File name:	6639c5e42418fa8caf0dee6d4516984842cda2bfa9070139ebae691fbf1969f0
Full analysis:	https://app.any.run/tasks/3d48bca1-eb0f-4dc9-96eb-410fb19e1061
Verdict:	Malicious activity
Threats:	Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying. Malware Trends Tracker >>>
Analysis date:	May 19, 2025, 03:45:33
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	arch-exec evasion ransomware auto-sch blackhunt
Indicators:
MIME:	application/zip
File info:	Zip archive data, at least v5.1 to extract, compression method=AES Encrypted
MD5:	B26AAA9908C7A9E43DD1F60FF4A20CE1
SHA1:	9C8A1BEB8FF7C470592211460BF476D24B061420
SHA256:	6639C5E42418FA8CAF0DEE6D4516984842CDA2BFA9070139EBAE691FBF1969F0
SSDEEP:	6144:U7QuvMEX+Z1tPKYJlsAFJsnSQqMK7IZL6t+XXAOMHkuglLqTK74:U7QpvzJKYJ+AFwSQqMKkZ+t+ZMHkvqmU

ZipRequiredVersion:	51
ZipBitFlag:	0x0003
ZipCompression:	Unknown (99)
ZipModifyDate:	2024:01:09 22:10:30
ZipCRC:	0x884b4800
ZipCompressedSize:	251557
ZipUncompressedSize:	723968
ZipFileName:	74df3452a6b9dcdba658af7a9cf5afb09cce51534f9bc63079827bf73075243b.exe


(PID) Process:	(6184) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	3
Value: C:\Users\admin\Desktop\preferences.zip
(PID) Process:	(6184) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	2
Value: C:\Users\admin\Desktop\chromium_ext.zip
(PID) Process:	(6184) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	1
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip
(PID) Process:	(6184) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	0
Value: C:\Users\admin\Desktop\6639c5e42418fa8caf0dee6d4516984842cda2bfa9070139ebae691fbf1969f0.zip
(PID) Process:	(6184) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	name
Value: 120
(PID) Process:	(6184) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	size
Value: 80
(PID) Process:	(6184) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	type
Value: 120
(PID) Process:	(6184) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	mtime
Value: 100
(PID) Process:	(4724) 74df3452a6b9dcdba658af7a9cf5afb09cce51534f9bc63079827bf73075243b.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation:	write	Name:	GlobalAssocChangedCounter
Value: 114
(PID) Process:	(7312) mshta.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:

PID	Process	Filename		Type
4724	74df3452a6b9dcdba658af7a9cf5afb09cce51534f9bc63079827bf73075243b.exe	C:\ProgramData\#BlackHunt_Public.key		binary
		MD5:38905150F60FED8B301FC43198808588	SHA256:5AF4290C674E074D3A78DB70AB287908CF5CEAC250ADFDD6627110B63F4F2A13
4724	74df3452a6b9dcdba658af7a9cf5afb09cce51534f9bc63079827bf73075243b.exe	C:\ProgramData\#BlackHunt_Private.key		binary
		MD5:11C79A6C82A8D5E34B91DBFD88383040	SHA256:A160D3AE09E2DEAB661DCA0AFA2414E5C9C2A465C8C2CCD9E640FB2A3420041F
4724	74df3452a6b9dcdba658af7a9cf5afb09cce51534f9bc63079827bf73075243b.exe	C:\ProgramData\#BlackHunt_ID.txt		binary
		MD5:9CAF6220878AF71A5CCE9F631EB86458	SHA256:89D83CE7E56DF71BC01A98C13BC59325C808096182A3876828745AE20D27A20F
4724	74df3452a6b9dcdba658af7a9cf5afb09cce51534f9bc63079827bf73075243b.exe	C:\ProgramData\Adobe\ARM\Acrobat_23.001.20093\#BlackHunt_ReadMe.txt		text
		MD5:CCB09D3FCAFED0A207059BC01ECE8ED4	SHA256:68025975A8D998909EE7811425B0894608A9BE2B783C6D3E26264F47F473AE57
4724	74df3452a6b9dcdba658af7a9cf5afb09cce51534f9bc63079827bf73075243b.exe	C:\ProgramData\Adobe\ARM\S\#BlackHunt_Private.key		binary
		MD5:11C79A6C82A8D5E34B91DBFD88383040	SHA256:A160D3AE09E2DEAB661DCA0AFA2414E5C9C2A465C8C2CCD9E640FB2A3420041F
4724	74df3452a6b9dcdba658af7a9cf5afb09cce51534f9bc63079827bf73075243b.exe	C:\ProgramData\Adobe\ARM\#BlackHunt_ReadMe.hta		html
		MD5:9AC575170360CF517BA689BBD7FE03C6	SHA256:32F04BA31E9FBD709F8AABD109E37A9C22A87C50FD2C6CE95F7A777F8E6CA6E6
4724	74df3452a6b9dcdba658af7a9cf5afb09cce51534f9bc63079827bf73075243b.exe	C:\ProgramData\Adobe\ARM\Acrobat_23.001.20093\#BlackHunt_Private.key		binary
		MD5:11C79A6C82A8D5E34B91DBFD88383040	SHA256:A160D3AE09E2DEAB661DCA0AFA2414E5C9C2A465C8C2CCD9E640FB2A3420041F
4724	74df3452a6b9dcdba658af7a9cf5afb09cce51534f9bc63079827bf73075243b.exe	C:\ProgramData\Adobe\ARM\Acrobat_23.001.20093\#BlackHunt_ReadMe.hta		html
		MD5:9AC575170360CF517BA689BBD7FE03C6	SHA256:32F04BA31E9FBD709F8AABD109E37A9C22A87C50FD2C6CE95F7A777F8E6CA6E6
4724	74df3452a6b9dcdba658af7a9cf5afb09cce51534f9bc63079827bf73075243b.exe	C:\ProgramData\Adobe\ARM\S\#BlackHunt_ReadMe.hta		html
		MD5:9AC575170360CF517BA689BBD7FE03C6	SHA256:32F04BA31E9FBD709F8AABD109E37A9C22A87C50FD2C6CE95F7A777F8E6CA6E6
4724	74df3452a6b9dcdba658af7a9cf5afb09cce51534f9bc63079827bf73075243b.exe	C:\ProgramData\Adobe\#BlackHunt_ReadMe.txt		text
		MD5:CCB09D3FCAFED0A207059BC01ECE8ED4	SHA256:68025975A8D998909EE7811425B0894608A9BE2B783C6D3E26264F47F473AE57

