b3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ce

Analysis

max time kernel
119s
max time network
92s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
26-11-2024 01:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ceN.exe
Size

440KB
MD5

e12692f81e2dc5fcf33913cb764cd2f0
SHA1

d063cc9c3e075df64b575d22ca52aacf8234a01c
SHA256

b3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ce
SHA512

073e088817ffc5391108a7699081d2e31b41902bc70cad7346873db60152b40326cd6e827af70dd53315890e5dd83c84d65b297755a44485fb05d56d8b2b0d5b
SSDEEP

6144:Kba8SfiircLRB/c1BALaHd1LRBXrAkSc5C8SkH8OHNDZIlu0kxtWdks:KZZiT1G/kSc5Cw8OtDZI40krs

Score

10^/10

discovery evasion persistence trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 18 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

SMSS.EXEBlack Hole.exeBlack Hole.exeSERVICES.EXELSASS.EXELubang Hitam.exeCSRSS.EXEWINLOGON.EXEb3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ceN.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Lubang Hitam.exe"	SMSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\Lubang Hitam.exe\""	Black Hole.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\Lubang Hitam.exe\""	Black Hole.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Lubang Hitam.exe"	Black Hole.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Lubang Hitam.exe"	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\Lubang Hitam.exe\""	LSASS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Lubang Hitam.exe"	Black Hole.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\Lubang Hitam.exe\""	Lubang Hitam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Lubang Hitam.exe"	Lubang Hitam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\Lubang Hitam.exe\""	CSRSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Lubang Hitam.exe"	LSASS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\Lubang Hitam.exe\""	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Lubang Hitam.exe"	CSRSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\Lubang Hitam.exe\""	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\Lubang Hitam.exe\""	SMSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\Lubang Hitam.exe\""	b3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ceN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Lubang Hitam.exe"	b3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ceN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Lubang Hitam.exe"	WINLOGON.EXE

Modifies visibility of file extensions in Explorer 2 TTPs 9 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

SMSS.EXEb3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ceN.exeLubang Hitam.exeCSRSS.EXELSASS.EXEBlack Hole.exeBlack Hole.exeWINLOGON.EXESERVICES.EXE

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	SMSS.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	b3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ceN.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Lubang Hitam.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	CSRSS.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	LSASS.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Black Hole.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Black Hole.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	WINLOGON.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	SERVICES.EXE

Modifies visiblity of hidden/system files in Explorer 2 TTPs 9 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

b3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ceN.exeBlack Hole.exeWINLOGON.EXECSRSS.EXEBlack Hole.exeLubang Hitam.exeSERVICES.EXELSASS.EXESMSS.EXE

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	b3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ceN.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	Black Hole.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	WINLOGON.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	CSRSS.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	Black Hole.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	Lubang Hitam.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	SERVICES.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	LSASS.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	SMSS.EXE

Windows security bypass 2 TTPs 27 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

Black Hole.exeWINLOGON.EXEBlack Hole.exeb3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ceN.exeLubang Hitam.exeSERVICES.EXELSASS.EXESMSS.EXECSRSS.EXE

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	Black Hole.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	WINLOGON.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	Black Hole.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	b3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ceN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	Black Hole.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	Lubang Hitam.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	b3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ceN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	SERVICES.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	LSASS.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	SMSS.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	SMSS.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	Black Hole.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	LSASS.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	SMSS.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	Lubang Hitam.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	WINLOGON.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	CSRSS.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	Black Hole.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	CSRSS.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	SERVICES.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	LSASS.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	b3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ceN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	Black Hole.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	CSRSS.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	Lubang Hitam.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	WINLOGON.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	SERVICES.EXE

Disables RegEdit via registry modification 18 IoCs

evasion

Processes:

Black Hole.exeLubang Hitam.exeCSRSS.EXELSASS.EXEb3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ceN.exeSERVICES.EXEBlack Hole.exeWINLOGON.EXESMSS.EXE

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Black Hole.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Lubang Hitam.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	CSRSS.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	LSASS.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	b3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ceN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Lubang Hitam.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	SERVICES.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	LSASS.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Black Hole.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	b3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ceN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Black Hole.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	WINLOGON.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	WINLOGON.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	CSRSS.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	SERVICES.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	SMSS.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	SMSS.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Black Hole.exe

Disables Task Manager via registry modification
evasion
Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Executes dropped EXE 13 IoCs

Processes:

Black Hole.exeLubang Hitam.exeWINLOGON.EXECSRSS.EXESERVICES.EXELSASS.EXESMSS.EXEBlack Hole.exeBlack Hole.exeLubang Hitam.exeWINLOGON.EXECSRSS.EXELubang Hitam.exe

pid	Process
3620	Black Hole.exe
448	Lubang Hitam.exe
4152	WINLOGON.EXE
2336	CSRSS.EXE
3084	SERVICES.EXE
4904	LSASS.EXE
2212	SMSS.EXE
2376	Black Hole.exe
4636	Black Hole.exe
4784	Lubang Hitam.exe
4540	WINLOGON.EXE
4912	CSRSS.EXE
4104	Lubang Hitam.exe

Loads dropped DLL 2 IoCs

Processes:

Black Hole.exeBlack Hole.exe

pid	Process
2376	Black Hole.exe
4636	Black Hole.exe

Modifies system executable filetype association 2 TTPs 64 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

Processes:

SERVICES.EXESMSS.EXEBlack Hole.exeCSRSS.EXELubang Hitam.exeBlack Hole.exeWINLOGON.EXELSASS.EXEb3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ceN.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*"	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*"	SMSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*"	Black Hole.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	CSRSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	CSRSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*"	Lubang Hitam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*"	Lubang Hitam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	Lubang Hitam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	CSRSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	CSRSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*"	SMSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	Black Hole.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*"	Black Hole.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	SMSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*"	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*"	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*"	CSRSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*"	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*"	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*"	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	Lubang Hitam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*"	Lubang Hitam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	Black Hole.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	LSASS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*"	b3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ceN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	Lubang Hitam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*"	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	LSASS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	SMSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*"	CSRSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*"	CSRSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	Black Hole.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*"	CSRSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	CSRSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*"	Black Hole.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*"	Lubang Hitam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	Black Hole.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	Lubang Hitam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*"	CSRSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*"	LSASS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*"	SMSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	SMSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	b3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ceN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	b3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ceN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	Black Hole.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*"	Black Hole.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*"	LSASS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	LSASS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*"	SMSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	SMSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*"	Black Hole.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*"	Black Hole.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	LSASS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	CSRSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*"	LSASS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	SMSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	Black Hole.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*"	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	WINLOGON.EXE

