{"id":130822,"date":"2023-07-06T10:00:00","date_gmt":"2023-07-06T17:00:00","guid":{"rendered":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/?p=130822"},"modified":"2024-07-03T11:59:34","modified_gmt":"2024-07-03T18:59:34","slug":"the-five-day-job-a-blackbyte-ransomware-intrusion-case-study","status":"publish","type":"post","link":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2023\/07\/06\/the-five-day-job-a-blackbyte-ransomware-intrusion-case-study\/","title":{"rendered":"The five-day job: A BlackByte ransomware intrusion case study"},"content":{"rendered":"\n<p>As ransomware attacks continue to grow in number and sophistication, threat actors can quickly impact business operations if organizations are not well prepared. In a recent investigation by Microsoft Incident Response (previously known as Microsoft Detection and Response Team \u2013 DART) of an intrusion, we found that the threat actor progressed through the full attack chain, from initial access to impact, in less than five days, causing significant business disruption for the victim organization.<\/p>\n\n\n\n<p>Our investigation found that within those five days, the threat actor employed a range of tools and techniques, culminating in the deployment of BlackByte 2.0 ransomware, to achieve their objectives. These techniques included:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Exploitation of unpatched internet-exposed Microsoft Exchange Servers<\/li>\n\n\n\n<li>Web shell deployment facilitating remote access<\/li>\n\n\n\n<li>Use of living-off-the-land tools for persistence and reconnaissance<\/li>\n\n\n\n<li>Deployment of Cobalt Strike beacons for command and control (C2)<\/li>\n\n\n\n<li>Process hollowing and the use of vulnerable drivers for defense evasion<\/li>\n\n\n\n<li>Deployment of custom-developed backdoors to facilitate persistence<\/li>\n\n\n\n<li>Deployment of a custom-developed data collection and exfiltration tool<\/li>\n<\/ul>\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/07\/BlackByte-attack-flow-diagram-1024x514.webp\" alt=\"BlackByte 2.0 ransomware attack chain by order of stages: initial access and privilege escalation, persistence and command and control, reconnaissance, credential access, lateral movement, data staging and exfiltration, and impact. \" class=\"wp-image-130823 webp-format\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/07\/BlackByte-attack-flow-diagram-1024x514.webp 1024w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/07\/BlackByte-attack-flow-diagram-300x150.webp 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/07\/BlackByte-attack-flow-diagram-768x385.webp 768w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/07\/BlackByte-attack-flow-diagram-1536x770.webp 1536w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/07\/BlackByte-attack-flow-diagram-2048x1027.webp 2048w\" data-orig-src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/07\/BlackByte-attack-flow-diagram-1024x514.webp\"><figcaption class=\"wp-element-caption\">Figure 1. BlackByte 2.0 ransomware attack chain<\/figcaption><\/figure>\n\n\n\n<p>In this blog, we share details of our investigation into the end-to-end attack chain, exposing security weaknesses that the threat actor exploited to advance their attack. As we learned from Microsoft\u2019s tracking of ransomware attacks and the <a href=\"https:\/\/www.microsoft.com\/security\/blog\/2022\/05\/09\/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself\/\">cybercriminal economy<\/a> that enables them, disrupting common attack patterns could stop many of the attacker activities that precede ransomware deployment. This case highlights that common security hygiene practices go a long way in preventing, identifying, and responding to malicious activity as early as possible to mitigate the impact of ransomware attacks. We encourage organizations to follow the outlined mitigation steps, including ensuring that internet-facing assets are up to date and configured securely. We also share indicators of compromise, detection details, and hunting guidance to help organizations identify and respond to these attacks in their environments. &nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"forensic-analysis\">Forensic analysis<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"initial-access-and-privilege-escalation\">Initial access and privilege escalation<\/h3>\n\n\n\n<p>To obtain initial access into the victim\u2019s environment, the threat actor was observed exploiting the <a href=\"https:\/\/techcommunity.microsoft.com\/t5\/exchange-team-blog\/proxyshell-vulnerabilities-and-your-exchange-server\/ba-p\/2684705\">ProxyShell vulnerabilities<\/a> CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207 on unpatched Microsoft Exchange Servers. The exploitation of these vulnerabilities allowed the threat actor to:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Attain system-level privileges on the compromised Exchange host<\/li>\n\n\n\n<li>Enumerate LegacyDN of users by sending Autodiscover requests, including SIDs of users<\/li>\n\n\n\n<li>Construct a valid authentication token and use it against the Exchange PowerShell backend<\/li>\n\n\n\n<li>Impersonate domain admin users and create a web shell by using the <em>New-MailboxExportRequest<\/em> cmdlet<\/li>\n\n\n\n<li>Create web shells to obtain remote control on affected servers<\/li>\n<\/ul>\n\n\n\n<p>The threat actor was observed operating from the following IP to exploit ProxyShell and access the web shell:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>185.225.73[.]244<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"persistence\">Persistence<\/h3>\n\n\n\n<p><strong>Backdoor<\/strong><\/p>\n\n\n\n<p>After gaining access to a device, the threat actor created the following registry run keys to run a payload each time a user signs in:<\/p>\n\n\n\n<figure class=\"wp-block-table table\"><table class=\"has-fixed-layout\"><tbody><tr><td>Registry key<\/td><td>Value name<\/td><td>Value data<\/td><\/tr><tr><td>HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run &nbsp;<\/td><td>MsEdgeMsE<\/td><td>rundll32 C:\\Users\\user\\Downloads\\api-msvc.dll,Default &nbsp;<\/td><\/tr><tr><td>HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run &nbsp;<\/td><td>MsEdgeMsE<\/td><td>rundll32 C:\\temp\\api-msvc.dll,Default &nbsp;<\/td><\/tr><tr><td>HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run &nbsp;<\/td><td>MsEdgeMsE<\/td><td>rundll32 C:\\systemtest\\api-system.png,Default<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p>The file <em>api-msvc.dll <\/em>(SHA-256: 4a066569113a569a6feb8f44257ac8764ee8f2011765009fdfd82fe3f4b92d3e) was determined to be a backdoor capable of collecting system information, such as the installed antivirus products, device name, and IP address. This information is then sent via HTTP POST request to the following C2 channel:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><em>hxxps:\/\/myvisit[.]alteksecurity[.]org\/t<\/em><\/li>\n<\/ul>\n\n\n\n<p>The organization was not using Microsoft Defender Antivirus, which detects this malware as Trojan:Win32\/Kovter!MSR, as the primary antivirus solution, and the backdoor was allowed to run.<\/p>\n\n\n\n<p>An additional file, <em>api-system.png<\/em>, was identified to have similarities to <em>api-msvc.dll<\/em>. This file behaved like a DLL, had the same default export function, and also leveraged run keys for persistence.<\/p>\n\n\n\n<p><strong>Cobalt Strike Beacon<\/strong><\/p>\n\n\n\n<p>The threat actor leveraged Cobalt Strike to achieve persistence. The file <em>sys.exe <\/em>(SHA-256: 5f37b85687780c089607670040dbb3da2749b91b8adc0aa411fd6280b5fa7103), detected by Microsoft Defender Antivirus as Trojan:Win64\/CobaltStrike!MSR, was determined to be a Cobalt Strike Beacon and was downloaded directly from the file sharing service <em>temp[.]sh<\/em>:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><em>hxxps:\/\/temp[.]sh\/szAyn\/sys.exe<\/em><\/li>\n<\/ul>\n\n\n\n<p>This beacon was configured to communicate with the following C2 channel:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>109.206.243[.]59:443<\/li>\n<\/ul>\n\n\n\n<p><strong>AnyDesk<\/strong><strong><\/strong><\/p>\n\n\n\n<p>Threat actors leverage legitimate remote access tools during intrusions to blend into a victim network. In this case, the threat actor utilized the remote administration tool AnyDesk, to maintain persistence and move laterally within the network. AnyDesk was installed as a service and was run from the following paths:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><em>C:\\systemtest\\anydesk\\AnyDesk.exe<\/em><\/li>\n\n\n\n<li><em>C:\\Program Files (x86)\\AnyDesk\\AnyDesk.exe<\/em><\/li>\n\n\n\n<li><em>C:\\Scripts\\AnyDesk.exe<\/em><\/li>\n<\/ul>\n\n\n\n<p>Successful connections were observed in the AnyDesk log file <em>ad_svc.trace<\/em> involving anonymizer service IP addresses linked to TOR and MULLVAD VPN, a common technique that threat actors employ to obscure their source IP ranges.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"reconnaissance\">Reconnaissance<\/h3>\n\n\n\n<p>We found the presence and execution of the network discovery tool NetScan being used by the threat actor to perform network enumeration using the following file names:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><em>netscan.exe <\/em>(SHA-256:1b9badb1c646a19cdf101ac4f6fdd23bc61eaab8c9f925eb41848cea9fd0738e)<\/li>\n\n\n\n<li><em>netapp.exe <\/em>(SHA-256:1b9badb1c646a19cdf101ac4f6fdd23bc61eaab8c9f925eb41848cea9fd0738e)<\/li>\n<\/ul>\n\n\n\n<p>Additionally, execution of AdFind (SHA-256: f157090fd3ccd4220298c06ce8734361b724d80459592b10ac632acc624f455e), an Active Directory reconnaissance tool, was observed in the environment.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"credential-access\">Credential access<\/h3>\n\n\n\n<p>Evidence of likely usage of the credential theft tool Mimikatzwas also uncovered through the presence of a related log file <em>mimikatz.log<\/em>. Microsoft IR assesses that Mimikatz was likely used to attain credentials for privileged accounts.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"lateral-movement\">Lateral movement<\/h3>\n\n\n\n<p>Using compromised domain admin credentials, the threat actor used Remote Desktop Protocol (RDP) and PowerShell remoting to obtain access to other servers in the environment, including domain controllers.