blackcat | 0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479

Analysis

max time kernel
600s
max time network
485s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
18/10/2022, 09:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

blackcat.exe
Size

2.6MB
MD5

bb266486ee8ac70c0687989e02cefa14
SHA1

11203786b17bb3873d46acae32a898c8dac09850
SHA256

0c6f444c6940a3688ffc6f8b9d5774c032e3551ebbccb64e4280ae7fc1fac479
SHA512

a167779fc95a5cf0a3eff86211e9e08c282470e050b17ae62c7499a82ea59b3447446eafea9d7b5c5ba833b7a2d060f76530b00509dd5ff7904a0735d83e14c4
SSDEEP

49152:rEqvaaAjc2hdKjb8WXqE1PiEbE/TKMt3/RgaJ2wW4PRT8O1:rbyaALKjwWXV1P9oVvwwW4JT8

Score

10^/10

blackcat discovery evasion ransomware trojan

Malware Config

Extracted

Path

C:\RECOVER-sykffle-FILES.txt

Ransom Note

>> Introduction Important files on your system was ENCRYPTED and now they have have "sykffle" extension. In order to recover your files you need to follow instructions below. >> Sensitive Data Sensitive data on your system was DOWNLOADED and it will be PUBLISHED if you refuse to cooperate. Data includes: - Employees personal data, CVs, DL, SSN. - Complete network map including credentials for local and remote services. - Financial information including clients data, bills, budgets, annual reports, bank statements. - Complete datagrams/schemas/drawings for manufacturing in solidworks format - And more... Private preview is published here: http://zujgzbu5y64xbmvc42addp4lxkoosb4tslf5mehnh7pvqjpwxn5gokyd.onion/b21e1fb6-ff88-425b-8339-3523179a1e3e/886cf430a907bbe9a3fd38fb704d524dbd199c1b042ad6f65dc72ad78704e21 >> CAUTION DO NOT MODIFY FILES YOURSELF. DO NOT USE THIRD PARTY SOFTWARE TO RESTORE YOUR DATA. YOU MAY DAMAGE YOUR FILES, IT WILL RESULT IN PERMANENT DATA LOSS. YOUR DATA IS STRONGLY ENCRYPTED, YOU CAN NOT DECRYPT IT WITHOUT CIPHER KEY. >> Recovery procedure Follow these simple steps to get in touch and recover your data: 1) Download and install Tor Browser from: https://torproject.org/ 2) Navigate to: http://mu75ltv3lxd24dbyu6gtvmnwybecigs5auki7fces437xvvflzva2nqd.onion/?access-key=pO%2FtDZUkDJmLRDFtacf9XDzvNOCDaxV1DmGGOW0NemMFziuDeq6qjLVkYVkAnFmH8oACAox3qG8j5UWMe96jz2HYBbI%2Fch6iShOVsiRC4QlIV3wYzxY9Tun8gTFdJFfVBQLIiCPCw17WA9lcE%2FcDWZnQuvzEX%2FCT5KWn7IrgjvsMccXyY2nVgzeh209K9lWKPRZeVbRE2N2DU3PNy1VLPS0dxzr%2F7Z%2BRFCOYy5GLm2u2W3o4C5%2FbveLywDlUDc5IC7GNbPh%2FvlNeRUm%2Fe0TwvZP5kXKhG56mnIm6xQCMPvNwckGrtA9CGzCk6hduJ7Hg1gyMaMH4U70afYmiez0fRQ%3D%3D

URLs

http://zujgzbu5y64xbmvc42addp4lxkoosb4tslf5mehnh7pvqjpwxn5gokyd.onion/b21e1fb6-ff88-425b-8339-3523179a1e3e/886cf430a907bbe9a3fd38fb704d524dbd199c1b042ad6f65dc72ad78704e21

http://mu75ltv3lxd24dbyu6gtvmnwybecigs5auki7fces437xvvflzva2nqd.onion/?access-key=pO%2FtDZUkDJmLRDFtacf9XDzvNOCDaxV1DmGGOW0NemMFziuDeq6qjLVkYVkAnFmH8oACAox3qG8j5UWMe96jz2HYBbI%2Fch6iShOVsiRC4QlIV3wYzxY9Tun8gTFdJFfVBQLIiCPCw17WA9lcE%2FcDWZnQuvzEX%2FCT5KWn7IrgjvsMccXyY2nVgzeh209K9lWKPRZeVbRE2N2DU3PNy1VLPS0dxzr%2F7Z%2BRFCOYy5GLm2u2W3o4C5%2FbveLywDlUDc5IC7GNbPh%2FvlNeRUm%2Fe0TwvZP5kXKhG56mnIm6xQCMPvNwckGrtA9CGzCk6hduJ7Hg1gyMaMH4U70afYmiez0fRQ%3D%3D

Extracted

Family

blackcat

Credentials

Username:
KELLERSUPPLY\Administrator
Password:
d@gw00d

Username:
KELLERSUPPLY\AdminRecovery
Password:
K3ller!$Supp1y

Username:
.\Administrator
Password:
d@gw00d

Username:
.\Administrator
Password:
K3ller!$Supp1y

Attributes

enable_network_discovery
true
enable_self_propagation
false
enable_set_wallpaper
true
extension
sykffle
note_file_name
RECOVER-${EXTENSION}-FILES.txt
note_full_text
>> Introduction Important files on your system was ENCRYPTED and now they have have "${EXTENSION}" extension. In order to recover your files you need to follow instructions below. >> Sensitive Data Sensitive data on your system was DOWNLOADED and it will be PUBLISHED if you refuse to cooperate. Data includes: - Employees personal data, CVs, DL, SSN. - Complete network map including credentials for local and remote services. - Financial information including clients data, bills, budgets, annual reports, bank statements. - Complete datagrams/schemas/drawings for manufacturing in solidworks format - And more... Private preview is published here: http://zujgzbu5y64xbmvc42addp4lxkoosb4tslf5mehnh7pvqjpwxn5gokyd.onion/b21e1fb6-ff88-425b-8339-3523179a1e3e/886cf430a907bbe9a3fd38fb704d524dbd199c1b042ad6f65dc72ad78704e21 >> CAUTION DO NOT MODIFY FILES YOURSELF. DO NOT USE THIRD PARTY SOFTWARE TO RESTORE YOUR DATA. YOU MAY DAMAGE YOUR FILES, IT WILL RESULT IN PERMANENT DATA LOSS. YOUR DATA IS STRONGLY ENCRYPTED, YOU CAN NOT DECRYPT IT WITHOUT CIPHER KEY. >> Recovery procedure Follow these simple steps to get in touch and recover your data: 1) Download and install Tor Browser from: https://torproject.org/ 2) Navigate to: http://mu75ltv3lxd24dbyu6gtvmnwybecigs5auki7fces437xvvflzva2nqd.onion/?access-key=${ACCESS_KEY}

rsa_pubkey.plain

Signatures

BlackCat
A Rust-based ransomware sold as RaaS first seen in late 2021.
ransomware blackcat
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Disables taskbar notifications via registry modification
evasion

Executes dropped EXE 29 IoCs

pid	Process
464	Process not Found
832	alg.exe
1660	aspnet_state.exe
2024	mscorsvw.exe
1456	mscorsvw.exe
1980	mscorsvw.exe
1464	mscorsvw.exe
2032	mscorsvw.exe
276	mscorsvw.exe
1788	mscorsvw.exe
1176	mscorsvw.exe
1728	mscorsvw.exe
796	mscorsvw.exe
1648	mscorsvw.exe
1480	mscorsvw.exe
216	mscorsvw.exe
2012	mscorsvw.exe
1640	mscorsvw.exe
1176	mscorsvw.exe
1364	mscorsvw.exe
1360	mscorsvw.exe
2032	mscorsvw.exe
1480	mscorsvw.exe
1736	mscorsvw.exe
2012	mscorsvw.exe
1708	mscorsvw.exe
1068	mscorsvw.exe
1364	mscorsvw.exe
796	mscorsvw.exe

Modifies extensions of user files 17 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File opened for modification	C:\Users\Admin\Pictures\UnblockExit.tif.sykffle	blackcat.exe
File opened for modification	C:\Users\Admin\Pictures\ShowGrant.tiff	blackcat.exe
File renamed	C:\Users\Admin\Pictures\ExpandGet.png => C:\Users\Admin\Pictures\ExpandGet.png.sykffle	blackcat.exe
File opened for modification	C:\Users\Admin\Pictures\MountGrant.raw.sykffle	blackcat.exe
File renamed	C:\Users\Admin\Pictures\UnblockExit.tif => C:\Users\Admin\Pictures\UnblockExit.tif.sykffle	blackcat.exe
File renamed	C:\Users\Admin\Pictures\UpdateGet.tiff => C:\Users\Admin\Pictures\UpdateGet.tiff.sykffle	blackcat.exe
File opened for modification	C:\Users\Admin\Pictures\UpdateGet.tiff.sykffle	blackcat.exe
File opened for modification	C:\Users\Admin\Pictures\StopSet.tiff	blackcat.exe
File opened for modification	C:\Users\Admin\Pictures\UpdateGet.tiff	blackcat.exe
File opened for modification	C:\Users\Admin\Pictures\PushUnregister.raw.sykffle	blackcat.exe
File renamed	C:\Users\Admin\Pictures\StopSet.tiff => C:\Users\Admin\Pictures\StopSet.tiff.sykffle	blackcat.exe
File renamed	C:\Users\Admin\Pictures\MountGrant.raw => C:\Users\Admin\Pictures\MountGrant.raw.sykffle	blackcat.exe
File renamed	C:\Users\Admin\Pictures\PushUnregister.raw => C:\Users\Admin\Pictures\PushUnregister.raw.sykffle	blackcat.exe
File renamed	C:\Users\Admin\Pictures\ShowGrant.tiff => C:\Users\Admin\Pictures\ShowGrant.tiff.sykffle	blackcat.exe
File opened for modification	C:\Users\Admin\Pictures\StopSet.tiff.sykffle	blackcat.exe
File opened for modification	C:\Users\Admin\Pictures\ExpandGet.png.sykffle	blackcat.exe
File opened for modification	C:\Users\Admin\Pictures\ShowGrant.tiff.sykffle	blackcat.exe

Loads dropped DLL 3 IoCs

pid	Process
464	Process not Found
464	Process not Found
464	Process not Found

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-4063495947-34355257-727531523-1000	alg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-4063495947-34355257-727531523-1000\EnableNotifications = "0"	alg.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\G:	alg.exe
File opened (read-only)	\??\J:	alg.exe
File opened (read-only)	\??\U:	alg.exe
File opened (read-only)	\??\Z:	blackcat.exe
File opened (read-only)	\??\L:	alg.exe
File opened (read-only)	\??\O:	alg.exe
File opened (read-only)	\??\X:	alg.exe
File opened (read-only)	\??\F:	alg.exe
File opened (read-only)	\??\I:	alg.exe
File opened (read-only)	\??\M:	alg.exe
File opened (read-only)	\??\N:	alg.exe
File opened (read-only)	\??\T:	alg.exe
File opened (read-only)	\??\V:	alg.exe
File opened (read-only)	\??\W:	alg.exe
File opened (read-only)	\??\H:	alg.exe
File opened (read-only)	\??\K:	alg.exe
File opened (read-only)	\??\P:	alg.exe
File opened (read-only)	\??\Q:	alg.exe
File opened (read-only)	\??\R:	alg.exe
File opened (read-only)	\??\S:	alg.exe
File opened (read-only)	\??\Y:	alg.exe
File opened (read-only)	\??\E:	alg.exe

Drops file in System32 directory 22 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\system32\alg.exe	blackcat.exe
File opened for modification	\??\c:\windows\SysWOW64\svchost.exe	blackcat.exe
File opened for modification	\??\c:\windows\system32\vssvc.exe	alg.exe
File opened for modification	\??\c:\windows\system32\wbem\wmiApsrv.exe	alg.exe
File created	\??\c:\windows\system32\jnlklcai.tmp	blackcat.exe
File opened for modification	\??\c:\windows\system32\svchost.exe	alg.exe
File opened for modification	\??\c:\windows\system32\dllhost.exe	alg.exe
File opened for modification	\??\c:\windows\system32\fxssvc.exe	alg.exe
File opened for modification	\??\c:\windows\system32\snmptrap.exe	alg.exe
File opened for modification	\??\c:\windows\system32\wbengine.exe	alg.exe
File opened for modification	\??\c:\windows\system32\msdtc.exe	alg.exe
File opened for modification	\??\c:\windows\system32\vds.exe	alg.exe
File opened for modification	\??\c:\windows\system32\searchindexer.exe	alg.exe
File opened for modification	\??\c:\windows\SysWOW64\alg.exe	blackcat.exe
File created	\??\c:\windows\SysWOW64\jaceljeb.tmp	blackcat.exe
File opened for modification	\??\c:\windows\system32\svchost.exe	blackcat.exe
File opened for modification	\??\c:\windows\system32\lsass.exe	alg.exe
File opened for modification	\??\c:\windows\system32\ieetwcollector.exe	alg.exe
File opened for modification	\??\c:\windows\system32\msiexec.exe	alg.exe
File opened for modification	\??\c:\windows\syswow64\perfhost.exe	alg.exe
File opened for modification	\??\c:\windows\system32\locator.exe	alg.exe
File opened for modification	\??\c:\windows\system32\ui0detect.exe	alg.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\Desktop\WallPaper = "C:\\Users\\Admin\\Desktop\\RECOVER-sykffle-FILES.txt.png"	blackcat.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\RECOVER-sykffle-FILES.txt.png"	blackcat.exe