Windows security modification 2 TTPs 36 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

b3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ceN.exeLubang Hitam.exeLSASS.EXEBlack Hole.exeCSRSS.EXESMSS.EXEBlack Hole.exeWINLOGON.EXESERVICES.EXE

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	b3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ceN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	Lubang Hitam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\	LSASS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\	Black Hole.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	Black Hole.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\	b3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ceN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	b3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ceN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\	CSRSS.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	CSRSS.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	SMSS.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	Black Hole.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\	Black Hole.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	Black Hole.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	Black Hole.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\	Lubang Hitam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\	WINLOGON.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\	SMSS.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	SMSS.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	b3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ceN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	Lubang Hitam.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\	SERVICES.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	SERVICES.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	SERVICES.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	LSASS.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	LSASS.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	SMSS.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	LSASS.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	Black Hole.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	Black Hole.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	Lubang Hitam.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	WINLOGON.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	CSRSS.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	CSRSS.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	SERVICES.EXE

Adds Run key to start application 2 TTPs 45 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

SMSS.EXEBlack Hole.exeBlack Hole.exeWINLOGON.EXECSRSS.EXESERVICES.EXELSASS.EXEb3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ceN.exeLubang Hitam.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	SMSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Black Hole = "C:\\Windows\\Black Hole.exe"	Black Hole.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	Black Hole.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"	WINLOGON.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Black Hole = "C:\\Windows\\Black Hole.exe"	CSRSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	CSRSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	SERVICES.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	LSASS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"	Black Hole.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Black Hole = "C:\\Windows\\Black Hole.exe"	b3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ceN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"	Black Hole.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"	CSRSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE"	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE"	LSASS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Black Hole = "C:\\Windows\\Black Hole.exe"	Lubang Hitam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	Lubang Hitam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"	Lubang Hitam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	WINLOGON.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	CSRSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	Black Hole.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	Lubang Hitam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Black Hole = "C:\\Windows\\Black Hole.exe"	WINLOGON.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Black Hole = "C:\\Windows\\Black Hole.exe"	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"	SERVICES.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	SMSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE"	Black Hole.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"	b3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ceN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Black Hole = "C:\\Windows\\Black Hole.exe"	Black Hole.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	Black Hole.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE"	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE"	CSRSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	Black Hole.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE"	Black Hole.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	WINLOGON.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Black Hole = "C:\\Windows\\Black Hole.exe"	LSASS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"	SMSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	b3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ceN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE"	b3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ceN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	LSASS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"	LSASS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	b3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ceN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE"	Lubang Hitam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Black Hole = "C:\\Windows\\Black Hole.exe"	SMSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE"	SMSS.EXE

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

b3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ceN.exeLubang Hitam.exeWINLOGON.EXE

description	ioc	Process
File opened (read-only)	\??\S:	b3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ceN.exe
File opened (read-only)	\??\N:	Lubang Hitam.exe
File opened (read-only)	\??\B:	WINLOGON.EXE
File opened (read-only)	\??\G:	WINLOGON.EXE
File opened (read-only)	\??\K:	b3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ceN.exe
File opened (read-only)	\??\N:	b3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ceN.exe
File opened (read-only)	\??\O:	Lubang Hitam.exe
File opened (read-only)	\??\U:	Lubang Hitam.exe
File opened (read-only)	\??\Q:	b3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ceN.exe
File opened (read-only)	\??\I:	Lubang Hitam.exe
File opened (read-only)	\??\W:	Lubang Hitam.exe
File opened (read-only)	\??\Q:	WINLOGON.EXE
File opened (read-only)	\??\S:	WINLOGON.EXE
File opened (read-only)	\??\Z:	WINLOGON.EXE
File opened (read-only)	\??\G:	b3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ceN.exe
File opened (read-only)	\??\O:	b3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ceN.exe
File opened (read-only)	\??\V:	b3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ceN.exe
File opened (read-only)	\??\K:	Lubang Hitam.exe
File opened (read-only)	\??\X:	Lubang Hitam.exe
File opened (read-only)	\??\K:	WINLOGON.EXE
File opened (read-only)	\??\E:	Lubang Hitam.exe
File opened (read-only)	\??\S:	Lubang Hitam.exe
File opened (read-only)	\??\T:	WINLOGON.EXE
File opened (read-only)	\??\M:	b3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ceN.exe
File opened (read-only)	\??\P:	b3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ceN.exe
File opened (read-only)	\??\W:	b3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ceN.exe
File opened (read-only)	\??\P:	Lubang Hitam.exe
File opened (read-only)	\??\Q:	Lubang Hitam.exe
File opened (read-only)	\??\J:	WINLOGON.EXE
File opened (read-only)	\??\N:	WINLOGON.EXE
File opened (read-only)	\??\X:	WINLOGON.EXE
File opened (read-only)	\??\L:	b3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ceN.exe
File opened (read-only)	\??\U:	b3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ceN.exe
File opened (read-only)	\??\Y:	b3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ceN.exe
File opened (read-only)	\??\B:	Lubang Hitam.exe
File opened (read-only)	\??\G:	Lubang Hitam.exe
File opened (read-only)	\??\I:	b3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ceN.exe
File opened (read-only)	\??\M:	Lubang Hitam.exe
File opened (read-only)	\??\T:	Lubang Hitam.exe
File opened (read-only)	\??\V:	Lubang Hitam.exe
File opened (read-only)	\??\E:	WINLOGON.EXE
File opened (read-only)	\??\V:	WINLOGON.EXE
File opened (read-only)	\??\Y:	WINLOGON.EXE
File opened (read-only)	\??\B:	b3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ceN.exe
File opened (read-only)	\??\E:	b3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ceN.exe
File opened (read-only)	\??\R:	b3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ceN.exe
File opened (read-only)	\??\Z:	Lubang Hitam.exe
File opened (read-only)	\??\T:	b3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ceN.exe
File opened (read-only)	\??\Z:	b3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ceN.exe
File opened (read-only)	\??\W:	WINLOGON.EXE
File opened (read-only)	\??\L:	Lubang Hitam.exe
File opened (read-only)	\??\P:	WINLOGON.EXE
File opened (read-only)	\??\U:	WINLOGON.EXE
File opened (read-only)	\??\J:	Lubang Hitam.exe
File opened (read-only)	\??\H:	WINLOGON.EXE
File opened (read-only)	\??\R:	WINLOGON.EXE
File opened (read-only)	\??\O:	WINLOGON.EXE
File opened (read-only)	\??\H:	b3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ceN.exe
File opened (read-only)	\??\J:	b3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ceN.exe
File opened (read-only)	\??\X:	b3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ceN.exe
File opened (read-only)	\??\H:	Lubang Hitam.exe
File opened (read-only)	\??\R:	Lubang Hitam.exe
File opened (read-only)	\??\Y:	Lubang Hitam.exe
File opened (read-only)	\??\I:	WINLOGON.EXE

Drops autorun.inf file 1 TTPs 4 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

Processes:

b3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ceN.exe

description	ioc	Process
File created	F:\Autorun.inf	b3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ceN.exe
File opened for modification	F:\Autorun.inf	b3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ceN.exe
File created	C:\Autorun.inf	b3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ceN.exe
File opened for modification	C:\Autorun.inf	b3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ceN.exe

Drops file in System32 directory 25 IoCs

Processes:

b3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ceN.exeLubang Hitam.exeWINLOGON.EXECSRSS.EXELubang Hitam.exeLubang Hitam.exe

description	ioc	Process
File created	C:\Windows\SysWOW64\Destruction.scr	b3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ceN.exe
File created	C:\Windows\SysWOW64\Lubang Hitam.exe	b3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ceN.exe
File created	C:\Windows\SysWOW64\Lubang Hitam.exe	Lubang Hitam.exe
File opened for modification	C:\Windows\SysWOW64\Shell.exe	WINLOGON.EXE
File opened for modification	C:\Windows\SysWOW64\Destruction.scr	CSRSS.EXE
File created	C:\Windows\SysWOW64\Lubang Hitam.exe	CSRSS.EXE
File opened for modification	C:\Windows\SysWOW64\Lubang Hitam.exe	CSRSS.EXE
File created	C:\Windows\SysWOW64\Shell.exe	b3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ceN.exe
File opened for modification	C:\Windows\SysWOW64\1126202412524.bmp	Lubang Hitam.exe
File opened for modification	C:\Windows\SysWOW64\Lubang Hitam.exe	b3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ceN.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	Lubang Hitam.exe
File opened for modification	C:\Windows\SysWOW64\Destruction.scr	Lubang Hitam.exe
File opened for modification	C:\Windows\SysWOW64\Lubang Hitam.exe	WINLOGON.EXE
File created	C:\Windows\SysWOW64\msvbvm60.dll	Lubang Hitam.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	Lubang Hitam.exe
File opened for modification	C:\Windows\SysWOW64\Shell.exe	b3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ceN.exe
File opened for modification	C:\Windows\SysWOW64\Shell.exe	Lubang Hitam.exe
File opened for modification	C:\Windows\SysWOW64\Destruction.scr	WINLOGON.EXE
File created	C:\Windows\SysWOW64\Lubang Hitam.exe	WINLOGON.EXE
File opened for modification	C:\Windows\SysWOW64\Shell.exe	CSRSS.EXE
File created	C:\Windows\SysWOW64\msvbvm60.dll	Lubang Hitam.exe
File opened for modification	C:\Windows\SysWOW64\Lubang Hitam.exe	Lubang Hitam.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	Lubang Hitam.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	Lubang Hitam.exe
File opened for modification	C:\Windows\SysWOW64\Destruction.scr	b3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ceN.exe

Drops file in Windows directory 19 IoCs

Processes:

Lubang Hitam.exeWINLOGON.EXELubang Hitam.exeLubang Hitam.exeb3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ceN.exeCSRSS.EXE

description	ioc	Process
File opened for modification	C:\WINDOWS\Hacked By Gerry.txt	Lubang Hitam.exe
File opened for modification	C:\WINDOWS\Hacked By Gerry.txt	WINLOGON.EXE
File created	C:\Windows\msvbvm60.dll	Lubang Hitam.exe
File opened for modification	C:\Windows\msvbvm60.dll	Lubang Hitam.exe
File created	C:\Windows\msvbvm60.dll	Lubang Hitam.exe
File opened for modification	C:\Windows\msvbvm60.dll	Lubang Hitam.exe
File opened for modification	C:\Windows\Black Hole.exe	b3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ceN.exe
File opened for modification	C:\Windows\msvbvm60.dll	Lubang Hitam.exe
File opened for modification	C:\Windows\Black Hole.exe	CSRSS.EXE
File opened for modification	C:\WINDOWS\Black Hole.txt	Lubang Hitam.exe
File created	C:\Windows\msvbvm60.dll	Lubang Hitam.exe
File opened for modification	C:\Windows\Black Hole.exe	WINLOGON.EXE
File opened for modification	C:\WINDOWS\Black Hole.txt	b3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ceN.exe
File created	C:\WINDOWS\Hacked By Gerry.txt	b3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ceN.exe
File opened for modification	C:\WINDOWS\Hacked By Gerry.txt	b3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ceN.exe
File opened for modification	C:\Windows\Black Hole.exe	Lubang Hitam.exe
File opened for modification	C:\WINDOWS\Black Hole.txt	WINLOGON.EXE
File created	C:\Windows\Black Hole.exe	b3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ceN.exe
File created	C:\WINDOWS\Black Hole.txt	b3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ceN.exe

System Location Discovery: System Language Discovery 1 TTPs 28 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

WINLOGON.EXEshutdown.exeBlack Hole.exeshutdown.exeshutdown.exeSMSS.EXEBlack Hole.exeBlack Hole.exeLubang Hitam.exeshutdown.exeb3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ceN.exeshutdown.exeshutdown.exeshutdown.exeshutdown.exeLubang Hitam.exeshutdown.exeCSRSS.EXELubang Hitam.exeSERVICES.EXEshutdown.exeshutdown.exeshutdown.exeCSRSS.EXELSASS.EXEshutdown.exeshutdown.exeWINLOGON.EXE