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"data-staging-and-exfiltration\">Data staging and exfiltration<\/h3>\n\n\n\n<p>In one server where Microsoft Defender Antivirus was installed, a suspicious file named <em>explorer.exe<\/em> was identified, detected as Trojan:Win64\/WinGoObfusc.LK!MT, and quarantined. However, because tamper protection wasn\u2019t enabled on this server, the threat actor was able to disable the Microsoft Defender Antivirus service, enabling the threat actor to run the file using the following command:<\/p>\n\n\n\n<p>explorer.exe P@$$w0rd<\/p>\n\n\n\n<p>After reverse engineering<em> explorer.exe<\/em>, we determined it to be ExByte, a GoLang-based tool developed and commonly used in BlackByte ransomware attacks for collection and exfiltration of files from victim networks. This tool is capable of enumerating files of interest across the network and, upon execution, creates a log file containing a list of files and associated metadata. Multiple log files were uncovered during the investigation in the path:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><em>C:\\Exchange\\MSExchLog.log<\/em><\/li>\n<\/ul>\n\n\n\n<p>Analysis of the binary revealed a list of file extensions that are targeted for enumeration.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"521\" height=\"110\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/07\/Figure-2.-Binary-analysis-showing-file-extensions-enumerated-by-explorer.exe_.jpg\" alt=\"Figure-2.-Binary-analysis-showing-file-extensions-enumerated-by-explorer.exe_\" class=\"wp-image-130824\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/07\/Figure-2.-Binary-analysis-showing-file-extensions-enumerated-by-explorer.exe_.jpg 521w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/07\/Figure-2.-Binary-analysis-showing-file-extensions-enumerated-by-explorer.exe_-300x63.jpg 300w\" sizes=\"(max-width: 521px) 100vw, 521px\" \/><figcaption class=\"wp-element-caption\">Figure 2. Binary analysis showing file extensions enumerated by <em>explorer.exe<\/em><\/figcaption><\/figure>\n\n\n\n<p>Forensic analysis identified a file named <em>data.txt<\/em> that was created and later deleted after ExByte execution. This file contained obfuscated credentials that ExByte leveraged to authenticate to the popular file sharing platform Mega NZ using the platform\u2019s API at:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><em>hxxps:\/\/g.api.mega.co[.]nz<\/em><\/li>\n<\/ul>\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/07\/Figure-3.-Binary-analysis-showing-explorer.exe-functionality-for-connecting-to-file-sharing-service-MEGA-NZ.webp\" alt=\"\" class=\"wp-image-130825 webp-format\" srcset=\"\" data-orig-src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/07\/Figure-3.-Binary-analysis-showing-explorer.exe-functionality-for-connecting-to-file-sharing-service-MEGA-NZ.webp\"><figcaption class=\"wp-element-caption\">Figure 3. Binary analysis showing explorer.exe functionality for connecting to file sharing service MEGA NZ<\/figcaption><\/figure>\n\n\n\n<p>We also determined that this version of Exbyte was crafted specifically for the victim, as it contained a hardcoded device name belonging to the victim and an internal IP address.<\/p>\n\n\n\n<p><strong>ExByte execution flow<\/strong><\/p>\n\n\n\n<p>Upon execution, ExByte decodes several strings and checks if the process is running with privileged access by reading <em>\\\\.\\PHYSICALDRIVE0<\/em>:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>If this check fails, <em>ShellExecuteW<\/em> is invoked with the <em>IpOperation<\/em> parameter <em>RunAs<\/em>, which runs <em>explorer.exe<\/em> with elevated privileges.<\/li>\n<\/ul>\n\n\n\n<p>After this access check, <em>explorer.exe<\/em> attempts to read the <em>data.txt<\/em> file in the current location:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>If the text file doesn\u2019t exist, it invokes a command for self-deletion and exits from memory:<\/li>\n<\/ul>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: plain; gutter: false; title: ; notranslate\" title=\"\">\nC:\\Windows\\system32\\cmd.exe \/c ping 1.1.1.1 -n 10 &gt; nul &amp; Del &lt;PATH&gt;\\explorer.exe \/F \/Q\n<\/pre><\/div>\n\n\n<ul class=\"wp-block-list\">\n<li>If <em>data.txt<\/em> exists, <em>explorer.exe<\/em> reads the file, passes the buffer to Base64 decode function, and then decrypts the data using the key provided in the command line. The decrypted data is then parsed as JSON below and fed for login function:<\/li>\n<\/ul>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: plain; gutter: false; title: ; notranslate\" title=\"\">\n{\n\t\u201ca\u201d:\u201dus0\u201d,\n\t\u201cuser\u201d:\u201d&lt;CONTENT FROM data.txt&gt;\u201d\n}\n<\/pre><\/div>\n\n\n<p>Finally, it forms a URL for sign-in to the API of the service MEGA NZ:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><em>hxxps:\/\/g.api.mega.co[.]nz\/cs?id=1674017543<\/em><\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"data-encryption-and-destruction\">Data encryption and destruction<\/h3>\n\n\n\n<p>On devices where files were successfully encrypted, we identified suspicious executables, detected by Microsoft Defender Antivirus as Trojan:Win64\/BlackByte!MSR, with the following names:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><em>wEFT.exe<\/em><\/li>\n\n\n\n<li><em>schillerized.exe<\/em><\/li>\n<\/ul>\n\n\n\n<p>The files were analyzed and determined to be BlackByte 2.0 binaries responsible for encryption across the environment. The binaries require an 8-digit key number to encrypt files.<\/p>\n\n\n\n<p>Two modes of execution were identified:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>When the <em>-s<\/em> parameter is provided, the ransomware self-deletes and encrypts the machine it was executed on.<\/li>\n\n\n\n<li>When the <em>-a<\/em> parameter is provided, the ransomware conducts enumeration and uses an Ultimate Packer Executable (UPX) packed version of PsExec to deploy across the network. Several domain admin credentials were hardcoded in the binary, facilitating the deployment of the binary across the network.<\/li>\n<\/ul>\n\n\n\n<p>Depending on the switch (<em>-s<\/em> or <em>-a<\/em>), execution may create the following files:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><em>C:\\SystemData\\M8yl89s7.exe<\/em> (UPX-packed PsExec with a random name; SHA-256: ba3ec3f445683d0d0407157fda0c26fd669c0b8cc03f21770285a20b3133098f)<\/li>\n\n\n\n<li><em>C:\\SystemData\\wEFT.exe<\/em> (Additional BlackByte binary)<\/li>\n\n\n\n<li><em>C:\\SystemData\\MsExchangeLog1.log<\/em> (Log file)<\/li>\n\n\n\n<li><em>C:\\SystemData\\rENEgOtiAtES <\/em>(A vulnerable (CVE-2019-16098) driver <em>RtCore64.sys<\/em> used to evade detection by installed antivirus software; SHA-256: 01aa278b07b58dc46c84bd0b1b5c8e9ee4e62ea0bf7a695862444af32e87f1fd)<\/li>\n\n\n\n<li><em>C:\\SystemData\\iHu6c4.ico<\/em> (Random name \u2013 BlackBytes icon)<\/li>\n\n\n\n<li><em>C:\\SystemData\\BB_Readme_file.txt<\/em> (BlackByte ReadMe file)<\/li>\n\n\n\n<li><em>C:\\SystemData\\skip_bypass.txt<\/em> (Unknown)<\/li>\n<\/ul>\n\n\n\n<p><strong>BlackByte 2.0 ransomware capabilities<\/strong><\/p>\n\n\n\n<p>Some capabilities identified for the BlackByte 2.0 ransomware were:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Antivirus bypass<ul><li>The file <em>rENEgOtiAtES<\/em> created matches <em>RTCore64.sys<\/em>, a vulnerable driver (CVE-2049-16098) that allows any authenticated user to read or write to arbitrary memory<\/li><\/ul>\n<ul class=\"wp-block-list\">\n<li>The BlackByte binary then creates and starts a service named <em>RABAsSaa<\/em> calling <em>rENEgOtiAtES<\/em>, and exploits this service to evade detection by installed antivirus software<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>Process hollowing\n<ul class=\"wp-block-list\">\n<li>Invokes <em>svchost.exe<\/em>, injects to it to complete device encryption, and self-deletes by executing the following command:\n<ul class=\"wp-block-list\">\n<li><code>cmd.exe \/c ping 1.1.1.1 -n 10 &gt; Nul &amp; Del \u201cPATH_TO_BLACKBYTE\u201d \/F \/Q<\/code><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>Modification \/ disabling of Windows Firewall\n<ul class=\"wp-block-list\">\n<li>The following commands are executed to either modify existing Windows Firewall rules, or to disable Windows Firewall entirely:<ul><li><code>cmd \/c netsh advfirewall set allprofiles state off<\/code><\/li><\/ul><\/li>\n\n\n\n<li><ul><li><code>cmd \/c netsh advfirewall firewall set rule group=\u201dFile and Printer Sharing\u201d new enable=Yes<\/code><\/li><\/ul>\n<ul class=\"wp-block-list\">\n<li><code>cmd \/c netsh advfirewall firewall set rule group=\u201dNetwork Discovery\u201d new enable=Yes<\/code><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>Modification of volume shadow copies\n<ul class=\"wp-block-list\">\n<li>The following commands are executed to destroy volume shadow copies on the machine:<ul><li><code>cmd \/c vssadmin Resize ShadowStorge \/For=B:\\ \/On=B:\\ \/MaxSize=401MB<\/code><\/li><\/ul>\n<ul class=\"wp-block-list\">\n<li><code>cmd \/c vssadmin Resize ShadowStorage \/For=B:\\ \/On=B:\\ \/MaxSize=UNBOUNDED<\/code><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>Modification of registry keys\/values\n<ul class=\"wp-block-list\">\n<li>The following commands are executed to modify the registry, facilitating elevated execution on the device:<ul><li><code>cmd \/c reg add HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System \/v LocalAccountTokenFilterPolicy \/t REG_DWORD \/d 1 \/f<\/code><\/li><\/ul><\/li>\n\n\n\n<li><ul><li><code>cmd \/c reg add HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System \/v EnableLinkedConnections \/t REG_DWORD \/d 1 \/f<\/code><\/li><\/ul>\n<ul class=\"wp-block-list\">\n<li><code>cmd \/c reg add HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\FileSystem \/v LongPathsEnabled \/t REG_DWORD \/d 1 \/f<\/code><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>Additional functionality<ul><li>Ability to terminate running services and processes<\/li><\/ul><ul><li>Ability to enumerate and mount volumes and network shares for encryption<\/li><\/ul><ul><li>Perform anti-forensics technique timestomping (sets the file time of encrypted and ReadMe file to 2000-01-01 00:00:00)<\/li><\/ul>\n<ul