Windows\Black Hole.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE" | C:\Windows\SysWOW64\Lubang Hitam.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" | C:\Windows\Black Hole.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE" | C:\Users\Admin\AppData\Local\Temp\d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" | C:\Windows\SysWOW64\Lubang Hitam.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" | C:\Windows\Black Hole.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE" | C:\Windows\SysWOW64\Lubang Hitam.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE" | C:\Windows\Black Hole.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE" | C:\Users\Admin\AppData\Local\Temp\d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" | C:\Windows\Black Hole.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" | C:\Windows\Black Hole.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE" | C:\Windows\Black Hole.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE" | C:\Windows\Black Hole.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Black Hole = "C:\\Windows\\Black Hole.exe" | C:\Users\Admin\AppData\Local\Temp\d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE" | C:\Windows\Black Hole.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Black Hole = "C:\\Windows\\Black Hole.exe" | C:\Windows\Black Hole.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Black Hole = "C:\\Windows\\Black Hole.exe" | C:\Windows\Black Hole.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE" | C:\Windows\Black Hole.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" | C:\Users\Admin\AppData\Local\Temp\d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Black Hole = "C:\\Windows\\Black Hole.exe" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" | C:\Windows\SysWOW64\Lubang Hitam.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE" | C:\Windows\SysWOW64\Lubang Hitam.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" | C:\Users\Admin\AppData\Local\Temp\d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE" | C:\Windows\Black Hole.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE | N/A |
Enumerates connected drives
Drops autorun.inf file
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\Destruction.scr | C:\Windows\SysWOW64\Lubang Hitam.exe | N/A |
| File created | C:\Windows\SysWOW64\Lubang Hitam.exe | C:\Windows\SysWOW64\Lubang Hitam.exe | N/A |
| File created | C:\Windows\SysWOW64\msvbvm60.dll | C:\Windows\SysWOW64\Lubang Hitam.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Shell.exe | C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE | N/A |
| File opened for modification | C:\Windows\SysWOW64\Lubang Hitam.exe | C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE | N/A |
| File opened for modification | C:\Windows\SysWOW64\Shell.exe | C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE | N/A |
| File opened for modification | C:\Windows\SysWOW64\Destruction.scr | C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE | N/A |
| File created | C:\Windows\SysWOW64\Shell.exe | C:\Users\Admin\AppData\Local\Temp\d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Lubang Hitam.exe | C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE | N/A |
| File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | C:\Windows\SysWOW64\Lubang Hitam.exe | N/A |
| File created | C:\Windows\SysWOW64\Lubang Hitam.exe | C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE | N/A |
| File created | C:\Windows\SysWOW64\msvbvm60.dll | C:\Windows\SysWOW64\Lubang Hitam.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | C:\Windows\SysWOW64\Lubang Hitam.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Lubang Hitam.exe | C:\Windows\SysWOW64\Lubang Hitam.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Destruction.scr | C:\Windows\SysWOW64\Lubang Hitam.exe | N/A |
| File created | C:\Windows\SysWOW64\msvbvm60.dll | C:\Windows\SysWOW64\Lubang Hitam.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Lubang Hitam.exe | C:\Users\Admin\AppData\Local\Temp\d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | C:\Windows\SysWOW64\Lubang Hitam.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | C:\Windows\SysWOW64\Lubang Hitam.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Shell.exe | C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE | N/A |
| File opened for modification | C:\Windows\SysWOW64\Destruction.scr | C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE | N/A |
| File created | C:\Windows\SysWOW64\msvbvm60.dll | C:\Windows\SysWOW64\Lubang Hitam.exe | N/A |
| File created | C:\Windows\SysWOW64\Lubang Hitam.exe | C:\Windows\SysWOW64\Lubang Hitam.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Lubang Hitam.exe | C:\Windows\SysWOW64\Lubang Hitam.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Shell.exe | C:\Users\Admin\AppData\Local\Temp\d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | C:\Windows\SysWOW64\Lubang Hitam.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Shell.exe | C:\Windows\SysWOW64\Lubang Hitam.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Shell.exe | C:\Windows\SysWOW64\Lubang Hitam.exe | N/A |
| File created | C:\Windows\SysWOW64\Lubang Hitam.exe | C:\Users\Admin\AppData\Local\Temp\d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Destruction.scr | C:\Users\Admin\AppData\Local\Temp\d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe | N/A |
| File created | C:\Windows\SysWOW64\msvbvm60.dll | C:\Windows\SysWOW64\Lubang Hitam.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Lubang Hitam.exe | C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE | N/A |
| File opened for modification | C:\Windows\SysWOW64\Destruction.scr | C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE | N/A |
| File created | C:\Windows\SysWOW64\Destruction.scr | C:\Users\Admin\AppData\Local\Temp\d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe | N/A |
Drops file in Windows directory
Enumerates physical storage devices
Modifies Control Panel
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\DESTRU~1.SCR" | C:\Users\Admin\AppData\Local\Temp\d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\DESTRU~1.SCR" | C:\Windows\SysWOW64\Lubang Hitam.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Mouse\SwapMouseButtons = "1" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\DESTRU~1.SCR" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Mouse\ | C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" | C:\Users\Admin\AppData\Local\Temp\d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" | C:\Windows\Black Hole.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Mouse\SwapMouseButtons = "1" | C:\Windows\SysWOW64\Lubang Hitam.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\DESTRU~1.SCR" | C:\Windows\Black Hole.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Mouse\SwapMouseButtons = "1" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Mouse\SwapMouseButtons = "1" | C:\Windows\SysWOW64\Lubang Hitam.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\ | C:\Windows\Black Hole.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Mouse\ | C:\Windows\SysWOW64\Lubang Hitam.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\ | C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\ | C:\Windows\Black Hole.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\ | C:\Users\Admin\AppData\Local\Temp\d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\DESTRU~1.SCR" | C:\Windows\Black Hole.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Mouse\SwapMouseButtons = "1" | C:\Windows\Black Hole.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Mouse\SwapMouseButtons = "1" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Mouse\SwapMouseButtons = "1" | C:\Windows\Black Hole.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" | C:\Windows\SysWOW64\Lubang Hitam.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" | C:\Windows\Black Hole.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" | C:\Windows\SysWOW64\Lubang Hitam.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\DESTRU~1.SCR" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Mouse\SwapMouseButtons = "1" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" | C:\Windows\Black Hole.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\ | C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\ | C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Mouse\SwapMouseButtons = "1" | C:\Windows\Black Hole.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Mouse\ | C:\Users\Admin\AppData\Local\Temp\d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\ | C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" | C:\Windows\Black Hole.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\ | C:\Windows\SysWOW64\Lubang Hitam.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\DESTRU~1.SCR" | C:\Windows\SysWOW64\Lubang Hitam.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Mouse\ | C:\Windows\Black Hole.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Mouse\ | C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Mouse\ | C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\ | C:\Windows\Black Hole.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" | C:\Users\Admin\AppData\Local\Temp\d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Mouse\ | C:\Windows\Black Hole.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Mouse\ | C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\ | C:\Windows\Black Hole.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\DESTRU~1.SCR" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" | C:\Windows\Black Hole.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" | C:\Windows\Black Hole.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\DESTRU~1.SCR" | C:\Windows\Black Hole.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Mouse\SwapMouseButtons = "1" | C:\Users\Admin\AppData\Local\Temp\d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" | C:\Windows\Black Hole.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" | C:\Windows\Black Hole.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Mouse\ | C:\Windows\Black Hole.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Mouse\SwapMouseButtons = "1" | C:\Windows\Black Hole.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" | C:\Windows\SysWOW64\Lubang Hitam.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" | C:\Windows\SysWOW64\Lubang Hitam.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Mouse\ | C:\Windows\Black Hole.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\ | C:\Windows\SysWOW64\Lubang Hitam.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Mouse\ | C:\Windows\SysWOW64\Lubang Hitam.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile | C:\Windows\Black Hole.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" | C:\Windows\Black Hole.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | C:\Windows\SysWOW64\Lubang Hitam.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | C:\Windows\SysWOW64\Lubang Hitam.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | C:\Windows\Black Hole.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" | C:\Windows\SysWOW64\Lubang Hitam.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" | C:\Windows\SysWOW64\Lubang Hitam.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | C:\Windows\Black Hole.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile | C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" | C:\Windows\Black Hole.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command | C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | C:\Windows\Black Hole.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | C:\Windows\Black Hole.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" | C:\Windows\Black Hole.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | C:\Windows\Black Hole.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | C:\Windows\SysWOW64\Lubang Hitam.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile | C:\Windows\SysWOW64\Lubang Hitam.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | C:\Windows\SysWOW64\Lubang Hitam.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | C:\Windows\Black Hole.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | C:\Windows\SysWOW64\Lubang Hitam.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" | C:\Windows\Black Hole.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" | C:\Windows\Black Hole.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile | C:\Windows\Black Hole.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command | C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" | C:\Windows\Black Hole.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | C:\Windows\Black Hole.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" | C:\Windows\SysWOW64\Lubang Hitam.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" | C:\Windows\Black Hole.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command | C:\Windows\Black Hole.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" | C:\Windows\Black Hole.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile | C:\Users\Admin\AppData\Local\Temp\d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" | C:\Windows\Black Hole.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" | C:\Windows\Black Hole.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | C:\Windows\Black Hole.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | C:\Windows\SysWOW64\Lubang Hitam.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" | C:\Windows\SysWOW64\Lubang Hitam.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | C:\Windows\Black Hole.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | C:\Windows\Black Hole.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | C:\Windows\Black Hole.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" | C:\Windows\Black Hole.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile | C:\Users\Admin\AppData\Local\Temp\d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\WINDOWS\SysWOW64\shutdown.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\WINDOWS\SysWOW64\shutdown.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\WINDOWS\SysWOW64\shutdown.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\WINDOWS\SysWOW64\shutdown.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\WINDOWS\SysWOW64\shutdown.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\WINDOWS\SysWOW64\shutdown.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\WINDOWS\SysWOW64\shutdown.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\WINDOWS\SysWOW64\shutdown.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\WINDOWS\SysWOW64\shutdown.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\WINDOWS\SysWOW64\shutdown.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\WINDOWS\SysWOW64\shutdown.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\WINDOWS\SysWOW64\shutdown.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\WINDOWS\SysWOW64\shutdown.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\WINDOWS\SysWOW64\shutdown.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\WINDOWS\SysWOW64\shutdown.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\WINDOWS\SysWOW64\shutdown.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\WINDOWS\SysWOW64\shutdown.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\WINDOWS\SysWOW64\shutdown.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\WINDOWS\SysWOW64\shutdown.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\WINDOWS\SysWOW64\shutdown.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\WINDOWS\SysWOW64\shutdown.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\WINDOWS\SysWOW64\shutdown.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\WINDOWS\SysWOW64\shutdown.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\WINDOWS\SysWOW64\shutdown.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\WINDOWS\SysWOW64\shutdown.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\WINDOWS\SysWOW64\shutdown.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\WINDOWS\SysWOW64\shutdown.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\WINDOWS\SysWOW64\shutdown.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\WINDOWS\SysWOW64\shutdown.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\WINDOWS\SysWOW64\shutdown.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\WINDOWS\SysWOW64\shutdown.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\WINDOWS\SysWOW64\shutdown.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\WINDOWS\SysWOW64\shutdown.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\WINDOWS\SysWOW64\shutdown.exe | N/A |
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoTrayItemsDisplay = "1" | C:\Users\Admin\AppData\Local\Temp\d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Windows\SysWOW64\Lubang Hitam.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel = "1" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoViewContextMenu = "1" | C:\Windows\SysWOW64\Lubang Hitam.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoLowDiskSpaceChecks = "1" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\WinOldApp\Disabled = "1" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSaveSettings = "1" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetTaskbar = "1" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Windows\Black Hole.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoPwdPage = "1" | C:\Windows\Black Hole.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoPwdPage = "1" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSaveSettings = "1" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoWinkeys = "1" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDrives = "67108863" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoPwdPage = "1" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDrives = "67108863" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoClose = "1" | C:\Windows\Black Hole.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\WinOldApp | C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoAdminPage = "1" | C:\Windows\Black Hole.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Windows\SysWOW64\Lubang Hitam.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRecycleFiles = "1" | C:\Windows\SysWOW64\Lubang Hitam.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoLowDiskSpaceChecks = "1" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRecycleFiles = "1" | C:\Windows\Black Hole.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetFolders = "1" | C:\Windows\Black Hole.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetTaskbar = "1" | C:\Windows\Black Hole.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoTrayItemsDisplay = "1" | C:\Windows\SysWOW64\Lubang Hitam.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" | C:\Windows\Black Hole.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetTaskbar = "1" | C:\Windows\Black Hole.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoTrayItemsDisplay = "1" | C:\Windows\Black Hole.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRecentDocsMenu = "1" | C:\Windows\Black Hole.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\WinOldApp\Disabled = "1" | C:\Windows\Black Hole.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Windows\SysWOW64\Lubang Hitam.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRecycleFiles = "1" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" | C:\Users\Admin\AppData\Local\Temp\d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoViewContextMenu = "1" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetTaskbar = "1" | C:\Windows\Black Hole.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRecentDocsMenu = "1" | C:\Windows\Black Hole.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\WinOldApp\Disabled = "1" | C:\Windows\Black Hole.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Windows\Black Hole.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\WinOldApp\Disabled = "1" | C:\Windows\Black Hole.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPropertiesMyComputer = "1" | C:\Users\Admin\AppData\Local\Temp\d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Windows\Black Hole.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" | C:\Windows\Black Hole.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel = "1" | C:\Windows\Black Hole.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\WinOldApp\Disabled = "1" | C:\Windows\SysWOW64\Lubang Hitam.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoClose = "1" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoLowDiskSpaceChecks = "1" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" | C:\Windows\Black Hole.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRecentDocsMenu = "1" | C:\Windows\Black Hole.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoWinkeys = "1" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoClose = "1" | C:\Users\Admin\AppData\Local\Temp\d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetTaskbar = "1" | C:\Users\Admin\AppData\Local\Temp\d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun = "1" | C:\Windows\SysWOW64\Lubang Hitam.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel = "1" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun = "1" | C:\Windows\Black Hole.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPropertiesMyComputer = "1" | C:\Windows\Black Hole.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\WinOldApp\Disabled = "1" | C:\Windows\Black Hole.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Windows\Black Hole.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel = "1" | C:\Windows\SysWOW64\Lubang Hitam.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe
"C:\Users\Admin\AppData\Local\Temp\d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe"
C:\WINDOWS\SysWOW64\shutdown.exe
C:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q z:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q y:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q x:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q w:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q v:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q u:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q t:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q s:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q r:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q q:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q p:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q o:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q n:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q m:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q l:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q k:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q j:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q i:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q h:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q g:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q f:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q e:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q d:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q c:
C:\Windows\Black Hole.exe
"C:\Windows\Black Hole.exe"
C:\WINDOWS\SysWOW64\shutdown.exe
C:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!
C:\Windows\SysWOW64\Lubang Hitam.exe
"C:\Windows\system32\Lubang Hitam.exe"
C:\WINDOWS\SysWOW64\shutdown.exe
C:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q z:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q y:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q x:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q w:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q v:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q u:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q t:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q s:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q r:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q q:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q p:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q o:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q n:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q m:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q l:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q k:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q j:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q i:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q h:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q g:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q f:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q e:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q d:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q c:
C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
"C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
C:\WINDOWS\SysWOW64\shutdown.exe
C:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!
C:\Windows\Black Hole.exe
"C:\Windows\Black Hole.exe"
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q z:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q y:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q x:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q w:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q v:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q u:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q t:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q s:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q r:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q q:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q p:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q o:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q n:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q m:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q l:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q k:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q j:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q i:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q h:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q g:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q f:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q e:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q d:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q c:
C:\WINDOWS\SysWOW64\shutdown.exe
C:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!
C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
"C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
C:\Windows\SysWOW64\Lubang Hitam.exe
"C:\Windows\system32\Lubang Hitam.exe"
C:\WINDOWS\SysWOW64\shutdown.exe
C:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!
C:\WINDOWS\SysWOW64\shutdown.exe
C:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!
C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
"C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1427058273-21386388291477859681001870552-94295510714080746483583871731332766223"
C:\Windows\Black Hole.exe
"C:\Windows\Black Hole.exe"
C:\WINDOWS\SysWOW64\shutdown.exe
C:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!
C:\WINDOWS\SysWOW64\shutdown.exe
C:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1070991449-297980665793570782391566882-10365370062533244151931586448546184095"
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q z:
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "284284374-69451545558533792856860411019268427-194697414618123701151118202606"
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q y:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q x:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q w:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q v:
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1280229255-775874964-2136244368-1967473946-10037375421311620275491591347379022449"
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q u:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q t:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q s:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q r:
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "16507519599963853161104793543205094860575885867813011431601492500094-1967063851"
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q q:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q p:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q o:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q n:
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-968038117425612002-1591601601909605265765138313-1329929641-1665451633361250784"
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q m:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q l:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q k:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q j:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q i:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q h:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q g:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q f:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q e:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q d:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q c:
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
C:\Windows\Black Hole.exe
"C:\Windows\Black Hole.exe"
C:\WINDOWS\SysWOW64\shutdown.exe
C:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q z:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q y:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q x:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q w:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q v:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q u:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q t:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q s:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q r:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q q:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q p:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q o:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q n:
C:\WINDOWS\SysWOW64\shutdown.exe
C:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q m:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q l:
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-41129875-2010315590-1394347315-95234674497068218-1161866817-230404889-215342419"
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q k:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q j:
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "136443803513615950011066388178-210476110-627210963-409314324-5075457741447791317"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "8765084956008739483213140686587596491287077621-898051383-1965073281197148098"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1826951922-1280546151291823345487147757-15179456012033474099-5583284401509459249"
C:\Windows\SysWOW64\Lubang Hitam.exe
"C:\Windows\system32\Lubang Hitam.exe"
C:\WINDOWS\SysWOW64\shutdown.exe
C:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q i:
C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
"C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
C:\WINDOWS\SysWOW64\shutdown.exe
C:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q z:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q y:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q z:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q y:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q x:
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-8764423331102060022-634806191587414931-875420878611327947-705164842755457627"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2001311326-2082566444-779469288-305199164-1147339863-891240758742572895658898691"
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q w:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q x:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q v:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q w:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q v:
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-7153902626552423541430387931961792042882302272-1321117854673330779-1358448958"
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q u:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q u:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q t:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q s:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q r:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q t:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q q:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q s:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q p:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q r:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q o:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q n:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q q:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q m:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q p:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q l:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q o:
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-4942353118248274851123097971-1446983559-178467438321351195011996989241-1936113088"
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q n:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q k:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q m:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q l:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q k:
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-18836275111935561132-20543101031101125631-1837592783-19494916181021487826645021508"
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q j:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q j:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q i:
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-43793316-1237271988-2093999148-133083489-26145760-187821174462599510-297118918"
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q i:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q h:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q g:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q f:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q e:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q d:
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-4518957271371348321-296935525-1009373438-1398011528836577373151525549868823533"
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q c:
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1925824948-1021809997-335382721946069100734975011-398064583121323486569079579"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1334876691-1862879921647973308-2023291890-17013412152074254145-16771039331688405515"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "17570447071510673365-956146030-47957632-661705190-7646845432131012937-1483841876"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1021143046-1972877755-6785182731566781446-180840328610333529971110584839-1803017366"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "4575097410806302082973373971125663093-11445002622029905978-640084114263399884"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-13839896831466623179-1870562423-1537701841-378081436-18709388261767969688-1914693168"
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q h:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q g:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q f:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q e:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q d:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q c:
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "343264077-15694637281501913270-173841807194017185582131428-16050316971525741360"
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
C:\Windows\Black Hole.exe
"C:\Windows\Black Hole.exe"
C:\Windows\Black Hole.exe
"C:\Windows\Black Hole.exe"
C:\WINDOWS\SysWOW64\shutdown.exe
C:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!
C:\WINDOWS\SysWOW64\shutdown.exe
C:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!
C:\Windows\SysWOW64\Lubang Hitam.exe
"C:\Windows\system32\Lubang Hitam.exe"
C:\Windows\SysWOW64\Lubang Hitam.exe
"C:\Windows\system32\Lubang Hitam.exe"
C:\WINDOWS\SysWOW64\shutdown.exe
C:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!
C:\WINDOWS\SysWOW64\shutdown.exe
C:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!
C:\WINDOWS\SysWOW64\shutdown.exe
C:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!
Network
Files
memory/1640-0-0x0000000000400000-0x000000000046C000-memory.dmp
memory/1640-1-0x0000000000020000-0x0000000000022000-memory.dmp
C:\Windows\SysWOW64\Lubang Hitam.exe
| MD5 | 2fd685a44814d363e81a07de7bee5233 |
| SHA1 | a9170c0738cf9f0d746ff409907f13a93f0baf04 |
| SHA256 | d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c |
| SHA512 | 5bfddc19d55b0377410e1681de30336956f9f9f59b26f8237863079b7b0df0d05aec773ea5e3045dba3b5bed4109b536c75a171d356494285a8a5dd498c87bf5 |
F:\Read Me.txt
| MD5 | 5c462f1ea2917c0b502ae0761c0f60d8 |
| SHA1 | c1d15b093b2843528544d77dc0d9d4e3b8a85297 |
| SHA256 | 09c76898e4fa4174c53c2ad514274b5d2ca636ec6f223be5fda4c6135ec4ac10 |
| SHA512 | e6219ccbabe77a4999ade79c7074753495da9c61d6451c53be34219cc19746ca9a0dadef3b47cd8859cd59604064af5e9fc2a5044780bcfebaaa13dc08c36bbc |
F:\Autorun.inf
| MD5 | 4809daf962803cad2b891b94c195d3dd |
| SHA1 | 707bdd28edcf5e9e288959f62d4da8823777ec12 |
| SHA256 | 3468667630714eb86464ecfe903b59a843670ade55b49ac9d653421b91bcf139 |
| SHA512 | c9c233b22a853ce17731cb3466f7e8234da4e3de0dec6cc48ed15232303d4f29c49770e20a7064ad9329f8d9d27f8d4b547443d837320f58ac230973bb7dd11f |
memory/1640-64-0x0000000002830000-0x000000000289C000-memory.dmp
C:\Windows\Black Hole.exe
| MD5 | bba70a3b7152ca2afb91b2629d885b56 |
| SHA1 | 12f468531989377138ed0e7af68f6176286dabda |
| SHA256 | 00962b4905c240d20409aa5d621cfe00b9ad31164305e8cb294f5319c170e399 |
| SHA512 | 27fe892a858c146ec96929250fc121b7f23787637bb03de344a94cb94136fcb48e4664b8bc39667bf7984e47bd68d664c0694412f29a2f109f2471eb24dc37fc |
memory/1824-72-0x0000000000400000-0x000000000046C000-memory.dmp
memory/1640-70-0x0000000002830000-0x000000000289C000-memory.dmp
memory/1824-82-0x0000000000400000-0x000000000046C000-memory.dmp
\Windows\SysWOW64\Lubang Hitam.exe
| MD5 | 790b515819f3521aecd69eb32165b154 |
| SHA1 | 8f7b1353fd871a428abbab60c9ee976f0aba19e3 |
| SHA256 | 013b6afb97b19745b4e31bb5b73b22c4c7f647fcd50c664d446009b27289e303 |
| SHA512 | f6c1552596c4e9ea39e746312766f383a410bfbc670d9060f68abf93a4a96a5d00ddde5b09955627c2de1f2f07374c38ec902685815e21875ae654222a4b0a11 |
memory/2064-92-0x0000000000400000-0x000000000046C000-memory.dmp
memory/1640-90-0x0000000002830000-0x000000000289C000-memory.dmp
memory/1640-85-0x0000000002830000-0x000000000289C000-memory.dmp
\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE
| MD5 | dcf5b449fe01fbf091278d4bf2613c18 |
| SHA1 | f2ec640d467764e211cba73b533fd20c3e8e6f03 |
| SHA256 | e7c56ab586d2270948d36a499ac671bab781ee7c440772cd0e1406e65fbb6c0a |
| SHA512 | b9f9f15b9643d99f6c416e0e798fa6f091da7af7eddab02f5b3fd0867e5c9dae4a66d81f5406b21a7a5548dc32f7e64f512c5c1d2e9f33827eb0e0bc30891133 |
memory/1640-99-0x0000000002830000-0x000000000289C000-memory.dmp
memory/1800-107-0x0000000000400000-0x000000000046C000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.exe
| MD5 | e4af15d2521d797275e5524c90825d84 |
| SHA1 | ec8f100699d08b77039e5f0c2546f2359ccb3d14 |
| SHA256 | 65ac72860e1e1fc25ea06fea7296b76b15dc30c5c3d83e39b0cd44687c1090ec |
| SHA512 | 3412ce74b27330b90655bdf7d8b5a9b7165e662dc7f228bb0ec274336cb012b583024e72d861e8ea0b60472c2b90251c829f9e3316b1c5e17da55363b13ba061 |
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
| MD5 | 91b723c8018dca0b644beaa0ce97325c |
| SHA1 | 76da15bd668fc6f11efca7ce90ffdca5c1f6b7f6 |
| SHA256 | 2ea08b8062a7818f2d0a5f7784ee81808e9bef6d9199776329b8e6746666eae6 |
| SHA512 | 8252e6a588ad859c85e6d6dddb23875595a5b7a1ddfeb29f879f6031f3285ba9d0fb0d0144d81d27fce4a248d443a09845c2a768d40729ca1c394e21f0edc4f1 |
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
| MD5 | 0fa022d0d6583b693ef2310e290f1c84 |
| SHA1 | 31676a9e82b66d4e0e40d73f273ef3ffe0878383 |
| SHA256 | 1012ad5784f769f7a393e48c12a3f55c419c319a4273731cfdf60fbeefacbe46 |
| SHA512 | fa1baff54b8f105bc0f688855d559855a21afcc3165ac793409e9dc81b30c09b893f2d08e159d97874b373fe6455af8f61340e70f5cfd444c0ff38fb92028903 |
C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
| MD5 | 499370c82546d88953f523061b9b7746 |
| SHA1 | 8125184c901300f498552b4297f8dce93b71ab3e |
| SHA256 | 583225302b62be144ab90af5ba8cb3b3c08f50408eb63103216efd07b76126df |
| SHA512 | 0d5e2b833c4df34a7d4dfe83f4df4e30b898518debbdb1699497182227ed992ff0188fa039a0b892ba3f8d2fb70ad7c75dd1d03918b659f2b5f9a118b0968851 |
C:\WINDOWS\Hacked By Gerry.txt
| MD5 | e067dafcbe64a95f5045a281397732db |
| SHA1 | 1af7095f98c486ca247449980000d06b04ffc50c |
| SHA256 | b6085ee8c1f2de574973b9f3a7417257e25573c2b5228b5a8f87e3788e2733b6 |
| SHA512 | 1b575d62fee219538f8d624ab833cbce0aee431559a0adfa1e3ce9cd4f5ab8a2887b394843ebf164c884ccbed5687d644474328471b23c28edba8f99ccf08b58 |
C:\WINDOWS\Black Hole.txt
| MD5 | 6635e047c242e6d64b2716d81095bf5f |
| SHA1 | 5def5300f894e58bbb0caaa94680f7735ccd248d |
| SHA256 | 9757b4f406657c44fcbd40757d1ae06e833a8e1542ca976e6ae63578031b32bf |
| SHA512 | c9bae9bf090e7c67fac53d061bb43c2091e991c8f568889463d0c1af8f48652c79c51785c0906705098b418b2d7a4b200580fb44091ecf8bf24d8b1b45a258c0 |
C:\Windows\Black Hole.exe
| MD5 | f69ebac6ecc3b8d6a88930e2101fa50d |
| SHA1 | aae281e7cd28093ca4ad31e64f98740847b380af |
| SHA256 | f7d0194946c993f3c8479fdac85b8cabe7b0440d33d991c031996e929a24bc98 |
| SHA512 | 20a1a261aebbe769e0fac2ee7814fd501cd1c64b02e2c0a4573ca628b16049ee06e417cea6a2d18ba84b9ae69ee7ccc9bdd1613eb045625e5d3c0c6eeb7e7f01 |
memory/2064-165-0x0000000002D60000-0x0000000002DCC000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
| MD5 | 40ceec1d3f871df28c1003c7d60798f2 |
| SHA1 | 071319a10d466fe684525937241e9d56bcae8843 |
| SHA256 | d0fd80bf68da48fd3e6e2013b89822ad243e3043144a20587d55ec7b68735638 |
| SHA512 | 5728a16bb102c53d6c24ac1d8fa15c90671e982a2d68d1cf96978b581979582347e46625c7eef21a1009684617a7a718339bf6ab209d1b34a013e62d359393d7 |
C:\Windows\MSVBVM60.DLL
| MD5 | 5343a19c618bc515ceb1695586c6c137 |
| SHA1 | 4dedae8cbde066f31c8e6b52c0baa3f8b1117742 |
| SHA256 | 2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce |
| SHA512 | 708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606 |
memory/1640-168-0x0000000000020000-0x0000000000022000-memory.dmp
memory/1596-177-0x0000000000400000-0x000000000046C000-memory.dmp
memory/1640-175-0x0000000002830000-0x000000000289C000-memory.dmp
memory/1856-190-0x0000000000400000-0x000000000046C000-memory.dmp
memory/2280-167-0x0000000000400000-0x000000000046C000-memory.dmp
memory/2064-204-0x0000000000400000-0x000000000046C000-memory.dmp
memory/1904-271-0x0000000000400000-0x000000000046C000-memory.dmp
memory/1800-286-0x0000000000400000-0x000000000046C000-memory.dmp
memory/2280-294-0x0000000072940000-0x0000000072A93000-memory.dmp
memory/1888-298-0x0000000000400000-0x000000000046C000-memory.dmp
memory/1888-297-0x0000000072940000-0x0000000072A93000-memory.dmp
memory/2280-295-0x0000000000400000-0x000000000046C000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.exe
| MD5 | bafacc6d804b737619c410023439e4be |
| SHA1 | 3f0106174ab553865283b5062484708d163e868c |
| SHA256 | a4714b1eeeb730873367ba33df06c19d65d719d600b093a6944a19ea0ae52ba7 |
| SHA512 | ef239544dea0abed4374ca954354609533f0bba484f708d5d2e0d03cf4b633f8e141f24f1888a4deffb893c0c20f613060f1bd2b3d4c227538e4f9decbd8440e |
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
| MD5 | 039b4217bd97a3937c54237b0c6c8462 |
| SHA1 | 9dd2b94b9a5e3ac60abf473551b2b31ab66297b4 |
| SHA256 | ed13cdfd1ee92cd04522368151a2751fba4205939b76aa20781087a85e94c452 |
| SHA512 | 32bda88780e61d80e5382664aaaabc7c0a96d71110dfc2be4f2b30d9c3c6e24a46b6695bb408b6b7d5ce6df72831222def09a0f0a5e229981fb5b265c68a8542 |
memory/1640-314-0x0000000002830000-0x000000000289C000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
| MD5 | e48bf33bfeafc13bd00744fc98aef3b5 |
| SHA1 | d410e78785b7bfdf5ed0d5977c16c6063e34656b |
| SHA256 | 7fda0c5a873761d812f4b92c88b853b427468cf179f8b5fc84e0379285d29c1b |
| SHA512 | b6a1772668b87c8f0aca25455a8e4fbe64ad8eec45e8d5f88748186e55e8c0de79536708020f0fae0df09858191a59f8ee64cf89caf1619ad4e24345ff24a992 |
C:\Windows\Black Hole.exe
| MD5 | da19368219e86bf080701693b83daf14 |
| SHA1 | 2ba453f1b5b63eec6482a90a963393404edd799c |
| SHA256 | 3a3ed346c80f8c556eea1c21f5522ce41f0eece0b0c01d8dd6b5d02c2d36667b |
| SHA512 | 492714e9791c62ce61e3f313ebdc8eabf12ecfc07ec9a99e92e2bf4e30ab8f001c6fa496bfa30f794433c7aebb4de086cdac6f8b460b4222da6297b7a2b9ecbc |
memory/1604-369-0x0000000000400000-0x000000000046C000-memory.dmp
memory/1196-366-0x0000000000400000-0x000000000046C000-memory.dmp
memory/1640-365-0x0000000002830000-0x000000000289C000-memory.dmp
memory/1596-364-0x0000000001E40000-0x0000000001EAC000-memory.dmp
memory/1596-384-0x0000000000400000-0x000000000046C000-memory.dmp
memory/2276-387-0x0000000000400000-0x000000000046C000-memory.dmp
memory/1604-410-0x0000000000400000-0x000000000046C000-memory.dmp
memory/1640-421-0x0000000002830000-0x000000000289C000-memory.dmp
memory/1640-422-0x0000000002830000-0x000000000289C000-memory.dmp
memory/1196-428-0x0000000000400000-0x000000000046C000-memory.dmp
memory/2336-425-0x0000000000400000-0x000000000046C000-memory.dmp
memory/1196-427-0x0000000072940000-0x0000000072A93000-memory.dmp
memory/1640-442-0x0000000002830000-0x000000000289C000-memory.dmp
memory/336-450-0x0000000000400000-0x000000000046C000-memory.dmp
memory/2336-471-0x00000000006B0000-0x000000000071C000-memory.dmp
memory/2408-475-0x0000000000400000-0x000000000046C000-memory.dmp
memory/2276-499-0x00000000026E0000-0x000000000274C000-memory.dmp
memory/1832-503-0x0000000072940000-0x0000000072A93000-memory.dmp
memory/2276-508-0x00000000026E0000-0x000000000274C000-memory.dmp
memory/2276-507-0x00000000026E0000-0x000000000274C000-memory.dmp
memory/2336-506-0x00000000006B0000-0x000000000071C000-memory.dmp
memory/1832-504-0x0000000000400000-0x000000000046C000-memory.dmp
memory/2336-505-0x00000000006B0000-0x000000000071C000-memory.dmp
memory/2276-730-0x0000000000400000-0x000000000046C000-memory.dmp
memory/2336-783-0x0000000000400000-0x000000000046C000-memory.dmp
memory/1952-796-0x0000000000400000-0x000000000046C000-memory.dmp
memory/336-805-0x0000000000400000-0x000000000046C000-memory.dmp
memory/2816-810-0x0000000000400000-0x000000000046C000-memory.dmp
memory/2408-821-0x0000000000400000-0x000000000046C000-memory.dmp
memory/2408-820-0x0000000072940000-0x0000000072A93000-memory.dmp
memory/1640-1012-0x0000000000400000-0x000000000046C000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-01 03:52
Reported
2024-06-01 03:55
Platform
win10v2004-20240426-en
Max time kernel
149s
Max time network
102s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\Lubang Hitam.exe\"" | C:\Windows\Black Hole.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Lubang Hitam.exe" | C:\Windows\Black Hole.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Lubang Hitam.exe" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\Lubang Hitam.exe\"" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Lubang Hitam.exe" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Lubang Hitam.exe" | C:\Windows\Black Hole.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\Lubang Hitam.exe\"" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Lubang Hitam.exe" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Lubang Hitam.exe" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\Lubang Hitam.exe\"" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\Lubang Hitam.exe\"" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Lubang Hitam.exe" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\Lubang Hitam.exe\"" | C:\Users\Admin\AppData\Local\Temp\d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Lubang Hitam.exe" | C:\Users\Admin\AppData\Local\Temp\d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\Lubang Hitam.exe\"" | C:\Windows\SysWOW64\Lubang Hitam.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Lubang Hitam.exe" | C:\Windows\SysWOW64\Lubang Hitam.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\Lubang Hitam.exe\"" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\Lubang Hitam.exe\"" | C:\Windows\Black Hole.exe | N/A |
Modifies visibility of file extensions in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\Black Hole.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Users\Admin\AppData\Local\Temp\d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\Black Hole.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\Lubang Hitam.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE | N/A |
Modifies visibility of hidden/system files in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Windows\Black Hole.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\AppData\Local\Temp\d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Windows\SysWOW64\Lubang Hitam.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Windows\Black Hole.exe | N/A |
Windows security bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Windows\Black Hole.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Windows\Black Hole.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Windows\Black Hole.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Windows\Black Hole.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Windows\SysWOW64\Lubang Hitam.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Windows\SysWOW64\Lubang Hitam.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Windows\Black Hole.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Windows\SysWOW64\Lubang Hitam.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Windows\Black Hole.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE | N/A |
Disables RegEdit via registry modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Windows\SysWOW64\Lubang Hitam.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Windows\SysWOW64\Lubang Hitam.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Windows\Black Hole.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Windows\Black Hole.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Windows\Black Hole.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Windows\Black Hole.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE | N/A |
Disables Task Manager via registry modification
Disables use of System Restore points
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Black Hole.exe | N/A |
| N/A | N/A | C:\Windows\Black Hole.exe | N/A |
| N/A | N/A | C:\Windows\Black Hole.exe | N/A |
| N/A | N/A | C:\Windows\Black Hole.exe | N/A |
| N/A | N/A | C:\Windows\Black Hole.exe | N/A |
| N/A | N/A | C:\Windows\Black Hole.exe | N/A |
| N/A | N/A | C:\Windows\Black Hole.exe | N/A |
Modifies system executable filetype association
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | C:\Windows\Black Hole.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" | C:\Windows\Black Hole.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | C:\Windows\Black Hole.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" | C:\Windows\Black Hole.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | C:\Windows\Black Hole.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | C:\Windows\SysWOW64\Lubang Hitam.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" | C:\Windows\SysWOW64\Lubang Hitam.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | C:\Windows\Black Hole.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | C:\Windows\Black Hole.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | C:\Windows\Black Hole.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | C:\Windows\Black Hole.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | C:\Windows\Black Hole.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" | C:\Windows\Black Hole.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | C:\Windows\Black Hole.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" | C:\Windows\Black Hole.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" | C:\Windows\Black Hole.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" | C:\Windows\Black Hole.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | C:\Windows\SysWOW64\Lubang Hitam.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell | C:\Users\Admin\AppData\Local\Temp\d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | C:\Windows\SysWOW64\Lubang Hitam.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | C:\Windows\Black Hole.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | C:\Windows\Black Hole.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open | C:\Users\Admin\AppData\Local\Temp\d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Windows\Black Hole.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\ | C:\Windows\SysWOW64\Lubang Hitam.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\ | C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Windows\Black Hole.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Windows\SysWOW64\Lubang Hitam.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\ | C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\ | C:\Windows\Black Hole.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Windows\SysWOW64\Lubang Hitam.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\ | C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Windows\Black Hole.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Windows\SysWOW64\Lubang Hitam.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\ | C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Windows\Black Hole.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\ | C:\Users\Admin\AppData\Local\Temp\d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\ | C:\Windows\Black Hole.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Windows\Black Hole.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Windows\Black Hole.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\ | C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Black Hole = "C:\\Windows\\Black Hole.exe" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE" | C:\Windows\SysWOW64\Lubang Hitam.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Black Hole = "C:\\Windows\\Black Hole.exe" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Black Hole = "C:\\Windows\\Black Hole.exe" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Black Hole = "C:\\Windows\\Black Hole.exe" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Black Hole = "C:\\Windows\\Black Hole.exe" | C:\Users\Admin\AppData\Local\Temp\d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" | C:\Windows\Black Hole.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" | C:\Windows\Black Hole.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Black Hole = "C:\\Windows\\Black Hole.exe" | C:\Windows\Black Hole.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" | C:\Users\Admin\AppData\Local\Temp\d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE" | C:\Users\Admin\AppData\Local\Temp\d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" | C:\Users\Admin\AppData\Local\Temp\d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE" | C:\Users\Admin\AppData\Local\Temp\d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" | C:\Windows\SysWOW64\Lubang Hitam.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Black Hole = "C:\\Windows\\Black Hole.exe" | C:\Windows\SysWOW64\Lubang Hitam.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE" | C:\Windows\Black Hole.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE" | C:\Windows\Black Hole.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" | C:\Windows\Black Hole.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE" | C:\Windows\Black Hole.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" | C:\Windows\SysWOW64\Lubang Hitam.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" | C:\Windows\Black Hole.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE" | C:\Windows\Black Hole.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Black Hole = "C:\\Windows\\Black Hole.exe" | C:\Windows\Black Hole.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE" | C:\Windows\SysWOW64\Lubang Hitam.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Black Hole = "C:\\Windows\\Black Hole.exe" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE | N/A |
Enumerates connected drives
Drops autorun.inf file
| Description | Indicator | Process | Target |
| File opened for modification | C:\Autorun.inf | C:\Users\Admin\AppData\Local\Temp\d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe | N/A |
| File created | F:\Autorun.inf | C:\Users\Admin\AppData\Local\Temp\d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe | N/A |
| File opened for modification | F:\Autorun.inf | C:\Users\Admin\AppData\Local\Temp\d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe | N/A |
| File created | F:\Autorun.inf | C:\Windows\SysWOW64\Lubang Hitam.exe | N/A |
| File opened for modification | F:\Autorun.inf | C:\Windows\SysWOW64\Lubang Hitam.exe | N/A |
| File created | F:\Autorun.inf | C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE | N/A |
| File opened for modification | F:\Autorun.inf | C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE | N/A |
| File created | C:\Autorun.inf | C:\Users\Admin\AppData\Local\Temp\d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\Shell.exe | C:\Users\Admin\AppData\Local\Temp\d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe | N/A |
| File created | C:\Windows\SysWOW64\msvbvm60.dll | C:\Windows\SysWOW64\Lubang Hitam.exe | N/A |
| File created | C:\Windows\SysWOW64\msvbvm60.dll | C:\Windows\SysWOW64\Lubang Hitam.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Lubang Hitam.exe | C:\Users\Admin\AppData\Local\Temp\d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Destruction.scr | C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE | N/A |
| File opened for modification | C:\Windows\SysWOW64\Shell.exe | C:\Windows\Black Hole.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Destruction.scr | C:\Users\Admin\AppData\Local\Temp\d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe | N/A |
| File created | C:\Windows\SysWOW64\Lubang Hitam.exe | C:\Windows\SysWOW64\Lubang Hitam.exe | N/A |
| File created | C:\Windows\SysWOW64\msvbvm60.dll | C:\Windows\SysWOW64\Lubang Hitam.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Lubang Hitam.exe | C:\Windows\Black Hole.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | C:\Windows\SysWOW64\Lubang Hitam.exe | N/A |
| File created | C:\Windows\SysWOW64\Lubang Hitam.exe | C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE | N/A |
| File opened for modification | C:\Windows\SysWOW64\Lubang Hitam.exe | C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE | N/A |
| File opened for modification | C:\Windows\SysWOW64\Lubang Hitam.exe | C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE | N/A |
| File opened for modification | C:\Windows\SysWOW64\Destruction.scr | C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE | N/A |
| File created | C:\Windows\SysWOW64\Lubang Hitam.exe | C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE | N/A |
| File opened for modification | C:\Windows\SysWOW64\Lubang Hitam.exe | C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE | N/A |
| File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | C:\Windows\SysWOW64\Lubang Hitam.exe | N/A |
| File created | C:\Windows\SysWOW64\Lubang Hitam.exe | C:\Users\Admin\AppData\Local\Temp\d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe | N/A |
| File created | C:\Windows\SysWOW64\Lubang Hitam.exe | C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE | N/A |
| File opened for modification | C:\Windows\SysWOW64\Shell.exe | C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE | N/A |
| File opened for modification | C:\Windows\SysWOW64\Destruction.scr | C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE | N/A |
| File created | C:\Windows\SysWOW64\msvbvm60.dll | C:\Windows\SysWOW64\Lubang Hitam.exe | N/A |
| File created | C:\Windows\SysWOW64\msvbvm60.dll | C:\Windows\SysWOW64\Lubang Hitam.exe | N/A |
| File created | C:\Windows\SysWOW64\Lubang Hitam.exe | C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE | N/A |
| File opened for modification | C:\Windows\SysWOW64\Lubang Hitam.exe | C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE | N/A |
| File created | C:\Windows\SysWOW64\msvbvm60.dll | C:\Windows\SysWOW64\Lubang Hitam.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | C:\Windows\SysWOW64\Lubang Hitam.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Shell.exe | C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE | N/A |
| File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | C:\Windows\SysWOW64\Lubang Hitam.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | C:\Windows\SysWOW64\Lubang Hitam.exe | N/A |
| File created | C:\Windows\SysWOW64\Lubang Hitam.exe | C:\Windows\Black Hole.exe | N/A |
| File created | C:\Windows\SysWOW64\Lubang Hitam.exe | C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE | N/A |
| File opened for modification | C:\Windows\SysWOW64\Shell.exe | C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE | N/A |
| File opened for modification | C:\Windows\SysWOW64\Destruction.scr | C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE | N/A |
| File opened for modification | C:\Windows\SysWOW64\Destruction.scr | C:\Windows\SysWOW64\Lubang Hitam.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | C:\Windows\SysWOW64\Lubang Hitam.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Destruction.scr | C:\Windows\Black Hole.exe | N/A |
| File created | C:\Windows\SysWOW64\msvbvm60.dll | C:\Windows\SysWOW64\Lubang Hitam.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | C:\Windows\SysWOW64\Lubang Hitam.exe | N/A |
| File created | C:\Windows\SysWOW64\msvbvm60.dll | C:\Windows\SysWOW64\Lubang Hitam.exe | N/A |
| File created | C:\Windows\SysWOW64\Destruction.scr | C:\Users\Admin\AppData\Local\Temp\d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Shell.exe | C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE | N/A |
| File opened for modification | C:\Windows\SysWOW64\Lubang Hitam.exe | C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE | N/A |
| File opened for modification | C:\Windows\SysWOW64\Shell.exe | C:\Users\Admin\AppData\Local\Temp\d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Shell.exe | C:\Windows\SysWOW64\Lubang Hitam.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Shell.exe | C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE | N/A |
| File opened for modification | C:\Windows\SysWOW64\Lubang Hitam.exe | C:\Windows\SysWOW64\Lubang Hitam.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Destruction.scr | C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE | N/A |
| File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | C:\Windows\SysWOW64\Lubang Hitam.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\msvbvm60.dll | C:\Windows\SysWOW64\Lubang Hitam.exe | N/A |
| File opened for modification | C:\Windows\Black Hole.exe | C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE | N/A |
| File opened for modification | C:\WINDOWS\Black Hole.txt | C:\Windows\SysWOW64\Lubang Hitam.exe | N/A |
| File opened for modification | C:\WINDOWS\Hacked By Gerry.txt | C:\Windows\SysWOW64\Lubang Hitam.exe | N/A |
| File opened for modification | C:\WINDOWS\Black Hole.txt | C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE | N/A |
| File created | C:\Windows\msvbvm60.dll | C:\Windows\SysWOW64\Lubang Hitam.exe | N/A |
| File created | C:\Windows\Black Hole.exe | C:\Windows\Black Hole.exe | N/A |
| File created | C:\Windows\msvbvm60.dll | C:\Windows\SysWOW64\Lubang Hitam.exe | N/A |
| File opened for modification | C:\Windows\Black Hole.exe | C:\Users\Admin\AppData\Local\Temp\d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe | N/A |
| File opened for modification | C:\WINDOWS\Black Hole.txt | C:\Users\Admin\AppData\Local\Temp\d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe | N/A |
| File opened for modification | C:\Windows\Black Hole.exe | C:\Windows\SysWOW64\Lubang Hitam.exe | N/A |
| File opened for modification | C:\WINDOWS\Black Hole.txt | C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE | N/A |
| File opened for modification | C:\WINDOWS\Black Hole.txt | C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE | N/A |
| File opened for modification | C:\Windows\msvbvm60.dll | C:\Windows\SysWOW64\Lubang Hitam.exe | N/A |
| File opened for modification | C:\WINDOWS\Black Hole.txt | C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE | N/A |
| File created | C:\WINDOWS\Black Hole.txt | C:\Users\Admin\AppData\Local\Temp\d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe | N/A |
| File created | C:\Windows\msvbvm60.dll | C:\Windows\SysWOW64\Lubang Hitam.exe | N/A |
| File created | C:\Windows\msvbvm60.dll | C:\Windows\SysWOW64\Lubang Hitam.exe | N/A |
| File opened for modification | C:\Windows\msvbvm60.dll | C:\Windows\SysWOW64\Lubang Hitam.exe | N/A |
| File opened for modification | C:\Windows\msvbvm60.dll | C:\Windows\SysWOW64\Lubang Hitam.exe | N/A |
| File opened for modification | C:\WINDOWS\Hacked By Gerry.txt | C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE | N/A |
| File opened for modification | C:\Windows\msvbvm60.dll | C:\Windows\SysWOW64\Lubang Hitam.exe | N/A |
| File created | C:\Windows\Black Hole.exe | C:\Users\Admin\AppData\Local\Temp\d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe | N/A |
| File opened for modification | C:\Windows\Black Hole.exe | C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE | N/A |
| File created | C:\Windows\Black Hole.exe | C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE | N/A |
| File opened for modification | C:\Windows\msvbvm60.dll | C:\Windows\SysWOW64\Lubang Hitam.exe | N/A |
| File opened for modification | C:\WINDOWS\Black Hole.txt | C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE | N/A |
| File opened for modification | C:\Windows\msvbvm60.dll | C:\Windows\SysWOW64\Lubang Hitam.exe | N/A |
| File created | C:\WINDOWS\Hacked By Gerry.txt | C:\Users\Admin\AppData\Local\Temp\d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe | N/A |
| File opened for modification | C:\Windows\Black Hole.exe | C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE | N/A |
| File opened for modification | C:\Windows\Black Hole.exe | C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE | N/A |
| File opened for modification | C:\Windows\Black Hole.exe | C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE | N/A |
| File created | C:\Windows\msvbvm60.dll | C:\Windows\SysWOW64\Lubang Hitam.exe | N/A |
| File opened for modification | C:\Windows\Black Hole.exe | C:\Windows\Black Hole.exe | N/A |
| File opened for modification | C:\WINDOWS\Black Hole.txt | C:\Windows\Black Hole.exe | N/A |
| File opened for modification | C:\WINDOWS\Hacked By Gerry.txt | C:\Windows\Black Hole.exe | N/A |
| File opened for modification | C:\WINDOWS\Hacked By Gerry.txt | C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE | N/A |
| File opened for modification | C:\WINDOWS\Hacked By Gerry.txt | C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE | N/A |
| File opened for modification | C:\WINDOWS\Hacked By Gerry.txt | C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE | N/A |
| File opened for modification | C:\WINDOWS\Hacked By Gerry.txt | C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE | N/A |
| File created | C:\Windows\msvbvm60.dll | C:\Windows\SysWOW64\Lubang Hitam.exe | N/A |
| File opened for modification | C:\WINDOWS\Hacked By Gerry.txt | C:\Users\Admin\AppData\Local\Temp\d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe | N/A |
| File created | C:\Windows\msvbvm60.dll | C:\Windows\SysWOW64\Lubang Hitam.exe | N/A |
| File created | C:\Windows\msvbvm60.dll | C:\Windows\SysWOW64\Lubang Hitam.exe | N/A |
| File opened for modification | C:\Windows\msvbvm60.dll | C:\Windows\SysWOW64\Lubang Hitam.exe | N/A |
Modifies Control Panel
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\Mouse\ | C:\Windows\Black Hole.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\DESTRU~1.SCR" | C:\Users\Admin\AppData\Local\Temp\d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" | C:\Users\Admin\AppData\Local\Temp\d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\Mouse\ | C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\Desktop\ | C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\Desktop\ | C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\Mouse\ | C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\DESTRU~1.SCR" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\Mouse\ | C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" | C:\Users\Admin\AppData\Local\Temp\d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\Mouse\ | C:\Windows\Black Hole.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\Desktop\ | C:\Windows\SysWOW64\Lubang Hitam.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\DESTRU~1.SCR" | C:\Windows\SysWOW64\Lubang Hitam.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\Mouse\SwapMouseButtons = "1" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\DESTRU~1.SCR" | C:\Windows\Black Hole.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\Mouse\ | C:\Windows\SysWOW64\Lubang Hitam.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\Desktop\ | C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\Desktop\ | C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\Mouse\SwapMouseButtons = "1" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\Desktop\ | C:\Windows\Black Hole.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\Mouse\SwapMouseButtons = "1" | C:\Windows\Black Hole.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\Desktop\ | C:\Windows\Black Hole.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" | C:\Windows\Black Hole.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\Mouse\SwapMouseButtons = "1" | C:\Windows\Black Hole.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\DESTRU~1.SCR" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\Mouse\SwapMouseButtons = "1" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\Mouse\SwapMouseButtons = "1" | C:\Windows\SysWOW64\Lubang Hitam.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\Mouse\ | C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\DESTRU~1.SCR" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\Mouse\ | C:\Users\Admin\AppData\Local\Temp\d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\DESTRU~1.SCR" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\Desktop\ | C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\Mouse\SwapMouseButtons = "1" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" | C:\Windows\Black Hole.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\DESTRU~1.SCR" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\Mouse\SwapMouseButtons = "1" | C:\Users\Admin\AppData\Local\Temp\d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" | C:\Windows\SysWOW64\Lubang Hitam.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\DESTRU~1.SCR" | C:\Windows\Black Hole.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" | C:\Windows\Black Hole.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\Desktop\ | C:\Users\Admin\AppData\Local\Temp\d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\Mouse\SwapMouseButtons = "1" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\Mouse\ | C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" | C:\Windows\Black Hole.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" | C:\Windows\SysWOW64\Lubang Hitam.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | C:\Windows\Black Hole.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile | C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command | C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | C:\Windows\Black Hole.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" | C:\Windows\SysWOW64\Lubang Hitam.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | C:\Windows\Black Hole.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile | C:\Windows\Black Hole.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | C:\Windows\Black Hole.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" | C:\Windows\Black Hole.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" | C:\Windows\Black Hole.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell | C:\Users\Admin\AppData\Local\Temp\d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | C:\Windows\Black Hole.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | C:\Windows\SysWOW64\Lubang Hitam.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile | C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | C:\Windows\Black Hole.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command | C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command | C:\Windows\Black Hole.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | C:\Windows\Black Hole.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | C:\Users\Admin\AppData\Local\Temp\d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | C:\Windows\Black Hole.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile | C:\Users\Admin\AppData\Local\Temp\d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | C:\Windows\Black Hole.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Black Hole.exe | N/A |
| N/A | N/A | C:\Windows\Black Hole.exe | N/A |
| N/A | N/A | C:\Windows\Black Hole.exe | N/A |
| N/A | N/A | C:\Windows\Black Hole.exe | N/A |
| N/A | N/A | C:\Windows\Black Hole.exe | N/A |
| N/A | N/A | C:\Windows\Black Hole.exe | N/A |
| N/A | N/A | C:\Windows\Black Hole.exe | N/A |
| N/A | N/A | C:\Windows\Black Hole.exe | N/A |
| N/A | N/A | C:\Windows\Black Hole.exe | N/A |
| N/A | N/A | C:\Windows\Black Hole.exe | N/A |
| N/A | N/A | C:\Windows\Black Hole.exe | N/A |
| N/A | N/A | C:\Windows\Black Hole.exe | N/A |
| N/A | N/A | C:\Windows\Black Hole.exe | N/A |
| N/A | N/A | C:\Windows\Black Hole.exe | N/A |
| N/A | N/A | C:\Windows\Black Hole.exe | N/A |
| N/A | N/A | C:\Windows\Black Hole.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\WINDOWS\SysWOW64\shutdown.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\WINDOWS\SysWOW64\shutdown.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\WINDOWS\SysWOW64\shutdown.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\WINDOWS\SysWOW64\shutdown.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\WINDOWS\SysWOW64\shutdown.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\WINDOWS\SysWOW64\shutdown.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\WINDOWS\SysWOW64\shutdown.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\WINDOWS\SysWOW64\shutdown.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\WINDOWS\SysWOW64\shutdown.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\WINDOWS\SysWOW64\shutdown.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\WINDOWS\SysWOW64\shutdown.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\WINDOWS\SysWOW64\shutdown.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\WINDOWS\SysWOW64\shutdown.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\WINDOWS\SysWOW64\shutdown.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\WINDOWS\SysWOW64\shutdown.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\WINDOWS\SysWOW64\shutdown.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\WINDOWS\SysWOW64\shutdown.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\WINDOWS\SysWOW64\shutdown.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\WINDOWS\SysWOW64\shutdown.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\WINDOWS\SysWOW64\shutdown.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\WINDOWS\SysWOW64\shutdown.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\WINDOWS\SysWOW64\shutdown.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\WINDOWS\SysWOW64\shutdown.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\WINDOWS\SysWOW64\shutdown.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\WINDOWS\SysWOW64\shutdown.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\WINDOWS\SysWOW64\shutdown.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\WINDOWS\SysWOW64\shutdown.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\WINDOWS\SysWOW64\shutdown.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\WINDOWS\SysWOW64\shutdown.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\WINDOWS\SysWOW64\shutdown.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\WINDOWS\SysWOW64\shutdown.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\WINDOWS\SysWOW64\shutdown.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\WINDOWS\SysWOW64\shutdown.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\WINDOWS\SysWOW64\shutdown.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\WINDOWS\SysWOW64\shutdown.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\WINDOWS\SysWOW64\shutdown.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\WINDOWS\SysWOW64\shutdown.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\WINDOWS\SysWOW64\shutdown.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\WINDOWS\SysWOW64\shutdown.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\WINDOWS\SysWOW64\shutdown.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\WINDOWS\SysWOW64\shutdown.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\WINDOWS\SysWOW64\shutdown.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\WINDOWS\SysWOW64\shutdown.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\WINDOWS\SysWOW64\shutdown.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\WINDOWS\SysWOW64\shutdown.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\WINDOWS\SysWOW64\shutdown.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\WINDOWS\SysWOW64\shutdown.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\WINDOWS\SysWOW64\shutdown.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\WINDOWS\SysWOW64\shutdown.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\WINDOWS\SysWOW64\shutdown.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\WINDOWS\SysWOW64\shutdown.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\WINDOWS\SysWOW64\shutdown.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\WINDOWS\SysWOW64\shutdown.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\WINDOWS\SysWOW64\shutdown.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\WINDOWS\SysWOW64\shutdown.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\WINDOWS\SysWOW64\shutdown.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\WINDOWS\SysWOW64\shutdown.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\WINDOWS\SysWOW64\shutdown.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\WINDOWS\SysWOW64\shutdown.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\WINDOWS\SysWOW64\shutdown.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\WINDOWS\SysWOW64\shutdown.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\WINDOWS\SysWOW64\shutdown.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\WINDOWS\SysWOW64\shutdown.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\WINDOWS\SysWOW64\shutdown.exe | N/A |
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoTrayItemsDisplay = "1" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPropertiesMyComputer = "1" | C:\Windows\Black Hole.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoClose = "1" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetFolders = "1" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Windows\Black Hole.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoViewContextMenu = "1" | C:\Windows\SysWOW64\Lubang Hitam.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoPwdPage = "1" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind = "1" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel = "1" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoAdminPage = "1" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRecycleFiles = "1" | C:\Windows\Black Hole.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Windows\Black Hole.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPropertiesMyComputer = "1" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPropertiesMyComputer = "1" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun = "1" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoAdminPage = "1" | C:\Windows\Black Hole.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Windows\SysWOW64\Lubang Hitam.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDesktop = "1" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetFolders = "1" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRecentDocsMenu = "1" | C:\Windows\Black Hole.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRecentDocsMenu = "1" | C:\Windows\SysWOW64\Lubang Hitam.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoViewContextMenu = "1" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\WinOldApp | C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDrives = "67108863" | C:\Windows\SysWOW64\Lubang Hitam.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind = "1" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSaveSettings = "1" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoTrayContextMenu = "1" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel = "1" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind = "1" | C:\Users\Admin\AppData\Local\Temp\d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\WinOldApp | C:\Users\Admin\AppData\Local\Temp\d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSaveSettings = "1" | C:\Windows\Black Hole.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRecycleFiles = "1" | C:\Windows\Black Hole.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoViewContextMenu = "1" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\WinOldApp | C:\Windows\Black Hole.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoWinkeys = "1" | C:\Users\Admin\AppData\Local\Temp\d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoLowDiskSpaceChecks = "1" | C:\Windows\SysWOW64\Lubang Hitam.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind = "1" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoLowDiskSpaceChecks = "1" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoPwdPage = "1" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" | C:\Windows\Black Hole.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoPwdPage = "1" | C:\Users\Admin\AppData\Local\Temp\d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetFolders = "1" | C:\Users\Admin\AppData\Local\Temp\d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRecycleFiles = "1" | C:\Windows\SysWOW64\Lubang Hitam.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSaveSettings = "1" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoViewContextMenu = "1" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind = "1" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRecentDocsMenu = "1" | C:\Windows\Black Hole.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Windows\SysWOW64\Lubang Hitam.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoAdminPage = "1" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoAdminPage = "1" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\WinOldApp | C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoViewContextMenu = "1" | C:\Windows\Black Hole.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" | C:\Windows\Black Hole.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetTaskbar = "1" | C:\Windows\SysWOW64\Lubang Hitam.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\WinOldApp | C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoTrayContextMenu = "1" | C:\Users\Admin\AppData\Local\Temp\d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoAdminPage = "1" | C:\Windows\SysWOW64\Lubang Hitam.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRecentDocsMenu = "1" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE | N/A |
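The policy rows above can be triaged mechanically rather than read one by one. The following Python is an added example and is not part of the sandbox report or of the sample: it parses rows in the table format used on this page, flags values whose only purpose is to lock the user out of Task Manager, Folder Options and similar recovery tools, checks for a non-default Winlogon Shell value, and emits the reg.exe commands that reverse what was observed. The KNOWN_LOCKOUT_POLICIES set, the hive mapping and the detection rules are the example's own assumptions; SAMPLE_ROWS copies rows from this report plus one constructed Winlogon row with a placeholder path.

```python
"""Triage helpers for 'Set value' rows of a sandbox registry table.

Added example, not part of the sandbox report or of the sample analysed.
KNOWN_LOCKOUT_POLICIES, HIVES and the regex are this example's assumptions;
SAMPLE_ROWS copies rows from the report plus one constructed Winlogon row.
"""
import re

# Policy values that exist only to keep the user away from recovery tools.
# Assumption: compiled for this example, not taken from the report.
KNOWN_LOCKOUT_POLICIES = {
    r"Policies\System\DisableTaskMgr",
    r"Policies\System\DisableRegistryTools",
    r"Policies\System\NoAdminPage",
    r"Policies\Explorer\NoFolderOptions",
    r"Policies\Explorer\NoFind",
    r"Policies\Explorer\NoSetFolders",
    r"Policies\Explorer\NoSaveSettings",
    r"Policies\Explorer\NoViewContextMenu",
    r"Policies\Explorer\NoTrayContextMenu",
    r"Policies\Explorer\NoSetTaskbar",
    r"Policies\Explorer\NoRecycleFiles",
    r"Policies\Explorer\NoRecentDocsMenu",
}

# NT-native hive prefixes as logged by the sandbox -> reg.exe short names.
HIVES = {"\\REGISTRY\\MACHINE\\": "HKLM\\", "\\REGISTRY\\USER\\": "HKU\\"}

# One table row: | Set value (int|str) | <path> = "<value>" | <process> | <target> |
ROW_RE = re.compile(
    r'^\|\s*Set value \((?P<kind>int|str)\)\s*\|\s*'
    r'(?P<path>\\REGISTRY\\.+?)\s*=\s*"(?P<value>.*)"\s*\|\s*'
    r'(?P<proc>[^|]+?)\s*\|'
)

SAMPLE_ROWS = "\n".join([
    r'| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE | N/A |',
    r'| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" | C:\Windows\Black Hole.exe | N/A |',
    r'| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" | C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE | N/A |',
    r'| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\WinOldApp | C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE | N/A |',
    # Constructed row (placeholder path, not from the report) exercising the str/Shell case.
    r'| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\example\\dropped.exe\"" | C:\example\dropped.exe | N/A |',
])


def to_reg_path(nt_path):
    """Rewrite \\REGISTRY\\MACHINE\\... into the HKLM\\... form reg.exe accepts."""
    for nt, short in HIVES.items():
        if nt_path.upper().startswith(nt):
            return short + nt_path[len(nt):]
    return nt_path


def parse_rows(table_text):
    """Return one dict per 'Set value' row; 'Key created' rows are skipped."""
    rows = []
    for line in table_text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        key, _, name = to_reg_path(m["path"]).rpartition("\\")
        rows.append({"kind": m["kind"], "key": key, "name": name,
                     "value": m["value"], "process": m["proc"]})
    return rows


def lockout_hits(rows):
    """Rows that set a known lockout policy to 1, with the writing process."""
    hits = []
    for r in rows:
        idx = r["key"].find("\\Policies\\")
        if idx < 0:
            continue
        rel = r["key"][idx + 1:] + "\\" + r["name"]  # e.g. Policies\System\DisableTaskMgr
        if rel in KNOWN_LOCKOUT_POLICIES and r["value"].strip() == "1":
            hits.append(dict(r, policy=rel))
    return hits


def shell_hijacks(rows):
    """Winlogon\\Shell values that start anything other than explorer.exe alone."""
    return [r for r in rows
            if r["name"].lower() == "shell"
            and r["key"].lower().endswith("\\winlogon")
            and r["value"].strip().lower() != "explorer.exe"]


def remediation_commands(rows):
    """Deduplicated reg.exe commands that undo the observed changes."""
    cmds = {f'reg delete "{h["key"]}" /v {h["name"]} /f' for h in lockout_hits(rows)}
    cmds |= {f'reg add "{h["key"]}" /v Shell /t REG_SZ /d explorer.exe /f'
             for h in shell_hijacks(rows)}
    return sorted(cmds)


if __name__ == "__main__":
    parsed = parse_rows(SAMPLE_ROWS)
    for h in lockout_hits(parsed):
        print(f'{h["policy"]} set by {h["process"]}')
    print("\n".join(remediation_commands(parsed)))
```

The policy rows are only meaningful once the deletions are tied back to the writing process; the same policy written by several dropped copies (DisableTaskMgr above) collapses to a single reg delete, which is what an eradication script needs. Deleting the values is only useful after the dropped executables have been stopped and removed, since each of them re-applies the policies on start.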
Processes
C:\Users\Admin\AppData\Local\Temp\d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe
"C:\Users\Admin\AppData\Local\Temp\d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe"
C:\WINDOWS\SysWOW64\shutdown.exe
C:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q z:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q y:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q x:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q w:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q v:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q u:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q t:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q s:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q r:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q q:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q p:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q o:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q n:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q m:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q l:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q k:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q j:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q i:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q h:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q g:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q f:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q e:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q d:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q c:
C:\Windows\Black Hole.exe
"C:\Windows\Black Hole.exe"
C:\WINDOWS\SysWOW64\shutdown.exe
C:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!
C:\Windows\SysWOW64\Lubang Hitam.exe
"C:\Windows\system32\Lubang Hitam.exe"
C:\WINDOWS\SysWOW64\shutdown.exe
C:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q z:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q y:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q x:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q w:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q v:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q u:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q t:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q s:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q r:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q q:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q p:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q o:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q n:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q m:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q l:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q k:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q j:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q i:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q h:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q g:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q f:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q e:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q d:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q c:
C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
"C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
C:\WINDOWS\SysWOW64\shutdown.exe
C:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q z:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q y:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q x:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q w:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q v:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q u:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q t:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q s:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q r:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q q:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q p:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q o:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q n:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q m:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q l:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q k:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q j:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q i:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q h:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q g:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q f:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q e:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q d:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q c:
C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
"C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
C:\WINDOWS\SysWOW64\shutdown.exe
C:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q z:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q y:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q x:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q w:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q v:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q u:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q t:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q s:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q r:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q q:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q p:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q o:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q n:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q m:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q l:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q k:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q j:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q i:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q h:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q g:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q f:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q e:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q d:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q c:
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
C:\WINDOWS\SysWOW64\shutdown.exe
C:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q z:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q y:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q x:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q w:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q v:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q u:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q t:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q s:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q r:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q q:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q p:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q o:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q n:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q m:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q l:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q k:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q j:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q i:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q h:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q g:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q f:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q e:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q d:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q c:
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
"C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
C:\WINDOWS\SysWOW64\shutdown.exe
C:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q z:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q y:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q x:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q w:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q v:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q u:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q t:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q s:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q r:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q q:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q p:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q o:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q n:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q m:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q l:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q k:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q j:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q i:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q h:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q g:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q f:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q e:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q d:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q c:
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
C:\WINDOWS\SysWOW64\shutdown.exe
C:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q z:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q y:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q x:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q w:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q v:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q u:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q t:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q s:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q r:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q q:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q p:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q o:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q n:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q m:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q l:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q k:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q j:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q i:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q h:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q g:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q f:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q e:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q d:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q c:
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\Black Hole.exe
"C:\Windows\Black Hole.exe"
C:\WINDOWS\SysWOW64\shutdown.exe
C:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!
C:\Windows\Black Hole.exe
"C:\Windows\Black Hole.exe"
C:\WINDOWS\SysWOW64\shutdown.exe
C:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!
C:\Windows\SysWOW64\Lubang Hitam.exe
"C:\Windows\system32\Lubang Hitam.exe"
C:\WINDOWS\SysWOW64\shutdown.exe
C:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!
C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
"C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
C:\Windows\SysWOW64\Lubang Hitam.exe
"C:\Windows\system32\Lubang Hitam.exe"
C:\WINDOWS\SysWOW64\shutdown.exe
C:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!
C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
"C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
C:\WINDOWS\SysWOW64\shutdown.exe
C:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!
C:\Windows\Black Hole.exe
"C:\Windows\Black Hole.exe"
C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
"C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
C:\WINDOWS\SysWOW64\shutdown.exe
C:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!
C:\WINDOWS\SysWOW64\shutdown.exe
C:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!
C:\Windows\SysWOW64\Lubang Hitam.exe
"C:\Windows\system32\Lubang Hitam.exe"
C:\WINDOWS\SysWOW64\shutdown.exe
C:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!
C:\WINDOWS\SysWOW64\shutdown.exe
C:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
"C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
C:\Windows\Black Hole.exe
"C:\Windows\Black Hole.exe"
C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
"C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
C:\WINDOWS\SysWOW64\shutdown.exe
C:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!
C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
"C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
C:\WINDOWS\SysWOW64\shutdown.exe
C:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!
C:\WINDOWS\SysWOW64\shutdown.exe
C:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!
C:\WINDOWS\SysWOW64\shutdown.exe
C:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!
C:\Windows\SysWOW64\Lubang Hitam.exe
"C:\Windows\system32\Lubang Hitam.exe"
C:\WINDOWS\SysWOW64\shutdown.exe
C:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\WINDOWS\SysWOW64\shutdown.exe
C:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
"C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
"C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
C:\Windows\Black Hole.exe
"C:\Windows\Black Hole.exe"
C:\WINDOWS\SysWOW64\shutdown.exe
C:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!
C:\WINDOWS\SysWOW64\shutdown.exe
C:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\WINDOWS\SysWOW64\shutdown.exe
C:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!
C:\Windows\SysWOW64\Lubang Hitam.exe
"C:\Windows\system32\Lubang Hitam.exe"
C:\WINDOWS\SysWOW64\shutdown.exe
C:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\WINDOWS\SysWOW64\shutdown.exe
C:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!
C:\WINDOWS\SysWOW64\shutdown.exe
C:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!
C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
"C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
"C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
C:\WINDOWS\SysWOW64\shutdown.exe
C:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!
C:\WINDOWS\SysWOW64\shutdown.exe
C:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!
C:\WINDOWS\SysWOW64\shutdown.exe
C:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!
C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
"C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
"C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
C:\WINDOWS\SysWOW64\shutdown.exe
C:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\WINDOWS\SysWOW64\shutdown.exe
C:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
C:\WINDOWS\SysWOW64\shutdown.exe
C:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!
C:\WINDOWS\SysWOW64\shutdown.exe
C:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
"C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
C:\WINDOWS\SysWOW64\shutdown.exe
C:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!
C:\WINDOWS\SysWOW64\shutdown.exe
C:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
"C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
C:\WINDOWS\SysWOW64\shutdown.exe
C:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\Black Hole.exe
"C:\Windows\Black Hole.exe"
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
C:\WINDOWS\SysWOW64\shutdown.exe
C:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!
C:\WINDOWS\SysWOW64\shutdown.exe
C:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!
C:\WINDOWS\SysWOW64\shutdown.exe
C:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!
C:\Windows\SysWOW64\Lubang Hitam.exe
"C:\Windows\system32\Lubang Hitam.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
"C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
C:\WINDOWS\SysWOW64\shutdown.exe
C:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!
C:\WINDOWS\SysWOW64\shutdown.exe
C:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
"C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
C:\WINDOWS\SysWOW64\shutdown.exe
C:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\WINDOWS\SysWOW64\shutdown.exe
C:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!
C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
"C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
C:\WINDOWS\SysWOW64\shutdown.exe
C:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
C:\WINDOWS\SysWOW64\shutdown.exe
C:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\Black Hole.exe
"C:\Windows\Black Hole.exe"
C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
"C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
C:\WINDOWS\SysWOW64\shutdown.exe
C:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!
C:\Windows\SysWOW64\Lubang Hitam.exe
"C:\Windows\system32\Lubang Hitam.exe"
C:\WINDOWS\SysWOW64\shutdown.exe
C:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
C:\WINDOWS\SysWOW64\shutdown.exe
C:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!
C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
"C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
C:\WINDOWS\SysWOW64\shutdown.exe
C:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\WINDOWS\SysWOW64\shutdown.exe
C:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
"C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
C:\WINDOWS\SysWOW64\shutdown.exe
C:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
C:\WINDOWS\SysWOW64\shutdown.exe
C:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
"C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
C:\WINDOWS\SysWOW64\shutdown.exe
C:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
C:\WINDOWS\SysWOW64\shutdown.exe
C:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
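The process list above repeats the same three behaviours from every dropped copy: a forced shutdown queued one hour out, a `rd /s /q` against each drive root from Z: down to C:, and OS-core process names (WINLOGON.EXE, CSRSS.EXE, SMSS.EXE, LSASS.EXE, SERVICES.EXE) running from a user profile directory. The following Python is an added example, not part of the sandbox report: it parses the two-line format used above (image path, then command line) and reduces it to those three findings. CORE_NAMES, SYSTEM_DIRS and the regexes are the example's own assumptions; SAMPLE_PROCESSES is a shortened copy of the list in this report.

```python
"""Triage of a sandbox process list (image path line, then command line).

Added example, not part of the sandbox report. CORE_NAMES, SYSTEM_DIRS and
the detection regexes are this example's assumptions; SAMPLE_PROCESSES is a
shortened copy of the list in the report.
"""
import ntpath
import re

# Names that belong in the Windows system directories; the same name anywhere
# else is masquerading. Assumption: list chosen for this example.
CORE_NAMES = {"smss.exe", "csrss.exe", "wininit.exe", "winlogon.exe",
              "services.exe", "lsass.exe", "lsm.exe", "svchost.exe", "explorer.exe"}
SYSTEM_DIRS = {"c:\\windows", "c:\\windows\\system32", "c:\\windows\\syswow64"}

# cmd.exe /c rd /s /q X:  -> recursive, unprompted delete of a bare drive root
RD_ROOT_RE = re.compile(r"\b(?:rd|rmdir)\b(?:\s+/[sq])+\s+([a-z]):\\?\s*$", re.I)
SHUTDOWN_RE = re.compile(r"\bshutdown(?:\.exe)?\b(?P<args>.*)$", re.I)

SAMPLE_PROCESSES = r"""
Processes
C:\Users\Admin\AppData\Local\Temp\d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe
"C:\Users\Admin\AppData\Local\Temp\d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c.exe"
C:\WINDOWS\SysWOW64\shutdown.exe
C:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q z:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q d:
C:\WINDOWS\SysWOW64\cmd.exe
C:\WINDOWS\system32\cmd.exe /c rd /s /q c:
C:\Windows\Black Hole.exe
"C:\Windows\Black Hole.exe"
C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
"C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
"""


def parse_process_list(text):
    """Pair each image-path line with the command-line line that follows it."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if lines and lines[0].lower() == "processes":
        lines = lines[1:]
    return [(lines[i], lines[i + 1]) for i in range(0, len(lines) - 1, 2)]


def triage(procs):
    """Reduce (image, cmdline) pairs to the three findings this family shows."""
    findings = {"forced_shutdown": [], "drive_root_wipe": [], "masquerade": []}
    for image, cmdline in procs:
        m = SHUTDOWN_RE.search(cmdline)
        if m:
            args = m.group("args")
            # -s/-r plus -f: power off or reboot without letting apps object.
            if re.search(r"[-/][sr]\b", args) and re.search(r"[-/]f\b", args):
                t = re.search(r"[-/]t\s+(\d+)", args)
                findings["forced_shutdown"].append(
                    {"cmdline": cmdline, "timeout": int(t.group(1)) if t else 0})
        m = RD_ROOT_RE.search(cmdline)
        if m:
            findings["drive_root_wipe"].append(m.group(1).lower())
        name = ntpath.basename(image).lower()
        if name in CORE_NAMES and ntpath.dirname(image).lower() not in SYSTEM_DIRS:
            findings["masquerade"].append(image)
    return findings


def is_destructive(findings):
    """Wiper-style verdict: drive roots deleted and a forced shutdown queued."""
    return bool(findings["drive_root_wipe"]) and bool(findings["forced_shutdown"])


if __name__ == "__main__":
    result = triage(parse_process_list(SAMPLE_PROCESSES))
    print("drives targeted:", sorted(set(result["drive_root_wipe"])))
    print("forced shutdowns:", len(result["forced_shutdown"]))
    print("masquerading images:", result["masquerade"])
    print("destructive:", is_destructive(result))
```

Two practical notes on the findings this produces. The `-t 3600` delay means the machine stays up for an hour after the command, which is the window for `shutdown /a` to cancel it and for collecting volatile evidence before the host goes down. The `rd /s /q c:` against the system drive fails for files that are open or protected, so a surviving host is not proof that the wipe was not attempted; the cmd.exe command lines are the evidence.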
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| IE | 52.111.236.23:443 | | tcp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
Files
memory/1508-0-0x0000000000400000-0x000000000046C000-memory.dmp
memory/1508-1-0x00000000001C0000-0x00000000001C2000-memory.dmp
C:\Windows\SysWOW64\Lubang Hitam.exe
| MD5 | 2fd685a44814d363e81a07de7bee5233 |
| SHA1 | a9170c0738cf9f0d746ff409907f13a93f0baf04 |
| SHA256 | d82cefe294d40ccf445218475806acc484245716c4ddaff04facc27fa0c2e28c |
| SHA512 | 5bfddc19d55b0377410e1681de30336956f9f9f59b26f8237863079b7b0df0d05aec773ea5e3045dba3b5bed4109b536c75a171d356494285a8a5dd498c87bf5 |
F:\Autorun.inf
| MD5 | 4809daf962803cad2b891b94c195d3dd |
| SHA1 | 707bdd28edcf5e9e288959f62d4da8823777ec12 |
| SHA256 | 3468667630714eb86464ecfe903b59a843670ade55b49ac9d653421b91bcf139 |
| SHA512 | c9c233b22a853ce17731cb3466f7e8234da4e3de0dec6cc48ed15232303d4f29c49770e20a7064ad9329f8d9d27f8d4b547443d837320f58ac230973bb7dd11f |
F:\Read Me.txt
| MD5 | 5c462f1ea2917c0b502ae0761c0f60d8 |
| SHA1 | c1d15b093b2843528544d77dc0d9d4e3b8a85297 |
| SHA256 | 09c76898e4fa4174c53c2ad514274b5d2ca636ec6f223be5fda4c6135ec4ac10 |
| SHA512 | e6219ccbabe77a4999ade79c7074753495da9c61d6451c53be34219cc19746ca9a0dadef3b47cd8859cd59604064af5e9fc2a5044780bcfebaaa13dc08c36bbc |
C:\Windows\Black Hole.exe
| MD5 | 69d811e5f9265b2c3eccfc39c9597938 |
| SHA1 | 56ad7a089a5e2031f157e4fca2d71310b02a230e |
| SHA256 | 9dc6bdb598a14dd1434c2c6d47aa5e964ae80e7cee8a1bb4ddfac8c002a6c02e |
| SHA512 | db01289226fbda920f5455d0e5c1afbfcc54685a82bfb3c64c147bee43e94a2fee83a105c995360f15844a43f56a173a8728df865cbb7a084b93e080fded5331 |
C:\Windows\SysWOW64\Lubang Hitam.exe
| MD5 | 6d93a9ba850363e4f3d27a1b9b53cae7 |
| SHA1 | a02a8804d6e5d6b2640f4678603a3190ff9c5915 |
| SHA256 | 3bdee662b5d0224f43ddcda09189658a76cc01662c9d0550ee499be55d2b9d51 |
| SHA512 | ac8544a3eac5ef361fee4e077a0531306c2c48f9dcc6ba739c02e6dbbfdf17e7f640b3cffd17a3329997228434ed583c898061bba219d67f4d02687399809cf2 |
C:\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE
| MD5 | 0f04263db021b2e40d767ae8891f9ba7 |
| SHA1 | e1dc312cdbecacfd1fba0ebfeca71231a238ace4 |
| SHA256 | f12e676fa16a354d8495b6076c503361d16ac318f97c1e3362d352d63f5189e3 |
| SHA512 | 8648fd2146d6eef778415145d8c18cfad6ecb0c663cc7617d2179382c13b11b046a23f445b42dfb487c3cee5d2d58d21e19f57530fd1fafb2052df871014e12b |
C:\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE
| MD5 | 5d8b71df1f0fc372df4d18c3b278cd72 |
| SHA1 | 03a0f3e60c9caaaab771c4e4e749b922dbdb5f98 |
| SHA256 | c14ac0df3eb141ee06ac985f944a446d2f5eb501ea8701b977617358262ae218 |
| SHA512 | b0be124d27aef723c8558c01255361ea4ddcdcd4c6299fb59420aba13aa16c4273ecb8c16b62830ec69215b1ecdf328537a2c4c214332336ad51921c9aca1dd9 |
C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.exe
| MD5 | 1435ec2300ca23bb8eb38a700c73e98c |
| SHA1 | 16f065576c78fd402ee18888c4c2038e212423bb |
| SHA256 | 3d63c957c6bef0646842f6b52194a66844357a2ce898124a30373174a9e84bc0 |
| SHA512 | 4d85ddd2a2bd8b92f69053ebb5be3a867fe87a53b5eb7486501643be80c00a475c71aa42277b3e0f6ff71d74946c98f65fcfa8f7041c40fc8e47dea39d92e77e |
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
| MD5 | 277614c6e6f0f7b86381b5db63434e92 |
| SHA1 | 2ffe34be1da219689cf710936a0962aafb3360e2 |
| SHA256 | 7caaec03349b42bf40edf3e08fefb5b422ad90bb63dd2fe80c339ffc9306d7c7 |
| SHA512 | 2ced2995b43f5c9f09b4ca9c978be0541f9cfd2124c25ffe7dd135d6b478a82091226ec62eefae0d0a8b891e7c7f25e08f892b4bfc5e608c0b6f15334759a470 |
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
| MD5 | 4857ebb09c526f3c9f73abda3a42e8a6 |
| SHA1 | 37ba2a3bf091c5cf52e7d59c96b5a5def2b3cf12 |
| SHA256 | 2e8f6e96191d494335f9115c7f45136928d2a15d28493b4dde9b4b39c82b3538 |
| SHA512 | 63cd432752b631c3e11b799aeec26d03d162c53448f2e15ce5a349f14fb4b2f365037bb080ab5aebbeb33e1c985000beec8207eab1bc5075cdd7a1c6733e2831 |
C:\Windows\Black Hole.exe
| MD5 | 66a474002037e8cb85bb7ddcd6d1a88f |
| SHA1 | 782efd88c157ca3ed77c582731ecc75ca3787caa |
| SHA256 | 97ac843287e734bdbbb0d08730982b06847862f42fdada4a0497b6c79e4c75b9 |
| SHA512 | 625d0017f69a8aaea9fe3088cb24b6c262907a3ecd0907fa50ed35b559c34ffb3a46dc382b02129c7647d0c2380dc053a14e7482f25ebf337397113ea604af9a |
C:\Black Hole.exe
| MD5 | c2dad8cd19a2061f9cb152b36e261c80 |
| SHA1 | 50947e9db21f3e7b7efb9d3cd43738aa75e30eb1 |
| SHA256 | f0dc94736036677e97071d44a5b954bc6c11f0ae13a00aa31ab854d8aa583845 |
| SHA512 | b8e264a77440d4d943dc5b493cb8e2364f457a83534f346381709e90d714df13170d410dbcb5c45a189491e858e7ec5f59f254814b4b2a3aeb36ea050c47067e |
C:\Windows\SysWOW64\Shell.exe
| MD5 | 39bd810987ba65e42a955cb955d480bc |
| SHA1 | 45251b9d7da24ac60fd7e3ea2b3b7d902bcdee6e |
| SHA256 | 87b24d48f1f57173b3a0ad20886726049a213cbd030682b007450686409999a3 |
| SHA512 | 97c8dd1b9488e9ec28c1c32600156f7846187013e38694e1316dec3052c7eaa72b6499c27294478b2ed11570a171ca08bd61d71315029c8b1792c7bfb1bef6ce |
C:\Windows\SysWOW64\Destruction.scr
| MD5 | ecae673d3b7831716af86a8886654184 |
| SHA1 | 1ce431abcd9a370211cb4c7912879d41a640705e |
| SHA256 | 698ac72e4438d65b979c880ec3d394c63f33e0206b7d6274091074aa04757ae2 |
| SHA512 | 0421da35f5dd4efe7473b7ced9cf061fe12b121eda52d2f03b158ac333905f12a469c6fb3cf7a9078b73c72a32876632143f2a2e2b15fbd1ac730357bbfb622e |
C:\Users\All Users\Start Menu\Programs\Startup\Zero Code.pif
| MD5 | 473012b1fafd77fd846773c4225de605 |
| SHA1 | e62849be31456f3193ca8d25d089aa8c0e9fafa7 |
| SHA256 | e5f5795a9d923a53106c91a1123f8e3efc7fd9a0884db3b85349d8e7d4a6f920 |
| SHA512 | d6543021e77377d9be48007b08f1c6985e1afae6cc897c334311d1bfd6a02d25f76ba0cf5795f66d715ad79f5e57dcbb046ce27b3382c2e2e639839b556592eb |
C:\Windows\Black Hole.exe
| MD5 | 3515c7ddd0cb41c66bf2b90b1dc5483c |
| SHA1 | cf1ff1a4f3bf932c9c979bd20f4dc67957e79cdf |
| SHA256 | ac2315458f18bdbb71251cc985e6849dcf8ed1b45c53571c1830a8941624bdc4 |
| SHA512 | b960f460610a4349f9ad79b7ccf6194d9a187445e879d8edd2d69c6aeaaf68a65feb62ad314b7e602850a72726440207663e135911be9db6e53e52b27662fa60 |
C:\Black Hole.exe
| MD5 | 52f13d5f1e062562a89ab6a7d20f45a2 |
| SHA1 | faed88a0c1d882f80d46efab59db82657345d3e5 |
| SHA256 | 66b3300b84802ab3446fc69350f66537b808bdec219ca025b1a6d6d6fc31bfcb |
| SHA512 | cc987626e6e066ddf113c3663a9e2f9aecc59eec452de996665c1358a289affd821872e4969763049b8847806978c6deaa0df0347ad0b86f1bfc0486d51879a7 |
C:\Windows\SysWOW64\Shell.exe
| MD5 | 8b855b20db6eb57ba796a8e7501572f7 |
| SHA1 | 42953ed73121b53c873019bbf071910b62065467 |
| SHA256 | fcd8fb6c69fdac330da0616413ee15676307716d28bcefc52832c3e6ec368ddc |
| SHA512 | c5966455eb6db3e0d2b194d8211bf4b9cccee9a47c49074958c80f6c467e1ff4bdbd3b867febb87b232e5fdb2cea450adb3f5ea7a46f11c1b92c507482ad28e4 |
C:\Windows\SysWOW64\Destruction.scr
| MD5 | 31cf1bc9357c8bfc496951f3c6b2f1d4 |
| SHA1 | 46e43ddc6a17bcda9f43a1e37404e47dd0950c37 |
| SHA256 | 00c3cd6220170d19cc3d8502084d07bab79b68c6b11f36624d0bddf502522295 |
| SHA512 | 5597b77c335c2e3e925285f7bc445f6f43b36010dc5fa12cc47824fc3d6ba1c8a64e4fd1ff6013ff783d2ce557c28ec7d0fd0e228c3fdba59d56dd87eb2658bf |
C:\Users\All Users\Start Menu\Programs\Startup\Zero Code.pif
| MD5 | dee0b6b16ec7d37df16656b72bbf236e |
| SHA1 | 915ad1d16be9bceac4fe04b2b0a2dcc903dbd1f0 |
| SHA256 | b2bb288750d807cc98bdd3c563e2b61d60b8a0255c0e7f949227fe403d525658 |
| SHA512 | 1ea831a680247e4d17a18a3784f4f733d6d60fad435f335e487ad69a2194195ae16c381154256691cb3d30e5142899f08780552464c5b50cf29868ef92b5612f |
C:\WINDOWS\Black Hole.txt
| MD5 | 6635e047c242e6d64b2716d81095bf5f |
| SHA1 | 5def5300f894e58bbb0caaa94680f7735ccd248d |
| SHA256 | 9757b4f406657c44fcbd40757d1ae06e833a8e1542ca976e6ae63578031b32bf |
| SHA512 | c9bae9bf090e7c67fac53d061bb43c2091e991c8f568889463d0c1af8f48652c79c51785c0906705098b418b2d7a4b200580fb44091ecf8bf24d8b1b45a258c0 |
C:\WINDOWS\Hacked By Gerry.txt
| MD5 | e067dafcbe64a95f5045a281397732db |
| SHA1 | 1af7095f98c486ca247449980000d06b04ffc50c |
| SHA256 | b6085ee8c1f2de574973b9f3a7417257e25573c2b5228b5a8f87e3788e2733b6 |
| SHA512 | 1b575d62fee219538f8d624ab833cbce0aee431559a0adfa1e3ce9cd4f5ab8a2887b394843ebf164c884ccbed5687d644474328471b23c28edba8f99ccf08b58 |
C:\Windows\msvbvm60.dll
| MD5 | 25f62c02619174b35851b0e0455b3d94 |
| SHA1 | 4e8ee85157f1769f6e3f61c0acbe59072209da71 |
| SHA256 | 898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2 |
| SHA512 | f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a |
F:\Black Hole.exe
| MD5 | a7337a8f176b77efa8a8fabb224e054c |
| SHA1 | 2fb4ed8c63758f276963e82e73130be3c5613c26 |
| SHA256 | f63a282980928aabc7cc02edfde5bed1fa86b13a1365c000a61d44864dbdf604 |
| SHA512 | fff2fb8eef0c9ec05975345ad2ebc59038df004965813fe398c3f85159eb622d65557debe350378efee5c94af6c85aa7fd95ef96d2f8d902ac61a5e8abdc2c09 |