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINLOGON.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	shutdown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Black Hole.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	shutdown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	shutdown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SMSS.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Black Hole.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Black Hole.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lubang Hitam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	shutdown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ceN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	shutdown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	shutdown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	shutdown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	shutdown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lubang Hitam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	shutdown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CSRSS.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lubang Hitam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SERVICES.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	shutdown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	shutdown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	shutdown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CSRSS.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LSASS.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	shutdown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	shutdown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINLOGON.EXE

Modifies Control Panel 54 IoCs

evasion

Processes:

SERVICES.EXEBlack Hole.exeLubang Hitam.exeCSRSS.EXEWINLOGON.EXELSASS.EXEb3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ceN.exeSMSS.EXEBlack Hole.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	SERVICES.EXE
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Mouse\	SERVICES.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\DESTRU~1.SCR"	Black Hole.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop\	Lubang Hitam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	CSRSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	WINLOGON.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Mouse\SwapMouseButtons = "1"	CSRSS.EXE
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Mouse\	LSASS.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Mouse\SwapMouseButtons = "1"	LSASS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	b3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ceN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	Lubang Hitam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\DESTRU~1.SCR"	b3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ceN.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop\	SERVICES.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	LSASS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	SMSS.EXE
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Mouse\	SMSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	SMSS.EXE
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop\	Black Hole.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\DESTRU~1.SCR"	Lubang Hitam.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Mouse\SwapMouseButtons = "1"	WINLOGON.EXE
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop\	LSASS.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Mouse\SwapMouseButtons = "1"	Black Hole.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Mouse\SwapMouseButtons = "1"	SERVICES.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Mouse\SwapMouseButtons = "1"	Lubang Hitam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	CSRSS.EXE
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Mouse\	CSRSS.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Mouse\SwapMouseButtons = "1"	b3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ceN.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop\	b3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ceN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	b3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ceN.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop\	CSRSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\DESTRU~1.SCR"	SMSS.EXE
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Mouse\	WINLOGON.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	SERVICES.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	LSASS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	Lubang Hitam.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop\	WINLOGON.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\DESTRU~1.SCR"	WINLOGON.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\DESTRU~1.SCR"	LSASS.EXE
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop\	SMSS.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Mouse\SwapMouseButtons = "1"	SMSS.EXE
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Mouse\	Lubang Hitam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	Black Hole.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Mouse\	Black Hole.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Mouse\	b3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ceN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	Black Hole.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Mouse\	Black Hole.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Mouse\SwapMouseButtons = "1"	Black Hole.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	Black Hole.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	WINLOGON.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\DESTRU~1.SCR"	CSRSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\DESTRU~1.SCR"	Black Hole.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	Black Hole.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\DESTRU~1.SCR"	SERVICES.EXE
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop\	Black Hole.exe

Modifies registry class 64 IoCs

Processes:

Lubang Hitam.exeBlack Hole.exeBlack Hole.exeCSRSS.EXESERVICES.EXEb3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ceN.exeLSASS.EXESMSS.EXEWINLOGON.EXE

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	Lubang Hitam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	Black Hole.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*"	Black Hole.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	Black Hole.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*"	Black Hole.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command	CSRSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*"	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*"	b3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ceN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	Black Hole.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	LSASS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	SMSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	CSRSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	Black Hole.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	b3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ceN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*"	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*"	LSASS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	SMSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*"	Lubang Hitam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	Lubang Hitam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*"	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	CSRSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	LSASS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command	SMSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*"	SMSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	b3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ceN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*"	b3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ceN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*"	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*"	SMSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*"	SMSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*"	CSRSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	CSRSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*"	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*"	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	Black Hole.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*"	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	LSASS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	SMSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	Black Hole.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	b3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ceN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*"	CSRSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*"	b3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ceN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*"	Lubang Hitam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command	Black Hole.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*"	Black Hole.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*"	Black Hole.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*"	b3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ceN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	b3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ceN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*"	LSASS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*"	Black Hole.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	Black Hole.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile	b3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ceN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	b3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ceN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	Lubang Hitam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*"	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	Black Hole.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\Shell.exe\" \"%1\" %*"	Black Hole.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

Black Hole.exeBlack Hole.exe

pid	Process
3620	Black Hole.exe
3620	Black Hole.exe
2376	Black Hole.exe
2376	Black Hole.exe
2376	Black Hole.exe
2376	Black Hole.exe
2376	Black Hole.exe
2376	Black Hole.exe
2376	Black Hole.exe
2376	Black Hole.exe
2376	Black Hole.exe
2376	Black Hole.exe
2376	Black Hole.exe
2376	Black Hole.exe
2376	Black Hole.exe
2376	Black Hole.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

b3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ceN.exe

pid	Process
1396	b3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ceN.exe

Suspicious use of AdjustPrivilegeToken 28 IoCs

Processes:

shutdown.exeshutdown.exeshutdown.exeshutdown.exeshutdown.exeshutdown.exeshutdown.exeshutdown.exeshutdown.exeshutdown.exeshutdown.exeshutdown.exeshutdown.exeshutdown.exe

description	pid	Process
Token: SeShutdownPrivilege	548	shutdown.exe
Token: SeRemoteShutdownPrivilege	548	shutdown.exe
Token: SeShutdownPrivilege	384	shutdown.exe
Token: SeRemoteShutdownPrivilege	384	shutdown.exe
Token: SeShutdownPrivilege	3624	shutdown.exe
Token: SeRemoteShutdownPrivilege	3624	shutdown.exe
Token: SeShutdownPrivilege	4020	shutdown.exe
Token: SeRemoteShutdownPrivilege	4020	shutdown.exe
Token: SeShutdownPrivilege	3716	shutdown.exe
Token: SeRemoteShutdownPrivilege	3716	shutdown.exe
Token: SeShutdownPrivilege	1764	shutdown.exe
Token: SeRemoteShutdownPrivilege	1764	shutdown.exe
Token: SeShutdownPrivilege	1948	shutdown.exe
Token: SeRemoteShutdownPrivilege	1948	shutdown.exe
Token: SeShutdownPrivilege	4920	shutdown.exe
Token: SeRemoteShutdownPrivilege	4920	shutdown.exe
Token: SeShutdownPrivilege	4360	shutdown.exe
Token: SeRemoteShutdownPrivilege	4360	shutdown.exe
Token: SeShutdownPrivilege	3232	shutdown.exe
Token: SeRemoteShutdownPrivilege	3232	shutdown.exe
Token: SeShutdownPrivilege	2652	shutdown.exe
Token: SeRemoteShutdownPrivilege	2652	shutdown.exe
Token: SeShutdownPrivilege	4412	shutdown.exe
Token: SeRemoteShutdownPrivilege	4412	shutdown.exe
Token: SeShutdownPrivilege	2928	shutdown.exe
Token: SeRemoteShutdownPrivilege	2928	shutdown.exe
Token: SeShutdownPrivilege	1724	shutdown.exe
Token: SeRemoteShutdownPrivilege	1724	shutdown.exe

Suspicious use of SetWindowsHookEx 14 IoCs

Processes:

b3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ceN.exeBlack Hole.exeLubang Hitam.exeWINLOGON.EXECSRSS.EXESERVICES.EXELSASS.EXESMSS.EXEBlack Hole.exeBlack Hole.exeLubang Hitam.exeWINLOGON.EXECSRSS.EXELubang Hitam.exe

pid	Process
1396	b3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ceN.exe
3620	Black Hole.exe
448	Lubang Hitam.exe
4152	WINLOGON.EXE
2336	CSRSS.EXE
3084	SERVICES.EXE
4904	LSASS.EXE
2212	SMSS.EXE
2376	Black Hole.exe
4636	Black Hole.exe
4784	Lubang Hitam.exe
4540	WINLOGON.EXE
4912	CSRSS.EXE
4104	Lubang Hitam.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

b3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ceN.exeBlack Hole.exeLubang Hitam.exeWINLOGON.EXECSRSS.EXESERVICES.EXELSASS.EXESMSS.EXEBlack Hole.exeBlack Hole.exeLubang Hitam.exe

description	pid	Process	procid_target
PID 1396 wrote to memory of 548	1396	b3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ceN.exe	82
PID 1396 wrote to memory of 548	1396	b3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ceN.exe	82
PID 1396 wrote to memory of 548	1396	b3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ceN.exe	82
PID 1396 wrote to memory of 3620	1396	b3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ceN.exe	86
PID 1396 wrote to memory of 3620	1396	b3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ceN.exe	86
PID 1396 wrote to memory of 3620	1396	b3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ceN.exe	86
PID 3620 wrote to memory of 384	3620	Black Hole.exe	88
PID 3620 wrote to memory of 384	3620	Black Hole.exe	88
PID 3620 wrote to memory of 384	3620	Black Hole.exe	88
PID 1396 wrote to memory of 448	1396	b3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ceN.exe	90
PID 1396 wrote to memory of 448	1396	b3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ceN.exe	90
PID 1396 wrote to memory of 448	1396	b3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ceN.exe	90
PID 448 wrote to memory of 3624	448	Lubang Hitam.exe	91
PID 448 wrote to memory of 3624	448	Lubang Hitam.exe	91
PID 448 wrote to memory of 3624	448	Lubang Hitam.exe	91
PID 1396 wrote to memory of 4152	1396	b3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ceN.exe	93
PID 1396 wrote to memory of 4152	1396	b3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ceN.exe	93
PID 1396 wrote to memory of 4152	1396	b3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ceN.exe	93
PID 4152 wrote to memory of 4020	4152	WINLOGON.EXE	94
PID 4152 wrote to memory of 4020	4152	WINLOGON.EXE	94
PID 4152 wrote to memory of 4020	4152	WINLOGON.EXE	94
PID 1396 wrote to memory of 2336	1396	b3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ceN.exe	96
PID 1396 wrote to memory of 2336	1396	b3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ceN.exe	96
PID 1396 wrote to memory of 2336	1396	b3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ceN.exe	96
PID 2336 wrote to memory of 3716	2336	CSRSS.EXE	99
PID 2336 wrote to memory of 3716	2336	CSRSS.EXE	99
PID 2336 wrote to memory of 3716	2336	CSRSS.EXE	99
PID 1396 wrote to memory of 3084	1396	b3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ceN.exe	101
PID 1396 wrote to memory of 3084	1396	b3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ceN.exe	101
PID 1396 wrote to memory of 3084	1396	b3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ceN.exe	101
PID 3084 wrote to memory of 1764	3084	SERVICES.EXE	102
PID 3084 wrote to memory of 1764	3084	SERVICES.EXE	102
PID 3084 wrote to memory of 1764	3084	SERVICES.EXE	102
PID 1396 wrote to memory of 4904	1396	b3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ceN.exe	104
PID 1396 wrote to memory of 4904	1396	b3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ceN.exe	104
PID 1396 wrote to memory of 4904	1396	b3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ceN.exe	104
PID 4904 wrote to memory of 1948	4904	LSASS.EXE	105
PID 4904 wrote to memory of 1948	4904	LSASS.EXE	105
PID 4904 wrote to memory of 1948	4904	LSASS.EXE	105
PID 1396 wrote to memory of 2212	1396	b3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ceN.exe	107
PID 1396 wrote to memory of 2212	1396	b3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ceN.exe	107
PID 1396 wrote to memory of 2212	1396	b3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ceN.exe	107
PID 2212 wrote to memory of 4920	2212	SMSS.EXE	108
PID 2212 wrote to memory of 4920	2212	SMSS.EXE	108
PID 2212 wrote to memory of 4920	2212	SMSS.EXE	108
PID 448 wrote to memory of 2376	448	Lubang Hitam.exe	110
PID 448 wrote to memory of 2376	448	Lubang Hitam.exe	110
PID 448 wrote to memory of 2376	448	Lubang Hitam.exe	110
PID 2376 wrote to memory of 4360	2376	Black Hole.exe	111
PID 2376 wrote to memory of 4360	2376	Black Hole.exe	111
PID 2376 wrote to memory of 4360	2376	Black Hole.exe	111
PID 4152 wrote to memory of 4636	4152	WINLOGON.EXE	112
PID 4152 wrote to memory of 4636	4152	WINLOGON.EXE	112
PID 4152 wrote to memory of 4636	4152	WINLOGON.EXE	112
PID 4636 wrote to memory of 3232	4636	Black Hole.exe	114
PID 4636 wrote to memory of 3232	4636	Black Hole.exe	114
PID 4636 wrote to memory of 3232	4636	Black Hole.exe	114
PID 4152 wrote to memory of 4784	4152	WINLOGON.EXE	115
PID 4152 wrote to memory of 4784	4152	WINLOGON.EXE	115
PID 4152 wrote to memory of 4784	4152	WINLOGON.EXE	115
PID 4784 wrote to memory of 2652	4784	Lubang Hitam.exe	117
PID 4784 wrote to memory of 2652	4784	Lubang Hitam.exe	117
PID 4784 wrote to memory of 2652	4784	Lubang Hitam.exe	117
PID 4152 wrote to memory of 4540	4152	WINLOGON.EXE	119

System policy modification 1 TTPs 64 IoCs

evasion

Modify Registry

T1112

Processes:

b3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ceN.exeSERVICES.EXEBlack Hole.exeSMSS.EXEWINLOGON.EXECSRSS.EXELSASS.EXEBlack Hole.exeLubang Hitam.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	b3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ceN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoPwdPage = "1"	SERVICES.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetFolders = "1"	Black Hole.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetFolders = "1"	SMSS.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoViewContextMenu = "1"	Black Hole.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDesktop = "1"	b3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ceN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRecycleFiles = "1"	WINLOGON.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSaveSettings = "1"	CSRSS.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoClose = "1"	SERVICES.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	LSASS.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	SERVICES.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSaveSettings = "1"	b3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ceN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRecycleFiles = "1"	CSRSS.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun = "1"	LSASS.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind = "1"	CSRSS.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	SMSS.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	WINLOGON.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoViewContextMenu = "1"	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\WinOldApp	WINLOGON.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRecentDocsMenu = "1"	LSASS.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun = "1"	SMSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	b3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ceN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoTrayItemsDisplay = "1"	CSRSS.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoAdminPage = "1"	SERVICES.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoPwdPage = "1"	LSASS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	SMSS.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoViewContextMenu = "1"	Black Hole.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDesktop = "1"	SMSS.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	CSRSS.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoViewContextMenu = "1"	SERVICES.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoLowDiskSpaceChecks = "1"	SERVICES.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoLowDiskSpaceChecks = "1"	Lubang Hitam.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	b3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ceN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDesktop = "1"	SERVICES.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoTrayContextMenu = "1"	SMSS.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoClose = "1"	Black Hole.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	Lubang Hitam.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDrives = "67108863"	Lubang Hitam.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\WinOldApp\Disabled = "1"	Lubang Hitam.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	LSASS.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	SMSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\WinOldApp	b3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ceN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Lubang Hitam.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoViewContextMenu = "1"	Lubang Hitam.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoTrayContextMenu = "1"	SERVICES.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPropertiesMyComputer = "1"	SERVICES.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoTrayItemsDisplay = "1"	LSASS.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSaveSettings = "1"	LSASS.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetTaskbar = "1"	SMSS.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel = "1"	CSRSS.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\WinOldApp\Disabled = "1"	SMSS.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Black Hole.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRecentDocsMenu = "1"	Black Hole.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoLowDiskSpaceChecks = "1"	LSASS.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSaveSettings = "1"	Black Hole.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetTaskbar = "1"	CSRSS.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\WinOldApp\Disabled = "1"	CSRSS.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSaveSettings = "1"	SMSS.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind = "1"	b3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ceN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetTaskbar = "1"	Black Hole.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Black Hole.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	Black Hole.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetFolders = "1"	Black Hole.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPropertiesMyComputer = "1"	CSRSS.EXE

C:\Users\Admin\AppData\Local\Temp\b3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ceN.exe
"C:\Users\Admin\AppData\Local\Temp\b3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ceN.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Windows security bypass
- Disables RegEdit via registry modification
- Modifies system executable filetype association
- Windows security modification
- Adds Run key to start application
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1396
- C:\WINDOWS\SysWOW64\shutdown.exe
  C:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:548
- C:\Windows\Black Hole.exe
  "C:\Windows\Black Hole.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Windows security bypass
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Windows security modification
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:3620
- - C:\WINDOWS\SysWOW64\shutdown.exe
    C:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:384
- C:\Windows\SysWOW64\Lubang Hitam.exe
  "C:\Windows\system32\Lubang Hitam.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Windows security bypass
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Windows security modification
  - Adds Run key to start application
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:448
- - C:\WINDOWS\SysWOW64\shutdown.exe
    C:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:3624
- - C:\Windows\Black Hole.exe
    "C:\Windows\Black Hole.exe"
    3⤵
    - Modifies WinLogon for persistence
    - Modifies visibility of file extensions in Explorer
    - Modifies visiblity of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies system executable filetype association
    - Windows security modification
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Modifies Control Panel
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:2376
  - - C:\WINDOWS\SysWOW64\shutdown.exe
      C:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:4360
- - C:\Windows\SysWOW64\Lubang Hitam.exe
    "C:\Windows\system32\Lubang Hitam.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4104
  - - C:\WINDOWS\SysWOW64\shutdown.exe
      C:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1724
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Windows security bypass
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Windows security modification
  - Adds Run key to start application
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:4152
- - C:\WINDOWS\SysWOW64\shutdown.exe
    C:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:4020
- - C:\Windows\Black Hole.exe
    "C:\Windows\Black Hole.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4636
  - - C:\WINDOWS\SysWOW64\shutdown.exe
      C:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:3232
- - C:\Windows\SysWOW64\Lubang Hitam.exe
    "C:\Windows\system32\Lubang Hitam.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4784
  - - C:\WINDOWS\SysWOW64\shutdown.exe
      C:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2652
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4540
  - - C:\WINDOWS\SysWOW64\shutdown.exe
      C:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:4412
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4912
  - - C:\WINDOWS\SysWOW64\shutdown.exe
      C:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2928
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Windows security bypass
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Windows security modification
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2336
- - C:\WINDOWS\SysWOW64\shutdown.exe
    C:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:3716
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Windows security bypass
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Windows security modification
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:3084
- - C:\WINDOWS\SysWOW64\shutdown.exe
    C:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:1764
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Windows security bypass
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Windows security modification
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:4904
- - C:\WINDOWS\SysWOW64\shutdown.exe
    C:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:1948
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Windows security bypass
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Windows security modification
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2212
- - C:\WINDOWS\SysWOW64\shutdown.exe
    C:\WINDOWS\system32\shutdown.exe -s -f -t 3600 -c An Error Occured. System Not Found!
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:4920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Black Hole.exe