Drops file in Program Files directory 20 IoCs

description	ioc	Process
File created	\??\c:\program files\google\chrome\Application\89.0.4389.114\inkoifpf.tmp	alg.exe
File created	\??\c:\program files (x86)\microsoft office\office14\lbiimmjd.tmp	alg.exe
File opened for modification	\??\c:\program files\windows media player\wmpnetwk.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.exe	alg.exe
File opened for modification	\??\c:\program files (x86)\microsoft office\office14\groove.exe	alg.exe
File created	C:\Program Files\7-Zip\hlepeenn.tmp	alg.exe
File opened for modification	\??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe	alg.exe
File created	\??\c:\program files (x86)\mozilla maintenance service\eofomopm.tmp	alg.exe
File created	\??\c:\program files (x86)\common files\microsoft shared\source engine\iaecfajb.tmp	alg.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\FlickLearningWizard.exe	alg.exe
File created	C:\Program Files\7-Zip\mnmjadqg.tmp	alg.exe
File opened for modification	\??\c:\program files\google\chrome\Application\89.0.4389.114\elevation_service.exe	alg.exe
File opened for modification	\??\c:\program files (x86)\google\update\googleupdate.exe	alg.exe
File opened for modification	\??\c:\program files (x86)\common files\microsoft shared\source engine\ose.exe	alg.exe
File created	C:\Program Files\7-Zip\cedpmnkl.tmp	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File created	C:\Program Files\7-Zip\mgecidfd.tmp	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe

Drops file in Windows directory 30 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	\??\c:\windows\microsoft.net\framework64\v4.0.30319\klccldlg.tmp	blackcat.exe
File created	\??\c:\windows\microsoft.net\framework\v2.0.50727\cfogligp.tmp	blackcat.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe	alg.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v4.0.30319\mscorsvw.exe	alg.exe
File opened for modification	\??\c:\windows\ehome\ehrecvr.exe	alg.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework\v2.0.50727\mscorsvw.exe	alg.exe
File opened for modification	\??\c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe	blackcat.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	\??\c:\windows\microsoft.net\framework64\v4.0.30319\noaedjml.tmp	alg.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	\??\c:\windows\microsoft.net\framework\v4.0.30319\eanflkpg.tmp	blackcat.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	\??\c:\windows\servicing\trustedinstaller.exe	alg.exe
File created	\??\c:\windows\microsoft.net\framework64\v2.0.50727\pjgppeqo.tmp	blackcat.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v2.0.50727\mscorsvw.exe	alg.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\windows communication foundation\infocard.exe	alg.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\ehome\ehsched.exe	alg.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v4.0.30319\aspnet_state.exe	blackcat.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v2.0.50727\mscorsvw.exe	blackcat.exe
File opened for modification	\??\c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe	alg.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework\v2.0.50727\mscorsvw.exe	blackcat.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe

Interacts with shadow copies 2 TTPs 2 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
1640	vssadmin.exe
2000	vssadmin.exe

Modifies Control Panel 1 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\Desktop\WallpaperStyle = "0"	blackcat.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
1364	blackcat.exe
832	alg.exe
832	alg.exe
832	alg.exe
832	alg.exe
832	alg.exe
832	alg.exe
832	alg.exe
832	alg.exe
832	alg.exe
832	alg.exe
832	alg.exe
832	alg.exe
832	alg.exe
832	alg.exe
832	alg.exe
832	alg.exe
832	alg.exe
832	alg.exe
832	alg.exe
832	alg.exe
832	alg.exe
832	alg.exe
832	alg.exe
832	alg.exe

