Analysis Overview
SHA256
0f6b00ebfc4324cf4feb87bad29724c3f2c9723c84af4bf4d086352925bf06b7
Threat Level: Known bad
The file дсрат.exe was found to be: Known bad.
Malicious Activity Summary
DcRat
Windows security bypass
Lumma Stealer
DCRat payload
Deletes itself
Reads user/profile data of web browsers
Executes dropped EXE
Suspicious use of SetThreadContext
Drops autorun.inf file
Drops file in Windows directory
Drops file in Program Files directory
Enumerates physical storage devices
Unsigned PE
Suspicious use of FindShellTrayWindow
Suspicious use of AdjustPrivilegeToken
Modifies registry class
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-21 17:16
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-21 17:16
Reported
2024-06-21 17:17
Platform
win10-20240404-en
Max time kernel
50s
Max time network
72s
Command Line
Signatures
DcRat
Lumma Stealer
Windows security bypass
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | C:\Windows\system32\reg.exe | N/A |
DCRat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\SoftwareDistribution\Bypass.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Loader\Bypass.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Loader\Loader.exe | N/A |
| N/A | N/A | C:\ProgramData\SoftwareDistribution\Bypass.exe | N/A |
Reads user/profile data of web browsers
Drops autorun.inf file
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\BitLockerDiscoveryVolumeContents\autorun.inf | C:\ProgramData\SoftwareDistribution\Bypass.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2412 set thread context of 3580 | N/A | C:\Users\Admin\AppData\Local\Temp\Loader\Loader.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\HowToPlay\Spider\Tips_4.jpg | C:\ProgramData\SoftwareDistribution\Bypass.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.OneConnect_2.1701.277.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\OneConnectLargeTile.scale-100.png | C:\ProgramData\SoftwareDistribution\Bypass.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\5613_32x32x32.png | C:\ProgramData\SoftwareDistribution\Bypass.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Collections\contrast-white\LargeTile.scale-100_contrast-white.png | C:\ProgramData\SoftwareDistribution\Bypass.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\RTL\contrast-white\WideTile.scale-100.png | C:\ProgramData\SoftwareDistribution\Bypass.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\large\headbang.png | C:\ProgramData\SoftwareDistribution\Bypass.exe | N/A |
| File opened for modification | C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\MatchExactly.Tests.ps1 | C:\ProgramData\SoftwareDistribution\Bypass.exe | N/A |
| File opened for modification | C:\Program Files\Windows Defender\es-ES\MpEvMsg.dll.mui | C:\ProgramData\SoftwareDistribution\Bypass.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\210x173\0.jpg | C:\ProgramData\SoftwareDistribution\Bypass.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.10252.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageSmallTile.scale-200_contrast-black.png | C:\ProgramData\SoftwareDistribution\Bypass.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Arkadium.Win10.StarClub\Assets\crown.png | C:\ProgramData\SoftwareDistribution\Bypass.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Jumbo\mask\mask_corners.png | C:\ProgramData\SoftwareDistribution\Bypass.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\4642_48x48x32.png | C:\ProgramData\SoftwareDistribution\Bypass.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.16112.11601.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml | C:\ProgramData\SoftwareDistribution\Bypass.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\7205_32x32x32.png | C:\ProgramData\SoftwareDistribution\Bypass.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1612.10312.0_x64__8wekyb3d8bbwe\Assets\InsiderHubMedTile.scale-200.png | C:\ProgramData\SoftwareDistribution\Bypass.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\TrafficHub\WideTile.scale-125.png | C:\ProgramData\SoftwareDistribution\Bypass.exe | N/A |
| File opened for modification | C:\Program Files\Windows Defender\NisSrv.exe | C:\ProgramData\SoftwareDistribution\Bypass.exe | N/A |