Filesize
440KB

MD5
55e0322bb5cbaedca4d94a582a8e1824

SHA1
0c9c1032bf14897293c41f5df4fd1254b5f67a0e

SHA256
7fda79dc8c9aa1b89b406211a628e5f7d3517544c9e14e4a629f996195680bd1

SHA512
836ee2f20dc942cf4dbc189ab9eda6a8cd49b40267c730670ff485b356b0c06922ebf8a2470181a5f86ea3275b1cd3eee2310ed8cd6bccecd919959b40894c52

Download Submit
C:\Users\Admin\AppData\Local\Temp\1126202412621.bmp

Filesize
2.6MB

MD5
adb8dddcb74978d7f305fb328abd4c1b

SHA1
51f25319f922f4d3635d94f259874973e54067a3

SHA256
a691267ec35d526e529f539a0347c6a124607ed7288618fc87ff60bfff3b31a7

SHA512
517023c6a357df3bf089971d1a7500dc0b87a003b5b7e0e5ce343e0c5003e0101cf59876ff892e97672e873802e084a8c045f77778e994218287efcbf49785c7

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

Filesize
440KB

MD5
136338e9f32ec1414319f37c16586483

SHA1
6578b4529931091bb4659fd759723f6f08c839ee

SHA256
2cd1a38b2070ba30094cab5517bbe428525da7e471327613a499bf825eea4e44

SHA512
3817ae6584799b3cf615b86133b57f9fac3e7bd966cd71f4dcbd52221b632ac30928193bbc76ab4e3ee1b7e3b07f1593921fc1141d60ae0ec6f49934db1c8983

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

Filesize
440KB

MD5
04525e7a49b71d408188f41127df30ec

SHA1
f945e1f914a69eb2d7bbcd5300dbf6dd430811cc

SHA256
1d446bb9326fd4be5658d8db4bf56288e848c9d76b9ee67cbab86b3a0800f768

SHA512
c0099b395f6e8c27820c7f7d29803eef377b5554153a1a158f1ab605a6a47798f14f4f2c7cd4139052cc571f9bdfcf9d342b4a3854c7db7ce507cc6468429bd7

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

Filesize
440KB

MD5
1e70f314bce071f76d73a1f15797f1c6

SHA1
20eea755d3a3e2ea8d62e707befc95a24f71a68e

SHA256
5a9d21102902b785f8b4ee2d4fa1be99bc5496664c686ff64fe584085f4ad475

SHA512
53d5f544171d3ae571c4ae268f421c632fdd0b19371645640e9d633dde13602ecc8649412d62c021a9c0ada73a8eddb7f5d6996af8d4131b7c91d4525b353930

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

Filesize
440KB

MD5
f203b101b2d0a4761f951e664b6b39aa

SHA1
11025292cda0c7ca4af702a6d3c9197019e9c5e6

SHA256
d2c42369d2cca378c9205f95d1ff2d7c3e601dbf8c0a51923628647055573cc6

SHA512
56745b3d9b109b274bf1d240aa052d62112a35aadbb5d562d3eea02904bd13ea2f0b228f73cc254d11b15eb8ca1cfbf74490e6ae747a66d5f1c5287e806bcb03

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE

Filesize
440KB

MD5
111a5b0472c84accbdaa3dad94f76998

SHA1
03402ad49f414e864f95f5eb0a6714396e601338

SHA256
82294007dff367978176048836bf315181088fc0b5f0ff855a3cf142275e035d

SHA512
5ba4340baec1768bffa633cabbbb45c4b1731d78ad85f2d0c5e4b84b260b3ec2182a53221979956e31a0e06b40f367e86e17d55d394546f7b712e932307c0e86

Download Submit
C:\Users\All Users\Start Menu\Programs\Startup\Zero Code.pif

Filesize
440KB

MD5
0e9815bbd55cb9f967480b8a172503da

SHA1
ede72f5a45daeeb7e5032e1a9167623e45b67d3e

SHA256
ac810f33128df1857e84b95f4905b56e6718434161fe323648f0c4490fe169a0

SHA512
d7d8dd10f53def62dea44d64dc6c0107979478e48116bc2260979d38bc0a3c2ed4d7173fcc45623e35200cdb218cfcb2ffdf6b21279134de7dd7f022bc67afd5

Download Submit
C:\Users\All Users\Start Menu\Programs\Startup\Zero Code.pif

Filesize
440KB

MD5
7c0b0f0a70d09fef6762454e460db386

SHA1
3462477e80feba6238019094fe10194d46a1e3c0

SHA256
1585cfb6da0f7cbe4a3bd4db5c89d0197dd47b449c7ec316796a9095f437b88a

SHA512
e82cf579933b20b2a6459f6385f62a3d4409da4034d3eb2800d9fbfa22ac8eefecfd5b995b225e58a2a1e598e4bf6f6da20741bd06ea3a091ed5b57fcc60bcc9

Download Submit
C:\Windows\Black Hole.exe

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\Black Hole.exe

Filesize
440KB

MD5
ab9a7ce6987759ffaf90229441ca99df

SHA1
32ec31bae7fc5a5ad148169fba461e5e83509e36

SHA256
645a459e676de3403ddb6a948cf2fb40b2556641434bc3cc1bdbb974360695e0

SHA512
8463550d7f13f7100f913caeac98989b323e95532ac968d030cff3a590f446a0274ebbdaa2297ebe07332e8a24b5ce2cf06f316bea71967f04d2763634f211bf

Download Submit
C:\Windows\Black Hole.exe

Filesize
440KB

MD5
25d4a3710449664207a3626917b7978f

SHA1
14d6059ff44a9cc722315f733f943919db16edfa

SHA256
b2498a21ee3f8ab4c5d448428b109fc00f85e5e2cbeac0d716e67f288c5edefa

SHA512
c747ff48449b0099af3be7d56ee4f765ee58587931e9dc05970a729574ff5f158a8682e82e660e562054e7b26b558645aed0216847f9615b5be867d48a7ad2cb

Download Submit
C:\Windows\Black Hole.exe

Filesize
440KB

MD5
7b17f430d43a352f31a22eadd58d2601

SHA1
e7f833fbe585e556f0f9d243748a67ebff0c653e

SHA256
33610855f09add2ff9ad245ee0373e13c24877dd10af5d5a89e073bfef5a2d3f

SHA512
88b4d316d8b54f661441e8546b7e73d95c49c513ffd081fd1a74483eafc38febe19f49174e2982a1dbbb61a7dfc74e9f1cb1b81beedf145ff1ca9a668c809b25

