Analysis Overview
SHA256
1102534d7ed22c361f26d196c9170d977ea3b0eb8b4ce5746236e3e2418451a4
Threat Level: Likely malicious
The file 89c55b3ce90e0aa737ef7f77326ac316_JaffaCakes118 was found to be: Likely malicious.
Malicious Activity Summary
Enumerates VirtualBox registry keys
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Looks for VMWare Tools registry key
Checks BIOS information in registry
Registers COM server for autorun
Reads user/profile data of web browsers
Checks whether UAC is enabled
Enumerates connected drives
Drops file in System32 directory
Loads dropped DLL
Checks installed software on the system
Drops file in Program Files directory
Checks system information in the registry
Executes dropped EXE
Program crash
Unsigned PE
Enumerates physical storage devices
NSIS installer
Kills process with taskkill
Uses Volume Shadow Copy WMI provider
Suspicious use of FindShellTrayWindow
Suspicious behavior: EnumeratesProcesses
Suspicious use of SendNotifyMessage
Enumerates system info in registry
Suspicious use of AdjustPrivilegeToken
Uses Task Scheduler COM API
Suspicious use of WriteProcessMemory
Suspicious behavior: GetForegroundWindowSpam
Modifies system certificate store
Modifies data under HKEY_USERS
Uses Volume Shadow Copy service COM API
Checks processor information in registry
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-01 07:37
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral7
Detonation Overview
Submitted
2024-06-01 07:37
Reported
2024-06-01 07:40
Platform
win7-20240508-en
Max time kernel
118s
Max time network
125s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2228 -s 240
Network
Files
Analysis: behavioral18
Detonation Overview
Submitted
2024-06-01 07:37
Reported
2024-06-01 07:40
Platform
win10v2004-20240426-en
Max time kernel
134s
Max time network
142s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\ByteFenceScan.exe
"C:\Users\Admin\AppData\Local\Temp\ByteFenceScan.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 45.56.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.65.42.20.in-addr.arpa | udp |
Files
Analysis: behavioral3
Detonation Overview
Submitted
2024-06-01 07:37
Reported
2024-06-01 07:40
Platform
win7-20240221-en
Max time kernel
118s
Max time network
124s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bytefence-installer-5.4.1.3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bytefence-installer-5.4.1.3.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bytefence-installer-5.4.1.3.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\bytefence-installer-5.4.1.3.exe
"C:\Users\Admin\AppData\Local\Temp\bytefence-installer-5.4.1.3.exe"
Network
Files
\Users\Admin\AppData\Local\Temp\nsd895C.tmp\nsDialogs.dll
| MD5 | eac1c3707970fe7c71b2d760c34763fa |
| SHA1 | f275e659ad7798994361f6ccb1481050aba30ff8 |
| SHA256 | 062c75ad650548750564ffd7aef8cd553773b5c26cae7f25a5749b13165194e3 |
| SHA512 | 3415bd555cf47407c0ae62be0dbcba7173d2b33a371bf083ce908fc901811adb888b7787d11eb9d99a1a739cbd9d1c66e565db6cd678bdadaf753fbda14ffd09 |
\Users\Admin\AppData\Local\Temp\nsd895C.tmp\System.dll
| MD5 | b0c77267f13b2f87c084fd86ef51ccfc |
| SHA1 | f7543f9e9b4f04386dfbf33c38cbed1bf205afb3 |
| SHA256 | a0cac4cf4852895619bc7743ebeb89f9e4927ccdb9e66b1bcd92a4136d0f9c77 |
| SHA512 | f2b57a2eea00f52a3c7080f4b5f2bb85a7a9b9f16d12da8f8ff673824556c62a0f742b72be0fd82a2612a4b6dbd7e0fdc27065212da703c2f7e28d199696f66e |
Analysis: behavioral11
Detonation Overview
Submitted
2024-06-01 07:37
Reported
2024-06-01 07:40
Platform
win7-20240221-en
Max time kernel
121s
Max time network
124s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsisdl.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsisdl.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2956 -s 220
Network
Files
Analysis: behavioral14
Detonation Overview
Submitted
2024-06-01 07:37
Reported
2024-06-01 07:40
Platform
win10v2004-20240226-en
Max time kernel
163s
Max time network
175s
Command Line
Signatures
Reads user/profile data of web browsers
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\ByteFence.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\f: | C:\Users\Admin\AppData\Local\Temp\ByteFence.exe | N/A |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | \??\c:\users\admin\appdata\local\temp\ByteFenceService.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\ByteFence Folder Scan\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\ByteFenceScan.exe\" /scan:\"%1\"" | C:\Users\Admin\AppData\Local\Temp\ByteFence.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\ByteFence File Scan\ = "Scan with ByteFence Anti-Malware..." | C:\Users\Admin\AppData\Local\Temp\ByteFence.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\ByteFence File Scan\Icon = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\ByteFence.exe\",0" | C:\Users\Admin\AppData\Local\Temp\ByteFence.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\ByteFence File Scan\Position = "Middle" | C:\Users\Admin\AppData\Local\Temp\ByteFence.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\ByteFence File Scan\command | C:\Users\Admin\AppData\Local\Temp\ByteFence.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\ByteFence Folder Scan | C:\Users\Admin\AppData\Local\Temp\ByteFence.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\ByteFence Folder Scan\ = "Scan with ByteFence Anti-Malware..." | C:\Users\Admin\AppData\Local\Temp\ByteFence.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\ByteFence Folder Scan\Position = "Middle" | C:\Users\Admin\AppData\Local\Temp\ByteFence.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\ByteFence File Scan | C:\Users\Admin\AppData\Local\Temp\ByteFence.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\ByteFence File Scan\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\ByteFenceScan.exe\" /scan:\"%1\"" | C:\Users\Admin\AppData\Local\Temp\ByteFence.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\ByteFence Folder Scan\Icon = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\ByteFence.exe\",0" | C:\Users\Admin\AppData\Local\Temp\ByteFence.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\ByteFence Folder Scan\command | C:\Users\Admin\AppData\Local\Temp\ByteFence.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4916 wrote to memory of 1172 | N/A | C:\Users\Admin\AppData\Local\Temp\ByteFence.exe | \??\c:\users\admin\appdata\local\temp\ByteFenceService.exe |
| PID 4916 wrote to memory of 1172 | N/A | C:\Users\Admin\AppData\Local\Temp\ByteFence.exe | \??\c:\users\admin\appdata\local\temp\ByteFenceService.exe |
| PID 4916 wrote to memory of 1388 | N/A | C:\Users\Admin\AppData\Local\Temp\ByteFence.exe | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe |
| PID 4916 wrote to memory of 1388 | N/A | C:\Users\Admin\AppData\Local\Temp\ByteFence.exe | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\ByteFence.exe
"C:\Users\Admin\AppData\Local\Temp\ByteFence.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4068 --field-trial-handle=2236,i,5367110156796017614,12594004256180761011,262144 --variations-seed-version /prefetch:8
\??\c:\users\admin\appdata\local\temp\ByteFenceService.exe
"c:\users\admin\appdata\local\temp\ByteFenceService.exe" /i
\??\c:\users\admin\appdata\local\temp\ByteFenceService.exe
"c:\users\admin\appdata\local\temp\ByteFenceService.exe"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
dw20.exe -x -s 2128
Network
| Country | Destination | Domain | Proto |
| US | 20.231.121.79:80 | tcp | |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 13.107.246.64:443 | tcp | |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | udp | |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.56.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | logs.bytefence.com | udp |
| US | 8.8.8.8:53 | logs.bytefence.com | udp |
| US | 8.8.8.8:53 | logs.bytefence.com | udp |
| US | 8.8.8.8:53 | 24.73.42.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | logs.bytefence.com | udp |
Files
memory/4916-0-0x00007FFBEED75000-0x00007FFBEED76000-memory.dmp
memory/4916-1-0x00007FFBEEAC0000-0x00007FFBEF461000-memory.dmp
memory/4916-2-0x00007FFBEEAC0000-0x00007FFBEF461000-memory.dmp
memory/4916-3-0x000000001C8D0000-0x000000001CDF6000-memory.dmp
memory/4916-4-0x00007FFBEEAC0000-0x00007FFBEF461000-memory.dmp
memory/4916-5-0x00007FFBEEAC0000-0x00007FFBEF461000-memory.dmp
memory/4916-6-0x000000001E0E0000-0x000000001E5AE000-memory.dmp
memory/4916-7-0x00007FFBEED75000-0x00007FFBEED76000-memory.dmp
memory/4916-8-0x00007FFBEEAC0000-0x00007FFBEF461000-memory.dmp
memory/4916-9-0x000000001C7F0000-0x000000001C88C000-memory.dmp
memory/4916-10-0x000000001C890000-0x000000001C8CA000-memory.dmp
memory/4916-11-0x00007FFBEEAC0000-0x00007FFBEF461000-memory.dmp
memory/4916-12-0x00007FFBEEAC0000-0x00007FFBEF461000-memory.dmp
memory/4916-13-0x00007FFBEEAC0000-0x00007FFBEF461000-memory.dmp
memory/4916-15-0x00007FFBEEAC0000-0x00007FFBEF461000-memory.dmp
memory/4916-16-0x00007FFBEEAC0000-0x00007FFBEF461000-memory.dmp
memory/4916-18-0x0000000020A30000-0x0000000020B06000-memory.dmp
memory/4916-19-0x0000000020C10000-0x0000000020C62000-memory.dmp
memory/4916-20-0x00007FFBEEAC0000-0x00007FFBEF461000-memory.dmp
memory/4916-21-0x00007FFBEEAC0000-0x00007FFBEF461000-memory.dmp
memory/4916-22-0x00007FFBEEAC0000-0x00007FFBEF461000-memory.dmp
memory/4916-23-0x0000000001EC0000-0x0000000001EC8000-memory.dmp
memory/4916-26-0x000000001D780000-0x000000001D7A0000-memory.dmp
memory/4916-28-0x0000000001930000-0x0000000001936000-memory.dmp
memory/4916-27-0x0000000001920000-0x0000000001926000-memory.dmp
memory/4916-29-0x0000000021F90000-0x0000000022108000-memory.dmp
memory/4916-40-0x00007FFBEEAC0000-0x00007FFBEF461000-memory.dmp
memory/1172-45-0x00007FFBEEAC0000-0x00007FFBEF461000-memory.dmp
memory/4916-46-0x0000000022180000-0x00000000221E2000-memory.dmp
memory/1172-47-0x00007FFBEEAC0000-0x00007FFBEF461000-memory.dmp
memory/1172-48-0x0000000000ED0000-0x0000000000EE8000-memory.dmp
memory/1172-49-0x00007FFBEEAC0000-0x00007FFBEF461000-memory.dmp
memory/1172-50-0x00007FFBEEAC0000-0x00007FFBEF461000-memory.dmp
memory/1172-53-0x000000001BB90000-0x000000001BBB4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ByteFenceService.InstallLog
| MD5 | 6eaa1926a6ef20c0742b1344bf1d8a14 |
| SHA1 | a9ba7268b609d64e0434d9a8f3f78d2371a2ac1d |
| SHA256 | 119aacf78c0083c15adc496df961bb78fe33efac6d3f41227d903f6c63b3ee28 |
| SHA512 | f4fef01bcded694a182440501f7a0dd47d6441e2558f1df26d019697a2f9372fd0f0e6ba8e1bb2b30b4fe34f53eefbc439e7ead6f1d726fd465543c9fccc9889 |
memory/1172-77-0x00007FFBEEAC0000-0x00007FFBEF461000-memory.dmp
memory/3160-78-0x00007FFBEEAC0000-0x00007FFBEF461000-memory.dmp
memory/3160-79-0x00007FFBEEAC0000-0x00007FFBEF461000-memory.dmp
memory/4916-80-0x00007FFBEEAC0000-0x00007FFBEF461000-memory.dmp
\??\c:\users\admin\appdata\local\temp\rsEngine.config
| MD5 | 56471e1d552cf365892a221059747376 |
| SHA1 | 89cb5955b2ea777edd6366c5139029946310bafd |
| SHA256 | d71574e62332c8ba76faf56f14de7357b6b2eba1d6c2e41dd140170a7b729d50 |
| SHA512 | a5be82b7a7940a60e5febf5458237fcfa4b1a06188604529089b711b802c0fee7bad700a368830737e78d0c32431cc8baa13cb65f1c320cf14943be7d8e46972 |
memory/4916-91-0x00007FFBEEAC0000-0x00007FFBEF461000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Logs\err.dat
| MD5 | c50464a6337a533dc2edaa31a80662a8 |
| SHA1 | 967ca7bd671d58ddd791214043a791315fe7c73e |
| SHA256 | cadb9baecf6ad2473b97f67ef4f0ef93cd95a02d924bcc4a1fb17572af3ba5a8 |
| SHA512 | 668e6f481b38129053028834a3d542848485be33e07ef5f3dac83e0f2321629c7d94a9423dc6e7436779ffd9965e973b3b5f7efa0944980c41b314f3a05321c3 |
C:\Users\Admin\AppData\Local\Temp\Errors.dat
| MD5 | af1cbbf38f1a43db153df455ae5923c3 |
| SHA1 | b07b4eaad7fa713c206227672c94eb1ad5686aee |
| SHA256 | 1176e2572eff93a2574e8264dcf54436b1dc3c6afb1f7cfc7061834d110f881b |
| SHA512 | 0ee847cb7ef6af1b8af002dd058bc7ccea6810f8e7ffd41895db1f1e8fc1910f9adabeb52ad540cf582ff701959dcd6f48c8f99b01b8f5eb4f30df27812e14c5 |
memory/4916-213-0x00007FFBEEAC0000-0x00007FFBEF461000-memory.dmp
memory/3160-214-0x00007FFBEEAC0000-0x00007FFBEF461000-memory.dmp
\??\c:\users\admin\appdata\local\temp\Errors.dat
| MD5 | 5bff40a52cf1b455c98ef866cd14b69d |
| SHA1 | 4dccbe4c71573350e59385a857742d0a39afbc49 |
| SHA256 | 693282321c3d491c51072c9aaa43b672294ae76213986f3456065f23f091b0c1 |
| SHA512 | 8109c0faa6a6f601c1328c4c416d5be202ec2437012fc1217e1c66eec150f3ab40a65a9e6a9408db9af0d9ba060a6ad9b0f788b84fc6f70231b69226f48c5fb9 |
\??\c:\users\admin\appdata\local\temp\Logs\err.dat
| MD5 | b997e4136d83f6b8da47ce20740961ac |
| SHA1 | 1b9d97bae4f1603f1c204ae5cd04c02242eb4915 |
| SHA256 | d2b0cb1dea27ecc18f0afc9aee4c584fcbe68fef1b4f6e6e1a4bd93397566bc9 |
| SHA512 | 6a2b512f90b3a15641037955e030aedf81cd70dc1969766c8f27332d0309b59416ca32f7b9f86074f32cb75b87719c467a01ba88108c221bf0a602021a01ecbc |
Analysis: behavioral19
Detonation Overview
Submitted
2024-06-01 07:37
Reported
2024-06-01 07:40
Platform
win7-20240221-en
Max time kernel
120s
Max time network
124s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ByteFenceService.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\ByteFenceService.exe
"C:\Users\Admin\AppData\Local\Temp\ByteFenceService.exe"
Network
Files
memory/2192-0-0x000007FEF5C5E000-0x000007FEF5C5F000-memory.dmp
memory/2192-1-0x000007FEF59A0000-0x000007FEF633D000-memory.dmp
memory/2192-2-0x000007FEF59A0000-0x000007FEF633D000-memory.dmp
memory/2192-3-0x000000001AF50000-0x000000001B476000-memory.dmp
memory/2192-4-0x000007FEF59A0000-0x000007FEF633D000-memory.dmp
memory/2192-5-0x000007FEF59A0000-0x000007FEF633D000-memory.dmp
Analysis: behavioral23
Detonation Overview
Submitted
2024-06-01 07:37
Reported
2024-06-01 07:40
Platform
win7-20240221-en
Max time kernel
118s
Max time network
121s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Microsoft.Win32.TaskScheduler.dll,#1
Network
Files
Analysis: behavioral24
Detonation Overview
Submitted
2024-06-01 07:37
Reported
2024-06-01 07:40
Platform
win10v2004-20240508-en
Max time kernel
131s
Max time network
129s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Microsoft.Win32.TaskScheduler.dll,#1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4356,i,5047420736443372512,9747851268033796534,262144 --variations-seed-version --mojo-platform-channel-handle=3856 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.173.189.20.in-addr.arpa | udp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-01 07:37
Reported
2024-06-01 07:40
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
149s
Command Line
Signatures
Enumerates VirtualBox registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VBoxGuest | C:\Program Files\ByteFence\ByteFence.exe | N/A |
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\FADT\VBOX__ | C:\Program Files\ByteFence\ByteFence.exe | N/A |
Looks for VMWare Tools registry key
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\VMware, Inc.\VMware Tools | C:\Program Files\ByteFence\ByteFence.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Program Files\ByteFence\ByteFence.exe | N/A |
Reads user/profile data of web browsers
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files\ByteFence\ByteFence.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\f: | C:\Program Files\ByteFence\ByteFence.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\CatRoot2\dberr.txt | C:\Program Files\ByteFence\ByteFence.exe | N/A |
Checks installed software on the system
Checks system information in the registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName | C:\Program Files\ByteFence\ByteFence.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\ByteFence\Cache\SRb0eabbd37a97a1abcd90bd56394f5c45585699eb | C:\Program Files\ByteFence\ByteFence.exe | N/A |
| File created | C:\Program Files\ByteFence\Cache\SR59549d367a7eca13225a2cc432f4ec06632ba0e7 | C:\Program Files\ByteFence\ByteFence.exe | N/A |
| File created | C:\Program Files\ByteFence\Cache\SR2a3ec95cb473d5666e9c9f66c33c80e001e39561 | C:\Program Files\ByteFence\ByteFence.exe | N/A |
| File created | C:\Program Files\ByteFence\Cache\SRae38ca93e3870805a334fcc8929709d38a748fa0 | C:\Program Files\ByteFence\ByteFence.exe | N/A |
| File created | C:\Program Files\ByteFence\Cache\SR0f98f1d3d8a047bd9b68a75251ac8db46a0fca57 | C:\Program Files\ByteFence\ByteFence.exe | N/A |
| File created | C:\Program Files\ByteFence\Cache\SR079180ea081869278b27acfbfe75250d69465996 | C:\Program Files\ByteFence\ByteFence.exe | N/A |
| File created | C:\Program Files\ByteFence\Cache\SRb31d16d4fad2767262ed2edb0dde8cb310a837dd | C:\Program Files\ByteFence\ByteFence.exe | N/A |
| File created | C:\Program Files\ByteFence\Cache\SR939e6ffb298749d8b3bc002a3476c3f899f3d30a | C:\Program Files\ByteFence\ByteFence.exe | N/A |
| File created | C:\Program Files\ByteFence\x86\KernelTraceControl.dll | C:\Program Files\ByteFence\bytefence-installer-5.4.1.3.exe | N/A |
| File created | C:\Program Files\ByteFence\Cache\SRbcf2b2d687a58650214a94001a2fe5c2c92c9d74 | C:\Program Files\ByteFence\ByteFence.exe | N/A |
| File created | C:\Program Files\ByteFence\Cache\SR0e89c929d13d470d7ba8cd9443db8f40822ff393 | C:\Program Files\ByteFence\ByteFence.exe | N/A |
| File created | C:\Program Files\ByteFence\Cache\SR1b8005cf8d5cbc655e9cfb6dae11d16f09f179f2 | C:\Program Files\ByteFence\ByteFence.exe | N/A |
| File created | C:\Program Files\ByteFence\Cache\SR3eb8461ffc219f6cf85f9fe93bae94c9992bf29c | C:\Program Files\ByteFence\ByteFence.exe | N/A |
| File created | C:\Program Files\ByteFence\Cache\SRa8757b0f5c73459ef182c89c6554fd69081b5590 | C:\Program Files\ByteFence\ByteFence.exe | N/A |
| File created | C:\Program Files\ByteFence\Cache\SReeb87baecb169a3a8653e0ba38f2e756615ba6b1 | C:\Program Files\ByteFence\ByteFence.exe | N/A |
| File created | C:\Program Files\ByteFence\Cache\SR3b3d4b8e4df75365c9924c203732159f5f138263 | C:\Program Files\ByteFence\ByteFence.exe | N/A |
| File created | C:\Program Files\ByteFence\Cache\SRede8453f26e48de6539e35879142d216c446c754 | C:\Program Files\ByteFence\ByteFence.exe | N/A |
| File created | C:\Program Files\ByteFence\Cache\SR133e9bb3c136093e28bd27cc1b8d6d1d2c441495 | C:\Program Files\ByteFence\ByteFence.exe | N/A |
| File created | C:\Program Files\ByteFence\x86\System.Data.SQLite.dll | C:\Program Files\ByteFence\bytefence-installer-5.4.1.3.exe | N/A |
| File created | C:\Program Files\ByteFence\Cache\SRc3c193e0baab96c5541942c73fa61861bf45ed0c | C:\Program Files\ByteFence\ByteFence.exe | N/A |
| File created | C:\Program Files\ByteFence\Cache\SRca9ca4e0ad75d05a0cbb10069a3de784218ede21 | C:\Program Files\ByteFence\ByteFence.exe | N/A |
| File created | C:\Program Files\ByteFence\Cache\SR167e549bf81e0c9d27f8481ce4904d8627549e1e | C:\Program Files\ByteFence\ByteFence.exe | N/A |
| File created | C:\Program Files\ByteFence\Cache\SRd11ce21a6b9e2bec6e53baec95ad20404b4031a3 | C:\Program Files\ByteFence\ByteFence.exe | N/A |
| File created | C:\Program Files\ByteFence\Cache\SR6c8ae73cbd4b2bdf3b0cfd12408aefb56a45894f | C:\Program Files\ByteFence\ByteFence.exe | N/A |
| File created | C:\Program Files\ByteFence\Cache\SRf3235ac1dd7d78b6eecacc11de01c1c514c832cf | C:\Program Files\ByteFence\ByteFence.exe | N/A |
| File created | C:\Program Files\ByteFence\Cache\SRd65dda3b5ed1bb3b23a8919f4609e9834cde8deb | C:\Program Files\ByteFence\ByteFence.exe | N/A |
| File created | C:\Program Files\ByteFence\Cache\SR6f6275c3521ed70d78bc059efdc39917e923336c | C:\Program Files\ByteFence\ByteFence.exe | N/A |
| File created | C:\Program Files\ByteFence\Cache\SR064bdfa92ba0036f9a135887dbff4a5a4f73bc70 | C:\Program Files\ByteFence\ByteFence.exe | N/A |
| File created | C:\Program Files\ByteFence\Cache\SRafdbf106e79af8ec45a1f0533af86019e59f9614 | C:\Program Files\ByteFence\ByteFence.exe | N/A |
| File created | C:\Program Files\ByteFence\Cache\SRad3aea8e31b398e8e740be5afeb007e27304ec72 | C:\Program Files\ByteFence\ByteFence.exe | N/A |
| File created | C:\Program Files\ByteFence\Cache\SR90cabc7f791e719063d32090ed5080615c975f73 | C:\Program Files\ByteFence\ByteFence.exe | N/A |
| File created | C:\Program Files\ByteFence\Cache\SR8aa451681ae53d126eebc712ed2c9bee04f6b0f0 | C:\Program Files\ByteFence\ByteFence.exe | N/A |
| File created | C:\Program Files\ByteFence\Cache\SRf27d5c6d56c84ba9f4414dd223f7ad69c89540f8 | C:\Program Files\ByteFence\ByteFence.exe | N/A |
| File created | C:\Program Files\ByteFence\x64\System.Data.SQLite.dll | C:\Program Files\ByteFence\bytefence-installer-5.4.1.3.exe | N/A |
| File created | C:\Program Files\ByteFence\Cache\SR2ba179dad9f6ad4cbcccc0de3d984098e41a2289 | C:\Program Files\ByteFence\ByteFence.exe | N/A |
| File created | C:\Program Files\ByteFence\Cache\SR2e03f11361ca76c5fb2c8c8f196e7455cf86efab | C:\Program Files\ByteFence\ByteFence.exe | N/A |
| File created | C:\Program Files\ByteFence\Cache\SR90f870f43852b3fd62110692030bd20887777c0e | C:\Program Files\ByteFence\ByteFence.exe | N/A |
| File created | C:\Program Files\ByteFence\Cache\SR2f23968ff651232cd8e74ba7ce308ecd4e91e405 | C:\Program Files\ByteFence\ByteFence.exe | N/A |
| File created | C:\Program Files\ByteFence\Cache\SR88ae12ad459843942e74893a843f7b57203d80e6 | C:\Program Files\ByteFence\ByteFence.exe | N/A |
| File created | C:\Program Files\ByteFence\Cache\SRaaba6f3f82a2630f4e43cfebb970d3542425786a | C:\Program Files\ByteFence\ByteFence.exe | N/A |
| File created | C:\Program Files\ByteFence\Cache\SR41110d339b29c410d6ebf92cd72794173ef43c8c | C:\Program Files\ByteFence\ByteFence.exe | N/A |
| File created | C:\Program Files\ByteFence\Cache\SRd56614e23a02d7939b165f44c8802b7da7196a40 | C:\Program Files\ByteFence\ByteFence.exe | N/A |
| File created | C:\Program Files\ByteFence\Cache\SR8b8edfbc7b5f34bee340897a343f605d87318297 | C:\Program Files\ByteFence\ByteFence.exe | N/A |
| File created | C:\Program Files\ByteFence\Cache\SRb9fe46827a9d327bbd54bba73b6bd0cb75cda520 | C:\Program Files\ByteFence\ByteFence.exe | N/A |
| File created | C:\Program Files\ByteFence\Cache\SR4e359a0ffd8f97f1e935f5a0ba8fd4880e077d05 | C:\Program Files\ByteFence\ByteFence.exe | N/A |
| File created | C:\Program Files\ByteFence\Cache\SRc620f8ab8c725ba70cf4d785035c795baaf307e1 | C:\Program Files\ByteFence\ByteFence.exe | N/A |
| File created | C:\Program Files\ByteFence\Cache\SR4c92bf0e57ce6b8d790dc022ffceae834ce2374b | C:\Program Files\ByteFence\ByteFence.exe | N/A |
| File created | C:\Program Files\ByteFence\Cache\SR0261c48f5b5f1caaeade4fe99acc982488375077 | C:\Program Files\ByteFence\ByteFence.exe | N/A |
| File created | C:\Program Files\ByteFence\Cache\SR5db2daab29805715422c1879cc375aafdfa23c66 | C:\Program Files\ByteFence\ByteFence.exe | N/A |
| File created | C:\Program Files\ByteFence\Cache\SRd9b3af28c0dd54260ec2995e1610568dbb23c48e | C:\Program Files\ByteFence\ByteFence.exe | N/A |
| File created | C:\Program Files\ByteFence\Cache\SR0a6a4f28e743ec3eaf2320ff9c58168ed02ecc4a | C:\Program Files\ByteFence\ByteFence.exe | N/A |
| File created | C:\Program Files\ByteFence\Cache\SR8bb47cf2af65fdd55ee41f36a09dad9a7538f56e | C:\Program Files\ByteFence\ByteFence.exe | N/A |
| File created | C:\Program Files\ByteFence\Cache\SRf8098fe4b494ef5d635684cc61eb2fc64136a053 | C:\Program Files\ByteFence\ByteFence.exe | N/A |
| File created | C:\Program Files\ByteFence\Cache\SR84cdd4ed7c9005e4fa862ba9cc0cb4d9cd8f2016 | C:\Program Files\ByteFence\ByteFence.exe | N/A |
| File created | C:\Program Files\ByteFence\Cache\SR8981c79fa6f87cb34b3078c62754a7be2786ad55 | C:\Program Files\ByteFence\ByteFence.exe | N/A |
| File created | C:\Program Files\ByteFence\Cache\SR268d921b176bf3e466a527718d21518dc017f322 | C:\Program Files\ByteFence\ByteFence.exe | N/A |
| File created | C:\Program Files\ByteFence\Cache\SRca777eebdb4eef5617fd4ea976f6465b7f718914 | C:\Program Files\ByteFence\ByteFence.exe | N/A |
| File created | C:\Program Files\ByteFence\Cache\SR10466d401f7ec85bd184b7f6355aff4733d68d4c | C:\Program Files\ByteFence\ByteFence.exe | N/A |
| File created | C:\Program Files\ByteFence\Cache\SR066d532ecab5a4fc94f403953b44a6d8a8822612 | C:\Program Files\ByteFence\ByteFence.exe | N/A |
| File created | C:\Program Files\ByteFence\Cache\SR08fc2a8850ddf94af5d83d03e6caf192d392ccea | C:\Program Files\ByteFence\ByteFence.exe | N/A |
| File created | C:\Program Files\ByteFence\Cache\SRc8f918bac3d721bdf895f3423d72cffdf65f5a03 | C:\Program Files\ByteFence\ByteFence.exe | N/A |
| File created | C:\Program Files\ByteFence\Cache\SR535053509b1cdd9aa17fd50ed298ff2182d4be84 | C:\Program Files\ByteFence\ByteFence.exe | N/A |
| File created | C:\Program Files\ByteFence\Cache\SRee0ecaedf725849dac93d4f32a4fd7ee3a448c3c | C:\Program Files\ByteFence\ByteFence.exe | N/A |
| File created | C:\Program Files\ByteFence\Cache\SR57631fda7ed916781b37480f3cd560a894c59499 | C:\Program Files\ByteFence\ByteFence.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\ByteFence\bytefence-installer-5.4.1.3.exe | N/A |
| N/A | N/A | C:\Program Files\ByteFence\ByteFence.exe | N/A |
| N/A | N/A | \??\c:\program files\bytefence\ByteFenceService.exe | N/A |
| N/A | N/A | \??\c:\program files\bytefence\ByteFenceService.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\ByteFence\bytefence-installer-5.4.1.3.exe | N/A |
| N/A | N/A | C:\Program Files\ByteFence\bytefence-installer-5.4.1.3.exe | N/A |
| N/A | N/A | C:\Program Files\ByteFence\bytefence-installer-5.4.1.3.exe | N/A |
| N/A | N/A | C:\Program Files\ByteFence\bytefence-installer-5.4.1.3.exe | N/A |
| N/A | N/A | C:\Program Files\ByteFence\bytefence-installer-5.4.1.3.exe | N/A |
| N/A | N/A | C:\Program Files\ByteFence\bytefence-installer-5.4.1.3.exe | N/A |
| N/A | N/A | C:\Program Files\ByteFence\bytefence-installer-5.4.1.3.exe | N/A |
| N/A | N/A | \??\c:\program files\bytefence\ByteFenceService.exe | N/A |
| N/A | N/A | C:\Program Files\ByteFence\ByteFence.exe | N/A |
| N/A | N/A | C:\Program Files\ByteFence\ByteFence.exe | N/A |
| N/A | N/A | C:\Program Files\ByteFence\ByteFence.exe | N/A |
| N/A | N/A | C:\Program Files\ByteFence\ByteFence.exe | N/A |
| N/A | N/A | C:\Program Files\ByteFence\ByteFence.exe | N/A |
Enumerates physical storage devices
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | \??\c:\program files\bytefence\ByteFenceService.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\ByteFence File Scan\command\ = "\"C:\\Program Files\\ByteFence\\ByteFenceScan.exe\" /scan:\"%1\"" | C:\Program Files\ByteFence\ByteFence.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\ByteFence Folder Scan\Position = "Middle" | C:\Program Files\ByteFence\ByteFence.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\ByteFence Folder Scan\command | C:\Program Files\ByteFence\ByteFence.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\ByteFence File Scan | C:\Program Files\ByteFence\ByteFence.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\ByteFence File Scan\Icon = "\"C:\\Program Files\\ByteFence\\ByteFence.exe\",0" | C:\Program Files\ByteFence\ByteFence.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\ByteFence File Scan\command | C:\Program Files\ByteFence\ByteFence.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\ByteFence Folder Scan | C:\Program Files\ByteFence\ByteFence.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\ByteFence Folder Scan\ = "Scan with ByteFence Anti-Malware..." | C:\Program Files\ByteFence\ByteFence.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\ByteFence Folder Scan\Icon = "\"C:\\Program Files\\ByteFence\\ByteFence.exe\",0" | C:\Program Files\ByteFence\ByteFence.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\ByteFence Folder Scan\command\ = "\"C:\\Program Files\\ByteFence\\ByteFenceScan.exe\" /scan:\"%1\"" | C:\Program Files\ByteFence\ByteFence.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\ByteFence File Scan\ = "Scan with ByteFence Anti-Malware..." | C:\Program Files\ByteFence\ByteFence.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\ByteFence File Scan\Position = "Middle" | C:\Program Files\ByteFence\ByteFence.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 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 | C:\Program Files\ByteFence\ByteFence.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 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 | C:\Program Files\ByteFence\ByteFence.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5 | C:\Program Files\ByteFence\ByteFence.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 040000000100000010000000cb17e431673ee209fe455793f30afa1c0f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c953000000010000006300000030613021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c0301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c07f000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030109000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703016200000001000000200000009acfab7e43c8d880d06b262a94deeee4b4659989c3d0caf19baf6405e41ab7df1400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af3331330b000000010000001200000056006500720069005300690067006e0000001d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3617e000000010000000800000000c0032f2df8d6016800000001000000000000000300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e5190000000100000010000000d8b5fb368468620275d142ffd2aade372000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a | C:\Program Files\ByteFence\ByteFence.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 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 | C:\Program Files\ByteFence\ByteFence.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 | C:\Program Files\ByteFence\ByteFence.exe | N/A |
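The "Modifies system certificate store" rows above deserve a closer look before they are counted as malicious. The target is the AuthRoot store, which is the store Windows' automatic root update populates from within whichever process happens to build a certificate chain, so the writer being ByteFence.exe does not by itself mean the installer ships a CA. The Blob value is a serialized store element: a sequence of little-endian records {property id u32, reserved u32 (1 in every record here), length u32, data}. Reading the hex of the 4EB6D578... value directly: property 0x0b (friendly name) is UTF-16 "VeriSign", property 0x14 (key identifier) is 7fd365a7...af333133, property 0x03 (SHA1 hash) is 4eb6d578...6744a5e5, i.e. the registry key name, and property 0x20 carries 0x4d7 = 1239 bytes of DER whose subject reads "VeriSign Class 3 Public Primary Certification Authority - G5". The check a practitioner wants is therefore mechanical: extract the DER, recompute its SHA1 and confirm it equals both the key name and the stored hash property; a mismatch, or a write into the ROOT store rather than AuthRoot, is what would make this row interesting. The following parser is an added example, not part of the report or of the ByteFence product; the property ids are the CERT_*_PROP_ID constants from wincrypt.h, and the sample blob is constructed around a placeholder byte string so the code runs offline without the real certificate.

```python
import hashlib
import struct

# Certificate property ids from wincrypt.h (CERT_*_PROP_ID).  A Blob value under
# SystemCertificates\<store>\Certificates\<thumbprint> is a serialized store element:
# repeated {propid u32, reserved u32, cbData u32, data[cbData]}, all little-endian.
CERT_SHA1_HASH_PROP_ID = 3
CERT_FRIENDLY_NAME_PROP_ID = 11
CERT_KEY_IDENTIFIER_PROP_ID = 20
CERT_CERT_PROP_ID = 32          # the DER-encoded certificate itself


def parse_blob(blob: bytes) -> dict:
    """Split a serialized store element into {propid: raw_bytes}; rejects truncated input."""
    props = {}
    off = 0
    while off < len(blob):
        if off + 12 > len(blob):
            raise ValueError(f"truncated property header at offset {off}")
        propid, _reserved, cb = struct.unpack_from("<III", blob, off)
        off += 12
        if off + cb > len(blob):
            raise ValueError(f"property {propid:#x} claims {cb} bytes past end of blob")
        props[propid] = blob[off:off + cb]
        off += cb
    return props


def check_auth_root_entry(key_name: str, blob: bytes) -> dict:
    """Recompute the thumbprint of the embedded certificate and compare it with the
    registry key name and with the SHA1 property stored inside the blob."""
    props = parse_blob(blob)
    if CERT_CERT_PROP_ID not in props:
        raise ValueError("blob carries no encoded certificate (property 0x20)")
    der = props[CERT_CERT_PROP_ID]
    thumbprint = hashlib.sha1(der).hexdigest().upper()
    stored = props.get(CERT_SHA1_HASH_PROP_ID, b"").hex().upper()
    friendly = props.get(CERT_FRIENDLY_NAME_PROP_ID, b"").decode("utf-16-le").rstrip("\x00")
    return {
        "thumbprint": thumbprint,
        "friendly_name": friendly,
        "matches_key_name": thumbprint == key_name.upper(),
        "matches_stored_hash": thumbprint == stored,
    }


def build_blob(props) -> bytes:
    """Serialize (propid, data) pairs in the same layout; used here to construct test input."""
    return b"".join(struct.pack("<III", pid, 1, len(data)) + data for pid, data in props)


# Constructed sample: a placeholder byte string stands in for the DER certificate so the
# example runs offline.  It is not a real certificate and is not taken from the report.
SAMPLE_DER = bytes.fromhex("3082000c300a0201010203010001")
SAMPLE_THUMBPRINT = hashlib.sha1(SAMPLE_DER).hexdigest().upper()
SAMPLE_BLOB = build_blob([
    (CERT_FRIENDLY_NAME_PROP_ID, "VeriSign\x00".encode("utf-16-le")),
    (CERT_KEY_IDENTIFIER_PROP_ID, bytes(range(20))),
    (CERT_SHA1_HASH_PROP_ID, hashlib.sha1(SAMPLE_DER).digest()),
    (CERT_CERT_PROP_ID, SAMPLE_DER),
])

if __name__ == "__main__":
    print(check_auth_root_entry(SAMPLE_THUMBPRINT, SAMPLE_BLOB))
    # For the real row, paste the hex after "Blob =" from the report into hex_text and call
    # check_auth_root_entry("4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5", bytes.fromhex(hex_text))
```

Both comparisons matter: the key name can be chosen freely by whoever writes the key, while the stored SHA1 property is what CryptoAPI trusts when it enumerates the store, so an entry where the recomputed thumbprint disagrees with either one was not written by the normal root-update path.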
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\ByteFence\ByteFence.exe | N/A |
| N/A | N/A | C:\Program Files\ByteFence\ByteFence.exe | N/A |
| N/A | N/A | C:\Program Files\ByteFence\ByteFence.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\ByteFence\ByteFence.exe | N/A |
| N/A | N/A | C:\Program Files\ByteFence\ByteFence.exe | N/A |
| N/A | N/A | C:\Program Files\ByteFence\ByteFence.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy WMI provider
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\89c55b3ce90e0aa737ef7f77326ac316_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\89c55b3ce90e0aa737ef7f77326ac316_JaffaCakes118.exe"
C:\Program Files\ByteFence\bytefence-installer-5.4.1.3.exe
"C:\Program Files\ByteFence\bytefence-installer-5.4.1.3.exe" /S
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im ByteFence.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im ByteFenceService.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im ByteFenceScan.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im rsEngineHelper.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im rsLggr.exe
C:\Program Files\ByteFence\ByteFence.exe
"C:\Program Files\ByteFence\ByteFence.exe"
\??\c:\program files\bytefence\ByteFenceService.exe
"c:\program files\bytefence\ByteFenceService.exe" /i
\??\c:\program files\bytefence\ByteFenceService.exe
"c:\program files\bytefence\ByteFenceService.exe"
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\netsh.exe
"C:\Windows\system32\netsh.exe" winsock show catalog
C:\Windows\SysWOW64\netsh.exe
"C:\Windows\SysWOW64\netsh.exe" winsock show catalog
C:\Windows\System32\bitsadmin.exe
"C:\Windows\System32\bitsadmin.exe" /rawreturn /nowrap /list /allusers /verbose
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | logs.bytefence.com | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| NL | 23.62.61.155:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | logs.bytefence.com | udp |
| US | 8.8.8.8:53 | 155.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.reason.technology | udp |
| US | 8.8.8.8:53 | proxel.bytefence.com | udp |
| US | 8.8.8.8:53 | logs.bytefence.com | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.reasonsecurity.com | udp |
| US | 172.67.9.68:443 | api.reasonsecurity.com | tcp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | cdn.bytefence.com | udp |
| US | 172.67.9.68:443 | api.reasonsecurity.com | tcp |
| US | 8.8.8.8:53 | 68.9.67.172.in-addr.arpa | udp |
| US | 172.67.9.68:443 | api.reasonsecurity.com | tcp |
| US | 172.67.9.68:443 | api.reasonsecurity.com | tcp |
| US | 172.67.9.68:443 | api.reasonsecurity.com | tcp |
| US | 8.8.8.8:53 | logs.bytefence.com | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ocsp.thawte.com | udp |
| US | 152.199.19.74:80 | ocsp.thawte.com | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | crl.thawte.com | udp |
| SE | 192.229.221.95:80 | crl.thawte.com | tcp |
| US | 8.8.8.8:53 | 74.19.199.152.in-addr.arpa | udp |
| US | 8.8.8.8:53 | logs.bytefence.com | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ocsp.trust-provider.com | udp |
| US | 172.64.149.23:80 | ocsp.trust-provider.com | tcp |
| US | 8.8.8.8:53 | 23.149.64.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | crl.trust-provider.com | udp |
| US | 104.18.38.233:80 | crl.trust-provider.com | tcp |
| US | 8.8.8.8:53 | www.intel.com | udp |
| BE | 104.68.78.119:80 | www.intel.com | tcp |
| US | 8.8.8.8:53 | certificates.intel.com | udp |
| GB | 104.91.71.134:80 | certificates.intel.com | tcp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 233.38.18.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 119.78.68.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | logs.bytefence.com | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | logs.bytefence.com | udp |
Files
C:\Program Files\ByteFence\bytefence-installer-5.4.1.3.exe
| MD5 | c4951a516fe1b3a8a579e73877a4b1a4 |
| SHA1 | 400acb837edec53c746be0ccb2bb9d774fa150e9 |
| SHA256 | 61dc83d20af7bfa9458a4ee7b08bc05fc33b09aa5f04bf655f9f607125d1934b |
| SHA512 | a6933dab647728a2ccfaabdcb7561ab804efdf9ba6193d920712d04c842400b6c975bb0c0228a03f2a3b7dce3019397615267e2905cda73441abc6ef1978faeb |
C:\Users\Admin\AppData\Local\Temp\nsu468F.tmp\nsisdl.dll
| MD5 | a95c7af96416b2cd084fed4c07c8c291 |
| SHA1 | 0c62c2fd843ccb59784404ed36369784dc557671 |
| SHA256 | a1e09fb1739ef7557d18104b0d6a4c7725e1ec293f5404c80402f57ff9ebb9d0 |
| SHA512 | 427ef14b116b574c5558cc6bb0ce03ab37f891f2d7ab0f130e3cddd0265e6bd269c598ce93230e56cd41bb9d2649bbbaa2fa2c654d8116c0c6f79a6f3419d1dc |
C:\Users\Admin\AppData\Local\Temp\nsu468F.tmp\nsExec.dll
| MD5 | 1f49d8af9be9e915d54b2441c4a79adf |
| SHA1 | 1ee4f809c693e31f34bc6d8153664a6dc2c3e499 |
| SHA256 | b22c8f676dec58be8d25fbad1a37835ffc4029f29aaf79f4dc0337ca73a38782 |
| SHA512 | c60827e322e3168a79795ffd4beb0b0039842128255100d6b005d261402d2ff570f3866f441f3d3c063097c71d44bc5ae80d177fa91ef4e46fc8c2d97de27aa4 |
C:\Program Files\ByteFence\ByteFence.exe
| MD5 | ae114355b714bc831f641ffc1fd5d96b |
| SHA1 | 52885c21ee681f3b0dbb7d13191fbbb141fdf906 |
| SHA256 | 517516b4fe19c58397a703bed0884cd439a6ad7ddadfd3de2b9d40d035659448 |
| SHA512 | 7db682dc63cae4ca91085f34788af53bc2cfd350af476749a4045ff2d751d810d5a8a140b28800ef284aed17cf87c5173f8bc107c73fe75555506fad66358dfe |
C:\Program Files\ByteFence\ByteFence.exe.config
| MD5 | e3d5f62b7b28176a510484e465fa0f18 |
| SHA1 | d9d4f8875c6d96f57549abf06eb336650595ab5a |
| SHA256 | 827cda24df7876010d5239fe2b8af49472442d899f9c0f6d9ff53b4ff6860946 |
| SHA512 | 8c27c69e010d263cb5599a2c38a58b3b9ad61983c512ab4f7d3b46b859393468ad09d6423013ae808c3d243a9b8cb479e499d128539a3959bede78ad145b85be |
C:\Program Files\ByteFence\rsEngine.dll
| MD5 | 38bfe41fef177604494f49ee8023b887 |
| SHA1 | fca37c9a1f3b9eaa68b489b091020cff0f672e6b |
| SHA256 | 65555310943571e3d7cdb37c8a5cfa6e332400397d4d1dcbe4033370a5db81f6 |
| SHA512 | f0b3dd5b27893ccfce43a033cd89ae190bf9d016711e85cea2d3ecf8478db365d47a7f8b86c08bb0941ebff3522f0b6b093c9e5c9527c2737da7ded2614401c2 |
memory/3400-73-0x000000001C7E0000-0x000000001CD06000-memory.dmp
memory/3400-74-0x000000001ECD0000-0x000000001F19E000-memory.dmp
memory/3400-75-0x000000001C710000-0x000000001C7AC000-memory.dmp
C:\Program Files\ByteFence\rsUtils.dll
| MD5 | 7e8e3b06787101511fdbadd6ed070ee1 |
| SHA1 | 71e4c41f92ed47daeeee0aab732ddc8e5acd21de |
| SHA256 | b89c0d12a3caa4a663277ce1f0da91efa497515ebca0d18f60c5e65c9920868f |
| SHA512 | 254422dc751dbf5758434a980fefa5e47caa6c28bcaff4bf2e53cc467fc35cd8627787099d8960f2d64351d4706e2a53071dc1daed2b1ce8516e8cee9c5db3dc |
memory/3400-77-0x000000001C5F0000-0x000000001C62A000-memory.dmp
memory/3400-81-0x0000000020E50000-0x0000000020F26000-memory.dmp
C:\Program Files\ByteFence\Microsoft.Win32.TaskScheduler.dll
| MD5 | 1802e6df96046cfee62c63c4c8469a3e |
| SHA1 | c5d6444fcd8f46e1832c99614f5e71adff582f6d |
| SHA256 | cc6c472f666239ed270cc3754852f536b8981d6fd22e4ad1ee15a1aa788a3ba9 |
| SHA512 | 339f5b917c4afbc25175bd173cebefdd8f4671e157ecfb8a9c21b78db9d34fd9757787c231575e8849509cac59162c6c67fb32af6febd6903ec285e21c0fd304 |
memory/3400-83-0x000000001F830000-0x000000001F882000-memory.dmp
C:\Program Files\ByteFence\ByteFenceGUI.dll
| MD5 | 637e8fcc69c33392335ffeaaca446a1b |
| SHA1 | 91a56d770a3731310c412cd0c9cea9439594f593 |
| SHA256 | 496378bea9a3d62401744cd3941eda5177dc54733cd45735acf0c373372b5c5e |
| SHA512 | ffd8deba9afea17cf93219774e5d576b4bb39c4db710caa9634e5821cbb40e000f446017bf116bbdd475243dc397d4f038bff8f236e1ad9c002604249761fa08 |
memory/3400-84-0x00000000214F0000-0x0000000021552000-memory.dmp
memory/3400-85-0x000000001DDA0000-0x000000001DDC0000-memory.dmp
memory/3400-86-0x000000001DB50000-0x000000001DB58000-memory.dmp
memory/3400-87-0x000000001C170000-0x000000001C176000-memory.dmp
memory/3400-88-0x0000000021280000-0x00000000213F8000-memory.dmp
\??\c:\program files\bytefence\ByteFenceService.exe
| MD5 | ac384df8fbe8a76815fab3a2659f4bc4 |
| SHA1 | c3cf899ade1ec94e7d8a7a4dc64950de99096b4f |
| SHA256 | 0e262b5c4390c353bf98298631877913f6940e9c5042c0979060fca6c964fc17 |
| SHA512 | a27ba4f9d167ba81a053067de6e27d1a81646c640e5246f0036c8758f123209206f187fb8b3a073bf3f31717b80cafc3d78add7fc4e33204b87460e14fad4d90 |
memory/2240-95-0x000000001BBD0000-0x000000001BBE8000-memory.dmp
memory/2240-98-0x000000001C330000-0x000000001C354000-memory.dmp
C:\Program Files\ByteFence\ByteFenceService.InstallLog
| MD5 | b75675a3fa5eae4d7e2fc5d76897e783 |
| SHA1 | 2784b755b8d201ada3226d1880733c0bca1b377e |
| SHA256 | 417c7f1cbe0ff4278c75ef62ae5f22dba53e79f7952334d3a35bc735b9ff8a43 |
| SHA512 | 57c099075d1c8cf46fb3dc1072b155bcbac58763b4afca4377a9c870febb42c020af98ae442afc38811e43e8f41818ab10163410737b77c52adaeea4ee8f60db |
C:\Program Files\ByteFence\ByteFenceService.InstallLog
| MD5 | 0b2464c9e3d3e45297239acb697f0a2c |
| SHA1 | b105043b8da6b88f6f7dc25ec00cf6ecdbd1b21e |
| SHA256 | 180e58c7b156a7fb934c2e974d90b96d24a2a2e08ef0ec3485512f7b681c766c |
| SHA512 | 9e7411f50ad97fc3eff8f54779f00420f74e1a13f9e5d52961b4fe31ddd1b6a6e603aa49a2ba0769d94af857957b59ae1ee9e725cca3419af8facca1249882ea |
\??\c:\program files\bytefence\rsEngine.config
| MD5 | 427ce4103a0794e3a06d9a2ad0a9d9de |
| SHA1 | aed628de425a84acfe6cd300b27d90d18d802620 |
| SHA256 | 1ad12e7ac644dd4975412378ce13b89a211c64ab6b19af537f86a4b218cd313c |
| SHA512 | c60c310ea901159c3fbfd8ed7474e9528613363eb9ccb21a1667890316438d2f6ef284f14130732197d4428c56153d39da656681419b53e62d7813efdd03bf17 |
\??\c:\program files\bytefence\x64\rsLggrServer_x64.dll
| MD5 | 27236a42b9810c5db8490693c158c838 |
| SHA1 | 3cb8d0f4b818f120afe2447c9b01af674af3a9f2 |
| SHA256 | d67999fe774e5e0f1c18cd5a4da7d6518faa00b8e950e41737e225b615a1b4f5 |
| SHA512 | 97e9c8921caeecbe144ba11be3675365b5bbd92bf45bbe91e9a37c472fe2153f1f250e8e5b8a37d927605a0897d997228d7351476bbc40f9647737c14022411f |
C:\Program Files\ByteFence\x64\rsEngineFW_x64.dll
| MD5 | a82484553da1a7a4ce4f5eda236b7207 |
| SHA1 | 3e56d504d2283653165d78a238c97469a28e5de2 |
| SHA256 | 8a1eff4a86e223dbe808bde5d728367b03e7593b514f5cd9c49387e6ac4b57c5 |
| SHA512 | 03d193de85c8022c746e9f99a0e989cc42445d67fe32a31093e66b4e5e9dd25a4103fbb2e93ffc54401d99d40c3ae519dff7db999d64bc7f3cf0af59d82f3681 |
C:\Program Files\ByteFence\Signatures.dat
| MD5 | f0f375247de1b9e526c4017f2fadeffb |
| SHA1 | 9517426f632818af694335abe475b9e7852ca4b1 |
| SHA256 | 91a803a30b82888c437c9f5c1f6579b4ce070625b4e1664e14105156b360ab17 |
| SHA512 | e532f9fe55952e26fe315d16a2e676e233f3bae35629f4b977e17ac3ca96c6b280c39f1854d175a81811c5aa5042d86367b31f7844c99239a0f074e2458239b2 |
C:\Program Files\ByteFence\x64\rsEnginePM_x64.dll
| MD5 | 15cf59afcaff08b12d37f2d7c9f6ed81 |
| SHA1 | 1d0464d1f13ffe71ff12556c433d95f168a1cfb2 |
| SHA256 | a4d7f4259cf04e7299f5ab6fe2ceb95680e35427d613aff26dc27d954b8311c2 |
| SHA512 | e35196ae1367a7cae677f1c90dff7a186a03a95a9b7ede67e1c2d5c98db03d1b6e2ae868efae0c8ee12ee8b4067d0fa36139cb514d7d01982f756c0c6db47629 |
C:\Program Files\ByteFence\Signatures.dat
| MD5 | fb84325fd7362b5634c4de62b3a2c001 |
| SHA1 | ebb54ec78a071ce47a1c86f47903d56d77b34cf7 |
| SHA256 | 23bdccb16e5900857c621b67c779b2a49179aca564eeaf1e74fd10c4eb1651ef |
| SHA512 | d59933302521c9b3eead330a38577faf1df0378aa926690c6001186d495abe4fc470bf578bc9deabd82e26d7b1f8ed446957494122bd65047456c657dc9bade2 |
C:\Program Files\ByteFence\WhiteList.dat
| MD5 | 899c70dd0bdda61514bff5c51a4a0a20 |
| SHA1 | 0fff58ba69a11d1e01c6e2704e553abec1352ce9 |
| SHA256 | 0f9ac436356203842c619d27b8b805e034cfa420e94495170d089629e52038a9 |
| SHA512 | b13691ad0d3768eb6a9e4ea30e9a2ceabdaa1d13730cdda81f18696412ebb4589ee859f422ccf9b01c3399b5dbbcb317e0d6aee91cad10a7985ea8e87148ed9f |
C:\Windows\System32\catroot2\dberr.txt
| MD5 | 773cb06bb43f9562c3b6e05e97788ab7 |
| SHA1 | b10dd5cd80fec68ca183c4d17e1ff423166388d1 |
| SHA256 | 5ee6aac36da9ed2a07b02f1709bfdc6d585f7bbe1cbb2fa3a36879d3f26f6ff1 |
| SHA512 | 9aa526a954ce047bee05c726994149e271ad36da1d805f7c445e34c69d015849730e00206d45e9e75406ed5d5eadf2e5e154efdfc10c07b4b51278d1b16fe94c |
C:\Program Files\ByteFence\Cache\SRc6e63c7aae9c4e07e15c1717872c0c73f3d4fb09
| MD5 | 4c14dc3a32baf44289afd12c946c14b7 |
| SHA1 | 9fb38df47bc27d5e6e53bdec1d0b1b0a5c8a4d48 |
| SHA256 | 20936855cfdb1d7e16996c3eb5d680e19586667bbb81a0cfa15fa33fa23b97b9 |
| SHA512 | 3beefea56a73d3aa2c6386f7f3cac9dca2838d31417a39e59d07a683ba28f00be607cee8604e091e5c612c787e2971fc9ff24a9fe7c8fbb5ca6f014f24aec32f |
C:\Program Files\ByteFence\Cache\SR29fb9af50458df43ef40bfc8f0f516d0c0a106fd
| MD5 | 369195a15fd800aa89a2d13f8797468f |
| SHA1 | 39ea1b9a2f418683c6c536f8840d940d9f0d323e |
| SHA256 | d23173f772aff0e04ed25efe0b8e3c00ddb7e5962935cd9314e25cea66830ae5 |
| SHA512 | f34a985fd88f596b901dee494c013ee47b07c856970f08a12f918f28f3fb8edb480bbee65815d38e39790f3b209c0701f9b2ef2ed3e5900194c3e01152ae6683 |
memory/3400-1279-0x0000000022360000-0x00000000223BE000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9EC3B71635F8BA3FC68DE181A104A0EF_10CFC0D4C45D2E76B7EA49C8C22BEDFE
| MD5 | 5bfa51f3a417b98e7443eca90fc94703 |
| SHA1 | 8c015d80b8a23f780bdd215dc842b0f5551f63bd |
| SHA256 | bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128 |
| SHA512 | 4cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399 |
\??\c:\program files\bytefence\Logs\err.dat
| MD5 | 28ba9d52be22fdff15f2d632f7a2a3cf |
| SHA1 | fce7ce7d5c0f708a334a9760e0f5ac8acb47e46b |
| SHA256 | 227742df1e6fba613863fb3466129ea1ce2d63a90fbc39b760a1064cfc6c9acf |
| SHA512 | e45732848e3625edc1e457bfd1cd5f9c695391f0ae3acc6986ab967d8e5ce77417701163b59e91ff0ab3f38d3cf1cdc98ac96d7fec725a2b5ef2359a54c5a535 |
\??\c:\program files\bytefence\Errors.dat
| MD5 | 8b13b7e35c735410574ffbe21979663b |
| SHA1 | c6509bb2cf82bfe795bce18ff52fb8b35b2ff82a |
| SHA256 | cd9a913bde58aeb69eb85c0ff6566ffd5d2fafc07b13c47769d590928723b4e8 |
| SHA512 | 8c983595e6025ab49761622efa2ebaa93d44918e64eff0f14fb302bc3ed23a56ca728a3745215edb2ab2be3764d6a9efd1ca3f5273f6b467734254b42a790a76 |
memory/3400-2157-0x0000000026790000-0x0000000026A9E000-memory.dmp
C:\Program Files\ByteFence\x64\System.Data.SQLite.dll
| MD5 | e83262d8b431e2fe508bc4a113baff16 |
| SHA1 | 45f849fa7471b6803c721d7c115a301e7d01ee3d |
| SHA256 | 96e8dad51e66b3ee02a5ff00a310fdbfa1d7946d1c92b40fd65acc55de10a738 |
| SHA512 | 15e8e9f4acf2bc0456ae273d4e52243ebdc3dd6074fc20b2524b54b7aad436cd803c5618fa105464040c96acabf0b40cda15c98a2b78d28d3251cbbc3acf22ae |
memory/3400-2162-0x0000000026AA0000-0x0000000026C38000-memory.dmp
memory/3400-2164-0x0000000022460000-0x00000000224A9000-memory.dmp
memory/3400-2165-0x00000000244B0000-0x00000000244EE000-memory.dmp
\??\c:\program files\bytefence\installutil.installlog
| MD5 | 00e3f226484ab07ba503afe751c3571d |
| SHA1 | 47e83a6fdf812648a4dedfc61432fb88c93fe720 |
| SHA256 | 6003bd3edb8914f499a86eb1cd4f5e87585d915d2bf2626ad6f55c8abc53f662 |
| SHA512 | 0f7d65aad26320297f9ff91b11ff7d36c878bb3d318941067783c9e334bb4bbcfb6dc837598a04440f8409dd6b21d4ee5e83cdfa4cdfec0c4a3e0e472c9c8b68 |
\??\c:\program files\bytefence\bytefenceservice.installstate
| MD5 | 4f130e22d88664a9fc01d4e1350ef1b5 |
| SHA1 | 76504e0aeae03d51e2ce52a11d59f5ff18254d86 |
| SHA256 | b80d9b6e89383642c68bcb2285af4746101fa6470fccfccee210790fce79e9ab |
| SHA512 | 6777bc2866092dc417c37ebf3dfa64598c719e037316b69d816fb53e9c89a474a7b2f71cf937212574107a44c8efe035b838393fc9bef1d8c8ffec110dc9df30 |
C:\Program Files\ByteFence\Cache\SR010db07461e45b41c886192df6fd425ba8d42d82
| MD5 | 0d882e5226a5f27aba5b72709917947a |
| SHA1 | 7a6e245b9ed12537fb86bf3d1d05b28c65af60f6 |
| SHA256 | b45be79e87295267cc1d876f0c5b5a4991aa99601e537bad2f9ada53c47ae62b |
| SHA512 | 2488d7b95fd51acc42cc6a6307d0bd857e0c2f558e2d5a2ac3d13c7e4a2de8199d3847ef5ba3dc58c93ee2b6531456e4020b74f4228a7977287109a85e90762b |
C:\Program Files\ByteFence\Cache\SR03aaa61cfdd8c9830383dee534fc984ef0b815f7
| MD5 | 661cc97ca1f78f8bbb1ef084906774a9 |
| SHA1 | abe8c6fb7a87404a19ecc5fffae08f8b6ad0fe4c |
| SHA256 | 48edb2d4f00763e6ea435846d52a7b5cfaa0326e34c646ec9dd9234d65a50e3d |
| SHA512 | 39c31cb299979b20c84caf0e3f9a1bf5c9ce553c42dc52d118fad016c187b44ea56eaa90d6dd3c68f72b7cc7968f3ad154b4c916274c44666280987b113421ff |
C:\Program Files\ByteFence\Cache\SR1c241020754267181dd501949e0d43f35f0a4d10
| MD5 | 485d0c8f502fc8071b6958e315b30026 |
| SHA1 | c7d1abdc75a72e485f8857fbc075c391ed2dbb40 |
| SHA256 | 1bca3f08368c6b083c266a0e8d43caf2c95b42d2c09cf5e450cb80409951c216 |
| SHA512 | 6d3124bf188f4186e44c659d6a304419e85b380956d68d67e9dc495ccddcc029402d28b9f9254f99dec982406d8b354a0ccc1244cd6bb54aba70291243c5f318 |
C:\Program Files\ByteFence\Cache\SR26cdb289cf36d0a0649d99b0ae001a3ac5c3c66b
| MD5 | ebe08eef6af7ae25fc624107e69a7eb2 |
| SHA1 | 500375aa6ffd03f72b8132e0053e12d38053c52f |
| SHA256 | d81a3b1b4f4f53a7fc4f055a5461f3d47f6d2aa7754b3c9a260e96c5a498f437 |
| SHA512 | 502a593c8020e66b638d8fd9f2d2e8a76271885eecbad5f395d7c9461c75e720afd0ec008b6807383de7139d62227d8afafb89f88315c9eb1a4e7ff855d550d7 |
C:\Program Files\ByteFence\Cache\SR4172ec95a16a929de11c7027a878cdd25d86fb8c
| MD5 | 81958e135ce60f3fd4b5ede2e44bfc75 |
| SHA1 | ceea98a62711678a20fe92d032e27e6c7443d08d |
| SHA256 | c0185bf9b1c6465ca93ffc030aa98bff02c6aa8ff121587c3a4d78ce3500df5f |
| SHA512 | 5ea78fe6e0c680fc3e7f38d8e49c440d15b7ebe13e3bc0d9bf3ea088b60126386c490d964cda7fded52a67c9d6739300be15ddeeaaf4e2c95d268df987e7dee5 |
C:\Program Files\ByteFence\Cache\SR6859b01d4b86fca42f316afd98d171fd554bbdb5
| MD5 | 50a1427ccbf38909f0bab54942dddc55 |
| SHA1 | 98c674619b6e91a26c23971e8cb5a3a0baf0780f |
| SHA256 | 1340765286ed2cf8c13c540e108c8d1c182e0c416418564a14cd24af10c94303 |
| SHA512 | 5097c88b315b019f188b6f4cf9af51f64298163a6dac01b4ff566af89b41dd2af965d606e508c7742e1fabf6ed7407b9333b4cb387f0b3708258b7f0c422cdad |
C:\Program Files\ByteFence\Cache\SR751d72d8c6fbcb759e93cbfb9048025aaddc243c
| MD5 | b94d537662c70fd54fe93bb1474d74ba |
| SHA1 | 7d28e787b678d61b4b1a94dcda13ba55561d61b9 |
| SHA256 | 6ddc5f9bacd33f42bb0de18dd18ebe5337179612f3383ebc479060430f06b3b4 |
| SHA512 | e42009f3d9c46667515da14ec40418c6399e15c43511925bcc4598098fa13d870b989fa5023d13c4dc9d3de30b5e748c6eb763be856c3ca319e4ccba172932b1 |
C:\Program Files\ByteFence\Cache\SRe115cbe52e4581d30b7fc44e6ebf860156e88722
| MD5 | bfad40f3d76802af7350010e0587ecd0 |
| SHA1 | c0ea8c94adf0e002261823e7bcacff93ee934634 |
| SHA256 | ee764d92844f2a1e6c736dda6e8c36e64fabc7e33ebefa2b0fe013cac5b83bd3 |
| SHA512 | 8bc4581397adfca20805916806b98b9165879fb9f4baa36c478808d936b90608493d92a5e3fa2f04429463cd2be3143ac9b0886e3747bbab473b773b0ed77b0b |
C:\Program Files\ByteFence\Cache\SRc9e5761e95871b119b53fc3e1e9d7279ba4a1151
| MD5 | 77382804a0d42311ee49de21b1622ce7 |
| SHA1 | 790ae462d2146eee63071339d47e7844533a76c3 |
| SHA256 | 0728cef889a0410d28aae48c370d0a5d381758de36003ec5f82b8f446bd1f564 |
| SHA512 | 479552ea8502bf3775e6ff5b4f017cebef7b9c588ba26cef2d48693e79cda73ebea279532eedff4d11a00ec78e16b056c5a474b62ac83bf03fa2b97258dc7023 |
C:\Program Files\ByteFence\Cache\SR66b6158b28cc2b970e454b6a8cf1824dd99e4029
| MD5 | 4d9868731c4c8e27603621711929bda7 |
| SHA1 | dec5372b7c28b6a16425352de6e82bc6a75555a4 |
| SHA256 | c292f6ab16f8c6a8da509c08454b11a43f0cd81825714201699157999607f7d4 |
| SHA512 | f535cc4c006b79c918ae86e37bfddc325f2a153fcee55bc5ff5f01a815f42f5b81e58a7ee52da1c8c26bf835035abe0b7226ad68c16c516d7e57a46b04adb8ff |
C:\Program Files\ByteFence\Cache\SRf3f9c84d62768898765c3b7140bf952346c9bf9d
| MD5 | 4f10a47190779507658a7cf34b2cf7f9 |
| SHA1 | a65db875c1c9bdae7cac36c84ed256cf81f8cea3 |
| SHA256 | cd02a15f3eeaaae61c69bec6f69991d96b921c20be09b16924b3ac63272f5f50 |
| SHA512 | 996abac9b32726e68f643454b804feb912bc79a06e6f1bab632f555e7956f672e88ae22aea2ac29cc3fd055e5da42763e763f208b2a4d5250d677d9da69df18c |
C:\Program Files\ByteFence\Cache\SR0292a5c4a4d0babb464e87166838be377a59b1ab
| MD5 | a57a3181db3414f9af77742a31a5828f |
| SHA1 | 69751962f87c892b2f8d62fab64d63e43bc20f3f |
| SHA256 | c60ab51ef52fd819a571ea354369a4e7299a2fd2264695bc6848a1f9fb45b5e3 |
| SHA512 | 7fc10cf6f8e2eedc123fdb6bb720b1a38a0948ac89a2e8c44138ca7c2ada934cb9919f056d562b6cc6106f283b8c83e2725e19f9f0f0b59384030fc6e418cd39 |
C:\Program Files\ByteFence\Cache\SR2f8b58ac5e555761dc2ef2e515f054b64d514688
| MD5 | fc3a6ef31a11885d4d5d0e2902da5d23 |
| SHA1 | aacbf983ab9598ac3e0d1810ee7b762a8012509f |
| SHA256 | bde39eaf3a7f3e4cbe669c121fcfaf423e1699b4e5a2d2d7208d93a8345bd6e8 |
| SHA512 | 6234219a744b5d4fe4e686721071efe6e6377c384e8f225d3b1a9e43ceba2ca5e78b6f57676ecc22486c6e2e95c033979f5170f4c042e7957d20f1949ea86ba8 |
C:\Program Files\ByteFence\Cache\SR98a85358eccb159bd83464024ed950911d9f2fb8
| MD5 | e8880063fcc5cf1da407cb5c3eb2f503 |
| SHA1 | 8c5b7a29fb3343e773d15740851f33f4cfb35724 |
| SHA256 | 2da50fd6dd4b0fa2ce81ef9b337006c3f0a053183b4c62c8635070a754bb41e5 |
| SHA512 | 187e9b0f84eeb2344f084cf47adf7a2cad0216105dd40ae3421fc5a6f606c91cab3b8aa4845fdc7599aaf40b16928ccd291253f13de494225b4f1d4211305de1 |
Analysis: behavioral13
Detonation Overview
Submitted
2024-06-01 07:37
Reported
2024-06-01 07:40
Platform
win7-20240508-en
Max time kernel
144s
Max time network
155s
Command Line
Signatures
Enumerates VirtualBox registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VBoxGuest | C:\Users\Admin\AppData\Local\Temp\ByteFence.exe | N/A |
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\FADT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\ByteFence.exe | N/A |
Looks for VMWare Tools registry key
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\VMware, Inc.\VMware Tools | C:\Users\Admin\AppData\Local\Temp\ByteFence.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\ByteFence.exe | N/A |
Reads user/profile data of web browsers
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\ByteFence.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\f: | C:\Users\Admin\AppData\Local\Temp\ByteFence.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\CatRoot2\dberr.txt | C:\Users\Admin\AppData\Local\Temp\ByteFence.exe | N/A |
Checks system information in the registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName | C:\Users\Admin\AppData\Local\Temp\ByteFence.exe | N/A |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\ByteFence File Scan\Position = "Middle" | C:\Users\Admin\AppData\Local\Temp\ByteFence.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\ByteFence Folder Scan\Icon = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\ByteFence.exe\",0" | C:\Users\Admin\AppData\Local\Temp\ByteFence.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\ByteFence Folder Scan\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\ByteFenceScan.exe\" /scan:\"%1\"" | C:\Users\Admin\AppData\Local\Temp\ByteFence.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\ByteFence File Scan\Icon = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\ByteFence.exe\",0" | C:\Users\Admin\AppData\Local\Temp\ByteFence.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\ByteFence File Scan\ = "Scan with ByteFence Anti-Malware..." | C:\Users\Admin\AppData\Local\Temp\ByteFence.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\ByteFence File Scan\command | C:\Users\Admin\AppData\Local\Temp\ByteFence.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\ByteFence File Scan\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\ByteFenceScan.exe\" /scan:\"%1\"" | C:\Users\Admin\AppData\Local\Temp\ByteFence.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\ByteFence Folder Scan | C:\Users\Admin\AppData\Local\Temp\ByteFence.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\ByteFence Folder Scan\ = "Scan with ByteFence Anti-Malware..." | C:\Users\Admin\AppData\Local\Temp\ByteFence.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\ByteFence Folder Scan\Position = "Middle" | C:\Users\Admin\AppData\Local\Temp\ByteFence.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\ByteFence Folder Scan\command | C:\Users\Admin\AppData\Local\Temp\ByteFence.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\ByteFence File Scan | C:\Users\Admin\AppData\Local\Temp\ByteFence.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = … | C:\Users\Admin\AppData\Local\Temp\ByteFence.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = … | C:\Users\Admin\AppData\Local\Temp\ByteFence.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 | C:\Users\Admin\AppData\Local\Temp\ByteFence.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = … | C:\Users\Admin\AppData\Local\Temp\ByteFence.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5 | C:\Users\Admin\AppData\Local\Temp\ByteFence.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = … | C:\Users\Admin\AppData\Local\Temp\ByteFence.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = … | C:\Users\Admin\AppData\Local\Temp\ByteFence.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 | C:\Users\Admin\AppData\Local\Temp\ByteFence.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = … | C:\Users\Admin\AppData\Local\Temp\ByteFence.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 | C:\Users\Admin\AppData\Local\Temp\ByteFence.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ByteFence.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ByteFence.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ByteFence.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ByteFence.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ByteFence.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ByteFence.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy WMI provider
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\ByteFence.exe
"C:\Users\Admin\AppData\Local\Temp\ByteFence.exe"
\??\c:\users\admin\appdata\local\temp\ByteFenceService.exe
"c:\users\admin\appdata\local\temp\ByteFenceService.exe" /i
\??\c:\users\admin\appdata\local\temp\ByteFenceService.exe
"c:\users\admin\appdata\local\temp\ByteFenceService.exe"
C:\Windows\system32\netsh.exe
"C:\Windows\system32\netsh.exe" winsock show catalog
C:\Windows\SysWOW64\netsh.exe
"C:\Windows\SysWOW64\netsh.exe" winsock show catalog
C:\Windows\System32\bitsadmin.exe
"C:\Windows\System32\bitsadmin.exe" /rawreturn /nowrap /list /allusers /verbose
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | api.reason.technology | udp |
| US | 8.8.8.8:53 | api.reason.technology | udp |
| US | 8.8.8.8:53 | proxel.bytefence.com | udp |
| US | 8.8.8.8:53 | api.reasonsecurity.com | udp |
| US | 172.67.9.68:443 | api.reasonsecurity.com | tcp |
| US | 8.8.8.8:53 | cdn.bytefence.com | udp |
| US | 172.67.9.68:443 | api.reasonsecurity.com | tcp |
| US | 8.8.8.8:53 | logs.bytefence.com | udp |
| US | 172.67.9.68:443 | api.reasonsecurity.com | tcp |
| US | 172.67.9.68:443 | api.reasonsecurity.com | tcp |
| US | 172.67.9.68:443 | api.reasonsecurity.com | tcp |
| US | 8.8.8.8:53 | crl.microsoft.com | udp |
| BE | 2.17.107.9:80 | crl.microsoft.com | tcp |
| US | 8.8.8.8:53 | ocsp.thawte.com | udp |
| US | 152.199.19.74:80 | ocsp.thawte.com | tcp |
| US | 8.8.8.8:53 | crl.thawte.com | udp |
| SE | 192.229.221.95:80 | crl.thawte.com | tcp |
| US | 8.8.8.8:53 | csc3-2004-crl.verisign.com | udp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| BE | 2.21.17.194:80 | www.microsoft.com | tcp |
Files
memory/1956-0-0x000007FEF58CE000-0x000007FEF58CF000-memory.dmp
memory/1956-1-0x000007FEF5610000-0x000007FEF5FAD000-memory.dmp
memory/1956-2-0x000000001B540000-0x000000001BA66000-memory.dmp
memory/1956-3-0x000007FEF5610000-0x000007FEF5FAD000-memory.dmp
memory/1956-4-0x000007FEF5610000-0x000007FEF5FAD000-memory.dmp
memory/1956-5-0x000007FEF5610000-0x000007FEF5FAD000-memory.dmp
memory/1956-6-0x000000001B160000-0x000000001B19A000-memory.dmp
memory/1956-7-0x000007FEF5610000-0x000007FEF5FAD000-memory.dmp
memory/1956-10-0x000000001BA70000-0x000000001BAC2000-memory.dmp
memory/1956-11-0x000000001C7F0000-0x000000001C8C6000-memory.dmp
memory/1956-12-0x000007FEF5610000-0x000007FEF5FAD000-memory.dmp
memory/1956-13-0x0000000000AA0000-0x0000000000AA6000-memory.dmp
memory/1956-14-0x0000000020430000-0x00000000205A8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ByteFenceService.InstallLog
| MD5 | 52d87ff3819227abcf76102dc6cb005b |
| SHA1 | d97fa5e8d58e11e2c8475d8c947a65e289ed27a9 |
| SHA256 | eaeb8578f5838d4b335e0af96af0ad69c6b09acb1f633c5e4e3c0f6fb2653838 |
| SHA512 | 601f0ff34d1fc89beb10255c8796c497ea87dac1c39e355df961d6e1ca52085937042ecea83f5086962febcd89f745c086494a59571f65af1ec212c2e9f5ae40 |
C:\Users\Admin\AppData\Local\Temp\ByteFenceService.InstallLog
| MD5 | 69b661f1c5111bab508264cdc91e33ef |
| SHA1 | d2b443a7aa799e0bd48124e6583ed92b591ffc3d |
| SHA256 | 2d60399359ec8f2906cac7f836a0f10162c961b89eae1e849073acbbb6d3d84d |
| SHA512 | cf132dc26464264d2c6ec093efc7aa0b64afdbb9ad0e2f1ce0faf8f54447f0588627677de33a67e30a12110aea3d1103be7e4d00fc8dc30cf85b314a73b63c07 |
\??\c:\users\admin\appdata\local\temp\rsEngine.config
| MD5 | 56471e1d552cf365892a221059747376 |
| SHA1 | 89cb5955b2ea777edd6366c5139029946310bafd |
| SHA256 | d71574e62332c8ba76faf56f14de7357b6b2eba1d6c2e41dd140170a7b729d50 |
| SHA512 | a5be82b7a7940a60e5febf5458237fcfa4b1a06188604529089b711b802c0fee7bad700a368830737e78d0c32431cc8baa13cb65f1c320cf14943be7d8e46972 |
C:\Users\Admin\AppData\Local\Temp\Signatures.dat
| MD5 | fb84325fd7362b5634c4de62b3a2c001 |
| SHA1 | ebb54ec78a071ce47a1c86f47903d56d77b34cf7 |
| SHA256 | 23bdccb16e5900857c621b67c779b2a49179aca564eeaf1e74fd10c4eb1651ef |
| SHA512 | d59933302521c9b3eead330a38577faf1df0378aa926690c6001186d495abe4fc470bf578bc9deabd82e26d7b1f8ed446957494122bd65047456c657dc9bade2 |
memory/1956-60-0x000007FEF5610000-0x000007FEF5FAD000-memory.dmp
memory/1956-59-0x000007FEF58CE000-0x000007FEF58CF000-memory.dmp
C:\Windows\System32\catroot2\dberr.txt
| MD5 | 184d76db9ec82923fcf8fd1c0ad7ea30 |
| SHA1 | 70fadc92eab22c565eee49ca6f7ca0b178468e64 |
| SHA256 | 26ae27bcfe1604e5cf4810b1d74199994192387dde8a2cc259650c9457f51b61 |
| SHA512 | 722ed98ee072374f8dff798969cc221fd4b049357bbedfdb3b0ef1ccfdaf469232ef604a56d559bd98a4c5951fb7c632dbbbc083a86ea2fe9c0d375bc1efda4e |
memory/1956-147-0x000007FEF5610000-0x000007FEF5FAD000-memory.dmp
memory/1956-148-0x000007FEF5610000-0x000007FEF5FAD000-memory.dmp
C:\Windows\System32\catroot2\dberr.txt
| MD5 | afdcebb1365df2e3346b8b294ebd2b17 |
| SHA1 | b08e8a482c91f62ca8e0928954a8a4f8c9f2d07d |
| SHA256 | a353b5e26aafff0f95d144a8299a7fdb0161e0b2ad6cae989da1ca5c59df3807 |
| SHA512 | 273a20ec9abd6b9f79871705f7a955eb90be60155a78f561eeff3cac6aad8ab9ee144b55727a07024a0053cd8290af453a07e677d74dd1e3d898853701be2597 |
memory/1956-381-0x000007FEF5610000-0x000007FEF5FAD000-memory.dmp
memory/1956-516-0x000007FEF5610000-0x000007FEF5FAD000-memory.dmp
memory/1956-657-0x000007FEF5610000-0x000007FEF5FAD000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Cab7ACD.tmp
| MD5 | 29f65ba8e88c063813cc50a4ea544e93 |
| SHA1 | 05a7040d5c127e68c25d81cc51271ffb8bef3568 |
| SHA256 | 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184 |
| SHA512 | e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Temp\Tar8012.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 7b5f1b8b8e3ae01a9782e940784085a5 |
| SHA1 | 513dfc5664c3c0e4d8474d130e2f35a6d1d25c85 |
| SHA256 | fd0059d237d8959671382a4eed4cfd4438a0479d052330bd4eed1cb3ea4cfe29 |
| SHA512 | 789d2d11efc8a31dd7d1695f6567fa8955a8ff253ace88d658f2429bbcad2336a4f8675245d8fcdc7480b4c6e651ab9b3e80ce65a85120058d77e9f77e9ef73c |
memory/1956-1019-0x000007FEF6480000-0x000007FEF6512000-memory.dmp
memory/1956-1020-0x000000001CE30000-0x000000001CEB9000-memory.dmp
memory/1956-1023-0x000000001B420000-0x000000001B42F000-memory.dmp
memory/1956-1022-0x000000001BD40000-0x000000001BD5E000-memory.dmp
memory/1956-1021-0x000000001CE30000-0x000000001CE8E000-memory.dmp
memory/1956-1024-0x000000001BD40000-0x000000001BD54000-memory.dmp
memory/1956-1026-0x000000001BDE0000-0x000000001BE1A000-memory.dmp
memory/1956-1025-0x000000001B420000-0x000000001B42F000-memory.dmp
memory/1956-1031-0x000000001B420000-0x000000001B428000-memory.dmp
memory/1956-1030-0x000000001BD40000-0x000000001BD5A000-memory.dmp
memory/1956-1029-0x000000001BDE0000-0x000000001BE03000-memory.dmp
memory/1956-1028-0x000000001B420000-0x000000001B429000-memory.dmp
memory/1956-1027-0x000000001F570000-0x000000001F639000-memory.dmp
memory/1956-1032-0x000000001BD40000-0x000000001BD52000-memory.dmp
memory/1956-1034-0x000000001B420000-0x000000001B42C000-memory.dmp
memory/1956-1035-0x000000001BD40000-0x000000001BD55000-memory.dmp
memory/1956-1033-0x000000001BF20000-0x000000001BF65000-memory.dmp
memory/1956-1036-0x000000001BDE0000-0x000000001BE06000-memory.dmp
memory/1956-1046-0x000000001BD40000-0x000000001BD54000-memory.dmp
memory/1956-1045-0x000000001B420000-0x000000001B42E000-memory.dmp
memory/1956-1044-0x000000001B420000-0x000000001B42F000-memory.dmp
memory/1956-1043-0x000000001BD40000-0x000000001BD5E000-memory.dmp
memory/1956-1042-0x000000001CE30000-0x000000001CE8E000-memory.dmp
memory/1956-1041-0x000000001B420000-0x000000001B429000-memory.dmp
memory/1956-1040-0x000000001B420000-0x000000001B429000-memory.dmp
memory/1956-1048-0x000000001BDE0000-0x000000001BE1A000-memory.dmp
memory/1956-1047-0x000000001B420000-0x000000001B42F000-memory.dmp
memory/1956-1039-0x000000001B420000-0x000000001B429000-memory.dmp
memory/1956-1038-0x000000001B420000-0x000000001B430000-memory.dmp
memory/1956-1037-0x000000001CE30000-0x000000001CEB9000-memory.dmp
memory/1956-1054-0x000000001BDE0000-0x000000001BE04000-memory.dmp
memory/1956-1053-0x000000001BD40000-0x000000001BD55000-memory.dmp
memory/1956-1052-0x000000001BDE0000-0x000000001BE03000-memory.dmp
memory/1956-1051-0x000000001B420000-0x000000001B429000-memory.dmp
memory/1956-1050-0x000000001BD40000-0x000000001BD5A000-memory.dmp
memory/1956-1049-0x000000001F570000-0x000000001F639000-memory.dmp
memory/1956-1057-0x000000001CE30000-0x000000001CE8C000-memory.dmp
memory/1956-1056-0x000000001BD40000-0x000000001BD52000-memory.dmp
memory/1956-1055-0x000000001B420000-0x000000001B428000-memory.dmp
memory/1956-1059-0x000000001B420000-0x000000001B42B000-memory.dmp
memory/1956-1058-0x000000001B420000-0x000000001B42D000-memory.dmp
memory/1956-1065-0x000000001B420000-0x000000001B42C000-memory.dmp
memory/1956-1064-0x000000001BF20000-0x000000001BF65000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\2F23D0F5E4D72862517E1CB26A329742_59C6B5742244136A08A70F9396A5A57A
| MD5 | 5bfa51f3a417b98e7443eca90fc94703 |
| SHA1 | 8c015d80b8a23f780bdd215dc842b0f5551f63bd |
| SHA256 | bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128 |
| SHA512 | 4cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399 |
memory/1956-1109-0x000000001BD40000-0x000000001BD55000-memory.dmp
memory/1956-1148-0x000000001BD10000-0x000000001BD4E000-memory.dmp
memory/1956-1147-0x000000001BD10000-0x000000001BD4E000-memory.dmp
memory/1956-1146-0x000000001BDE0000-0x000000001BE06000-memory.dmp
memory/1956-1156-0x000000001AC90000-0x000000001AC9A000-memory.dmp
memory/1956-1155-0x000000001AC90000-0x000000001AC9A000-memory.dmp
memory/1956-1154-0x000000001CE30000-0x000000001CE87000-memory.dmp
memory/1956-1152-0x000000001B420000-0x000000001B429000-memory.dmp
memory/1956-1151-0x000000001B420000-0x000000001B430000-memory.dmp
memory/1956-1161-0x000000001CE30000-0x000000001CEAB000-memory.dmp
memory/1956-1159-0x000000001B420000-0x000000001B42E000-memory.dmp
memory/1956-1164-0x000000001CE30000-0x000000001CE86000-memory.dmp
memory/1956-1163-0x000000001CE30000-0x000000001CE86000-memory.dmp
memory/1956-1162-0x000000001B420000-0x000000001B42F000-memory.dmp
memory/1956-1167-0x000000001BDE0000-0x000000001BE04000-memory.dmp
memory/1956-1168-0x000000001CE30000-0x000000001CE8C000-memory.dmp
memory/1956-1170-0x000000001BD10000-0x000000001BD3F000-memory.dmp
memory/1956-1171-0x000000001CE30000-0x000000001CEB9000-memory.dmp
memory/1956-1169-0x000000001BD10000-0x000000001BD3F000-memory.dmp
memory/1956-1176-0x000000001BAD0000-0x000000001BAE2000-memory.dmp
memory/1956-1175-0x000000001BAD0000-0x000000001BAE2000-memory.dmp
memory/1956-1177-0x000000001AC90000-0x000000001AC97000-memory.dmp
memory/1956-1185-0x000000001AC90000-0x000000001AC9A000-memory.dmp
memory/1956-1184-0x000000001BAD0000-0x000000001BAE7000-memory.dmp
memory/1956-1183-0x000000001BAD0000-0x000000001BAE7000-memory.dmp
memory/1956-1182-0x000000001CE30000-0x000000001CE87000-memory.dmp
memory/1956-1181-0x000000001BD10000-0x000000001BD4E000-memory.dmp
memory/1956-1180-0x000000001BD10000-0x000000001BD4E000-memory.dmp
memory/1956-1189-0x000000001CE30000-0x000000001CEAB000-memory.dmp
memory/1956-1188-0x000000001AC90000-0x000000001AC9A000-memory.dmp
memory/1956-1191-0x000000001BAD0000-0x000000001BAE5000-memory.dmp
memory/1956-1190-0x000000001BAD0000-0x000000001BAE5000-memory.dmp
memory/1956-1194-0x000000001BAD0000-0x000000001BAEE000-memory.dmp
\??\c:\users\admin\appdata\local\temp\bytefenceservice.installstate
| MD5 | 4f130e22d88664a9fc01d4e1350ef1b5 |
| SHA1 | 76504e0aeae03d51e2ce52a11d59f5ff18254d86 |
| SHA256 | b80d9b6e89383642c68bcb2285af4746101fa6470fccfccee210790fce79e9ab |
| SHA512 | 6777bc2866092dc417c37ebf3dfa64598c719e037316b69d816fb53e9c89a474a7b2f71cf937212574107a44c8efe035b838393fc9bef1d8c8ffec110dc9df30 |
\??\c:\users\admin\appdata\local\temp\installutil.installlog
| MD5 | 4bb9c11a69ca4bd01f4c1fcd74fc3133 |
| SHA1 | 7902de60e6f8d0f9d5da9116fe3882c3191b65c8 |
| SHA256 | dd5d3c883641e6e6f1a522b723772040e0160e968988463845dc6383ca8d38c7 |
| SHA512 | fe86117c0af64f490f9334158ed7734b5b766d6481686fa32ed8c749aaaf059a486437e3284b18d1ce0b4b6968e7c347f8e8e2bb0e9b9bd7589db2fdf1b8617a |
C:\Users\Admin\AppData\Local\Temp\Cache\SR9f5a4796b58d8b104a1c0f5a63daf0032b947966
| MD5 | cbd13481cccb7d9b8154890c570f2b1b |
| SHA1 | 38a44766951b4cb2311db41295b3cd03eac5ad14 |
| SHA256 | cf3d9ee3321ddd0d09a911f4166fc8f7bc93790f077926d304cfb83cfc24f5f2 |
| SHA512 | 3f69778eb75c666e166eb5eb41d055ff3398293b74f41913c06480e52705bc0f6059baf37d542c62077e0ac9eb68570114fb44a22abe86e369510e68bb2c2673 |
C:\Users\Admin\AppData\Local\Temp\Cache\SR9e7aeae1e6c2ec2003d35b7f1338027b7e39a5b7
| MD5 | ad65676257079c7719fc5a87c9e871aa |
| SHA1 | b4b862ea7c717cfd01a45d736765abefcf07eafd |
| SHA256 | ea2ebb9dd2e906d84b4c3439d3d99c23a7bce1372c6e343a9b443a8e95d8a1b3 |
| SHA512 | dfeb9004a99ffd65dae2c1c808404b93ad69c87983ceb9ed2aae53e84dfdd85102b2e38e26e00967ed6ad410cd85110475c3141c8c6890c1f68ff1734957fd80 |
C:\Users\Admin\AppData\Local\Temp\Cache\SRba9eea5fd300dc931c974fa9ef871c290ab0962f
| MD5 | 1e03d20d5689c4c3c59529cae652a2d6 |
| SHA1 | 309e7a36eab4c8dcb81daa2eece86f4c92126d4f |
| SHA256 | f2063fc8cbc12c2ef7538ded36cdd31eae76c8b0c4f9f9ab2b1c0b87144ddf8b |
| SHA512 | 39178f432cdcb3ef7d38ab4706cd97e9eef37c53c28fd79e486d8f468e185d9f6fa49088f239b347b5402b1d1aa8335660f527cbc77bb1c086555d529d0b962a |
C:\Users\Admin\AppData\Local\Temp\Cache\SR7636c6cfcda9a3c3ee8d5299ae532cf713299313
| MD5 | bd50651ab8bf62dfd1f3c90eef5839cc |
| SHA1 | 0bae210a2bf218caa16b17efc6268da66f219eae |
| SHA256 | 80329e0fd18297082a3380089d6cbcf04b4da7d8a6b39a8d1b16f1c471898795 |
| SHA512 | fb0fe2c34b2aeee7a466be63677a9d5a9264b9fd1ef02641745228431483071cd0cbbb91ea745e789ff0fca037d7790f85454136539c007fd3b7f8dcc5c91df7 |
\??\c:\users\admin\appdata\local\temp\Logs\err.dat
| MD5 | ba758cfbf254ac7a427a745ac5fe2563 |
| SHA1 | 559653d153ea7c7edb60f17eeb851722dc2dbdf9 |
| SHA256 | 80c29fd80672f504f66ebef40ac5a21f0f191e05c8c1c35775465069e989efbb |
| SHA512 | ff07b71ad89b593e785bbfad1fd73f0a3841b46a7e4ec00a8b798be081d4ff8150d41afd7413ca8dcec3f7894e99ff0827890acca9cd7a972f2ba09749f71b0d |
\??\c:\users\admin\appdata\local\temp\Errors.dat
| MD5 | 8fd2fd44c0369334ee06218b2c4c0c26 |
| SHA1 | 4471dfee9667d8083bcd747a0fa8ab719199379b |
| SHA256 | 34605fd5d265c44a0ea9a2b913026937a2cd9cca371e804f397525a9231eb114 |
| SHA512 | 73d60c89ef8830dfd82818d5ea74dc8e8b455ff981a0356f1638027dd1ef7bff7eab3c9fc7978a6798f9c4e811d2ac5da5dd52c067ff734359161ebbaa10cefe |
C:\Users\Admin\AppData\Local\Temp\Cache\SR835e982347db919a681ba12f3891f62152e50f0d
| MD5 | df1004d3af3b5815c9651654aed90ec6 |
| SHA1 | 03494c9b874c9a772e4bf8dcc5e2f839ff7e7e16 |
| SHA256 | b9fa02b5e1cd1386fb118e11f56c4d05dfa7655df7381683133d9c112698de31 |
| SHA512 | 8f49d9f9d29591fa1afcc65e791953238d0d838e44dbbf59866215f61e311a70f86be47c9455930de28293c83d2c49d2311caff7d0ff853d5dac1a18ba57c292 |
C:\Users\Admin\AppData\Local\Temp\Cache\SR7eb0139d2175739b3ccb0d1110067820be6abd29
| MD5 | 1f324c52814df3ad112617757195ad9b |
| SHA1 | cc01d5a92978f09bd255dded21fe76feb5a06250 |
| SHA256 | 0b814722a1c71e5eaa1e7d3ea2239f47840e3619073dfc1cd330aa429ea2ec25 |
| SHA512 | ee6c14e7601bcb0eddf17f59aade7a1ecd14ffcf87878fda652c336f8694f33781a28923bb0a99e13def0c5f01602579f2a31ed90854b4b35985568804f4dc08 |
C:\Users\Admin\AppData\Local\Temp\Cache\SR768ec16982ac19d4ada5b740bcae740a46c294e1
| MD5 | 5250f508594160b6d90fcf45f879cb0e |
| SHA1 | b8408395b7b7fbbd14ef10ceb3daf60965ee1c03 |
| SHA256 | 796802ad1e6b4e625ece632d6c3d5d100bc17291221ba9f6c170ab3cf4ce841e |
| SHA512 | 1edb0cb9f61b665f475611f384226d29d08943c95ad922fd6191d3bdba777f224084bbc0d0bfb48dd3b9c584b486791a477b2a4d0b723558f9f9e24c372b6594 |
C:\Users\Admin\AppData\Local\Temp\Cache\SR1b82498270f06a06e6ae63a3d3204a630f21f23a
| MD5 | e9fdf2f43a0acf6d2113b1bfff07cb4e |
| SHA1 | eabc036ce7588fee6712ae10cfbe10493b0386f3 |
| SHA256 | 1f5d06d51fbdf7698c4fad7e24270b0a2043f1724e26cf83f4cd7b44a0dcf418 |
| SHA512 | a58b0a77ad11e6b0e33f4f6cff6df12d839f5b8cf09b9c94f8cea797b8f4644d6dfc893b31d835fee79ce0f2a72b5ee2a668f73fc4bb47792060dad62631f298 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 73ab424c2cbbad194a535a83d1cf5c48 |
| SHA1 | 7eae8f717f81cac0ee890cf0b6d15e6ce36eff46 |
| SHA256 | 1cbc3ba88a5c4e5643dd6db11801f03f47338b9e0b9bb990ddf714d58eb2a1e5 |
| SHA512 | 4681747ed755973d25e6d7cef8dcb74ca6579efe94bd6d499ffc23e09a88d0cc00d8944f5dc188d2ef8d0381024c7cc06e2259af6143fe80f6a7b52639ca078b |
C:\Users\Admin\AppData\Local\Temp\Cache\SRb31133cdf6d2817a618dd8ddcc400a26ff3e3a57
| MD5 | abe10134f9f99b7670f8ef67220be7e3 |
| SHA1 | 36be12e252cb7d87a1392dc6bd9cea0dc344d0c1 |
| SHA256 | 3dbedac050d62a3099a289ba7978900f8eac8811bf820a05c5a8b9b67ad03664 |
| SHA512 | ab0f53be46a99b55cb0b3686f73c86d420d3f2c50527fe5ae7aa5cec82bb1bccb9a8b41e62eb9bb26aabca7e22bf9ad5dfa3c3d286ee1a01fed0cdb3f1c35645 |
Analysis: behavioral26
Detonation Overview
Submitted
2024-06-01 07:37
Reported
2024-06-01 07:40
Platform
win7-20231129-en
Max time kernel
117s
Max time network
119s
Command Line
Signatures
Registers COM server for autorun
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{91904831-49CA-4766-B95C-25397E2DD6DC}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{91904831-49CA-4766-B95C-25397E2DD6DC}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\amd64\\msdia140.dll" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{91904831-49CA-4766-B95C-25397E2DD6DC}\InprocServer32\ThreadingModel = "Both" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E6756135-1E65-4D17-8576-610761398C3C}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E6756135-1E65-4D17-8576-610761398C3C}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\amd64\\msdia140.dll" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E6756135-1E65-4D17-8576-610761398C3C}\InprocServer32\ThreadingModel = "Both" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CE4A85DB-5768-475B-A4E1-C0BCA2112A6B}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CE4A85DB-5768-475B-A4E1-C0BCA2112A6B}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\amd64\\msdia140.dll" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CE4A85DB-5768-475B-A4E1-C0BCA2112A6B}\InprocServer32\ThreadingModel = "Both" | C:\Windows\system32\regsvr32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{91904831-49CA-4766-B95C-25397E2DD6DC}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{91904831-49CA-4766-B95C-25397E2DD6DC}\InprocServer32\ThreadingModel = "Both" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CE4A85DB-5768-475B-A4E1-C0BCA2112A6B}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{106173A0-0173-4E5C-84E7-E915422BE997}\2.0\FLAGS\ = "0" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CE4A85DB-5768-475B-A4E1-C0BCA2112A6B}\InprocServer32\ThreadingModel = "Both" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\CLSID | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E6756135-1E65-4D17-8576-610761398C3C}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\amd64\\msdia140.dll" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CE4A85DB-5768-475B-A4E1-C0BCA2112A6B} | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CE4A85DB-5768-475B-A4E1-C0BCA2112A6B}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\amd64\\msdia140.dll" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{106173A0-0173-4E5C-84E7-E915422BE997} | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{106173A0-0173-4E5C-84E7-E915422BE997}\2.0\ = "dia 2.0 Type Library" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{106173A0-0173-4E5C-84E7-E915422BE997}\2.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\amd64" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E6756135-1E65-4D17-8576-610761398C3C} | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E6756135-1E65-4D17-8576-610761398C3C}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CE4A85DB-5768-475B-A4E1-C0BCA2112A6B}\ = "Generic StackWalker" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{106173A0-0173-4E5C-84E7-E915422BE997}\2.0 | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{91904831-49CA-4766-B95C-25397E2DD6DC} | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{106173A0-0173-4E5C-84E7-E915422BE997}\2.0\FLAGS | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{106173A0-0173-4E5C-84E7-E915422BE997}\2.0\0 | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E6756135-1E65-4D17-8576-610761398C3C}\ = "Debug Information Accessor" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E6756135-1E65-4D17-8576-610761398C3C}\InprocServer32\ThreadingModel = "Both" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{91904831-49CA-4766-B95C-25397E2DD6DC}\ = "Debug Information Accessor w/o Global Memory Usage" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{91904831-49CA-4766-B95C-25397E2DD6DC}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\amd64\\msdia140.dll" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{106173A0-0173-4E5C-84E7-E915422BE997}\2.0\0\win64 | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{106173A0-0173-4E5C-84E7-E915422BE997}\2.0\0\win64\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\amd64\\msdia140.dll" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{106173A0-0173-4E5C-84E7-E915422BE997}\2.0\HELPDIR | C:\Windows\system32\regsvr32.exe | N/A |
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\amd64\msdia140.dll
Network
Files
Analysis: behavioral30
Detonation Overview
Submitted
2024-06-01 07:37
Reported
2024-06-01 07:40
Platform
win7-20240508-en
Max time kernel
118s
Max time network
122s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\rsEngine.dll,#1
Network
Files
Analysis: behavioral5
Detonation Overview
Submitted
2024-06-01 07:37
Reported
2024-06-01 07:40
Platform
win7-20240221-en
Max time kernel
119s
Max time network
122s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 280 -s 220
Network
Files
Analysis: behavioral9
Detonation Overview
Submitted
2024-06-01 07:37
Reported
2024-06-01 07:40
Platform
win7-20231129-en
Max time kernel
119s
Max time network
121s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsExec.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsExec.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1108 -s 220
Network
Files
Analysis: behavioral25
Detonation Overview
Submitted
2024-06-01 07:37
Reported
2024-06-01 07:40
Platform
win10v2004-20240508-en
Max time kernel
131s
Max time network
138s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\amd64\KernelTraceControl.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 99.58.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 52.111.227.11:443 | N/A | tcp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
Files
Analysis: behavioral27
Detonation Overview
Submitted
2024-06-01 07:37
Reported
2024-06-01 07:40
Platform
win10v2004-20240508-en
Max time kernel
129s
Max time network
127s
Command Line
Signatures
Registers COM server for autorun
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{91904831-49CA-4766-B95C-25397E2DD6DC}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{91904831-49CA-4766-B95C-25397E2DD6DC}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\amd64\\msdia140.dll" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CE4A85DB-5768-475B-A4E1-C0BCA2112A6B}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\amd64\\msdia140.dll" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E6756135-1E65-4D17-8576-610761398C3C}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\amd64\\msdia140.dll" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E6756135-1E65-4D17-8576-610761398C3C}\InprocServer32\ThreadingModel = "Both" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CE4A85DB-5768-475B-A4E1-C0BCA2112A6B}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CE4A85DB-5768-475B-A4E1-C0BCA2112A6B}\InprocServer32\ThreadingModel = "Both" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E6756135-1E65-4D17-8576-610761398C3C}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{91904831-49CA-4766-B95C-25397E2DD6DC}\InprocServer32\ThreadingModel = "Both" | C:\Windows\system32\regsvr32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{106173A0-0173-4E5C-84E7-E915422BE997} | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{106173A0-0173-4E5C-84E7-E915422BE997}\2.0 | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{106173A0-0173-4E5C-84E7-E915422BE997}\2.0\FLAGS\ = "0" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{106173A0-0173-4E5C-84E7-E915422BE997}\2.0\0\win64\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\amd64\\msdia140.dll" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E6756135-1E65-4D17-8576-610761398C3C} | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E6756135-1E65-4D17-8576-610761398C3C}\ = "Debug Information Accessor" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E6756135-1E65-4D17-8576-610761398C3C}\InprocServer32\ThreadingModel = "Both" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{106173A0-0173-4E5C-84E7-E915422BE997}\2.0\FLAGS | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{91904831-49CA-4766-B95C-25397E2DD6DC} | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CE4A85DB-5768-475B-A4E1-C0BCA2112A6B}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\amd64\\msdia140.dll" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{91904831-49CA-4766-B95C-25397E2DD6DC}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\amd64\\msdia140.dll" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{91904831-49CA-4766-B95C-25397E2DD6DC}\ = "Debug Information Accessor w/o Global Memory Usage" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{91904831-49CA-4766-B95C-25397E2DD6DC}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{106173A0-0173-4E5C-84E7-E915422BE997}\2.0\0\win64 | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CE4A85DB-5768-475B-A4E1-C0BCA2112A6B}\ = "Generic StackWalker" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{106173A0-0173-4E5C-84E7-E915422BE997}\2.0\ = "dia 2.0 Type Library" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\CLSID | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E6756135-1E65-4D17-8576-610761398C3C}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\amd64\\msdia140.dll" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CE4A85DB-5768-475B-A4E1-C0BCA2112A6B}\InprocServer32\ThreadingModel = "Both" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{106173A0-0173-4E5C-84E7-E915422BE997}\2.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\amd64" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CE4A85DB-5768-475B-A4E1-C0BCA2112A6B} | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CE4A85DB-5768-475B-A4E1-C0BCA2112A6B}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{106173A0-0173-4E5C-84E7-E915422BE997}\2.0\0 | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{106173A0-0173-4E5C-84E7-E915422BE997}\2.0\HELPDIR | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E6756135-1E65-4D17-8576-610761398C3C}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{91904831-49CA-4766-B95C-25397E2DD6DC}\InprocServer32\ThreadingModel = "Both" | C:\Windows\system32\regsvr32.exe | N/A |
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\amd64\msdia140.dll
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.58.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| NL | 23.62.61.155:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 155.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
Files
Analysis: behavioral32
Detonation Overview
Submitted
2024-06-01 07:37
Reported
2024-06-01 07:40
Platform
win7-20240221-en
Max time kernel
122s
Max time network
125s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\rsEngineHelper.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\rsEngineHelper.exe
"C:\Users\Admin\AppData\Local\Temp\rsEngineHelper.exe"
Network
Files
memory/1876-0-0x000007FEF5ADE000-0x000007FEF5ADF000-memory.dmp
memory/1876-2-0x000007FEF5820000-0x000007FEF61BD000-memory.dmp
memory/1876-1-0x000007FEF5820000-0x000007FEF61BD000-memory.dmp
memory/1876-3-0x000007FEF5820000-0x000007FEF61BD000-memory.dmp
memory/1876-4-0x000000001B070000-0x000000001B596000-memory.dmp
memory/1876-5-0x000007FEF5820000-0x000007FEF61BD000-memory.dmp
memory/1876-6-0x000007FEF5820000-0x000007FEF61BD000-memory.dmp
memory/1876-7-0x000007FEF5820000-0x000007FEF61BD000-memory.dmp
Analysis: behavioral6
Detonation Overview
Submitted
2024-06-01 07:37
Reported
2024-06-01 07:40
Platform
win10v2004-20240508-en
Max time kernel
148s
Max time network
157s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 912 wrote to memory of 2744 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 912 wrote to memory of 2744 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 912 wrote to memory of 2744 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2744 -ip 2744
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2744 -s 612
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.16.208.104.in-addr.arpa | udp |
Files
Analysis: behavioral12
Detonation Overview
Submitted
2024-06-01 07:37
Reported
2024-06-01 07:40
Platform
win10v2004-20240508-en
Max time kernel
133s
Max time network
129s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3764 wrote to memory of 1228 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3764 wrote to memory of 1228 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3764 wrote to memory of 1228 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsisdl.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsisdl.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1228 -ip 1228
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1228 -s 628
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| NL | 23.62.61.155:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 155.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
Files
Analysis: behavioral16
Detonation Overview
Submitted
2024-06-01 07:37
Reported
2024-06-01 07:40
Platform
win10v2004-20240426-en
Max time kernel
92s
Max time network
96s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ByteFenceGUI.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral17
Detonation Overview
Submitted
2024-06-01 07:37
Reported
2024-06-01 07:40
Platform
win7-20240221-en
Max time kernel
118s
Max time network
122s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\ByteFenceScan.exe
"C:\Users\Admin\AppData\Local\Temp\ByteFenceScan.exe"
Network
Files
Analysis: behavioral21
Detonation Overview
Submitted
2024-06-01 07:37
Reported
2024-06-01 07:40
Platform
win7-20240508-en
Max time kernel
118s
Max time network
126s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Microsoft.Diagnostics.Tracing.TraceEvent.dll,#1
Network
Files
Analysis: behavioral31
Detonation Overview
Submitted
2024-06-01 07:37
Reported
2024-06-01 07:40
Platform
win10v2004-20240426-en
Max time kernel
92s
Max time network
96s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\rsEngine.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-01 07:37
Reported
2024-06-01 07:40
Platform
win7-20240221-en
Max time kernel
67s
Max time network
133s
Command Line
Signatures
Enumerates VirtualBox registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VBoxGuest | C:\Program Files\ByteFence\ByteFence.exe | N/A |
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\FADT\VBOX__ | C:\Program Files\ByteFence\ByteFence.exe | N/A |
Looks for VMWare Tools registry key
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\VMware, Inc.\VMware Tools | C:\Program Files\ByteFence\ByteFence.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Program Files\ByteFence\ByteFence.exe | N/A |
Reads user/profile data of web browsers
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files\ByteFence\ByteFence.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\f: | C:\Program Files\ByteFence\ByteFence.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\CatRoot2\dberr.txt | C:\Program Files\ByteFence\ByteFence.exe | N/A |
Checks installed software on the system
Checks system information in the registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName | C:\Program Files\ByteFence\ByteFence.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\ByteFence\Cache\SRf291ea8416c1b38d4bcb3b6f0ae40fa19c1e2045 | C:\Program Files\ByteFence\ByteFence.exe | N/A |
| File created | C:\Program Files\ByteFence\Cache\SR71650b21e3642d35aff665d29313c0e576214947 | C:\Program Files\ByteFence\ByteFence.exe | N/A |
| File created | C:\Program Files\ByteFence\Cache\SR63e99b0fb7207e5b6ae794d007793dcd5aa41170 | C:\Program Files\ByteFence\ByteFence.exe | N/A |
| File created | C:\Program Files\ByteFence\Cache\SRea1f3b03f46db029a955190692cecbc571e1d46c | C:\Program Files\ByteFence\ByteFence.exe | N/A |
| File created | C:\Program Files\ByteFence\Cache\SRc7cc44a34eb4151e55c5404bf0f97b5ee49df86a | C:\Program Files\ByteFence\ByteFence.exe | N/A |
| File created | C:\Program Files\ByteFence\Cache\SR88d664f6a9648ebe06b30aff799ad5e0f23f1722 | C:\Program Files\ByteFence\ByteFence.exe | N/A |
| File created | C:\Program Files\ByteFence\Cache\SR65d44461b6e6d5e441e961c192faa83c5c3a54c3 | C:\Program Files\ByteFence\ByteFence.exe | N/A |
| File created | C:\Program Files\ByteFence\Cache\SR9140538b467c370e96133c01f6aaa6cb6d569896 | C:\Program Files\ByteFence\ByteFence.exe | N/A |
| File created | C:\Program Files\ByteFence\Cache\SR2ac7387fef462c834cc067f0296366ffbb5c4daa | C:\Program Files\ByteFence\ByteFence.exe | N/A |
| File created | C:\Program Files\ByteFence\Cache\SR2dd2bebaa81a8c7331a22e338be267167b6d80c7 | C:\Program Files\ByteFence\ByteFence.exe | N/A |
| File created | C:\Program Files\ByteFence\Cache\SR78ba8d596c0ac4c38acb498416957891570a2a1d | C:\Program Files\ByteFence\ByteFence.exe | N/A |
| File created | C:\Program Files\ByteFence\Cache\SRc816b897a56e7d95a2aa0ca8ab38ed9d597d9a06 | C:\Program Files\ByteFence\ByteFence.exe | N/A |
| File created | C:\Program Files\ByteFence\Cache\SRa490c8f4c501652cb732b63620bebe261f457117 | C:\Program Files\ByteFence\ByteFence.exe | N/A |
| File created | C:\Program Files\ByteFence\Cache\SRd374a045611e81ade3509ed7d6d6155e08b5d104 | C:\Program Files\ByteFence\ByteFence.exe | N/A |
| File created | C:\Program Files\ByteFence\Cache\SRd9255474e8093a68b1348b830d0b26e0299612c7 | C:\Program Files\ByteFence\ByteFence.exe | N/A |
| File created | C:\Program Files\ByteFence\Cache\SR49273211486b7cf863519881ac7ef966995b626c | C:\Program Files\ByteFence\ByteFence.exe | N/A |
| File created | C:\Program Files\ByteFence\Cache\SRc5a8866590ea0cc3f1c1085bac7e137c089dc379 | C:\Program Files\ByteFence\ByteFence.exe | N/A |
| File created | C:\Program Files\ByteFence\Cache\SR6de6381112f1916f26ab263c1a34d88bba4ad28b | C:\Program Files\ByteFence\ByteFence.exe | N/A |
| File created | C:\Program Files\ByteFence\Cache\SR1c036b15d66b58d3cb87bf65db78538b8fce7a34 | C:\Program Files\ByteFence\ByteFence.exe | N/A |
| File created | C:\Program Files\ByteFence\Cache\SRf510de6c4b4a28a4bfafde036da0dab45a69e3a6 | C:\Program Files\ByteFence\ByteFence.exe | N/A |
| File created | C:\Program Files\ByteFence\Cache\SR0827ddf85ccd2455aea261cd2ff5a9cfacb31b3b | C:\Program Files\ByteFence\ByteFence.exe | N/A |
| File created | C:\Program Files\ByteFence\Cache\SR0dd460f0a2c1c724bc8ec5767dc1e56fc493e1c6 | C:\Program Files\ByteFence\ByteFence.exe | N/A |
| File created | C:\Program Files\ByteFence\Cache\SR63aa1a310bab654f4c6a5b4eeae5d06d8837e3f8 | C:\Program Files\ByteFence\ByteFence.exe | N/A |
| File created | C:\Program Files\ByteFence\Cache\SR958a7ba90043f8e3b94da849a2da8bb139fc39c9 | C:\Program Files\ByteFence\ByteFence.exe | N/A |
| File created | C:\Program Files\ByteFence\Cache\SR9208f94662cfe80a92d7b271838add91b8616618 | C:\Program Files\ByteFence\ByteFence.exe | N/A |
| File created | C:\Program Files\ByteFence\Cache\SRde9e4b3f4144bcf1a87c4c387f59efbf432c5a8b | C:\Program Files\ByteFence\ByteFence.exe | N/A |
| File created | C:\Program Files\ByteFence\Cache\SR606e9e47fff3a1a6cc74ca6182ef97235b4f7bbb | C:\Program Files\ByteFence\ByteFence.exe | N/A |
| File created | C:\Program Files\ByteFence\Cache\SR835e982347db919a681ba12f3891f62152e50f0d | C:\Program Files\ByteFence\ByteFence.exe | N/A |
| File created | C:\Program Files\ByteFence\Cache\SR01eb358c13a516018cc65ea0117284098e61f594 | C:\Program Files\ByteFence\ByteFence.exe | N/A |
| File created | C:\Program Files\ByteFence\Cache\SRf1fb058529e4d4137437c969120fa261f1680d21 | C:\Program Files\ByteFence\ByteFence.exe | N/A |
| File created | C:\Program Files\ByteFence\Cache\SR718d8e21d8d8e36bb8b3f391ccac776a1a48ea5e | C:\Program Files\ByteFence\ByteFence.exe | N/A |
| File created | C:\Program Files\ByteFence\Cache\SR6ddd1581f4b155404a8b554df8f013b15009d5de | C:\Program Files\ByteFence\ByteFence.exe | N/A |
| File created | C:\Program Files\ByteFence\Cache\SRe97ee1efaae7c9903f0845c4be1d49b4b8c7ac43 | C:\Program Files\ByteFence\ByteFence.exe | N/A |
| File created | C:\Program Files\ByteFence\Cache\SR84da342d9d6f96527e4e685451216e423aa64be9 | C:\Program Files\ByteFence\ByteFence.exe | N/A |
| File created | C:\Program Files\ByteFence\Cache\SR2ece29e4ae3fdb713c18152f5c7556a1aa8a7c83 | C:\Program Files\ByteFence\ByteFence.exe | N/A |
| File created | C:\Program Files\ByteFence\Cache\SR4e835fdadd0c67fde44e385f69a1014d6ad11f4f | C:\Program Files\ByteFence\ByteFence.exe | N/A |
| File created | C:\Program Files\ByteFence\Cache\SRd0a7b3233bc878ea03bd803068afa66363178d93 | C:\Program Files\ByteFence\ByteFence.exe | N/A |
| File created | C:\Program Files\ByteFence\Cache\SRf63165ad82e683b150d7a626da70cacbb7e7cd01 | C:\Program Files\ByteFence\ByteFence.exe | N/A |
| File created | C:\Program Files\ByteFence\Cache\SR30cff16f17833aa042d8b6cc32d86c4a39c77c67 | C:\Program Files\ByteFence\ByteFence.exe | N/A |
| File created | C:\Program Files\ByteFence\Cache\SR9dcdca64f3f8c2e6fef7a9951b5c2e3c7f10643a | C:\Program Files\ByteFence\ByteFence.exe | N/A |
| File created | C:\Program Files\ByteFence\Cache\SR31b410e029bba87d2068c65a80b88882f9f8ea25 | C:\Program Files\ByteFence\ByteFence.exe | N/A |
| File created | C:\Program Files\ByteFence\Cache\SR012b333916f2f83707db93476588b84c52d50335 | C:\Program Files\ByteFence\ByteFence.exe | N/A |
| File created | C:\Program Files\ByteFence\Cache\SRcadb428fa7669365dcf6b7c692d2d75f4d188c08 | C:\Program Files\ByteFence\ByteFence.exe | N/A |
| File created | C:\Program Files\ByteFence\Cache\SR2b12984b7680fbe7a9266c664548a4fb67a10841 | C:\Program Files\ByteFence\ByteFence.exe | N/A |
| File created | C:\Program Files\ByteFence\Cache\SRb6ba05757689aad0298e69617181671aa1c69f37 | C:\Program Files\ByteFence\ByteFence.exe | N/A |
| File created | C:\Program Files\ByteFence\Cache\SRc740ce1ae87c3c71076286b637474f830ba0dbc3 | C:\Program Files\ByteFence\ByteFence.exe | N/A |
| File created | C:\Program Files\ByteFence\Cache\SRa84cb4755b2a9e80edfcfe2cbe15e00a8f1fb8b2 | C:\Program Files\ByteFence\ByteFence.exe | N/A |
| File created | C:\Program Files\ByteFence\Cache\SR768ec16982ac19d4ada5b740bcae740a46c294e1 | C:\Program Files\ByteFence\ByteFence.exe | N/A |
| File created | C:\Program Files\ByteFence\Cache\SRed5ec55dbc6b3bda505f0a4c699c257c90c02020 | C:\Program Files\ByteFence\ByteFence.exe | N/A |
| File created | \??\c:\program files\bytefence\rsEngine.config | \??\c:\program files\bytefence\ByteFenceService.exe | N/A |
| File created | C:\Program Files\ByteFence\Cache\SR98521b4dfcb56c5f955772e9d20ecb672ad61b94 | C:\Program Files\ByteFence\ByteFence.exe | N/A |
| File created | C:\Program Files\ByteFence\Cache\SR80b603f7ca32a96cd5ec1495569829efb44d3c65 | C:\Program Files\ByteFence\ByteFence.exe | N/A |
| File created | C:\Program Files\ByteFence\Cache\SR545575d30ba620329109d9bfcad8c037d758556c | C:\Program Files\ByteFence\ByteFence.exe | N/A |
| File created | C:\Program Files\ByteFence\Cache\SRbd3c8cabc03116b88f22ee64ca8059caa5b492ec | C:\Program Files\ByteFence\ByteFence.exe | N/A |
| File created | C:\Program Files\ByteFence\Cache\SR169edb65e0e362410fcef0e86dd1f951a1eb3ea0 | C:\Program Files\ByteFence\ByteFence.exe | N/A |
| File created | C:\Program Files\ByteFence\Cache\SRbb5c57bea3dab595720ecd0b0f7f68fc8087c53e | C:\Program Files\ByteFence\ByteFence.exe | N/A |
| File created | C:\Program Files\ByteFence\Cache\SRb8f907e6c26216e1b8534d37361c5f63d23e640b | C:\Program Files\ByteFence\ByteFence.exe | N/A |
| File created | C:\Program Files\ByteFence\Cache\SR9ba9889f46feb82c698158d8a09223ef5357de86 | C:\Program Files\ByteFence\ByteFence.exe | N/A |
| File created | C:\Program Files\ByteFence\Cache\SR090353ab84e2af51ecdcd481bdf627a656a0a1c5 | C:\Program Files\ByteFence\ByteFence.exe | N/A |
| File created | C:\Program Files\ByteFence\Cache\SR7bcc04348145501294745d58a2f9f702a76e794f | C:\Program Files\ByteFence\ByteFence.exe | N/A |
| File created | C:\Program Files\ByteFence\Cache\SRf14d2014bf6c08d37560af3a67bce19d5b43a3ef | C:\Program Files\ByteFence\ByteFence.exe | N/A |
| File created | C:\Program Files\ByteFence\Cache\SRf8e32204f157ffb25415505b1c787f8be520a020 | C:\Program Files\ByteFence\ByteFence.exe | N/A |
| File created | C:\Program Files\ByteFence\Cache\SR55f1afb45e3e725eb17bc8d5a114070f9e1416a1 | C:\Program Files\ByteFence\ByteFence.exe | N/A |
| File created | C:\Program Files\ByteFence\Cache\SRa8b1e9e92eada2cba819df5d416453e003502e63 | C:\Program Files\ByteFence\ByteFence.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\ByteFence\bytefence-installer-5.4.1.3.exe | N/A |
| N/A | N/A | C:\Program Files\ByteFence\ByteFence.exe | N/A |
| N/A | N/A | \??\c:\program files\bytefence\ByteFenceService.exe | N/A |
| N/A | N/A | \??\c:\program files\bytefence\ByteFenceService.exe | N/A |
Loads dropped DLL
Enumerates physical storage devices
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\ByteFence File Scan\Position = "Middle" | C:\Program Files\ByteFence\ByteFence.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\ByteFence Folder Scan | C:\Program Files\ByteFence\ByteFence.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\ByteFence Folder Scan\command\ = "\"C:\\Program Files\\ByteFence\\ByteFenceScan.exe\" /scan:\"%1\"" | C:\Program Files\ByteFence\ByteFence.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\ByteFence File Scan | C:\Program Files\ByteFence\ByteFence.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\ByteFence File Scan\Icon = "\"C:\\Program Files\\ByteFence\\ByteFence.exe\",0" | C:\Program Files\ByteFence\ByteFence.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\ByteFence File Scan\command\ = "\"C:\\Program Files\\ByteFence\\ByteFenceScan.exe\" /scan:\"%1\"" | C:\Program Files\ByteFence\ByteFence.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\ByteFence Folder Scan\ = "Scan with ByteFence Anti-Malware..." | C:\Program Files\ByteFence\ByteFence.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\ByteFence Folder Scan\Icon = "\"C:\\Program Files\\ByteFence\\ByteFence.exe\",0" | C:\Program Files\ByteFence\ByteFence.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\ByteFence Folder Scan\Position = "Middle" | C:\Program Files\ByteFence\ByteFence.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\ByteFence Folder Scan\command | C:\Program Files\ByteFence\ByteFence.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\ByteFence File Scan\ = "Scan with ByteFence Anti-Malware..." | C:\Program Files\ByteFence\ByteFence.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\ByteFence File Scan\command | C:\Program Files\ByteFence\ByteFence.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 | C:\Program Files\ByteFence\ByteFence.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 0f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c909000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000002500000030233021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c01400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af3331330b000000010000001200000056006500720069005300690067006e0000001d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3610300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e52000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a | C:\Program Files\ByteFence\ByteFence.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 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 | C:\Program Files\ByteFence\ByteFence.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 | C:\Program Files\ByteFence\ByteFence.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 | C:\Program Files\ByteFence\ByteFence.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5 | C:\Program Files\ByteFence\ByteFence.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 190000000100000010000000d8b5fb368468620275d142ffd2aade370300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e51d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3610b000000010000001200000056006500720069005300690067006e0000001400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af33313353000000010000002500000030233021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b060105050703030f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c92000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a | C:\Program Files\ByteFence\ByteFence.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 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 | C:\Program Files\ByteFence\ByteFence.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 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 | C:\Program Files\ByteFence\ByteFence.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 | C:\Program Files\ByteFence\ByteFence.exe | N/A |
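The Blob values in the table above are Windows serialized certificate-store elements: a run of records, each a DWORD property id, a DWORD reserved field (1 in every record here), a DWORD length and the property bytes, with CERT_CERT_PROP_ID (0x20) carrying the DER certificate itself. The subject names embedded in the two blobs the page reproduces in full decode to DigiCert Assured ID Root CA (key 0563B863...) and VeriSign Class 3 Public Primary Certification Authority - G5 (key 4EB6D578...). Both are public roots that Windows writes into AuthRoot through its automatic root update whenever a chain it validates needs them, so the "Modifies system certificate store" signature on its own does not show a rogue root being planted; the check that matters is whether the SHA-1 of the embedded certificate matches the key name and a known root. The parser below is an added example written for this page, not part of the sandbox report or of ByteFence; its sample input is the first 0563B863... blob from the table, copied verbatim, and the common-name scan is a deliberate shortcut rather than a full X.509 parser. The third key (A8985D3A...), whose blob the page does not reproduce, can be checked the same way against the live registry.

```python
r"""Parse and verify an AuthRoot\Certificates\<thumbprint>\Blob registry value.

Added example for this report (not ByteFence or sandbox code). The blob is the
serialized certificate-store element Windows writes for each trusted root:
repeated records of DWORD property id, DWORD reserved (observed as 1),
DWORD length, then the property bytes. Property 0x20 is the DER certificate.
"""
from __future__ import annotations

import hashlib
import struct

# CERT_*_PROP_ID values from wincrypt.h that occur in the blobs on this page.
PROP_NAMES = {
    0x03: "CERT_SHA1_HASH_PROP_ID",
    0x09: "CERT_ENHKEY_USAGE_PROP_ID",
    0x0B: "CERT_FRIENDLY_NAME_PROP_ID",
    0x0F: "CERT_SIGNATURE_HASH_PROP_ID",
    0x14: "CERT_KEY_IDENTIFIER_PROP_ID",
    0x19: "CERT_SUBJECT_PUBLIC_KEY_MD5_HASH_PROP_ID",
    0x1D: "CERT_SUBJECT_NAME_MD5_HASH_PROP_ID",
    0x20: "CERT_CERT_PROP_ID",
    0x53: "CERT_ROOT_PROGRAM_CERT_POLICIES_PROP_ID",
}

# Sample input: the registry key name and the first 0563B863... Blob value from
# the table above, copied verbatim and split at record/DER boundaries.
AUTHROOT_KEY = "0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43"
_DN = ("3065310b300906035504061302555331153013060355040a130c446967694365727420496e63"
       "31193017060355040b13107777772e64696769636572742e636f6d"
       "312430220603550403131b4469676943657274204173737572656420494420526f6f74204341")
BLOB_HEX = (
    "190000000100000010000000749966cecc95c1874194ca7203f9b620"
    "0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43"
    "1d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c"
    "0b0000000100000012000000440069006700690043006500720074000000"
    "14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f"
    "090000000100000034000000303206082b0601050507030106082b0601050507030206082b06010505"
    "07030406082b0601050507030306082b06010505070308"
    "0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6"
    "2000000001000000bb030000"
    "308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d0101050500"
    + _DN + "301e170d3036313131303030303030305a170d3331313131303030303030305a" + _DN +
    "30820122300d06092a864886f70d01010105000382010f003082010a0282010100"
    "ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc"
    "9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2"
    "125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b76"
    "6dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed3917"
    "9d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0"
    "b7c5a83f9516d0ffa196eb085f18774f0203010001"
    "a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff"
    "301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f"
    "301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f"
    "300d06092a864886f70d01010505000382010100"
    "a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d"
    "834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0"
    "dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468"
    "eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3"
    "672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b7"
    "2b0708ce2ee650b2a7fa0a452fa2f0f2"
)

OID_CN = bytes.fromhex("0603550403")  # DER encoding of OID 2.5.4.3 (commonName)


def parse_blob(blob: bytes) -> dict[int, bytes]:
    """Return {property id: raw bytes}; rejects truncated or malformed records."""
    props: dict[int, bytes] = {}
    off = 0
    while off < len(blob):
        if off + 12 > len(blob):
            raise ValueError(f"truncated record header at offset {off}")
        prop_id, reserved, length = struct.unpack_from("<III", blob, off)
        off += 12
        if reserved != 1 or off + length > len(blob):
            raise ValueError(f"malformed record for property 0x{prop_id:x} at offset {off - 12}")
        props[prop_id] = blob[off:off + length]
        off += length
    return props


def common_names(der: bytes) -> list[str]:
    """Shortcut CN extraction: every commonName attribute in DN order (issuer CN
    first, then subject CN). Short-form PrintableString/UTF8String only, which is
    all a root-CA sanity check needs; this is not a full X.509 parser."""
    names = []
    pos = der.find(OID_CN)
    while pos != -1:
        tag_pos = pos + len(OID_CN)
        if tag_pos + 1 >= len(der):
            break
        tag, length = der[tag_pos], der[tag_pos + 1]
        if tag in (0x13, 0x0C) and length < 0x80:
            names.append(der[tag_pos + 2:tag_pos + 2 + length].decode("utf-8"))
        pos = der.find(OID_CN, tag_pos)
    return names


def verify_authroot_entry(key_name: str, blob_hex: str) -> dict:
    """Cross-check the registry key name, the stored SHA-1 property and the SHA-1
    of the embedded certificate, and return the facts a triage note needs."""
    props = parse_blob(bytes.fromhex(blob_hex))
    cert = props[0x20]
    computed = hashlib.sha1(cert).hexdigest()
    friendly = props.get(0x0B, b"").decode("utf-16-le").rstrip("\x00")
    return {
        "properties": [PROP_NAMES.get(p, f"0x{p:x}") for p in props],
        "thumbprint": computed,
        "key_matches_cert": computed == key_name.lower(),
        "sha1_prop_matches_cert": props.get(0x03, b"").hex() == computed,
        "friendly_name": friendly,
        "common_names": common_names(cert),
        "cert_bytes": len(cert),
    }


if __name__ == "__main__":
    for field, value in verify_authroot_entry(AUTHROOT_KEY, BLOB_HEX).items():
        print(f"{field}: {value}")
```

A mismatch between the key name and the computed thumbprint, or a subject CN that is not a root you expect to find in AuthRoot, is what would turn this signature into a finding; a match against a public root with Windows-style properties is the automatic-root-update pattern.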
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\ByteFence\ByteFence.exe | N/A |
| N/A | N/A | C:\Program Files\ByteFence\ByteFence.exe | N/A |
| N/A | N/A | C:\Program Files\ByteFence\ByteFence.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\ByteFence\ByteFence.exe | N/A |
| N/A | N/A | C:\Program Files\ByteFence\ByteFence.exe | N/A |
| N/A | N/A | C:\Program Files\ByteFence\ByteFence.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy WMI provider
Uses Volume Shadow Copy service COM API
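The Processes list that follows shows execution order but not what the command lines add up to. The added example below, written for this page and not part of the report or of the ByteFence product, reconstructs those events as constructed input and answers what a triage analyst asks of a "Kills process with taskkill" hit: what was killed, whether it was forced, and whether any target belongs to a security product other than the installer's own. The own-product set is built from binaries this report names elsewhere (the dropped ByteFence.exe and ByteFenceService.exe, and ByteFenceScan.exe from the registered context-menu command); the security-product names are an illustrative list, not from the page; reading `/i` as a service self-install is an inference from the InstallUtil.InstallLog and .installstate files in the Files section; `/S` is the standard NSIS silent-install switch.

```python
"""Triage of the process command lines recorded in this detonation.

Added example for this report, not sandbox or vendor code. It tokenizes each
command line, pulls out what taskkill was asked to terminate, classifies each
target, and flags the discovery and install commands in the same list.
"""
import re

# Constructed from the Processes section of the report: (image, command line).
EVENTS = [
    (r"C:\Users\Admin\AppData\Local\Temp\89c55b3ce90e0aa737ef7f77326ac316_JaffaCakes118.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\89c55b3ce90e0aa737ef7f77326ac316_JaffaCakes118.exe"'),
    (r"C:\Program Files\ByteFence\bytefence-installer-5.4.1.3.exe",
     r'"C:\Program Files\ByteFence\bytefence-installer-5.4.1.3.exe" /S'),
    (r"C:\Windows\SysWOW64\taskkill.exe", "taskkill /f /im ByteFence.exe"),
    (r"C:\Windows\SysWOW64\taskkill.exe", "taskkill /f /im ByteFenceService.exe"),
    (r"C:\Windows\SysWOW64\taskkill.exe", "taskkill /f /im ByteFenceScan.exe"),
    (r"C:\Windows\SysWOW64\taskkill.exe", "taskkill /f /im rsEngineHelper.exe"),
    (r"C:\Windows\SysWOW64\taskkill.exe", "taskkill /f /im rsLggr.exe"),
    (r"C:\Program Files\ByteFence\ByteFence.exe", r'"C:\Program Files\ByteFence\ByteFence.exe"'),
    (r"\??\c:\program files\bytefence\ByteFenceService.exe",
     r'"c:\program files\bytefence\ByteFenceService.exe" /i'),
    (r"\??\c:\program files\bytefence\ByteFenceService.exe",
     r'"c:\program files\bytefence\ByteFenceService.exe"'),
    (r"C:\Windows\system32\netsh.exe", r'"C:\Windows\system32\netsh.exe" winsock show catalog'),
    (r"C:\Windows\SysWOW64\netsh.exe", r'"C:\Windows\SysWOW64\netsh.exe" winsock show catalog'),
    (r"C:\Windows\System32\bitsadmin.exe",
     r'"C:\Windows\System32\bitsadmin.exe" /rawreturn /nowrap /list /allusers /verbose'),
]

# Own-product binaries named elsewhere in this report (dropped files plus the
# ByteFenceScan.exe the context-menu verbs point at). Constructed from the page.
OWN_PRODUCT = {"bytefence.exe", "bytefenceservice.exe", "bytefencescan.exe"}

# Illustrative process names of common endpoint-protection products (not from
# the page). A hit here turns a taskkill signature into a real finding.
SECURITY_PRODUCTS = {"msmpeng.exe", "mbamservice.exe", "avp.exe", "ekrn.exe", "bdagent.exe"}

TOKEN_RE = re.compile(r'"[^"]*"|\S+')


def tokens(cmdline):
    """Split a Windows command line on whitespace, honouring double quotes."""
    return [t.strip('"') for t in TOKEN_RE.findall(cmdline)]


def image_name(path):
    """Lower-cased basename of a Win32 or NT (\\??\\) path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def taskkill_target(argv):
    """Return (image name, forced?) for 'taskkill [/f] /im <name>', else None."""
    flags = [a.lower() for a in argv[1:]]
    if "/im" not in flags or flags.index("/im") + 1 >= len(flags):
        return None
    return argv[1:][flags.index("/im") + 1], "/f" in flags


def classify_kill(name):
    lowered = name.lower()
    if lowered in SECURITY_PRODUCTS:
        return "security-product"
    if lowered in OWN_PRODUCT:
        return "own-product"
    return "unknown"


def triage(events):
    """Summarise kills and notable commands from (image, cmdline) events."""
    kills, findings = [], []
    for image, cmdline in events:
        argv = tokens(cmdline)
        exe = image_name(image)
        lowered = [a.lower() for a in argv[1:]]
        if exe == "taskkill.exe":
            target = taskkill_target(argv)
            if target:
                name, forced = target
                kills.append({"target": name, "forced": forced, "class": classify_kill(name)})
        elif exe == "bitsadmin.exe" and "/list" in lowered:
            findings.append(("BITS job enumeration (T1197)", cmdline))
        elif exe == "netsh.exe" and lowered[:3] == ["winsock", "show", "catalog"]:
            findings.append(("Winsock catalog (LSP) enumeration", cmdline))
        elif "/i" in lowered and exe.endswith("service.exe"):
            findings.append(("service binary run with /i (self-install)", cmdline))
        elif "/s" in lowered and "installer" in exe:
            findings.append(("silent NSIS install (/S)", cmdline))
    return {
        "kills": kills,
        "kills_security_product": any(k["class"] == "security-product" for k in kills),
        "unknown_kill_targets": sorted(k["target"] for k in kills if k["class"] == "unknown"),
        "findings": findings,
    }


if __name__ == "__main__":
    for key, value in triage(EVENTS).items():
        print(f"{key}: {value}")
```

On this report the result is five forced kills, three matched to the product's own binaries and two (rsEngineHelper.exe, rsLggr.exe) not named anywhere else on the page, no security-product hit, one silent install, one service self-install and three discovery commands; the two unmatched names are what a reviewer would look up before deciding whether the kill burst is an upgrade pattern or something else.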
Processes
C:\Users\Admin\AppData\Local\Temp\89c55b3ce90e0aa737ef7f77326ac316_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\89c55b3ce90e0aa737ef7f77326ac316_JaffaCakes118.exe"
C:\Program Files\ByteFence\bytefence-installer-5.4.1.3.exe
"C:\Program Files\ByteFence\bytefence-installer-5.4.1.3.exe" /S
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im ByteFence.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im ByteFenceService.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im ByteFenceScan.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im rsEngineHelper.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im rsLggr.exe
C:\Program Files\ByteFence\ByteFence.exe
"C:\Program Files\ByteFence\ByteFence.exe"
\??\c:\program files\bytefence\ByteFenceService.exe
"c:\program files\bytefence\ByteFenceService.exe" /i
\??\c:\program files\bytefence\ByteFenceService.exe
"c:\program files\bytefence\ByteFenceService.exe"
C:\Windows\system32\netsh.exe
"C:\Windows\system32\netsh.exe" winsock show catalog
C:\Windows\SysWOW64\netsh.exe
"C:\Windows\SysWOW64\netsh.exe" winsock show catalog
C:\Windows\System32\bitsadmin.exe
"C:\Windows\System32\bitsadmin.exe" /rawreturn /nowrap /list /allusers /verbose
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | logs.bytefence.com | udp |
| US | 8.8.8.8:53 | api.reason.technology | udp |
| US | 8.8.8.8:53 | api.reason.technology | udp |
| US | 8.8.8.8:53 | proxel.bytefence.com | udp |
| US | 8.8.8.8:53 | logs.bytefence.com | udp |
| US | 8.8.8.8:53 | api.reasonsecurity.com | udp |
| US | 104.22.0.235:443 | api.reasonsecurity.com | tcp |
| US | 8.8.8.8:53 | cdn.bytefence.com | udp |
| US | 104.22.0.235:443 | api.reasonsecurity.com | tcp |
| US | 104.22.0.235:443 | api.reasonsecurity.com | tcp |
| US | 104.22.0.235:443 | api.reasonsecurity.com | tcp |
| US | 104.22.0.235:443 | api.reasonsecurity.com | tcp |
| US | 8.8.8.8:53 | crl.microsoft.com | udp |
| BE | 2.17.107.9:80 | crl.microsoft.com | tcp |
| US | 8.8.8.8:53 | ocsp.thawte.com | udp |
| US | 152.199.19.74:80 | ocsp.thawte.com | tcp |
| US | 8.8.8.8:53 | crl.thawte.com | udp |
| SE | 192.229.221.95:80 | crl.thawte.com | tcp |
| US | 8.8.8.8:53 | csc3-2004-crl.verisign.com | udp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
Files
\Program Files\ByteFence\bytefence-installer-5.4.1.3.exe
| MD5 | c4951a516fe1b3a8a579e73877a4b1a4 |
| SHA1 | 400acb837edec53c746be0ccb2bb9d774fa150e9 |
| SHA256 | 61dc83d20af7bfa9458a4ee7b08bc05fc33b09aa5f04bf655f9f607125d1934b |
| SHA512 | a6933dab647728a2ccfaabdcb7561ab804efdf9ba6193d920712d04c842400b6c975bb0c0228a03f2a3b7dce3019397615267e2905cda73441abc6ef1978faeb |
\Users\Admin\AppData\Local\Temp\nso2953.tmp\nsisdl.dll
| MD5 | a95c7af96416b2cd084fed4c07c8c291 |
| SHA1 | 0c62c2fd843ccb59784404ed36369784dc557671 |
| SHA256 | a1e09fb1739ef7557d18104b0d6a4c7725e1ec293f5404c80402f57ff9ebb9d0 |
| SHA512 | 427ef14b116b574c5558cc6bb0ce03ab37f891f2d7ab0f130e3cddd0265e6bd269c598ce93230e56cd41bb9d2649bbbaa2fa2c654d8116c0c6f79a6f3419d1dc |
\Users\Admin\AppData\Local\Temp\nso2953.tmp\nsExec.dll
| MD5 | 1f49d8af9be9e915d54b2441c4a79adf |
| SHA1 | 1ee4f809c693e31f34bc6d8153664a6dc2c3e499 |
| SHA256 | b22c8f676dec58be8d25fbad1a37835ffc4029f29aaf79f4dc0337ca73a38782 |
| SHA512 | c60827e322e3168a79795ffd4beb0b0039842128255100d6b005d261402d2ff570f3866f441f3d3c063097c71d44bc5ae80d177fa91ef4e46fc8c2d97de27aa4 |
\Program Files\ByteFence\ByteFence.exe
| MD5 | ae114355b714bc831f641ffc1fd5d96b |
| SHA1 | 52885c21ee681f3b0dbb7d13191fbbb141fdf906 |
| SHA256 | 517516b4fe19c58397a703bed0884cd439a6ad7ddadfd3de2b9d40d035659448 |
| SHA512 | 7db682dc63cae4ca91085f34788af53bc2cfd350af476749a4045ff2d751d810d5a8a140b28800ef284aed17cf87c5173f8bc107c73fe75555506fad66358dfe |
C:\Program Files\ByteFence\ByteFence.exe.config
| MD5 | e3d5f62b7b28176a510484e465fa0f18 |
| SHA1 | d9d4f8875c6d96f57549abf06eb336650595ab5a |
| SHA256 | 827cda24df7876010d5239fe2b8af49472442d899f9c0f6d9ff53b4ff6860946 |
| SHA512 | 8c27c69e010d263cb5599a2c38a58b3b9ad61983c512ab4f7d3b46b859393468ad09d6423013ae808c3d243a9b8cb479e499d128539a3959bede78ad145b85be |
C:\Program Files\ByteFence\rsEngine.dll
| MD5 | 38bfe41fef177604494f49ee8023b887 |
| SHA1 | fca37c9a1f3b9eaa68b489b091020cff0f672e6b |
| SHA256 | 65555310943571e3d7cdb37c8a5cfa6e332400397d4d1dcbe4033370a5db81f6 |
| SHA512 | f0b3dd5b27893ccfce43a033cd89ae190bf9d016711e85cea2d3ecf8478db365d47a7f8b86c08bb0941ebff3522f0b6b093c9e5c9527c2737da7ded2614401c2 |
memory/1696-83-0x000000001B620000-0x000000001BB46000-memory.dmp
C:\Program Files\ByteFence\rsUtils.dll
| MD5 | 7e8e3b06787101511fdbadd6ed070ee1 |
| SHA1 | 71e4c41f92ed47daeeee0aab732ddc8e5acd21de |
| SHA256 | b89c0d12a3caa4a663277ce1f0da91efa497515ebca0d18f60c5e65c9920868f |
| SHA512 | 254422dc751dbf5758434a980fefa5e47caa6c28bcaff4bf2e53cc467fc35cd8627787099d8960f2d64351d4706e2a53071dc1daed2b1ce8516e8cee9c5db3dc |
memory/1696-85-0x0000000000CA0000-0x0000000000CDA000-memory.dmp
C:\Program Files\ByteFence\ByteFenceGUI.dll
| MD5 | 637e8fcc69c33392335ffeaaca446a1b |
| SHA1 | 91a56d770a3731310c412cd0c9cea9439594f593 |
| SHA256 | 496378bea9a3d62401744cd3941eda5177dc54733cd45735acf0c373372b5c5e |
| SHA512 | ffd8deba9afea17cf93219774e5d576b4bb39c4db710caa9634e5821cbb40e000f446017bf116bbdd475243dc397d4f038bff8f236e1ad9c002604249761fa08 |
memory/1696-90-0x000000001BD00000-0x000000001BD52000-memory.dmp
memory/1696-91-0x000000001C7F0000-0x000000001C8C6000-memory.dmp
C:\Program Files\ByteFence\Microsoft.Win32.TaskScheduler.dll
| MD5 | 1802e6df96046cfee62c63c4c8469a3e |
| SHA1 | c5d6444fcd8f46e1832c99614f5e71adff582f6d |
| SHA256 | cc6c472f666239ed270cc3754852f536b8981d6fd22e4ad1ee15a1aa788a3ba9 |
| SHA512 | 339f5b917c4afbc25175bd173cebefdd8f4671e157ecfb8a9c21b78db9d34fd9757787c231575e8849509cac59162c6c67fb32af6febd6903ec285e21c0fd304 |
memory/1696-92-0x000000001FB50000-0x000000001FB56000-memory.dmp
memory/1696-93-0x00000000244D0000-0x0000000024648000-memory.dmp
\??\c:\program files\bytefence\ByteFenceService.exe
| MD5 | ac384df8fbe8a76815fab3a2659f4bc4 |
| SHA1 | c3cf899ade1ec94e7d8a7a4dc64950de99096b4f |
| SHA256 | 0e262b5c4390c353bf98298631877913f6940e9c5042c0979060fca6c964fc17 |
| SHA512 | a27ba4f9d167ba81a053067de6e27d1a81646c640e5246f0036c8758f123209206f187fb8b3a073bf3f31717b80cafc3d78add7fc4e33204b87460e14fad4d90 |
C:\Program Files\ByteFence\ByteFenceService.InstallLog
| MD5 | 30fdf3f1adcbf879ee4b629f430ab652 |
| SHA1 | daa220eda83fb6e429c8742382bb95889fed4689 |
| SHA256 | 4049cadfdb4843884bd6d4332cfac55ae073c1210158aef57122c0e0269a63bf |
| SHA512 | b0f2e0922552202937f1f389ff5b6fe450fab1a0c4fd2f39252182b27750b7edda5d0ca859176758ba97edb51b71d54e055f2dbd24d4bdc9b042bea466dca328 |
C:\Program Files\ByteFence\InstallUtil.InstallLog
| MD5 | 00e3f226484ab07ba503afe751c3571d |
| SHA1 | 47e83a6fdf812648a4dedfc61432fb88c93fe720 |
| SHA256 | 6003bd3edb8914f499a86eb1cd4f5e87585d915d2bf2626ad6f55c8abc53f662 |
| SHA512 | 0f7d65aad26320297f9ff91b11ff7d36c878bb3d318941067783c9e334bb4bbcfb6dc837598a04440f8409dd6b21d4ee5e83cdfa4cdfec0c4a3e0e472c9c8b68 |
C:\Program Files\ByteFence\ByteFenceService.InstallLog
| MD5 | 0b2464c9e3d3e45297239acb697f0a2c |
| SHA1 | b105043b8da6b88f6f7dc25ec00cf6ecdbd1b21e |
| SHA256 | 180e58c7b156a7fb934c2e974d90b96d24a2a2e08ef0ec3485512f7b681c766c |
| SHA512 | 9e7411f50ad97fc3eff8f54779f00420f74e1a13f9e5d52961b4fe31ddd1b6a6e603aa49a2ba0769d94af857957b59ae1ee9e725cca3419af8facca1249882ea |
\??\c:\program files\bytefence\rsEngine.config
| MD5 | 427ce4103a0794e3a06d9a2ad0a9d9de |
| SHA1 | aed628de425a84acfe6cd300b27d90d18d802620 |
| SHA256 | 1ad12e7ac644dd4975412378ce13b89a211c64ab6b19af537f86a4b218cd313c |
| SHA512 | c60c310ea901159c3fbfd8ed7474e9528613363eb9ccb21a1667890316438d2f6ef284f14130732197d4428c56153d39da656681419b53e62d7813efdd03bf17 |
\Program Files\ByteFence\x64\rsLggrServer_x64.dll
| MD5 | 27236a42b9810c5db8490693c158c838 |
| SHA1 | 3cb8d0f4b818f120afe2447c9b01af674af3a9f2 |
| SHA256 | d67999fe774e5e0f1c18cd5a4da7d6518faa00b8e950e41737e225b615a1b4f5 |
| SHA512 | 97e9c8921caeecbe144ba11be3675365b5bbd92bf45bbe91e9a37c472fe2153f1f250e8e5b8a37d927605a0897d997228d7351476bbc40f9647737c14022411f |
\Program Files\ByteFence\x64\rsEngineFW_x64.dll
| MD5 | a82484553da1a7a4ce4f5eda236b7207 |
| SHA1 | 3e56d504d2283653165d78a238c97469a28e5de2 |
| SHA256 | 8a1eff4a86e223dbe808bde5d728367b03e7593b514f5cd9c49387e6ac4b57c5 |
| SHA512 | 03d193de85c8022c746e9f99a0e989cc42445d67fe32a31093e66b4e5e9dd25a4103fbb2e93ffc54401d99d40c3ae519dff7db999d64bc7f3cf0af59d82f3681 |
C:\Program Files\ByteFence\Signatures.dat
| MD5 | fb84325fd7362b5634c4de62b3a2c001 |
| SHA1 | ebb54ec78a071ce47a1c86f47903d56d77b34cf7 |
| SHA256 | 23bdccb16e5900857c621b67c779b2a49179aca564eeaf1e74fd10c4eb1651ef |
| SHA512 | d59933302521c9b3eead330a38577faf1df0378aa926690c6001186d495abe4fc470bf578bc9deabd82e26d7b1f8ed446957494122bd65047456c657dc9bade2 |
C:\Program Files\ByteFence\x64\rsEnginePM_x64.dll
| MD5 | 15cf59afcaff08b12d37f2d7c9f6ed81 |
| SHA1 | 1d0464d1f13ffe71ff12556c433d95f168a1cfb2 |
| SHA256 | a4d7f4259cf04e7299f5ab6fe2ceb95680e35427d613aff26dc27d954b8311c2 |
| SHA512 | e35196ae1367a7cae677f1c90dff7a186a03a95a9b7ede67e1c2d5c98db03d1b6e2ae868efae0c8ee12ee8b4067d0fa36139cb514d7d01982f756c0c6db47629 |
C:\Windows\System32\catroot2\dberr.txt
| MD5 | 112d0c45eb4257acaead2f43359492d8 |
| SHA1 | 9ef6009208622802ed50e5da6a4bdc6c1c4207ca |
| SHA256 | 0ca3fa8d963b4e3fce5032d14bdae00f01bb34abe7c1a3b97a5aec1757d65dfd |
| SHA512 | d9a21d32e0a9d5f8bcce46601cf04ecba84b7c7d2d3d1d65c8ddeb7c6d7fa71b514b143120d5fa596f8f5bb2ebd7c36944ad6b7fafd6baae14ff95034496d1c6 |
C:\Program Files\ByteFence\WhiteList.dat
| MD5 | 899c70dd0bdda61514bff5c51a4a0a20 |
| SHA1 | 0fff58ba69a11d1e01c6e2704e553abec1352ce9 |
| SHA256 | 0f9ac436356203842c619d27b8b805e034cfa420e94495170d089629e52038a9 |
| SHA512 | b13691ad0d3768eb6a9e4ea30e9a2ceabdaa1d13730cdda81f18696412ebb4589ee859f422ccf9b01c3399b5dbbcb317e0d6aee91cad10a7985ea8e87148ed9f |
C:\Windows\System32\catroot2\dberr.txt
| MD5 | aa98885da42934da7c046be55b610209 |
| SHA1 | d198b3ee342577e799f4287d44265712aabe44ee |
| SHA256 | b64595e88f98f43dc9e043577a7a94112ac251a676105d5a75f5eddf21c4b642 |
| SHA512 | e3f516516b7ac64b36e94d853eca821c22c8252bc9bf65ceaf8ffa1af10599887460a915b8aa8906cb539f4a2685113027318d22116c08095fa3679fc3b9d9a3 |
C:\Users\Admin\AppData\Local\Temp\Cab9993.tmp
| MD5 | ac05d27423a85adc1622c714f2cb6184 |
| SHA1 | b0fe2b1abddb97837ea0195be70ab2ff14d43198 |
| SHA256 | c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d |
| SHA512 | 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Temp\Tar9EE7.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 83e9c0e93032e1db5ad2723eefeb5a45 |
| SHA1 | fa66e3167e22533015d0a6bf966f2ea4c45ae4be |
| SHA256 | 788c7c3cd3816134f6574792776157df94f9df74902266462401e115733a77c2 |
| SHA512 | 17657ebb03601341753a9c76d9afaacb44e5832765ae80f655307ffbfbd6e99b448cc289f224ebab14f63ca213f2715433e6af7413d16f0ea79702321a4b3f3c |
memory/1696-1110-0x000007FEF5230000-0x000007FEF52C2000-memory.dmp
memory/1696-1111-0x000000001D1C0000-0x000000001D249000-memory.dmp
memory/1696-1114-0x000000001CDF0000-0x000000001CE0E000-memory.dmp
memory/1696-1113-0x000000001C0A0000-0x000000001C0AF000-memory.dmp
memory/1696-1112-0x000000001D1C0000-0x000000001D21E000-memory.dmp
memory/1696-1116-0x000000001C0A0000-0x000000001C0AF000-memory.dmp
memory/1696-1115-0x000000001CDF0000-0x000000001CE04000-memory.dmp
memory/1696-1117-0x000000001CE30000-0x000000001CE6A000-memory.dmp
memory/1696-1118-0x00000000200E0000-0x00000000201A9000-memory.dmp
memory/1696-1119-0x000000001C0A0000-0x000000001C0A9000-memory.dmp
memory/1696-1121-0x000000001CDF0000-0x000000001CE0A000-memory.dmp
memory/1696-1120-0x000000001CDF0000-0x000000001CE13000-memory.dmp
memory/1696-1122-0x000000001C0A0000-0x000000001C0A8000-memory.dmp
memory/1696-1123-0x000000001CDF0000-0x000000001CE02000-memory.dmp
memory/1696-1124-0x000000001D1C0000-0x000000001D249000-memory.dmp
memory/1696-1129-0x000000001C0A0000-0x000000001C0B0000-memory.dmp
memory/1696-1128-0x000000001CDF0000-0x000000001CE16000-memory.dmp
memory/1696-1127-0x000000001CDF0000-0x000000001CE05000-memory.dmp
memory/1696-1126-0x000000001C0A0000-0x000000001C0AC000-memory.dmp
memory/1696-1125-0x000000001CE30000-0x000000001CE75000-memory.dmp
memory/1696-1135-0x000000001C0A0000-0x000000001C0AE000-memory.dmp
memory/1696-1134-0x000000001C0A0000-0x000000001C0A9000-memory.dmp
memory/1696-1133-0x000000001C0A0000-0x000000001C0A9000-memory.dmp
memory/1696-1132-0x000000001C0A0000-0x000000001C0A9000-memory.dmp
memory/1696-1131-0x000000001C0A0000-0x000000001C0AF000-memory.dmp
memory/1696-1130-0x000000001D1C0000-0x000000001D21E000-memory.dmp
memory/1696-1137-0x000000001C0A0000-0x000000001C0AF000-memory.dmp
memory/1696-1136-0x000000001CDF0000-0x000000001CE0E000-memory.dmp
memory/1696-1138-0x000000001CDF0000-0x000000001CE04000-memory.dmp
memory/1696-1142-0x00000000200E0000-0x00000000201A9000-memory.dmp
memory/1696-1141-0x000000001CE30000-0x000000001CE6A000-memory.dmp
memory/1696-1140-0x000000001CDF0000-0x000000001CE14000-memory.dmp
memory/1696-1139-0x000000001CDF0000-0x000000001CE05000-memory.dmp
memory/1696-1144-0x000000001C0A0000-0x000000001C0AD000-memory.dmp
memory/1696-1143-0x000000001D1C0000-0x000000001D21C000-memory.dmp
memory/1696-1146-0x00000000006C0000-0x00000000006CB000-memory.dmp
memory/1696-1145-0x000000001C0A0000-0x000000001C0A9000-memory.dmp
memory/1696-1150-0x000000001CDF0000-0x000000001CE0A000-memory.dmp
memory/1696-1149-0x000000001CDF0000-0x000000001CE13000-memory.dmp
memory/1696-1185-0x000000001C0A0000-0x000000001C0A8000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\2F23D0F5E4D72862517E1CB26A329742_59C6B5742244136A08A70F9396A5A57A
| MD5 | 5bfa51f3a417b98e7443eca90fc94703 |
| SHA1 | 8c015d80b8a23f780bdd215dc842b0f5551f63bd |
| SHA256 | bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128 |
| SHA512 | 4cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399 |
memory/1696-1233-0x000000001CDF0000-0x000000001CE02000-memory.dmp
memory/1696-1261-0x000000001D1C0000-0x000000001D21C000-memory.dmp
memory/1696-1260-0x000000001C090000-0x000000001C0BF000-memory.dmp
memory/1696-1259-0x000000001CDF0000-0x000000001CE14000-memory.dmp
memory/1696-1258-0x000000001CDF0000-0x000000001CE05000-memory.dmp
memory/1696-1257-0x000000001C090000-0x000000001C0BF000-memory.dmp
memory/1696-1256-0x000000001C0A0000-0x000000001C0AF000-memory.dmp
memory/1696-1254-0x000000001D1C0000-0x000000001D216000-memory.dmp
memory/1696-1253-0x000000001C0A0000-0x000000001C0AE000-memory.dmp
memory/1696-1252-0x000000001C0A0000-0x000000001C0A9000-memory.dmp
memory/1696-1251-0x000000001D1C0000-0x000000001D216000-memory.dmp
memory/1696-1250-0x000000001D1C0000-0x000000001D23B000-memory.dmp
memory/1696-1249-0x000000001D1C0000-0x000000001D23B000-memory.dmp
memory/1696-1248-0x00000000006C0000-0x00000000006CA000-memory.dmp
memory/1696-1247-0x00000000006C0000-0x00000000006CA000-memory.dmp
memory/1696-1246-0x000000001C0A0000-0x000000001C0B0000-memory.dmp
memory/1696-1245-0x000000001CDF0000-0x000000001CE16000-memory.dmp
memory/1696-1244-0x000000001CDF0000-0x000000001CE05000-memory.dmp
memory/1696-1243-0x000000001C0A0000-0x000000001C0AC000-memory.dmp
memory/1696-1242-0x000000001CE30000-0x000000001CE75000-memory.dmp
memory/1696-1237-0x000000001D1C0000-0x000000001D217000-memory.dmp
memory/1696-1235-0x000000001C090000-0x000000001C0CE000-memory.dmp
memory/1696-1234-0x000000001C090000-0x000000001C0CE000-memory.dmp
memory/1696-1236-0x000000001D1C0000-0x000000001D217000-memory.dmp
memory/1696-1265-0x000000001D1C0000-0x000000001D249000-memory.dmp
memory/1696-1264-0x000000001D1C0000-0x000000001D249000-memory.dmp
memory/1696-1263-0x000000001C0A0000-0x000000001C0AD000-memory.dmp
memory/1696-1286-0x000000001C090000-0x000000001C0D7000-memory.dmp
memory/1696-1285-0x000000001C090000-0x000000001C0A5000-memory.dmp
memory/1696-1284-0x000000001C090000-0x000000001C0A7000-memory.dmp
memory/1696-1283-0x00000000006C0000-0x00000000006C7000-memory.dmp
memory/1696-1282-0x00000000006C0000-0x00000000006C7000-memory.dmp
memory/1696-1281-0x00000000006C0000-0x00000000006C7000-memory.dmp
memory/1696-1280-0x00000000006C0000-0x00000000006C7000-memory.dmp
memory/1696-1279-0x000000001C090000-0x000000001C0A2000-memory.dmp
memory/1696-1278-0x000000001C090000-0x000000001C0A2000-memory.dmp
memory/1696-1289-0x00000000006C0000-0x00000000006CB000-memory.dmp
memory/1696-1288-0x00000000006C0000-0x00000000006CB000-memory.dmp
memory/1696-1287-0x000000001C090000-0x000000001C0D7000-memory.dmp
memory/1696-1292-0x000000001C090000-0x000000001C0A9000-memory.dmp
memory/1696-1293-0x000000001C090000-0x000000001C0A9000-memory.dmp
memory/1696-1296-0x000000001C090000-0x000000001C0AB000-memory.dmp
memory/1696-1297-0x000000001C090000-0x000000001C0AB000-memory.dmp
memory/1696-1302-0x000000001D1C0000-0x000000001D23B000-memory.dmp
memory/1696-1301-0x00000000006C0000-0x00000000006CB000-memory.dmp
memory/1696-1300-0x000000001C090000-0x000000001C0CE000-memory.dmp
memory/1696-1299-0x000000001C090000-0x000000001C0CE000-memory.dmp
memory/1696-1305-0x00000000006C0000-0x00000000006CA000-memory.dmp
memory/1696-1306-0x00000000006C0000-0x00000000006CA000-memory.dmp
memory/1696-1307-0x000000001D1C0000-0x000000001D23B000-memory.dmp
\Program Files\ByteFence\x64\System.Data.SQLite.dll
| MD5 | e83262d8b431e2fe508bc4a113baff16 |
| SHA1 | 45f849fa7471b6803c721d7c115a301e7d01ee3d |
| SHA256 | 96e8dad51e66b3ee02a5ff00a310fdbfa1d7946d1c92b40fd65acc55de10a738 |
| SHA512 | 15e8e9f4acf2bc0456ae273d4e52243ebdc3dd6074fc20b2524b54b7aad436cd803c5618fa105464040c96acabf0b40cda15c98a2b78d28d3251cbbc3acf22ae |
C:\Program Files\ByteFence\Cache\SR7636c6cfcda9a3c3ee8d5299ae532cf713299313
| MD5 | 1d0652ab223524584775f521d970d751 |
| SHA1 | e53c558cee5ea7412ba8573190a9e32417d0daa5 |
| SHA256 | 448feb63b52e9991e1e303e152132f4b46ec50869fb77cc0e92f16fa2df1657e |
| SHA512 | f15b2e95573c430667bb765fe89c6b4200c09f7ae5cde3605a2db207ea6801e6fbc3954a14560b30b99fb5e744fc9890f84d8144deb24c4c68ac014267242ab1 |
\??\c:\program files\bytefence\bytefenceservice.installstate
| MD5 | 4f130e22d88664a9fc01d4e1350ef1b5 |
| SHA1 | 76504e0aeae03d51e2ce52a11d59f5ff18254d86 |
| SHA256 | b80d9b6e89383642c68bcb2285af4746101fa6470fccfccee210790fce79e9ab |
| SHA512 | 6777bc2866092dc417c37ebf3dfa64598c719e037316b69d816fb53e9c89a474a7b2f71cf937212574107a44c8efe035b838393fc9bef1d8c8ffec110dc9df30 |
C:\Program Files\ByteFence\Cache\SR0b5d5f4985fb1f10c66b94ca773929e01074e656
| MD5 | 2e93c85fc0200a4e744a7b89ea9750c2 |
| SHA1 | 323e2894651d113fbc35dffcc96ef6bf0c067d1c |
| SHA256 | c5baec0104281edc0b67c3332e87fbdc646d96adaeec4ee7c200391b385bd9e5 |
| SHA512 | 7009dcf7bafba26d4b31d6c809230cf58583011cb724d1a2a68e9b3cdd4269e5bba09a51e8e4aeb07d7c06c5ce082a02748111b9edab4a5b306e9eafe653681c |
C:\Program Files\ByteFence\Cache\SR3cc2593f67ee97b0be39a741e16b835d76930170
| MD5 | 11e274a1c8276a5df2465a94c42e56b7 |
| SHA1 | 8a339e06e639fc92634617748585336bbabf3883 |
| SHA256 | 31601bce798378c6f422915b922fac5d750badb520b943debddab2e081864cf0 |
| SHA512 | 7846cd20038016185b5e7c246717cb2c23cc6d65c3abddb92ba441be32a35cf656ebb7795828314aaa623daa422532287ef23c2cff9d9e3e0af6dd7d7814045d |
C:\Program Files\ByteFence\Cache\SR81359110f9daf626be21feed6a18c8f5c22c235c
| MD5 | 2590b82662c13dcf3f35b230eb1e5580 |
| SHA1 | 4a3aa85ca1e3ef15038ffd8de17f18d7812360a4 |
| SHA256 | 6b678bcfac498621f1e60516d340f8d4b8054c8147e0c519c790b2ffdf486ca4 |
| SHA512 | ef841ce9ee8a3e31ad6adc580eb6d63c31bf83234017136f21f84446c93ae2c8f4f5bc31fc078c9bde47f33cda6e9e04fd9c96415919e640810da609317ba8b5 |
C:\Program Files\ByteFence\Cache\SR6daf46c2d3e18320d9a4aa60fc4bf1fb8427abe8
| MD5 | ec044c57f563412252f25faa2a73753b |
| SHA1 | 85e39e3e5f407dad44ed30197c0cea744c19d1b7 |
| SHA256 | ca70a4876ccf0ec134a8382f886d7cd62329c8dc4cdeb5d8f4b9ff5be8e6f90a |
| SHA512 | ec9cc46659c9bf552446cb0a5105bb273f8603ae52ee229dbbd4f01649ed3e53d0bf7ffa4197c365f01df0b8f85d8a381ff10f69376ae679c0cbe9e7176a9115 |
C:\Program Files\ByteFence\Cache\SR5cce991ea888ffae04d593717f7c7a3411ef5aff
| MD5 | f50210d9416d187b03c07ad2c33bad97 |
| SHA1 | 72551a5f95b97fbc731bf35e5696e2d306ba36a8 |
| SHA256 | c2d56645bd2d89e3f7985d8c2b644194a779f2401f2981a2ce094e7df6959b39 |
| SHA512 | 79138642a6aab10b3827dac29ee809f7639cbf615395e00fd941de15ebc9c21c08c9a084f7acf151e44e1f4772564564cc6db963dd71fba2c4622d4b8c0c2e56 |
C:\Program Files\ByteFence\Cache\SRedb7b954ac306d50337cc191783c764c54255675
| MD5 | 2866e0f61b470767af730c5b9c0af622 |
| SHA1 | 8b0967602a6cdf657f04d423cd95e2bdf886104f |
| SHA256 | acd632f4c734db5f08fdea7ed3824cade39e77b13c224965a3e31cb600fd8eec |
| SHA512 | f356568ec3038033c70217ea1759f67deec1eca95a37208228eef9489a148f7c4360901a38d5e6d8562d79846dd0d4247f0305974569b33fa06f4a360f77e390 |
C:\Program Files\ByteFence\Cache\SRe81e6138fc3185fba4cc8827f4122403516011e5
| MD5 | 4992e143f2b596c93e620ad3db562039 |
| SHA1 | f61f20b310b611e37491163658f7598d612ee2a6 |
| SHA256 | 8e950300e559646937c67efe54ec49d88a5b7ad04835a2511b3c2a96623acb5b |
| SHA512 | 52871cf16910711574e1eb2c68721c3edab071a97277877cb3a713f58add255c32773e3af371f941e2e7adac1c75c3b4aee1981913f2a15f9813b138e20869ed |
C:\Program Files\ByteFence\Cache\SRd1cbfbc3eab77fafae000de4b58a8301b0cca719
| MD5 | 5d2d823be2d1940ffbfc3dfc6c8af257 |
| SHA1 | 45205e7ac413a4cac58151f8ef67dcd766443c82 |
| SHA256 | 1200d4c554c4f4e3c6dcb7626878ab54dfd0870483a60e2980cb9e165f56c471 |
| SHA512 | 708ba5712db27bc3be4220bd6657b05c5de8ce252aa1c5e8a6a26e344a09a16007d44dc5ae340a9b3bdd87e3a8143c13d0a4d0c2bb6f5ed5ff049cfe8c4bd2b4 |
C:\Program Files\ByteFence\Cache\SRbe6a56b561319da5969d2854d1604a2a1413a746
| MD5 | 6f09f587b6b2e2082910b3c38e3fbe3e |
| SHA1 | 6c565f0a50669c602644a273d2af37a0e10dfbe4 |
| SHA256 | b458e4ab1ef11469288236cb0308ba98a4187747fdef6d355514289658e889c6 |
| SHA512 | aee88be449f337c45ac978157e0036f5db19b3055dbbe4053f7d1c37e2a20f42fe47f00c683f9c5aafb0c7cf6f7b4959ef6bed1df2ec8e446c9cf97f9709b681 |
C:\Program Files\ByteFence\Cache\SR9f5a4796b58d8b104a1c0f5a63daf0032b947966
| MD5 | c4c7d0c175a7f34da8a47060632ffc62 |
| SHA1 | fc008e80cf32168780a67f59db0aa643174be981 |
| SHA256 | de0432b922f6685c1eae6a1fc6dc41bfe6481e6f7e478cbb830727c158a7eb8f |
| SHA512 | 3ba4f34d07c511de32ab303cd550bf29b0807c4d2261fff8a41901cfa5d645358ef801b7f5a4a009bbc5b6ffbce3651d311724e194d6bcb17e6e1837d08aa93f |
C:\Program Files\ByteFence\Cache\SR9e7aeae1e6c2ec2003d35b7f1338027b7e39a5b7
| MD5 | 0672bb77e5bc5cfec532037585f6b866 |
| SHA1 | bcd810e746d361b81fae53ff42b254aaf7f44016 |
| SHA256 | 5edccfde0f31465499db7d27e5ef02b5588020134268a62e751638a989e0c470 |
| SHA512 | d189266b7706963f7f4cdfbc2a0d1c7f1aa73bc19ff87693b9fc63e009e161e14a33f531cde4441d8d55094f360b3075e65736b699e9f359e5f2c37494c0ee6f |
C:\Program Files\ByteFence\Cache\SR98cc3b8f38311abfdf577be403ff9f74aa55f745
| MD5 | 0e0a9533686763c59f14513dc950450f |
| SHA1 | 3e520fddb3bac112444fbc39eab6ba20e0bb60b0 |
| SHA256 | 716233c45ce6df9abd90288e54f4523e8071b99c0a5cecfcacac5e28e75778eb |
| SHA512 | f1d36d146c4da85bbc20a11a74dcc8234d51558eb8c2bcbce5095770b19c272eea78af6d9d4191ec90b3cb096fe1d62fa6f331e133b1ffb18a96feccc4d36a21 |
C:\Program Files\ByteFence\Cache\SR8bcb89cbdd3471e576d044c6e3fbea77d4f33020
| MD5 | 700ddb84260dc4bcbb2c12a61ef42d3d |
| SHA1 | 1fc05175f05520f52d26d07ebce50f9204fc16ed |
| SHA256 | f1acd834eb27a99d370e29e0a5f7d35f21ee0b6c96284850fb8db0ac6bc07d7f |
| SHA512 | f757e2bab83ba59a400bdb64b65bb66ea18454369ec551a00a3dae044aa54121985b981b8ae3ca56c82dc0d1da758e309e350c2cad430b11cd71740ecd1bb56b |
C:\Program Files\ByteFence\Cache\SR88daac0b40508822e58e251b9e83005d6dce7deb
| MD5 | eb693c9b28dca110cebe0efb0ddf428a |
| SHA1 | 7d354e5c2c6e5b3755184c7e677032b4dea03016 |
| SHA256 | b86a3494ef955d88d03356ebaaa3125bfb6182d1b1002dd3d96d39368a600650 |
| SHA512 | d79a800fe801e1a81f03c27a57f235f43b94d63443684c0ce331f0d0983b72b2870ba4e7a3c60cf6fd720132143490729ba3f2b06d43785900d719658ad95920 |
C:\Program Files\ByteFence\Cache\SR5b978fa62373a62dfe562729549f651ab42fadd5
| MD5 | 79b228aabd056e9264b4fe474a6c2ddf |
| SHA1 | 598c9df5dcca0860244568132c46c54f45fccd21 |
| SHA256 | 2415b9003c526c9549bc658c7d2748ebf0409096ace20fc750bd26757bf404c9 |
| SHA512 | 42c95a4e0ccc5658c90977f932c19551d6f78d18b9eaf2e069a469431eb13052dfef3f7a7d64a9771364e6b6c133a897aba31cc417079b905702064841375a2c |
C:\Program Files\ByteFence\Cache\SR5f2c1b67988654a1cf9d21fd177db11baa329bfb
| MD5 | ed9320b53058bbd7785cab8b03163815 |
| SHA1 | 9b3ab0dd45112ac62ae83460d6b0062baac94568 |
| SHA256 | 1581282d4589056a119c03f56ee76cc4fdfc8e6ff3bf3a198d69ea967ca3255e |
| SHA512 | 76d136d1fc64065899bdb2915616cd8df5c83759ffc5831b55d55869daa86c48ca72a40ce94b8b0b6d0b0a5bc1f386f778da3602ce6efa5ab79de76203832951 |
C:\Program Files\ByteFence\Cache\SR835e982347db919a681ba12f3891f62152e50f0d
| MD5 | 4c30885b314375cdce7d98e82035d792 |
| SHA1 | 5497d31a1bad80b9d75025d8180e83ce20b9ecd7 |
| SHA256 | a5f9b737bbd2b8a653652e1e6784988a31ad94026976b4286844c91de896e798 |
| SHA512 | 7452e989a24366ea0ec9b1bff6bc4f28a2855213962cfb49c9bd6270c76d96b7d5c5424b18ce40e6bce81d7d2306e77eb80c345112cee71e258a9772a3555661 |
C:\Program Files\ByteFence\Cache\SR7eb0139d2175739b3ccb0d1110067820be6abd29
| MD5 | baf7cf82fdd38c64b63267337ca77213 |
| SHA1 | 4c717d7cbf7c4c455a169f3c27cf1e47013b7b27 |
| SHA256 | 33f87d43d72224031bbc6fa4699ca3a01ee991de32b8aa6705b92bf3949a2c33 |
| SHA512 | 0e47bf647dc76b728bb838abbb9278a9ebe6d5972515ec6e1db7d0c5c961c5d5835cca19a2875ddb6c8a05960b71ab8d54dbf0e6a262ccfc1037f69169b51a45 |
C:\Program Files\ByteFence\Cache\SRf8ffa7825a628ae2d3be6d1a82281985f8029427
| MD5 | d0da74a877fe8efc21a3cf156d424489 |
| SHA1 | a1c28828a9de39c5bddf30e18dee096d87899354 |
| SHA256 | 8ab05a5c299c2db4dd182b6af8214b40e3a7586ce8316fc420cec76ac0a29db9 |
| SHA512 | fd8bb47bce5dc243cb0575b827e12d9f4f2457878296ba1a3afae297150e7c36f466baabbe04a78dc08920f57054b4b530194b980f25ed6850269caa7cc9299d |
C:\Program Files\ByteFence\Cache\SR768ec16982ac19d4ada5b740bcae740a46c294e1
| MD5 | a45298071f74977335f063d221ba8296 |
| SHA1 | 1239467c10e98610b46967477e3b1f99e6a98437 |
| SHA256 | 7e0245a4acdd63546d438744d47f9a488ac283a9a864271e2c4bee0a0c8d604f |
| SHA512 | a69f946f056b3989ff362621b7937bb2594c5e7340f9e0d19a7ce5dbea04ac74709454b8edb6070ba011dba03e21f1ebbc238a1a10ac0273ba7befc94cd8c2fd |
C:\Program Files\ByteFence\Cache\SR1b82498270f06a06e6ae63a3d3204a630f21f23a
| MD5 | 80ecd32cb58e407e9d18ca515d4a67c9 |
| SHA1 | 1f546af600d4fe3578920ee183aedf6a338d6d24 |
| SHA256 | cb32388840b9b4669aa6e4ee09c2dbb9d568c6526ab290ddd2e5a708f6de3764 |
| SHA512 | 4f3e89d9cb39b4ae5c5f4454b3c3c219747b9d8a8051e01248f20018c80c49b9c10c4935521c64cb11cd17da2af88e9679a7c6c774c31409267dacb72e47b643 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 5be5977422a4b524a2006c5e5454645c |
| SHA1 | 3dc6d1475047a3a56acb1179c188828ff968e84a |
| SHA256 | dcf3a986cc3536f4b7e4fe9e8436a7af5a797231f3945df6547a8e8f863ffa90 |
| SHA512 | 11efa264251bb6661385285188b48a2585c9c4eed76ca3c9c9e89a461f22606c08646ee6d9aa22d1fc765cc8dfbd2fb151adea3366d0cf6b3f11bdef2fc4f287 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
| MD5 | a266bb7dcc38a562631361bbf61dd11b |
| SHA1 | 3b1efd3a66ea28b16697394703a72ca340a05bd5 |
| SHA256 | df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e |
| SHA512 | 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
| MD5 | 13d055f9956c3ce94edc67c773d2477c |
| SHA1 | 52282ccac9fcd693f5c65c02a27366517fb31e1d |
| SHA256 | e0b9a330c5085829554a8d1cdf9652f0b8d5fc89183ead88f2fa69d097aae174 |
| SHA512 | 080849b1e23dfc10fe5bcf389a2161968cda9c0b59677015d2d2a122347fc9c42c28df7a8a78304c8c62a61fe495dc263d2562506175bf353515f55a1dba1179 |
\??\c:\program files\bytefence\Logs\err.dat
| MD5 | 5d7986fe6e3939eb454ddc7bdb15af85 |
| SHA1 | f608ccc869407385bfc5b280922816f0d28772a4 |
| SHA256 | f87cc7443f2037203c495cf291f3d8c4c8d515302e93caece004fc20947c62fb |
| SHA512 | 1d3393c2be36f53983fb8f0ed2c60ba6ceb4cb482de13a3e1577bf4c4b8bfc6354685cccf37acbdb7a5ec15ab13b9e1fdca29b1bd9500fa7fa13d3dd34521136 |
\??\c:\program files\bytefence\Errors.dat
| MD5 | c7acfc06950e688b282cf9db0458fc8f |
| SHA1 | b5e5798d500cb4065d1d25b2887e0f932271db61 |
| SHA256 | 3530869e7bfc906661cb94bd96f0feb6b81281fa4e702ac1687e1cdb94d3fcde |
| SHA512 | d0083400f8a519979d495547c95c9d96344e7922d05c3ae21cef7180c08e079b2b2518ad0737d6cd3b3a234684f2a78395f6bbd6769120516bffe1052d88a498 |
Analysis: behavioral8
Detonation Overview
Submitted
2024-06-01 07:37
Reported
2024-06-01 07:40
Platform
win10v2004-20240426-en
Max time kernel
134s
Max time network
141s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3608 wrote to memory of 368 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3608 wrote to memory of 368 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3608 wrote to memory of 368 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 368 -ip 368
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 368 -s 636
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.173.189.20.in-addr.arpa | udp |
Files
Analysis: behavioral10
Detonation Overview
Submitted
2024-06-01 07:37
Reported
2024-06-01 07:40
Platform
win10v2004-20240508-en
Max time kernel
148s
Max time network
157s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1380 wrote to memory of 2696 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1380 wrote to memory of 2696 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1380 wrote to memory of 2696 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsExec.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsExec.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2696 -ip 2696
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2696 -s 620
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.58.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.155:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 155.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 52.111.229.48:443 | | tcp |
| US | 8.8.8.8:53 | 99.56.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 24.73.42.20.in-addr.arpa | udp |
Files
Analysis: behavioral15
Detonation Overview
Submitted
2024-06-01 07:37
Reported
2024-06-01 07:40
Platform
win7-20240221-en
Max time kernel
117s
Max time network
123s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ByteFenceGUI.dll,#1
Network
Files
Analysis: behavioral20
Detonation Overview
Submitted
2024-06-01 07:37
Reported
2024-06-01 07:40
Platform
win10v2004-20240508-en
Max time kernel
148s
Max time network
157s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ByteFenceService.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\ByteFenceService.exe
"C:\Users\Admin\AppData\Local\Temp\ByteFenceService.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24.73.42.20.in-addr.arpa | udp |
Files
memory/1268-0-0x00007FFD3E845000-0x00007FFD3E846000-memory.dmp
memory/1268-1-0x00007FFD3E590000-0x00007FFD3EF31000-memory.dmp
memory/1268-2-0x00007FFD3E590000-0x00007FFD3EF31000-memory.dmp
memory/1268-3-0x000000001B0A0000-0x000000001B0B8000-memory.dmp
memory/1268-4-0x000000001BCE0000-0x000000001C206000-memory.dmp
memory/1268-5-0x00007FFD3E590000-0x00007FFD3EF31000-memory.dmp
memory/1268-6-0x000000001B710000-0x000000001B730000-memory.dmp
memory/1268-7-0x00007FFD3E590000-0x00007FFD3EF31000-memory.dmp
memory/1268-9-0x00007FFD3E590000-0x00007FFD3EF31000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2024-06-01 07:37
Reported
2024-06-01 07:40
Platform
win10v2004-20240226-en
Max time kernel
167s
Max time network
175s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bytefence-installer-5.4.1.3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bytefence-installer-5.4.1.3.exe | N/A |
Enumerates physical storage devices
Processes
C:\Users\Admin\AppData\Local\Temp\bytefence-installer-5.4.1.3.exe
"C:\Users\Admin\AppData\Local\Temp\bytefence-installer-5.4.1.3.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1316 --field-trial-handle=2280,i,11703952675008463361,17436195144517971517,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| GB | 23.44.234.16:80 | | tcp |
| US | 13.107.253.64:443 | | tcp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 164.189.21.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| NL | 52.142.223.178:80 | | tcp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24.73.42.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\nse8F8A.tmp\nsDialogs.dll
| MD5 | eac1c3707970fe7c71b2d760c34763fa |
| SHA1 | f275e659ad7798994361f6ccb1481050aba30ff8 |
| SHA256 | 062c75ad650548750564ffd7aef8cd553773b5c26cae7f25a5749b13165194e3 |
| SHA512 | 3415bd555cf47407c0ae62be0dbcba7173d2b33a371bf083ce908fc901811adb888b7787d11eb9d99a1a739cbd9d1c66e565db6cd678bdadaf753fbda14ffd09 |
C:\Users\Admin\AppData\Local\Temp\nse8F8A.tmp\System.dll
| MD5 | b0c77267f13b2f87c084fd86ef51ccfc |
| SHA1 | f7543f9e9b4f04386dfbf33c38cbed1bf205afb3 |
| SHA256 | a0cac4cf4852895619bc7743ebeb89f9e4927ccdb9e66b1bcd92a4136d0f9c77 |
| SHA512 | f2b57a2eea00f52a3c7080f4b5f2bb85a7a9b9f16d12da8f8ff673824556c62a0f742b72be0fd82a2612a4b6dbd7e0fdc27065212da703c2f7e28d199696f66e |
Analysis: behavioral22
Detonation Overview
Submitted
2024-06-01 07:37
Reported
2024-06-01 07:40
Platform
win10v2004-20240508-en
Max time kernel
91s
Max time network
104s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Microsoft.Diagnostics.Tracing.TraceEvent.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| US | 52.111.229.43:443 | | tcp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral28
Detonation Overview
Submitted
2024-06-01 07:37
Reported
2024-06-01 07:40
Platform
win7-20240221-en
Max time kernel
117s
Max time network
123s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\protobuf-net.dll,#1
Network
Files
Analysis: behavioral29
Detonation Overview
Submitted
2024-06-01 07:37
Reported
2024-06-01 07:40
Platform
win10v2004-20240226-en
Max time kernel
163s
Max time network
175s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\protobuf-net.dll,#1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4068 --field-trial-handle=2256,i,6670388345726423024,18382795228658886258,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 20.231.121.79:80 | | tcp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| GB | 172.217.169.42:443 | chromewebstore.googleapis.com | tcp |
| US | 8.8.8.8:53 | 42.169.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 208.143.182.52.in-addr.arpa | udp |