| File opened for modification | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\WindowsBase.dll | C:\ProgramData\SoftwareDistribution\Bypass.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Awards\pyramid\Treasure_Chamber_.png | C:\ProgramData\SoftwareDistribution\Bypass.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.People_10.1.10531.0_x64__8wekyb3d8bbwe\Microsoft.People.Relevance.dll | C:\ProgramData\SoftwareDistribution\Bypass.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_neutral_split.scale-140_8wekyb3d8bbwe\Assets\Office\settle.scale-140.png | C:\ProgramData\SoftwareDistribution\Bypass.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\StopwatchWideTile.scale-125.png | C:\ProgramData\SoftwareDistribution\Bypass.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\OutlookMailSmallTile.scale-400.png | C:\ProgramData\SoftwareDistribution\Bypass.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\small\ke_16x11.png | C:\ProgramData\SoftwareDistribution\Bypass.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.VCLibs.140.00_14.0.24123.0_x86__8wekyb3d8bbwe\microsoft.system.package.metadata\Autogen\JSByteCodeCache_32 | C:\ProgramData\SoftwareDistribution\Bypass.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1702.301.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\VoiceRecorderLargeTile.contrast-white_scale-125.png | C:\ProgramData\SoftwareDistribution\Bypass.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteAppList.targetsize-80_altform-unplated.png | C:\ProgramData\SoftwareDistribution\Bypass.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\xe_60x42.png | C:\ProgramData\SoftwareDistribution\Bypass.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.XboxApp_25.25.13009.0_x64__8wekyb3d8bbwe\_Resources\index.txt | C:\ProgramData\SoftwareDistribution\Bypass.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad.xml | C:\ProgramData\SoftwareDistribution\Bypass.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\HeroHelp\Scenario2.png | C:\ProgramData\SoftwareDistribution\Bypass.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Messaging_3.26.24002.0_x64__8wekyb3d8bbwe\Assets\StoreLogo.scale-200.png | C:\ProgramData\SoftwareDistribution\Bypass.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\ThemePreview\Themes\jumbo.jpg | C:\ProgramData\SoftwareDistribution\Bypass.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteNotebookWideTile.scale-125.png | C:\ProgramData\SoftwareDistribution\Bypass.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\Stationery\Soft Blue.htm | C:\ProgramData\SoftwareDistribution\Bypass.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Getstarted_4.5.6.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\GetStartedAppList.scale-200_contrast-white.png | C:\ProgramData\SoftwareDistribution\Bypass.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_neutral_split.scale-100_kzf8qxf38zg5c\SkypeApp\Assets\Images\image_placeholder.scale-100.png | C:\ProgramData\SoftwareDistribution\Bypass.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1702.312.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.contrast-white_targetsize-64.png | C:\ProgramData\SoftwareDistribution\Bypass.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Internet Explorer\hmmapi.dll | C:\ProgramData\SoftwareDistribution\Bypass.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\System\msadc\msadds.dll | C:\ProgramData\SoftwareDistribution\Bypass.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Arkadium.Win10.Awards\Assets\awards_sign_in_tile.jpg | C:\ProgramData\SoftwareDistribution\Bypass.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\10146_20x20x32.png | C:\ProgramData\SoftwareDistribution\Bypass.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\5941_40x40x32.png | C:\ProgramData\SoftwareDistribution\Bypass.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxA-Exchange.scale-100.png | C:\ProgramData\SoftwareDistribution\Bypass.exe | N/A |
| File opened for modification | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\System.Management.Instrumentation.Resources.dll | C:\ProgramData\SoftwareDistribution\Bypass.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_1.4.101.0_x64__8wekyb3d8bbwe\Microsoft.Graphics.Canvas.winmd | C:\ProgramData\SoftwareDistribution\Bypass.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteAppList.targetsize-32.png | C:\ProgramData\SoftwareDistribution\Bypass.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\ml_60x42.png | C:\ProgramData\SoftwareDistribution\Bypass.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.targetsize-48.png | C:\ProgramData\SoftwareDistribution\Bypass.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\2818_20x20x32.png | C:\ProgramData\SoftwareDistribution\Bypass.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\7834_40x40x32.png | C:\ProgramData\SoftwareDistribution\Bypass.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\9434_24x24x32.png | C:\ProgramData\SoftwareDistribution\Bypass.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Audio\opt-in-ad-popup.wav | C:\ProgramData\SoftwareDistribution\Bypass.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\ThemeCreation\lobby_deck_style_fable.png | C:\ProgramData\SoftwareDistribution\Bypass.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNotePageLargeTile.scale-200.png | C:\ProgramData\SoftwareDistribution\Bypass.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Windows.Photos_16.511.8780.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.contrast-black_targetsize-24.png | C:\ProgramData\SoftwareDistribution\Bypass.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Windows.Photos_16.511.8780.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-36_altform-fullcolor.png | C:\ProgramData\SoftwareDistribution\Bypass.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxA-Exchange.scale-150.png | C:\ProgramData\SoftwareDistribution\Bypass.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Car\LTR\contrast-white\MedTile.scale-125.png | C:\ProgramData\SoftwareDistribution\Bypass.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\WorldClockSmallTile.contrast-white_scale-100.png | C:\ProgramData\SoftwareDistribution\Bypass.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1702.312.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.contrast-black_targetsize-64.png | C:\ProgramData\SoftwareDistribution\Bypass.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1702.312.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-20_altform-unplated_contrast-white.png | C:\ProgramData\SoftwareDistribution\Bypass.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\TXP_Flight_Dark.png | C:\ProgramData\SoftwareDistribution\Bypass.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\InfusedApps\Packages\Microsoft.WindowsFeedbackHub_1.1612.10312.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-96_contrast-white.png | C:\ProgramData\SoftwareDistribution\Bypass.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\fr\Microsoft.VisualBasic.Resources.dll | C:\ProgramData\SoftwareDistribution\Bypass.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\de\System.Device.resources.dll | C:\ProgramData\SoftwareDistribution\Bypass.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\fr\System.Data.Services.Client.resources.dll | C:\ProgramData\SoftwareDistribution\Bypass.exe | N/A |
| File opened for modification | C:\Windows\servicing\Packages\HyperV-Guest-IcSvcExt-onecore-Package~31bf3856ad364e35~amd64~it-IT~10.0.15063.0.cat | C:\ProgramData\SoftwareDistribution\Bypass.exe | N/A |
| File opened for modification | C:\Windows\InfusedApps\Packages\Microsoft.DesktopAppInstaller_1.0.10252.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\AppPackageSmallTile.scale-125_contrast-black.png | C:\ProgramData\SoftwareDistribution\Bypass.exe | N/A |
| File opened for modification | C:\Windows\InfusedApps\Packages\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxCalendarLargeTile.scale-400.png | C:\ProgramData\SoftwareDistribution\Bypass.exe | N/A |
| File opened for modification | C:\Windows\InfusedApps\Packages\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\HxAccountsStoreLogo.scale-100.png | C:\ProgramData\SoftwareDistribution\Bypass.exe | N/A |
| File opened for modification | C:\Windows\InfusedApps\Packages\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Work\contrast-white\MedTile.scale-200.png | C:\ProgramData\SoftwareDistribution\Bypass.exe | N/A |
| File opened for modification | C:\Windows\InfusedApps\Packages\Microsoft.WindowsSoundRecorder_10.1702.301.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-white_targetsize-256.png | C:\ProgramData\SoftwareDistribution\Bypass.exe | N/A |
| File opened for modification | C:\Windows\InfusedApps\Packages\Microsoft.ZuneMusic_10.16112.11621.0_neutral_resources.scale-200_8wekyb3d8bbwe\Assets\contrast-white\LargeLogo.scale-200_contrast-white.png | C:\ProgramData\SoftwareDistribution\Bypass.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework\v3.5\Microsoft.VisualC.STLCLR.dll | C:\ProgramData\SoftwareDistribution\Bypass.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Threading.Thread.dll | C:\ProgramData\SoftwareDistribution\Bypass.exe | N/A |
| File opened for modification | C:\Windows\InfusedApps\Packages\Microsoft.WindowsCamera_2017.125.40.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraSmallTile.contrast-white_scale-100.png | C:\ProgramData\SoftwareDistribution\Bypass.exe | N/A |
| File opened for modification | C:\Windows\InfusedApps\Packages\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Home\contrast-white\WideTile.scale-100.png | C:\ProgramData\SoftwareDistribution\Bypass.exe | N/A |
| File opened for modification | C:\Windows\InfusedApps\Packages\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\TrafficHub\contrast-black\SmallTile.scale-100.png | C:\ProgramData\SoftwareDistribution\Bypass.exe | N/A |
| File opened for modification | C:\Windows\rescache\_merged\689984732\2229862038.pri | C:\ProgramData\SoftwareDistribution\Bypass.exe | N/A |
| File opened for modification | C:\Windows\InfusedApps\Packages\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\Images\Ratings\Yelp8.scale-125.png | C:\ProgramData\SoftwareDistribution\Bypass.exe | N/A |
| File opened for modification | C:\Windows\INF\image.inf | C:\ProgramData\SoftwareDistribution\Bypass.exe | N/A |
| File opened for modification | C:\Windows\InfusedApps\Packages\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-white_targetsize-48.png | C:\ProgramData\SoftwareDistribution\Bypass.exe | N/A |
| File opened for modification | C:\Windows\InfusedApps\Packages\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\2875_32x32x32.png | C:\ProgramData\SoftwareDistribution\Bypass.exe | N/A |
| File opened for modification | C:\Windows\InfusedApps\Packages\Microsoft.ZuneMusic_10.16112.11621.0_neutral_resources.scale-150_8wekyb3d8bbwe\Assets\SmallLogo.scale-150.png | C:\ProgramData\SoftwareDistribution\Bypass.exe | N/A |
| File opened for modification | C:\Windows\ImmersiveControlPanel\Settings\AAA_SettingsGroupFamilyUsers.settingcontent-ms | C:\ProgramData\SoftwareDistribution\Bypass.exe | N/A |
| File opened for modification | C:\Windows\INF\.NET Data Provider for Oracle\_DataOracleClientPerfCounters_shared12_neutral.h | C:\ProgramData\SoftwareDistribution\Bypass.exe | N/A |
| File opened for modification | C:\Windows\InfusedApps\Packages\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\MapsSplashScreen.scale-100.png | C:\ProgramData\SoftwareDistribution\Bypass.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\es\System.ServiceModel.resources.dll | C:\ProgramData\SoftwareDistribution\Bypass.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\it\Microsoft.Activities.Build.resources.dll | C:\ProgramData\SoftwareDistribution\Bypass.exe | N/A |
| File opened for modification | C:\Windows\INF\mdmpin.inf | C:\ProgramData\SoftwareDistribution\Bypass.exe | N/A |
| File opened for modification | C:\Windows\InfusedApps\Packages\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\large\smirk.png | C:\ProgramData\SoftwareDistribution\Bypass.exe | N/A |
| File opened for modification | C:\Windows\InfusedApps\Packages\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\small\gg_16x11.png | C:\ProgramData\SoftwareDistribution\Bypass.exe | N/A |
| File opened for modification | C:\Windows\InfusedApps\Packages\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\6124_24x24x32.png | C:\ProgramData\SoftwareDistribution\Bypass.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\it-IT\ServiceModelEvents.dll.mui | C:\ProgramData\SoftwareDistribution\Bypass.exe | N/A |
| File opened for modification | C:\Windows\InfusedApps\Packages\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\small\xs_16x11.png | C:\ProgramData\SoftwareDistribution\Bypass.exe | N/A |
| File opened for modification | C:\Windows\InfusedApps\Packages\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\GenericMailSmallTile.scale-100.png | C:\ProgramData\SoftwareDistribution\Bypass.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\it\System.Web.Abstractions.resources.dll | C:\ProgramData\SoftwareDistribution\Bypass.exe | N/A |
| File opened for modification | C:\Windows\InfusedApps\Packages\Microsoft.BingWeather_4.18.56.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\Weather_TileWide.scale-100.png | C:\ProgramData\SoftwareDistribution\Bypass.exe | N/A |
| File opened for modification | C:\Windows\InfusedApps\Packages\Microsoft.OneConnect_2.1701.277.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxBlockMap.xml | C:\ProgramData\SoftwareDistribution\Bypass.exe | N/A |
| File opened for modification | C:\Windows\InfusedApps\Packages\Microsoft.Windows.Photos_16.511.8780.0_x64__8wekyb3d8bbwe\Lumia.ViewerPlugin\ReliveSurfaces\Video\ReliveVideoControl.xaml | C:\ProgramData\SoftwareDistribution\Bypass.exe | N/A |
| File opened for modification | C:\Windows\Cursors\move_im.cur | C:\ProgramData\SoftwareDistribution\Bypass.exe | N/A |
| File opened for modification | C:\Windows\servicing\Packages\HyperV-Networking-Containers-onecore-Package~31bf3856ad364e35~amd64~en-US~10.0.15063.0.cat | C:\ProgramData\SoftwareDistribution\Bypass.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\de\System.Numerics.resources.dll | C:\ProgramData\SoftwareDistribution\Bypass.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\de\PresentationUI.resources.dll | C:\ProgramData\SoftwareDistribution\Bypass.exe | N/A |
| File opened for modification | C:\Windows\InfusedApps\Packages\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\OneNotePageSmallTile.scale-400.png | C:\ProgramData\SoftwareDistribution\Bypass.exe | N/A |
| File opened for modification | C:\Windows\InfusedApps\Packages\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\GamePlayAssets\FreeCell\ResPacks\gameplayfreecell.respack | C:\ProgramData\SoftwareDistribution\Bypass.exe | N/A |
| File opened for modification | C:\Windows\InfusedApps\Packages\Microsoft.ZuneVideo_10.16112.11601.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-60_altform-unplated_contrast-white.png | C:\ProgramData\SoftwareDistribution\Bypass.exe | N/A |
| File opened for modification | C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000001.regtrans-ms | C:\ProgramData\SoftwareDistribution\Bypass.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.XML.dll | C:\ProgramData\SoftwareDistribution\Bypass.exe | N/A |
| File opened for modification | C:\Windows\Fonts\8514fixr.fon | C:\ProgramData\SoftwareDistribution\Bypass.exe | N/A |
| File opened for modification | C:\Windows\InfusedApps\Packages\Microsoft.3DBuilder_13.0.10349.0_neutral_split.scale-180_8wekyb3d8bbwe\Assets\Office\PlaneCutKeepTop.scale-180.png | C:\ProgramData\SoftwareDistribution\Bypass.exe | N/A |
| File opened for modification | C:\Windows\InfusedApps\Packages\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsAppList.targetsize-72.png | C:\ProgramData\SoftwareDistribution\Bypass.exe | N/A |
| File opened for modification | C:\Windows\InfusedApps\Packages\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\osf\progress.gif | C:\ProgramData\SoftwareDistribution\Bypass.exe | N/A |
| File opened for modification | C:\Windows\PolicyDefinitions\WindowsFileProtection.admx | C:\ProgramData\SoftwareDistribution\Bypass.exe | N/A |
| File opened for modification | C:\Windows\PolicyDefinitions\en-US\DistributedLinkTracking.adml | C:\ProgramData\SoftwareDistribution\Bypass.exe | N/A |
| File opened for modification | C:\Windows\InfusedApps\Packages\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Home\contrast-black\WideTile.scale-200.png | C:\ProgramData\SoftwareDistribution\Bypass.exe | N/A |