Suspicious use of AdjustPrivilegeToken 58 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1948	WMIC.exe
Token: SeSecurityPrivilege	1948	WMIC.exe
Token: SeTakeOwnershipPrivilege	1948	WMIC.exe
Token: SeLoadDriverPrivilege	1948	WMIC.exe
Token: SeSystemProfilePrivilege	1948	WMIC.exe
Token: SeSystemtimePrivilege	1948	WMIC.exe
Token: SeProfSingleProcessPrivilege	1948	WMIC.exe
Token: SeIncBasePriorityPrivilege	1948	WMIC.exe
Token: SeCreatePagefilePrivilege	1948	WMIC.exe
Token: SeBackupPrivilege	1948	WMIC.exe
Token: SeRestorePrivilege	1948	WMIC.exe
Token: SeShutdownPrivilege	1948	WMIC.exe
Token: SeDebugPrivilege	1948	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1948	WMIC.exe
Token: SeRemoteShutdownPrivilege	1948	WMIC.exe
Token: SeUndockPrivilege	1948	WMIC.exe
Token: SeManageVolumePrivilege	1948	WMIC.exe
Token: 33	1948	WMIC.exe
Token: 34	1948	WMIC.exe
Token: 35	1948	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1948	WMIC.exe
Token: SeSecurityPrivilege	1948	WMIC.exe
Token: SeTakeOwnershipPrivilege	1948	WMIC.exe
Token: SeLoadDriverPrivilege	1948	WMIC.exe
Token: SeSystemProfilePrivilege	1948	WMIC.exe
Token: SeSystemtimePrivilege	1948	WMIC.exe
Token: SeProfSingleProcessPrivilege	1948	WMIC.exe
Token: SeIncBasePriorityPrivilege	1948	WMIC.exe
Token: SeCreatePagefilePrivilege	1948	WMIC.exe
Token: SeBackupPrivilege	1948	WMIC.exe
Token: SeRestorePrivilege	1948	WMIC.exe
Token: SeShutdownPrivilege	1948	WMIC.exe
Token: SeDebugPrivilege	1948	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1948	WMIC.exe
Token: SeRemoteShutdownPrivilege	1948	WMIC.exe
Token: SeUndockPrivilege	1948	WMIC.exe
Token: SeManageVolumePrivilege	1948	WMIC.exe
Token: 33	1948	WMIC.exe
Token: 34	1948	WMIC.exe
Token: 35	1948	WMIC.exe
Token: SeBackupPrivilege	1532	vssvc.exe
Token: SeRestorePrivilege	1532	vssvc.exe
Token: SeAuditPrivilege	1532	vssvc.exe
Token: SeTakeOwnershipPrivilege	1364	blackcat.exe
Token: SeTakeOwnershipPrivilege	832	alg.exe
Token: SeShutdownPrivilege	1980	mscorsvw.exe
Token: SeShutdownPrivilege	1980	mscorsvw.exe
Token: SeShutdownPrivilege	1980	mscorsvw.exe
Token: SeShutdownPrivilege	1980	mscorsvw.exe
Token: SeShutdownPrivilege	1980	mscorsvw.exe
Token: SeShutdownPrivilege	1980	mscorsvw.exe
Token: SeShutdownPrivilege	1980	mscorsvw.exe
Token: SeShutdownPrivilege	1980	mscorsvw.exe
Token: SeShutdownPrivilege	1980	mscorsvw.exe
Token: SeShutdownPrivilege	1980	mscorsvw.exe
Token: SeShutdownPrivilege	1980	mscorsvw.exe
Token: SeShutdownPrivilege	1980	mscorsvw.exe
Token: SeShutdownPrivilege	1980	mscorsvw.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1364 wrote to memory of 1356	1364	blackcat.exe	26
PID 1364 wrote to memory of 1356	1364	blackcat.exe	26
PID 1364 wrote to memory of 1356	1364	blackcat.exe	26
PID 1364 wrote to memory of 1356	1364	blackcat.exe	26
PID 1356 wrote to memory of 1948	1356	cmd.exe	28
PID 1356 wrote to memory of 1948	1356	cmd.exe	28
PID 1356 wrote to memory of 1948	1356	cmd.exe	28
PID 1356 wrote to memory of 1948	1356	cmd.exe	28
PID 1364 wrote to memory of 832	1364	blackcat.exe	30
PID 1364 wrote to memory of 832	1364	blackcat.exe	30
PID 1364 wrote to memory of 832	1364	blackcat.exe	30
PID 1364 wrote to memory of 832	1364	blackcat.exe	30
PID 832 wrote to memory of 1120	832	cmd.exe	32
PID 832 wrote to memory of 1120	832	cmd.exe	32
PID 832 wrote to memory of 1120	832	cmd.exe	32
PID 832 wrote to memory of 1120	832	cmd.exe	32
PID 1364 wrote to memory of 2044	1364	blackcat.exe	33
PID 1364 wrote to memory of 2044	1364	blackcat.exe	33
PID 1364 wrote to memory of 2044	1364	blackcat.exe	33
PID 1364 wrote to memory of 2044	1364	blackcat.exe	33
PID 2044 wrote to memory of 684	2044	cmd.exe	35
PID 2044 wrote to memory of 684	2044	cmd.exe	35
PID 2044 wrote to memory of 684	2044	cmd.exe	35
PID 2044 wrote to memory of 684	2044	cmd.exe	35
PID 1364 wrote to memory of 1360	1364	blackcat.exe	36
PID 1364 wrote to memory of 1360	1364	blackcat.exe	36
PID 1364 wrote to memory of 1360	1364	blackcat.exe	36
PID 1364 wrote to memory of 1360	1364	blackcat.exe	36
PID 1364 wrote to memory of 1700	1364	blackcat.exe	37
PID 1364 wrote to memory of 1700	1364	blackcat.exe	37
PID 1364 wrote to memory of 1700	1364	blackcat.exe	37
PID 1364 wrote to memory of 1700	1364	blackcat.exe	37
PID 1700 wrote to memory of 1056	1700	cmd.exe	40
PID 1700 wrote to memory of 1056	1700	cmd.exe	40
PID 1700 wrote to memory of 1056	1700	cmd.exe	40
PID 1700 wrote to memory of 1056	1700	cmd.exe	40
PID 1360 wrote to memory of 1640	1360	cmd.exe	41
PID 1360 wrote to memory of 1640	1360	cmd.exe	41
PID 1360 wrote to memory of 1640	1360	cmd.exe	41
PID 1364 wrote to memory of 748	1364	blackcat.exe	42
PID 1364 wrote to memory of 748	1364	blackcat.exe	42
PID 1364 wrote to memory of 748	1364	blackcat.exe	42
PID 1364 wrote to memory of 748	1364	blackcat.exe	42
PID 748 wrote to memory of 2032	748	cmd.exe	44
PID 748 wrote to memory of 2032	748	cmd.exe	44
PID 748 wrote to memory of 2032	748	cmd.exe	44
PID 748 wrote to memory of 2032	748	cmd.exe	44
PID 1364 wrote to memory of 224	1364	blackcat.exe	53
PID 1364 wrote to memory of 224	1364	blackcat.exe	53
PID 1364 wrote to memory of 224	1364	blackcat.exe	53
PID 1364 wrote to memory of 224	1364	blackcat.exe	53
PID 224 wrote to memory of 2000	224	cmd.exe	55
PID 224 wrote to memory of 2000	224	cmd.exe	55
PID 224 wrote to memory of 2000	224	cmd.exe	55
PID 1980 wrote to memory of 1464	1980	mscorsvw.exe	58
PID 1980 wrote to memory of 1464	1980	mscorsvw.exe	58
PID 1980 wrote to memory of 1464	1980	mscorsvw.exe	58
PID 1980 wrote to memory of 1464	1980	mscorsvw.exe	58
PID 1980 wrote to memory of 2032	1980	mscorsvw.exe	59
PID 1980 wrote to memory of 2032	1980	mscorsvw.exe	59
PID 1980 wrote to memory of 2032	1980	mscorsvw.exe	59
PID 1980 wrote to memory of 2032	1980	mscorsvw.exe	59
PID 1980 wrote to memory of 276	1980	mscorsvw.exe	60
PID 1980 wrote to memory of 276	1980	mscorsvw.exe	60

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	alg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1"	alg.exe