class=\"wp-block-list\">\n<li>Ability to perform anti-debugging techniques<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"recommendations\">Recommendations<\/h2>\n\n\n\n<p>To guard against BlackByte ransomware attacks, Microsoft recommends the following:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Ensure that you have a patch management process in place and that patching for internet-exposed devices is prioritized; Understand and assess your cyber exposure with advanced vulnerability and configuration assessment tools like <a href=\"https:\/\/learn.microsoft.com\/microsoft-365\/security\/defender-vulnerability-management\/defender-vulnerability-management?view=o365-worldwide\">Microsoft Defender Vulnerability Management<strong><em> <\/em><\/strong><\/a><strong><em><\/em><\/strong><\/li>\n\n\n\n<li>Implement an endpoint detection and response (EDR) solution like <a href=\"https:\/\/www.microsoft.com\/security\/business\/endpoint-security\/microsoft-defender-endpoint\">Microsoft Defender for Endpoint<\/a> to gain visibility into malicious activity in real time across your network<\/li>\n\n\n\n<li>Ensure antivirus protections are updated regularly by <a href=\"https:\/\/learn.microsoft.com\/microsoft-365\/security\/defender-endpoint\/configure-block-at-first-sight-microsoft-defender-antivirus?view=o365-worldwide\">turning on cloud-based protection<\/a> and that your antivirus solution is configured to block threats<\/li>\n\n\n\n<li>Enable <a href=\"https:\/\/learn.microsoft.com\/microsoft-365\/security\/defender-endpoint\/prevent-changes-to-security-settings-with-tamper-protection?view=o365-worldwide\">tamper protection<\/a> to prevent components of Microsoft Defender Antivirus from being disabled<\/li>\n\n\n\n<li>Block inbound traffic from IPs specified in the indicators of compromise section of this report<\/li>\n\n\n\n<li>Block inbound traffic from TOR exit nodes<\/li>\n\n\n\n<li>Block inbound access from unauthorized public VPN services<\/li>\n\n\n\n<li>Restrict administrative privileges to prevent authorized system changes<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"conclusion\">Conclusion<\/h2>\n\n\n\n<p>BlackByte ransomware attacks target organizations that have infrastructure with unpatched vulnerabilities. &nbsp;As outlined in the <a href=\"https:\/\/www.microsoft.com\/security\/business\/microsoft-digital-defense-report-2022\">Microsoft Digital Defense Report<\/a>, common security hygiene practices, including keeping systems up to date, could protect against 98% of attacks.<\/p>\n\n\n\n<p>As new tools are being developed by threat actors, a modern threat protection solution like Microsoft 365 Defender is necessary to prevent and detect the multiple techniques used in the attack chain, especially where the threat actor attempts to evade or disable specific defense mechanisms. Hunting for malicious behavior should be performed regularly in order to detect potential attacks that could evade detections, as a complementary activity for continuous monitoring from security tools alerts and incidents.<\/p>\n\n\n\n<p>To understand how Microsoft can help you secure your network and respond to network compromise, visit https:\/\/aka.ms\/MicrosoftIR.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"microsoft-365-defender-detections\">Microsoft 365 Defender detections<\/h2>\n\n\n\n<blockquote class=\"wp-block-quote blockquote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>Microsoft 365 Defender is becoming Microsoft Defender XDR. <a href=\"https:\/\/aka.ms\/xdrignite2023\">Learn more<\/a>.<\/p>\n<\/blockquote>\n\n\n\n<p><strong>Microsoft Defender Antivirus<\/strong><\/p>\n\n\n\n<p>Microsoft Defender Antivirus detects this threat as the following malware:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Trojan:Win32\/Kovter!MSR<\/li>\n\n\n\n<li>Trojan:Win64\/WinGoObfusc.LK!MT<\/li>\n\n\n\n<li>Trojan:Win64\/BlackByte!MSR<\/li>\n\n\n\n<li>HackTool:Win32\/AdFind!MSR<\/li>\n\n\n\n<li>Trojan:Win64\/CobaltStrike!MSR<\/li>\n<\/ul>\n\n\n\n<p><strong>Microsoft Defender for Endpoint<\/strong><\/p>\n\n\n\n<p>The following alerts might indicate threat activity related to this threat. Note, however, that these alerts can be also triggered by unrelated threat activity.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>&#8216;CVE-2021-31207&#8217; exploit malware was detected<\/li>\n\n\n\n<li>An active &#8216;NetShDisableFireWall&#8217; malware in a command line was prevented from executing.<\/li>\n\n\n\n<li>Suspicious registry modification.<\/li>\n\n\n\n<li>\u2018Rtcore64\u2019 hacktool was detected<\/li>\n\n\n\n<li>Possible ongoing hands-on-keyboard activity (Cobalt Strike)<\/li>\n\n\n\n<li>A file or network connection related to a ransomware-linked emerging threat activity group detected<\/li>\n\n\n\n<li>Suspicious sequence of exploration activities<\/li>\n\n\n\n<li>A process was injected with potentially malicious code<\/li>\n\n\n\n<li>Suspicious behavior by cmd.exe was observed<\/li>\n\n\n\n<li>&#8216;Blackbyte&#8217; ransomware was detected<\/li>\n<\/ul>\n\n\n\n<p><strong>Microsoft Defender Vulnerability Management<\/strong><\/p>\n\n\n\n<p>Microsoft Defender Vulnerability Management surfaces devices that may be affected by the following vulnerabilities used in this threat:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>CVE-2021-34473<\/li>\n\n\n\n<li>CVE-2021-34523<\/li>\n\n\n\n<li>CVE-2021-31207<\/li>\n\n\n\n<li>CVE-2019-16098<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"hunting-queries\">Hunting queries<\/h2>\n\n\n\n<p><strong>Microsoft 365 Defender<\/strong><\/p>\n\n\n\n<p>Microsoft 365 Defender customers can run the following query to find related activity in their networks:<\/p>\n\n\n\n<p><strong>ProxyShell web shell creation events<\/strong><\/p>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: plain; gutter: false; title: ; notranslate\" title=\"\">\nDeviceProcessEvents\n| where ProcessCommandLine has_any (&quot;ExcludeDumpster&quot;,&quot;New-ExchangeCertificate&quot;) and ProcessCommandLine has_any (&quot;-RequestFile&quot;,&quot;-FilePath&quot;)\n<\/pre><\/div>\n\n\n<p><strong>Suspicious vssadmin events<\/strong><\/p>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: plain; gutter: false; title: ; notranslate\" title=\"\">\nDeviceProcessEvents\n| where ProcessCommandLine has_any (&quot;vssadmin&quot;,&quot;vssadmin.exe&quot;) and ProcessCommandLine has &quot;Resize ShadowStorage&quot; and ProcessCommandLine has_any (&quot;MaxSize=401MB&quot;,&quot; MaxSize=UNBOUNDED&quot;)\n<\/pre><\/div>\n\n\n<p><strong>Detection for persistence creation using Registry Run keys<\/strong><\/p>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: plain; gutter: false; title: ; notranslate\" title=\"\">\nDeviceRegistryEvents \n| where ActionType == &quot;RegistryValueSet&quot; \n| where (RegistryKey has @&quot;Microsoft\\Windows\\CurrentVersion\\RunOnce&quot; and RegistryValueName == &quot;MsEdgeMsE&quot;)  \n    or (RegistryKey has @&quot;Microsoft\\Windows\\CurrentVersion\\RunOnceEx&quot; and RegistryValueName == &quot;MsEdgeMsE&quot;)\n    or (RegistryKey has @&quot;Microsoft\\Windows\\CurrentVersion\\Run&quot; and RegistryValueName == &quot;MsEdgeMsE&quot;)\n| where RegistryValueData startswith @&quot;rundll32&quot;\n| where RegistryValueData endswith @&quot;.dll,Default&quot;\n| project Timestamp,DeviceId,DeviceName,ActionType,RegistryKey,RegistryValueName,RegistryValueData\n<\/pre><\/div>\n\n\n<p><strong>Microsoft Sentinel<\/strong><\/p>\n\n\n\n<p>Microsoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with \u2018TI map\u2019) to automatically match the malicious domain indicators mentioned in this blog post with data in their workspace. If the TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the Microsoft Sentinel Content Hub to have the analytics rule deployed in their Sentinel workspace. More details on the Content Hub can be found here:&nbsp; <a href=\"https:\/\/learn.microsoft.com\/azure\/sentinel\/sentinel-solutions-deploy\">https:\/\/learn.microsoft.com\/azure\/sentinel\/sentinel-solutions-deploy<\/a><\/p>\n\n\n\n<p>Microsoft Sentinel also has a range of detection and threat hunting content that customers can use to detect the post exploitation activity detailed in this blog in addition to Microsoft 365 Defender detections list above.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/github.com\/Azure\/Azure-Sentinel\/blob\/master\/Detections\/W3CIISLog\/ProxyShellPwn2Own.yaml\">ProxyShell<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/github.com\/Azure\/Azure-Sentinel\/blob\/master\/Solutions\/Web%20Shells%20Threat%20Protection\/Hunting%20Queries\/WebShellActivity.yaml\">Web shell activity<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/github.com\/Azure\/Azure-Sentinel\/blob\/master\/Detections\/http_proxy_oab_CL\/ExchagngeSuspiciousFileDownloads.yaml\">Suspicious file downloads on Exchange Servers<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/github.com\/Azure\/Azure-Sentinel\/blob\/master\/Hunting%20Queries\/MultipleDataSources\/FirewallRuleChanges_using_netsh.yaml\">Firewall rule changes<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/github.com\/Azure\/Azure-Sentinel\/blob\/dd6cfe437382dfbd86ac36b76a125fda0c9de0aa\/Hunting%20Queries\/Microsoft%20365%20Defender\/Ransomware\/ShadowCopyDeletion.yml\">Shadow copy deletion<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/github.com\/Azure\/Azure-Sentinel\/blob\/master\/Solutions\/UEBA%20Essentials\/Hunting%20Queries\/Anomalous%20RDP%20Activity.yaml\">Anamolous RDP activity<\/a><\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"indicators-of-compromise\">Indicators of compromise<\/h2>\n\n\n\n<p>The table below shows IOCs observed during our investigation. We encourage our customers to investigate these indicators in their environments and implement detections and protections to identify past related activity and prevent future attacks against their systems.