0532411d15ff23b27d4f5306264a32e972c0181dcb5ca0fe8a9b6694a2280369

Analysis

max time kernel
130s
max time network
135s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
28-01-2024 10:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7cf0b940c39b45217b214ff26e78587f.exe
Size

23.6MB
MD5

7cf0b940c39b45217b214ff26e78587f
SHA1

cf21bb7712bdae111632c7a13940351b491343a9
SHA256

0532411d15ff23b27d4f5306264a32e972c0181dcb5ca0fe8a9b6694a2280369
SHA512

896224451ad2c44b0429fc6ce5785476ba1b1527beb9a870630f964ca349064232b45e3d648836b791098fd4888b769f6065aefef306451a67bd38a8537279da
SSDEEP

393216:uAP1dyZTDeIRs4dpRhFrjclKdBIYcDJADjOSY1OTlWG80rY3jVMQZTAkWmGN7:b1qDeIRLFrIsNIC3OSVW6c3vTAtv

Score

10^/10

evasion trojan vmprotect

Malware Config

Signatures

Modifies security service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Processes:

Defender.exeDefender.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "3"	Defender.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "3"	Defender.exe

Drops startup file 6 IoCs

Processes:

7cf0b940c39b45217b214ff26e78587f.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bypass.exe	7cf0b940c39b45217b214ff26e78587f.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bypass.exe	7cf0b940c39b45217b214ff26e78587f.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Defender.exe	7cf0b940c39b45217b214ff26e78587f.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Defender.exe	7cf0b940c39b45217b214ff26e78587f.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Process.exe	7cf0b940c39b45217b214ff26e78587f.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Process.exe	7cf0b940c39b45217b214ff26e78587f.exe

Executes dropped EXE 3 IoCs

Processes:

Bypass.exeDefender.exeDefender.exe

pid process

1052 Bypass.exe
1044 Defender.exe
1568 Defender.exe

pid	process
1052	Bypass.exe
1044	Defender.exe
1568	Defender.exe

Loads dropped DLL 26 IoCs

Processes:

7cf0b940c39b45217b214ff26e78587f.exe7cf0b940c39b45217b214ff26e78587f.exeBypass.exe

pid	process
2596	7cf0b940c39b45217b214ff26e78587f.exe
2596	7cf0b940c39b45217b214ff26e78587f.exe
2596	7cf0b940c39b45217b214ff26e78587f.exe
2596	7cf0b940c39b45217b214ff26e78587f.exe
2596	7cf0b940c39b45217b214ff26e78587f.exe
2596	7cf0b940c39b45217b214ff26e78587f.exe
2596	7cf0b940c39b45217b214ff26e78587f.exe
2596	7cf0b940c39b45217b214ff26e78587f.exe
2596	7cf0b940c39b45217b214ff26e78587f.exe
2596	7cf0b940c39b45217b214ff26e78587f.exe
2596	7cf0b940c39b45217b214ff26e78587f.exe
2596	7cf0b940c39b45217b214ff26e78587f.exe
1020	7cf0b940c39b45217b214ff26e78587f.exe
1020	7cf0b940c39b45217b214ff26e78587f.exe
1020	7cf0b940c39b45217b214ff26e78587f.exe
1020	7cf0b940c39b45217b214ff26e78587f.exe
1020	7cf0b940c39b45217b214ff26e78587f.exe
1020	7cf0b940c39b45217b214ff26e78587f.exe
1020	7cf0b940c39b45217b214ff26e78587f.exe
1020	7cf0b940c39b45217b214ff26e78587f.exe
1020	7cf0b940c39b45217b214ff26e78587f.exe
1020	7cf0b940c39b45217b214ff26e78587f.exe
1020	7cf0b940c39b45217b214ff26e78587f.exe
1020	7cf0b940c39b45217b214ff26e78587f.exe
1020	7cf0b940c39b45217b214ff26e78587f.exe
1052	Bypass.exe

VMProtect packed file 2 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\_MEI26042\Defender.exe	vmprotect
C:\Users\Admin\AppData\Local\Temp\_MEI26042\Process.exe	vmprotect

Windows security modification 2 TTPs 4 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

Defender.exeDefender.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection	Defender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\DisableAntiSpyware = "1"	Defender.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection	Defender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	Defender.exe

Drops file in System32 directory 2 IoCs

Processes:

Defender.exe

description	ioc	process
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	Defender.exe
File opened for modification	C:\Windows\System32\GroupPolicy\gpt.ini	Defender.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

Defender.exe

pid process

1044 Defender.exe
1044 Defender.exe
1044 Defender.exe
1044 Defender.exe
1044 Defender.exe
1044 Defender.exe
1044 Defender.exe

pid	process
1044	Defender.exe
1044	Defender.exe
1044	Defender.exe
1044	Defender.exe
1044	Defender.exe
1044	Defender.exe
1044	Defender.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

Bypass.exeDefender.exe

description	pid	process
Token: SeDebugPrivilege	1052	Bypass.exe
Token: SeDebugPrivilege	1044	Defender.exe
Token: SeAssignPrimaryTokenPrivilege	1044	Defender.exe
Token: SeIncreaseQuotaPrivilege	1044	Defender.exe
Token: 0	1044	Defender.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

7cf0b940c39b45217b214ff26e78587f.exe7cf0b940c39b45217b214ff26e78587f.exe7cf0b940c39b45217b214ff26e78587f.exe7cf0b940c39b45217b214ff26e78587f.exeBypass.exe

C:\Users\Admin\AppData\Local\Temp\7cf0b940c39b45217b214ff26e78587f.exe
"C:\Users\Admin\AppData\Local\Temp\7cf0b940c39b45217b214ff26e78587f.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1280
- C:\Users\Admin\AppData\Local\Temp\7cf0b940c39b45217b214ff26e78587f.exe
  "C:\Users\Admin\AppData\Local\Temp\7cf0b940c39b45217b214ff26e78587f.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2596
- - C:\Users\Admin\AppData\Local\Temp\7cf0b940c39b45217b214ff26e78587f.exe
    "C:\Users\Admin\AppData\Local\Temp\7cf0b940c39b45217b214ff26e78587f.exe" C:\Users\Admin\AppData\Local\Temp\7cf0b940c39b45217b214ff26e78587f.exe asadmin
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2604
  - - C:\Users\Admin\AppData\Local\Temp\7cf0b940c39b45217b214ff26e78587f.exe
      "C:\Users\Admin\AppData\Local\Temp\7cf0b940c39b45217b214ff26e78587f.exe" C:\Users\Admin\AppData\Local\Temp\7cf0b940c39b45217b214ff26e78587f.exe asadmin
      4⤵
      Drops startup file
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1020
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bypass.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bypass.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1052
      - C:\Users\Admin\AppData\Local\Temp\Defender.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Defender.exe" /D
        6⤵
        Modifies security service
        Executes dropped EXE
        Windows security modification
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1044
        
        C:\Users\Admin\AppData\Local\Temp\Defender.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Defender.exe" /SYS 1
        7⤵
        Modifies security service
        Executes dropped EXE
        Windows security modification
        
        PID:1568

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:1716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI12802\VCRUNTIME140.dll

Filesize
74KB

MD5
87dd91c56be82866bf96ef1666f30a99

SHA1
3b78cb150110166ded8ea51fbde8ea506f72aeaf

SHA256
49b0fd1751342c253cac588dda82ec08e4ef43cebc5a9d80deb7928109b90c4f

SHA512
58c3ec6761624d14c7c897d8d0842dbeab200d445b4339905dac8a3635d174cdfb7b237d338d2829bc6c602c47503120af5be0c7de6abf2e71c81726285e44d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12802\_bz2.pyd

Filesize
78KB

MD5
aaf8987c856cf8bef5e4d44f988faf9b

SHA1
74c6969fc3260da77f415814da11aa73e145b7b8

SHA256
01182e4ad15a5255213dcdd193eba94243732ffdf531a55dfea7e9aab155003f

SHA512
730d5b05bc5acd57c2834024e4ca4b71f556f1d711dc840500687b92f302039e9c9108f4ed1752d788c3b1f987aa0f3ec602f1987119439cf150636d0eb3852d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12802\_ctypes.pyd

Filesize
115KB

MD5
01c6a2525adad89427d5b03673f5de18

SHA1
6762cfad8dba498526272289322d297b88b8eb03

SHA256
bbf6d32fd8159e7c55ab2e49fddd810985268af5f47a3fcf00b11103ab0ce033

SHA512
6ad151dc8d154357081254bbd3cad876c0139a6fe3b7c8eb482492f7c9dad20f834a6215b7877c8d62608741f87591f0d776d51a90d588526badf9ba950c28c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12802\_lzma.pyd

Filesize
156KB

MD5
58e39c90bf8ceeb6744bc6f8c895bafa

SHA1
e79f327daa2b02f70517785a8369a2257bc98511

SHA256
d7b50ef280e7218bf839f6020ddd353de89f627c4daccccd12290bf1d57ed7e2

SHA512
ee5ec80768d6d1c36c2b4b7126addb5174a9733bd32e51e94e6a0e1fc6c852bc262f775e44e91d09897eb62708314d9add6e81685fcbf0f803ebbbb40ccb2322

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12802\_socket.pyd

Filesize
68KB

MD5
62cbc5049fb9ae6bc54655daa36896e3

SHA1
51e16526c8d03f00ad2d4dc6e5f6aa136ec95061

SHA256
2d4926b1f7ce0660bb452528f914abdff9a56429d835ca4437b5e50e24830aa0

SHA512
df9d0eb431a32d71437135bd8f95e9f6be0983f4497cead6a39fb265be4f2167a970b7e380569559a09cba426ca09f66351768952b0967799a7e3f7a697a06ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12802\base_library.zip

Filesize
760KB

MD5
174bb26af0a7c7669d1fb2e54d150971

SHA1
ef1ac2b122265f0bca3f776b6ae2a7becc276c35

SHA256
02f81520a69cf2a1d901755f61c139f67b6e727ddcd91c46f89b74fb882d6cf6

SHA512
ed4f08dbefc4a9b5a4b0051d10fb2efa80add6cf9fab258d8b1f83bcc249a1171146e89716699a3f3ad067a23f04dda28b6f7d9cf1bdcd23b945d97751f8ed19

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12802\libffi-7.dll

Filesize
28KB

MD5
bc20614744ebf4c2b8acd28d1fe54174

SHA1
665c0acc404e13a69800fae94efd69a41bdda901

SHA256
0c7ec6de19c246a23756b8550e6178ac2394b1093e96d0f43789124149486f57

SHA512
0c473e7070c72d85ae098d208b8d128b50574abebba874dda2a7408aea2aabc6c4b9018801416670af91548c471b7dd5a709a7b17e3358b053c37433665d3f6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12802\python38.dll

Filesize
3.9MB

MD5
c0e8d2836de32a57da655be8cdee3baf

SHA1
745a3a0083b50ed870f0f906df6b73a305b45082

SHA256
e51e560d8d4a3d3e04edb5137da83bf7819cfa18c0439d5afe65848ff9c189ab

SHA512
065b3893942331f72893da391bb9bfcc8c670332c94c52f4a6a09f8960e482c462c7e89620f3950182051624490a2e3b7de65f49a0dfe184537c4a9c476d36a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12802\pythoncom38.dll

Filesize
415KB

MD5
ba03e764a5cf403c9161a46adf02b86e

SHA1
767871753b139c7da22f0d9648e7bdcaaa7efcb6

SHA256
7baec45074608ea6d03967f69b5aa1c11125002da82a1211907e04c321b827f4

SHA512
72efbf8335cfa4ca561779b49272dda8f9f8793d9a4f2a45b49a7967b56940fb05faac748dd5a90257bc406c36b7cb145145420beb24e296596b4acda5472ce0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12802\pywintypes38.dll

Filesize
113KB

MD5
3206cf4cd05b9e993a822c0dac05b1d0

SHA1
f49e809fb19bc1e24f1a7904663375554bd4d5cd

SHA256
9a3b70353bb9346bf1ecd2784164feaf6dbc9cb969298091f549ef8269aef930

SHA512
a6a4aa66e264e2438df573d31da0827650f48f4877ecabf391d284c99019e041f3333a708e2657ffc565b0cb9933d9c7a77b3726b8f4ec0dda5da3c5e8ab68c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12802\select.pyd

Filesize
24KB

MD5
b76401951c64387136739bcbb319daad

SHA1
9e3aeec14e545e380dbbc8a380890891bcca6b39

SHA256
4e4fc6b3db6be0b3d814e2149ff13c91ddbddce1349b73e90743625fa2bc896e

SHA512
65c1ccf54ed19aa26649bf593f935bf7a243a057f04fded72d3b6df6498ab4f0ed0a6d9c7c968c14add0c576317526529dcbc6b736b74c330b452248db32c65b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12802\win32api.pyd

Filesize
102KB

MD5
2866bf1a085564a0f63b76173943ba64

SHA1
caf810657651b1ec3f667a671e8f9307eeea98b7

SHA256
3021294b610e01abd37289ddbe2bf0507e7de3fcb678e07525ec4e0892747955

SHA512
d1090831ba6d06c09f1dfe2790b435020854e328f9826937244c13cddb1080cab35f3679ab34eb44d88f9becf4ccf933cd2ebe1b5cc853758bfa9bc04b002068

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12802\win32com\shell\shell.pyd

Filesize
392KB

MD5
25b02b51bc927b39fb5bb7c7caeba4d9

SHA1
bc8728093de7b1bfd9ff67ec27d5038a6ff63cf4

SHA256
8d29f88413d6351d9d36e7ce10243164c0c37ff484baa20752de50db39ef1b27

SHA512
84753eefc133b85f9c75bb3041cba8f4b35e7689b154ebc8dcca172e1017f3fb2233cd1e24327482d253fdbff3b45bda0ae616af8d2a5b984ad4a9c63cf64942

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26042\Bypass.exe

Filesize
621KB

MD5
22709abae1f01d878942f391cabedd91

SHA1
afbdaed36dbfb2697df1f495fa878f87d5eb886d

SHA256
8fcfde3960b39846c6c20f876df883dd18ad68a8e915a9adf52ddc7d0289ffbf

SHA512
08accd27d7bdbd742c8d64a53ad40125cb848566bf6dd56e705647c99196861d4c779a040996f74d8b603f46d4a203f05636d34e02942efda5dd2615ebabdcb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26042\Defender.exe

Filesize
27KB

MD5
be01c2535fc4eb5a1dd5e27c8f022b0b

SHA1
54ce39c993bb15cf4c7954073d35acabacf0aacc

SHA256
fbbc40ab508b9fc77d0b17322caacd97eb9011eb0a93ba5629985fae265a54c8

SHA512
a3b8560656a78f0fd5d1d21585c6458989b3309972554120481c810e9a53ef8466690f32c562c3c33e64e93dde8841b4e6f2590e2a8c6051f8be41770f60bca5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26042\Process.exe

Filesize
5.1MB

MD5
e45ec446aff1a32b03c47d5240c94902

SHA1
0f9055f732a8c66406a5becb9ae7b89d42d1a129

SHA256
2b1412f56d4356e96d4563957cb22a2025e19066de0b335314ce045540eaa6d3

SHA512
3ef70f8dfdcbfaad0391812e11e4fc66e02940ff42664f2eea786c231e864acb9854c7b867d1edf92775926a7c4dd464f39d0380cdb902784a8fdeac54f70316

Download Submit
C:\Windows\System32\GroupPolicy\gpt.ini

Filesize
233B

MD5
cd4326a6fd01cd3ca77cfd8d0f53821b

SHA1
a1030414d1f8e5d5a6e89d5a309921b8920856f9

SHA256
1c59482111e657ef5190e22de6c047609a67e46e28d67fd70829882fd8087a9c

SHA512
29ce5532fb3adf55caa011e53736507fbf241afee9d3ca516a1d9bffec6e5cb2f87c4cd73e4da8c33b8706f96ba3b31f13ce229746110d5bd248839f67ec6d67

Download Submit
C:\Windows\Temp\ehnhico

Filesize
37KB

MD5
4f4cfdec02b700d2582f27f6943a1f81

SHA1
37027566e228abba3cc596ae860110638231da14

SHA256
18a13223c2587bc03ce14be7a63325f3c60d6f805e1bb96e32025ecdc1d620b7

SHA512
146128ecb8bc682510a92f58cea58bfed68a215438d235b1b79ad6e0ef1f0f6a6b9400c7b83d70ddf7d8a22a5bcaca17b6532650192b4448e811dd7b4335b592

Download Submit
\Users\Admin\AppData\Local\Temp\Defender.exe

Filesize
802KB

MD5
ac34ba84a5054cd701efad5dd14645c9

SHA1
dc74a9fd5560b7c7a0fc9d183de9d676e92b9e8b

SHA256
c576f7f55c4c0304b290b15e70a638b037df15c69577cd6263329c73416e490e

SHA512
df491306a3c8ddb580b7cca1dce9e22a87fd43ca3632f3630cdcbe114bef243e847b2ce774d688f6e142516f2e0fc49d30fad7c7168e627523da21e2fe06836a

Download Submit
memory/1052-146-0x0000000073BD0000-0x00000000742BE000-memory.dmp

Filesize
6.9MB

Download
memory/1052-145-0x0000000001120000-0x00000000011C2000-memory.dmp

Filesize
648KB

Download
memory/1052-147-0x0000000000D00000-0x0000000000D40000-memory.dmp

Filesize
256KB

Download
memory/1052-148-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/1052-149-0x0000000004B80000-0x0000000004C50000-memory.dmp

Filesize
832KB

Download
memory/1052-183-0x0000000073BD0000-0x00000000742BE000-memory.dmp

Filesize
6.9MB

Download

description	pid	process	target process
PID 1280 wrote to memory of 2596	1280	7cf0b940c39b45217b214ff26e78587f.exe	7cf0b940c39b45217b214ff26e78587f.exe
PID 1280 wrote to memory of 2596	1280	7cf0b940c39b45217b214ff26e78587f.exe	7cf0b940c39b45217b214ff26e78587f.exe
PID 1280 wrote to memory of 2596	1280	7cf0b940c39b45217b214ff26e78587f.exe	7cf0b940c39b45217b214ff26e78587f.exe
PID 1280 wrote to memory of 2596	1280	7cf0b940c39b45217b214ff26e78587f.exe	7cf0b940c39b45217b214ff26e78587f.exe
PID 2596 wrote to memory of 2604	2596	7cf0b940c39b45217b214ff26e78587f.exe	7cf0b940c39b45217b214ff26e78587f.exe
PID 2596 wrote to memory of 2604	2596	7cf0b940c39b45217b214ff26e78587f.exe	7cf0b940c39b45217b214ff26e78587f.exe
PID 2596 wrote to memory of 2604	2596	7cf0b940c39b45217b214ff26e78587f.exe	7cf0b940c39b45217b214ff26e78587f.exe
PID 2596 wrote to memory of 2604	2596	7cf0b940c39b45217b214ff26e78587f.exe	7cf0b940c39b45217b214ff26e78587f.exe
PID 2604 wrote to memory of 1020	2604	7cf0b940c39b45217b214ff26e78587f.exe	7cf0b940c39b45217b214ff26e78587f.exe
PID 2604 wrote to memory of 1020	2604	7cf0b940c39b45217b214ff26e78587f.exe	7cf0b940c39b45217b214ff26e78587f.exe
PID 2604 wrote to memory of 1020	2604	7cf0b940c39b45217b214ff26e78587f.exe	7cf0b940c39b45217b214ff26e78587f.exe
PID 2604 wrote to memory of 1020	2604	7cf0b940c39b45217b214ff26e78587f.exe	7cf0b940c39b45217b214ff26e78587f.exe
PID 1020 wrote to memory of 1052	1020	7cf0b940c39b45217b214ff26e78587f.exe	Bypass.exe
PID 1020 wrote to memory of 1052	1020	7cf0b940c39b45217b214ff26e78587f.exe	Bypass.exe
PID 1020 wrote to memory of 1052	1020	7cf0b940c39b45217b214ff26e78587f.exe	Bypass.exe
PID 1020 wrote to memory of 1052	1020	7cf0b940c39b45217b214ff26e78587f.exe	Bypass.exe
PID 1052 wrote to memory of 1044	1052	Bypass.exe	Defender.exe
PID 1052 wrote to memory of 1044	1052	Bypass.exe	Defender.exe
PID 1052 wrote to memory of 1044	1052	Bypass.exe	Defender.exe
PID 1052 wrote to memory of 1044	1052	Bypass.exe	Defender.exe