C:\Users\Admin\AppData\Local\Temp\blackcat.exe
C:\Users\Admin\AppData\Local\Temp\blackcat.exe -a 12345
1⤵
- Modifies extensions of user files
- Enumerates connected drives
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- Modifies Control Panel
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1364
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c "wmic csproduct get UUID"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1356
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic csproduct get UUID
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1948
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c "fsutil behavior set SymlinkEvaluation R2L:1"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:832
- - C:\Windows\SysWOW64\fsutil.exe
    fsutil behavior set SymlinkEvaluation R2L:1
    3⤵
    PID:1120
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c "fsutil behavior set SymlinkEvaluation R2R:1"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2044
- - C:\Windows\SysWOW64\fsutil.exe
    fsutil behavior set SymlinkEvaluation R2R:1
    3⤵
    PID:684
- C:\Windows\system32\cmd.exe
  "cmd" /c "vssadmin.exe delete shadows /all /quiet"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1360
- - C:\Windows\system32\vssadmin.exe
    vssadmin.exe delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:1640
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c "reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters /v MaxMpxCt /d 65535 /t REG_DWORD /f"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1700
- - C:\Windows\SysWOW64\reg.exe
    reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters /v MaxMpxCt /d 65535 /t REG_DWORD /f
    3⤵
    PID:1056
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c "arp -a"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:748
- - C:\Windows\SysWOW64\ARP.EXE
    arp -a
    3⤵
    PID:2032
- C:\Windows\system32\cmd.exe
  "cmd" /c "vssadmin.exe delete shadows /all /quiet"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:224
- - C:\Windows\system32\vssadmin.exe
    vssadmin.exe delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:2000

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1532

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:832

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:1660

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2024

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1456

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:1972

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1980
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1c4 -InterruptEvent 1b0 -NGENProcess 1b4 -Pipe 1c0 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1464
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 234 -InterruptEvent 1b0 -NGENProcess 1b4 -Pipe 1c4 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2032
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 224 -InterruptEvent 230 -NGENProcess 238 -Pipe 234 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:276
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 230 -InterruptEvent 220 -NGENProcess 1b4 -Pipe 21c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1788
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 220 -InterruptEvent 23c -NGENProcess 1b0 -Pipe 218 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1176
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 240 -NGENProcess 238 -Pipe 22c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1728
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 244 -NGENProcess 1b4 -Pipe 228 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:796
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 248 -NGENProcess 1b0 -Pipe 224 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1648
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 24c -NGENProcess 238 -Pipe 230 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1480
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 250 -NGENProcess 1b4 -Pipe 220 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:216
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 254 -NGENProcess 1b0 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2012
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 258 -NGENProcess 238 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1640
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 25c -NGENProcess 1b4 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1176
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 260 -NGENProcess 1b0 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1364
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 264 -NGENProcess 238 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1360
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 268 -NGENProcess 1b4 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2032
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 26c -NGENProcess 1b0 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1480
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 270 -NGENProcess 238 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1736
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 274 -NGENProcess 1b4 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2012
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 278 -NGENProcess 1b0 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1708
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 27c -NGENProcess 238 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1068
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 238 -NGENProcess 270 -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1364
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 238 -NGENProcess 27c -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:796

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

File Deletion

T1107

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
480KB

MD5
5ad5e33f57f07f26cbc8f7b31850c1c6

SHA1
71edad8b5b60c845e9ccf27ba91582bd8be51d7d

SHA256
273048ebecb6f61e6693b3280e2783a5e0e295e55521d3aea30d653ce3ef0f36

SHA512
1408cb6e571b8087e9df44789aee1ba58d6fe7d3a80f65c1b5e013b08659f47c8471e9686a1f68cd8f7b0a2da80f7efcaf131981ce15aa49cd093db49eab45bf

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
480KB

MD5
5ad5e33f57f07f26cbc8f7b31850c1c6

SHA1
71edad8b5b60c845e9ccf27ba91582bd8be51d7d

SHA256
273048ebecb6f61e6693b3280e2783a5e0e295e55521d3aea30d653ce3ef0f36

SHA512
1408cb6e571b8087e9df44789aee1ba58d6fe7d3a80f65c1b5e013b08659f47c8471e9686a1f68cd8f7b0a2da80f7efcaf131981ce15aa49cd093db49eab45bf

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
435KB

MD5
abaed28bed724d9f37f713ed50df6575

SHA1
601a78698c591fabad945906506052f627e1a935

SHA256
ae0e8c90906bd32e54299264a55cc0d9b5cbfc2287d048fceb786dce9141c72c

SHA512
c2d4d2db4e76fc3d412b00d028f1ba2b93cd0eeeee07caa39108742a526bfd4cde6e93899bcbf73cbf68b27e827fbecff6deb5736011130b1e539f240675ffa8

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
457KB

MD5
95afafc3e7c6f0a86088e21a7378db15

SHA1
788ca2366a309a8af4fea39a700225c33ef5c4ce

SHA256
655c1dcd5a6988ba9fbfdd8fa574f510705d3a1e80164f997b8f9c30ee376183

SHA512
f8620326a6335a979e7a18463493a4e9eea6bbba9b0603b11979f3463d31d31ac7c17219eb5eeb1adbac9940a0300b7fde734a289decf4a907eca4be757d43a4

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
457KB

MD5
95afafc3e7c6f0a86088e21a7378db15

SHA1
788ca2366a309a8af4fea39a700225c33ef5c4ce

SHA256
655c1dcd5a6988ba9fbfdd8fa574f510705d3a1e80164f997b8f9c30ee376183

SHA512
f8620326a6335a979e7a18463493a4e9eea6bbba9b0603b11979f3463d31d31ac7c17219eb5eeb1adbac9940a0300b7fde734a289decf4a907eca4be757d43a4

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
488KB

MD5
43b358697cdcd6948513ee81af0134a0

SHA1
5081236d488a154f74823a4ddbda8d678ffb0b76

SHA256
f68f917dd821ff70a88f3881c9fd3b29393bd09728d74161c316dac1bdb5e072

SHA512
df2b12ab47261598932c6bc9a07099c3deb369c732da75f4cb42cdc1ff94488bb7b83b0c542f7780bbed7f2a2ac909faaa005bfa469ef6624d54332ecefdce59

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
488KB

MD5
43b358697cdcd6948513ee81af0134a0

SHA1
5081236d488a154f74823a4ddbda8d678ffb0b76

SHA256
f68f917dd821ff70a88f3881c9fd3b29393bd09728d74161c316dac1bdb5e072

SHA512
df2b12ab47261598932c6bc9a07099c3deb369c732da75f4cb42cdc1ff94488bb7b83b0c542f7780bbed7f2a2ac909faaa005bfa469ef6624d54332ecefdce59

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
488KB

MD5
43b358697cdcd6948513ee81af0134a0

SHA1
5081236d488a154f74823a4ddbda8d678ffb0b76

SHA256
f68f917dd821ff70a88f3881c9fd3b29393bd09728d74161c316dac1bdb5e072

SHA512
df2b12ab47261598932c6bc9a07099c3deb369c732da75f4cb42cdc1ff94488bb7b83b0c542f7780bbed7f2a2ac909faaa005bfa469ef6624d54332ecefdce59

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
488KB

MD5
43b358697cdcd6948513ee81af0134a0

SHA1
5081236d488a154f74823a4ddbda8d678ffb0b76

SHA256
f68f917dd821ff70a88f3881c9fd3b29393bd09728d74161c316dac1bdb5e072

SHA512
df2b12ab47261598932c6bc9a07099c3deb369c732da75f4cb42cdc1ff94488bb7b83b0c542f7780bbed7f2a2ac909faaa005bfa469ef6624d54332ecefdce59

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
488KB

MD5
43b358697cdcd6948513ee81af0134a0

SHA1
5081236d488a154f74823a4ddbda8d678ffb0b76

SHA256
f68f917dd821ff70a88f3881c9fd3b29393bd09728d74161c316dac1bdb5e072

SHA512
df2b12ab47261598932c6bc9a07099c3deb369c732da75f4cb42cdc1ff94488bb7b83b0c542f7780bbed7f2a2ac909faaa005bfa469ef6624d54332ecefdce59

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
488KB

MD5
43b358697cdcd6948513ee81af0134a0

SHA1
5081236d488a154f74823a4ddbda8d678ffb0b76

SHA256
f68f917dd821ff70a88f3881c9fd3b29393bd09728d74161c316dac1bdb5e072

SHA512
df2b12ab47261598932c6bc9a07099c3deb369c732da75f4cb42cdc1ff94488bb7b83b0c542f7780bbed7f2a2ac909faaa005bfa469ef6624d54332ecefdce59

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
488KB

MD5
43b358697cdcd6948513ee81af0134a0

SHA1
5081236d488a154f74823a4ddbda8d678ffb0b76

SHA256
f68f917dd821ff70a88f3881c9fd3b29393bd09728d74161c316dac1bdb5e072

SHA512
df2b12ab47261598932c6bc9a07099c3deb369c732da75f4cb42cdc1ff94488bb7b83b0c542f7780bbed7f2a2ac909faaa005bfa469ef6624d54332ecefdce59

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
488KB

MD5
43b358697cdcd6948513ee81af0134a0

SHA1
5081236d488a154f74823a4ddbda8d678ffb0b76

SHA256
f68f917dd821ff70a88f3881c9fd3b29393bd09728d74161c316dac1bdb5e072

SHA512
df2b12ab47261598932c6bc9a07099c3deb369c732da75f4cb42cdc1ff94488bb7b83b0c542f7780bbed7f2a2ac909faaa005bfa469ef6624d54332ecefdce59

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
488KB

MD5
43b358697cdcd6948513ee81af0134a0

SHA1
5081236d488a154f74823a4ddbda8d678ffb0b76

SHA256
f68f917dd821ff70a88f3881c9fd3b29393bd09728d74161c316dac1bdb5e072

SHA512
df2b12ab47261598932c6bc9a07099c3deb369c732da75f4cb42cdc1ff94488bb7b83b0c542f7780bbed7f2a2ac909faaa005bfa469ef6624d54332ecefdce59

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
488KB

MD5
43b358697cdcd6948513ee81af0134a0

SHA1
5081236d488a154f74823a4ddbda8d678ffb0b76

SHA256
f68f917dd821ff70a88f3881c9fd3b29393bd09728d74161c316dac1bdb5e072

SHA512
df2b12ab47261598932c6bc9a07099c3deb369c732da75f4cb42cdc1ff94488bb7b83b0c542f7780bbed7f2a2ac909faaa005bfa469ef6624d54332ecefdce59

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
488KB

MD5
43b358697cdcd6948513ee81af0134a0

SHA1
5081236d488a154f74823a4ddbda8d678ffb0b76

SHA256
f68f917dd821ff70a88f3881c9fd3b29393bd09728d74161c316dac1bdb5e072

SHA512
df2b12ab47261598932c6bc9a07099c3deb369c732da75f4cb42cdc1ff94488bb7b83b0c542f7780bbed7f2a2ac909faaa005bfa469ef6624d54332ecefdce59

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
488KB

MD5
43b358697cdcd6948513ee81af0134a0

SHA1
5081236d488a154f74823a4ddbda8d678ffb0b76

SHA256
f68f917dd821ff70a88f3881c9fd3b29393bd09728d74161c316dac1bdb5e072

SHA512
df2b12ab47261598932c6bc9a07099c3deb369c732da75f4cb42cdc1ff94488bb7b83b0c542f7780bbed7f2a2ac909faaa005bfa469ef6624d54332ecefdce59

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
488KB

MD5
43b358697cdcd6948513ee81af0134a0

SHA1
5081236d488a154f74823a4ddbda8d678ffb0b76

SHA256
f68f917dd821ff70a88f3881c9fd3b29393bd09728d74161c316dac1bdb5e072

SHA512
df2b12ab47261598932c6bc9a07099c3deb369c732da75f4cb42cdc1ff94488bb7b83b0c542f7780bbed7f2a2ac909faaa005bfa469ef6624d54332ecefdce59

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
488KB

MD5
43b358697cdcd6948513ee81af0134a0

SHA1
5081236d488a154f74823a4ddbda8d678ffb0b76

SHA256
f68f917dd821ff70a88f3881c9fd3b29393bd09728d74161c316dac1bdb5e072

SHA512
df2b12ab47261598932c6bc9a07099c3deb369c732da75f4cb42cdc1ff94488bb7b83b0c542f7780bbed7f2a2ac909faaa005bfa469ef6624d54332ecefdce59

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
488KB

MD5
43b358697cdcd6948513ee81af0134a0

SHA1
5081236d488a154f74823a4ddbda8d678ffb0b76

SHA256
f68f917dd821ff70a88f3881c9fd3b29393bd09728d74161c316dac1bdb5e072

SHA512
df2b12ab47261598932c6bc9a07099c3deb369c732da75f4cb42cdc1ff94488bb7b83b0c542f7780bbed7f2a2ac909faaa005bfa469ef6624d54332ecefdce59

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
488KB

MD5
43b358697cdcd6948513ee81af0134a0

SHA1
5081236d488a154f74823a4ddbda8d678ffb0b76

SHA256
f68f917dd821ff70a88f3881c9fd3b29393bd09728d74161c316dac1bdb5e072

SHA512
df2b12ab47261598932c6bc9a07099c3deb369c732da75f4cb42cdc1ff94488bb7b83b0c542f7780bbed7f2a2ac909faaa005bfa469ef6624d54332ecefdce59

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
488KB

MD5
43b358697cdcd6948513ee81af0134a0

SHA1
5081236d488a154f74823a4ddbda8d678ffb0b76

SHA256
f68f917dd821ff70a88f3881c9fd3b29393bd09728d74161c316dac1bdb5e072

SHA512
df2b12ab47261598932c6bc9a07099c3deb369c732da75f4cb42cdc1ff94488bb7b83b0c542f7780bbed7f2a2ac909faaa005bfa469ef6624d54332ecefdce59

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
488KB

MD5
43b358697cdcd6948513ee81af0134a0

SHA1
5081236d488a154f74823a4ddbda8d678ffb0b76

SHA256
f68f917dd821ff70a88f3881c9fd3b29393bd09728d74161c316dac1bdb5e072

SHA512
df2b12ab47261598932c6bc9a07099c3deb369c732da75f4cb42cdc1ff94488bb7b83b0c542f7780bbed7f2a2ac909faaa005bfa469ef6624d54332ecefdce59

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
488KB

MD5
43b358697cdcd6948513ee81af0134a0

SHA1
5081236d488a154f74823a4ddbda8d678ffb0b76

SHA256
f68f917dd821ff70a88f3881c9fd3b29393bd09728d74161c316dac1bdb5e072

SHA512
df2b12ab47261598932c6bc9a07099c3deb369c732da75f4cb42cdc1ff94488bb7b83b0c542f7780bbed7f2a2ac909faaa005bfa469ef6624d54332ecefdce59

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
488KB

MD5
43b358697cdcd6948513ee81af0134a0

SHA1
5081236d488a154f74823a4ddbda8d678ffb0b76

SHA256
f68f917dd821ff70a88f3881c9fd3b29393bd09728d74161c316dac1bdb5e072

SHA512
df2b12ab47261598932c6bc9a07099c3deb369c732da75f4cb42cdc1ff94488bb7b83b0c542f7780bbed7f2a2ac909faaa005bfa469ef6624d54332ecefdce59

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
488KB

MD5
43b358697cdcd6948513ee81af0134a0

SHA1
5081236d488a154f74823a4ddbda8d678ffb0b76

SHA256
f68f917dd821ff70a88f3881c9fd3b29393bd09728d74161c316dac1bdb5e072

SHA512
df2b12ab47261598932c6bc9a07099c3deb369c732da75f4cb42cdc1ff94488bb7b83b0c542f7780bbed7f2a2ac909faaa005bfa469ef6624d54332ecefdce59

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
488KB

MD5
43b358697cdcd6948513ee81af0134a0

SHA1
5081236d488a154f74823a4ddbda8d678ffb0b76

SHA256
f68f917dd821ff70a88f3881c9fd3b29393bd09728d74161c316dac1bdb5e072

SHA512
df2b12ab47261598932c6bc9a07099c3deb369c732da75f4cb42cdc1ff94488bb7b83b0c542f7780bbed7f2a2ac909faaa005bfa469ef6624d54332ecefdce59

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
488KB

MD5
43b358697cdcd6948513ee81af0134a0

SHA1
5081236d488a154f74823a4ddbda8d678ffb0b76

SHA256
f68f917dd821ff70a88f3881c9fd3b29393bd09728d74161c316dac1bdb5e072

SHA512
df2b12ab47261598932c6bc9a07099c3deb369c732da75f4cb42cdc1ff94488bb7b83b0c542f7780bbed7f2a2ac909faaa005bfa469ef6624d54332ecefdce59

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
488KB

MD5
43b358697cdcd6948513ee81af0134a0

SHA1
5081236d488a154f74823a4ddbda8d678ffb0b76

SHA256
f68f917dd821ff70a88f3881c9fd3b29393bd09728d74161c316dac1bdb5e072

SHA512
df2b12ab47261598932c6bc9a07099c3deb369c732da75f4cb42cdc1ff94488bb7b83b0c542f7780bbed7f2a2ac909faaa005bfa469ef6624d54332ecefdce59

Download Submit
C:\Windows\System32\alg.exe

Filesize
476KB

MD5
8341838d17fd2568d9284084079a1207

SHA1
3b2e6859e119096e875edbdf295b14f8509bc191

SHA256
c41b5ecff2fc6357f03af835edcb61ebbe9c4323c8b58e7cfc9375adc841f029

SHA512
7473022305f10abc3a813887f4fd9d472ddd9aabf964377458e2aad268ce96d7b0ab618d8b19b8b88c4c996fdf1e9253e28edcfb0f8aa96c046f224894650a16

Download Submit
\??\c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe

Filesize
488KB

MD5
43b358697cdcd6948513ee81af0134a0

SHA1
5081236d488a154f74823a4ddbda8d678ffb0b76

SHA256
f68f917dd821ff70a88f3881c9fd3b29393bd09728d74161c316dac1bdb5e072

SHA512
df2b12ab47261598932c6bc9a07099c3deb369c732da75f4cb42cdc1ff94488bb7b83b0c542f7780bbed7f2a2ac909faaa005bfa469ef6624d54332ecefdce59

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
480KB

MD5
5ad5e33f57f07f26cbc8f7b31850c1c6

SHA1
71edad8b5b60c845e9ccf27ba91582bd8be51d7d

SHA256
273048ebecb6f61e6693b3280e2783a5e0e295e55521d3aea30d653ce3ef0f36

SHA512
1408cb6e571b8087e9df44789aee1ba58d6fe7d3a80f65c1b5e013b08659f47c8471e9686a1f68cd8f7b0a2da80f7efcaf131981ce15aa49cd093db49eab45bf

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
480KB

MD5
5ad5e33f57f07f26cbc8f7b31850c1c6

SHA1
71edad8b5b60c845e9ccf27ba91582bd8be51d7d

SHA256
273048ebecb6f61e6693b3280e2783a5e0e295e55521d3aea30d653ce3ef0f36

SHA512
1408cb6e571b8087e9df44789aee1ba58d6fe7d3a80f65c1b5e013b08659f47c8471e9686a1f68cd8f7b0a2da80f7efcaf131981ce15aa49cd093db49eab45bf

Download Submit
\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
435KB

MD5
abaed28bed724d9f37f713ed50df6575

SHA1
601a78698c591fabad945906506052f627e1a935

SHA256
ae0e8c90906bd32e54299264a55cc0d9b5cbfc2287d048fceb786dce9141c72c

SHA512
c2d4d2db4e76fc3d412b00d028f1ba2b93cd0eeeee07caa39108742a526bfd4cde6e93899bcbf73cbf68b27e827fbecff6deb5736011130b1e539f240675ffa8