<\/p>\n\n\n\n<figure class=\"wp-block-table table\"><table class=\"has-fixed-layout\"><tbody><tr><td>Indicator<\/td><td>Type<\/td><td>Description<\/td><\/tr><tr><td>4a066569113a569a6feb8f44257ac8764ee8f2011765009fdfd82fe3f4b92d3e<\/td><td>SHA-256<\/td><td>api-msvc.dll (Backdoor installed through RunKeys)<\/td><\/tr><tr><td>5f37b85687780c089607670040dbb3da2749b91b8adc0aa411fd6280b5fa7103<\/td><td>SHA-256<\/td><td>sys.exe (Cobalt Strike Beacon)<\/td><\/tr><tr><td>01aa278b07b58dc46c84bd0b1b5c8e9ee4e62ea0bf7a695862444af32e87f1fd<\/td><td>SHA-256<\/td><td>rENEgOtiAtES (Vulnerable driver RtCore64.sys created by BlackByte binary)<\/td><\/tr><tr><td>ba3ec3f445683d0d0407157fda0c26fd669c0b8cc03f21770285a20b3133098f<\/td><td>SHA-256<\/td><td>[RANDOM_NAME].exe (UPX Packed PsExec created by BlackByte binary)<\/td><\/tr><tr><td>1b9badb1c646a19cdf101ac4f6fdd23bc61eaab8c9f925eb41848cea9fd0738e<\/td><td>SHA-256<\/td><td>\u201cnetscan.exe\u201d, \u201cnetapp.exe (Netscan network discovery tool)<\/td><\/tr><tr><td>f157090fd3ccd4220298c06ce8734361b724d80459592b10ac632acc624f455e<\/td><td>SHA-256<\/td><td>AdFind.exe (Active Directory information gathering tool)<\/td><\/tr><tr><td>hxxps:\/\/myvisit[.]alteksecurity[.]org\/t<\/td><td>URL<\/td><td>C2 for backdoor api-msvc.dll<\/td><\/tr><tr><td>hxxps:\/\/temp[.]sh\/szAyn\/sys.exe<\/td><td>URL<\/td><td>Download URL for sys.exe<\/td><\/tr><tr><td>109.206.243[.]59<\/td><td>IP Address<\/td><td>C2 for Cobalt Strike Beacon sys.exe<\/td><\/tr><tr><td>185.225.73[.]244<\/td><td>IP Address<\/td><td>Originating IP address for ProxyShell exploitation and web shell interaction<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p><strong>NOTE:<\/strong> These indicators should not be considered exhaustive for this observed activity.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"appendix\">Appendix<\/h2>\n\n\n\n<p>File extensions targeted by BlackByte binary for encryption:<\/p>\n\n\n\n<figure class=\"wp-block-table table\"><table><tbody><tr><td>.4dd<\/td><td>.4dl<\/td><td>.accdb<\/td><td>.accdc<\/td><td>.accde<\/td><td>.accdr<\/td><td>.accdt<\/td><td>.accft<\/td><\/tr><tr><td>.adb<\/td><td>.ade<\/td><td>.adf<\/td><td>.adp<\/td><td>.arc<\/td><td>.ora<\/td><td>.alf<\/td><td>.ask<\/td><\/tr><tr><td>.btr<\/td><td>.bdf<\/td><td>.cat<\/td><td>.cdb<\/td><td>.ckp<\/td><td>.cma<\/td><td>.cpd<\/td><td>.dacpac<\/td><\/tr><tr><td>.dad<\/td><td>.dadiagrams<\/td><td>.daschema<\/td><td>.db<\/td><td>.db-shm<\/td><td>.db-wal<\/td><td>.db3<\/td><td>.dbc<\/td><\/tr><tr><td>.dbf<\/td><td>.dbs<\/td><td>.dbt<\/td><td>.dbv<\/td><td>. dbx<\/td><td>. dcb<\/td><td>. dct<\/td><td>. dcx<\/td><\/tr><tr><td>. ddl<\/td><td>. dlis<\/td><td>. dp1<\/td><td>. dqy<\/td><td>. dsk<\/td><td>. dsn<\/td><td>. dtsx<\/td><td>. dxl<\/td><\/tr><tr><td>. eco<\/td><td>. ecx<\/td><td>. edb<\/td><td>. epim<\/td><td>. exb<\/td><td>. fcd<\/td><td>. fdb<\/td><td>. fic<\/td><\/tr><tr><td>. fmp<\/td><td>. fmp12<\/td><td>. fmpsl<\/td><td>. fol<\/td><td>.fp3<\/td><td>. fp4<\/td><td>. fp5<\/td><td>. fp7<\/td><\/tr><tr><td>. fpt<\/td><td>. frm<\/td><td>. gdb<\/td><td>. grdb<\/td><td>. gwi<\/td><td>. hdb<\/td><td>. his<\/td><td>. ib<\/td><\/tr><tr><td>. idb<\/td><td>. ihx<\/td><td>. itdb<\/td><td>. itw<\/td><td>. jet<\/td><td>. jtx<\/td><td>. kdb<\/td><td>. kexi<\/td><\/tr><tr><td>. kexic<\/td><td>. kexis<\/td><td>. lgc<\/td><td>. lwx<\/td><td>. maf<\/td><td>. maq<\/td><td>. mar<\/td><td>. masmav<\/td><\/tr><tr><td>. mdb<\/td><td>. mpd<\/td><td>. mrg<\/td><td>. mud<\/td><td>. mwb<\/td><td>. myd<\/td><td>. ndf<\/td><td>. nnt<\/td><\/tr><tr><td>. nrmlib<\/td><td>. ns2<\/td><td>. ns3<\/td><td>. ns4<\/td><td>. nsf<\/td><td>. nv<\/td><td>. nv2<\/td><td>. nwdb<\/td><\/tr><tr><td>. nyf<\/td><td>. odb<\/td><td>. ogy<\/td><td>. orx<\/td><td>. owc<\/td><td>. p96<\/td><td>. p97<\/td><td>. pan<\/td><\/tr><tr><td>. pdb<\/td><td>. pdm<\/td><td>. pnz<\/td><td>. qry<\/td><td>. qvd<\/td><td>. rbf<\/td><td>. rctd<\/td><td>. rod<\/td><\/tr><tr><td>. rodx<\/td><td>. rpd<\/td><td>. rsd<\/td><td>. sas7bdat<\/td><td>. sbf<\/td><td>. scx<\/td><td>. sdb<\/td><td>. sdc<\/td><\/tr><tr><td>. sdf<\/td><td>. sis<\/td><td>. spg<\/td><td>. sql<\/td><td>. sqlite<\/td><td>. sqlite3<\/td><td>. sqlitedb<\/td><td>. te<\/td><\/tr><tr><td>. temx<\/td><td>. tmd<\/td><td>. tps<\/td><td>. trc<\/td><td>. trm<\/td><td>. udb<\/td><td>. udl<\/td><td>. usr<\/td><\/tr><tr><td>. v12<\/td><td>. vis<\/td><td>. vpd<\/td><td>. vvv<\/td><td>. wdb<\/td><td>. wmdb<\/td><td>. wrk<\/td><td>. xdb<\/td><\/tr><tr><td>. xld<\/td><td>. xmlff<\/td><td>. abcddb<\/td><td>. abs<\/td><td>. abx<\/td><td>. accdw<\/td><td>. and<\/td><td>. db2<\/td><\/tr><tr><td>. fm5<\/td><td>. hjt<\/td><td>. icg<\/td><td>. icr<\/td><td>. kdb<\/td><td>. lut<\/td><td>. maw<\/td><td>. mdn<\/td><\/tr><tr><td>. mdt<\/td><td>&nbsp;<\/td><td>&nbsp;<\/td><td>&nbsp;<\/td><td>&nbsp;<\/td><td>&nbsp;<\/td><td>&nbsp;<\/td><td>&nbsp;<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p>Shared folders targeted for encryption (Example: <em>\\\\[IP address]\\Downloads<\/em>):<\/p>\n\n\n\n<figure class=\"wp-block-table table\"><table><tbody><tr><td>Users<\/td><td>Backup<\/td><td>Veeam<\/td><td>homes<\/td><td>home<\/td><\/tr><tr><td>media<\/td><td>common<\/td><td>Storage Server<\/td><td>Public<\/td><td>Web<\/td><\/tr><tr><td>Images<\/td><td>Downloads<\/td><td>BackupData<\/td><td>ActiveBackupForBusiness<\/td><td>Backups<\/td><\/tr><tr><td>NAS-DC<\/td><td>DCBACKUP<\/td><td>DirectorFiles<\/td><td>share<\/td><td>&nbsp;<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p>File extensions ignored:<\/p>\n\n\n\n<figure class=\"wp-block-table table\"><table><tbody><tr><td>.ini<\/td><td>.url<\/td><td>.msilog<\/td><td>.log<\/td><td>.ldf<\/td><td>.lock<\/td><td>.theme<\/td><td>.msi<\/td><\/tr><tr><td>.sys<\/td><td>.wpx<\/td><td>.cpl<\/td><td>.adv<\/td><td>.msc<\/td><td>.scr<\/td><td>.key<\/td><td>.ico<\/td><\/tr><tr><td>.dll<\/td><td>.hta<\/td><td>.deskthemepack<\/td><td>.nomedia<\/td><td>.msu<\/td><td>.rtp<\/td><td>.msp<\/td><td>.idx<\/td><\/tr><tr><td>.ani<\/td><td>.386<\/td><td>.diagcfg<\/td><td>.bin<\/td><td>.mod<\/td><td>.ics<\/td><td>.com<\/td><td>.hlp<\/td><\/tr><tr><td>&nbsp;.spl<\/td><td>.nls<\/td><td>.cab<\/td><td>.exe<\/td><td>.diagpkg<\/td><td>.icl<\/td><td>.ocx<\/td><td>.rom<\/td><\/tr><tr><td>.prf<\/td><td>.thempack<\/td><td>.msstyles<\/td><td>.icns<\/td><td>.mpa<\/td><td>.drv<\/td><td>.cur<\/td><td>.diagcab<\/td><\/tr><tr><td>.cmd<\/td><td>.shs<\/td><td>&nbsp;<\/td><td>&nbsp;<\/td><td>&nbsp;<\/td><td>&nbsp;<\/td><td>&nbsp;<\/td><td>&nbsp;<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p>Folders ignored:<\/p>\n\n\n\n<figure class=\"wp-block-table table\"><table><tbody><tr><td>windows<\/td><td>boot<\/td><td>program files (x86)<\/td><td>windows.old<\/td><td>programdata<\/td><\/tr><tr><td>intel<\/td><td>bitdefender<\/td><td>trend micro<\/td><td>windowsapps<\/td><td>appdata<\/td><\/tr><tr><td>application data<\/td><td>system volume information<\/td><td>perflogs<\/td><td>msocache<\/td><td>&nbsp;<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p>Files ignored:<\/p>\n\n\n\n<figure class=\"wp-block-table table\"><table><tbody><tr><td>bootnxt<\/td><td>ntldr<\/td><td>bootmgr<\/td><td>thumbs.db<\/td><\/tr><tr><td>ntuser.dat<\/td><td>bootsect.bak<\/td><td>autoexec.bat<\/td><td>iconcache.db<\/td><\/tr><tr><td>bootfont.bin<\/td><td>&nbsp;<\/td><td>&nbsp;<\/td><td>&nbsp;<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p>Processes terminated:<\/p>\n\n\n\n<figure class=\"wp-block-table table\"><table><tbody><tr><td>teracopy<\/td><td>teamviewer<\/td><td>nsservice<\/td><td>nsctrl<\/td><td>uranium<\/td><\/tr><tr><td>processhacker<\/td><td>procmon<\/td><td>pestudio<\/td><td>procmon64<\/td><td>x32dbg<\/td><\/tr><tr><td>x64dbg<\/td><td>cff explorer<\/td><td>procexp<\/td><td>pslist<\/td><td>tcpview<\/td><\/tr><tr><td>tcpvcon<\/td><td>dbgview<\/td><td>rammap<\/td><td>rammap64<\/td><td>vmmap<\/td><\/tr><tr><td>ollydbg<\/td><td>autoruns<\/td><td>autorunssc<\/td><td>filemon<\/td><td>regmon<\/td><\/tr><tr><td>idaq<\/td><td>idaq64<\/td><td>immunitydebugger<\/td><td>wireshark<\/td><td>dumpcap<\/td><\/tr><tr><td>hookexplorer<\/td><td>importrec<\/td><td>petools<\/td><td>lordpe<\/td><td>sysinspector<\/td><\/tr><tr><td>proc_analyzer<\/td><td>sysanalyzer<\/td><td>sniff_hit<\/td><td>windbg<\/td><td>joeboxcontrol<\/td><\/tr><tr><td>joeboxserver<\/td><td>resourcehacker<\/td><td>fiddler<\/td><td>httpdebugger<\/td><td>dumpit<\/td><\/tr><tr><td>rammap<\/td><td>rammap64<\/td><td>vmmap<\/td><td>agntsvc<\/td><td>cntaosmgr<\/td><\/tr><tr><td>dbeng50<\/td><td>dbsnmp<\/td><td>encsvc<\/td><td>infopath<\/td><td>isqlplussvc<\/td><\/tr><tr><td>mbamtray<\/td><td>msaccess<\/td><td>msftesql<\/td><td>mspub<\/td><td>mydesktopqos<\/td><\/tr><tr><td>mydesktopservice<\/td><td>mysqld<\/td><td>mysqld-nt<\/td><td>mysqld-opt<\/td><td>Ntrtscan<\/td><\/tr><tr><td>ocautoupds<\/td><td>ocomm<\/td><td>ocssd<\/td><td>onenote<\/td><td>oracle<\/td><\/tr><tr><td>outlook<\/td><td>PccNTMon<\/td><td>powerpnt<\/td><td>sqbcoreservice<\/td><td>sql<\/td><\/tr><tr><td>sqlagent<\/td><td>sqlbrowser<\/td><td>sqlservr<\/td><td>sqlwriter<\/td><td>steam<\/td><\/tr><tr><td>synctime<\/td><td>tbirdconfig<\/td><td>thebat<\/td><td>thebat64<\/td><td>thunderbird<\/td><\/tr><tr><td>tmlisten<\/td><td>visio<\/td><td>winword<\/td><td>wordpad<\/td><td>xfssvccon<\/td><\/tr><tr><td>zoolz<\/td><td>&nbsp;<\/td><td>&nbsp;<\/td><td>&nbsp;<\/td><td>&nbsp;<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p>Services terminated:<\/p>\n\n\n\n<figure class=\"wp-block-table table\"><table><tbody><tr><td>CybereasonRansomFree<\/td><td>vnetd<\/td><td>bpcd<\/td><td>SamSs<\/td><td>TeraCopyService<\/td><\/tr><tr><td>msftesql<\/td><td>nsService<\/td><td>klvssbridge64<\/td><td>vapiendpoint<\/td><td>ShMonitor<\/td><\/tr><tr><td>Smcinst<\/td><td>SmcService<\/td><td>SntpService<\/td><td>svcGenericHost<\/td><td>Swi_<\/td><\/tr><tr><td>TmCCSF<\/td><td>tmlisten<\/td><td>TrueKey<\/td><td>TrueKeyScheduler<\/td><td>TrueKeyServiceHelper<\/td><\/tr><tr><td>WRSVC<\/td><td>McTaskManager<\/td><td>OracleClientCache80<\/td><td>mfefire<\/td><td>wbengine<\/td><\/tr><tr><td>mfemms<\/td><td>RESvc<\/td><td>mfevtp<\/td><td>sacsvr<\/td><td>SAVAdminService<\/td><\/tr><tr><td>SepMasterService<\/td><td>PDVFSService<\/td><td>ESHASRV<\/td><td>SDRSVC<\/td><td>FA_Scheduler<\/td><\/tr><tr><td>KAVFS<\/td><td>KAVFS_KAVFSGT<\/td><td>kavfsslp<\/td><td>klnagent<\/td><td>macmnsvc<\/td><\/tr><tr><td>masvc<\/td><td>MBAMService<\/td><td>MBEndpointAgent<\/td><td>McShield<\/td><td>audioendpointbuilder<\/td><\/tr><tr><td>Antivirus<\/td><td>AVP<\/td><td>DCAgent<\/td><td>bedbg<\/td><td>EhttpSrv<\/td><\/tr><tr><td>MMS<\/td><td>ekrn<\/td><td>EPSecurityService<\/td><td>EPUpdateService<\/td><td>ntrtscan<\/td><\/tr><tr><td>EsgShKernel<\/td><td>msexchangeadtopology<\/td><td>AcrSch2Svc<\/td><td>MSOLAP$TPSAMA<\/td><td>Intel(R) PROSet Monitoring<\/td><\/tr><tr><td>msexchangeimap4<\/td><td>ARSM<\/td><td>unistoresvc_1af40a<\/td><td>ReportServer$TPS<\/td><td>MSOLAP$SYSTEM_BGC<\/td><\/tr><tr><td>W3Svc<\/td><td>MSExchangeSRS<\/td><td>ReportServer$TPSAMA<\/td><td>Zoolz 2 Service<\/td><td>MSOLAP$TPS<\/td><\/tr><tr><td>aphidmonitorservice<\/td><td>SstpSvc<\/td><td>MSExchangeMTA<\/td><td>ReportServer$SYSTEM_BGC<\/td><td>Symantec System Recovery<\/td><\/tr><tr><td>UI0Detect<\/td><td>MSExchangeSA<\/td><td>MSExchangeIS<\/td><td>ReportServer<\/td><td>MsDtsServer110<\/td><\/tr><tr><td>POP3Svc<\/td><td>MSExchangeMGMT<\/td><td>SMTPSvc<\/td><td>MsDtsServer<\/td><td>IisAdmin<\/td><\/tr><tr><td>MSExchangeES<\/td><td>EraserSvc11710<\/td><td>Enterprise Client Service<\/td><td>MsDtsServer100<\/td><td>NetMsmqActivator<\/td><\/tr><tr><td>stc_raw_agent<\/td><td>VSNAPVSS<\/td><td>PDVFSService<\/td><td>AcrSch2Svc<\/td><td>Acronis<\/td><\/tr><tr><td>CASAD2DWebSvc<\/td><td>CAARCUpdateSvc<\/td><td>McAfee<\/td><td>avpsus<\/td><td>DLPAgentService<\/td><\/tr><tr><td>mfewc<\/td><td>BMR Boot Service<\/td><td>DefWatch<\/td><td>ccEvtMgr<\/td><td>ccSetMgr<\/td><\/tr><tr><td>SavRoam<\/td><td>RTVsc screenconnect<\/td><td>ransom<\/td><td>sqltelemetry<\/td><td>msexch<\/td><\/tr><tr><td>vnc<\/td><td>teamviewer<\/td><td>msolap<\/td><td>veeam<\/td><td>backup<\/td><\/tr><tr><td>sql<\/td><td>memtas<\/td><td>vss<\/td><td>sophos<\/td><td>svc$<\/td><\/tr><tr><td>mepocs<\/td><td>wuauserv<\/td><td>&nbsp;<\/td><td>&nbsp;<\/td><td>&nbsp;<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p>Drivers that Blackbyte can bypass:<\/p>\n\n\n\n<figure class=\"wp-block-table table\"><table><tbody><tr><td>360avflt.sys<\/td><td>360box.sys<\/td><td>360fsflt.sys<\/td><td>360qpesv.sys<\/td><td>5nine.cbt.sys<\/td><\/tr><tr><td>a2acc.sys<\/td><td>a2acc64.sys<\/td><td>a2ertpx64.sys<\/td><td>a2ertpx86.sys<\/td><td>a2gffi64.sys<\/td><\/tr><tr><td>a2gffx64.sys<\/td><td>a2gffx86.sys<\/td><td>aaf.sys<\/td><td>aalprotect.sys<\/td><td>abrpmon.sys<\/td><\/tr><tr><td>accessvalidator.sys<\/td><td>acdriver.sys<\/td><td>acdrv.sys<\/td><td>adaptivaclientcache32.sys<\/td><td>adaptivaclientcache64.sys<\/td><\/tr><tr><td>adcvcsnt.sys<\/td><td>adspiderdoc.sys<\/td><td>aefilter.sys<\/td><td>agentrtm64.sys<\/td><td>agfsmon.sys<\/td><\/tr><tr><td>agseclock.sys<\/td><td>agsyslock.sys<\/td><td>ahkamflt.sys<\/td><td>ahksvpro.sys<\/td><td>ahkusbfw.sys<\/td><\/tr><tr><td>ahnrghlh.sys<\/td><td>aictracedrv_am.sys<\/td><td>airship-filter.sys<\/td><td>ajfsprot.sys<\/td><td>alcapture.sys<\/td><\/tr><tr><td>alfaff.sys<\/td><td>altcbt.sys<\/td><td>amfd.sys<\/td><td>amfsm.sys<\/td><td>amm6460.sys<\/td><\/tr><tr><td>amm8660.sys<\/td><td>amsfilter.sys<\/td><td>amznmon.sys<\/td><td>antileakfilter.sys<\/td><td>antispyfilter.sys<\/td><\/tr><tr><td>anvfsm.sys<\/td><td>apexsqlfilterdriver.sys<\/td><td>appcheckd.sys<\/td><td>appguard.sys<\/td><td>appvmon.sys<\/td><\/tr><tr><td>arfmonnt.sys<\/td><td>arta.sys<\/td><td>arwflt.sys<\/td><td>asgard.sys<\/td><td>ashavscan.sys<\/td><\/tr><tr><td>asiofms.sys<\/td><td>aswfsblk.sys<\/td><td>aswmonflt.sys<\/td><td>aswsnx.sys<\/td><td>aswsp.sys<\/td><\/tr><tr><td>aszfltnt.sys<\/td><td>atamptnt.sys<\/td><td>atc.sys<\/td><td>atdragent.sys<\/td><td>atdragent64.sys<\/td><\/tr><tr><td>aternityregistryhook.sys<\/td><td>atflt.sys<\/td><td>atrsdfw.sys<\/td><td>auditflt.sys<\/td><td>aupdrv.sys<\/td><\/tr><tr><td>avapsfd.sys<\/td><td>avc3.sys<\/td><td>avckf.sys<\/td><td>avfsmn.sys<\/td><td>avgmfi64.sys<\/td><\/tr><tr><td>avgmfrs.sys<\/td><td>avgmfx64.sys<\/td><td>avgmfx86.sys<\/td><td>avgntflt.sys<\/td><td>avgtpx64.sys<\/td><\/tr><tr><td>avgtpx86.sys<\/td><td>avipbb.sys<\/td><td>avkmgr.sys<\/td><td>avmf.sys<\/td><td>awarecore.sys<\/td><\/tr><tr><td>axfltdrv.sys<\/td><td>axfsysmon.sys<\/td><td>ayfilter.sys<\/td><td>b9kernel.sys<\/td><td>backupreader.sys<\/td><\/tr><tr><td>bamfltr.sys<\/td><td>bapfecpt.sys<\/td><td>bbfilter.sys<\/td><td>bd0003.sys<\/td><td>bddevflt.sys<\/td><\/tr><tr><td>bdfiledefend.sys<\/td><td>bdfilespy.sys<\/td><td>bdfm.sys<\/td><td>bdfsfltr.sys<\/td><td>bdprivmon.sys<\/td><\/tr><tr><td>bdrdfolder.sys<\/td><td>bdsdkit.sys<\/td><td>bdsfilter.sys<\/td><td>bdsflt.sys<\/td><td>bdsvm.sys<\/td><\/tr><tr><td>bdsysmon.sys<\/td><td>bedaisy.sys<\/td><td>bemk.sys<\/td><td>bfaccess.sys<\/td><td>bfilter.sys<\/td><\/tr><tr><td>bfmon.sys<\/td><td>bhdrvx64.sys<\/td><td>bhdrvx86.sys<\/td><td>bhkavka.sys<\/td><td>bhkavki.sys<\/td><\/tr><tr><td>bkavautoflt.sys<\/td><td>bkavsdflt.sys<\/td><td>blackbirdfsa.sys<\/td><td>blackcat.sys<\/td><td>bmfsdrv.sys<\/td><\/tr><tr><td>bmregdrv.sys<\/td><td>boscmflt.sys<\/td><td>bosfsfltr.sys<\/td><td>bouncer.sys<\/td><td>boxifier.sys<\/td><\/tr><tr><td>brcow_x_x_x_x.sys<\/td><td>brfilter.sys<\/td><td>brnfilelock.sys<\/td><td>brnseclock.sys<\/td><td>browsermon.sys<\/td><\/tr><tr><td>bsrfsflt.sys<\/td><td>bssaudit.sys<\/td><td>bsyaed.sys<\/td><td>bsyar.sys<\/td><td>bsydf.sys<\/td><\/tr><tr><td>bsyirmf.sys<\/td><td>bsyrtm.sys<\/td><td>bsysp.sys<\/td><td>bsywl.sys<\/td><td>bwfsdrv.sys<\/td><\/tr><tr><td>bzsenspdrv.sys<\/td><td>bzsenth.sys<\/td><td>bzsenyaradrv.sys<\/td><td>caadflt.sys<\/td><td>caavfltr.sys<\/td><\/tr><tr><td>cancelsafe.sys<\/td><td>carbonblackk.sys<\/td><td>catflt.sys<\/td><td>catmf.sys<\/td><td>cbelam.sys<\/td><\/tr><tr><td>cbfilter20.sys<\/td><td>cbfltfs4.sys<\/td><td>cbfsfilter2017.sys<\/td><td>cbfsfilter2020.sys<\/td><td>cbsampledrv.sys<\/td><\/tr><tr><td>cdo.sys<\/td><td>cdrrsflt.sys<\/td><td>cdsgfsfilter.sys<\/td><td>centrifyfsf.sys<\/td><td>cfrmd.sys<\/td><\/tr><tr><td>cfsfdrv<\/td><td>cgwmf.sys<\/td><td>change.sys<\/td><td>changelog.sys<\/td><td>chemometecfilter.sys<\/td><\/tr><tr><td>ciscoampcefwdriver.sys<\/td><td>ciscoampheurdriver.sys<\/td><td>ciscosam.sys<\/td><td>clumiochangeblockmf.sys<\/td><td>cmdccav.sys<\/td><\/tr><tr><td>cmdcwagt.sys<\/td><td>cmdguard.sys<\/td><td>cmdmnefs.sys<\/td><td>cmflt.sys<\/td><td>code42filter.sys<\/td><\/tr><tr><td>codex.sys<\/td><td>conduantfsfltr.sys<\/td><td>containermonitor.sys<\/td><td>cpavfilter.sys<\/td><td>cpavkernel.sys<\/td><\/tr><tr><td>cpepmon.sys<\/td><td>crexecprev.sys<\/td><td>crncache32.sys<\/td><td>crncache64.sys<\/td><td>crnsysm.sys<\/td><\/tr><tr><td>cruncopy.sys<\/td><td>csaam.sys<\/td><td>csaav.sys<\/td><td>csacentr.sys<\/td><td>csaenh.sys<\/td><\/tr><tr><td>csagent.sys<\/td><td>csareg.sys<\/td><td>csascr.sys<\/td><td>csbfilter.sys<\/td><td>csdevicecontrol.sys<\/td><\/tr><tr><td>csfirmwareanalysis.sys<\/td><td>csflt.sys<\/td><td>csmon.sys<\/td><td>cssdlp.sys<\/td><td>ctamflt.sys<\/td><\/tr><tr><td>ctifile.sys<\/td><td>ctinet.sys<\/td><td>ctrpamon.sys<\/td><td>ctx.sys<\/td><td>cvcbt.sys<\/td><\/tr><tr><td>cvofflineflt32.sys<\/td><td>cvofflineflt64.sys<\/td><td>cvsflt.sys<\/td><td>cwdriver.sys<\/td><td>cwmem2k64.sys<\/td><\/tr><tr><td>cybkerneltracker.sys<\/td><td>cylancedrv64.sys<\/td><td>cyoptics.sys<\/td><td>cyprotectdrv32.sys<\/td><td>cyprotectdrv64.sys<\/td><\/tr><tr><td>cytmon.sys<\/td><td>cyverak.sys<\/td><td>cyvrfsfd.sys<\/td><td>cyvrlpc.sys<\/td><td>cyvrmtgn.sys<\/td><\/tr><tr><td>datanow_driver.sys<\/td><td>dattofsf.sys<\/td><td>da_ctl.sys<\/td><td>dcfafilter.sys<\/td><td>dcfsgrd.sys<\/td><\/tr><tr><td>dcsnaprestore.sys<\/td><td>deepinsfs.sys<\/td><td>delete_flt.sys<\/td><td>devmonminifilter.sys<\/td><td>dfmfilter.sys<\/td><\/tr><tr><td>dgedriver.sys<\/td><td>dgfilter.sys<\/td><td>dgsafe.sys<\/td><td>dhwatchdog.sys<\/td><td>diflt.sys<\/td><\/tr><tr><td>diskactmon.sys<\/td><td>dkdrv.sys<\/td><td>dkrtwrt.sys<\/td><td>dktlfsmf.sys<\/td><td>dnafsmonitor.sys<\/td><\/tr><tr><td>docvmonk.sys<\/td><td>docvmonk64.sys<\/td><td>dpmfilter.sys<\/td><td>drbdlock.sys<\/td><td>drivesentryfilterdriver2lite.sys<\/td><\/tr><tr><td>drsfile.sys<\/td><td>drvhookcsmf.sys<\/td><td>drvhookcsmf_amd64.sys<\/td><td>drwebfwflt.sys<\/td><td>drwebfwft.sys<\/td><\/tr><tr><td>dsark.sys<\/td><td>dsdriver.sys<\/td><td>dsfemon.sys<\/td><td>dsflt.sys<\/td><td>dsfltfs.sys<\/td><\/tr><tr><td>dskmn.sys<\/td><td>dtdsel.sys<\/td><td>dtpl.sys<\/td><td>dwprot.sys<\/td><td>dwshield.sys<\/td><\/tr><tr><td>dwshield64.sys<\/td><td>eamonm.sys<\/td><td>easeflt.sys<\/td><td>easyanticheat.sys<\/td><td>eaw.sys<\/td><\/tr><tr><td>ecatdriver.sys<\/td><td>edevmon.sys<\/td><td>ednemfsfilter.sys<\/td><td>edrdrv.sys<\/td><td>edrsensor.sys<\/td><\/tr><tr><td>edsigk.sys<\/td><td>eectrl.sys<\/td><td>eetd32.sys<\/td><td>eetd64.sys<\/td><td>eeyehv.sys<\/td><\/tr><tr><td>eeyehv64.sys<\/td><td>egambit.sys<\/td><td>egfilterk.sys<\/td><td>egminflt.sys<\/td><td>egnfsflt.sys<\/td><\/tr><tr><td>ehdrv.sys<\/td><td>elock2fsctldriver.sys<\/td><td>emxdrv2.sys<\/td><td>enigmafilemondriver.sys<\/td><td>enmon.sys<\/td><\/tr><tr><td>epdrv.sys<\/td><td>epfw.sys<\/td><td>epfwwfp.sys<\/td><td>epicfilter.sys<\/td><td>epklib.sys<\/td><\/tr><tr><td>epp64.sys<\/td><td>epregflt.sys<\/td><td>eps.sys<\/td><td>epsmn.sys<\/td><td>equ8_helper.sys<\/td><\/tr><tr><td>eraser.sys<\/td><td>esensor.sys<\/td><td>esprobe.sys<\/td><td>estprmon.sys<\/td><td>estprp.sys<\/td><\/tr><tr><td>estregmon.sys<\/td><td>estregp.sys<\/td><td>estrkmon.sys<\/td><td>estrkr.sys<\/td><td>eventmon.sys<\/td><\/tr><tr><td>evmf.sys<\/td><td>evscase.sys<\/td><td>excfs.sys<\/td><td>exprevdriver.sys<\/td><td>failattach.sys<\/td><\/tr><tr><td>failmount.sys<\/td><td>fam.sys<\/td><td>fangcloud_autolock_driver.sys<\/td><td>fapmonitor.sys<\/td><td>farflt.sys<\/td><\/tr><tr><td>farwflt.sys<\/td><td>fasdriver<\/td><td>fcnotify.sys<\/td><td>fcontrol.sys<\/td><td>fdrtrace.sys<\/td><\/tr><tr><td>fekern.sys<\/td><td>fencry.sys<\/td><td>ffcfilt.sys<\/td><td>ffdriver.sys<\/td><td>fildds.sys<\/td><\/tr><tr><td>filefilter.sys<\/td><td>fileflt.sys<\/td><td>fileguard.sys<\/td><td>filehubagent.sys<\/td><td>filemon.sys<\/td><\/tr><tr><td>filemonitor.sys<\/td><td>filenamevalidator.sys<\/td><td>filescan.sys<\/td><td>filesharemon.sys<\/td><td>filesightmf.sys<\/td><\/tr><tr><td>filesystemcbt.sys<\/td><td>filetrace.sys<\/td><td>file_monitor.sys<\/td><td>file_protector.sys<\/td><td>file_tracker.sys<\/td><\/tr><tr><td>filrdriver.sys<\/td><td>fim.sys<\/td><td>fiometer.sys<\/td><td>fiopolicyfilter.sys<\/td><td>fjgsdis2.sys<\/td><\/tr><tr><td>fjseparettifilterredirect.sys<\/td><td>flashaccelfs.sys<\/td><td>flightrecorder.sys<\/td><td>fltrs329.sys<\/td><td>flyfs.sys<\/td><\/tr><tr><td>fmdrive.sys<\/td><td>fmkkc.sys<\/td><td>fmm.sys<\/td><td>fortiaptfilter.sys<\/td><td>fortimon2.sys<\/td><\/tr><tr><td>fortirmon.sys<\/td><td>fortishield.sys<\/td><td>fpav_rtp.sys<\/td><td>fpepflt.sys<\/td><td>fsafilter.sys<\/td><\/tr><tr><td>fsatp.sys<\/td><td>fsfilter.sys<\/td><td>fsgk.sys<\/td><td>fshs.sys<\/td><td>fsmon.sys<\/td><\/tr><tr><td>fsmonitor.sys<\/td><td>fsnk.sys<\/td><td>fsrfilter.sys<\/td><td>fstrace.sys<\/td><td>fsulgk.sys<\/td><\/tr><tr><td>fsw31rj1.sys<\/td><td>gagsecurity.sys<\/td><td>gbpkm.sys<\/td><td>gcffilter.sys<\/td><td>gddcv.sys<\/td><\/tr><tr><td>gefcmp.sys<\/td><td>gemma.sys<\/td><td>geprotection.sys<\/td><td>ggc.sys<\/td><td>gibepcore.sys<\/td><\/tr><tr><td>gkff.sys<\/td><td>gkff64.sys<\/td><td>gkpfcb.sys<\/td><td>gkpfcb64.sys<\/td><td>gofsmf.sys<\/td><\/tr><tr><td>gpminifilter.sys<\/td><td>groundling32.sys<\/td><td>groundling64.sys<\/td><td>gtkdrv.sys<\/td><td>gumhfilter.sys<\/td><\/tr><tr><td>gzflt.sys<\/td><td>hafsnk.sys<\/td><td>hbflt.sys<\/td><td>hbfsfltr.sys<\/td><td>hcp_kernel_acq.sys<\/td><\/tr><tr><td>hdcorrelatefdrv.sys<\/td><td>hdfilemon.sys<\/td><td>hdransomoffdrv.sys<\/td><td>hdrfs.sys<\/td><td>heimdall.sys<\/td><\/tr><tr><td>hexisfsmonitor.sys<\/td><td>hfileflt.sys<\/td><td>hiofs.sys<\/td><td>hmpalert.sys<\/td><td>hookcentre.sys<\/td><\/tr><tr><td>hooksys.sys<\/td><td>hpreg.sys<\/td><td>hsmltmon.sys<\/td><td>hsmltwhl.sys<\/td><td>hssfwhl.sys<\/td><\/tr><tr><td>hvlminifilter.sys<\/td><td>ibr2fsk.sys<\/td><td>iccfileioad.sys<\/td><td>iccfilteraudit.sys<\/td><td>iccfiltersc.sys<\/td><\/tr><tr><td>icfclientflt.sys<\/td><td>icrlmonitor.sys<\/td><td>iderafilterdriver.sys<\/td><td>ielcp.sys<\/td><td>ieslp.sys<\/td><\/tr><tr><td>ifs64.sys<\/td><td>ignis.sys<\/td><td>iguard.sys<\/td><td>iiscache.sys<\/td><td>ikfilesec.sys<\/td><\/tr><tr><td>im.sys<\/td><td>imffilter.sys<\/td><td>imfilter.sys<\/td><td>imgguard.sys<\/td><td>immflex.sys<\/td><\/tr><tr><td>immunetprotect.sys<\/td><td>immunetselfprotect.sys<\/td><td>inisbdrv64.sys<\/td><td>ino_fltr.sys<\/td><td>intelcas.sys<\/td><\/tr><tr><td>intmfs.sys<\/td><td>inuse.sys<\/td><td>invprotectdrv.sys<\/td><td>invprotectdrv64.sys<\/td><td>ionmonwdrv.sys<\/td><\/tr><tr><td>iothorfs.sys<\/td><td>ipcomfltr.sys<\/td><td>ipfilter.sys<\/td><td>iprotect.sys<\/td><td>iridiumswitch.sys<\/td><\/tr><tr><td>irongatefd.sys<\/td><td>isafekrnl.sys<\/td><td>isafekrnlmon.sys<\/td><td>isafermon<\/td><td>isecureflt.sys<\/td><\/tr><tr><td>isedrv.sys<\/td><td>isfpdrv.sys<\/td><td>isirmfmon.sys<\/td><td>isregflt.sys<\/td><td>isregflt64.sys<\/td><\/tr><tr><td>issfltr.sys<\/td><td>issregistry.sys<\/td><td>it2drv.sys<\/td><td>it2reg.sys<\/td><td>ivappmon.sys<\/td><\/tr><tr><td>iwdmfs.sys<\/td><td>iwhlp.sys<\/td><td>iwhlp2.sys<\/td><td>iwhlpxp.sys<\/td><td>jdppsf.sys<\/td><\/tr><tr><td>jdppwf.sys<\/td><td>jkppob.sys<\/td><td>jkppok.sys<\/td><td>jkpppf.sys<\/td><td>jkppxk.sys<\/td><\/tr><tr><td>k7sentry.sys<\/td><td>kavnsi.sys<\/td><td>kawachfsminifilter.sys<\/td><td>kc3.sys<\/td><td>kconv.sys<\/td><\/tr><tr><td>kernelagent32.sys<\/td><td>kewf.sys<\/td><td>kfac.sys<\/td><td>kfileflt.sys<\/td><td>kisknl.sys<\/td><\/tr><tr><td>klam.sys<\/td><td>klbg.sys<\/td><td>klboot.sys<\/td><td>kldback.sys<\/td><td>kldlinf.sys<\/td><\/tr><tr><td>kldtool.sys<\/td><td>klfdefsf.sys<\/td><td>klflt.sys<\/td><td>klgse.sys<\/td><td>klhk.sys<\/td><\/tr><tr><td>klif.sys<\/td><td>klifaa.sys<\/td><td>klifks.sys<\/td><td>klifsm.sys<\/td><td>klrsps.sys<\/td><\/tr><tr><td>klsnsr.sys<\/td><td>klupd_klif_arkmon.sys<\/td><td>kmkuflt.sys<\/td><td>kmnwch.sys<\/td><td>kmxagent.sys<\/td><\/tr><tr><td>kmxfile.sys<\/td><td>kmxsbx.sys<\/td><td>ksfsflt.sys<\/td><td>ktfsfilter.sys<\/td><td>ktsyncfsflt.sys<\/td><\/tr><tr><td>kubwksp.sys<\/td><td>lafs.sys<\/td><td>lbd.sys<\/td><td>lbprotect.sys<\/td><td>lcgadmon.sys<\/td><\/tr><tr><td>lcgfile.sys<\/td><td>lcgfilemon.sys<\/td><td>lcmadmon.sys<\/td><td>lcmfile.sys<\/td><td>lcmfilemon.sys<\/td><\/tr><tr><td>lcmprintmon.sys<\/td><td>ldsecdrv.sys<\/td><td>libwamf.sys<\/td><td>livedrivefilter.sys<\/td><td>llfilter.sys<\/td><\/tr><tr><td>lmdriver.sys<\/td><td>lnvscenter.sys<\/td><td>locksmith.sys<\/td><td>lragentmf.sys<\/td><td>lrtp.sys<\/td><\/tr><tr><td>magicbackupmonitor.sys<\/td><td>magicprotect.sys<\/td><td>majoradvapi.sys<\/td><td>marspy.sys<\/td><td>maxcryptmon.sys<\/td><\/tr><tr><td>maxproc64.sys<\/td><td>maxprotector.sys<\/td><td>mbae64.sys<\/td><td>mbam.sys<\/td><td>mbamchameleon.sys<\/td><\/tr><tr><td>mbamshuriken.sys<\/td><td>mbamswissarmy.sys<\/td><td>mbamwatchdog.sys<\/td><td>mblmon.sys<\/td><td>mcfilemon32.sys<\/td><\/tr><tr><td>mcfilemon64.sys<\/td><td>mcstrg.sys<\/td><td>mearwfltdriver.sys<\/td><td>message.sys<\/td><td>mfdriver.sys<\/td><\/tr><tr><td>mfeaack.sys<\/td><td>mfeaskm.sys<\/td><td>mfeavfk.sys<\/td><td>mfeclnrk.sys<\/td><td>mfeelamk.sys<\/td><\/tr><tr><td>mfefirek.sys<\/td><td>mfehidk.sys<\/td><td>mfencbdc.sys<\/td><td>mfencfilter.sys<\/td><td>mfencoas.sys<\/td><\/tr><tr><td>mfencrk.sys<\/td><td>mfeplk.sys<\/td><td>mfewfpk.sys<\/td><td>miniicpt.sys<\/td><td>minispy.sys<\/td><\/tr><tr><td>minitrc.sys<\/td><td>mlsaff.sys<\/td><td>mmpsy32.sys<\/td><td>mmpsy64.sys<\/td><td>monsterk.sys<\/td><\/tr><tr><td>mozycorpfilter.sys<\/td><td>mozyenterprisefilter.sys<\/td><td>mozyentfilter.sys<\/td><td>mozyhomefilter.sys<\/td><td>mozynextfilter.sys<\/td><\/tr><tr><td>mozyoemfilter.sys<\/td><td>mozyprofilter.sys<\/td><td>mpfilter.sys<\/td><td>mpkernel.sys<\/td><td>mpksldrv.sys<\/td><\/tr><tr><td>mpxmon.sys<\/td><td>mracdrv.sys<\/td><td>mrxgoogle.sys<\/td><td>mscan-rt.sys<\/td><td>msiodrv4.sys<\/td><\/tr><tr><td>msixpackagingtoolmonitor.sys<\/td><td>msnfsflt.sys<\/td><td>mspy.sys<\/td><td>mssecflt.sys<\/td><td>mtsvcdf.sys<\/td><\/tr><tr><td>mumdi.sys<\/td><td>mwac.sys<\/td><td>mwatcher.sys<\/td><td>mwfsmfltr.sys<\/td><td>mydlpmf.sys<\/td><\/tr><tr><td>namechanger.sys<\/td><td>nanoavmf.sys<\/td><td>naswsp.sys<\/td><td>ndgdmk.sys<\/td><td>neokerbyfilter<\/td><\/tr><tr><td>netaccctrl.sys<\/td><td>netaccctrl64.sys<\/td><td>netguard.sys<\/td><td>netpeeker.sys<\/td><td>ngscan.sys<\/td><\/tr><tr><td>nlcbhelpi64.sys<\/td><td>nlcbhelpx64.sys<\/td><td>nlcbhelpx86.sys<\/td><td>nlxff.sys<\/td><td>nmlhssrv01.sys<\/td><\/tr><tr><td>nmpfilter.sys<\/td><td>nntinfo.sys<\/td><td>novashield.sys<\/td><td>nowonmf.sys<\/td><td>npetw.sys<\/td><\/tr><tr><td>nprosec.sys<\/td><td>npxgd.sys<\/td><td>npxgd64.sys<\/td><td>nravwka.sys<\/td><td>nrcomgrdka.sys<\/td><\/tr><tr><td>nrcomgrdki.sys<\/td><td>nregsec.sys<\/td><td>nrpmonka.sys<\/td><td>nrpmonki.sys<\/td><td>nsminflt.sys<\/td><\/tr><tr><td>nsminflt64.sys<\/td><td>ntest.sys<\/td><td>ntfsf.sys<\/td><td>ntguard.sys<\/td><td>ntps_fa.sys<\/td><\/tr><tr><td>nullfilter.sys<\/td><td>nvcmflt.sys<\/td><td>nvmon.sys<\/td><td>nwedriver.sys<\/td><td>nxfsmon.sys<\/td><\/tr><tr><td>nxrmflt.sys<\/td><td>oadevice.sys<\/td><td>oavfm.sys<\/td><td>oczminifilter.sys<\/td><td>odfsfilter.sys<\/td><\/tr><tr><td>odfsfimfilter.sys<\/td><td>odfstokenfilter.sys<\/td><td>offsm.sys<\/td><td>omfltlh.sys<\/td><td>osiris.sys<\/td><\/tr><tr><td>ospfile_mini.sys<\/td><td>ospmon.sys<\/td><td>parity.sys<\/td><td>passthrough.sys<\/td><td>path8flt.sys<\/td><\/tr><tr><td>pavdrv.sys<\/td><td>pcpifd.sys<\/td><td>pctcore.sys<\/td><td>pctcore64.sys<\/td><td>pdgenfam.sys<\/td><\/tr><tr><td>pecfilter.sys<\/td><td>perfectworldanticheatsys.sys<\/td><td>pervac.sys<\/td><td>pfkrnl.sys<\/td><td>pfracdrv.sys<\/td><\/tr><tr><td>pgpfs.sys<\/td><td>pgpwdefs.sys<\/td><td>phantomd.sys<\/td><td>phdcbtdrv.sys<\/td><td>pkgfilter.sys<\/td><\/tr><tr><td>pkticpt.sys<\/td><td>plgfltr.sys<\/td><td>plpoffdrv.sys<\/td><td>pointguardvista64f.sys<\/td><td>pointguardvistaf.sys<\/td><\/tr><tr><td>pointguardvistar32.sys<\/td><td>pointguardvistar64.sys<\/td><td>procmon11.sys<\/td><td>proggerdriver.sys<\/td><td>psacfileaccessfilter.sys<\/td><\/tr><tr><td>pscff.sys<\/td><td>psgdflt.sys<\/td><td>psgfoctrl.sys<\/td><td>psinfile.sys<\/td><td>psinproc.sys<\/td><\/tr><tr><td>psisolator.sys<\/td><td>pwipf6.sys<\/td><td>pwprotect.sys<\/td><td>pzdrvxp.sys<\/td><td>qdocumentref.sys<\/td><\/tr><tr><td>qfapflt.sys<\/td><td>qfilter.sys<\/td><td>qfimdvr.sys<\/td><td>qfmon.sys<\/td><td>qminspec.sys<\/td><\/tr><tr><td>qmon.sys<\/td><td>qqprotect.sys<\/td><td>qqprotectx64.sys<\/td><td>qqsysmon.sys<\/td><td>qqsysmonx64.sys<\/td><\/tr><tr><td>qutmdrv.sys<\/td><td>ranpodfs.sys<\/td><td>ransomdefensexxx.sys<\/td><td>ransomdetect.sys<\/td><td>reaqtor.sys<\/td><\/tr><tr><td>redlight.sys<\/td><td>regguard.sys<\/td><td>reghook.sys<\/td><td>regmonex.sys<\/td><td>repdrv.sys<\/td><\/tr><tr><td>repmon.sys<\/td><td>revefltmgr.sys<\/td><td>reveprocprotection.sys<\/td><td>revonetdriver.sys<\/td><td>rflog.sys<\/td><\/tr><tr><td>rgnt.sys<\/td><td>rmdiskmon.sys<\/td><td>rmphvmonitor.sys<\/td><td>rpwatcher.sys<\/td><td>rrmon32.sys<\/td><\/tr><tr><td>rrmon64.sys<\/td><td>rsfdrv.sys<\/td><td>rsflt.sys<\/td><td>rspcrtw.sys<\/td><td>rsrtw.sys<\/td><\/tr><tr><td>rswctrl.sys<\/td><td>rswmon.sys<\/td><td>rtologon.sys<\/td><td>rtw.sys<\/td><td>ruaff.sys<\/td><\/tr><tr><td>rubrikfileaudit.sys<\/td><td>ruidiskfs.sys<\/td><td>ruieye.sys<\/td><td>ruifileaccess.sys<\/td><td>ruimachine.sys<\/td><\/tr><tr><td>ruiminispy.sys<\/td><td>rvsavd.sys<\/td><td>rvsmon.sys<\/td><td>rw7fsflt.sys<\/td><td>rwchangedrv.sys<\/td><\/tr><tr><td>ryfilter.sys<\/td><td>ryguard.sys<\/td><td>safe-agent.sys<\/td><td>safsfilter.sys<\/td><td>sagntflt.sys<\/td><\/tr><tr><td>sahara.sys<\/td><td>sakfile.sys<\/td><td>sakmfile.sys<\/td><td>samflt.sys<\/td><td>samsungrapidfsfltr.sys<\/td><\/tr><tr><td>sanddriver.sys<\/td><td>santa.sys<\/td><td>sascan.sys<\/td><td>savant.sys<\/td><td>savonaccess.sys<\/td><\/tr><tr><td>scaegis.sys<\/td><td>scauthfsflt.sys<\/td><td>scauthiodrv.sys<\/td><td>scensemon.sys<\/td><td>scfltr.sys<\/td><\/tr><tr><td>scifsflt.sys<\/td><td>sciptflt.sys<\/td><td>sconnect.sys<\/td><td>scred.sys<\/td><td>sdactmon.sys<\/td><\/tr><tr><td>sddrvldr.sys<\/td><td>sdvfilter.sys<\/td><td>se46filter.sys<\/td><td>secdodriver.sys<\/td><td>secone_filemon10.sys<\/td><\/tr><tr><td>secone_proc10.sys<\/td><td>secone_reg10.sys<\/td><td>secone_usb.sys<\/td><td>secrmm.sys<\/td><td>secufile.sys<\/td><\/tr><tr><td>secure_os.sys<\/td><td>secure_os_mf.sys<\/td><td>securofsd_x64.sys<\/td><td>sefo.sys<\/td><td>segf.sys<\/td><\/tr><tr><td>segiraflt.sys<\/td><td>segmd.sys<\/td><td>segmp.sys<\/td><td>sentinelmonitor.sys<\/td><td>serdr.sys<\/td><\/tr><tr><td>serfs.sys<\/td><td>sfac.sys<\/td><td>sfavflt.sys<\/td><td>sfdfilter.sys<\/td><td>sfpmonitor.sys<\/td><\/tr><tr><td>sgresflt.sys<\/td><td>shdlpmedia.sys<\/td><td>shdlpsf.sys<\/td><td>sheedantivirusfilterdriver.sys<\/td><td>sheedselfprotection.sys<\/td><\/tr><tr><td>shldflt.sys<\/td><td>si32_file.sys<\/td><td>si64_file.sys<\/td><td>sieflt.sys<\/td><td>simrep.sys<\/td><\/tr><tr><td>sisipsfilefilter<\/td><td>sk.sys<\/td><td>skyamdrv.sys<\/td><td>skyrgdrv.sys<\/td><td>skywpdrv.sys<\/td><\/tr><tr><td>slb_guard.sys<\/td><td>sld.sys<\/td><td>smbresilfilter.sys<\/td><td>smdrvnt.sys<\/td><td>sndacs.sys<\/td><\/tr><tr><td>snexequota.sys<\/td><td>snilog.sys<\/td><td>snimg.sys<\/td><td>snscore.sys<\/td><td>snsrflt.sys<\/td><\/tr><tr><td>sodatpfl.sys<\/td><td>softfilterxxx.sys<\/td><td>soidriver.sys<\/td><td>solitkm.sys<\/td><td>sonar.sys<\/td><\/tr><tr><td>sophosdt2.sys<\/td><td>sophosed.sys<\/td><td>sophosntplwf.sys<\/td><td>sophossupport.sys<\/td><td>spbbcdrv.sys<\/td><\/tr><tr><td>spellmon.sys<\/td><td>spider3g.sys<\/td><td>spiderg3.sys<\/td><td>spiminifilter.sys<\/td><td>spotlight.sys<\/td><\/tr><tr><td>sprtdrv.sys<\/td><td>sqlsafefilterdriver.sys<\/td><td>srminifilterdrv.sys<\/td><td>srtsp.sys<\/td><td>srtsp64.sys<\/td><\/tr><tr><td>srtspit.sys<\/td><td>ssfmonm.sys<\/td><td>ssrfsf.sys<\/td><td>ssvhook.sys<\/td><td>stcvsm.sys<\/td><\/tr><tr><td>stegoprotect.sys<\/td><td>stest.sys<\/td><td>stflt.sys<\/td><td>stkrnl64.sys<\/td><td>storagedrv.sys<\/td><\/tr><tr><td>strapvista.sys<\/td><td>strapvista64.sys<\/td><td>svcbt.sys<\/td><td>swcommfltr.sys<\/td><td>swfsfltr.sys<\/td><\/tr><tr><td>swfsfltrv2.sys<\/td><td>swin.sys<\/td><td>symafr.sys<\/td><td>symefa.sys<\/td><td>symefa64.sys<\/td><\/tr><tr><td>symefasi.sys<\/td><td>symevent.sys<\/td><td>symevent64x86.sys<\/td><td>symevnt.sys<\/td><td>symevnt32.sys<\/td><\/tr><tr><td>symhsm.sys<\/td><td>symrg.sys<\/td><td>sysdiag.sys<\/td><td>sysmon.sys<\/td><td>sysmondrv.sys<\/td><\/tr><tr><td>sysplant.sys<\/td><td>szardrv.sys<\/td><td>szdfmdrv.sys<\/td><td>szdfmdrv_usb.sys<\/td><td>szedrdrv.sys<\/td><\/tr><tr><td>szpcmdrv.sys<\/td><td>taniumrecorderdrv.sys<\/td><td>taobserveflt.sys<\/td><td>tbfsfilt.sys<\/td><td>tbmninifilter.sys<\/td><\/tr><tr><td>tbrdrv.sys<\/td><td>tdevflt.sys<\/td><td>tedrdrv.sys<\/td><td>tenrsafe2.sys<\/td><td>tesmon.sys<\/td><\/tr><tr><td>tesxnginx.sys<\/td><td>tesxporter.sys<\/td><td>tffregnt.sys<\/td><td>tfsflt.sys<\/td><td>tgfsmf.sys<\/td><\/tr><tr><td>thetta.sys<\/td><td>thfilter.sys<\/td><td>threatstackfim.sys<\/td><td>tkdac2k.sys<\/td><td>tkdacxp.sys<\/td><\/tr><tr><td>tkdacxp64.sys<\/td><td>tkfsavxp.sys<\/td><td>tkfsavxp64.sys<\/td><td>tkfsft.sys<\/td><td>tkfsft64.sys<\/td><\/tr><tr><td>tkpcftcb.sys<\/td><td>tkpcftcb64.sys<\/td><td>tkpl2k.sys<\/td><td>tkpl2k64.sys<\/td><td>tksp2k.sys<\/td><\/tr><tr><td>tkspxp.sys<\/td><td>tkspxp64.sys<\/td><td>tmactmon.sys<\/td><td>tmcomm.sys<\/td><td>tmesflt.sys<\/td><\/tr><tr><td>tmevtmgr.sys<\/td><td>tmeyes.sys<\/td><td>tmfsdrv2.sys<\/td><td>tmkmsnsr.sys<\/td><td>tmnciesc.sys<\/td><\/tr><tr><td>tmpreflt.sys<\/td><td>tmumh.sys<\/td><td>tmums.sys<\/td><td>tmusa.sys<\/td><td>tmxpflt.sys<\/td><\/tr><tr><td>topdogfsfilt.sys<\/td><td>trace.sys<\/td><td>trfsfilter.sys<\/td><td>tritiumfltr.sys<\/td><td>trpmnflt.sys<\/td><\/tr><tr><td>trufos.sys<\/td><td>trustededgeffd.sys<\/td><td>tsifilemon.sys<\/td><td>tss.sys<\/td><td>tstfilter.sys<\/td><\/tr><tr><td>tstfsredir.sys<\/td><td>tstregredir.sys<\/td><td>tsyscare.sys<\/td><td>tvdriver.sys<\/td><td>tvfiltr.sys<\/td><\/tr><tr><td>tvmfltr.sys<\/td><td>tvptfile.sys<\/td><td>tvspfltr.sys<\/td><td>twbdcfilter.sys<\/td><td>txfilefilter.sys<\/td><\/tr><tr><td>txregmon.sys<\/td><td>uamflt.sys<\/td><td>ucafltdriver.sys<\/td><td>ufdfilter.sys<\/td><td>uncheater.sys<\/td><\/tr><tr><td>upguardrealtime.sys<\/td><td>usbl_ifsfltr.sys<\/td><td>usbpdh.sys<\/td><td>usbtest.sys<\/td><td>uvmcifsf.sys<\/td><\/tr><tr><td>uwfreg.sys<\/td><td>uwfs.sys<\/td><td>v3flt2k.sys<\/td><td>v3flu2k.sys<\/td><td>v3ift2k.sys<\/td><\/tr><tr><td>v3iftmnt.sys<\/td><td>v3mifint.sys<\/td><td>varpffmon.sys<\/td><td>vast.sys<\/td><td>vcdriv.sys<\/td><\/tr><tr><td>vchle.sys<\/td><td>vcmfilter.sys<\/td><td>vcreg.sys<\/td><td>veeamfct.sys<\/td><td>vfdrv.sys<\/td><\/tr><tr><td>vfilefilter.sys<\/td><td>vfpd.sys<\/td><td>vfsenc.sys<\/td><td>vhddelta.sys<\/td><td>vhdtrack.sys<\/td><\/tr><tr><td>vidderfs.sys<\/td><td>vintmfs.sys<\/td><td>virtfile.sys<\/td><td>virtualagent.sys<\/td><td>vk_fsf.sys<\/td><\/tr><tr><td>vlflt.sys<\/td><td>vmwvvpfsd.sys<\/td><td>vollock.sys<\/td><td>vpdrvnt.sys<\/td><td>vradfil2.sys<\/td><\/tr><tr><td>vraptdef.sys<\/td><td>vraptflt.sys<\/td><td>vrarnflt.sys<\/td><td>vrbbdflt.sys<\/td><td>vrexpdrv.sys<\/td><\/tr><tr><td>vrfsftm.sys<\/td><td>vrfsftmx.sys<\/td><td>vrnsfilter.sys<\/td><td>vrsdam.sys<\/td><td>vrsdcore.sys<\/td><\/tr><tr><td>vrsdetri.sys<\/td><td>vrsdetrix.sys<\/td><td>vrsdfmx.sys<\/td><td>vrvbrfsfilter.sys<\/td><td>vsepflt.sys<\/td><\/tr><tr><td>vsscanner.sys<\/td><td>vtsysflt.sys<\/td><td>vxfsrep.sys<\/td><td>wats_se.sys<\/td><td>wbfilter.sys<\/td><\/tr><tr><td>wcsdriver.sys<\/td><td>wdcfilter.sys<\/td><td>wdfilter.sys<\/td><td>wdocsafe.sys<\/td><td>wfp_mrt.sys<\/td><\/tr><tr><td>wgfile.sys<\/td><td>whiteshield.sys<\/td><td>windbdrv.sys<\/td><td>windd.sys<\/td><td>winfladrv.sys<\/td><\/tr><tr><td>winflahdrv.sys<\/td><td>winfldrv.sys<\/td><td>winfpdrv.sys<\/td><td>winload.sys<\/td><td>winteonminifilter.sys<\/td><\/tr><tr><td>wiper.sys<\/td><td>wlminisecmod.sys<\/td><td>wntgpdrv.sys<\/td><td>wraekernel.sys<\/td><td>wrcore.sys<\/td><\/tr><tr><td>wrcore.x64.sys<\/td><td>wrdwizfileprot.sys<\/td><td>wrdwizregprot.sys<\/td><td>wrdwizscanner.sys<\/td><td>wrdwizsecure64.sys<\/td><\/tr><tr><td>wrkrn.sys<\/td><td>wrpfv.sys<\/td><td>wsafefilter.sys<\/td><td>wscm.sys<\/td><td>xcpl.sys<\/td><\/tr><tr><td>xendowflt.sys<\/td><td>xfsgk.sys<\/td><td>xhunter1.sys<\/td><td>xhunter64.sys<\/td><td>xiaobaifs.sys<\/td><\/tr><tr><td>xiaobaifsr.sys<\/td><td>xkfsfd.sys<\/td><td>xoiv8x64.sys<\/td><td>xomfcbt8x64.sys<\/td><td>yahoostorage.sys<\/td><\/tr><tr><td>yfsd.sys<\/td><td>yfsd2.sys<\/td><td>yfsdr.sys<\/td><td>yfsrd.sys<\/td><td>zampit_ml.sys<\/td><\/tr><tr><td>zesfsmf.sys<\/td><td>zqfilter.sys<\/td><td>zsfprt.sys<\/td><td>zwasatom.sys<\/td><td>zwpxesvr.sys<\/td><\/tr><tr><td>zxfsfilt.sys<\/td><td>zyfm.sys<\/td><td>zzpensys.sys<\/td><td>&nbsp;<\/td><td>&nbsp;<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"further-reading\">Further reading<\/h2>\n\n\n\n<p>For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: <a href=\"https:\/\/aka.ms\/threatintelblog\">https:\/\/aka.ms\/threatintelblog<\/a>.<\/p>\n\n\n\n<p>To get notified about new publications and to join discussions on social media, follow us on Twitter at <a href=\"https:\/\/twitter.com\/MsftSecIntel\">https:\/\/twitter.com\/MsftSecIntel<\/a>. <\/p>\n","protected":false},"excerpt":{"rendered":"<p>In a recent investigation by Microsoft Incident Response of a BlackByte 2.0 ransomware attack, we found that the threat actor progressed through the full attack chain, from initial access to impact, in less than five days, causing significant business disruption for the victim organization. <\/p>\n","protected":false},"author":153,"featured_media":130850,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"ep_exclude_from_search":false,"_classifai_error":"","footnotes":""},"content-type":[3663],"topic":[3674,3687],"products":[3690,3694,3856,3693,3854,3720,3726],"threat-intelligence":[3727,3730,3735,3739],"tags":[3896,3898,3921],"coauthors":[2064],"class_list":["post-130822","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","content-type-research","topic-incident-response","topic-threat-intelligence","products-microsoft-defender","products-microsoft-defender-for-endpoint","products-microsoft-defender-vulnerability-management","products-microsoft-defender-xdr","products-microsoft-incident-response","products-microsoft-security-experts","products-microsoft-sentinel","threat-intelligence-attacker-techniques-tools-and-infrastructure","threat-intelligence-cybercrime","threat-intelligence-ransomware","threat-intelligence-vulnerabilities-and-exploits","tag-credential-theft","tag-elevation-of-privilege","tag-living-off-the-land","review-flag-1694638272-264","review-flag-1694638265-576","review-flag-1694638265-310","review-flag-1694638271-781","review-flag-1-1694638265-354","review-flag-2-1694638266-864","review-flag-3-1694638266-241","review-flag-8-1694638266-352","review-flag-disable","review-flag-disabled","review-flag-lever-1694638263-909","review-flag-new-1694638263-340"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v23.9 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>The five-day job: A BlackByte ransomware intrusion case study | Microsoft Security Blog<\/title>\n<meta name=\"description\" content=\"Microsoft IR investigation of a BlackByte 2.0 ransomware attack progressed thru full attack chain from initial access to impact in five days.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2023\/07\/06\/the-five-day-job-a-blackbyte-ransomware-intrusion-case-study\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"The five-day job: A BlackByte ransomware intrusion case study | Microsoft Security Blog\" \/>\n<meta property=\"og:description\" content=\"Microsoft IR investigation of a BlackByte 2.0 ransomware attack progressed thru full attack chain from initial access to impact in five days.