| File opened for modification | C:\Windows\InfusedApps\Packages\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\Voices\en-US\en-US_female_TTS\ruleset_en-US_TTS.lua | C:\ProgramData\SoftwareDistribution\Bypass.exe | N/A |
| File opened for modification | C:\Windows\PLA\Rules\ja-JP\Rules.System.Performance.xml | C:\ProgramData\SoftwareDistribution\Bypass.exe | N/A |
| File opened for modification | C:\Windows\InfusedApps\Packages\Microsoft.Getstarted_4.5.6.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-64_altform-unplated.png | C:\ProgramData\SoftwareDistribution\Bypass.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Microsoft.Build.Tasks.dll | C:\ProgramData\SoftwareDistribution\Bypass.exe | N/A |
| File opened for modification | C:\Windows\InfusedApps\Packages\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\SampleHeader\globe32.png | C:\ProgramData\SoftwareDistribution\Bypass.exe | N/A |
| File opened for modification | C:\Windows\InfusedApps\Packages\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxCalendarAppList.targetsize-72.png | C:\ProgramData\SoftwareDistribution\Bypass.exe | N/A |
| File opened for modification | C:\Windows\InfusedApps\Packages\Microsoft.ZuneVideo_10.16112.11601.0_x64__8wekyb3d8bbwe\Assets\SplashScreen.scale-100.png | C:\ProgramData\SoftwareDistribution\Bypass.exe | N/A |
| File opened for modification | C:\Windows\InfusedApps\Packages\Microsoft.ZuneMusic_10.16112.11621.0_x64__8wekyb3d8bbwe\EntCommon.dll | C:\ProgramData\SoftwareDistribution\Bypass.exe | N/A |
| File opened for modification | C:\Windows\InfusedApps\Packages\Microsoft.Microsoft3DViewer_1.1702.21039.0_x64__8wekyb3d8bbwe\Assets\Images\Tiles\Square44x44Logo.scale-200.png | C:\ProgramData\SoftwareDistribution\Bypass.exe | N/A |
| File opened for modification | C:\Windows\InfusedApps\Packages\Microsoft.ZuneVideo_10.16112.11601.0_x64__8wekyb3d8bbwe\Assets\FileExtension.targetsize-40.png | C:\ProgramData\SoftwareDistribution\Bypass.exe | N/A |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\дсрат.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\SoftwareDistribution\Bypass.exe | N/A |
| N/A | N/A | C:\ProgramData\SoftwareDistribution\Bypass.exe | N/A |
| N/A | N/A | C:\ProgramData\SoftwareDistribution\Bypass.exe | N/A |
| N/A | N/A | C:\ProgramData\SoftwareDistribution\Bypass.exe | N/A |
| N/A | N/A | C:\ProgramData\SoftwareDistribution\Bypass.exe | N/A |
| N/A | N/A | C:\ProgramData\SoftwareDistribution\Bypass.exe | N/A |
| N/A | N/A | C:\ProgramData\SoftwareDistribution\Bypass.exe | N/A |
| N/A | N/A | C:\ProgramData\SoftwareDistribution\Bypass.exe | N/A |
| N/A | N/A | C:\ProgramData\SoftwareDistribution\Bypass.exe | N/A |
| N/A | N/A | C:\ProgramData\SoftwareDistribution\Bypass.exe | N/A |
| N/A | N/A | C:\ProgramData\SoftwareDistribution\Bypass.exe | N/A |
| N/A | N/A | C:\ProgramData\SoftwareDistribution\Bypass.exe | N/A |
| N/A | N/A | C:\ProgramData\SoftwareDistribution\Bypass.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\SoftwareDistribution\Bypass.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\дсрат.exe | N/A |
| N/A | N/A | C:\Windows\System32\WScript.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\дсрат.exe
"C:\Users\Admin\AppData\Local\Temp\дсрат.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Loader\error.vbs"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Loader\KHRnsPaHq6wt4rRYII1q2.bat" "
C:\Users\Admin\AppData\Local\Temp\Loader\Bypass.exe
"C:\Users\Admin\AppData\Local\Temp\Loader\Bypass.exe"
C:\Users\Admin\AppData\Local\Temp\Loader\Loader.exe
Loader.exe
C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v С:/Users /t REG_DWORD /d 0
C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit /t REG_SZ /d C:\WINDOWS\system32\userinit.exe, C:\Users\Admin\AppData\Local\Temp/Loader/Bypass.exe
C:\ProgramData\SoftwareDistribution\Bypass.exe
"C:\ProgramData\SoftwareDistribution\Bypass.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell /t REG_SZ /d C:\WINDOWS\system32\explorer.exe, C:\ProgramData\SoftwareDistribution\Bypass.exe
C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3aed855 /state1:0x41c64e6d
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | backcreammykiel.shop | udp |
| US | 104.21.90.18:443 | backcreammykiel.shop | tcp |