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
2104	svchost.exe	GET	200	23.216.77.28:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
2104	svchost.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
2104	svchost.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
—	—	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
2104	svchost.exe	23.216.77.28:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
2104	svchost.exe	184.30.21.171:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
4724	74df3452a6b9dcdba658af7a9cf5afb09cce51534f9bc63079827bf73075243b.exe	208.95.112.1:80	ip-api.com	TUT-AS	US	whitelisted
2104	svchost.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
2196	svchost.exe	224.0.0.251:5353	—	—	—	unknown
2196	svchost.exe	224.0.0.252:5355	—	—	—	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	40.127.240.158 51.124.78.146	whitelisted
google.com	172.217.18.14	whitelisted
crl.microsoft.com	23.216.77.28 23.216.77.6	whitelisted
www.microsoft.com	184.30.21.171	whitelisted
ip-api.com	208.95.112.1	whitelisted
activation-v2.sls.microsoft.com	40.91.76.224	whitelisted
geo2.adobe.com	95.100.184.205	whitelisted
p13n.adobe.io	107.22.247.231 54.144.73.197 34.193.227.236 18.207.85.246	whitelisted

PID	Process	Class	Message
2196	svchost.exe	Device Retrieving External IP Address Detected	INFO [ANY.RUN] External IP Check (ip-api .com)
2196	svchost.exe	Device Retrieving External IP Address Detected	ET INFO External IP Lookup Domain in DNS Lookup (ip-api .com)
2196	svchost.exe	Device Retrieving External IP Address Detected	INFO [ANY.RUN] External IP Check (ip-api .com)
2196	svchost.exe	Device Retrieving External IP Address Detected	ET INFO External IP Lookup Domain in DNS Lookup (ip-api .com)

General Info

6639c5e42418fa8caf0dee6d4516984842cda2bfa9070139ebae691fbf1969f0

B26AAA9908C7A9E43DD1F60FF4A20CE1

9C8A1BEB8FF7C470592211460BF476D24B061420

6639C5E42418FA8CAF0DEE6D4516984842CDA2BFA9070139EBAE691FBF1969F0

6144:U7QuvMEX+Z1tPKYJlsAFJsnSQqMK7IZL6t+XXAOMHkuglLqTK74:U7QpvzJKYJ+AFwSQqMKkZ+t+ZMHkvqmU

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Generic archive extractor

Using BCDEDIT.EXE to modify recovery options

Deletes shadow copies

Resizes shadow copies

RANSOMWARE has been detected

BLACKHUNT has been detected (YARA)

Uses Task Scheduler to run other applications

Renames files like ransomware

Starts CMD.EXE for self-deleting

SUSPICIOUS

Uses REG/REGEDIT.EXE to modify registry

Found strings related to reading or modifying Windows Defender settings

Starts CMD.EXE for commands execution

Reads security settings of Internet Explorer

Modifies existing scheduled task

Creates file in the systems drive root

Checks for external IP

Uses WEVTUTIL.EXE to cleanup log

Uses pipe srvsvc via SMB (transferring data)

Runs PING.EXE to delay simulation

Hides command output

Uses TASKKILL.EXE to kill process

Deletes scheduled task without confirmation

INFO

Creates files in the program directory

Reads the computer name

Manual execution by a user

Reads the machine GUID from the registry

Checks supported languages

Process checks computer location settings

Auto-launch of the file from Task Scheduler

Reads security settings of Internet Explorer

Reads Microsoft Office registry keys

Reads Internet Explorer settings

Application launched itself

Malware configuration

Static information

TRiD

EXIF

ZIP

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity