Malware Analysis Report

2024-10-10 13:07

Sample ID 240621-vs7cysybph
Target дсрат.exe
SHA256 0f6b00ebfc4324cf4feb87bad29724c3f2c9723c84af4bf4d086352925bf06b7
Tags
dcrat lumma evasion infostealer rat spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

0f6b00ebfc4324cf4feb87bad29724c3f2c9723c84af4bf4d086352925bf06b7

Threat Level: Known bad

The file дсрат.exe was found to be: Known bad.

Malicious Activity Summary

dcrat lumma evasion infostealer rat spyware stealer trojan

DcRat

Windows security bypass

Lumma Stealer

DCRat payload

Deletes itself

Reads user/profile data of web browsers

Executes dropped EXE

Suspicious use of SetThreadContext

Drops autorun.inf file

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

Modifies registry class

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-21 17:16

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-21 17:16

Reported

2024-06-21 17:17

Platform

win10-20240404-en

Max time kernel

50s

Max time network

72s

Command Line

"C:\Users\Admin\AppData\Local\Temp\дсрат.exe"

Signatures

DcRat

rat infostealer dcrat

Lumma Stealer

stealer lumma

Windows security bypass

evasion trojan

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\system32\reg.exe N/A

DCRat payload

rat

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\ProgramData\SoftwareDistribution\Bypass.exe N/A

Reads user/profile data of web browsers

spyware stealer

Drops autorun.inf file

Description Indicator Process Target
File opened for modification C:\Windows\BitLockerDiscoveryVolumeContents\autorun.inf C:\ProgramData\SoftwareDistribution\Bypass.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2412 set thread context of 3580 N/A C:\Users\Admin\AppData\Local\Temp\Loader\Loader.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Drops file in Program Files directory

Description Indicator Process Target

Drops file in Windows directory

Description Indicator Process Target

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\дсрат.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\ProgramData\SoftwareDistribution\Bypass.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\дсрат.exe N/A
N/A N/A C:\Windows\System32\WScript.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1884 wrote to memory of 1392 N/A C:\Users\Admin\AppData\Local\Temp\дсрат.exe C:\Windows\System32\WScript.exe
PID 1884 wrote to memory of 1392 N/A C:\Users\Admin\AppData\Local\Temp\дсрат.exe C:\Windows\System32\WScript.exe
PID 1884 wrote to memory of 4264 N/A C:\Users\Admin\AppData\Local\Temp\дсрат.exe C:\Windows\system32\cmd.exe
PID 1884 wrote to memory of 4264 N/A C:\Users\Admin\AppData\Local\Temp\дсрат.exe C:\Windows\system32\cmd.exe
PID 1884 wrote to memory of 3604 N/A C:\Users\Admin\AppData\Local\Temp\дсрат.exe C:\Users\Admin\AppData\Local\Temp\Loader\Bypass.exe
PID 1884 wrote to memory of 3604 N/A C:\Users\Admin\AppData\Local\Temp\дсрат.exe C:\Users\Admin\AppData\Local\Temp\Loader\Bypass.exe
PID 4264 wrote to memory of 2412 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\Loader\Loader.exe
PID 4264 wrote to memory of 2412 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\Loader\Loader.exe
PID 4264 wrote to memory of 2412 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\Loader\Loader.exe
PID 4264 wrote to memory of 1952 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4264 wrote to memory of 1952 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4264 wrote to memory of 3596 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4264 wrote to memory of 3596 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3604 wrote to memory of 5080 N/A C:\Users\Admin\AppData\Local\Temp\Loader\Bypass.exe C:\ProgramData\SoftwareDistribution\Bypass.exe
PID 3604 wrote to memory of 5080 N/A C:\Users\Admin\AppData\Local\Temp\Loader\Bypass.exe C:\ProgramData\SoftwareDistribution\Bypass.exe
PID 2412 wrote to memory of 4452 N/A C:\Users\Admin\AppData\Local\Temp\Loader\Loader.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2412 wrote to memory of 4452 N/A C:\Users\Admin\AppData\Local\Temp\Loader\Loader.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2412 wrote to memory of 4452 N/A C:\Users\Admin\AppData\Local\Temp\Loader\Loader.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2412 wrote to memory of 5044 N/A C:\Users\Admin\AppData\Local\Temp\Loader\Loader.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2412 wrote to memory of 5044 N/A C:\Users\Admin\AppData\Local\Temp\Loader\Loader.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2412 wrote to memory of 5044 N/A C:\Users\Admin\AppData\Local\Temp\Loader\Loader.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2412 wrote to memory of 3580 N/A C:\Users\Admin\AppData\Local\Temp\Loader\Loader.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2412 wrote to memory of 3580 N/A C:\Users\Admin\AppData\Local\Temp\Loader\Loader.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2412 wrote to memory of 3580 N/A C:\Users\Admin\AppData\Local\Temp\Loader\Loader.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2412 wrote to memory of 3580 N/A C:\Users\Admin\AppData\Local\Temp\Loader\Loader.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2412 wrote to memory of 3580 N/A C:\Users\Admin\AppData\Local\Temp\Loader\Loader.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2412 wrote to memory of 3580 N/A C:\Users\Admin\AppData\Local\Temp\Loader\Loader.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2412 wrote to memory of 3580 N/A C:\Users\Admin\AppData\Local\Temp\Loader\Loader.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2412 wrote to memory of 3580 N/A C:\Users\Admin\AppData\Local\Temp\Loader\Loader.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2412 wrote to memory of 3580 N/A C:\Users\Admin\AppData\Local\Temp\Loader\Loader.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4264 wrote to memory of 5068 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4264 wrote to memory of 5068 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe

Processes

C:\Users\Admin\AppData\Local\Temp\дсрат.exe

"C:\Users\Admin\AppData\Local\Temp\дсрат.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Loader\error.vbs"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Loader\KHRnsPaHq6wt4rRYII1q2.bat" "

C:\Users\Admin\AppData\Local\Temp\Loader\Bypass.exe

"C:\Users\Admin\AppData\Local\Temp\Loader\Bypass.exe"

C:\Users\Admin\AppData\Local\Temp\Loader\Loader.exe

Loader.exe

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v С:/Users /t REG_DWORD /d 0

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit /t REG_SZ /d C:\WINDOWS\system32\userinit.exe, C:\Users\Admin\AppData\Local\Temp/Loader/Bypass.exe

C:\ProgramData\SoftwareDistribution\Bypass.exe

"C:\ProgramData\SoftwareDistribution\Bypass.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell /t REG_SZ /d C:\WINDOWS\system32\explorer.exe, C:\ProgramData\SoftwareDistribution\Bypass.exe

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x0 /state0:0xa3aed855 /state1:0x41c64e6d

Network

Country Destination Domain Proto
US 8.8.8.8:53 backcreammykiel.shop udp
US 104.21.90.18:443 backcreammykiel.shop tcp
US 8.8.8.8:53 publicitycharetew.shop udp
US 172.67.221.74:443 publicitycharetew.shop tcp
US 8.8.8.8:53 computerexcudesp.shop udp
US 104.21.91.87:443 computerexcudesp.shop tcp
US 8.8.8.8:53 18.90.21.104.in-addr.arpa udp
US 8.8.8.8:53 74.221.67.172.in-addr.arpa udp
US 8.8.8.8:53 leafcalfconflcitw.shop udp
US 172.67.165.84:443 leafcalfconflcitw.shop tcp
US 8.8.8.8:53 injurypiggyoewirog.shop udp
US 104.21.81.210:443 injurypiggyoewirog.shop tcp
US 8.8.8.8:53 bargainnygroandjwk.shop udp
US 172.67.150.202:443 bargainnygroandjwk.shop tcp
US 8.8.8.8:53 87.91.21.104.in-addr.arpa udp
US 8.8.8.8:53 84.165.67.172.in-addr.arpa udp
US 8.8.8.8:53 210.81.21.104.in-addr.arpa udp
US 8.8.8.8:53 disappointcredisotw.shop udp
US 172.67.188.235:443 disappointcredisotw.shop tcp
US 8.8.8.8:53 doughtdrillyksow.shop udp
US 104.21.96.2:443 doughtdrillyksow.shop tcp
US 8.8.8.8:53 202.150.67.172.in-addr.arpa udp
US 8.8.8.8:53 235.188.67.172.in-addr.arpa udp
US 8.8.8.8:53 facilitycoursedw.shop udp
US 172.67.144.241:443 facilitycoursedw.shop tcp
US 8.8.8.8:53 2.96.21.104.in-addr.arpa udp
US 8.8.8.8:53 241.144.67.172.in-addr.arpa udp
US 8.8.8.8:53 ck66916.tw1.ru udp
RU 92.53.96.121:80 ck66916.tw1.ru tcp
RU 92.53.96.121:80 ck66916.tw1.ru tcp
US 8.8.8.8:53 121.96.53.92.in-addr.arpa udp
RU 92.53.96.121:80 ck66916.tw1.ru tcp
US 8.8.8.8:53 ck66916.tw1.ru udp
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 28.73.42.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\Loader\error.vbs

MD5 3e9e1d51930b0f7dd74cf0a85279abb7
SHA1 344f901c9070611eaa6077bbebfc1b63c28857bf
SHA256 2db9bf60266d735cbb49eec9c394c03071e2a3c7763367baeb60c2d60b0c461f
SHA512 f056abd5030a1e71e11d06608ebaab38585f8d5f8a14f20e9949d296cd3037fee67ae459a1ad9a8d86bbb117e46957fa4091cbaf9b877b45664e4d9284a3acbf

C:\Users\Admin\AppData\Local\Temp\Loader\Bypass.exe

MD5 e569faac3b8f8d70b0c2ed38ab26019b
SHA1 91adf9b4f18146374a957360f232f61c56595bab
SHA256 9f2267e35d5030990fa4d516e45289163aa236a934f8d45546a543db4bf10e40
SHA512 d0681e04801b6ce7933f0438c87527e41cd73cb3f7039048cf2d60f85b30bb5f5235145428a6f77e57fcc1600539e336fa433b33bd4e45a50c1aa7ae214f2478

C:\Users\Admin\AppData\Local\Temp\Loader\KHRnsPaHq6wt4rRYII1q2.bat

MD5 3217ead6df07978acaaa5c47812959b4
SHA1 00b535427aafd0aaa9cbdbd308c42d085af6ff25
SHA256 3d70ee828b984f3d71eb9e6bcd902c5d25f8cbb935c0419b6deb9e7707581b3d
SHA512 e521688b73e7c87699671864da9badf51fed1ea4afacac17f6656ac37b484b91157b10ed5ebb57348c09ce65cdadf183cc1be326c24716ee2f71867d0231b159

C:\Users\Admin\AppData\Local\Temp\Loader\Loader.exe

MD5 b6c3c00d7cf6d8d13f20dbc590a675ad
SHA1 a36e5c3c94f7abe3cbdfd3418e3ae03e66aa5323
SHA256 0021b20ecb3a2d562118bae38f00d1bdffc8facda49c8e1d1995966e1cd7957c
SHA512 e6f5165b9678cc6818d0213e84a6fdfb606af69dd6be67ea3db12dbb4a8b3503afcb9dc729a727691bef2374a355ea3ab7d8f8864adcab87d0cfee892c660eba

C:\ProgramData\SoftwareDistribution\Bypass.exe

MD5 d5089008582efc34df9cfe5e48550d21
SHA1 4105575343659919dff89cc18d1d8fbc7bd60289
SHA256 c3a15ab0b9e3ebf966ff7fae15c9309c5a739ab755aa706c14c437ed01e3b13c
SHA512 7ab28e1e9150f2585c0e20ddc3260aed9b3d8922eabaf05a7bfd88c1c2fe1c4f586cac368a4bae9fdce9093ded2ef6ead9505d28779bcf448e196e29b5a5050b

memory/3580-31-0x0000000000400000-0x0000000000455000-memory.dmp

memory/5080-33-0x0000000000F80000-0x0000000001136000-memory.dmp

memory/3580-32-0x0000000000400000-0x0000000000455000-memory.dmp

memory/5080-34-0x0000000001950000-0x000000000196C000-memory.dmp

memory/5080-37-0x0000000003290000-0x00000000032E6000-memory.dmp

memory/5080-36-0x00000000019C0000-0x00000000019D6000-memory.dmp

memory/5080-35-0x000000001C400000-0x000000001C450000-memory.dmp

memory/5080-39-0x00000000032E0000-0x00000000032E8000-memory.dmp

memory/5080-38-0x0000000001930000-0x000000000193E000-memory.dmp