| US | 8.8.8.8:53 | publicitycharetew.shop | udp |
| US | 172.67.221.74:443 | publicitycharetew.shop | tcp |
| US | 8.8.8.8:53 | computerexcudesp.shop | udp |
| US | 104.21.91.87:443 | computerexcudesp.shop | tcp |
| US | 8.8.8.8:53 | 18.90.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.221.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | leafcalfconflcitw.shop | udp |
| US | 172.67.165.84:443 | leafcalfconflcitw.shop | tcp |
| US | 8.8.8.8:53 | injurypiggyoewirog.shop | udp |
| US | 104.21.81.210:443 | injurypiggyoewirog.shop | tcp |
| US | 8.8.8.8:53 | bargainnygroandjwk.shop | udp |
| US | 172.67.150.202:443 | bargainnygroandjwk.shop | tcp |
| US | 8.8.8.8:53 | 87.91.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 84.165.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 210.81.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | disappointcredisotw.shop | udp |
| US | 172.67.188.235:443 | disappointcredisotw.shop | tcp |
| US | 8.8.8.8:53 | doughtdrillyksow.shop | udp |
| US | 104.21.96.2:443 | doughtdrillyksow.shop | tcp |
| US | 8.8.8.8:53 | 202.150.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 235.188.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | facilitycoursedw.shop | udp |
| US | 172.67.144.241:443 | facilitycoursedw.shop | tcp |
| US | 8.8.8.8:53 | 2.96.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.144.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ck66916.tw1.ru | udp |
| RU | 92.53.96.121:80 | ck66916.tw1.ru | tcp |
| RU | 92.53.96.121:80 | ck66916.tw1.ru | tcp |
| US | 8.8.8.8:53 | 121.96.53.92.in-addr.arpa | udp |
| RU | 92.53.96.121:80 | ck66916.tw1.ru | tcp |
| US | 8.8.8.8:53 | ck66916.tw1.ru | udp |
| NL | 52.142.223.178:80 | tcp | |
| US | 8.8.8.8:53 | 28.73.42.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\Loader\error.vbs
| MD5 | 3e9e1d51930b0f7dd74cf0a85279abb7 |
| SHA1 | 344f901c9070611eaa6077bbebfc1b63c28857bf |
| SHA256 | 2db9bf60266d735cbb49eec9c394c03071e2a3c7763367baeb60c2d60b0c461f |
| SHA512 | f056abd5030a1e71e11d06608ebaab38585f8d5f8a14f20e9949d296cd3037fee67ae459a1ad9a8d86bbb117e46957fa4091cbaf9b877b45664e4d9284a3acbf |
C:\Users\Admin\AppData\Local\Temp\Loader\Bypass.exe
| MD5 | e569faac3b8f8d70b0c2ed38ab26019b |
| SHA1 | 91adf9b4f18146374a957360f232f61c56595bab |
| SHA256 | 9f2267e35d5030990fa4d516e45289163aa236a934f8d45546a543db4bf10e40 |
| SHA512 | d0681e04801b6ce7933f0438c87527e41cd73cb3f7039048cf2d60f85b30bb5f5235145428a6f77e57fcc1600539e336fa433b33bd4e45a50c1aa7ae214f2478 |
C:\Users\Admin\AppData\Local\Temp\Loader\KHRnsPaHq6wt4rRYII1q2.bat
| MD5 | 3217ead6df07978acaaa5c47812959b4 |
| SHA1 | 00b535427aafd0aaa9cbdbd308c42d085af6ff25 |
| SHA256 | 3d70ee828b984f3d71eb9e6bcd902c5d25f8cbb935c0419b6deb9e7707581b3d |
| SHA512 | e521688b73e7c87699671864da9badf51fed1ea4afacac17f6656ac37b484b91157b10ed5ebb57348c09ce65cdadf183cc1be326c24716ee2f71867d0231b159 |
C:\Users\Admin\AppData\Local\Temp\Loader\Loader.exe
| MD5 | b6c3c00d7cf6d8d13f20dbc590a675ad |
| SHA1 | a36e5c3c94f7abe3cbdfd3418e3ae03e66aa5323 |
| SHA256 | 0021b20ecb3a2d562118bae38f00d1bdffc8facda49c8e1d1995966e1cd7957c |
| SHA512 | e6f5165b9678cc6818d0213e84a6fdfb606af69dd6be67ea3db12dbb4a8b3503afcb9dc729a727691bef2374a355ea3ab7d8f8864adcab87d0cfee892c660eba |
C:\ProgramData\SoftwareDistribution\Bypass.exe
| MD5 | d5089008582efc34df9cfe5e48550d21 |
| SHA1 | 4105575343659919dff89cc18d1d8fbc7bd60289 |
| SHA256 | c3a15ab0b9e3ebf966ff7fae15c9309c5a739ab755aa706c14c437ed01e3b13c |
| SHA512 | 7ab28e1e9150f2585c0e20ddc3260aed9b3d8922eabaf05a7bfd88c1c2fe1c4f586cac368a4bae9fdce9093ded2ef6ead9505d28779bcf448e196e29b5a5050b |
memory/3580-31-0x0000000000400000-0x0000000000455000-memory.dmp
memory/5080-33-0x0000000000F80000-0x0000000001136000-memory.dmp
memory/3580-32-0x0000000000400000-0x0000000000455000-memory.dmp
memory/5080-34-0x0000000001950000-0x000000000196C000-memory.dmp
memory/5080-37-0x0000000003290000-0x00000000032E6000-memory.dmp
memory/5080-36-0x00000000019C0000-0x00000000019D6000-memory.dmp
memory/5080-35-0x000000001C400000-0x000000001C450000-memory.dmp
memory/5080-39-0x00000000032E0000-0x00000000032E8000-memory.dmp
memory/5080-38-0x0000000001930000-0x000000000193E000-memory.dmp