Malware Analysis Report

2024-11-30 06:57

Sample ID 240601-jf1tvseb8v
Target 89c55b3ce90e0aa737ef7f77326ac316_JaffaCakes118
SHA256 1102534d7ed22c361f26d196c9170d977ea3b0eb8b4ce5746236e3e2418451a4
Tags
evasion spyware stealer trojan discovery persistence
score
9/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral7, behavioral18, behavioral3, behavioral11, behavioral14, behavioral19, behavioral23, behavioral24, behavioral2, behavioral13, behavioral26, behavioral30, behavioral5, behavioral9, behavioral25, behavioral27, behavioral32, behavioral6, behavioral12, behavioral16, behavioral17, behavioral21, behavioral31, behavioral1, behavioral8, behavioral10, behavioral15, behavioral20, behavioral4, behavioral22, behavioral28, behavioral29 (each: Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

score
9/10

SHA256

1102534d7ed22c361f26d196c9170d977ea3b0eb8b4ce5746236e3e2418451a4

Threat Level: Likely malicious

The file 89c55b3ce90e0aa737ef7f77326ac316_JaffaCakes118 (an NSIS installer that deploys ByteFence Anti-Malware, per the signatures and dropped files below) was classified as likely malicious with a score of 9/10.

Malicious Activity Summary

evasion spyware stealer trojan discovery persistence

Enumerates VirtualBox registry keys

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Looks for VMWare Tools registry key

Checks BIOS information in registry

Registers COM server for autorun

Reads user/profile data of web browsers

Checks whether UAC is enabled

Enumerates connected drives

Drops file in System32 directory

Loads dropped DLL

Checks installed software on the system

Drops file in Program Files directory

Checks system information in the registry

Executes dropped EXE

Program crash

Unsigned PE

Enumerates physical storage devices

NSIS installer

Kills process with taskkill

Uses Volume Shadow Copy WMI provider

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Suspicious use of SendNotifyMessage

Enumerates system info in registry

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Modifies system certificate store

Modifies data under HKEY_USERS

Uses Volume Shadow Copy service COM API

Checks processor information in registry

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-01 07:37

Signatures

Unsigned PE

Description Indicator Process Target
(8 rows, all fields N/A)

NSIS installer

installer
Description Indicator Process Target
(4 rows, all fields N/A)

Analysis: behavioral7

Detonation Overview

Submitted

2024-06-01 07:37

Reported

2024-06-01 07:40

Platform

win7-20240508-en

Max time kernel

118s

Max time network

125s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2228 -s 240

Network

N/A

Files

N/A

Analysis: behavioral18

Detonation Overview

Submitted

2024-06-01 07:37

Reported

2024-06-01 07:40

Platform

win10v2004-20240426-en

Max time kernel

134s

Max time network

142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ByteFenceScan.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ByteFenceScan.exe

"C:\Users\Admin\AppData\Local\Temp\ByteFenceScan.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 45.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 88.65.42.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-01 07:37

Reported

2024-06-01 07:40

Platform

win7-20240221-en

Max time kernel

118s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bytefence-installer-5.4.1.3.exe"

Signatures

Enumerates physical storage devices

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\bytefence-installer-5.4.1.3.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\bytefence-installer-5.4.1.3.exe

"C:\Users\Admin\AppData\Local\Temp\bytefence-installer-5.4.1.3.exe"

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\nsd895C.tmp\nsDialogs.dll

MD5 eac1c3707970fe7c71b2d760c34763fa
SHA1 f275e659ad7798994361f6ccb1481050aba30ff8
SHA256 062c75ad650548750564ffd7aef8cd553773b5c26cae7f25a5749b13165194e3
SHA512 3415bd555cf47407c0ae62be0dbcba7173d2b33a371bf083ce908fc901811adb888b7787d11eb9d99a1a739cbd9d1c66e565db6cd678bdadaf753fbda14ffd09

\Users\Admin\AppData\Local\Temp\nsd895C.tmp\System.dll

MD5 b0c77267f13b2f87c084fd86ef51ccfc
SHA1 f7543f9e9b4f04386dfbf33c38cbed1bf205afb3
SHA256 a0cac4cf4852895619bc7743ebeb89f9e4927ccdb9e66b1bcd92a4136d0f9c77
SHA512 f2b57a2eea00f52a3c7080f4b5f2bb85a7a9b9f16d12da8f8ff673824556c62a0f742b72be0fd82a2612a4b6dbd7e0fdc27065212da703c2f7e28d199696f66e

Analysis: behavioral11

Detonation Overview

Submitted

2024-06-01 07:37

Reported

2024-06-01 07:40

Platform

win7-20240221-en

Max time kernel

121s

Max time network

124s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsisdl.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsisdl.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsisdl.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2956 -s 220

Network

N/A

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-06-01 07:37

Reported

2024-06-01 07:40

Platform

win10v2004-20240226-en

Max time kernel

163s

Max time network

175s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ByteFence.exe"

Signatures

Reads user/profile data of web browsers

spyware stealer

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\f: C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections \??\c:\users\admin\appdata\local\temp\ByteFenceService.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\ByteFence Folder Scan\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\ByteFenceScan.exe\" /scan:\"%1\"" C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\ByteFence File Scan\ = "Scan with ByteFence Anti-Malware..." C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\ByteFence File Scan\Icon = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\ByteFence.exe\",0" C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\ByteFence File Scan\Position = "Middle" C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\ByteFence File Scan\command C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\ByteFence Folder Scan C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\ByteFence Folder Scan\ = "Scan with ByteFence Anti-Malware..." C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\ByteFence Folder Scan\Position = "Middle" C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\ByteFence File Scan C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\ByteFence File Scan\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\ByteFenceScan.exe\" /scan:\"%1\"" C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\ByteFence Folder Scan\Icon = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\ByteFence.exe\",0" C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\ByteFence Folder Scan\command C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
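
The writes above register two shell verbs: "ByteFence File Scan" under HKLM\SOFTWARE\Classes\* (offered for every file) and "ByteFence Folder Scan" under HKLM\SOFTWARE\Classes\Directory (offered for every folder). Both commands run ByteFenceScan.exe from the user's AppData\Local\Temp directory, because that is where the sandbox launched ByteFence.exe in this detonation. A machine-wide context-menu entry whose command lives in a user-writable path is the trait an incident responder should look for, since anyone who can replace that file controls what the verb executes. The Python below is an added example, not code from this report or from the ByteFence project: it decodes the sandbox's JSON-style rendering of the REG_SZ data, extracts the executable from the command line and flags machine-wide verbs and user-writable command paths. The sample writes are copied from the table above; the list of user-writable directories is this example's own heuristic.

```python
import json
import re

# Registry writes copied from the behavioral14 "Modifies registry class" table
# (constructed sample input: value path as logged, value data as logged).
# The sandbox prints REG_SZ data as a JSON-style quoted string, so the stored
# value of the first entry is:  "C:\Users\Admin\AppData\Local\Temp\ByteFenceScan.exe" /scan:"%1"
SAMPLE_WRITES = [
    (r"\REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\ByteFence File Scan\command" + "\\",
     r'"\"C:\\Users\\Admin\\AppData\\Local\\Temp\\ByteFenceScan.exe\" /scan:\"%1\""'),
    (r"\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\ByteFence Folder Scan\command" + "\\",
     r'"\"C:\\Users\\Admin\\AppData\\Local\\Temp\\ByteFenceScan.exe\" /scan:\"%1\""'),
    (r"\REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\ByteFence File Scan\Icon",
     r'"\"C:\\Users\\Admin\\AppData\\Local\\Temp\\ByteFence.exe\",0"'),
    (r"\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\ByteFence Folder Scan\Position",
     r'"Middle"'),
]

# Shell verbs live under <hive>\SOFTWARE\Classes\<class>\shell\<verb>\...;
# class '*' applies to every file and 'Directory' to every folder.
VERB_RE = re.compile(
    r"^\\REGISTRY\\(?P<hive>MACHINE|USER\\[^\\]+)\\SOFTWARE\\Classes\\"
    r"(?P<cls>[^\\]+)\\shell\\(?P<verb>[^\\]+)\\(?P<sub>command\\?|Icon|Position|)$",
    re.IGNORECASE,
)

# Directories a standard user can write to. A machine-wide verb whose command
# lives here can be hijacked by anyone able to replace the file. This list is
# the example's own heuristic, not something the sandbox reports.
USER_WRITABLE = (r"\appdata\local", r"\appdata\roaming", r"\users\public", r"\programdata", r"\windows\temp")


def decode_logged_value(logged):
    """Turn the sandbox's JSON-style rendering of REG_SZ data back into the stored string."""
    return json.loads(logged)


def command_executable(cmdline):
    """Extract the program path from a verb command line, honouring a quoted first token."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return cmdline[1:end] if end > 0 else cmdline[1:]
    return cmdline.split(" ", 1)[0]


def assess_shell_verb(value_path, logged_data):
    """Describe one 'Set value (str)' write under ...\\Classes\\...\\shell\\ and flag risky traits.

    Returns None for value paths that are not shell-verb values.
    """
    m = VERB_RE.match(value_path)
    if not m:
        return None
    rec = {
        "hive": "HKLM" if m.group("hive").upper() == "MACHINE" else "HKU",
        "scope": m.group("cls"),
        "verb": m.group("verb"),
        "kind": m.group("sub").rstrip("\\") or "(default)",
        "data": decode_logged_value(logged_data),
        "flags": [],
    }
    if rec["kind"].lower() == "command":
        rec["exe"] = command_executable(rec["data"])
        if any(frag in rec["exe"].lower() for frag in USER_WRITABLE):
            rec["flags"].append("command in user-writable path")
    if rec["hive"] == "HKLM" and rec["scope"] in ("*", "Directory"):
        rec["flags"].append("machine-wide verb on all files/folders")
    return rec


def audit(writes):
    """Run assess_shell_verb over logged writes and keep only those that raised a flag."""
    return [r for r in (assess_shell_verb(p, d) for p, d in writes) if r and r["flags"]]


if __name__ == "__main__":
    for r in audit(SAMPLE_WRITES):
        print(f"{r['hive']}\\...\\{r['scope']}\\shell\\{r['verb']}\\{r['kind']}: {r['data']}")
        for f in r["flags"]:
            print(f"    ! {f}")
```

On a live host the same check reads the Classes\*\shell and Classes\Directory\shell keys directly; here the logged rows stand in for that, and the decoding step matters because the sandbox escapes both quotes and backslashes in the data column.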

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A (49 rows)
N/A N/A \??\c:\users\admin\appdata\local\temp\ByteFenceService.exe N/A (15 rows)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
Token: SeDebugPrivilege N/A \??\c:\users\admin\appdata\local\temp\ByteFenceService.exe N/A
Token: SeDebugPrivilege N/A \??\c:\users\admin\appdata\local\temp\ByteFenceService.exe N/A
Token: SeDebugPrivilege N/A \??\c:\users\admin\appdata\local\temp\ByteFenceService.exe N/A
Token: SeDebugPrivilege N/A \??\c:\users\admin\appdata\local\temp\ByteFenceService.exe N/A
Token: SeBackupPrivilege N/A \??\c:\users\admin\appdata\local\temp\ByteFenceService.exe N/A
Token: SeRestorePrivilege N/A \??\c:\users\admin\appdata\local\temp\ByteFenceService.exe N/A
Token: SeLoadDriverPrivilege N/A \??\c:\users\admin\appdata\local\temp\ByteFenceService.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\ByteFence.exe

"C:\Users\Admin\AppData\Local\Temp\ByteFence.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4068 --field-trial-handle=2236,i,5367110156796017614,12594004256180761011,262144 --variations-seed-version /prefetch:8

\??\c:\users\admin\appdata\local\temp\ByteFenceService.exe

"c:\users\admin\appdata\local\temp\ByteFenceService.exe" /i

\??\c:\users\admin\appdata\local\temp\ByteFenceService.exe

"c:\users\admin\appdata\local\temp\ByteFenceService.exe"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe

dw20.exe -x -s 2128

Network

Country Destination Domain Proto
US 20.231.121.79:80 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 13.107.246.64:443 tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 99.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 logs.bytefence.com udp
US 8.8.8.8:53 logs.bytefence.com udp
US 8.8.8.8:53 logs.bytefence.com udp
US 8.8.8.8:53 24.73.42.20.in-addr.arpa udp
US 8.8.8.8:53 logs.bytefence.com udp

Files

memory/4916-0-0x00007FFBEED75000-0x00007FFBEED76000-memory.dmp

memory/4916-1-0x00007FFBEEAC0000-0x00007FFBEF461000-memory.dmp

memory/4916-2-0x00007FFBEEAC0000-0x00007FFBEF461000-memory.dmp

memory/4916-3-0x000000001C8D0000-0x000000001CDF6000-memory.dmp

memory/4916-4-0x00007FFBEEAC0000-0x00007FFBEF461000-memory.dmp

memory/4916-5-0x00007FFBEEAC0000-0x00007FFBEF461000-memory.dmp

memory/4916-6-0x000000001E0E0000-0x000000001E5AE000-memory.dmp

memory/4916-7-0x00007FFBEED75000-0x00007FFBEED76000-memory.dmp

memory/4916-8-0x00007FFBEEAC0000-0x00007FFBEF461000-memory.dmp

memory/4916-9-0x000000001C7F0000-0x000000001C88C000-memory.dmp

memory/4916-10-0x000000001C890000-0x000000001C8CA000-memory.dmp

memory/4916-11-0x00007FFBEEAC0000-0x00007FFBEF461000-memory.dmp

memory/4916-12-0x00007FFBEEAC0000-0x00007FFBEF461000-memory.dmp

memory/4916-13-0x00007FFBEEAC0000-0x00007FFBEF461000-memory.dmp

memory/4916-15-0x00007FFBEEAC0000-0x00007FFBEF461000-memory.dmp

memory/4916-16-0x00007FFBEEAC0000-0x00007FFBEF461000-memory.dmp

memory/4916-18-0x0000000020A30000-0x0000000020B06000-memory.dmp

memory/4916-19-0x0000000020C10000-0x0000000020C62000-memory.dmp

memory/4916-20-0x00007FFBEEAC0000-0x00007FFBEF461000-memory.dmp

memory/4916-21-0x00007FFBEEAC0000-0x00007FFBEF461000-memory.dmp

memory/4916-22-0x00007FFBEEAC0000-0x00007FFBEF461000-memory.dmp

memory/4916-23-0x0000000001EC0000-0x0000000001EC8000-memory.dmp

memory/4916-26-0x000000001D780000-0x000000001D7A0000-memory.dmp

memory/4916-28-0x0000000001930000-0x0000000001936000-memory.dmp

memory/4916-27-0x0000000001920000-0x0000000001926000-memory.dmp

memory/4916-29-0x0000000021F90000-0x0000000022108000-memory.dmp

memory/4916-40-0x00007FFBEEAC0000-0x00007FFBEF461000-memory.dmp

memory/1172-45-0x00007FFBEEAC0000-0x00007FFBEF461000-memory.dmp

memory/4916-46-0x0000000022180000-0x00000000221E2000-memory.dmp

memory/1172-47-0x00007FFBEEAC0000-0x00007FFBEF461000-memory.dmp

memory/1172-48-0x0000000000ED0000-0x0000000000EE8000-memory.dmp

memory/1172-49-0x00007FFBEEAC0000-0x00007FFBEF461000-memory.dmp

memory/1172-50-0x00007FFBEEAC0000-0x00007FFBEF461000-memory.dmp

memory/1172-53-0x000000001BB90000-0x000000001BBB4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ByteFenceService.InstallLog

MD5 6eaa1926a6ef20c0742b1344bf1d8a14
SHA1 a9ba7268b609d64e0434d9a8f3f78d2371a2ac1d
SHA256 119aacf78c0083c15adc496df961bb78fe33efac6d3f41227d903f6c63b3ee28
SHA512 f4fef01bcded694a182440501f7a0dd47d6441e2558f1df26d019697a2f9372fd0f0e6ba8e1bb2b30b4fe34f53eefbc439e7ead6f1d726fd465543c9fccc9889

memory/1172-77-0x00007FFBEEAC0000-0x00007FFBEF461000-memory.dmp

memory/3160-78-0x00007FFBEEAC0000-0x00007FFBEF461000-memory.dmp

memory/3160-79-0x00007FFBEEAC0000-0x00007FFBEF461000-memory.dmp

memory/4916-80-0x00007FFBEEAC0000-0x00007FFBEF461000-memory.dmp

\??\c:\users\admin\appdata\local\temp\rsEngine.config

MD5 56471e1d552cf365892a221059747376
SHA1 89cb5955b2ea777edd6366c5139029946310bafd
SHA256 d71574e62332c8ba76faf56f14de7357b6b2eba1d6c2e41dd140170a7b729d50
SHA512 a5be82b7a7940a60e5febf5458237fcfa4b1a06188604529089b711b802c0fee7bad700a368830737e78d0c32431cc8baa13cb65f1c320cf14943be7d8e46972

memory/4916-91-0x00007FFBEEAC0000-0x00007FFBEF461000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Logs\err.dat

MD5 c50464a6337a533dc2edaa31a80662a8
SHA1 967ca7bd671d58ddd791214043a791315fe7c73e
SHA256 cadb9baecf6ad2473b97f67ef4f0ef93cd95a02d924bcc4a1fb17572af3ba5a8
SHA512 668e6f481b38129053028834a3d542848485be33e07ef5f3dac83e0f2321629c7d94a9423dc6e7436779ffd9965e973b3b5f7efa0944980c41b314f3a05321c3

C:\Users\Admin\AppData\Local\Temp\Errors.dat

MD5 af1cbbf38f1a43db153df455ae5923c3
SHA1 b07b4eaad7fa713c206227672c94eb1ad5686aee
SHA256 1176e2572eff93a2574e8264dcf54436b1dc3c6afb1f7cfc7061834d110f881b
SHA512 0ee847cb7ef6af1b8af002dd058bc7ccea6810f8e7ffd41895db1f1e8fc1910f9adabeb52ad540cf582ff701959dcd6f48c8f99b01b8f5eb4f30df27812e14c5

memory/4916-213-0x00007FFBEEAC0000-0x00007FFBEF461000-memory.dmp

memory/3160-214-0x00007FFBEEAC0000-0x00007FFBEF461000-memory.dmp

\??\c:\users\admin\appdata\local\temp\Errors.dat

MD5 5bff40a52cf1b455c98ef866cd14b69d
SHA1 4dccbe4c71573350e59385a857742d0a39afbc49
SHA256 693282321c3d491c51072c9aaa43b672294ae76213986f3456065f23f091b0c1
SHA512 8109c0faa6a6f601c1328c4c416d5be202ec2437012fc1217e1c66eec150f3ab40a65a9e6a9408db9af0d9ba060a6ad9b0f788b84fc6f70231b69226f48c5fb9

\??\c:\users\admin\appdata\local\temp\Logs\err.dat

MD5 b997e4136d83f6b8da47ce20740961ac
SHA1 1b9d97bae4f1603f1c204ae5cd04c02242eb4915
SHA256 d2b0cb1dea27ecc18f0afc9aee4c584fcbe68fef1b4f6e6e1a4bd93397566bc9
SHA512 6a2b512f90b3a15641037955e030aedf81cd70dc1969766c8f27332d0309b59416ca32f7b9f86074f32cb75b87719c467a01ba88108c221bf0a602021a01ecbc

Analysis: behavioral19

Detonation Overview

Submitted

2024-06-01 07:37

Reported

2024-06-01 07:40

Platform

win7-20240221-en

Max time kernel

120s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ByteFenceService.exe"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ByteFenceService.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ByteFenceService.exe

"C:\Users\Admin\AppData\Local\Temp\ByteFenceService.exe"

Network

N/A

Files

memory/2192-0-0x000007FEF5C5E000-0x000007FEF5C5F000-memory.dmp

memory/2192-1-0x000007FEF59A0000-0x000007FEF633D000-memory.dmp

memory/2192-2-0x000007FEF59A0000-0x000007FEF633D000-memory.dmp

memory/2192-3-0x000000001AF50000-0x000000001B476000-memory.dmp

memory/2192-4-0x000007FEF59A0000-0x000007FEF633D000-memory.dmp

memory/2192-5-0x000007FEF59A0000-0x000007FEF633D000-memory.dmp

Analysis: behavioral23

Detonation Overview

Submitted

2024-06-01 07:37

Reported

2024-06-01 07:40

Platform

win7-20240221-en

Max time kernel

118s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Microsoft.Win32.TaskScheduler.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Microsoft.Win32.TaskScheduler.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral24

Detonation Overview

Submitted

2024-06-01 07:37

Reported

2024-06-01 07:40

Platform

win10v2004-20240508-en

Max time kernel

131s

Max time network

129s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Microsoft.Win32.TaskScheduler.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Microsoft.Win32.TaskScheduler.dll,#1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4356,i,5047420736443372512,9747851268033796534,262144 --variations-seed-version --mojo-platform-channel-handle=3856 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 2.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-01 07:37

Reported

2024-06-01 07:40

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\89c55b3ce90e0aa737ef7f77326ac316_JaffaCakes118.exe"

Signatures

Enumerates VirtualBox registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VBoxGuest C:\Program Files\ByteFence\ByteFence.exe N/A

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\FADT\VBOX__ C:\Program Files\ByteFence\ByteFence.exe N/A

Looks for VMWare Tools registry key

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\VMware, Inc.\VMware Tools C:\Program Files\ByteFence\ByteFence.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Program Files\ByteFence\ByteFence.exe N/A
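
The four signatures above are registry probes for hypervisor artifacts (the VBoxGuest service key, the ACPI FADT table named VBOX__, the "VMware, Inc.\VMware Tools" key) and for firmware strings that a sandbox usually leaves at their virtual defaults. Probing more than one vendor is what separates anti-analysis logic from a product that merely looks for its own guest driver. As an added example, not code from this report or from the ByteFence project, the Python below parses indicator rows in the four-column format this report uses and classifies each registry probe; the sample rows are copied from the behavioral2 tables, and the vendor markers, hardware value names and the "two vendors" threshold are this example's own heuristics.

```python
import re
from collections import Counter

# Indicator rows copied from the behavioral2 tables of this report (constructed
# sample input; each row reads "<description> <indicator> <process> <target>").
SAMPLE_LINES = [
    r"Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VBoxGuest C:\Program Files\ByteFence\ByteFence.exe N/A",
    r"Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\FADT\VBOX__ C:\Program Files\ByteFence\ByteFence.exe N/A",
    r"Key opened \REGISTRY\MACHINE\SOFTWARE\VMware, Inc.\VMware Tools C:\Program Files\ByteFence\ByteFence.exe N/A",
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Program Files\ByteFence\ByteFence.exe N/A",
    r"Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName C:\Program Files\ByteFence\ByteFence.exe N/A",
    r"Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\ByteFence\ByteFence.exe N/A",
]

# Whitespace alone cannot split the columns: the indicator ("VMware, Inc.")
# and the process ("C:\Program Files\...") both contain spaces. The process
# column always starts with a drive letter or the NT \??\ prefix, which
# anchors the split.
LINE_RE = re.compile(
    r"^(?P<desc>Key opened|Key value queried|Key created|Set value \(str\)|"
    r"File created|File opened(?: \([^)]*\))?)\s+"
    r"(?P<indicator>.+?)\s+"
    r"(?P<process>(?:[A-Za-z]:\\|\\\?\?\\)\S.*?)\s+"
    r"(?P<target>\S+)$"
)

# Substrings and value names that identify hypervisor or hardware probes.
# These are this example's own heuristics, not the sandbox's signature set.
VM_MARKERS = {"virtualbox": ("vbox", "virtualbox"), "vmware": ("vmware",)}
HARDWARE_VALUES = ("systembiosversion", "videobiosversion", "systemproductname", "systemmanufacturer")


def parse_indicator(line):
    """Split one logged indicator row into its four columns."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised indicator row: {line!r}")
    return m.groupdict()


def classify_registry_probe(path):
    """Label a registry path read by the sample: anti-vm:<vendor>, hardware-fingerprint, uac-check or other."""
    p = path.lower()
    for vendor, needles in VM_MARKERS.items():
        if any(n in p for n in needles):
            return f"anti-vm:{vendor}"
    if any(p.endswith("\\" + v) for v in HARDWARE_VALUES):
        return "hardware-fingerprint"
    if p.endswith(r"\policies\system\enablelua"):
        return "uac-check"
    return "other"


def triage(lines):
    """Return (category, process, indicator) for every row that is an environment probe."""
    out = []
    for line in lines:
        rec = parse_indicator(line)
        cat = classify_registry_probe(rec["indicator"])
        if cat != "other":
            out.append((cat, rec["process"], rec["indicator"]))
    return out


def summarize(lines):
    """Count probes per category and decide whether the pattern looks like anti-VM logic."""
    counts = Counter(cat for cat, _, _ in triage(lines))
    vendors = sorted(cat.split(":", 1)[1] for cat in counts if cat.startswith("anti-vm:"))
    # Checking for more than one hypervisor vendor is the tell: software that
    # needs a guest driver looks for its own vendor only.
    return {"counts": dict(counts), "anti_vm_vendors": vendors, "likely_anti_vm": len(vendors) >= 2}


if __name__ == "__main__":
    for cat, proc, ind in triage(SAMPLE_LINES):
        print(f"{cat:22} {proc}  {ind}")
    print(summarize(SAMPLE_LINES))
```

The same parser accepts the "Set value (str)" and "File created" rows elsewhere in this report, so it can be pointed at a whole detonation's tables rather than the six rows embedded here.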

Reads user/profile data of web browsers

spyware stealer

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\ByteFence\ByteFence.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\f: C:\Program Files\ByteFence\ByteFence.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\CatRoot2\dberr.txt C:\Program Files\ByteFence\ByteFence.exe N/A

Checks installed software on the system

discovery

Checks system information in the registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName C:\Program Files\ByteFence\ByteFence.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\ByteFence\Cache\SRb0eabbd37a97a1abcd90bd56394f5c45585699eb C:\Program Files\ByteFence\ByteFence.exe N/A
File created C:\Program Files\ByteFence\Cache\SR59549d367a7eca13225a2cc432f4ec06632ba0e7 C:\Program Files\ByteFence\ByteFence.exe N/A
File created C:\Program Files\ByteFence\Cache\SR2a3ec95cb473d5666e9c9f66c33c80e001e39561 C:\Program Files\ByteFence\ByteFence.exe N/A
File created C:\Program Files\ByteFence\Cache\SRae38ca93e3870805a334fcc8929709d38a748fa0 C:\Program Files\ByteFence\ByteFence.exe N/A
File created C:\Program Files\ByteFence\Cache\SR0f98f1d3d8a047bd9b68a75251ac8db46a0fca57 C:\Program Files\ByteFence\ByteFence.exe N/A
File created C:\Program Files\ByteFence\Cache\SR079180ea081869278b27acfbfe75250d69465996 C:\Program Files\ByteFence\ByteFence.exe N/A
File created C:\Program Files\ByteFence\Cache\SRb31d16d4fad2767262ed2edb0dde8cb310a837dd C:\Program Files\ByteFence\ByteFence.exe N/A
File created C:\Program Files\ByteFence\Cache\SR939e6ffb298749d8b3bc002a3476c3f899f3d30a C:\Program Files\ByteFence\ByteFence.exe N/A
File created C:\Program Files\ByteFence\x86\KernelTraceControl.dll C:\Program Files\ByteFence\bytefence-installer-5.4.1.3.exe N/A
File created C:\Program Files\ByteFence\Cache\SRbcf2b2d687a58650214a94001a2fe5c2c92c9d74 C:\Program Files\ByteFence\ByteFence.exe N/A
File created C:\Program Files\ByteFence\Cache\SR0e89c929d13d470d7ba8cd9443db8f40822ff393 C:\Program Files\ByteFence\ByteFence.exe N/A
File created C:\Program Files\ByteFence\Cache\SR1b8005cf8d5cbc655e9cfb6dae11d16f09f179f2 C:\Program Files\ByteFence\ByteFence.exe N/A
File created C:\Program Files\ByteFence\Cache\SR3eb8461ffc219f6cf85f9fe93bae94c9992bf29c C:\Program Files\ByteFence\ByteFence.exe N/A
File created C:\Program Files\ByteFence\Cache\SRa8757b0f5c73459ef182c89c6554fd69081b5590 C:\Program Files\ByteFence\ByteFence.exe N/A
File created C:\Program Files\ByteFence\Cache\SReeb87baecb169a3a8653e0ba38f2e756615ba6b1 C:\Program Files\ByteFence\ByteFence.exe N/A
File created C:\Program Files\ByteFence\Cache\SR3b3d4b8e4df75365c9924c203732159f5f138263 C:\Program Files\ByteFence\ByteFence.exe N/A
File created C:\Program Files\ByteFence\Cache\SRede8453f26e48de6539e35879142d216c446c754 C:\Program Files\ByteFence\ByteFence.exe N/A
File created C:\Program Files\ByteFence\Cache\SR133e9bb3c136093e28bd27cc1b8d6d1d2c441495 C:\Program Files\ByteFence\ByteFence.exe N/A
File created C:\Program Files\ByteFence\x86\System.Data.SQLite.dll C:\Program Files\ByteFence\bytefence-installer-5.4.1.3.exe N/A
File created C:\Program Files\ByteFence\Cache\SRc3c193e0baab96c5541942c73fa61861bf45ed0c C:\Program Files\ByteFence\ByteFence.exe N/A
File created C:\Program Files\ByteFence\Cache\SRca9ca4e0ad75d05a0cbb10069a3de784218ede21 C:\Program Files\ByteFence\ByteFence.exe N/A
File created C:\Program Files\ByteFence\Cache\SR167e549bf81e0c9d27f8481ce4904d8627549e1e C:\Program Files\ByteFence\ByteFence.exe N/A
File created C:\Program Files\ByteFence\Cache\SRd11ce21a6b9e2bec6e53baec95ad20404b4031a3 C:\Program Files\ByteFence\ByteFence.exe N/A
File created C:\Program Files\ByteFence\Cache\SR6c8ae73cbd4b2bdf3b0cfd12408aefb56a45894f C:\Program Files\ByteFence\ByteFence.exe N/A
File created C:\Program Files\ByteFence\Cache\SRf3235ac1dd7d78b6eecacc11de01c1c514c832cf C:\Program Files\ByteFence\ByteFence.exe N/A
File created C:\Program Files\ByteFence\Cache\SRd65dda3b5ed1bb3b23a8919f4609e9834cde8deb C:\Program Files\ByteFence\ByteFence.exe N/A
File created C:\Program Files\ByteFence\Cache\SR6f6275c3521ed70d78bc059efdc39917e923336c C:\Program Files\ByteFence\ByteFence.exe N/A
File created C:\Program Files\ByteFence\Cache\SR064bdfa92ba0036f9a135887dbff4a5a4f73bc70 C:\Program Files\ByteFence\ByteFence.exe N/A
File created C:\Program Files\ByteFence\Cache\SRafdbf106e79af8ec45a1f0533af86019e59f9614 C:\Program Files\ByteFence\ByteFence.exe N/A
File created C:\Program Files\ByteFence\Cache\SRad3aea8e31b398e8e740be5afeb007e27304ec72 C:\Program Files\ByteFence\ByteFence.exe N/A
File created C:\Program Files\ByteFence\Cache\SR90cabc7f791e719063d32090ed5080615c975f73 C:\Program Files\ByteFence\ByteFence.exe N/A
File created C:\Program Files\ByteFence\Cache\SR8aa451681ae53d126eebc712ed2c9bee04f6b0f0 C:\Program Files\ByteFence\ByteFence.exe N/A
File created C:\Program Files\ByteFence\Cache\SRf27d5c6d56c84ba9f4414dd223f7ad69c89540f8 C:\Program Files\ByteFence\ByteFence.exe N/A
File created C:\Program Files\ByteFence\x64\System.Data.SQLite.dll C:\Program Files\ByteFence\bytefence-installer-5.4.1.3.exe N/A
File created C:\Program Files\ByteFence\Cache\SR2ba179dad9f6ad4cbcccc0de3d984098e41a2289 C:\Program Files\ByteFence\ByteFence.exe N/A
File created C:\Program Files\ByteFence\Cache\SR2e03f11361ca76c5fb2c8c8f196e7455cf86efab C:\Program Files\ByteFence\ByteFence.exe N/A
File created C:\Program Files\ByteFence\Cache\SR90f870f43852b3fd62110692030bd20887777c0e C:\Program Files\ByteFence\ByteFence.exe N/A
File created C:\Program Files\ByteFence\Cache\SR2f23968ff651232cd8e74ba7ce308ecd4e91e405 C:\Program Files\ByteFence\ByteFence.exe N/A
File created C:\Program Files\ByteFence\Cache\SR88ae12ad459843942e74893a843f7b57203d80e6 C:\Program Files\ByteFence\ByteFence.exe N/A
File created C:\Program Files\ByteFence\Cache\SRaaba6f3f82a2630f4e43cfebb970d3542425786a C:\Program Files\ByteFence\ByteFence.exe N/A
File created C:\Program Files\ByteFence\Cache\SR41110d339b29c410d6ebf92cd72794173ef43c8c C:\Program Files\ByteFence\ByteFence.exe N/A
File created C:\Program Files\ByteFence\Cache\SRd56614e23a02d7939b165f44c8802b7da7196a40 C:\Program Files\ByteFence\ByteFence.exe N/A
File created C:\Program Files\ByteFence\Cache\SR8b8edfbc7b5f34bee340897a343f605d87318297 C:\Program Files\ByteFence\ByteFence.exe N/A
File created C:\Program Files\ByteFence\Cache\SRb9fe46827a9d327bbd54bba73b6bd0cb75cda520 C:\Program Files\ByteFence\ByteFence.exe N/A
File created C:\Program Files\ByteFence\Cache\SR4e359a0ffd8f97f1e935f5a0ba8fd4880e077d05 C:\Program Files\ByteFence\ByteFence.exe N/A
File created C:\Program Files\ByteFence\Cache\SRc620f8ab8c725ba70cf4d785035c795baaf307e1 C:\Program Files\ByteFence\ByteFence.exe N/A
File created C:\Program Files\ByteFence\Cache\SR4c92bf0e57ce6b8d790dc022ffceae834ce2374b C:\Program Files\ByteFence\ByteFence.exe N/A
File created C:\Program Files\ByteFence\Cache\SR0261c48f5b5f1caaeade4fe99acc982488375077 C:\Program Files\ByteFence\ByteFence.exe N/A
File created C:\Program Files\ByteFence\Cache\SR5db2daab29805715422c1879cc375aafdfa23c66 C:\Program Files\ByteFence\ByteFence.exe N/A
File created C:\Program Files\ByteFence\Cache\SRd9b3af28c0dd54260ec2995e1610568dbb23c48e C:\Program Files\ByteFence\ByteFence.exe N/A
File created C:\Program Files\ByteFence\Cache\SR0a6a4f28e743ec3eaf2320ff9c58168ed02ecc4a C:\Program Files\ByteFence\ByteFence.exe N/A
File created C:\Program Files\ByteFence\Cache\SR8bb47cf2af65fdd55ee41f36a09dad9a7538f56e C:\Program Files\ByteFence\ByteFence.exe N/A
File created C:\Program Files\ByteFence\Cache\SRf8098fe4b494ef5d635684cc61eb2fc64136a053 C:\Program Files\ByteFence\ByteFence.exe N/A
File created C:\Program Files\ByteFence\Cache\SR84cdd4ed7c9005e4fa862ba9cc0cb4d9cd8f2016 C:\Program Files\ByteFence\ByteFence.exe N/A
File created C:\Program Files\ByteFence\Cache\SR8981c79fa6f87cb34b3078c62754a7be2786ad55 C:\Program Files\ByteFence\ByteFence.exe N/A
File created C:\Program Files\ByteFence\Cache\SR268d921b176bf3e466a527718d21518dc017f322 C:\Program Files\ByteFence\ByteFence.exe N/A
File created C:\Program Files\ByteFence\Cache\SRca777eebdb4eef5617fd4ea976f6465b7f718914 C:\Program Files\ByteFence\ByteFence.exe N/A
File created C:\Program Files\ByteFence\Cache\SR10466d401f7ec85bd184b7f6355aff4733d68d4c C:\Program Files\ByteFence\ByteFence.exe N/A
File created C:\Program Files\ByteFence\Cache\SR066d532ecab5a4fc94f403953b44a6d8a8822612 C:\Program Files\ByteFence\ByteFence.exe N/A
File created C:\Program Files\ByteFence\Cache\SR08fc2a8850ddf94af5d83d03e6caf192d392ccea C:\Program Files\ByteFence\ByteFence.exe N/A
File created C:\Program Files\ByteFence\Cache\SRc8f918bac3d721bdf895f3423d72cffdf65f5a03 C:\Program Files\ByteFence\ByteFence.exe N/A
File created C:\Program Files\ByteFence\Cache\SR535053509b1cdd9aa17fd50ed298ff2182d4be84 C:\Program Files\ByteFence\ByteFence.exe N/A
File created C:\Program Files\ByteFence\Cache\SRee0ecaedf725849dac93d4f32a4fd7ee3a448c3c C:\Program Files\ByteFence\ByteFence.exe N/A
File created C:\Program Files\ByteFence\Cache\SR57631fda7ed916781b37480f3cd560a894c59499 C:\Program Files\ByteFence\ByteFence.exe N/A

Enumerates physical storage devices

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections \??\c:\program files\bytefence\ByteFenceService.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\ByteFence File Scan\command\ = "\"C:\\Program Files\\ByteFence\\ByteFenceScan.exe\" /scan:\"%1\"" C:\Program Files\ByteFence\ByteFence.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\ByteFence Folder Scan\Position = "Middle" C:\Program Files\ByteFence\ByteFence.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\ByteFence Folder Scan\command C:\Program Files\ByteFence\ByteFence.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\ByteFence File Scan C:\Program Files\ByteFence\ByteFence.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\ByteFence File Scan\Icon = "\"C:\\Program Files\\ByteFence\\ByteFence.exe\",0" C:\Program Files\ByteFence\ByteFence.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\ByteFence File Scan\command C:\Program Files\ByteFence\ByteFence.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\ByteFence Folder Scan C:\Program Files\ByteFence\ByteFence.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\ByteFence Folder Scan\ = "Scan with ByteFence Anti-Malware..." C:\Program Files\ByteFence\ByteFence.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\ByteFence Folder Scan\Icon = "\"C:\\Program Files\\ByteFence\\ByteFence.exe\",0" C:\Program Files\ByteFence\ByteFence.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\ByteFence Folder Scan\command\ = "\"C:\\Program Files\\ByteFence\\ByteFenceScan.exe\" /scan:\"%1\"" C:\Program Files\ByteFence\ByteFence.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\ByteFence File Scan\ = "Scan with ByteFence Anti-Malware..." C:\Program Files\ByteFence\ByteFence.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\ByteFence File Scan\Position = "Middle" C:\Program Files\ByteFence\ByteFence.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = (certificate blob omitted) C:\Program Files\ByteFence\ByteFence.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5 C:\Program Files\ByteFence\ByteFence.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = (certificate blob omitted) C:\Program Files\ByteFence\ByteFence.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 C:\Program Files\ByteFence\ByteFence.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Program Files\ByteFence\ByteFence.exe N/A
N/A N/A C:\Program Files\ByteFence\ByteFence.exe N/A
N/A N/A C:\Program Files\ByteFence\ByteFence.exe N/A
N/A N/A C:\Program Files\ByteFence\ByteFence.exe N/A
N/A N/A C:\Program Files\ByteFence\ByteFence.exe N/A
N/A N/A C:\Program Files\ByteFence\ByteFence.exe N/A
N/A N/A C:\Program Files\ByteFence\ByteFence.exe N/A
N/A N/A C:\Program Files\ByteFence\ByteFence.exe N/A
N/A N/A C:\Program Files\ByteFence\ByteFence.exe N/A
N/A N/A C:\Program Files\ByteFence\ByteFence.exe N/A
N/A N/A C:\Program Files\ByteFence\ByteFence.exe N/A
N/A N/A C:\Program Files\ByteFence\ByteFence.exe N/A
N/A N/A C:\Program Files\ByteFence\ByteFence.exe N/A
N/A N/A C:\Program Files\ByteFence\ByteFence.exe N/A
N/A N/A C:\Program Files\ByteFence\ByteFence.exe N/A
N/A N/A C:\Program Files\ByteFence\ByteFence.exe N/A
N/A N/A C:\Program Files\ByteFence\ByteFence.exe N/A
N/A N/A C:\Program Files\ByteFence\ByteFence.exe N/A
N/A N/A C:\Program Files\ByteFence\ByteFence.exe N/A
N/A N/A C:\Program Files\ByteFence\ByteFence.exe N/A
N/A N/A C:\Program Files\ByteFence\ByteFence.exe N/A
N/A N/A C:\Program Files\ByteFence\ByteFence.exe N/A
N/A N/A C:\Program Files\ByteFence\ByteFence.exe N/A
N/A N/A C:\Program Files\ByteFence\ByteFence.exe N/A
N/A N/A C:\Program Files\ByteFence\ByteFence.exe N/A
N/A N/A C:\Program Files\ByteFence\ByteFence.exe N/A
N/A N/A C:\Program Files\ByteFence\ByteFence.exe N/A
N/A N/A C:\Program Files\ByteFence\ByteFence.exe N/A
N/A N/A C:\Program Files\ByteFence\ByteFence.exe N/A
N/A N/A C:\Program Files\ByteFence\ByteFence.exe N/A
N/A N/A C:\Program Files\ByteFence\ByteFence.exe N/A
N/A N/A C:\Program Files\ByteFence\ByteFence.exe N/A
N/A N/A C:\Program Files\ByteFence\ByteFence.exe N/A
N/A N/A C:\Program Files\ByteFence\ByteFence.exe N/A
N/A N/A C:\Program Files\ByteFence\ByteFence.exe N/A
N/A N/A C:\Program Files\ByteFence\ByteFence.exe N/A
N/A N/A C:\Program Files\ByteFence\ByteFence.exe N/A
N/A N/A C:\Program Files\ByteFence\ByteFence.exe N/A
N/A N/A C:\Program Files\ByteFence\ByteFence.exe N/A
N/A N/A C:\Program Files\ByteFence\ByteFence.exe N/A
N/A N/A C:\Program Files\ByteFence\ByteFence.exe N/A
N/A N/A C:\Program Files\ByteFence\ByteFence.exe N/A
N/A N/A C:\Program Files\ByteFence\ByteFence.exe N/A
N/A N/A C:\Program Files\ByteFence\ByteFence.exe N/A
N/A N/A C:\Program Files\ByteFence\ByteFence.exe N/A
N/A N/A C:\Program Files\ByteFence\ByteFence.exe N/A
N/A N/A C:\Program Files\ByteFence\ByteFence.exe N/A
N/A N/A C:\Program Files\ByteFence\ByteFence.exe N/A
N/A N/A C:\Program Files\ByteFence\ByteFence.exe N/A
N/A N/A C:\Program Files\ByteFence\ByteFence.exe N/A
N/A N/A C:\Program Files\ByteFence\ByteFence.exe N/A
N/A N/A C:\Program Files\ByteFence\ByteFence.exe N/A
N/A N/A C:\Program Files\ByteFence\ByteFence.exe N/A
N/A N/A C:\Program Files\ByteFence\ByteFence.exe N/A
N/A N/A C:\Program Files\ByteFence\ByteFence.exe N/A
N/A N/A C:\Program Files\ByteFence\ByteFence.exe N/A
N/A N/A C:\Program Files\ByteFence\ByteFence.exe N/A
N/A N/A C:\Program Files\ByteFence\ByteFence.exe N/A
N/A N/A C:\Program Files\ByteFence\ByteFence.exe N/A
N/A N/A C:\Program Files\ByteFence\ByteFence.exe N/A
N/A N/A C:\Program Files\ByteFence\ByteFence.exe N/A
N/A N/A C:\Program Files\ByteFence\ByteFence.exe N/A
N/A N/A \??\c:\program files\bytefence\ByteFenceService.exe N/A
N/A N/A \??\c:\program files\bytefence\ByteFenceService.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\ByteFence\ByteFence.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\ByteFence\ByteFence.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\ByteFence\ByteFence.exe N/A
Token: SeBackupPrivilege N/A C:\Program Files\ByteFence\ByteFence.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files\ByteFence\ByteFence.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Program Files\ByteFence\ByteFence.exe N/A
Token: SeDebugPrivilege N/A \??\c:\program files\bytefence\ByteFenceService.exe N/A
Token: SeDebugPrivilege N/A \??\c:\program files\bytefence\ByteFenceService.exe N/A
Token: SeDebugPrivilege N/A \??\c:\program files\bytefence\ByteFenceService.exe N/A
Token: SeDebugPrivilege N/A \??\c:\program files\bytefence\ByteFenceService.exe N/A
Token: SeBackupPrivilege N/A \??\c:\program files\bytefence\ByteFenceService.exe N/A
Token: SeRestorePrivilege N/A \??\c:\program files\bytefence\ByteFenceService.exe N/A
Token: SeLoadDriverPrivilege N/A \??\c:\program files\bytefence\ByteFenceService.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\ByteFence\ByteFence.exe N/A
N/A N/A C:\Program Files\ByteFence\ByteFence.exe N/A
N/A N/A C:\Program Files\ByteFence\ByteFence.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files\ByteFence\ByteFence.exe N/A
N/A N/A C:\Program Files\ByteFence\ByteFence.exe N/A
N/A N/A C:\Program Files\ByteFence\ByteFence.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4084 wrote to memory of 4484 N/A C:\Users\Admin\AppData\Local\Temp\89c55b3ce90e0aa737ef7f77326ac316_JaffaCakes118.exe C:\Program Files\ByteFence\bytefence-installer-5.4.1.3.exe
PID 4084 wrote to memory of 4484 N/A C:\Users\Admin\AppData\Local\Temp\89c55b3ce90e0aa737ef7f77326ac316_JaffaCakes118.exe C:\Program Files\ByteFence\bytefence-installer-5.4.1.3.exe
PID 4084 wrote to memory of 4484 N/A C:\Users\Admin\AppData\Local\Temp\89c55b3ce90e0aa737ef7f77326ac316_JaffaCakes118.exe C:\Program Files\ByteFence\bytefence-installer-5.4.1.3.exe
PID 4484 wrote to memory of 3388 N/A C:\Program Files\ByteFence\bytefence-installer-5.4.1.3.exe C:\Windows\SysWOW64\taskkill.exe
PID 4484 wrote to memory of 3388 N/A C:\Program Files\ByteFence\bytefence-installer-5.4.1.3.exe C:\Windows\SysWOW64\taskkill.exe
PID 4484 wrote to memory of 3388 N/A C:\Program Files\ByteFence\bytefence-installer-5.4.1.3.exe C:\Windows\SysWOW64\taskkill.exe
PID 4484 wrote to memory of 4764 N/A C:\Program Files\ByteFence\bytefence-installer-5.4.1.3.exe C:\Windows\SysWOW64\taskkill.exe
PID 4484 wrote to memory of 4764 N/A C:\Program Files\ByteFence\bytefence-installer-5.4.1.3.exe C:\Windows\SysWOW64\taskkill.exe
PID 4484 wrote to memory of 4764 N/A C:\Program Files\ByteFence\bytefence-installer-5.4.1.3.exe C:\Windows\SysWOW64\taskkill.exe
PID 4484 wrote to memory of 364 N/A C:\Program Files\ByteFence\bytefence-installer-5.4.1.3.exe C:\Windows\SysWOW64\taskkill.exe
PID 4484 wrote to memory of 364 N/A C:\Program Files\ByteFence\bytefence-installer-5.4.1.3.exe C:\Windows\SysWOW64\taskkill.exe
PID 4484 wrote to memory of 364 N/A C:\Program Files\ByteFence\bytefence-installer-5.4.1.3.exe C:\Windows\SysWOW64\taskkill.exe
PID 4484 wrote to memory of 3316 N/A C:\Program Files\ByteFence\bytefence-installer-5.4.1.3.exe C:\Windows\SysWOW64\taskkill.exe
PID 4484 wrote to memory of 3316 N/A C:\Program Files\ByteFence\bytefence-installer-5.4.1.3.exe C:\Windows\SysWOW64\taskkill.exe
PID 4484 wrote to memory of 3316 N/A C:\Program Files\ByteFence\bytefence-installer-5.4.1.3.exe C:\Windows\SysWOW64\taskkill.exe
PID 4484 wrote to memory of 624 N/A C:\Program Files\ByteFence\bytefence-installer-5.4.1.3.exe C:\Windows\SysWOW64\taskkill.exe
PID 4484 wrote to memory of 624 N/A C:\Program Files\ByteFence\bytefence-installer-5.4.1.3.exe C:\Windows\SysWOW64\taskkill.exe
PID 4484 wrote to memory of 624 N/A C:\Program Files\ByteFence\bytefence-installer-5.4.1.3.exe C:\Windows\SysWOW64\taskkill.exe
PID 4484 wrote to memory of 3400 N/A C:\Program Files\ByteFence\bytefence-installer-5.4.1.3.exe C:\Program Files\ByteFence\ByteFence.exe
PID 4484 wrote to memory of 3400 N/A C:\Program Files\ByteFence\bytefence-installer-5.4.1.3.exe C:\Program Files\ByteFence\ByteFence.exe
PID 3400 wrote to memory of 2240 N/A C:\Program Files\ByteFence\ByteFence.exe \??\c:\program files\bytefence\ByteFenceService.exe
PID 3400 wrote to memory of 2240 N/A C:\Program Files\ByteFence\ByteFence.exe \??\c:\program files\bytefence\ByteFenceService.exe
PID 3400 wrote to memory of 2464 N/A C:\Program Files\ByteFence\ByteFence.exe C:\Windows\system32\netsh.exe
PID 3400 wrote to memory of 2464 N/A C:\Program Files\ByteFence\ByteFence.exe C:\Windows\system32\netsh.exe
PID 3400 wrote to memory of 3024 N/A C:\Program Files\ByteFence\ByteFence.exe C:\Windows\SysWOW64\netsh.exe
PID 3400 wrote to memory of 3024 N/A C:\Program Files\ByteFence\ByteFence.exe C:\Windows\SysWOW64\netsh.exe
PID 3400 wrote to memory of 3024 N/A C:\Program Files\ByteFence\ByteFence.exe C:\Windows\SysWOW64\netsh.exe
PID 3400 wrote to memory of 2944 N/A C:\Program Files\ByteFence\ByteFence.exe C:\Windows\System32\bitsadmin.exe
PID 3400 wrote to memory of 2944 N/A C:\Program Files\ByteFence\ByteFence.exe C:\Windows\System32\bitsadmin.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy WMI provider

ransomware

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\89c55b3ce90e0aa737ef7f77326ac316_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\89c55b3ce90e0aa737ef7f77326ac316_JaffaCakes118.exe"

C:\Program Files\ByteFence\bytefence-installer-5.4.1.3.exe

"C:\Program Files\ByteFence\bytefence-installer-5.4.1.3.exe" /S

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im ByteFence.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im ByteFenceService.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im ByteFenceScan.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im rsEngineHelper.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im rsLggr.exe

C:\Program Files\ByteFence\ByteFence.exe

"C:\Program Files\ByteFence\ByteFence.exe"

\??\c:\program files\bytefence\ByteFenceService.exe

"c:\program files\bytefence\ByteFenceService.exe" /i

\??\c:\program files\bytefence\ByteFenceService.exe

"c:\program files\bytefence\ByteFenceService.exe"

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\netsh.exe

"C:\Windows\system32\netsh.exe" winsock show catalog

C:\Windows\SysWOW64\netsh.exe

"C:\Windows\SysWOW64\netsh.exe" winsock show catalog

C:\Windows\System32\bitsadmin.exe

"C:\Windows\System32\bitsadmin.exe" /rawreturn /nowrap /list /allusers /verbose

Network

Country Destination Domain Proto
US 8.8.8.8:53 logs.bytefence.com udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
NL 23.62.61.155:443 www.bing.com tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 logs.bytefence.com udp
US 8.8.8.8:53 155.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 api.reason.technology udp
US 8.8.8.8:53 proxel.bytefence.com udp
US 8.8.8.8:53 logs.bytefence.com udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 api.reasonsecurity.com udp
US 172.67.9.68:443 api.reasonsecurity.com tcp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 cdn.bytefence.com udp
US 172.67.9.68:443 api.reasonsecurity.com tcp
US 8.8.8.8:53 68.9.67.172.in-addr.arpa udp
US 172.67.9.68:443 api.reasonsecurity.com tcp
US 172.67.9.68:443 api.reasonsecurity.com tcp
US 172.67.9.68:443 api.reasonsecurity.com tcp
US 8.8.8.8:53 logs.bytefence.com udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 ocsp.thawte.com udp
US 152.199.19.74:80 ocsp.thawte.com tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 crl.thawte.com udp
SE 192.229.221.95:80 crl.thawte.com tcp
US 8.8.8.8:53 74.19.199.152.in-addr.arpa udp
US 8.8.8.8:53 logs.bytefence.com udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 ocsp.trust-provider.com udp
US 172.64.149.23:80 ocsp.trust-provider.com tcp
US 8.8.8.8:53 23.149.64.172.in-addr.arpa udp
US 8.8.8.8:53 crl.trust-provider.com udp
US 104.18.38.233:80 crl.trust-provider.com tcp
US 8.8.8.8:53 www.intel.com udp
BE 104.68.78.119:80 www.intel.com tcp
US 8.8.8.8:53 certificates.intel.com udp
GB 104.91.71.134:80 certificates.intel.com tcp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 233.38.18.104.in-addr.arpa udp
US 8.8.8.8:53 119.78.68.104.in-addr.arpa udp
US 8.8.8.8:53 134.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 logs.bytefence.com udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 logs.bytefence.com udp

Files

C:\Program Files\ByteFence\bytefence-installer-5.4.1.3.exe

MD5 c4951a516fe1b3a8a579e73877a4b1a4
SHA1 400acb837edec53c746be0ccb2bb9d774fa150e9
SHA256 61dc83d20af7bfa9458a4ee7b08bc05fc33b09aa5f04bf655f9f607125d1934b
SHA512 a6933dab647728a2ccfaabdcb7561ab804efdf9ba6193d920712d04c842400b6c975bb0c0228a03f2a3b7dce3019397615267e2905cda73441abc6ef1978faeb

C:\Users\Admin\AppData\Local\Temp\nsu468F.tmp\nsisdl.dll

MD5 a95c7af96416b2cd084fed4c07c8c291
SHA1 0c62c2fd843ccb59784404ed36369784dc557671
SHA256 a1e09fb1739ef7557d18104b0d6a4c7725e1ec293f5404c80402f57ff9ebb9d0
SHA512 427ef14b116b574c5558cc6bb0ce03ab37f891f2d7ab0f130e3cddd0265e6bd269c598ce93230e56cd41bb9d2649bbbaa2fa2c654d8116c0c6f79a6f3419d1dc

C:\Users\Admin\AppData\Local\Temp\nsu468F.tmp\nsExec.dll

MD5 1f49d8af9be9e915d54b2441c4a79adf
SHA1 1ee4f809c693e31f34bc6d8153664a6dc2c3e499
SHA256 b22c8f676dec58be8d25fbad1a37835ffc4029f29aaf79f4dc0337ca73a38782
SHA512 c60827e322e3168a79795ffd4beb0b0039842128255100d6b005d261402d2ff570f3866f441f3d3c063097c71d44bc5ae80d177fa91ef4e46fc8c2d97de27aa4

C:\Program Files\ByteFence\ByteFence.exe

MD5 ae114355b714bc831f641ffc1fd5d96b
SHA1 52885c21ee681f3b0dbb7d13191fbbb141fdf906
SHA256 517516b4fe19c58397a703bed0884cd439a6ad7ddadfd3de2b9d40d035659448
SHA512 7db682dc63cae4ca91085f34788af53bc2cfd350af476749a4045ff2d751d810d5a8a140b28800ef284aed17cf87c5173f8bc107c73fe75555506fad66358dfe

C:\Program Files\ByteFence\ByteFence.exe.config

MD5 e3d5f62b7b28176a510484e465fa0f18
SHA1 d9d4f8875c6d96f57549abf06eb336650595ab5a
SHA256 827cda24df7876010d5239fe2b8af49472442d899f9c0f6d9ff53b4ff6860946
SHA512 8c27c69e010d263cb5599a2c38a58b3b9ad61983c512ab4f7d3b46b859393468ad09d6423013ae808c3d243a9b8cb479e499d128539a3959bede78ad145b85be

C:\Program Files\ByteFence\rsEngine.dll

MD5 38bfe41fef177604494f49ee8023b887
SHA1 fca37c9a1f3b9eaa68b489b091020cff0f672e6b
SHA256 65555310943571e3d7cdb37c8a5cfa6e332400397d4d1dcbe4033370a5db81f6
SHA512 f0b3dd5b27893ccfce43a033cd89ae190bf9d016711e85cea2d3ecf8478db365d47a7f8b86c08bb0941ebff3522f0b6b093c9e5c9527c2737da7ded2614401c2

memory/3400-73-0x000000001C7E0000-0x000000001CD06000-memory.dmp

memory/3400-74-0x000000001ECD0000-0x000000001F19E000-memory.dmp

memory/3400-75-0x000000001C710000-0x000000001C7AC000-memory.dmp

C:\Program Files\ByteFence\rsUtils.dll

MD5 7e8e3b06787101511fdbadd6ed070ee1
SHA1 71e4c41f92ed47daeeee0aab732ddc8e5acd21de
SHA256 b89c0d12a3caa4a663277ce1f0da91efa497515ebca0d18f60c5e65c9920868f
SHA512 254422dc751dbf5758434a980fefa5e47caa6c28bcaff4bf2e53cc467fc35cd8627787099d8960f2d64351d4706e2a53071dc1daed2b1ce8516e8cee9c5db3dc

memory/3400-77-0x000000001C5F0000-0x000000001C62A000-memory.dmp

memory/3400-81-0x0000000020E50000-0x0000000020F26000-memory.dmp

C:\Program Files\ByteFence\Microsoft.Win32.TaskScheduler.dll

MD5 1802e6df96046cfee62c63c4c8469a3e
SHA1 c5d6444fcd8f46e1832c99614f5e71adff582f6d
SHA256 cc6c472f666239ed270cc3754852f536b8981d6fd22e4ad1ee15a1aa788a3ba9
SHA512 339f5b917c4afbc25175bd173cebefdd8f4671e157ecfb8a9c21b78db9d34fd9757787c231575e8849509cac59162c6c67fb32af6febd6903ec285e21c0fd304

memory/3400-83-0x000000001F830000-0x000000001F882000-memory.dmp

C:\Program Files\ByteFence\ByteFenceGUI.dll

MD5 637e8fcc69c33392335ffeaaca446a1b
SHA1 91a56d770a3731310c412cd0c9cea9439594f593
SHA256 496378bea9a3d62401744cd3941eda5177dc54733cd45735acf0c373372b5c5e
SHA512 ffd8deba9afea17cf93219774e5d576b4bb39c4db710caa9634e5821cbb40e000f446017bf116bbdd475243dc397d4f038bff8f236e1ad9c002604249761fa08

memory/3400-84-0x00000000214F0000-0x0000000021552000-memory.dmp

memory/3400-85-0x000000001DDA0000-0x000000001DDC0000-memory.dmp

memory/3400-86-0x000000001DB50000-0x000000001DB58000-memory.dmp

memory/3400-87-0x000000001C170000-0x000000001C176000-memory.dmp

memory/3400-88-0x0000000021280000-0x00000000213F8000-memory.dmp

\??\c:\program files\bytefence\ByteFenceService.exe

MD5 ac384df8fbe8a76815fab3a2659f4bc4
SHA1 c3cf899ade1ec94e7d8a7a4dc64950de99096b4f
SHA256 0e262b5c4390c353bf98298631877913f6940e9c5042c0979060fca6c964fc17
SHA512 a27ba4f9d167ba81a053067de6e27d1a81646c640e5246f0036c8758f123209206f187fb8b3a073bf3f31717b80cafc3d78add7fc4e33204b87460e14fad4d90

memory/2240-95-0x000000001BBD0000-0x000000001BBE8000-memory.dmp

memory/2240-98-0x000000001C330000-0x000000001C354000-memory.dmp

C:\Program Files\ByteFence\ByteFenceService.InstallLog

MD5 b75675a3fa5eae4d7e2fc5d76897e783
SHA1 2784b755b8d201ada3226d1880733c0bca1b377e
SHA256 417c7f1cbe0ff4278c75ef62ae5f22dba53e79f7952334d3a35bc735b9ff8a43
SHA512 57c099075d1c8cf46fb3dc1072b155bcbac58763b4afca4377a9c870febb42c020af98ae442afc38811e43e8f41818ab10163410737b77c52adaeea4ee8f60db

C:\Program Files\ByteFence\ByteFenceService.InstallLog

MD5 0b2464c9e3d3e45297239acb697f0a2c
SHA1 b105043b8da6b88f6f7dc25ec00cf6ecdbd1b21e
SHA256 180e58c7b156a7fb934c2e974d90b96d24a2a2e08ef0ec3485512f7b681c766c
SHA512 9e7411f50ad97fc3eff8f54779f00420f74e1a13f9e5d52961b4fe31ddd1b6a6e603aa49a2ba0769d94af857957b59ae1ee9e725cca3419af8facca1249882ea

\??\c:\program files\bytefence\rsEngine.config

MD5 427ce4103a0794e3a06d9a2ad0a9d9de
SHA1 aed628de425a84acfe6cd300b27d90d18d802620
SHA256 1ad12e7ac644dd4975412378ce13b89a211c64ab6b19af537f86a4b218cd313c
SHA512 c60c310ea901159c3fbfd8ed7474e9528613363eb9ccb21a1667890316438d2f6ef284f14130732197d4428c56153d39da656681419b53e62d7813efdd03bf17

\??\c:\program files\bytefence\x64\rsLggrServer_x64.dll

MD5 27236a42b9810c5db8490693c158c838
SHA1 3cb8d0f4b818f120afe2447c9b01af674af3a9f2
SHA256 d67999fe774e5e0f1c18cd5a4da7d6518faa00b8e950e41737e225b615a1b4f5
SHA512 97e9c8921caeecbe144ba11be3675365b5bbd92bf45bbe91e9a37c472fe2153f1f250e8e5b8a37d927605a0897d997228d7351476bbc40f9647737c14022411f

C:\Program Files\ByteFence\x64\rsEngineFW_x64.dll

MD5 a82484553da1a7a4ce4f5eda236b7207
SHA1 3e56d504d2283653165d78a238c97469a28e5de2
SHA256 8a1eff4a86e223dbe808bde5d728367b03e7593b514f5cd9c49387e6ac4b57c5
SHA512 03d193de85c8022c746e9f99a0e989cc42445d67fe32a31093e66b4e5e9dd25a4103fbb2e93ffc54401d99d40c3ae519dff7db999d64bc7f3cf0af59d82f3681

C:\Program Files\ByteFence\Signatures.dat

MD5 f0f375247de1b9e526c4017f2fadeffb
SHA1 9517426f632818af694335abe475b9e7852ca4b1
SHA256 91a803a30b82888c437c9f5c1f6579b4ce070625b4e1664e14105156b360ab17
SHA512 e532f9fe55952e26fe315d16a2e676e233f3bae35629f4b977e17ac3ca96c6b280c39f1854d175a81811c5aa5042d86367b31f7844c99239a0f074e2458239b2

C:\Program Files\ByteFence\x64\rsEnginePM_x64.dll

MD5 15cf59afcaff08b12d37f2d7c9f6ed81
SHA1 1d0464d1f13ffe71ff12556c433d95f168a1cfb2
SHA256 a4d7f4259cf04e7299f5ab6fe2ceb95680e35427d613aff26dc27d954b8311c2
SHA512 e35196ae1367a7cae677f1c90dff7a186a03a95a9b7ede67e1c2d5c98db03d1b6e2ae868efae0c8ee12ee8b4067d0fa36139cb514d7d01982f756c0c6db47629

C:\Program Files\ByteFence\Signatures.dat

MD5 fb84325fd7362b5634c4de62b3a2c001
SHA1 ebb54ec78a071ce47a1c86f47903d56d77b34cf7
SHA256 23bdccb16e5900857c621b67c779b2a49179aca564eeaf1e74fd10c4eb1651ef
SHA512 d59933302521c9b3eead330a38577faf1df0378aa926690c6001186d495abe4fc470bf578bc9deabd82e26d7b1f8ed446957494122bd65047456c657dc9bade2

C:\Program Files\ByteFence\WhiteList.dat

MD5 899c70dd0bdda61514bff5c51a4a0a20
SHA1 0fff58ba69a11d1e01c6e2704e553abec1352ce9
SHA256 0f9ac436356203842c619d27b8b805e034cfa420e94495170d089629e52038a9
SHA512 b13691ad0d3768eb6a9e4ea30e9a2ceabdaa1d13730cdda81f18696412ebb4589ee859f422ccf9b01c3399b5dbbcb317e0d6aee91cad10a7985ea8e87148ed9f

C:\Windows\System32\catroot2\dberr.txt

MD5 773cb06bb43f9562c3b6e05e97788ab7
SHA1 b10dd5cd80fec68ca183c4d17e1ff423166388d1
SHA256 5ee6aac36da9ed2a07b02f1709bfdc6d585f7bbe1cbb2fa3a36879d3f26f6ff1
SHA512 9aa526a954ce047bee05c726994149e271ad36da1d805f7c445e34c69d015849730e00206d45e9e75406ed5d5eadf2e5e154efdfc10c07b4b51278d1b16fe94c

C:\Program Files\ByteFence\Cache\SRc6e63c7aae9c4e07e15c1717872c0c73f3d4fb09

MD5 4c14dc3a32baf44289afd12c946c14b7
SHA1 9fb38df47bc27d5e6e53bdec1d0b1b0a5c8a4d48
SHA256 20936855cfdb1d7e16996c3eb5d680e19586667bbb81a0cfa15fa33fa23b97b9
SHA512 3beefea56a73d3aa2c6386f7f3cac9dca2838d31417a39e59d07a683ba28f00be607cee8604e091e5c612c787e2971fc9ff24a9fe7c8fbb5ca6f014f24aec32f

C:\Program Files\ByteFence\Cache\SR29fb9af50458df43ef40bfc8f0f516d0c0a106fd

MD5 369195a15fd800aa89a2d13f8797468f
SHA1 39ea1b9a2f418683c6c536f8840d940d9f0d323e
SHA256 d23173f772aff0e04ed25efe0b8e3c00ddb7e5962935cd9314e25cea66830ae5
SHA512 f34a985fd88f596b901dee494c013ee47b07c856970f08a12f918f28f3fb8edb480bbee65815d38e39790f3b209c0701f9b2ef2ed3e5900194c3e01152ae6683

memory/3400-1279-0x0000000022360000-0x00000000223BE000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9EC3B71635F8BA3FC68DE181A104A0EF_10CFC0D4C45D2E76B7EA49C8C22BEDFE

MD5 5bfa51f3a417b98e7443eca90fc94703
SHA1 8c015d80b8a23f780bdd215dc842b0f5551f63bd
SHA256 bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128
SHA512 4cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399

\??\c:\program files\bytefence\Logs\err.dat

MD5 28ba9d52be22fdff15f2d632f7a2a3cf
SHA1 fce7ce7d5c0f708a334a9760e0f5ac8acb47e46b
SHA256 227742df1e6fba613863fb3466129ea1ce2d63a90fbc39b760a1064cfc6c9acf
SHA512 e45732848e3625edc1e457bfd1cd5f9c695391f0ae3acc6986ab967d8e5ce77417701163b59e91ff0ab3f38d3cf1cdc98ac96d7fec725a2b5ef2359a54c5a535

\??\c:\program files\bytefence\Errors.dat

MD5 8b13b7e35c735410574ffbe21979663b
SHA1 c6509bb2cf82bfe795bce18ff52fb8b35b2ff82a
SHA256 cd9a913bde58aeb69eb85c0ff6566ffd5d2fafc07b13c47769d590928723b4e8
SHA512 8c983595e6025ab49761622efa2ebaa93d44918e64eff0f14fb302bc3ed23a56ca728a3745215edb2ab2be3764d6a9efd1ca3f5273f6b467734254b42a790a76

memory/3400-2157-0x0000000026790000-0x0000000026A9E000-memory.dmp

C:\Program Files\ByteFence\x64\System.Data.SQLite.dll

MD5 e83262d8b431e2fe508bc4a113baff16
SHA1 45f849fa7471b6803c721d7c115a301e7d01ee3d
SHA256 96e8dad51e66b3ee02a5ff00a310fdbfa1d7946d1c92b40fd65acc55de10a738
SHA512 15e8e9f4acf2bc0456ae273d4e52243ebdc3dd6074fc20b2524b54b7aad436cd803c5618fa105464040c96acabf0b40cda15c98a2b78d28d3251cbbc3acf22ae

memory/3400-2162-0x0000000026AA0000-0x0000000026C38000-memory.dmp

memory/3400-2164-0x0000000022460000-0x00000000224A9000-memory.dmp

memory/3400-2165-0x00000000244B0000-0x00000000244EE000-memory.dmp

\??\c:\program files\bytefence\installutil.installlog

MD5 00e3f226484ab07ba503afe751c3571d
SHA1 47e83a6fdf812648a4dedfc61432fb88c93fe720
SHA256 6003bd3edb8914f499a86eb1cd4f5e87585d915d2bf2626ad6f55c8abc53f662
SHA512 0f7d65aad26320297f9ff91b11ff7d36c878bb3d318941067783c9e334bb4bbcfb6dc837598a04440f8409dd6b21d4ee5e83cdfa4cdfec0c4a3e0e472c9c8b68

\??\c:\program files\bytefence\bytefenceservice.installstate

MD5 4f130e22d88664a9fc01d4e1350ef1b5
SHA1 76504e0aeae03d51e2ce52a11d59f5ff18254d86
SHA256 b80d9b6e89383642c68bcb2285af4746101fa6470fccfccee210790fce79e9ab
SHA512 6777bc2866092dc417c37ebf3dfa64598c719e037316b69d816fb53e9c89a474a7b2f71cf937212574107a44c8efe035b838393fc9bef1d8c8ffec110dc9df30

C:\Program Files\ByteFence\Cache\SR010db07461e45b41c886192df6fd425ba8d42d82

MD5 0d882e5226a5f27aba5b72709917947a
SHA1 7a6e245b9ed12537fb86bf3d1d05b28c65af60f6
SHA256 b45be79e87295267cc1d876f0c5b5a4991aa99601e537bad2f9ada53c47ae62b
SHA512 2488d7b95fd51acc42cc6a6307d0bd857e0c2f558e2d5a2ac3d13c7e4a2de8199d3847ef5ba3dc58c93ee2b6531456e4020b74f4228a7977287109a85e90762b

C:\Program Files\ByteFence\Cache\SR03aaa61cfdd8c9830383dee534fc984ef0b815f7

MD5 661cc97ca1f78f8bbb1ef084906774a9
SHA1 abe8c6fb7a87404a19ecc5fffae08f8b6ad0fe4c
SHA256 48edb2d4f00763e6ea435846d52a7b5cfaa0326e34c646ec9dd9234d65a50e3d
SHA512 39c31cb299979b20c84caf0e3f9a1bf5c9ce553c42dc52d118fad016c187b44ea56eaa90d6dd3c68f72b7cc7968f3ad154b4c916274c44666280987b113421ff

C:\Program Files\ByteFence\Cache\SR1c241020754267181dd501949e0d43f35f0a4d10

MD5 485d0c8f502fc8071b6958e315b30026
SHA1 c7d1abdc75a72e485f8857fbc075c391ed2dbb40
SHA256 1bca3f08368c6b083c266a0e8d43caf2c95b42d2c09cf5e450cb80409951c216
SHA512 6d3124bf188f4186e44c659d6a304419e85b380956d68d67e9dc495ccddcc029402d28b9f9254f99dec982406d8b354a0ccc1244cd6bb54aba70291243c5f318

C:\Program Files\ByteFence\Cache\SR26cdb289cf36d0a0649d99b0ae001a3ac5c3c66b

MD5 ebe08eef6af7ae25fc624107e69a7eb2
SHA1 500375aa6ffd03f72b8132e0053e12d38053c52f
SHA256 d81a3b1b4f4f53a7fc4f055a5461f3d47f6d2aa7754b3c9a260e96c5a498f437
SHA512 502a593c8020e66b638d8fd9f2d2e8a76271885eecbad5f395d7c9461c75e720afd0ec008b6807383de7139d62227d8afafb89f88315c9eb1a4e7ff855d550d7

C:\Program Files\ByteFence\Cache\SR4172ec95a16a929de11c7027a878cdd25d86fb8c

MD5 81958e135ce60f3fd4b5ede2e44bfc75
SHA1 ceea98a62711678a20fe92d032e27e6c7443d08d
SHA256 c0185bf9b1c6465ca93ffc030aa98bff02c6aa8ff121587c3a4d78ce3500df5f
SHA512 5ea78fe6e0c680fc3e7f38d8e49c440d15b7ebe13e3bc0d9bf3ea088b60126386c490d964cda7fded52a67c9d6739300be15ddeeaaf4e2c95d268df987e7dee5

C:\Program Files\ByteFence\Cache\SR6859b01d4b86fca42f316afd98d171fd554bbdb5

MD5 50a1427ccbf38909f0bab54942dddc55
SHA1 98c674619b6e91a26c23971e8cb5a3a0baf0780f
SHA256 1340765286ed2cf8c13c540e108c8d1c182e0c416418564a14cd24af10c94303
SHA512 5097c88b315b019f188b6f4cf9af51f64298163a6dac01b4ff566af89b41dd2af965d606e508c7742e1fabf6ed7407b9333b4cb387f0b3708258b7f0c422cdad

C:\Program Files\ByteFence\Cache\SR751d72d8c6fbcb759e93cbfb9048025aaddc243c

MD5 b94d537662c70fd54fe93bb1474d74ba
SHA1 7d28e787b678d61b4b1a94dcda13ba55561d61b9
SHA256 6ddc5f9bacd33f42bb0de18dd18ebe5337179612f3383ebc479060430f06b3b4
SHA512 e42009f3d9c46667515da14ec40418c6399e15c43511925bcc4598098fa13d870b989fa5023d13c4dc9d3de30b5e748c6eb763be856c3ca319e4ccba172932b1

C:\Program Files\ByteFence\Cache\SRe115cbe52e4581d30b7fc44e6ebf860156e88722

MD5 bfad40f3d76802af7350010e0587ecd0
SHA1 c0ea8c94adf0e002261823e7bcacff93ee934634
SHA256 ee764d92844f2a1e6c736dda6e8c36e64fabc7e33ebefa2b0fe013cac5b83bd3
SHA512 8bc4581397adfca20805916806b98b9165879fb9f4baa36c478808d936b90608493d92a5e3fa2f04429463cd2be3143ac9b0886e3747bbab473b773b0ed77b0b

C:\Program Files\ByteFence\Cache\SRc9e5761e95871b119b53fc3e1e9d7279ba4a1151

MD5 77382804a0d42311ee49de21b1622ce7
SHA1 790ae462d2146eee63071339d47e7844533a76c3
SHA256 0728cef889a0410d28aae48c370d0a5d381758de36003ec5f82b8f446bd1f564
SHA512 479552ea8502bf3775e6ff5b4f017cebef7b9c588ba26cef2d48693e79cda73ebea279532eedff4d11a00ec78e16b056c5a474b62ac83bf03fa2b97258dc7023

C:\Program Files\ByteFence\Cache\SR66b6158b28cc2b970e454b6a8cf1824dd99e4029

MD5 4d9868731c4c8e27603621711929bda7
SHA1 dec5372b7c28b6a16425352de6e82bc6a75555a4
SHA256 c292f6ab16f8c6a8da509c08454b11a43f0cd81825714201699157999607f7d4
SHA512 f535cc4c006b79c918ae86e37bfddc325f2a153fcee55bc5ff5f01a815f42f5b81e58a7ee52da1c8c26bf835035abe0b7226ad68c16c516d7e57a46b04adb8ff

C:\Program Files\ByteFence\Cache\SRf3f9c84d62768898765c3b7140bf952346c9bf9d

MD5 4f10a47190779507658a7cf34b2cf7f9
SHA1 a65db875c1c9bdae7cac36c84ed256cf81f8cea3
SHA256 cd02a15f3eeaaae61c69bec6f69991d96b921c20be09b16924b3ac63272f5f50
SHA512 996abac9b32726e68f643454b804feb912bc79a06e6f1bab632f555e7956f672e88ae22aea2ac29cc3fd055e5da42763e763f208b2a4d5250d677d9da69df18c

C:\Program Files\ByteFence\Cache\SR0292a5c4a4d0babb464e87166838be377a59b1ab

MD5 a57a3181db3414f9af77742a31a5828f
SHA1 69751962f87c892b2f8d62fab64d63e43bc20f3f
SHA256 c60ab51ef52fd819a571ea354369a4e7299a2fd2264695bc6848a1f9fb45b5e3
SHA512 7fc10cf6f8e2eedc123fdb6bb720b1a38a0948ac89a2e8c44138ca7c2ada934cb9919f056d562b6cc6106f283b8c83e2725e19f9f0f0b59384030fc6e418cd39

C:\Program Files\ByteFence\Cache\SR2f8b58ac5e555761dc2ef2e515f054b64d514688

MD5 fc3a6ef31a11885d4d5d0e2902da5d23
SHA1 aacbf983ab9598ac3e0d1810ee7b762a8012509f
SHA256 bde39eaf3a7f3e4cbe669c121fcfaf423e1699b4e5a2d2d7208d93a8345bd6e8
SHA512 6234219a744b5d4fe4e686721071efe6e6377c384e8f225d3b1a9e43ceba2ca5e78b6f57676ecc22486c6e2e95c033979f5170f4c042e7957d20f1949ea86ba8

C:\Program Files\ByteFence\Cache\SR98a85358eccb159bd83464024ed950911d9f2fb8

MD5 e8880063fcc5cf1da407cb5c3eb2f503
SHA1 8c5b7a29fb3343e773d15740851f33f4cfb35724
SHA256 2da50fd6dd4b0fa2ce81ef9b337006c3f0a053183b4c62c8635070a754bb41e5
SHA512 187e9b0f84eeb2344f084cf47adf7a2cad0216105dd40ae3421fc5a6f606c91cab3b8aa4845fdc7599aaf40b16928ccd291253f13de494225b4f1d4211305de1

Analysis: behavioral13

Detonation Overview

Submitted

2024-06-01 07:37

Reported

2024-06-01 07:40

Platform

win7-20240508-en

Max time kernel

144s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ByteFence.exe"

Signatures

Enumerates VirtualBox registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VBoxGuest C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\FADT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A

Looks for VMWare Tools registry key

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\VMware, Inc.\VMware Tools C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A

Reads user/profile data of web browsers

spyware stealer

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\f: C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\CatRoot2\dberr.txt C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A

Checks system information in the registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
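The registry reads in the evasion tables above (the VBoxGuest service key, the ACPI FADT\VBOX__ key, the VMware Tools key, and the SystemBiosVersion and SystemProductName strings) are the standard registry-based hypervisor checks; "ControlSet001" in the report is simply the sandbox's resolved CurrentControlSet. The following Python is an added example, not code from this report or from the ByteFence product: it reproduces the same probe set against a pluggable registry reader so that the logic runs offline against a constructed fake registry and, on Windows, against winreg. The marker strings and the fake registry contents ("VBOX   - 1", "VirtualBox", the Dell strings) are assumed sample values, not taken from this report.

```python
"""Registry-based hypervisor probes of the kind recorded in the report above.

Each probe is expressed against an abstract registry so the same logic runs
against a constructed fake registry offline and against winreg on Windows.
"""
from typing import Callable, List, Optional, Sequence, Tuple, Union

RegValue = Union[str, Sequence[str], None]
KeyExists = Callable[[str], bool]
ReadValue = Callable[[str, str], RegValue]

# (label, key, value name or None for a pure key-existence check, marker substrings)
# Key paths mirror the signatures in this report; ControlSet001 there is the
# sandbox's resolved CurrentControlSet. Marker strings are assumed typical values.
PROBES: List[Tuple[str, str, Optional[str], Tuple[str, ...]]] = [
    ("VirtualBox guest driver service",
     r"HKLM\SYSTEM\CurrentControlSet\Services\VBoxGuest", None, ()),
    ("VirtualBox ACPI table OEM ID",
     r"HKLM\HARDWARE\ACPI\FADT\VBOX__", None, ()),
    ("VMware Tools installed",
     r"HKLM\SOFTWARE\VMware, Inc.\VMware Tools", None, ()),
    ("SMBIOS vendor string",
     r"HKLM\HARDWARE\DESCRIPTION\System", "SystemBiosVersion",
     ("VBOX", "VMWARE", "VIRTUAL", "QEMU", "BOCHS")),
    ("SMBIOS product name",
     r"HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation", "SystemProductName",
     ("VIRTUALBOX", "VMWARE", "VIRTUAL MACHINE", "KVM", "QEMU")),
]

def hypervisor_evidence(key_exists: KeyExists, read_value: ReadValue) -> List[str]:
    """Return one entry per probe that found hypervisor evidence."""
    hits: List[str] = []
    for label, key, value_name, markers in PROBES:
        if value_name is None:
            if key_exists(key):
                hits.append(label)
            continue
        raw = read_value(key, value_name)
        if raw is None:
            continue
        # SystemBiosVersion is REG_MULTI_SZ (a list of strings); flatten and upper-case
        parts = list(raw) if isinstance(raw, (list, tuple)) else [str(raw)]
        text = " ".join(parts).upper()
        if any(marker in text for marker in markers):
            hits.append(f"{label}: {text.strip()}")
    return hits

class FakeRegistry:
    """Constructed stand-in for HKLM, matched case-insensitively like the real thing."""
    def __init__(self, keys, values):
        self.keys = {k.upper() for k in keys}
        self.values = {(k.upper(), n.upper()): d for (k, n), d in values.items()}
    def key_exists(self, key: str) -> bool:
        return key.upper() in self.keys
    def read_value(self, key: str, name: str) -> RegValue:
        return self.values.get((key.upper(), name.upper()))

# Constructed sample registries (assumed typical values, not taken from this report)
VBOX_GUEST = FakeRegistry(
    keys=[r"HKLM\SYSTEM\CurrentControlSet\Services\VBoxGuest",
          r"HKLM\HARDWARE\ACPI\FADT\VBOX__"],
    values={(r"HKLM\HARDWARE\DESCRIPTION\System", "SystemBiosVersion"): ["VBOX   - 1"],
            (r"HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation",
             "SystemProductName"): "VirtualBox"},
)
BARE_METAL = FakeRegistry(
    keys=[],
    values={(r"HKLM\HARDWARE\DESCRIPTION\System", "SystemBiosVersion"): ["DELL   - 1072009", "1.14.0"],
            (r"HKLM\SYSTEM\CurrentControlSet\Control\SystemInformation",
             "SystemProductName"): "Latitude 7490"},
)

def winreg_backend() -> Tuple[KeyExists, ReadValue]:
    """Windows only: the same probes against the live registry."""
    import winreg
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE}
    def split(path: str):
        hive, _, sub = path.partition("\\")
        return hives[hive], sub
    def key_exists(path: str) -> bool:
        hive, sub = split(path)
        try:
            winreg.CloseKey(winreg.OpenKey(hive, sub))
            return True
        except OSError:
            return False
    def read_value(path: str, name: str) -> RegValue:
        hive, sub = split(path)
        try:
            with winreg.OpenKey(hive, sub) as k:
                return winreg.QueryValueEx(k, name)[0]
        except OSError:
            return None
    return key_exists, read_value

if __name__ == "__main__":
    print(hypervisor_evidence(VBOX_GUEST.key_exists, VBOX_GUEST.read_value))
```

On a Windows analysis box, `hypervisor_evidence(*winreg_backend())` runs the identical checks, which is a quick way to see which of these artifacts a given sandbox image still exposes; hardened images typically rename or remove the VBoxGuest service entry and patch the SMBIOS strings rather than uninstall guest additions outright.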

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\ByteFence File Scan\Position = "Middle" C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\ByteFence Folder Scan\Icon = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\ByteFence.exe\",0" C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\ByteFence Folder Scan\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\ByteFenceScan.exe\" /scan:\"%1\"" C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\ByteFence File Scan\Icon = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\ByteFence.exe\",0" C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\ByteFence File Scan\ = "Scan with ByteFence Anti-Malware..." C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\ByteFence File Scan\command C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\ByteFence File Scan\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\ByteFenceScan.exe\" /scan:\"%1\"" C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\ByteFence Folder Scan C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\ByteFence Folder Scan\ = "Scan with ByteFence Anti-Malware..." C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\ByteFence Folder Scan\Position = "Middle" C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\ByteFence Folder Scan\command C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\ByteFence File Scan C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
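The "Modifies registry class" rows above register two Explorer context-menu verbs under HKLM\SOFTWARE\Classes (one on `*` for files, one on `Directory`) whose command is `"C:\Users\Admin\AppData\Local\Temp\ByteFenceScan.exe" /scan:"%1"`, i.e. the installer's staging directory rather than C:\Program Files\ByteFence. A machine-wide verb that resolves into one user's Temp folder is the kind of registration a triage pass should surface: the target disappears with Temp cleanup and, for other accounts, points into a profile they may not even be able to read. The following Python is an added example, not part of this report or of the product: it parses `Set value (str)` rows in the format used on this page and flags `shell\<verb>\command` default values whose executable sits under a user profile or Temp path. The sample rows are copied from the table above.

```python
"""Triage helper for the 'Modifies registry class' rows in this report."""
import re
from typing import List, NamedTuple, Optional

class RegWrite(NamedTuple):
    key: str       # e.g. HKLM\SOFTWARE\Classes\Directory\shell\<verb>\command
    name: str      # value name; "" means the key's default value
    data: str      # string data with the report's escaping removed
    process: str   # process that performed the write

# Row shape used by this report:
#   Set value (str) <key>\<name> = "<escaped data>" <process> <target>
# where a quote inside data is written as \" and a backslash as \\
ROW_RE = re.compile(
    r'^Set value \(str\) (?P<path>\\REGISTRY\\.+?) = "(?P<data>(?:[^"\\]|\\.)*)" '
    r'(?P<proc>\S+) (?P<target>\S+)$'
)
SHELL_COMMAND_RE = re.compile(
    r'^HKLM\\SOFTWARE\\Classes\\(?P<cls>[^\\]+)\\shell\\(?P<verb>[^\\]+)\\command$', re.I)
USER_WRITABLE_RE = re.compile(r'\\Users\\[^\\]+\\|\\Temp\\', re.I)

def unescape(s: str) -> str:
    return re.sub(r'\\(.)', r'\1', s)

def parse_row(line: str) -> Optional[RegWrite]:
    m = ROW_RE.match(line.strip())
    if not m:
        return None
    key, _, name = m.group("path").rpartition("\\")   # trailing "\" => default value
    key = key.replace("\\REGISTRY\\MACHINE", "HKLM", 1).replace("\\REGISTRY\\USER", "HKU", 1)
    return RegWrite(key, name, unescape(m.group("data")), m.group("proc"))

def command_executable(command: str) -> str:
    """First token of a shell verb command line, honouring a quoted path."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    return command.split(" ", 1)[0]

def audit_shell_verbs(lines) -> List[dict]:
    """Machine-wide (HKLM) context-menu verbs and where their command actually points."""
    findings = []
    for line in lines:
        w = parse_row(line)
        if w is None or w.name != "":
            continue       # only the default value of ...\command holds the command line
        m = SHELL_COMMAND_RE.match(w.key)
        if not m:
            continue
        exe = command_executable(w.data)
        findings.append({
            "class": m.group("cls"),
            "verb": m.group("verb"),
            "exe": exe,
            "user_writable_target": bool(USER_WRITABLE_RE.search(exe)),
            "written_by": w.process,
        })
    return findings

# Rows copied from the signature table in this report
SAMPLE_ROWS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\ByteFence File Scan\Position = "Middle" C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\ByteFence Folder Scan\Icon = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\ByteFence.exe\",0" C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\ByteFence Folder Scan\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\ByteFenceScan.exe\" /scan:\"%1\"" C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\ByteFence File Scan\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\ByteFenceScan.exe\" /scan:\"%1\"" C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A',
]

if __name__ == "__main__":
    for finding in audit_shell_verbs(SAMPLE_ROWS):
        print(finding)
```

The same parser can be pointed at the other `Set value (str)` rows in this report (for example the Run-key or service entries in other detonations) by swapping `SHELL_COMMAND_RE` for the key pattern of interest; the escaping and the `<process> <target>` trailer are the same across the page.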

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 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 C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 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 C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 0f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c909000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000002500000030233021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c01400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af3331330b000000010000001200000056006500720069005300690067006e0000001d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3610300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e52000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b
0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5 C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 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 C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 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 C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d0101050500038201010
0a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 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 C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
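The Blob values written under AuthRoot\Certificates above use CryptoAPI's serialized certificate-context layout: back-to-back records of (property ID, reserved 1, length, value), where the record with ID 0x20 (CERT_CERT_PROP_ID) holds the DER certificate (visible in the dump as `2000000001000000d7040000308204d3...`, a 0x4d7-byte SEQUENCE) and the key name is that certificate's SHA-1. The three key names here are the thumbprints of public root CAs (0563B863... DigiCert Assured ID Root CA, A8985D3A... DigiCert Global Root CA, 4EB6D578... VeriSign Class 3 Public Primary Certification Authority - G5), and those subject names are readable in the hex. Together with the crl.microsoft.com and ocsp.thawte.com lookups in the Network table below, this is consistent with Windows' AuthRoot auto-update populating the store during chain building, so the "evasion spyware trojan" tagging of this signature deserves verification rather than acceptance. The following Python is an added example, not from this report or the product: it parses a Blob, checks that the embedded certificate's SHA-1 equals both the key name and the cached hash record, and is exercised against a constructed blob with a placeholder DER body. The property IDs are the wincrypt.h constants.

```python
"""Parse and verify a Windows certificate-store registry Blob.

Every entry under HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\<store>\\Certificates\\<SHA1>
holds one REG_BINARY value, "Blob", made of back-to-back property records:

    DWORD prop_id    CERT_*_PROP_ID from wincrypt.h (little-endian)
    DWORD reserved   1 in blobs written by CryptoAPI
    DWORD length     byte length of the value that follows
    BYTE  value[length]
"""
import hashlib
import struct
from typing import Dict, Optional

CERT_SHA1_HASH_PROP_ID = 3        # cached SHA-1 of the DER certificate (20 bytes)
CERT_FRIENDLY_NAME_PROP_ID = 11   # UTF-16LE, NUL-terminated display name
CERT_CERT_PROP_ID = 32            # the DER-encoded X.509 certificate itself

def parse_cert_blob(blob: bytes) -> Dict[int, bytes]:
    """Split a Blob value into {prop_id: value}. Raises ValueError on a truncated record."""
    props: Dict[int, bytes] = {}
    off = 0
    while off < len(blob):
        if len(blob) - off < 12:
            raise ValueError(f"truncated record header at offset {off}")
        prop_id, reserved, length = struct.unpack_from("<III", blob, off)
        off += 12
        if reserved != 1:
            raise ValueError(f"unexpected reserved field {reserved} at offset {off - 8}")
        if off + length > len(blob):
            raise ValueError(f"record {prop_id} claims {length} bytes past end of blob")
        props[prop_id] = blob[off:off + length]
        off += length
    return props

def thumbprint_matches(blob: bytes, key_name: str) -> bool:
    """True only if the DER cert in the blob hashes to the registry key name and
    agrees with the cached SHA-1 record. A mismatch means the entry was not
    produced by CryptoAPI from that certificate (hand-written or tampered)."""
    props = parse_cert_blob(blob)
    der = props.get(CERT_CERT_PROP_ID)
    if der is None:
        return False
    actual = hashlib.sha1(der).hexdigest().upper()
    cached = props.get(CERT_SHA1_HASH_PROP_ID)
    if cached is not None and cached.hex().upper() != actual:
        return False
    return actual == key_name.upper()

def friendly_name(blob: bytes) -> Optional[str]:
    raw = parse_cert_blob(blob).get(CERT_FRIENDLY_NAME_PROP_ID)
    if raw is None:
        return None
    return raw.decode("utf-16-le").rstrip("\x00")

# --- constructed sample ----------------------------------------------------
# Not a real certificate: a minimal DER SEQUENCE stands in for the cert body so
# the blob can be built and checked offline. Real blobs such as the ones in the
# report carry a ~1.2 KB X.509 certificate in the CERT_CERT_PROP_ID record.
FAKE_DER = bytes.fromhex("3003020105")

def build_record(prop_id: int, value: bytes) -> bytes:
    return struct.pack("<III", prop_id, 1, len(value)) + value

def build_sample_blob(der: bytes = FAKE_DER) -> bytes:
    return (
        build_record(CERT_FRIENDLY_NAME_PROP_ID, "Example Root\x00".encode("utf-16-le"))
        + build_record(CERT_SHA1_HASH_PROP_ID, hashlib.sha1(der).digest())
        + build_record(CERT_CERT_PROP_ID, der)
    )

# What CryptoAPI would have used as the registry key name for the sample cert
SAMPLE_KEY_NAME = hashlib.sha1(FAKE_DER).hexdigest().upper()

if __name__ == "__main__":
    blob = build_sample_blob()
    print(friendly_name(blob), SAMPLE_KEY_NAME, thumbprint_matches(blob, SAMPLE_KEY_NAME))
```

On a live system the Blob comes from `winreg.QueryValueEx(key, "Blob")` or a `reg export` of the Certificates key; the analysis step that matters is comparing each key name that passes `thumbprint_matches` against a list of roots you already trust (the Microsoft Trusted Root Program list, or the CTL the box downloaded), since a structurally valid entry for an unknown root is the actual malicious case.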

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
N/A N/A \??\c:\users\admin\appdata\local\temp\ByteFenceService.exe N/A
N/A N/A \??\c:\users\admin\appdata\local\temp\ByteFenceService.exe N/A
N/A N/A \??\c:\users\admin\appdata\local\temp\ByteFenceService.exe N/A
N/A N/A \??\c:\users\admin\appdata\local\temp\ByteFenceService.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
Token: SeDebugPrivilege N/A \??\c:\users\admin\appdata\local\temp\ByteFenceService.exe N/A
Token: SeDebugPrivilege N/A \??\c:\users\admin\appdata\local\temp\ByteFenceService.exe N/A
Token: SeDebugPrivilege N/A \??\c:\users\admin\appdata\local\temp\ByteFenceService.exe N/A
Token: SeDebugPrivilege N/A \??\c:\users\admin\appdata\local\temp\ByteFenceService.exe N/A
Token: SeBackupPrivilege N/A \??\c:\users\admin\appdata\local\temp\ByteFenceService.exe N/A
Token: SeRestorePrivilege N/A \??\c:\users\admin\appdata\local\temp\ByteFenceService.exe N/A
Token: SeLoadDriverPrivilege N/A \??\c:\users\admin\appdata\local\temp\ByteFenceService.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1956 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\ByteFence.exe \??\c:\users\admin\appdata\local\temp\ByteFenceService.exe
PID 1956 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\ByteFence.exe \??\c:\users\admin\appdata\local\temp\ByteFenceService.exe
PID 1956 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\ByteFence.exe \??\c:\users\admin\appdata\local\temp\ByteFenceService.exe
PID 1956 wrote to memory of 664 N/A C:\Users\Admin\AppData\Local\Temp\ByteFence.exe C:\Windows\system32\netsh.exe
PID 1956 wrote to memory of 664 N/A C:\Users\Admin\AppData\Local\Temp\ByteFence.exe C:\Windows\system32\netsh.exe
PID 1956 wrote to memory of 664 N/A C:\Users\Admin\AppData\Local\Temp\ByteFence.exe C:\Windows\system32\netsh.exe
PID 1956 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\ByteFence.exe C:\Windows\SysWOW64\netsh.exe
PID 1956 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\ByteFence.exe C:\Windows\SysWOW64\netsh.exe
PID 1956 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\ByteFence.exe C:\Windows\SysWOW64\netsh.exe
PID 1956 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\ByteFence.exe C:\Windows\SysWOW64\netsh.exe
PID 1956 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Temp\ByteFence.exe C:\Windows\System32\bitsadmin.exe
PID 1956 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Temp\ByteFence.exe C:\Windows\System32\bitsadmin.exe
PID 1956 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Temp\ByteFence.exe C:\Windows\System32\bitsadmin.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy WMI provider

ransomware

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\ByteFence.exe

"C:\Users\Admin\AppData\Local\Temp\ByteFence.exe"

\??\c:\users\admin\appdata\local\temp\ByteFenceService.exe

"c:\users\admin\appdata\local\temp\ByteFenceService.exe" /i

\??\c:\users\admin\appdata\local\temp\ByteFenceService.exe

"c:\users\admin\appdata\local\temp\ByteFenceService.exe"

C:\Windows\system32\netsh.exe

"C:\Windows\system32\netsh.exe" winsock show catalog

C:\Windows\SysWOW64\netsh.exe

"C:\Windows\SysWOW64\netsh.exe" winsock show catalog

C:\Windows\System32\bitsadmin.exe

"C:\Windows\System32\bitsadmin.exe" /rawreturn /nowrap /list /allusers /verbose

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.reason.technology udp
US 8.8.8.8:53 api.reason.technology udp
US 8.8.8.8:53 proxel.bytefence.com udp
US 8.8.8.8:53 api.reasonsecurity.com udp
US 172.67.9.68:443 api.reasonsecurity.com tcp
US 8.8.8.8:53 cdn.bytefence.com udp
US 172.67.9.68:443 api.reasonsecurity.com tcp
US 8.8.8.8:53 logs.bytefence.com udp
US 172.67.9.68:443 api.reasonsecurity.com tcp
US 172.67.9.68:443 api.reasonsecurity.com tcp
US 172.67.9.68:443 api.reasonsecurity.com tcp
US 8.8.8.8:53 crl.microsoft.com udp
BE 2.17.107.9:80 crl.microsoft.com tcp
US 8.8.8.8:53 ocsp.thawte.com udp
US 152.199.19.74:80 ocsp.thawte.com tcp
US 8.8.8.8:53 crl.thawte.com udp
SE 192.229.221.95:80 crl.thawte.com tcp
US 8.8.8.8:53 csc3-2004-crl.verisign.com udp
US 8.8.8.8:53 www.microsoft.com udp
BE 2.21.17.194:80 www.microsoft.com tcp

Files

memory/1956-0-0x000007FEF58CE000-0x000007FEF58CF000-memory.dmp

memory/1956-1-0x000007FEF5610000-0x000007FEF5FAD000-memory.dmp

memory/1956-2-0x000000001B540000-0x000000001BA66000-memory.dmp

memory/1956-3-0x000007FEF5610000-0x000007FEF5FAD000-memory.dmp

memory/1956-4-0x000007FEF5610000-0x000007FEF5FAD000-memory.dmp

memory/1956-5-0x000007FEF5610000-0x000007FEF5FAD000-memory.dmp

memory/1956-6-0x000000001B160000-0x000000001B19A000-memory.dmp

memory/1956-7-0x000007FEF5610000-0x000007FEF5FAD000-memory.dmp

memory/1956-10-0x000000001BA70000-0x000000001BAC2000-memory.dmp

memory/1956-11-0x000000001C7F0000-0x000000001C8C6000-memory.dmp

memory/1956-12-0x000007FEF5610000-0x000007FEF5FAD000-memory.dmp

memory/1956-13-0x0000000000AA0000-0x0000000000AA6000-memory.dmp

memory/1956-14-0x0000000020430000-0x00000000205A8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ByteFenceService.InstallLog

MD5 52d87ff3819227abcf76102dc6cb005b
SHA1 d97fa5e8d58e11e2c8475d8c947a65e289ed27a9
SHA256 eaeb8578f5838d4b335e0af96af0ad69c6b09acb1f633c5e4e3c0f6fb2653838
SHA512 601f0ff34d1fc89beb10255c8796c497ea87dac1c39e355df961d6e1ca52085937042ecea83f5086962febcd89f745c086494a59571f65af1ec212c2e9f5ae40

C:\Users\Admin\AppData\Local\Temp\ByteFenceService.InstallLog

MD5 69b661f1c5111bab508264cdc91e33ef
SHA1 d2b443a7aa799e0bd48124e6583ed92b591ffc3d
SHA256 2d60399359ec8f2906cac7f836a0f10162c961b89eae1e849073acbbb6d3d84d
SHA512 cf132dc26464264d2c6ec093efc7aa0b64afdbb9ad0e2f1ce0faf8f54447f0588627677de33a67e30a12110aea3d1103be7e4d00fc8dc30cf85b314a73b63c07

\??\c:\users\admin\appdata\local\temp\rsEngine.config

MD5 56471e1d552cf365892a221059747376
SHA1 89cb5955b2ea777edd6366c5139029946310bafd
SHA256 d71574e62332c8ba76faf56f14de7357b6b2eba1d6c2e41dd140170a7b729d50
SHA512 a5be82b7a7940a60e5febf5458237fcfa4b1a06188604529089b711b802c0fee7bad700a368830737e78d0c32431cc8baa13cb65f1c320cf14943be7d8e46972

C:\Users\Admin\AppData\Local\Temp\Signatures.dat

MD5 fb84325fd7362b5634c4de62b3a2c001
SHA1 ebb54ec78a071ce47a1c86f47903d56d77b34cf7
SHA256 23bdccb16e5900857c621b67c779b2a49179aca564eeaf1e74fd10c4eb1651ef
SHA512 d59933302521c9b3eead330a38577faf1df0378aa926690c6001186d495abe4fc470bf578bc9deabd82e26d7b1f8ed446957494122bd65047456c657dc9bade2

memory/1956-60-0x000007FEF5610000-0x000007FEF5FAD000-memory.dmp

memory/1956-59-0x000007FEF58CE000-0x000007FEF58CF000-memory.dmp

C:\Windows\System32\catroot2\dberr.txt

MD5 184d76db9ec82923fcf8fd1c0ad7ea30
SHA1 70fadc92eab22c565eee49ca6f7ca0b178468e64
SHA256 26ae27bcfe1604e5cf4810b1d74199994192387dde8a2cc259650c9457f51b61
SHA512 722ed98ee072374f8dff798969cc221fd4b049357bbedfdb3b0ef1ccfdaf469232ef604a56d559bd98a4c5951fb7c632dbbbc083a86ea2fe9c0d375bc1efda4e

memory/1956-147-0x000007FEF5610000-0x000007FEF5FAD000-memory.dmp

memory/1956-148-0x000007FEF5610000-0x000007FEF5FAD000-memory.dmp

C:\Windows\System32\catroot2\dberr.txt

MD5 afdcebb1365df2e3346b8b294ebd2b17
SHA1 b08e8a482c91f62ca8e0928954a8a4f8c9f2d07d
SHA256 a353b5e26aafff0f95d144a8299a7fdb0161e0b2ad6cae989da1ca5c59df3807
SHA512 273a20ec9abd6b9f79871705f7a955eb90be60155a78f561eeff3cac6aad8ab9ee144b55727a07024a0053cd8290af453a07e677d74dd1e3d898853701be2597

memory/1956-381-0x000007FEF5610000-0x000007FEF5FAD000-memory.dmp

memory/1956-516-0x000007FEF5610000-0x000007FEF5FAD000-memory.dmp

memory/1956-657-0x000007FEF5610000-0x000007FEF5FAD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab7ACD.tmp

MD5 29f65ba8e88c063813cc50a4ea544e93
SHA1 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512 e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar8012.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7b5f1b8b8e3ae01a9782e940784085a5
SHA1 513dfc5664c3c0e4d8474d130e2f35a6d1d25c85
SHA256 fd0059d237d8959671382a4eed4cfd4438a0479d052330bd4eed1cb3ea4cfe29
SHA512 789d2d11efc8a31dd7d1695f6567fa8955a8ff253ace88d658f2429bbcad2336a4f8675245d8fcdc7480b4c6e651ab9b3e80ce65a85120058d77e9f77e9ef73c

memory/1956-1019-0x000007FEF6480000-0x000007FEF6512000-memory.dmp

memory/1956-1020-0x000000001CE30000-0x000000001CEB9000-memory.dmp

memory/1956-1023-0x000000001B420000-0x000000001B42F000-memory.dmp

memory/1956-1022-0x000000001BD40000-0x000000001BD5E000-memory.dmp

memory/1956-1021-0x000000001CE30000-0x000000001CE8E000-memory.dmp

memory/1956-1024-0x000000001BD40000-0x000000001BD54000-memory.dmp

memory/1956-1026-0x000000001BDE0000-0x000000001BE1A000-memory.dmp

memory/1956-1025-0x000000001B420000-0x000000001B42F000-memory.dmp

memory/1956-1031-0x000000001B420000-0x000000001B428000-memory.dmp

memory/1956-1030-0x000000001BD40000-0x000000001BD5A000-memory.dmp

memory/1956-1029-0x000000001BDE0000-0x000000001BE03000-memory.dmp

memory/1956-1028-0x000000001B420000-0x000000001B429000-memory.dmp

memory/1956-1027-0x000000001F570000-0x000000001F639000-memory.dmp

memory/1956-1032-0x000000001BD40000-0x000000001BD52000-memory.dmp

memory/1956-1034-0x000000001B420000-0x000000001B42C000-memory.dmp

memory/1956-1035-0x000000001BD40000-0x000000001BD55000-memory.dmp

memory/1956-1033-0x000000001BF20000-0x000000001BF65000-memory.dmp

memory/1956-1036-0x000000001BDE0000-0x000000001BE06000-memory.dmp

memory/1956-1046-0x000000001BD40000-0x000000001BD54000-memory.dmp

memory/1956-1045-0x000000001B420000-0x000000001B42E000-memory.dmp

memory/1956-1044-0x000000001B420000-0x000000001B42F000-memory.dmp

memory/1956-1043-0x000000001BD40000-0x000000001BD5E000-memory.dmp

memory/1956-1042-0x000000001CE30000-0x000000001CE8E000-memory.dmp

memory/1956-1041-0x000000001B420000-0x000000001B429000-memory.dmp

memory/1956-1040-0x000000001B420000-0x000000001B429000-memory.dmp

memory/1956-1048-0x000000001BDE0000-0x000000001BE1A000-memory.dmp

memory/1956-1047-0x000000001B420000-0x000000001B42F000-memory.dmp

memory/1956-1039-0x000000001B420000-0x000000001B429000-memory.dmp

memory/1956-1038-0x000000001B420000-0x000000001B430000-memory.dmp

memory/1956-1037-0x000000001CE30000-0x000000001CEB9000-memory.dmp

memory/1956-1054-0x000000001BDE0000-0x000000001BE04000-memory.dmp

memory/1956-1053-0x000000001BD40000-0x000000001BD55000-memory.dmp

memory/1956-1052-0x000000001BDE0000-0x000000001BE03000-memory.dmp

memory/1956-1051-0x000000001B420000-0x000000001B429000-memory.dmp

memory/1956-1050-0x000000001BD40000-0x000000001BD5A000-memory.dmp

memory/1956-1049-0x000000001F570000-0x000000001F639000-memory.dmp

memory/1956-1057-0x000000001CE30000-0x000000001CE8C000-memory.dmp

memory/1956-1056-0x000000001BD40000-0x000000001BD52000-memory.dmp

memory/1956-1055-0x000000001B420000-0x000000001B428000-memory.dmp

memory/1956-1059-0x000000001B420000-0x000000001B42B000-memory.dmp

memory/1956-1058-0x000000001B420000-0x000000001B42D000-memory.dmp

memory/1956-1065-0x000000001B420000-0x000000001B42C000-memory.dmp

memory/1956-1064-0x000000001BF20000-0x000000001BF65000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\2F23D0F5E4D72862517E1CB26A329742_59C6B5742244136A08A70F9396A5A57A

MD5 5bfa51f3a417b98e7443eca90fc94703
SHA1 8c015d80b8a23f780bdd215dc842b0f5551f63bd
SHA256 bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128
SHA512 4cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399

memory/1956-1109-0x000000001BD40000-0x000000001BD55000-memory.dmp

memory/1956-1148-0x000000001BD10000-0x000000001BD4E000-memory.dmp

memory/1956-1147-0x000000001BD10000-0x000000001BD4E000-memory.dmp

memory/1956-1146-0x000000001BDE0000-0x000000001BE06000-memory.dmp

memory/1956-1156-0x000000001AC90000-0x000000001AC9A000-memory.dmp

memory/1956-1155-0x000000001AC90000-0x000000001AC9A000-memory.dmp

memory/1956-1154-0x000000001CE30000-0x000000001CE87000-memory.dmp

memory/1956-1152-0x000000001B420000-0x000000001B429000-memory.dmp

memory/1956-1151-0x000000001B420000-0x000000001B430000-memory.dmp

memory/1956-1161-0x000000001CE30000-0x000000001CEAB000-memory.dmp

memory/1956-1159-0x000000001B420000-0x000000001B42E000-memory.dmp

memory/1956-1164-0x000000001CE30000-0x000000001CE86000-memory.dmp

memory/1956-1163-0x000000001CE30000-0x000000001CE86000-memory.dmp

memory/1956-1162-0x000000001B420000-0x000000001B42F000-memory.dmp

memory/1956-1167-0x000000001BDE0000-0x000000001BE04000-memory.dmp

memory/1956-1168-0x000000001CE30000-0x000000001CE8C000-memory.dmp

memory/1956-1170-0x000000001BD10000-0x000000001BD3F000-memory.dmp

memory/1956-1171-0x000000001CE30000-0x000000001CEB9000-memory.dmp

memory/1956-1169-0x000000001BD10000-0x000000001BD3F000-memory.dmp

memory/1956-1176-0x000000001BAD0000-0x000000001BAE2000-memory.dmp

memory/1956-1175-0x000000001BAD0000-0x000000001BAE2000-memory.dmp

memory/1956-1177-0x000000001AC90000-0x000000001AC97000-memory.dmp

memory/1956-1185-0x000000001AC90000-0x000000001AC9A000-memory.dmp

memory/1956-1184-0x000000001BAD0000-0x000000001BAE7000-memory.dmp

memory/1956-1183-0x000000001BAD0000-0x000000001BAE7000-memory.dmp

memory/1956-1182-0x000000001CE30000-0x000000001CE87000-memory.dmp

memory/1956-1181-0x000000001BD10000-0x000000001BD4E000-memory.dmp

memory/1956-1180-0x000000001BD10000-0x000000001BD4E000-memory.dmp

memory/1956-1189-0x000000001CE30000-0x000000001CEAB000-memory.dmp

memory/1956-1188-0x000000001AC90000-0x000000001AC9A000-memory.dmp

memory/1956-1191-0x000000001BAD0000-0x000000001BAE5000-memory.dmp

memory/1956-1190-0x000000001BAD0000-0x000000001BAE5000-memory.dmp

memory/1956-1194-0x000000001BAD0000-0x000000001BAEE000-memory.dmp

\??\c:\users\admin\appdata\local\temp\bytefenceservice.installstate

MD5 4f130e22d88664a9fc01d4e1350ef1b5
SHA1 76504e0aeae03d51e2ce52a11d59f5ff18254d86
SHA256 b80d9b6e89383642c68bcb2285af4746101fa6470fccfccee210790fce79e9ab
SHA512 6777bc2866092dc417c37ebf3dfa64598c719e037316b69d816fb53e9c89a474a7b2f71cf937212574107a44c8efe035b838393fc9bef1d8c8ffec110dc9df30

\??\c:\users\admin\appdata\local\temp\installutil.installlog

MD5 4bb9c11a69ca4bd01f4c1fcd74fc3133
SHA1 7902de60e6f8d0f9d5da9116fe3882c3191b65c8
SHA256 dd5d3c883641e6e6f1a522b723772040e0160e968988463845dc6383ca8d38c7
SHA512 fe86117c0af64f490f9334158ed7734b5b766d6481686fa32ed8c749aaaf059a486437e3284b18d1ce0b4b6968e7c347f8e8e2bb0e9b9bd7589db2fdf1b8617a

C:\Users\Admin\AppData\Local\Temp\Cache\SR9f5a4796b58d8b104a1c0f5a63daf0032b947966

MD5 cbd13481cccb7d9b8154890c570f2b1b
SHA1 38a44766951b4cb2311db41295b3cd03eac5ad14
SHA256 cf3d9ee3321ddd0d09a911f4166fc8f7bc93790f077926d304cfb83cfc24f5f2
SHA512 3f69778eb75c666e166eb5eb41d055ff3398293b74f41913c06480e52705bc0f6059baf37d542c62077e0ac9eb68570114fb44a22abe86e369510e68bb2c2673

C:\Users\Admin\AppData\Local\Temp\Cache\SR9e7aeae1e6c2ec2003d35b7f1338027b7e39a5b7

MD5 ad65676257079c7719fc5a87c9e871aa
SHA1 b4b862ea7c717cfd01a45d736765abefcf07eafd
SHA256 ea2ebb9dd2e906d84b4c3439d3d99c23a7bce1372c6e343a9b443a8e95d8a1b3
SHA512 dfeb9004a99ffd65dae2c1c808404b93ad69c87983ceb9ed2aae53e84dfdd85102b2e38e26e00967ed6ad410cd85110475c3141c8c6890c1f68ff1734957fd80

C:\Users\Admin\AppData\Local\Temp\Cache\SRba9eea5fd300dc931c974fa9ef871c290ab0962f

MD5 1e03d20d5689c4c3c59529cae652a2d6
SHA1 309e7a36eab4c8dcb81daa2eece86f4c92126d4f
SHA256 f2063fc8cbc12c2ef7538ded36cdd31eae76c8b0c4f9f9ab2b1c0b87144ddf8b
SHA512 39178f432cdcb3ef7d38ab4706cd97e9eef37c53c28fd79e486d8f468e185d9f6fa49088f239b347b5402b1d1aa8335660f527cbc77bb1c086555d529d0b962a

C:\Users\Admin\AppData\Local\Temp\Cache\SR7636c6cfcda9a3c3ee8d5299ae532cf713299313

MD5 bd50651ab8bf62dfd1f3c90eef5839cc
SHA1 0bae210a2bf218caa16b17efc6268da66f219eae
SHA256 80329e0fd18297082a3380089d6cbcf04b4da7d8a6b39a8d1b16f1c471898795
SHA512 fb0fe2c34b2aeee7a466be63677a9d5a9264b9fd1ef02641745228431483071cd0cbbb91ea745e789ff0fca037d7790f85454136539c007fd3b7f8dcc5c91df7

\??\c:\users\admin\appdata\local\temp\Logs\err.dat

MD5 ba758cfbf254ac7a427a745ac5fe2563
SHA1 559653d153ea7c7edb60f17eeb851722dc2dbdf9
SHA256 80c29fd80672f504f66ebef40ac5a21f0f191e05c8c1c35775465069e989efbb
SHA512 ff07b71ad89b593e785bbfad1fd73f0a3841b46a7e4ec00a8b798be081d4ff8150d41afd7413ca8dcec3f7894e99ff0827890acca9cd7a972f2ba09749f71b0d

\??\c:\users\admin\appdata\local\temp\Errors.dat

MD5 8fd2fd44c0369334ee06218b2c4c0c26
SHA1 4471dfee9667d8083bcd747a0fa8ab719199379b
SHA256 34605fd5d265c44a0ea9a2b913026937a2cd9cca371e804f397525a9231eb114
SHA512 73d60c89ef8830dfd82818d5ea74dc8e8b455ff981a0356f1638027dd1ef7bff7eab3c9fc7978a6798f9c4e811d2ac5da5dd52c067ff734359161ebbaa10cefe

C:\Users\Admin\AppData\Local\Temp\Cache\SR835e982347db919a681ba12f3891f62152e50f0d

MD5 df1004d3af3b5815c9651654aed90ec6
SHA1 03494c9b874c9a772e4bf8dcc5e2f839ff7e7e16
SHA256 b9fa02b5e1cd1386fb118e11f56c4d05dfa7655df7381683133d9c112698de31
SHA512 8f49d9f9d29591fa1afcc65e791953238d0d838e44dbbf59866215f61e311a70f86be47c9455930de28293c83d2c49d2311caff7d0ff853d5dac1a18ba57c292

C:\Users\Admin\AppData\Local\Temp\Cache\SR7eb0139d2175739b3ccb0d1110067820be6abd29

MD5 1f324c52814df3ad112617757195ad9b
SHA1 cc01d5a92978f09bd255dded21fe76feb5a06250
SHA256 0b814722a1c71e5eaa1e7d3ea2239f47840e3619073dfc1cd330aa429ea2ec25
SHA512 ee6c14e7601bcb0eddf17f59aade7a1ecd14ffcf87878fda652c336f8694f33781a28923bb0a99e13def0c5f01602579f2a31ed90854b4b35985568804f4dc08

C:\Users\Admin\AppData\Local\Temp\Cache\SR768ec16982ac19d4ada5b740bcae740a46c294e1

MD5 5250f508594160b6d90fcf45f879cb0e
SHA1 b8408395b7b7fbbd14ef10ceb3daf60965ee1c03
SHA256 796802ad1e6b4e625ece632d6c3d5d100bc17291221ba9f6c170ab3cf4ce841e
SHA512 1edb0cb9f61b665f475611f384226d29d08943c95ad922fd6191d3bdba777f224084bbc0d0bfb48dd3b9c584b486791a477b2a4d0b723558f9f9e24c372b6594

C:\Users\Admin\AppData\Local\Temp\Cache\SR1b82498270f06a06e6ae63a3d3204a630f21f23a

MD5 e9fdf2f43a0acf6d2113b1bfff07cb4e
SHA1 eabc036ce7588fee6712ae10cfbe10493b0386f3
SHA256 1f5d06d51fbdf7698c4fad7e24270b0a2043f1724e26cf83f4cd7b44a0dcf418
SHA512 a58b0a77ad11e6b0e33f4f6cff6df12d839f5b8cf09b9c94f8cea797b8f4644d6dfc893b31d835fee79ce0f2a72b5ee2a668f73fc4bb47792060dad62631f298

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 73ab424c2cbbad194a535a83d1cf5c48
SHA1 7eae8f717f81cac0ee890cf0b6d15e6ce36eff46
SHA256 1cbc3ba88a5c4e5643dd6db11801f03f47338b9e0b9bb990ddf714d58eb2a1e5
SHA512 4681747ed755973d25e6d7cef8dcb74ca6579efe94bd6d499ffc23e09a88d0cc00d8944f5dc188d2ef8d0381024c7cc06e2259af6143fe80f6a7b52639ca078b

C:\Users\Admin\AppData\Local\Temp\Cache\SRb31133cdf6d2817a618dd8ddcc400a26ff3e3a57

MD5 abe10134f9f99b7670f8ef67220be7e3
SHA1 36be12e252cb7d87a1392dc6bd9cea0dc344d0c1
SHA256 3dbedac050d62a3099a289ba7978900f8eac8811bf820a05c5a8b9b67ad03664
SHA512 ab0f53be46a99b55cb0b3686f73c86d420d3f2c50527fe5ae7aa5cec82bb1bccb9a8b41e62eb9bb26aabca7e22bf9ad5dfa3c3d286ee1a01fed0cdb3f1c35645

Analysis: behavioral26

Detonation Overview

Submitted

2024-06-01 07:37

Reported

2024-06-01 07:40

Platform

win7-20231129-en

Max time kernel

117s

Max time network

119s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\amd64\msdia140.dll

Signatures

Registers COM server for autorun

persistence

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{91904831-49CA-4766-B95C-25397E2DD6DC}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{91904831-49CA-4766-B95C-25397E2DD6DC}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\amd64\\msdia140.dll" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{91904831-49CA-4766-B95C-25397E2DD6DC}\InprocServer32\ThreadingModel = "Both" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E6756135-1E65-4D17-8576-610761398C3C}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E6756135-1E65-4D17-8576-610761398C3C}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\amd64\\msdia140.dll" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E6756135-1E65-4D17-8576-610761398C3C}\InprocServer32\ThreadingModel = "Both" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CE4A85DB-5768-475B-A4E1-C0BCA2112A6B}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CE4A85DB-5768-475B-A4E1-C0BCA2112A6B}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\amd64\\msdia140.dll" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CE4A85DB-5768-475B-A4E1-C0BCA2112A6B}\InprocServer32\ThreadingModel = "Both" C:\Windows\system32\regsvr32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{91904831-49CA-4766-B95C-25397E2DD6DC}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{91904831-49CA-4766-B95C-25397E2DD6DC}\InprocServer32\ThreadingModel = "Both" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CE4A85DB-5768-475B-A4E1-C0BCA2112A6B}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{106173A0-0173-4E5C-84E7-E915422BE997}\2.0\FLAGS\ = "0" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CE4A85DB-5768-475B-A4E1-C0BCA2112A6B}\InprocServer32\ThreadingModel = "Both" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\CLSID C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E6756135-1E65-4D17-8576-610761398C3C}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\amd64\\msdia140.dll" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CE4A85DB-5768-475B-A4E1-C0BCA2112A6B} C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CE4A85DB-5768-475B-A4E1-C0BCA2112A6B}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\amd64\\msdia140.dll" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{106173A0-0173-4E5C-84E7-E915422BE997} C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{106173A0-0173-4E5C-84E7-E915422BE997}\2.0\ = "dia 2.0 Type Library" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{106173A0-0173-4E5C-84E7-E915422BE997}\2.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\amd64" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E6756135-1E65-4D17-8576-610761398C3C} C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E6756135-1E65-4D17-8576-610761398C3C}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CE4A85DB-5768-475B-A4E1-C0BCA2112A6B}\ = "Generic StackWalker" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{106173A0-0173-4E5C-84E7-E915422BE997}\2.0 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{91904831-49CA-4766-B95C-25397E2DD6DC} C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{106173A0-0173-4E5C-84E7-E915422BE997}\2.0\FLAGS C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{106173A0-0173-4E5C-84E7-E915422BE997}\2.0\0 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E6756135-1E65-4D17-8576-610761398C3C}\ = "Debug Information Accessor" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E6756135-1E65-4D17-8576-610761398C3C}\InprocServer32\ThreadingModel = "Both" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{91904831-49CA-4766-B95C-25397E2DD6DC}\ = "Debug Information Accessor w/o Global Memory Usage" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{91904831-49CA-4766-B95C-25397E2DD6DC}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\amd64\\msdia140.dll" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{106173A0-0173-4E5C-84E7-E915422BE997}\2.0\0\win64 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{106173A0-0173-4E5C-84E7-E915422BE997}\2.0\0\win64\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\amd64\\msdia140.dll" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{106173A0-0173-4E5C-84E7-E915422BE997}\2.0\HELPDIR C:\Windows\system32\regsvr32.exe N/A

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\amd64\msdia140.dll

Network

N/A

Files

N/A

Analysis: behavioral30

Detonation Overview

Submitted

2024-06-01 07:37

Reported

2024-06-01 07:40

Platform

win7-20240508-en

Max time kernel

118s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\rsEngine.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\rsEngine.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-06-01 07:37

Reported

2024-06-01 07:40

Platform

win7-20240221-en

Max time kernel

119s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 280 -s 220

Network

N/A

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-06-01 07:37

Reported

2024-06-01 07:40

Platform

win7-20231129-en

Max time kernel

119s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsExec.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsExec.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsExec.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1108 -s 220

Network

N/A

Files

N/A

Analysis: behavioral25

Detonation Overview

Submitted

2024-06-01 07:37

Reported

2024-06-01 07:40

Platform

win10v2004-20240508-en

Max time kernel

131s

Max time network

138s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\amd64\KernelTraceControl.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\amd64\KernelTraceControl.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 99.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 52.111.227.11:443 tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral27

Detonation Overview

Submitted

2024-06-01 07:37

Reported

2024-06-01 07:40

Platform

win10v2004-20240508-en

Max time kernel

129s

Max time network

127s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\amd64\msdia140.dll

Signatures

Registers COM server for autorun

persistence

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{91904831-49CA-4766-B95C-25397E2DD6DC}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{91904831-49CA-4766-B95C-25397E2DD6DC}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\amd64\\msdia140.dll" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CE4A85DB-5768-475B-A4E1-C0BCA2112A6B}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\amd64\\msdia140.dll" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E6756135-1E65-4D17-8576-610761398C3C}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\amd64\\msdia140.dll" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E6756135-1E65-4D17-8576-610761398C3C}\InprocServer32\ThreadingModel = "Both" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CE4A85DB-5768-475B-A4E1-C0BCA2112A6B}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CE4A85DB-5768-475B-A4E1-C0BCA2112A6B}\InprocServer32\ThreadingModel = "Both" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E6756135-1E65-4D17-8576-610761398C3C}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{91904831-49CA-4766-B95C-25397E2DD6DC}\InprocServer32\ThreadingModel = "Both" C:\Windows\system32\regsvr32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{106173A0-0173-4E5C-84E7-E915422BE997} C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{106173A0-0173-4E5C-84E7-E915422BE997}\2.0 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{106173A0-0173-4E5C-84E7-E915422BE997}\2.0\FLAGS\ = "0" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{106173A0-0173-4E5C-84E7-E915422BE997}\2.0\0\win64\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\amd64\\msdia140.dll" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E6756135-1E65-4D17-8576-610761398C3C} C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E6756135-1E65-4D17-8576-610761398C3C}\ = "Debug Information Accessor" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E6756135-1E65-4D17-8576-610761398C3C}\InprocServer32\ThreadingModel = "Both" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{106173A0-0173-4E5C-84E7-E915422BE997}\2.0\FLAGS C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{91904831-49CA-4766-B95C-25397E2DD6DC} C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CE4A85DB-5768-475B-A4E1-C0BCA2112A6B}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\amd64\\msdia140.dll" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{91904831-49CA-4766-B95C-25397E2DD6DC}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\amd64\\msdia140.dll" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{91904831-49CA-4766-B95C-25397E2DD6DC}\ = "Debug Information Accessor w/o Global Memory Usage" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{91904831-49CA-4766-B95C-25397E2DD6DC}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{106173A0-0173-4E5C-84E7-E915422BE997}\2.0\0\win64 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CE4A85DB-5768-475B-A4E1-C0BCA2112A6B}\ = "Generic StackWalker" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{106173A0-0173-4E5C-84E7-E915422BE997}\2.0\ = "dia 2.0 Type Library" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\CLSID C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E6756135-1E65-4D17-8576-610761398C3C}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\amd64\\msdia140.dll" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CE4A85DB-5768-475B-A4E1-C0BCA2112A6B}\InprocServer32\ThreadingModel = "Both" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{106173A0-0173-4E5C-84E7-E915422BE997}\2.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\amd64" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CE4A85DB-5768-475B-A4E1-C0BCA2112A6B} C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CE4A85DB-5768-475B-A4E1-C0BCA2112A6B}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{106173A0-0173-4E5C-84E7-E915422BE997}\2.0\0 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{106173A0-0173-4E5C-84E7-E915422BE997}\2.0\HELPDIR C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E6756135-1E65-4D17-8576-610761398C3C}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{91904831-49CA-4766-B95C-25397E2DD6DC}\InprocServer32\ThreadingModel = "Both" C:\Windows\system32\regsvr32.exe N/A

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\amd64\msdia140.dll

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 99.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
NL 23.62.61.155:443 www.bing.com tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 155.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 140.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral32

Detonation Overview

Submitted

2024-06-01 07:37

Reported

2024-06-01 07:40

Platform

win7-20240221-en

Max time kernel

122s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\rsEngineHelper.exe"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\rsEngineHelper.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\rsEngineHelper.exe

"C:\Users\Admin\AppData\Local\Temp\rsEngineHelper.exe"

Network

N/A

Files

memory/1876-0-0x000007FEF5ADE000-0x000007FEF5ADF000-memory.dmp

memory/1876-2-0x000007FEF5820000-0x000007FEF61BD000-memory.dmp

memory/1876-1-0x000007FEF5820000-0x000007FEF61BD000-memory.dmp

memory/1876-3-0x000007FEF5820000-0x000007FEF61BD000-memory.dmp

memory/1876-4-0x000000001B070000-0x000000001B596000-memory.dmp

memory/1876-5-0x000007FEF5820000-0x000007FEF61BD000-memory.dmp

memory/1876-6-0x000007FEF5820000-0x000007FEF61BD000-memory.dmp

memory/1876-7-0x000007FEF5820000-0x000007FEF61BD000-memory.dmp

Analysis: behavioral6

Detonation Overview

Submitted

2024-06-01 07:37

Reported

2024-06-01 07:40

Platform

win10v2004-20240508-en

Max time kernel

148s

Max time network

157s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 912 wrote to memory of 2744 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 912 wrote to memory of 2744 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 912 wrote to memory of 2744 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2744 -ip 2744

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2744 -s 612

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 91.16.208.104.in-addr.arpa udp

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-06-01 07:37

Reported

2024-06-01 07:40

Platform

win10v2004-20240508-en

Max time kernel

133s

Max time network

129s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsisdl.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3764 wrote to memory of 1228 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3764 wrote to memory of 1228 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3764 wrote to memory of 1228 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsisdl.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsisdl.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1228 -ip 1228

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1228 -s 628

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
NL 23.62.61.155:443 www.bing.com tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 155.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 134.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2024-06-01 07:37

Reported

2024-06-01 07:40

Platform

win10v2004-20240426-en

Max time kernel

92s

Max time network

96s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ByteFenceGUI.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ByteFenceGUI.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted

2024-06-01 07:37

Reported

2024-06-01 07:40

Platform

win7-20240221-en

Max time kernel

118s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ByteFenceScan.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ByteFenceScan.exe

"C:\Users\Admin\AppData\Local\Temp\ByteFenceScan.exe"

Network

N/A

Files

N/A

Analysis: behavioral21

Detonation Overview

Submitted

2024-06-01 07:37

Reported

2024-06-01 07:40

Platform

win7-20240508-en

Max time kernel

118s

Max time network

126s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Microsoft.Diagnostics.Tracing.TraceEvent.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Microsoft.Diagnostics.Tracing.TraceEvent.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral31

Detonation Overview

Submitted

2024-06-01 07:37

Reported

2024-06-01 07:40

Platform

win10v2004-20240426-en

Max time kernel

92s

Max time network

96s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\rsEngine.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\rsEngine.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-01 07:37

Reported

2024-06-01 07:40

Platform

win7-20240221-en

Max time kernel

67s

Max time network

133s

Command Line

"C:\Users\Admin\AppData\Local\Temp\89c55b3ce90e0aa737ef7f77326ac316_JaffaCakes118.exe"

Signatures

Enumerates VirtualBox registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VBoxGuest C:\Program Files\ByteFence\ByteFence.exe N/A

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\FADT\VBOX__ C:\Program Files\ByteFence\ByteFence.exe N/A

Looks for VMWare Tools registry key

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\VMware, Inc.\VMware Tools C:\Program Files\ByteFence\ByteFence.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Program Files\ByteFence\ByteFence.exe N/A

Reads user/profile data of web browsers

spyware stealer

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\ByteFence\ByteFence.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\f: C:\Program Files\ByteFence\ByteFence.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\CatRoot2\dberr.txt C:\Program Files\ByteFence\ByteFence.exe N/A

Checks installed software on the system

discovery

Checks system information in the registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName C:\Program Files\ByteFence\ByteFence.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\ByteFence\Cache\SRf291ea8416c1b38d4bcb3b6f0ae40fa19c1e2045 C:\Program Files\ByteFence\ByteFence.exe N/A
File created C:\Program Files\ByteFence\Cache\SR71650b21e3642d35aff665d29313c0e576214947 C:\Program Files\ByteFence\ByteFence.exe N/A
File created C:\Program Files\ByteFence\Cache\SR63e99b0fb7207e5b6ae794d007793dcd5aa41170 C:\Program Files\ByteFence\ByteFence.exe N/A
File created C:\Program Files\ByteFence\Cache\SRea1f3b03f46db029a955190692cecbc571e1d46c C:\Program Files\ByteFence\ByteFence.exe N/A
File created C:\Program Files\ByteFence\Cache\SRc7cc44a34eb4151e55c5404bf0f97b5ee49df86a C:\Program Files\ByteFence\ByteFence.exe N/A
File created C:\Program Files\ByteFence\Cache\SR88d664f6a9648ebe06b30aff799ad5e0f23f1722 C:\Program Files\ByteFence\ByteFence.exe N/A
File created C:\Program Files\ByteFence\Cache\SR65d44461b6e6d5e441e961c192faa83c5c3a54c3 C:\Program Files\ByteFence\ByteFence.exe N/A
File created C:\Program Files\ByteFence\Cache\SR9140538b467c370e96133c01f6aaa6cb6d569896 C:\Program Files\ByteFence\ByteFence.exe N/A
File created C:\Program Files\ByteFence\Cache\SR2ac7387fef462c834cc067f0296366ffbb5c4daa C:\Program Files\ByteFence\ByteFence.exe N/A
File created C:\Program Files\ByteFence\Cache\SR2dd2bebaa81a8c7331a22e338be267167b6d80c7 C:\Program Files\ByteFence\ByteFence.exe N/A
File created C:\Program Files\ByteFence\Cache\SR78ba8d596c0ac4c38acb498416957891570a2a1d C:\Program Files\ByteFence\ByteFence.exe N/A
File created C:\Program Files\ByteFence\Cache\SRc816b897a56e7d95a2aa0ca8ab38ed9d597d9a06 C:\Program Files\ByteFence\ByteFence.exe N/A
File created C:\Program Files\ByteFence\Cache\SRa490c8f4c501652cb732b63620bebe261f457117 C:\Program Files\ByteFence\ByteFence.exe N/A
File created C:\Program Files\ByteFence\Cache\SRd374a045611e81ade3509ed7d6d6155e08b5d104 C:\Program Files\ByteFence\ByteFence.exe N/A
File created C:\Program Files\ByteFence\Cache\SRd9255474e8093a68b1348b830d0b26e0299612c7 C:\Program Files\ByteFence\ByteFence.exe N/A
File created C:\Program Files\ByteFence\Cache\SR49273211486b7cf863519881ac7ef966995b626c C:\Program Files\ByteFence\ByteFence.exe N/A
File created C:\Program Files\ByteFence\Cache\SRc5a8866590ea0cc3f1c1085bac7e137c089dc379 C:\Program Files\ByteFence\ByteFence.exe N/A
File created C:\Program Files\ByteFence\Cache\SR6de6381112f1916f26ab263c1a34d88bba4ad28b C:\Program Files\ByteFence\ByteFence.exe N/A
File created C:\Program Files\ByteFence\Cache\SR1c036b15d66b58d3cb87bf65db78538b8fce7a34 C:\Program Files\ByteFence\ByteFence.exe N/A
File created C:\Program Files\ByteFence\Cache\SRf510de6c4b4a28a4bfafde036da0dab45a69e3a6 C:\Program Files\ByteFence\ByteFence.exe N/A
File created C:\Program Files\ByteFence\Cache\SR0827ddf85ccd2455aea261cd2ff5a9cfacb31b3b C:\Program Files\ByteFence\ByteFence.exe N/A
File created C:\Program Files\ByteFence\Cache\SR0dd460f0a2c1c724bc8ec5767dc1e56fc493e1c6 C:\Program Files\ByteFence\ByteFence.exe N/A
File created C:\Program Files\ByteFence\Cache\SR63aa1a310bab654f4c6a5b4eeae5d06d8837e3f8 C:\Program Files\ByteFence\ByteFence.exe N/A
File created C:\Program Files\ByteFence\Cache\SR958a7ba90043f8e3b94da849a2da8bb139fc39c9 C:\Program Files\ByteFence\ByteFence.exe N/A
File created C:\Program Files\ByteFence\Cache\SR9208f94662cfe80a92d7b271838add91b8616618 C:\Program Files\ByteFence\ByteFence.exe N/A
File created C:\Program Files\ByteFence\Cache\SRde9e4b3f4144bcf1a87c4c387f59efbf432c5a8b C:\Program Files\ByteFence\ByteFence.exe N/A
File created C:\Program Files\ByteFence\Cache\SR606e9e47fff3a1a6cc74ca6182ef97235b4f7bbb C:\Program Files\ByteFence\ByteFence.exe N/A
File created C:\Program Files\ByteFence\Cache\SR835e982347db919a681ba12f3891f62152e50f0d C:\Program Files\ByteFence\ByteFence.exe N/A
File created C:\Program Files\ByteFence\Cache\SR01eb358c13a516018cc65ea0117284098e61f594 C:\Program Files\ByteFence\ByteFence.exe N/A
File created C:\Program Files\ByteFence\Cache\SRf1fb058529e4d4137437c969120fa261f1680d21 C:\Program Files\ByteFence\ByteFence.exe N/A
File created C:\Program Files\ByteFence\Cache\SR718d8e21d8d8e36bb8b3f391ccac776a1a48ea5e C:\Program Files\ByteFence\ByteFence.exe N/A
File created C:\Program Files\ByteFence\Cache\SR6ddd1581f4b155404a8b554df8f013b15009d5de C:\Program Files\ByteFence\ByteFence.exe N/A
File created C:\Program Files\ByteFence\Cache\SRe97ee1efaae7c9903f0845c4be1d49b4b8c7ac43 C:\Program Files\ByteFence\ByteFence.exe N/A
File created C:\Program Files\ByteFence\Cache\SR84da342d9d6f96527e4e685451216e423aa64be9 C:\Program Files\ByteFence\ByteFence.exe N/A
File created C:\Program Files\ByteFence\Cache\SR2ece29e4ae3fdb713c18152f5c7556a1aa8a7c83 C:\Program Files\ByteFence\ByteFence.exe N/A
File created C:\Program Files\ByteFence\Cache\SR4e835fdadd0c67fde44e385f69a1014d6ad11f4f C:\Program Files\ByteFence\ByteFence.exe N/A
File created C:\Program Files\ByteFence\Cache\SRd0a7b3233bc878ea03bd803068afa66363178d93 C:\Program Files\ByteFence\ByteFence.exe N/A
File created C:\Program Files\ByteFence\Cache\SRf63165ad82e683b150d7a626da70cacbb7e7cd01 C:\Program Files\ByteFence\ByteFence.exe N/A
File created C:\Program Files\ByteFence\Cache\SR30cff16f17833aa042d8b6cc32d86c4a39c77c67 C:\Program Files\ByteFence\ByteFence.exe N/A
File created C:\Program Files\ByteFence\Cache\SR9dcdca64f3f8c2e6fef7a9951b5c2e3c7f10643a C:\Program Files\ByteFence\ByteFence.exe N/A
File created C:\Program Files\ByteFence\Cache\SR31b410e029bba87d2068c65a80b88882f9f8ea25 C:\Program Files\ByteFence\ByteFence.exe N/A
File created C:\Program Files\ByteFence\Cache\SR012b333916f2f83707db93476588b84c52d50335 C:\Program Files\ByteFence\ByteFence.exe N/A
File created C:\Program Files\ByteFence\Cache\SRcadb428fa7669365dcf6b7c692d2d75f4d188c08 C:\Program Files\ByteFence\ByteFence.exe N/A
File created C:\Program Files\ByteFence\Cache\SR2b12984b7680fbe7a9266c664548a4fb67a10841 C:\Program Files\ByteFence\ByteFence.exe N/A
File created C:\Program Files\ByteFence\Cache\SRb6ba05757689aad0298e69617181671aa1c69f37 C:\Program Files\ByteFence\ByteFence.exe N/A
File created C:\Program Files\ByteFence\Cache\SRc740ce1ae87c3c71076286b637474f830ba0dbc3 C:\Program Files\ByteFence\ByteFence.exe N/A
File created C:\Program Files\ByteFence\Cache\SRa84cb4755b2a9e80edfcfe2cbe15e00a8f1fb8b2 C:\Program Files\ByteFence\ByteFence.exe N/A
File created C:\Program Files\ByteFence\Cache\SR768ec16982ac19d4ada5b740bcae740a46c294e1 C:\Program Files\ByteFence\ByteFence.exe N/A
File created C:\Program Files\ByteFence\Cache\SRed5ec55dbc6b3bda505f0a4c699c257c90c02020 C:\Program Files\ByteFence\ByteFence.exe N/A
File created \??\c:\program files\bytefence\rsEngine.config \??\c:\program files\bytefence\ByteFenceService.exe N/A
File created C:\Program Files\ByteFence\Cache\SR98521b4dfcb56c5f955772e9d20ecb672ad61b94 C:\Program Files\ByteFence\ByteFence.exe N/A
File created C:\Program Files\ByteFence\Cache\SR80b603f7ca32a96cd5ec1495569829efb44d3c65 C:\Program Files\ByteFence\ByteFence.exe N/A
File created C:\Program Files\ByteFence\Cache\SR545575d30ba620329109d9bfcad8c037d758556c C:\Program Files\ByteFence\ByteFence.exe N/A
File created C:\Program Files\ByteFence\Cache\SRbd3c8cabc03116b88f22ee64ca8059caa5b492ec C:\Program Files\ByteFence\ByteFence.exe N/A
File created C:\Program Files\ByteFence\Cache\SR169edb65e0e362410fcef0e86dd1f951a1eb3ea0 C:\Program Files\ByteFence\ByteFence.exe N/A
File created C:\Program Files\ByteFence\Cache\SRbb5c57bea3dab595720ecd0b0f7f68fc8087c53e C:\Program Files\ByteFence\ByteFence.exe N/A
File created C:\Program Files\ByteFence\Cache\SRb8f907e6c26216e1b8534d37361c5f63d23e640b C:\Program Files\ByteFence\ByteFence.exe N/A
File created C:\Program Files\ByteFence\Cache\SR9ba9889f46feb82c698158d8a09223ef5357de86 C:\Program Files\ByteFence\ByteFence.exe N/A
File created C:\Program Files\ByteFence\Cache\SR090353ab84e2af51ecdcd481bdf627a656a0a1c5 C:\Program Files\ByteFence\ByteFence.exe N/A
File created C:\Program Files\ByteFence\Cache\SR7bcc04348145501294745d58a2f9f702a76e794f C:\Program Files\ByteFence\ByteFence.exe N/A
File created C:\Program Files\ByteFence\Cache\SRf14d2014bf6c08d37560af3a67bce19d5b43a3ef C:\Program Files\ByteFence\ByteFence.exe N/A
File created C:\Program Files\ByteFence\Cache\SRf8e32204f157ffb25415505b1c787f8be520a020 C:\Program Files\ByteFence\ByteFence.exe N/A
File created C:\Program Files\ByteFence\Cache\SR55f1afb45e3e725eb17bc8d5a114070f9e1416a1 C:\Program Files\ByteFence\ByteFence.exe N/A
File created C:\Program Files\ByteFence\Cache\SRa8b1e9e92eada2cba819df5d416453e003502e63 C:\Program Files\ByteFence\ByteFence.exe N/A

Enumerates physical storage devices

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\ByteFence File Scan\Position = "Middle" C:\Program Files\ByteFence\ByteFence.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\ByteFence Folder Scan C:\Program Files\ByteFence\ByteFence.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\ByteFence Folder Scan\command\ = "\"C:\\Program Files\\ByteFence\\ByteFenceScan.exe\" /scan:\"%1\"" C:\Program Files\ByteFence\ByteFence.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\ByteFence File Scan C:\Program Files\ByteFence\ByteFence.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\ByteFence File Scan\Icon = "\"C:\\Program Files\\ByteFence\\ByteFence.exe\",0" C:\Program Files\ByteFence\ByteFence.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\ByteFence File Scan\command\ = "\"C:\\Program Files\\ByteFence\\ByteFenceScan.exe\" /scan:\"%1\"" C:\Program Files\ByteFence\ByteFence.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\ByteFence Folder Scan\ = "Scan with ByteFence Anti-Malware..." C:\Program Files\ByteFence\ByteFence.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\ByteFence Folder Scan\Icon = "\"C:\\Program Files\\ByteFence\\ByteFence.exe\",0" C:\Program Files\ByteFence\ByteFence.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\ByteFence Folder Scan\Position = "Middle" C:\Program Files\ByteFence\ByteFence.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\ByteFence Folder Scan\command C:\Program Files\ByteFence\ByteFence.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\ByteFence File Scan\ = "Scan with ByteFence Anti-Malware..." C:\Program Files\ByteFence\ByteFence.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\ByteFence File Scan\command C:\Program Files\ByteFence\ByteFence.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 C:\Program Files\ByteFence\ByteFence.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 C:\Program Files\ByteFence\ByteFence.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5 C:\Program Files\ByteFence\ByteFence.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target Count
N/A N/A C:\Program Files\ByteFence\ByteFence.exe N/A 10
N/A N/A \??\c:\program files\bytefence\ByteFenceService.exe N/A 4
N/A N/A C:\Program Files\ByteFence\ByteFence.exe N/A 50

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target Count
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A 5
Token: SeDebugPrivilege N/A C:\Program Files\ByteFence\ByteFence.exe N/A 3
Token: SeBackupPrivilege N/A C:\Program Files\ByteFence\ByteFence.exe N/A 1
Token: SeRestorePrivilege N/A C:\Program Files\ByteFence\ByteFence.exe N/A 1
Token: SeLoadDriverPrivilege N/A C:\Program Files\ByteFence\ByteFence.exe N/A 1
Token: SeDebugPrivilege N/A \??\c:\program files\bytefence\ByteFenceService.exe N/A 4
Token: SeBackupPrivilege N/A \??\c:\program files\bytefence\ByteFenceService.exe N/A 1
Token: SeRestorePrivilege N/A \??\c:\program files\bytefence\ByteFenceService.exe N/A 1
Token: SeLoadDriverPrivilege N/A \??\c:\program files\bytefence\ByteFenceService.exe N/A 1

Suspicious use of FindShellTrayWindow

Description Indicator Process Target Count
N/A N/A C:\Program Files\ByteFence\ByteFence.exe N/A 3

Suspicious use of SendNotifyMessage

Description Indicator Process Target Count
N/A N/A C:\Program Files\ByteFence\ByteFence.exe N/A 3

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count
PID 1096 wrote to memory of 2104 N/A C:\Users\Admin\AppData\Local\Temp\89c55b3ce90e0aa737ef7f77326ac316_JaffaCakes118.exe C:\Program Files\ByteFence\bytefence-installer-5.4.1.3.exe 7
PID 2104 wrote to memory of 2112 N/A C:\Program Files\ByteFence\bytefence-installer-5.4.1.3.exe C:\Windows\SysWOW64\taskkill.exe 4
PID 2104 wrote to memory of 2592 N/A C:\Program Files\ByteFence\bytefence-installer-5.4.1.3.exe C:\Windows\SysWOW64\taskkill.exe 4
PID 2104 wrote to memory of 2200 N/A C:\Program Files\ByteFence\bytefence-installer-5.4.1.3.exe C:\Windows\SysWOW64\taskkill.exe 4
PID 2104 wrote to memory of 2508 N/A C:\Program Files\ByteFence\bytefence-installer-5.4.1.3.exe C:\Windows\SysWOW64\taskkill.exe 4
PID 2104 wrote to memory of 500 N/A C:\Program Files\ByteFence\bytefence-installer-5.4.1.3.exe C:\Windows\SysWOW64\taskkill.exe 4
PID 2104 wrote to memory of 1696 N/A C:\Program Files\ByteFence\bytefence-installer-5.4.1.3.exe C:\Program Files\ByteFence\ByteFence.exe 4
PID 1696 wrote to memory of 2268 N/A C:\Program Files\ByteFence\ByteFence.exe \??\c:\program files\bytefence\ByteFenceService.exe 3
PID 1696 wrote to memory of 2348 N/A C:\Program Files\ByteFence\ByteFence.exe C:\Windows\system32\netsh.exe 3
PID 1696 wrote to memory of 2600 N/A C:\Program Files\ByteFence\ByteFence.exe C:\Windows\SysWOW64\netsh.exe 4
PID 1696 wrote to memory of 2912 N/A C:\Program Files\ByteFence\ByteFence.exe C:\Windows\System32\bitsadmin.exe 3
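The WriteProcessMemory rows are one event per call, so the same parent-to-child edge repeats several times. The Python below is an added example, not part of the sandbox report: it collapses the rows into a process tree and checks whether any target PID was written to by more than one process. A parent writing a few times into a child it has just launched is ordinary process creation; a second, unrelated writer is the pattern that would point at cross-process injection. The image constants are copied from the table and the repeat counts were taken from it by hand (constructed input).

```python
import re
from collections import Counter, defaultdict

EDGE_RE = re.compile(r"PID (\d+) wrote to memory of (\d+)")

# Image paths exactly as they appear in the report's Process and Target columns.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\89c55b3ce90e0aa737ef7f77326ac316_JaffaCakes118.exe"
INSTALLER = r"C:\Program Files\ByteFence\bytefence-installer-5.4.1.3.exe"
TASKKILL = r"C:\Windows\SysWOW64\taskkill.exe"
BYTEFENCE = r"C:\Program Files\ByteFence\ByteFence.exe"
SERVICE = r"\??\c:\program files\bytefence\ByteFenceService.exe"
NETSH64 = r"C:\Windows\system32\netsh.exe"
NETSH32 = r"C:\Windows\SysWOW64\netsh.exe"
BITSADMIN = r"C:\Windows\System32\bitsadmin.exe"

# (description, writer image, target image), repeated as often as the report
# repeats the row. Constructed from the table above for this example.
ROWS = (
    [("PID 1096 wrote to memory of 2104", SAMPLE, INSTALLER)] * 7
    + [("PID 2104 wrote to memory of 2112", INSTALLER, TASKKILL)] * 4
    + [("PID 2104 wrote to memory of 2592", INSTALLER, TASKKILL)] * 4
    + [("PID 2104 wrote to memory of 2200", INSTALLER, TASKKILL)] * 4
    + [("PID 2104 wrote to memory of 2508", INSTALLER, TASKKILL)] * 4
    + [("PID 2104 wrote to memory of 500", INSTALLER, TASKKILL)] * 4
    + [("PID 2104 wrote to memory of 1696", INSTALLER, BYTEFENCE)] * 4
    + [("PID 1696 wrote to memory of 2268", BYTEFENCE, SERVICE)] * 3
    + [("PID 1696 wrote to memory of 2348", BYTEFENCE, NETSH64)] * 3
    + [("PID 1696 wrote to memory of 2600", BYTEFENCE, NETSH32)] * 4
    + [("PID 1696 wrote to memory of 2912", BYTEFENCE, BITSADMIN)] * 3
)


def basename(path):
    """Last component of a Windows path, independent of the host OS."""
    return path.rsplit("\\", 1)[-1]


def build_tree(rows):
    """Collapse repeated rows into (writer, target) -> write count plus a
    PID -> image map. Returns (children, image, edges)."""
    edges, image = Counter(), {}
    for desc, writer, target in rows:
        m = EDGE_RE.match(desc)
        if not m:
            continue
        parent, child = int(m.group(1)), int(m.group(2))
        edges[(parent, child)] += 1
        image.setdefault(parent, writer)
        image.setdefault(child, target)
    children = defaultdict(list)
    for parent, child in edges:
        children[parent].append(child)
    return children, image, edges


def roots(children):
    """PIDs that write to others but were never written to themselves."""
    targets = {c for cs in children.values() for c in cs}
    return sorted(p for p in children if p not in targets)


def multi_writer_targets(edges):
    """PIDs written to by more than one PID. A child written to only by its
    creator is a normal launch; a second writer is worth a closer look."""
    writers = defaultdict(set)
    for parent, child in edges:
        writers[child].add(parent)
    return sorted(c for c, ps in writers.items() if len(ps) > 1)


def render(children, image, edges, pid, parent=None, depth=0):
    """Indented lineage, one line per process, with the write count per edge."""
    line = "  " * depth + f"{pid} {basename(image[pid])}"
    if parent is not None:
        line += f"  [{edges[(parent, pid)]} writes from {parent}]"
    out = [line]
    for child in sorted(children.get(pid, [])):
        out.extend(render(children, image, edges, child, pid, depth + 1))
    return out


if __name__ == "__main__":
    children, image, edges = build_tree(ROWS)
    for root in roots(children):
        print("\n".join(render(children, image, edges, root)))
    print("targets with more than one writer:", multi_writer_targets(edges))
```

Run as a script it prints the sample (1096) at the root, the silent installer (2104) under it, the five taskkill instances and ByteFence.exe (1696) under the installer, and the service, both netsh instances and bitsadmin under ByteFence.exe; no PID in this detonation has a second writer.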

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy WMI provider

ransomware

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\89c55b3ce90e0aa737ef7f77326ac316_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\89c55b3ce90e0aa737ef7f77326ac316_JaffaCakes118.exe"

C:\Program Files\ByteFence\bytefence-installer-5.4.1.3.exe

"C:\Program Files\ByteFence\bytefence-installer-5.4.1.3.exe" /S

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im ByteFence.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im ByteFenceService.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im ByteFenceScan.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im rsEngineHelper.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im rsLggr.exe

C:\Program Files\ByteFence\ByteFence.exe

"C:\Program Files\ByteFence\ByteFence.exe"

\??\c:\program files\bytefence\ByteFenceService.exe

"c:\program files\bytefence\ByteFenceService.exe" /i

\??\c:\program files\bytefence\ByteFenceService.exe

"c:\program files\bytefence\ByteFenceService.exe"

C:\Windows\system32\netsh.exe

"C:\Windows\system32\netsh.exe" winsock show catalog

C:\Windows\SysWOW64\netsh.exe

"C:\Windows\SysWOW64\netsh.exe" winsock show catalog

C:\Windows\System32\bitsadmin.exe

"C:\Windows\System32\bitsadmin.exe" /rawreturn /nowrap /list /allusers /verbose
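The command lines above tell the story more directly than the signature names do: the sample launches the dropped NSIS installer with its silent switch (/S; the nsisdl.dll and nsExec.dll plugins in the Files section are NSIS artefacts), the installer force-kills five ByteFence images, and ByteFence.exe then enumerates the Winsock provider catalog and the BITS job list. The Python below is an added example of classifying such command lines; it is not the sandbox's own signature logic. The rule set, the PRODUCT_IMAGES map and the assumption that rsEngineHelper.exe and rsLggr.exe are ByteFence components (inferred from rsEngine.dll and rsLggrServer_x64.dll being dropped into the same directory) are the editor's. The point of kill_verdict is the caveat a reviewer wants: taskkill /f /im against a vendor's own images, issued from that vendor's installer, is an installer stopping a previous instance, while the same command line from an unrelated parent would be tampering with a security tool.

```python
import re

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\89c55b3ce90e0aa737ef7f77326ac316_JaffaCakes118.exe"
INSTALLER = r"C:\Program Files\ByteFence\bytefence-installer-5.4.1.3.exe"
BYTEFENCE = r"C:\Program Files\ByteFence\ByteFence.exe"

# (launching image, command line) pairs copied from the Processes section and
# the WriteProcessMemory table. Constructed input for this example; the second
# ByteFenceService.exe instance has no recorded launcher and is left out.
EVENTS = [
    (SAMPLE, r'"C:\Program Files\ByteFence\bytefence-installer-5.4.1.3.exe" /S'),
    (INSTALLER, "taskkill /f /im ByteFence.exe"),
    (INSTALLER, "taskkill /f /im ByteFenceService.exe"),
    (INSTALLER, "taskkill /f /im ByteFenceScan.exe"),
    (INSTALLER, "taskkill /f /im rsEngineHelper.exe"),
    (INSTALLER, "taskkill /f /im rsLggr.exe"),
    (BYTEFENCE, r'"c:\program files\bytefence\ByteFenceService.exe" /i'),
    (BYTEFENCE, r'"C:\Windows\system32\netsh.exe" winsock show catalog'),
    (BYTEFENCE, r'"C:\Windows\SysWOW64\netsh.exe" winsock show catalog'),
    (BYTEFENCE, r'"C:\Windows\System32\bitsadmin.exe" /rawreturn /nowrap /list /allusers /verbose'),
]

# Images each vendor directory (under Program Files) may legitimately stop.
# The three ByteFence* names carry the product name; the two rs* names are
# assumed to be ByteFence components (assumption, see lead-in).
PRODUCT_IMAGES = {
    "bytefence": {"bytefence.exe", "bytefenceservice.exe", "bytefencescan.exe",
                  "rsenginehelper.exe", "rslggr.exe"},
}


def split_cmdline(cmdline):
    """Windows-style split: quoted image or first token, then the rest.
    Returns (image name without .exe, lower-cased, remaining arguments)."""
    m = re.match(r'\s*(?:"([^"]+)"|(\S+))\s*(.*)$', cmdline)
    if not m:
        return "", ""
    image = (m.group(1) or m.group(2)).rsplit("\\", 1)[-1].lower()
    if image.endswith(".exe"):
        image = image[:-4]
    return image, m.group(3)


def classify(cmdline):
    """Tag one command line. Returns a list of (tag, detail) pairs."""
    name, args = split_cmdline(cmdline)
    tags = []
    if name == "taskkill":
        im = re.search(r"/im\s+(\S+)", args, re.I)
        if im:
            forced = re.search(r"(^|\s)/f(\s|$)", args, re.I) is not None
            tags.append(("forced-kill" if forced else "kill", im.group(1)))
    elif name == "netsh" and re.search(r"winsock\s+show\s+catalog", args, re.I):
        tags.append(("winsock-catalog-enum", None))   # lists Winsock providers / LSPs
    elif name == "bitsadmin" and re.search(r"(^|\s)/list(\s|$)", args, re.I):
        tags.append(("bits-job-enum", None))          # lists BITS transfer jobs
    elif re.search(r"(^|\s)/S(\s|$)", args):          # NSIS silent switch (upper-case S)
        tags.append(("silent-install", name))
    return tags


def vendor_of(image_path):
    """Vendor directory directly under Program Files, e.g. 'bytefence', else None."""
    m = re.search(r"program files\\([^\\]+)\\", image_path, re.I)
    return m.group(1).lower() if m else None


def kill_verdict(parent_image, killed_image):
    """'self' when the killer lives in the vendor directory that owns the killed
    image (an installer stopping its own product), 'foreign' otherwise."""
    allowed = PRODUCT_IMAGES.get(vendor_of(parent_image) or "", set())
    return "self" if killed_image.lower() in allowed else "foreign"


def triage(events):
    """Flatten to (tag, detail, verdict) rows; the verdict applies to kills only."""
    rows = []
    for parent, cmdline in events:
        for tag, detail in classify(cmdline):
            verdict = kill_verdict(parent, detail) if tag.endswith("kill") else None
            rows.append((tag, detail, verdict))
    return rows


if __name__ == "__main__":
    for row in triage(EVENTS):
        print(row)
```

For this detonation every forced kill comes back 'self', which is consistent with an installer restarting its own product; the two discovery commands (winsock catalog, BITS jobs) are both issued by ByteFence.exe, the process the dropped installer started.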

Network

Country Destination Domain Proto
US 8.8.8.8:53 logs.bytefence.com udp
US 8.8.8.8:53 api.reason.technology udp
US 8.8.8.8:53 api.reason.technology udp
US 8.8.8.8:53 proxel.bytefence.com udp
US 8.8.8.8:53 logs.bytefence.com udp
US 8.8.8.8:53 api.reasonsecurity.com udp
US 104.22.0.235:443 api.reasonsecurity.com tcp
US 8.8.8.8:53 cdn.bytefence.com udp
US 104.22.0.235:443 api.reasonsecurity.com tcp
US 104.22.0.235:443 api.reasonsecurity.com tcp
US 104.22.0.235:443 api.reasonsecurity.com tcp
US 104.22.0.235:443 api.reasonsecurity.com tcp
US 8.8.8.8:53 crl.microsoft.com udp
BE 2.17.107.9:80 crl.microsoft.com tcp
US 8.8.8.8:53 ocsp.thawte.com udp
US 152.199.19.74:80 ocsp.thawte.com tcp
US 8.8.8.8:53 crl.thawte.com udp
SE 192.229.221.95:80 crl.thawte.com tcp
US 8.8.8.8:53 csc3-2004-crl.verisign.com udp
US 8.8.8.8:53 www.microsoft.com udp
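Two things are easy to misread in the Network table: the Country column describes the destination IP, so every udp row says US because the sandbox resolver is 8.8.8.8, and the CRL/OCSP lookups (crl.microsoft.com, ocsp.thawte.com, crl.thawte.com, csc3-2004-crl.verisign.com) are revocation checks that Windows performs while validating the installer's signatures, not traffic the dropped software chose to send. The Python below is an added example, not part of the report: it joins the DNS rows to the TCP connections that followed, separates the revocation-check hosts from the hosts the software itself reaches for, and lists domains that were resolved but never connected. The is_pki_host heuristic and the row text are the editor's (constructed input copied from the table).

```python
from collections import Counter

# Rows copied from the Network table above. Constructed input for this example.
NETWORK_ROWS = """\
US 8.8.8.8:53 logs.bytefence.com udp
US 8.8.8.8:53 api.reason.technology udp
US 8.8.8.8:53 api.reason.technology udp
US 8.8.8.8:53 proxel.bytefence.com udp
US 8.8.8.8:53 logs.bytefence.com udp
US 8.8.8.8:53 api.reasonsecurity.com udp
US 104.22.0.235:443 api.reasonsecurity.com tcp
US 8.8.8.8:53 cdn.bytefence.com udp
US 104.22.0.235:443 api.reasonsecurity.com tcp
US 104.22.0.235:443 api.reasonsecurity.com tcp
US 104.22.0.235:443 api.reasonsecurity.com tcp
US 104.22.0.235:443 api.reasonsecurity.com tcp
US 8.8.8.8:53 crl.microsoft.com udp
BE 2.17.107.9:80 crl.microsoft.com tcp
US 8.8.8.8:53 ocsp.thawte.com udp
US 152.199.19.74:80 ocsp.thawte.com tcp
US 8.8.8.8:53 crl.thawte.com udp
SE 192.229.221.95:80 crl.thawte.com tcp
US 8.8.8.8:53 csc3-2004-crl.verisign.com udp
US 8.8.8.8:53 www.microsoft.com udp
""".splitlines()


def parse(rows):
    """One dict per row. The Country column belongs to the destination IP, so
    on udp rows it describes the resolver (8.8.8.8), not the queried domain."""
    records = []
    for line in rows:
        country, dest, domain, proto = line.split()
        ip, port = dest.rsplit(":", 1)
        records.append({"country": country, "ip": ip, "port": int(port),
                        "domain": domain.lower(), "proto": proto})
    return records


def is_pki_host(domain):
    """Revocation-check hosts (CRL / OCSP) contacted by Authenticode and TLS
    validation on the system's behalf. Treating them as noise is an assumption."""
    return domain.startswith(("crl.", "ocsp.")) or "-crl." in domain


def summarize(records):
    """Join lookups to connections and split PKI noise from the software's hosts."""
    dns = {r["domain"] for r in records if r["proto"] == "udp" and r["port"] == 53}
    tcp = Counter((r["domain"], r["ip"], r["port"]) for r in records if r["proto"] == "tcp")
    connected = {d for d, _, _ in tcp}
    seen = dns | connected
    return {
        "connections": dict(tcp),                  # (domain, ip, port) -> count
        "resolved_only": sorted(dns - connected),  # looked up, never connected
        "pki_hosts": sorted(d for d in seen if is_pki_host(d)),
        "sample_hosts": sorted(d for d in seen if not is_pki_host(d)),
        "contacted_sample_hosts": sorted(d for d in connected if not is_pki_host(d)),
    }


if __name__ == "__main__":
    for key, value in summarize(parse(NETWORK_ROWS)).items():
        print(key, value)
```

For this detonation the only non-PKI host actually connected to is api.reasonsecurity.com (five TCP sessions to 104.22.0.235:443); logs.bytefence.com, proxel.bytefence.com, cdn.bytefence.com, api.reason.technology and www.microsoft.com were resolved but never reached over TCP within the capture, which is the distinction to keep in mind before turning the DNS column into block-list entries.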

Files

\Program Files\ByteFence\bytefence-installer-5.4.1.3.exe

MD5 c4951a516fe1b3a8a579e73877a4b1a4
SHA1 400acb837edec53c746be0ccb2bb9d774fa150e9
SHA256 61dc83d20af7bfa9458a4ee7b08bc05fc33b09aa5f04bf655f9f607125d1934b
SHA512 a6933dab647728a2ccfaabdcb7561ab804efdf9ba6193d920712d04c842400b6c975bb0c0228a03f2a3b7dce3019397615267e2905cda73441abc6ef1978faeb

\Users\Admin\AppData\Local\Temp\nso2953.tmp\nsisdl.dll

MD5 a95c7af96416b2cd084fed4c07c8c291
SHA1 0c62c2fd843ccb59784404ed36369784dc557671
SHA256 a1e09fb1739ef7557d18104b0d6a4c7725e1ec293f5404c80402f57ff9ebb9d0
SHA512 427ef14b116b574c5558cc6bb0ce03ab37f891f2d7ab0f130e3cddd0265e6bd269c598ce93230e56cd41bb9d2649bbbaa2fa2c654d8116c0c6f79a6f3419d1dc

\Users\Admin\AppData\Local\Temp\nso2953.tmp\nsExec.dll

MD5 1f49d8af9be9e915d54b2441c4a79adf
SHA1 1ee4f809c693e31f34bc6d8153664a6dc2c3e499
SHA256 b22c8f676dec58be8d25fbad1a37835ffc4029f29aaf79f4dc0337ca73a38782
SHA512 c60827e322e3168a79795ffd4beb0b0039842128255100d6b005d261402d2ff570f3866f441f3d3c063097c71d44bc5ae80d177fa91ef4e46fc8c2d97de27aa4

\Program Files\ByteFence\ByteFence.exe

MD5 ae114355b714bc831f641ffc1fd5d96b
SHA1 52885c21ee681f3b0dbb7d13191fbbb141fdf906
SHA256 517516b4fe19c58397a703bed0884cd439a6ad7ddadfd3de2b9d40d035659448
SHA512 7db682dc63cae4ca91085f34788af53bc2cfd350af476749a4045ff2d751d810d5a8a140b28800ef284aed17cf87c5173f8bc107c73fe75555506fad66358dfe

C:\Program Files\ByteFence\ByteFence.exe.config

MD5 e3d5f62b7b28176a510484e465fa0f18
SHA1 d9d4f8875c6d96f57549abf06eb336650595ab5a
SHA256 827cda24df7876010d5239fe2b8af49472442d899f9c0f6d9ff53b4ff6860946
SHA512 8c27c69e010d263cb5599a2c38a58b3b9ad61983c512ab4f7d3b46b859393468ad09d6423013ae808c3d243a9b8cb479e499d128539a3959bede78ad145b85be

C:\Program Files\ByteFence\rsEngine.dll

MD5 38bfe41fef177604494f49ee8023b887
SHA1 fca37c9a1f3b9eaa68b489b091020cff0f672e6b
SHA256 65555310943571e3d7cdb37c8a5cfa6e332400397d4d1dcbe4033370a5db81f6
SHA512 f0b3dd5b27893ccfce43a033cd89ae190bf9d016711e85cea2d3ecf8478db365d47a7f8b86c08bb0941ebff3522f0b6b093c9e5c9527c2737da7ded2614401c2

memory/1696-83-0x000000001B620000-0x000000001BB46000-memory.dmp

C:\Program Files\ByteFence\rsUtils.dll

MD5 7e8e3b06787101511fdbadd6ed070ee1
SHA1 71e4c41f92ed47daeeee0aab732ddc8e5acd21de
SHA256 b89c0d12a3caa4a663277ce1f0da91efa497515ebca0d18f60c5e65c9920868f
SHA512 254422dc751dbf5758434a980fefa5e47caa6c28bcaff4bf2e53cc467fc35cd8627787099d8960f2d64351d4706e2a53071dc1daed2b1ce8516e8cee9c5db3dc

memory/1696-85-0x0000000000CA0000-0x0000000000CDA000-memory.dmp

C:\Program Files\ByteFence\ByteFenceGUI.dll

MD5 637e8fcc69c33392335ffeaaca446a1b
SHA1 91a56d770a3731310c412cd0c9cea9439594f593
SHA256 496378bea9a3d62401744cd3941eda5177dc54733cd45735acf0c373372b5c5e
SHA512 ffd8deba9afea17cf93219774e5d576b4bb39c4db710caa9634e5821cbb40e000f446017bf116bbdd475243dc397d4f038bff8f236e1ad9c002604249761fa08

memory/1696-90-0x000000001BD00000-0x000000001BD52000-memory.dmp

memory/1696-91-0x000000001C7F0000-0x000000001C8C6000-memory.dmp

C:\Program Files\ByteFence\Microsoft.Win32.TaskScheduler.dll

MD5 1802e6df96046cfee62c63c4c8469a3e
SHA1 c5d6444fcd8f46e1832c99614f5e71adff582f6d
SHA256 cc6c472f666239ed270cc3754852f536b8981d6fd22e4ad1ee15a1aa788a3ba9
SHA512 339f5b917c4afbc25175bd173cebefdd8f4671e157ecfb8a9c21b78db9d34fd9757787c231575e8849509cac59162c6c67fb32af6febd6903ec285e21c0fd304

memory/1696-92-0x000000001FB50000-0x000000001FB56000-memory.dmp

memory/1696-93-0x00000000244D0000-0x0000000024648000-memory.dmp

\??\c:\program files\bytefence\ByteFenceService.exe

MD5 ac384df8fbe8a76815fab3a2659f4bc4
SHA1 c3cf899ade1ec94e7d8a7a4dc64950de99096b4f
SHA256 0e262b5c4390c353bf98298631877913f6940e9c5042c0979060fca6c964fc17
SHA512 a27ba4f9d167ba81a053067de6e27d1a81646c640e5246f0036c8758f123209206f187fb8b3a073bf3f31717b80cafc3d78add7fc4e33204b87460e14fad4d90

C:\Program Files\ByteFence\ByteFenceService.InstallLog

MD5 30fdf3f1adcbf879ee4b629f430ab652
SHA1 daa220eda83fb6e429c8742382bb95889fed4689
SHA256 4049cadfdb4843884bd6d4332cfac55ae073c1210158aef57122c0e0269a63bf
SHA512 b0f2e0922552202937f1f389ff5b6fe450fab1a0c4fd2f39252182b27750b7edda5d0ca859176758ba97edb51b71d54e055f2dbd24d4bdc9b042bea466dca328

C:\Program Files\ByteFence\InstallUtil.InstallLog

MD5 00e3f226484ab07ba503afe751c3571d
SHA1 47e83a6fdf812648a4dedfc61432fb88c93fe720
SHA256 6003bd3edb8914f499a86eb1cd4f5e87585d915d2bf2626ad6f55c8abc53f662
SHA512 0f7d65aad26320297f9ff91b11ff7d36c878bb3d318941067783c9e334bb4bbcfb6dc837598a04440f8409dd6b21d4ee5e83cdfa4cdfec0c4a3e0e472c9c8b68

C:\Program Files\ByteFence\ByteFenceService.InstallLog

MD5 0b2464c9e3d3e45297239acb697f0a2c
SHA1 b105043b8da6b88f6f7dc25ec00cf6ecdbd1b21e
SHA256 180e58c7b156a7fb934c2e974d90b96d24a2a2e08ef0ec3485512f7b681c766c
SHA512 9e7411f50ad97fc3eff8f54779f00420f74e1a13f9e5d52961b4fe31ddd1b6a6e603aa49a2ba0769d94af857957b59ae1ee9e725cca3419af8facca1249882ea

\??\c:\program files\bytefence\rsEngine.config

MD5 427ce4103a0794e3a06d9a2ad0a9d9de
SHA1 aed628de425a84acfe6cd300b27d90d18d802620
SHA256 1ad12e7ac644dd4975412378ce13b89a211c64ab6b19af537f86a4b218cd313c
SHA512 c60c310ea901159c3fbfd8ed7474e9528613363eb9ccb21a1667890316438d2f6ef284f14130732197d4428c56153d39da656681419b53e62d7813efdd03bf17

\Program Files\ByteFence\x64\rsLggrServer_x64.dll

MD5 27236a42b9810c5db8490693c158c838
SHA1 3cb8d0f4b818f120afe2447c9b01af674af3a9f2
SHA256 d67999fe774e5e0f1c18cd5a4da7d6518faa00b8e950e41737e225b615a1b4f5
SHA512 97e9c8921caeecbe144ba11be3675365b5bbd92bf45bbe91e9a37c472fe2153f1f250e8e5b8a37d927605a0897d997228d7351476bbc40f9647737c14022411f

\Program Files\ByteFence\x64\rsEngineFW_x64.dll

MD5 a82484553da1a7a4ce4f5eda236b7207
SHA1 3e56d504d2283653165d78a238c97469a28e5de2
SHA256 8a1eff4a86e223dbe808bde5d728367b03e7593b514f5cd9c49387e6ac4b57c5
SHA512 03d193de85c8022c746e9f99a0e989cc42445d67fe32a31093e66b4e5e9dd25a4103fbb2e93ffc54401d99d40c3ae519dff7db999d64bc7f3cf0af59d82f3681

C:\Program Files\ByteFence\Signatures.dat

MD5 fb84325fd7362b5634c4de62b3a2c001
SHA1 ebb54ec78a071ce47a1c86f47903d56d77b34cf7
SHA256 23bdccb16e5900857c621b67c779b2a49179aca564eeaf1e74fd10c4eb1651ef
SHA512 d59933302521c9b3eead330a38577faf1df0378aa926690c6001186d495abe4fc470bf578bc9deabd82e26d7b1f8ed446957494122bd65047456c657dc9bade2

C:\Program Files\ByteFence\x64\rsEnginePM_x64.dll

MD5 15cf59afcaff08b12d37f2d7c9f6ed81
SHA1 1d0464d1f13ffe71ff12556c433d95f168a1cfb2
SHA256 a4d7f4259cf04e7299f5ab6fe2ceb95680e35427d613aff26dc27d954b8311c2
SHA512 e35196ae1367a7cae677f1c90dff7a186a03a95a9b7ede67e1c2d5c98db03d1b6e2ae868efae0c8ee12ee8b4067d0fa36139cb514d7d01982f756c0c6db47629

C:\Windows\System32\catroot2\dberr.txt

MD5 112d0c45eb4257acaead2f43359492d8
SHA1 9ef6009208622802ed50e5da6a4bdc6c1c4207ca
SHA256 0ca3fa8d963b4e3fce5032d14bdae00f01bb34abe7c1a3b97a5aec1757d65dfd
SHA512 d9a21d32e0a9d5f8bcce46601cf04ecba84b7c7d2d3d1d65c8ddeb7c6d7fa71b514b143120d5fa596f8f5bb2ebd7c36944ad6b7fafd6baae14ff95034496d1c6

C:\Program Files\ByteFence\WhiteList.dat

MD5 899c70dd0bdda61514bff5c51a4a0a20
SHA1 0fff58ba69a11d1e01c6e2704e553abec1352ce9
SHA256 0f9ac436356203842c619d27b8b805e034cfa420e94495170d089629e52038a9
SHA512 b13691ad0d3768eb6a9e4ea30e9a2ceabdaa1d13730cdda81f18696412ebb4589ee859f422ccf9b01c3399b5dbbcb317e0d6aee91cad10a7985ea8e87148ed9f

C:\Windows\System32\catroot2\dberr.txt

MD5 aa98885da42934da7c046be55b610209
SHA1 d198b3ee342577e799f4287d44265712aabe44ee
SHA256 b64595e88f98f43dc9e043577a7a94112ac251a676105d5a75f5eddf21c4b642
SHA512 e3f516516b7ac64b36e94d853eca821c22c8252bc9bf65ceaf8ffa1af10599887460a915b8aa8906cb539f4a2685113027318d22116c08095fa3679fc3b9d9a3

C:\Users\Admin\AppData\Local\Temp\Cab9993.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar9EE7.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 83e9c0e93032e1db5ad2723eefeb5a45
SHA1 fa66e3167e22533015d0a6bf966f2ea4c45ae4be
SHA256 788c7c3cd3816134f6574792776157df94f9df74902266462401e115733a77c2
SHA512 17657ebb03601341753a9c76d9afaacb44e5832765ae80f655307ffbfbd6e99b448cc289f224ebab14f63ca213f2715433e6af7413d16f0ea79702321a4b3f3c

memory/1696-1110-0x000007FEF5230000-0x000007FEF52C2000-memory.dmp

memory/1696-1111-0x000000001D1C0000-0x000000001D249000-memory.dmp

memory/1696-1114-0x000000001CDF0000-0x000000001CE0E000-memory.dmp

memory/1696-1113-0x000000001C0A0000-0x000000001C0AF000-memory.dmp

memory/1696-1112-0x000000001D1C0000-0x000000001D21E000-memory.dmp

memory/1696-1116-0x000000001C0A0000-0x000000001C0AF000-memory.dmp

memory/1696-1115-0x000000001CDF0000-0x000000001CE04000-memory.dmp

memory/1696-1117-0x000000001CE30000-0x000000001CE6A000-memory.dmp

memory/1696-1118-0x00000000200E0000-0x00000000201A9000-memory.dmp

memory/1696-1119-0x000000001C0A0000-0x000000001C0A9000-memory.dmp

memory/1696-1121-0x000000001CDF0000-0x000000001CE0A000-memory.dmp

memory/1696-1120-0x000000001CDF0000-0x000000001CE13000-memory.dmp

memory/1696-1122-0x000000001C0A0000-0x000000001C0A8000-memory.dmp

memory/1696-1123-0x000000001CDF0000-0x000000001CE02000-memory.dmp

memory/1696-1124-0x000000001D1C0000-0x000000001D249000-memory.dmp

memory/1696-1129-0x000000001C0A0000-0x000000001C0B0000-memory.dmp

memory/1696-1128-0x000000001CDF0000-0x000000001CE16000-memory.dmp

memory/1696-1127-0x000000001CDF0000-0x000000001CE05000-memory.dmp

memory/1696-1126-0x000000001C0A0000-0x000000001C0AC000-memory.dmp

memory/1696-1125-0x000000001CE30000-0x000000001CE75000-memory.dmp

memory/1696-1135-0x000000001C0A0000-0x000000001C0AE000-memory.dmp

memory/1696-1134-0x000000001C0A0000-0x000000001C0A9000-memory.dmp

memory/1696-1133-0x000000001C0A0000-0x000000001C0A9000-memory.dmp

memory/1696-1132-0x000000001C0A0000-0x000000001C0A9000-memory.dmp

memory/1696-1131-0x000000001C0A0000-0x000000001C0AF000-memory.dmp

memory/1696-1130-0x000000001D1C0000-0x000000001D21E000-memory.dmp

memory/1696-1137-0x000000001C0A0000-0x000000001C0AF000-memory.dmp

memory/1696-1136-0x000000001CDF0000-0x000000001CE0E000-memory.dmp

memory/1696-1138-0x000000001CDF0000-0x000000001CE04000-memory.dmp

memory/1696-1142-0x00000000200E0000-0x00000000201A9000-memory.dmp

memory/1696-1141-0x000000001CE30000-0x000000001CE6A000-memory.dmp

memory/1696-1140-0x000000001CDF0000-0x000000001CE14000-memory.dmp

memory/1696-1139-0x000000001CDF0000-0x000000001CE05000-memory.dmp

memory/1696-1144-0x000000001C0A0000-0x000000001C0AD000-memory.dmp

memory/1696-1143-0x000000001D1C0000-0x000000001D21C000-memory.dmp

memory/1696-1146-0x00000000006C0000-0x00000000006CB000-memory.dmp

memory/1696-1145-0x000000001C0A0000-0x000000001C0A9000-memory.dmp

memory/1696-1150-0x000000001CDF0000-0x000000001CE0A000-memory.dmp

memory/1696-1149-0x000000001CDF0000-0x000000001CE13000-memory.dmp

memory/1696-1185-0x000000001C0A0000-0x000000001C0A8000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\2F23D0F5E4D72862517E1CB26A329742_59C6B5742244136A08A70F9396A5A57A

MD5 5bfa51f3a417b98e7443eca90fc94703
SHA1 8c015d80b8a23f780bdd215dc842b0f5551f63bd
SHA256 bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128
SHA512 4cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399

memory/1696-1233-0x000000001CDF0000-0x000000001CE02000-memory.dmp

memory/1696-1261-0x000000001D1C0000-0x000000001D21C000-memory.dmp

memory/1696-1260-0x000000001C090000-0x000000001C0BF000-memory.dmp

memory/1696-1259-0x000000001CDF0000-0x000000001CE14000-memory.dmp

memory/1696-1258-0x000000001CDF0000-0x000000001CE05000-memory.dmp

memory/1696-1257-0x000000001C090000-0x000000001C0BF000-memory.dmp

memory/1696-1256-0x000000001C0A0000-0x000000001C0AF000-memory.dmp

memory/1696-1254-0x000000001D1C0000-0x000000001D216000-memory.dmp

memory/1696-1253-0x000000001C0A0000-0x000000001C0AE000-memory.dmp

memory/1696-1252-0x000000001C0A0000-0x000000001C0A9000-memory.dmp

memory/1696-1251-0x000000001D1C0000-0x000000001D216000-memory.dmp

memory/1696-1250-0x000000001D1C0000-0x000000001D23B000-memory.dmp

memory/1696-1249-0x000000001D1C0000-0x000000001D23B000-memory.dmp

memory/1696-1248-0x00000000006C0000-0x00000000006CA000-memory.dmp

memory/1696-1247-0x00000000006C0000-0x00000000006CA000-memory.dmp

memory/1696-1246-0x000000001C0A0000-0x000000001C0B0000-memory.dmp

memory/1696-1245-0x000000001CDF0000-0x000000001CE16000-memory.dmp

memory/1696-1244-0x000000001CDF0000-0x000000001CE05000-memory.dmp

memory/1696-1243-0x000000001C0A0000-0x000000001C0AC000-memory.dmp

memory/1696-1242-0x000000001CE30000-0x000000001CE75000-memory.dmp

memory/1696-1237-0x000000001D1C0000-0x000000001D217000-memory.dmp

memory/1696-1235-0x000000001C090000-0x000000001C0CE000-memory.dmp

memory/1696-1234-0x000000001C090000-0x000000001C0CE000-memory.dmp

memory/1696-1236-0x000000001D1C0000-0x000000001D217000-memory.dmp

memory/1696-1265-0x000000001D1C0000-0x000000001D249000-memory.dmp

memory/1696-1264-0x000000001D1C0000-0x000000001D249000-memory.dmp

memory/1696-1263-0x000000001C0A0000-0x000000001C0AD000-memory.dmp

memory/1696-1286-0x000000001C090000-0x000000001C0D7000-memory.dmp

memory/1696-1285-0x000000001C090000-0x000000001C0A5000-memory.dmp

memory/1696-1284-0x000000001C090000-0x000000001C0A7000-memory.dmp

memory/1696-1283-0x00000000006C0000-0x00000000006C7000-memory.dmp

memory/1696-1282-0x00000000006C0000-0x00000000006C7000-memory.dmp

memory/1696-1281-0x00000000006C0000-0x00000000006C7000-memory.dmp

memory/1696-1280-0x00000000006C0000-0x00000000006C7000-memory.dmp

memory/1696-1279-0x000000001C090000-0x000000001C0A2000-memory.dmp

memory/1696-1278-0x000000001C090000-0x000000001C0A2000-memory.dmp

memory/1696-1289-0x00000000006C0000-0x00000000006CB000-memory.dmp

memory/1696-1288-0x00000000006C0000-0x00000000006CB000-memory.dmp

memory/1696-1287-0x000000001C090000-0x000000001C0D7000-memory.dmp

memory/1696-1292-0x000000001C090000-0x000000001C0A9000-memory.dmp

memory/1696-1293-0x000000001C090000-0x000000001C0A9000-memory.dmp

memory/1696-1296-0x000000001C090000-0x000000001C0AB000-memory.dmp

memory/1696-1297-0x000000001C090000-0x000000001C0AB000-memory.dmp

memory/1696-1302-0x000000001D1C0000-0x000000001D23B000-memory.dmp

memory/1696-1301-0x00000000006C0000-0x00000000006CB000-memory.dmp

memory/1696-1300-0x000000001C090000-0x000000001C0CE000-memory.dmp

memory/1696-1299-0x000000001C090000-0x000000001C0CE000-memory.dmp

memory/1696-1305-0x00000000006C0000-0x00000000006CA000-memory.dmp

memory/1696-1306-0x00000000006C0000-0x00000000006CA000-memory.dmp

memory/1696-1307-0x000000001D1C0000-0x000000001D23B000-memory.dmp

\Program Files\ByteFence\x64\System.Data.SQLite.dll

MD5 e83262d8b431e2fe508bc4a113baff16
SHA1 45f849fa7471b6803c721d7c115a301e7d01ee3d
SHA256 96e8dad51e66b3ee02a5ff00a310fdbfa1d7946d1c92b40fd65acc55de10a738
SHA512 15e8e9f4acf2bc0456ae273d4e52243ebdc3dd6074fc20b2524b54b7aad436cd803c5618fa105464040c96acabf0b40cda15c98a2b78d28d3251cbbc3acf22ae

C:\Program Files\ByteFence\Cache\SR7636c6cfcda9a3c3ee8d5299ae532cf713299313

MD5 1d0652ab223524584775f521d970d751
SHA1 e53c558cee5ea7412ba8573190a9e32417d0daa5
SHA256 448feb63b52e9991e1e303e152132f4b46ec50869fb77cc0e92f16fa2df1657e
SHA512 f15b2e95573c430667bb765fe89c6b4200c09f7ae5cde3605a2db207ea6801e6fbc3954a14560b30b99fb5e744fc9890f84d8144deb24c4c68ac014267242ab1

\??\c:\program files\bytefence\bytefenceservice.installstate

MD5 4f130e22d88664a9fc01d4e1350ef1b5
SHA1 76504e0aeae03d51e2ce52a11d59f5ff18254d86
SHA256 b80d9b6e89383642c68bcb2285af4746101fa6470fccfccee210790fce79e9ab
SHA512 6777bc2866092dc417c37ebf3dfa64598c719e037316b69d816fb53e9c89a474a7b2f71cf937212574107a44c8efe035b838393fc9bef1d8c8ffec110dc9df30

C:\Program Files\ByteFence\Cache\SR0b5d5f4985fb1f10c66b94ca773929e01074e656

MD5 2e93c85fc0200a4e744a7b89ea9750c2
SHA1 323e2894651d113fbc35dffcc96ef6bf0c067d1c
SHA256 c5baec0104281edc0b67c3332e87fbdc646d96adaeec4ee7c200391b385bd9e5
SHA512 7009dcf7bafba26d4b31d6c809230cf58583011cb724d1a2a68e9b3cdd4269e5bba09a51e8e4aeb07d7c06c5ce082a02748111b9edab4a5b306e9eafe653681c

C:\Program Files\ByteFence\Cache\SR3cc2593f67ee97b0be39a741e16b835d76930170

MD5 11e274a1c8276a5df2465a94c42e56b7
SHA1 8a339e06e639fc92634617748585336bbabf3883
SHA256 31601bce798378c6f422915b922fac5d750badb520b943debddab2e081864cf0
SHA512 7846cd20038016185b5e7c246717cb2c23cc6d65c3abddb92ba441be32a35cf656ebb7795828314aaa623daa422532287ef23c2cff9d9e3e0af6dd7d7814045d

C:\Program Files\ByteFence\Cache\SR81359110f9daf626be21feed6a18c8f5c22c235c

MD5 2590b82662c13dcf3f35b230eb1e5580
SHA1 4a3aa85ca1e3ef15038ffd8de17f18d7812360a4
SHA256 6b678bcfac498621f1e60516d340f8d4b8054c8147e0c519c790b2ffdf486ca4
SHA512 ef841ce9ee8a3e31ad6adc580eb6d63c31bf83234017136f21f84446c93ae2c8f4f5bc31fc078c9bde47f33cda6e9e04fd9c96415919e640810da609317ba8b5

C:\Program Files\ByteFence\Cache\SR6daf46c2d3e18320d9a4aa60fc4bf1fb8427abe8

MD5 ec044c57f563412252f25faa2a73753b
SHA1 85e39e3e5f407dad44ed30197c0cea744c19d1b7
SHA256 ca70a4876ccf0ec134a8382f886d7cd62329c8dc4cdeb5d8f4b9ff5be8e6f90a
SHA512 ec9cc46659c9bf552446cb0a5105bb273f8603ae52ee229dbbd4f01649ed3e53d0bf7ffa4197c365f01df0b8f85d8a381ff10f69376ae679c0cbe9e7176a9115

C:\Program Files\ByteFence\Cache\SR5cce991ea888ffae04d593717f7c7a3411ef5aff

MD5 f50210d9416d187b03c07ad2c33bad97
SHA1 72551a5f95b97fbc731bf35e5696e2d306ba36a8
SHA256 c2d56645bd2d89e3f7985d8c2b644194a779f2401f2981a2ce094e7df6959b39
SHA512 79138642a6aab10b3827dac29ee809f7639cbf615395e00fd941de15ebc9c21c08c9a084f7acf151e44e1f4772564564cc6db963dd71fba2c4622d4b8c0c2e56

C:\Program Files\ByteFence\Cache\SRedb7b954ac306d50337cc191783c764c54255675

MD5 2866e0f61b470767af730c5b9c0af622
SHA1 8b0967602a6cdf657f04d423cd95e2bdf886104f
SHA256 acd632f4c734db5f08fdea7ed3824cade39e77b13c224965a3e31cb600fd8eec
SHA512 f356568ec3038033c70217ea1759f67deec1eca95a37208228eef9489a148f7c4360901a38d5e6d8562d79846dd0d4247f0305974569b33fa06f4a360f77e390

C:\Program Files\ByteFence\Cache\SRe81e6138fc3185fba4cc8827f4122403516011e5

MD5 4992e143f2b596c93e620ad3db562039
SHA1 f61f20b310b611e37491163658f7598d612ee2a6
SHA256 8e950300e559646937c67efe54ec49d88a5b7ad04835a2511b3c2a96623acb5b
SHA512 52871cf16910711574e1eb2c68721c3edab071a97277877cb3a713f58add255c32773e3af371f941e2e7adac1c75c3b4aee1981913f2a15f9813b138e20869ed

C:\Program Files\ByteFence\Cache\SRd1cbfbc3eab77fafae000de4b58a8301b0cca719

MD5 5d2d823be2d1940ffbfc3dfc6c8af257
SHA1 45205e7ac413a4cac58151f8ef67dcd766443c82
SHA256 1200d4c554c4f4e3c6dcb7626878ab54dfd0870483a60e2980cb9e165f56c471
SHA512 708ba5712db27bc3be4220bd6657b05c5de8ce252aa1c5e8a6a26e344a09a16007d44dc5ae340a9b3bdd87e3a8143c13d0a4d0c2bb6f5ed5ff049cfe8c4bd2b4

C:\Program Files\ByteFence\Cache\SRbe6a56b561319da5969d2854d1604a2a1413a746

MD5 6f09f587b6b2e2082910b3c38e3fbe3e
SHA1 6c565f0a50669c602644a273d2af37a0e10dfbe4
SHA256 b458e4ab1ef11469288236cb0308ba98a4187747fdef6d355514289658e889c6
SHA512 aee88be449f337c45ac978157e0036f5db19b3055dbbe4053f7d1c37e2a20f42fe47f00c683f9c5aafb0c7cf6f7b4959ef6bed1df2ec8e446c9cf97f9709b681

C:\Program Files\ByteFence\Cache\SR9f5a4796b58d8b104a1c0f5a63daf0032b947966

MD5 c4c7d0c175a7f34da8a47060632ffc62
SHA1 fc008e80cf32168780a67f59db0aa643174be981
SHA256 de0432b922f6685c1eae6a1fc6dc41bfe6481e6f7e478cbb830727c158a7eb8f
SHA512 3ba4f34d07c511de32ab303cd550bf29b0807c4d2261fff8a41901cfa5d645358ef801b7f5a4a009bbc5b6ffbce3651d311724e194d6bcb17e6e1837d08aa93f

C:\Program Files\ByteFence\Cache\SR9e7aeae1e6c2ec2003d35b7f1338027b7e39a5b7

MD5 0672bb77e5bc5cfec532037585f6b866
SHA1 bcd810e746d361b81fae53ff42b254aaf7f44016
SHA256 5edccfde0f31465499db7d27e5ef02b5588020134268a62e751638a989e0c470
SHA512 d189266b7706963f7f4cdfbc2a0d1c7f1aa73bc19ff87693b9fc63e009e161e14a33f531cde4441d8d55094f360b3075e65736b699e9f359e5f2c37494c0ee6f

C:\Program Files\ByteFence\Cache\SR98cc3b8f38311abfdf577be403ff9f74aa55f745

MD5 0e0a9533686763c59f14513dc950450f
SHA1 3e520fddb3bac112444fbc39eab6ba20e0bb60b0
SHA256 716233c45ce6df9abd90288e54f4523e8071b99c0a5cecfcacac5e28e75778eb
SHA512 f1d36d146c4da85bbc20a11a74dcc8234d51558eb8c2bcbce5095770b19c272eea78af6d9d4191ec90b3cb096fe1d62fa6f331e133b1ffb18a96feccc4d36a21

C:\Program Files\ByteFence\Cache\SR8bcb89cbdd3471e576d044c6e3fbea77d4f33020

MD5 700ddb84260dc4bcbb2c12a61ef42d3d
SHA1 1fc05175f05520f52d26d07ebce50f9204fc16ed
SHA256 f1acd834eb27a99d370e29e0a5f7d35f21ee0b6c96284850fb8db0ac6bc07d7f
SHA512 f757e2bab83ba59a400bdb64b65bb66ea18454369ec551a00a3dae044aa54121985b981b8ae3ca56c82dc0d1da758e309e350c2cad430b11cd71740ecd1bb56b

C:\Program Files\ByteFence\Cache\SR88daac0b40508822e58e251b9e83005d6dce7deb

MD5 eb693c9b28dca110cebe0efb0ddf428a
SHA1 7d354e5c2c6e5b3755184c7e677032b4dea03016
SHA256 b86a3494ef955d88d03356ebaaa3125bfb6182d1b1002dd3d96d39368a600650
SHA512 d79a800fe801e1a81f03c27a57f235f43b94d63443684c0ce331f0d0983b72b2870ba4e7a3c60cf6fd720132143490729ba3f2b06d43785900d719658ad95920

C:\Program Files\ByteFence\Cache\SR5b978fa62373a62dfe562729549f651ab42fadd5

MD5 79b228aabd056e9264b4fe474a6c2ddf
SHA1 598c9df5dcca0860244568132c46c54f45fccd21
SHA256 2415b9003c526c9549bc658c7d2748ebf0409096ace20fc750bd26757bf404c9
SHA512 42c95a4e0ccc5658c90977f932c19551d6f78d18b9eaf2e069a469431eb13052dfef3f7a7d64a9771364e6b6c133a897aba31cc417079b905702064841375a2c

C:\Program Files\ByteFence\Cache\SR5f2c1b67988654a1cf9d21fd177db11baa329bfb

MD5 ed9320b53058bbd7785cab8b03163815
SHA1 9b3ab0dd45112ac62ae83460d6b0062baac94568
SHA256 1581282d4589056a119c03f56ee76cc4fdfc8e6ff3bf3a198d69ea967ca3255e
SHA512 76d136d1fc64065899bdb2915616cd8df5c83759ffc5831b55d55869daa86c48ca72a40ce94b8b0b6d0b0a5bc1f386f778da3602ce6efa5ab79de76203832951

C:\Program Files\ByteFence\Cache\SR835e982347db919a681ba12f3891f62152e50f0d

MD5 4c30885b314375cdce7d98e82035d792
SHA1 5497d31a1bad80b9d75025d8180e83ce20b9ecd7
SHA256 a5f9b737bbd2b8a653652e1e6784988a31ad94026976b4286844c91de896e798
SHA512 7452e989a24366ea0ec9b1bff6bc4f28a2855213962cfb49c9bd6270c76d96b7d5c5424b18ce40e6bce81d7d2306e77eb80c345112cee71e258a9772a3555661

C:\Program Files\ByteFence\Cache\SR7eb0139d2175739b3ccb0d1110067820be6abd29

MD5 baf7cf82fdd38c64b63267337ca77213
SHA1 4c717d7cbf7c4c455a169f3c27cf1e47013b7b27
SHA256 33f87d43d72224031bbc6fa4699ca3a01ee991de32b8aa6705b92bf3949a2c33
SHA512 0e47bf647dc76b728bb838abbb9278a9ebe6d5972515ec6e1db7d0c5c961c5d5835cca19a2875ddb6c8a05960b71ab8d54dbf0e6a262ccfc1037f69169b51a45

C:\Program Files\ByteFence\Cache\SRf8ffa7825a628ae2d3be6d1a82281985f8029427

MD5 d0da74a877fe8efc21a3cf156d424489
SHA1 a1c28828a9de39c5bddf30e18dee096d87899354
SHA256 8ab05a5c299c2db4dd182b6af8214b40e3a7586ce8316fc420cec76ac0a29db9
SHA512 fd8bb47bce5dc243cb0575b827e12d9f4f2457878296ba1a3afae297150e7c36f466baabbe04a78dc08920f57054b4b530194b980f25ed6850269caa7cc9299d

C:\Program Files\ByteFence\Cache\SR768ec16982ac19d4ada5b740bcae740a46c294e1

MD5 a45298071f74977335f063d221ba8296
SHA1 1239467c10e98610b46967477e3b1f99e6a98437
SHA256 7e0245a4acdd63546d438744d47f9a488ac283a9a864271e2c4bee0a0c8d604f
SHA512 a69f946f056b3989ff362621b7937bb2594c5e7340f9e0d19a7ce5dbea04ac74709454b8edb6070ba011dba03e21f1ebbc238a1a10ac0273ba7befc94cd8c2fd

C:\Program Files\ByteFence\Cache\SR1b82498270f06a06e6ae63a3d3204a630f21f23a

MD5 80ecd32cb58e407e9d18ca515d4a67c9
SHA1 1f546af600d4fe3578920ee183aedf6a338d6d24
SHA256 cb32388840b9b4669aa6e4ee09c2dbb9d568c6526ab290ddd2e5a708f6de3764
SHA512 4f3e89d9cb39b4ae5c5f4454b3c3c219747b9d8a8051e01248f20018c80c49b9c10c4935521c64cb11cd17da2af88e9679a7c6c774c31409267dacb72e47b643

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5be5977422a4b524a2006c5e5454645c
SHA1 3dc6d1475047a3a56acb1179c188828ff968e84a
SHA256 dcf3a986cc3536f4b7e4fe9e8436a7af5a797231f3945df6547a8e8f863ffa90
SHA512 11efa264251bb6661385285188b48a2585c9c4eed76ca3c9c9e89a461f22606c08646ee6d9aa22d1fc765cc8dfbd2fb151adea3366d0cf6b3f11bdef2fc4f287

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 a266bb7dcc38a562631361bbf61dd11b
SHA1 3b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256 df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA512 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 13d055f9956c3ce94edc67c773d2477c
SHA1 52282ccac9fcd693f5c65c02a27366517fb31e1d
SHA256 e0b9a330c5085829554a8d1cdf9652f0b8d5fc89183ead88f2fa69d097aae174
SHA512 080849b1e23dfc10fe5bcf389a2161968cda9c0b59677015d2d2a122347fc9c42c28df7a8a78304c8c62a61fe495dc263d2562506175bf353515f55a1dba1179

\??\c:\program files\bytefence\Logs\err.dat

MD5 5d7986fe6e3939eb454ddc7bdb15af85
SHA1 f608ccc869407385bfc5b280922816f0d28772a4
SHA256 f87cc7443f2037203c495cf291f3d8c4c8d515302e93caece004fc20947c62fb
SHA512 1d3393c2be36f53983fb8f0ed2c60ba6ceb4cb482de13a3e1577bf4c4b8bfc6354685cccf37acbdb7a5ec15ab13b9e1fdca29b1bd9500fa7fa13d3dd34521136

\??\c:\program files\bytefence\Errors.dat

MD5 c7acfc06950e688b282cf9db0458fc8f
SHA1 b5e5798d500cb4065d1d25b2887e0f932271db61
SHA256 3530869e7bfc906661cb94bd96f0feb6b81281fa4e702ac1687e1cdb94d3fcde
SHA512 d0083400f8a519979d495547c95c9d96344e7922d05c3ae21cef7180c08e079b2b2518ad0737d6cd3b3a234684f2a78395f6bbd6769120516bffe1052d88a498

Analysis: behavioral8

Detonation Overview

Submitted

2024-06-01 07:37

Reported

2024-06-01 07:40

Platform

win10v2004-20240426-en

Max time kernel

134s

Max time network

141s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3608 wrote to memory of 368 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3608 wrote to memory of 368 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3608 wrote to memory of 368 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 368 -ip 368

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 368 -s 636

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 2.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-06-01 07:37

Reported

2024-06-01 07:40

Platform

win10v2004-20240508-en

Max time kernel

148s

Max time network

157s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsExec.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1380 wrote to memory of 2696 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1380 wrote to memory of 2696 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1380 wrote to memory of 2696 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsExec.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsExec.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2696 -ip 2696

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2696 -s 620

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 99.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.155:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 155.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 52.111.229.48:443 tcp
US 8.8.8.8:53 99.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 24.73.42.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2024-06-01 07:37

Reported

2024-06-01 07:40

Platform

win7-20240221-en

Max time kernel

117s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ByteFenceGUI.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ByteFenceGUI.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral20

Detonation Overview

Submitted

2024-06-01 07:37

Reported

2024-06-01 07:40

Platform

win10v2004-20240508-en

Max time kernel

148s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ByteFenceService.exe"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ByteFenceService.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ByteFenceService.exe

"C:\Users\Admin\AppData\Local\Temp\ByteFenceService.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 24.73.42.20.in-addr.arpa udp

Files

memory/1268-0-0x00007FFD3E845000-0x00007FFD3E846000-memory.dmp

memory/1268-1-0x00007FFD3E590000-0x00007FFD3EF31000-memory.dmp

memory/1268-2-0x00007FFD3E590000-0x00007FFD3EF31000-memory.dmp

memory/1268-3-0x000000001B0A0000-0x000000001B0B8000-memory.dmp

memory/1268-4-0x000000001BCE0000-0x000000001C206000-memory.dmp

memory/1268-5-0x00007FFD3E590000-0x00007FFD3EF31000-memory.dmp

memory/1268-6-0x000000001B710000-0x000000001B730000-memory.dmp

memory/1268-7-0x00007FFD3E590000-0x00007FFD3EF31000-memory.dmp

memory/1268-9-0x00007FFD3E590000-0x00007FFD3EF31000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2024-06-01 07:37

Reported

2024-06-01 07:40

Platform

win10v2004-20240226-en

Max time kernel

167s

Max time network

175s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bytefence-installer-5.4.1.3.exe"

Signatures

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\bytefence-installer-5.4.1.3.exe

"C:\Users\Admin\AppData\Local\Temp\bytefence-installer-5.4.1.3.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1316 --field-trial-handle=2280,i,11703952675008463361,17436195144517971517,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
GB 23.44.234.16:80 tcp
US 13.107.253.64:443 tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 164.189.21.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 24.73.42.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\nse8F8A.tmp\nsDialogs.dll

MD5 eac1c3707970fe7c71b2d760c34763fa
SHA1 f275e659ad7798994361f6ccb1481050aba30ff8
SHA256 062c75ad650548750564ffd7aef8cd553773b5c26cae7f25a5749b13165194e3
SHA512 3415bd555cf47407c0ae62be0dbcba7173d2b33a371bf083ce908fc901811adb888b7787d11eb9d99a1a739cbd9d1c66e565db6cd678bdadaf753fbda14ffd09

C:\Users\Admin\AppData\Local\Temp\nse8F8A.tmp\System.dll

MD5 b0c77267f13b2f87c084fd86ef51ccfc
SHA1 f7543f9e9b4f04386dfbf33c38cbed1bf205afb3
SHA256 a0cac4cf4852895619bc7743ebeb89f9e4927ccdb9e66b1bcd92a4136d0f9c77
SHA512 f2b57a2eea00f52a3c7080f4b5f2bb85a7a9b9f16d12da8f8ff673824556c62a0f742b72be0fd82a2612a4b6dbd7e0fdc27065212da703c2f7e28d199696f66e

Analysis: behavioral22

Detonation Overview

Submitted

2024-06-01 07:37

Reported

2024-06-01 07:40

Platform

win10v2004-20240508-en

Max time kernel

91s

Max time network

104s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Microsoft.Diagnostics.Tracing.TraceEvent.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Microsoft.Diagnostics.Tracing.TraceEvent.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 52.111.229.43:443 tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral28

Detonation Overview

Submitted

2024-06-01 07:37

Reported

2024-06-01 07:40

Platform

win7-20240221-en

Max time kernel

117s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\protobuf-net.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\protobuf-net.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral29

Detonation Overview

Submitted

2024-06-01 07:37

Reported

2024-06-01 07:40

Platform

win10v2004-20240226-en

Max time kernel

163s

Max time network

175s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\protobuf-net.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\protobuf-net.dll,#1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4068 --field-trial-handle=2256,i,6670388345726423024,18382795228658886258,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 20.231.121.79:80 tcp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
GB 172.217.169.42:443 chromewebstore.googleapis.com tcp
US 8.8.8.8:53 42.169.217.172.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 208.143.182.52.in-addr.arpa udp

Files

N/A