Download Submit
C:\Windows\Black Hole.txt

Filesize
1KB

MD5
6635e047c242e6d64b2716d81095bf5f

SHA1
5def5300f894e58bbb0caaa94680f7735ccd248d

SHA256
9757b4f406657c44fcbd40757d1ae06e833a8e1542ca976e6ae63578031b32bf

SHA512
c9bae9bf090e7c67fac53d061bb43c2091e991c8f568889463d0c1af8f48652c79c51785c0906705098b418b2d7a4b200580fb44091ecf8bf24d8b1b45a258c0

Download Submit
C:\Windows\Hacked By Gerry.txt

Filesize
1KB

MD5
e067dafcbe64a95f5045a281397732db

SHA1
1af7095f98c486ca247449980000d06b04ffc50c

SHA256
b6085ee8c1f2de574973b9f3a7417257e25573c2b5228b5a8f87e3788e2733b6

SHA512
1b575d62fee219538f8d624ab833cbce0aee431559a0adfa1e3ce9cd4f5ab8a2887b394843ebf164c884ccbed5687d644474328471b23c28edba8f99ccf08b58

Download Submit
C:\Windows\SysWOW64\Destruction.scr

Filesize
440KB

MD5
21cfa3f281f64b15e6a5e9b0b1da8f6a

SHA1
23a0fef45e10b9024c26c25fe6baf2134600f650

SHA256
4764d83ec0d9c82486985cf615b34ab635de36052bc55b4cb89cb2f81e09e045

SHA512
8249b79ead9b5f066cc88a6edc0405cca1feff3f6823eb62cc36fac74ec1b4b7e896f640043b664c74ba8fdc8aab2d1ad89f46895de4c83deb17bb9531339f84

Download Submit
C:\Windows\SysWOW64\Destruction.scr

Filesize
440KB

MD5
8fc229838eacf9395e35a32e9258f5ca

SHA1
e7014face1155d8384a6d1de93ae2d297cfc6328

SHA256
784282ae59a86aee4b0016bb50e8ccd8838832c12405916a4dcc401a8ea101ff

SHA512
4d9dc75218d0f8bab0d22f51d1f97cd529dd90fd6c0f0be5f3db585db618f2b243c62d9f3a1bd4fdf8dfef111e71146d5c9ba7cf9cda21d023e3cb93b952e1db

Download Submit
C:\Windows\SysWOW64\Lubang Hitam.exe

Filesize
440KB

MD5
e12692f81e2dc5fcf33913cb764cd2f0

SHA1
d063cc9c3e075df64b575d22ca52aacf8234a01c

SHA256
b3064b7d985d43ac95233f3139484c93ea15b96d7851f7c560b25948225dd5ce

SHA512
073e088817ffc5391108a7699081d2e31b41902bc70cad7346873db60152b40326cd6e827af70dd53315890e5dd83c84d65b297755a44485fb05d56d8b2b0d5b

Download Submit
C:\Windows\SysWOW64\Lubang Hitam.exe

Filesize
440KB

MD5
b2ab7ef80bfef5f46050fbd9112cdaff

SHA1
da3ad4200b390ec83669692ba5cf718ba13e5573

SHA256
18752c944dab7988b828e5f647fd12db601f95e4170377baac31e77201715e38

SHA512
a0d9406ba90ba48f47427a531b37b12415513a098618153edb21bef41d4f235b783720f4767da638b3d56776a4a28eefe7d09922451ab173e3153c1d893ea2ab

Download Submit
C:\Windows\SysWOW64\Shell.exe

Filesize
440KB

MD5
2c213c371876367e5901ccec1dc5a436

SHA1
c7d77982e1b89b9c3430366050a4e8b49e81dc89

SHA256
1132a36a3e3cd535751476b4c9d68731f7f2d7cd349781711bb20ef2f748b1a7

SHA512
5b196dd8d3fff8943c3e2a91e7d095fcca0dbf872271184805caf536018e6615233c7d5324bd39e907f92fe8ac84b9bdf22b544e43ec29a412e118b6a74a1b2b

Download Submit
C:\Windows\SysWOW64\Shell.exe

Filesize
440KB

MD5
d73f619b55f4d48c5073a8da9ec73061

SHA1
503dffe83181e3b66e0ca3da8b03eb9f0f31cab5

SHA256
ecc9535b54959c584b99c821561df8d611ba665c220afdf35008d4266963ac95

SHA512
4fc21561f21867c6f485bcb26ade427c8b5fc9567d68ebe410dd9c6fa86a32c45fea94fa115bbbf39e52d6e05ef7c55af66bf84f5b73624797c85f0a6f28bdd6

Download Submit
C:\Windows\msvbvm60.dll

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
F:\Autorun.inf

Filesize
93B

MD5
4809daf962803cad2b891b94c195d3dd

SHA1
707bdd28edcf5e9e288959f62d4da8823777ec12

SHA256
3468667630714eb86464ecfe903b59a843670ade55b49ac9d653421b91bcf139

SHA512
c9c233b22a853ce17731cb3466f7e8234da4e3de0dec6cc48ed15232303d4f29c49770e20a7064ad9329f8d9d27f8d4b547443d837320f58ac230973bb7dd11f

Download Submit
F:\Read Me.txt

Filesize
3KB

MD5
5c462f1ea2917c0b502ae0761c0f60d8

SHA1
c1d15b093b2843528544d77dc0d9d4e3b8a85297

SHA256
09c76898e4fa4174c53c2ad514274b5d2ca636ec6f223be5fda4c6135ec4ac10

SHA512
e6219ccbabe77a4999ade79c7074753495da9c61d6451c53be34219cc19746ca9a0dadef3b47cd8859cd59604064af5e9fc2a5044780bcfebaaa13dc08c36bbc

Download Submit
memory/448-73-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/448-416-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1396-0-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1396-558-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2212-111-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2212-524-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2336-92-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2336-458-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2376-546-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2376-364-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/3084-480-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/3084-99-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/3620-64-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/3620-94-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4104-405-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4152-86-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4152-436-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4540-393-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4636-380-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4636-386-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4784-389-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4784-385-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4904-105-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4904-502-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4912-395-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4912-398-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download