Download Submit
\Windows\System32\alg.exe

Filesize
476KB

MD5
8341838d17fd2568d9284084079a1207

SHA1
3b2e6859e119096e875edbdf295b14f8509bc191

SHA256
c41b5ecff2fc6357f03af835edcb61ebbe9c4323c8b58e7cfc9375adc841f029

SHA512
7473022305f10abc3a813887f4fd9d472ddd9aabf964377458e2aad268ce96d7b0ab618d8b19b8b88c4c996fdf1e9253e28edcfb0f8aa96c046f224894650a16

Download Submit
memory/216-133-0x0000000000060000-0x000000000010E000-memory.dmp

Filesize
696KB

Download
memory/276-109-0x0000000000060000-0x000000000010E000-memory.dmp

Filesize
696KB

Download
memory/796-177-0x0000000000060000-0x000000000010E000-memory.dmp

Filesize
696KB

Download
memory/796-123-0x0000000000060000-0x000000000010E000-memory.dmp

Filesize
696KB

Download
memory/832-72-0x00000000FFB40000-0x00000000FFC0F000-memory.dmp

Filesize
828KB

Download
memory/832-95-0x00000000FFB40000-0x00000000FFC0F000-memory.dmp

Filesize
828KB

Download
memory/832-94-0x00000000FFB40000-0x00000000FFC0F000-memory.dmp

Filesize
828KB

Download
memory/832-71-0x00000000FFB40000-0x00000000FFC0F000-memory.dmp

Filesize
828KB

Download
memory/832-80-0x00000000FFB40000-0x00000000FFC0F000-memory.dmp

Filesize
828KB

Download
memory/1068-170-0x0000000000060000-0x000000000010E000-memory.dmp

Filesize
696KB

Download
memory/1068-173-0x0000000000060000-0x000000000010E000-memory.dmp

Filesize
696KB

Download
memory/1176-116-0x0000000000060000-0x000000000010E000-memory.dmp

Filesize
696KB

Download
memory/1176-145-0x0000000000060000-0x000000000010E000-memory.dmp

Filesize
696KB

Download
memory/1360-154-0x0000000000060000-0x000000000010E000-memory.dmp

Filesize
696KB

Download
memory/1360-150-0x0000000000060000-0x000000000010E000-memory.dmp

Filesize
696KB

Download
memory/1360-149-0x0000000000060000-0x000000000010E000-memory.dmp

Filesize
696KB

Download
memory/1360-151-0x0000000003380000-0x000000000343A000-memory.dmp

Filesize
744KB

Download
memory/1364-76-0x0000000000400000-0x00000000006C7000-memory.dmp

Filesize
2.8MB

Download
memory/1364-68-0x0000000000400000-0x00000000006C7000-memory.dmp

Filesize
2.8MB

Download
memory/1364-67-0x0000000075091000-0x0000000075093000-memory.dmp

Filesize
8KB

Download
memory/1364-148-0x0000000000060000-0x000000000010E000-memory.dmp

Filesize
696KB

Download
memory/1364-66-0x0000000000400000-0x00000000006C7000-memory.dmp

Filesize
2.8MB

Download
memory/1364-90-0x0000000000400000-0x00000000006C7000-memory.dmp

Filesize
2.8MB

Download
memory/1364-176-0x0000000000060000-0x000000000010E000-memory.dmp

Filesize
696KB

Download
memory/1456-84-0x0000000010000000-0x00000000100D2000-memory.dmp

Filesize
840KB

Download
memory/1456-86-0x0000000010000000-0x00000000100D2000-memory.dmp

Filesize
840KB

Download
memory/1464-100-0x0000000000060000-0x000000000010E000-memory.dmp

Filesize
696KB

Download
memory/1464-103-0x0000000000060000-0x000000000010E000-memory.dmp

Filesize
696KB

Download
memory/1480-160-0x0000000000060000-0x000000000010E000-memory.dmp

Filesize
696KB

Download
memory/1480-127-0x0000000000060000-0x000000000010E000-memory.dmp

Filesize
696KB

Download
memory/1480-130-0x0000000000060000-0x000000000010E000-memory.dmp

Filesize
696KB

Download
memory/1640-139-0x0000000000060000-0x000000000010E000-memory.dmp

Filesize
696KB

Download
memory/1640-142-0x0000000000060000-0x000000000010E000-memory.dmp

Filesize
696KB

Download
memory/1640-138-0x0000000000060000-0x000000000010E000-memory.dmp

Filesize
696KB

Download
memory/1648-126-0x0000000000060000-0x000000000010E000-memory.dmp

Filesize
696KB

Download
memory/1660-96-0x000000013F870000-0x000000013F938000-memory.dmp

Filesize
800KB

Download
memory/1660-75-0x000000013F870000-0x000000013F938000-memory.dmp

Filesize
800KB

Download
memory/1708-169-0x0000000000060000-0x000000000010E000-memory.dmp

Filesize
696KB

Download
memory/1728-120-0x0000000000060000-0x000000000010E000-memory.dmp

Filesize
696KB

Download
memory/1728-117-0x0000000000060000-0x000000000010E000-memory.dmp

Filesize
696KB

Download
memory/1736-163-0x0000000000060000-0x000000000010E000-memory.dmp

Filesize
696KB

Download
memory/1788-113-0x0000000000060000-0x000000000010E000-memory.dmp

Filesize
696KB

Download
memory/1788-110-0x0000000000060000-0x000000000010E000-memory.dmp

Filesize
696KB

Download
memory/1980-91-0x0000000000060000-0x000000000010E000-memory.dmp

Filesize
696KB

Download
memory/1980-93-0x0000000000060000-0x000000000010E000-memory.dmp

Filesize
696KB

Download
memory/1980-137-0x0000000000060000-0x000000000010E000-memory.dmp

Filesize
696KB

Download
memory/2012-136-0x0000000000060000-0x000000000010E000-memory.dmp

Filesize
696KB

Download
memory/2012-166-0x0000000000060000-0x000000000010E000-memory.dmp

Filesize
696KB

Download
memory/2024-79-0x0000000010000000-0x00000000100A5000-memory.dmp

Filesize
660KB

Download
memory/2032-106-0x0000000000060000-0x000000000010E000-memory.dmp

Filesize
696KB

Download
memory/2032-157-0x0000000000060000-0x000000000010E000-memory.dmp

Filesize
696KB

Download