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2023\/07\/06\/the-five-day-job-a-blackbyte-ransomware-intrusion-case-study\/\" \/>\n<meta property=\"og:site_name\" content=\"Microsoft Security Blog\" \/>\n<meta property=\"article:published_time\" content=\"2023-07-06T17:00:00+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2024-07-03T18:59:34+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/07\/BlackByte-ransomware-social.png\" \/>\n\t<meta property=\"og:image:width\" content=\"1803\" \/>\n\t<meta property=\"og:image:height\" content=\"903\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"Microsoft Incident Response\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:image\" content=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/07\/BlackByte-ransomware-social.png\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Microsoft Incident Response\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"18 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2023\/07\/06\/the-five-day-job-a-blackbyte-ransomware-intrusion-case-study\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2023\/07\/06\/the-five-day-job-a-blackbyte-ransomware-intrusion-case-study\/\"},\"author\":[{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/author\/detection-and-response-team-dart\/\",\"@type\":\"Person\",\"@name\":\"Microsoft Incident Response\"}],\"headline\":\"The five-day job: A BlackByte ransomware intrusion case study\",\"datePublished\":\"2023-07-06T17:00:00+00:00\",\"dateModified\":\"2024-07-03T18:59:34+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2023\/07\/06\/the-five-day-job-a-blackbyte-ransomware-intrusion-case-study\/\"},\"wordCount\":5444,\"publisher\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2023\/07\/06\/the-five-day-job-a-blackbyte-ransomware-intrusion-case-study\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/07\/Featured-image-BlackByte.jpg\",\"keywords\":[\"Credential theft\",\"Elevation of privilege\",\"Living off the land\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2023\/07\/06\/the-five-day-job-a-blackbyte-ransomware-intrusion-case-study\/\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2023\/07\/06\/the-five-day-job-a-blackbyte-ransomware-intrusion-case-study\/\",\"name\":\"The five-day job: A BlackByte ransomware intrusion case study | Microsoft Security Blog\",\"isPartOf\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2023\/07\/06\/the-five-day-job-a-blackbyte-ransomware-intrusion-case-study\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2023\/07\/06\/the-five-day-job-a-blackbyte-ransomware-intrusion-case-study\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/07\/Featured-image-BlackByte.jpg\",\"datePublished\":\"2023-07-06T17:00:00+00:00\",\"dateModified\":\"2024-07-03T18:59:34+00:00\",\"description\":\"Microsoft IR investigation of a BlackByte 2.0 ransomware attack progressed thru full attack chain from initial access to impact in five days.\",\"breadcrumb\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2023\/07\/06\/the-five-day-job-a-blackbyte-ransomware-intrusion-case-study\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2023\/07\/06\/the-five-day-job-a-blackbyte-ransomware-intrusion-case-study\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2023\/07\/06\/the-five-day-job-a-blackbyte-ransomware-intrusion-case-study\/#primaryimage\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/07\/Featured-image-BlackByte.jpg\",\"contentUrl\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/07\/Featured-image-BlackByte.jpg\",\"width\":1199,\"height\":800,\"caption\":\"Looking into a conference room or board room meeting including people sitting around table in a room with international time clocks.\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2023\/07\/06\/the-five-day-job-a-blackbyte-ransomware-intrusion-case-study\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"The five-day job: A BlackByte ransomware intrusion case study\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#website\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\",\"name\":\"Microsoft Security Blog\",\"description\":\"Expert coverage of cybersecurity topics\",\"publisher\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization\",\"name\":\"Microsoft Security Blog\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/08\/cropped-cropped-microsoft_logo_element.png\",\"contentUrl\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/08\/cropped-cropped-microsoft_logo_element.png\",\"width\":512,\"height\":512,\"caption\":\"Microsoft Security Blog\"},\"image\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#\/schema\/logo\/image\/\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"The five-day job: A BlackByte ransomware intrusion case study | Microsoft Security Blog","description":"Microsoft IR investigation of a BlackByte 2.0 ransomware attack progressed thru full attack chain from initial access to impact in five days.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2023\/07\/06\/the-five-day-job-a-blackbyte-ransomware-intrusion-case-study\/","og_locale":"en_US","og_type":"article","og_title":"The five-day job: A BlackByte ransomware intrusion case study | Microsoft Security Blog","og_description":"Microsoft IR investigation of a BlackByte 2.0 ransomware attack progressed thru full attack chain from initial access to impact in five days.","og_url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2023\/07\/06\/the-five-day-job-a-blackbyte-ransomware-intrusion-case-study\/","og_site_name":"Microsoft Security Blog","article_published_time":"2023-07-06T17:00:00+00:00","article_modified_time":"2024-07-03T18:59:34+00:00","og_image":[{"width":1803,"height":903,"url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/07\/BlackByte-ransomware-social.png","type":"image\/png"}],"author":"Microsoft Incident Response","twitter_card":"summary_large_image","twitter_image":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/07\/BlackByte-ransomware-social.png","twitter_misc":{"Written by":"Microsoft Incident Response","Est. reading time":"18 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2023\/07\/06\/the-five-day-job-a-blackbyte-ransomware-intrusion-case-study\/#article","isPartOf":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2023\/07\/06\/the-five-day-job-a-blackbyte-ransomware-intrusion-case-study\/"},"author":[{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/author\/detection-and-response-team-dart\/","@type":"Person","@name":"Microsoft Incident Response"}],"headline":"The five-day job: A BlackByte ransomware intrusion case study","datePublished":"2023-07-06T17:00:00+00:00","dateModified":"2024-07-03T18:59:34+00:00","mainEntityOfPage":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2023\/07\/06\/the-five-day-job-a-blackbyte-ransomware-intrusion-case-study\/"},"wordCount":5444,"publisher":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization"},"image":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2023\/07\/06\/the-five-day-job-a-blackbyte-ransomware-intrusion-case-study\/#primaryimage"},"thumbnailUrl":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/07\/Featured-image-BlackByte.jpg","keywords":["Credential theft","Elevation of privilege","Living off the land"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2023\/07\/06\/the-five-day-job-a-blackbyte-ransomware-intrusion-case-study\/","url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2023\/07\/06\/the-five-day-job-a-blackbyte-ransomware-intrusion-case-study\/","name":"The five-day job: A BlackByte ransomware intrusion case study | Microsoft Security Blog","isPartOf":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2023\/07\/06\/the-five-day-job-a-blackbyte-ransomware-intrusion-case-study\/#primaryimage"},"image":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2023\/07\/06\/the-five-day-job-a-blackbyte-ransomware-intrusion-case-study\/#primaryimage"},"thumbnailUrl":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/07\/Featured-image-BlackByte.jpg","datePublished":"2023-07-06T17:00:00+00:00","dateModified":"2024-07-03T18:59:34+00:00","description":"Microsoft IR investigation of a BlackByte 2.0 ransomware attack progressed thru full attack chain from initial access to impact in five days.","breadcrumb":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2023\/07\/06\/the-five-day-job-a-blackbyte-ransomware-intrusion-case-study\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.microsoft.com\/en-us\/security\/blog\/2023\/07\/06\/the-five-day-job-a-blackbyte-ransomware-intrusion-case-study\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2023\/07\/06\/the-five-day-job-a-blackbyte-ransomware-intrusion-case-study\/#primaryimage","url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/07\/Featured-image-BlackByte.jpg","contentUrl":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/07\/Featured-image-BlackByte.jpg","width":1199,"height":800,"caption":"Looking into a conference room or board room meeting including people sitting around table in a room with international time clocks."},{"@type":"BreadcrumbList","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2023\/07\/06\/the-five-day-job-a-blackbyte-ransomware-intrusion-case-study\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/"},{"@type":"ListItem","position":2,"name":"The five-day job: A BlackByte ransomware intrusion case study"}]},{"@type":"WebSite","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#website","url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/","name":"Microsoft Security Blog","description":"Expert coverage of cybersecurity topics","publisher":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization","name":"Microsoft Security Blog","url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/08\/cropped-cropped-microsoft_logo_element.png","contentUrl":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/08\/cropped-cropped-microsoft_logo_element.png","width":512,"height":512,"caption":"Microsoft Security Blog"},"image":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#\/schema\/logo\/image\/"}}]}},"msxcm_display_generated_audio":false,"distributor_meta":false,"distributor_terms":false,"distributor_media":false,"distributor_original_site_name":"Microsoft Security Blog","distributor_original_site_url":"https:\/\/www.microsoft.com\/en-us\/security\/blog","push-errors":false,"_links":{"self":[{"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/posts\/130822"}],"collection":[{"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/users\/153"}],"replies":[{"embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/comments?post=130822"}],"version-history":[{"count":4,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/posts\/130822\/revisions"}],"predecessor-version":[{"id":134942,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/posts\/130822\/revisions\/134942"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/media\/130850"}],"wp:attachment":[{"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/media?parent=130822"}],"wp:term":[{"taxonomy":"content-type","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/content-type?post=130822"},{"taxonomy":"topic","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/topic?post=130822"},{"taxonomy":"products","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/products?post=130822"},{"taxonomy":"threat-intelligence","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/threat-intelligence?post=130822"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/tags?post=130822"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/coauthors?post=130822"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}