Malware Analysis Report

2024-10-10 13:07

Sample ID 240621-yp9kpa1amh
Target Loader.exe
SHA256 854d267aea33e8dc80021ac043b003ab7c6f99061e56e36572cba3548e6882c9
Tags
execution dcrat infostealer persistence rat spyware stealer
score
10/10

Analysis Overview

Threat Level: Known bad

The file Loader.exe was found to be: Known bad.

Malicious Activity Summary

Modifies WinLogon for persistence

DcRat

DCRat payload

Command and Scripting Interpreter: PowerShell

Checks computer location settings

Reads user/profile data of web browsers

Executes dropped EXE

Drops autorun.inf file

Suspicious use of SetThreadContext

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-21 19:58

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-21 19:58

Reported

2024-06-21 20:00

Platform

win10v2004-20240508-en

Max time kernel

80s

Max time network

64s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Loader.exe | N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Loader\AntiCheatBypass.bat" "

C:\Windows\system32\cacls.exe

"C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Loader\AntiCheatBypasss.bat

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath 'C:\'

C:\Windows\system32\choice.exe

choice /c y /n /t 10 /d y

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3756,i,9746875443948590908,1444894342962555245,262144 --variations-seed-version --mojo-platform-channel-handle=4696 /prefetch:8
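The process list above is a recognisable batch-dropper sequence: cmd.exe runs a .bat out of the user's Temp directory, cacls.exe is pointed at the SYSTEM hive (the usual batch idiom for testing whether the script is running elevated, since the call fails for a non-admin token), PowerShell adds a Defender exclusion covering the whole C:\ drive, and choice /c y /n /t 10 /d y serves as a ten-second sleep. The Python below is an added triage example written for this page, not tooling from the sandbox or from the sample; it scores each command line against regex rules derived from this tree. The rule names and severity labels are constructed for the example; the sample command lines are copied from the list above, with the long msedge.exe line shortened.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str
    cmdline: str


# Heuristics derived from the process tree in this report. Each rule is a
# (name, severity, compiled regex) triple; the names and severities are
# labels chosen for this example.
RULES = [
    # cmd.exe launching a .bat/.cmd out of the user's Temp directory (/c or /K)
    ("cmd_runs_temp_batch", "medium",
     re.compile(r'\bcmd(?:\.exe)?\b.*?\s/[ck]\s.*?\\AppData\\Local\\Temp\\.*?\.(?:bat|cmd)\b', re.I)),
    # cacls/icacls against the SYSTEM hive with no other arguments: the
    # common batch-script "am I elevated?" probe (fails for non-admin tokens)
    ("cacls_admin_probe", "medium",
     re.compile(r'\b(?:i?cacls)(?:\.exe)?"?\s+"?[a-z]:\\windows\\system32\\config\\system"?\s*$', re.I)),
    # choice with /t and /d used as a sleep: no real prompt, the default is auto-picked
    ("choice_as_sleep", "low",
     re.compile(r'\bchoice(?:\.exe)?\b.*?\s/t\s+\d+\b.*?\s/d\s+\S', re.I)),
]

# Defender exclusions are handled separately so the excluded path can drive
# severity. The capture stops at whitespace or a quote, so a quoted path with
# spaces is only partially captured; good enough for the drive-root test.
DEFENDER_EXCL = re.compile(
    r'Add-MpPreference\b.*?-Exclusion(?:Path|Process|Extension)\s+[\'"]?([^\'"\s]+)', re.I)


def triage(cmdlines):
    """Return one Finding per (rule, command line) match, in input order."""
    findings = []
    for cmd in cmdlines:
        for name, sev, rx in RULES:
            if rx.search(cmd):
                findings.append(Finding(name, sev, cmd))
        m = DEFENDER_EXCL.search(cmd)
        if m:
            excluded = m.group(1)
            # Excluding a whole drive root (e.g. C:\) switches scanning off everywhere.
            sev = "high" if re.fullmatch(r"[a-z]:\\?", excluded, re.I) else "medium"
            findings.append(Finding("defender_exclusion_added", sev, cmd))
    return findings


# Command lines copied from the behavioral1 process list in this report.
SAMPLE_CMDLINES = [
    r'"C:\Users\Admin\AppData\Local\Temp\Loader.exe"',
    r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Loader\AntiCheatBypass.bat" "',
    r'"C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"',
    r'C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Loader\AntiCheatBypasss.bat',
    r"powershell -Command Add-MpPreference -ExclusionPath 'C:\'",
    r'choice /c y /n /t 10 /d y',
    r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --lang=en-US',
]

if __name__ == "__main__":
    for f in triage(SAMPLE_CMDLINES):
        print(f"[{f.severity}] {f.rule}: {f.cmdline}")
```

Run against the seven sample lines the function returns five findings: the two cmd.exe launches, the cacls probe, the drive-root Defender exclusion (rated high) and the choice delay; Loader.exe itself and the Edge utility process match nothing. On real telemetry the cacls and choice rules are only meaningful in combination with the others, which is why each finding carries its own severity rather than a single verdict.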

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp

Files

C:\Users\Admin\AppData\Local\Temp\Loader\AntiCheatBypass.bat

MD5 4c44aab923a5c7719850e5138ecb64c0
SHA1 9634bb1db8ed400b033225a849c88c7908d61b3d
SHA256 63047a792bde6efb6aab1a6dbb178f55b6ae86317d75cb4470e51dd0ef76be2e
SHA512 98fd476c2b48be92a6101ff71514818eca6c7849ad17097b86babbbae9ecc9ff60a0a88c143a6ccbb67f002798531ab3717ad3fd7246de53c49b8daaeebad8f0

C:\Users\Admin\AppData\Local\Temp\Loader\AntiCheatBypasss.bat

MD5 67789813c0d52fa2d7bfbffd5d572e6e
SHA1 52389d023f55bda8aba2efdbe82ee48c17f19639
SHA256 ab044df54893f5f2e54233fc6ea4ef6dd8a9a0731a893734f287e62eeae0c3cf
SHA512 467f875a6bf70a39fcb4918952706d41f92c0166c4c2ad2a9c6b2207c7ac076a155dbc9b7682e65f9f9498c3636bd2b04e2aad5b2b89a185ea22bb6146980527

memory/2368-14-0x00007FFB40573000-0x00007FFB40575000-memory.dmp

memory/2368-21-0x0000029435E30000-0x0000029435E52000-memory.dmp

memory/2368-15-0x00007FFB40570000-0x00007FFB41031000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qgaiagz5.v2f.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2368-26-0x00007FFB40570000-0x00007FFB41031000-memory.dmp

memory/2368-29-0x00007FFB40570000-0x00007FFB41031000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-21 19:58

Reported

2024-06-21 20:00

Platform

win11-20240611-en

Max time kernel

51s

Max time network

68s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

Signatures

DcRat

rat infostealer dcrat

Modifies WinLogon for persistence

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, C:\\Users\\skeet\\AppData\\Local\\Temp\\Loader\\572stuOQ0pZG2Xj.exe" | C:\Windows\system32\reg.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\WINDOWS\\system32\\explorer.exe, C:\\ProgramData\\SoftwareDistribution\\572stuOQ0pZG2Xj.exe" | C:\Windows\system32\reg.exe | N/A
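Winlogon's Userinit and Shell values are comma-separated lists and Winlogon starts every entry, so appending an executable to either value runs it at each interactive logon (note the hardcoded skeet profile path in Userinit, which does not match the sandbox's Admin user, and the second copy under C:\ProgramData\SoftwareDistribution). The Python below is an added example for this page, not part of the report or of the sample: it splits both values, accepts only the stock userinit.exe and explorer.exe entries when they sit in a Windows system directory, and returns everything else. The infected input is the pair of values from the table above (with the doubled backslashes as rendered there); the clean baseline is constructed.

```python
import ntpath

# Executable names Winlogon is expected to launch on a clean install. The
# stock Shell value is the bare name "explorer.exe"; the stock Userinit value
# is "C:\Windows\system32\userinit.exe," with the trailing comma.
EXPECTED_NAMES = {"Userinit": {"userinit.exe"}, "Shell": {"explorer.exe"}}
# Directories those binaries are accepted from when given as a full path.
SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32"}


def split_entries(value):
    """Split a comma-separated Winlogon value into cleaned path entries.
    Doubled backslashes (as the report renders them) are collapsed first."""
    entries = []
    for raw in value.replace("\\\\", "\\").split(","):
        entry = raw.strip().strip('"')
        if entry:
            entries.append(entry)
    return entries


def check_winlogon(values):
    r"""values: {"Userinit": str, "Shell": str} as read from
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon.
    Returns [(value_name, suspicious_entry), ...] in value order."""
    findings = []
    for name, value in values.items():
        for entry in split_entries(value):
            directory, basename = ntpath.split(entry)
            known_name = basename.lower() in EXPECTED_NAMES.get(name, set())
            known_dir = directory == "" or directory.lower() in SYSTEM_DIRS
            if not (known_name and known_dir):
                findings.append((name, entry))
    return findings


# The two values written by reg.exe in behavioral2, copied from the table above.
SAMPLE_INFECTED = {
    "Userinit": r"C:\\WINDOWS\\system32\\userinit.exe, C:\\Users\\skeet\\AppData\\Local\\Temp\\Loader\\572stuOQ0pZG2Xj.exe",
    "Shell": r"C:\\WINDOWS\\system32\\explorer.exe, C:\\ProgramData\\SoftwareDistribution\\572stuOQ0pZG2Xj.exe",
}
# Constructed baseline matching a default Windows install.
SAMPLE_CLEAN = {"Userinit": r"C:\Windows\system32\userinit.exe,", "Shell": "explorer.exe"}

if __name__ == "__main__":
    for name, entry in check_winlogon(SAMPLE_INFECTED):
        print(f"Winlogon\\{name}: unexpected entry {entry}")
```

On a live host the same two values come from Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' -Name Userinit, Shell and can be passed in as the dictionary. The check deliberately keys on the executable name plus directory rather than on an exact string, so a legitimate full path to userinit.exe is not reported while anything appended after it is.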

DCRat payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Command and Scripting Interpreter: PowerShell

execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Drops autorun.inf file

Description | Indicator | Process | Target
File opened for modification | C:\Windows\BitLockerDiscoveryVolumeContents\autorun.inf | C:\ProgramData\SoftwareDistribution\Bypass.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2068 set thread context of 2772 | N/A | C:\Users\Admin\AppData\Local\Temp\Loader\Loader.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Drops file in Program Files directory

Description: File opened for modification | Process: C:\ProgramData\SoftwareDistribution\Bypass.exe | Target: N/A (identical for every row below)
Indicator:
C:\Program Files\WindowsApps\Microsoft.WindowsMaps_1.0.22.0_x64__8wekyb3d8bbwe\Microsoft.Apps.Stubs.winmd
C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib-amd\components\DocumentCard\DocumentCardStatus.styles.js
C:\Program Files\WindowsApps\Microsoft.PowerAutomateDesktop_1.0.65.0_x64__8wekyb3d8bbwe\Images\contrast-white\PowerAutomateSquare70x70Logo.scale-180.png
C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_1.0.36.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AlarmsSmallTile.scale-100_contrast-black.png
C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-white\MoveToFolderToastQuickAction.scale-80.png
C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.40978.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-20_altform-unplated.png
C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.32731.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-64_contrast-black.png
C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\Snooze.scale-80.png
C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailAppList.targetsize-48_altform-lightunplated.png
C:\Program Files\WindowsApps\Microsoft.WindowsStore_12104.1001.1.0_x64__8wekyb3d8bbwe\Assets\AppTile.xml
C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Data.Services.Design.dll
C:\Program Files\Windows Media Player\WMPNSSUI.dll
C:\Program Files\WindowsApps\Microsoft.Getstarted_10.2.41172.0_x64__8wekyb3d8bbwe\Assets\TipsWideTile.scale-100_contrast-black.png
C:\Program Files\WindowsApps\Microsoft.WindowsStore_12104.1001.1.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\StoreAppList.targetsize-24_altform-unplated.png
C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\theme\node_modules\@uifabric\utilities\lib-amd\styled.js
C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\theme\node_modules\@uifabric\utilities\lib-amd\customizations\mergeCustomizations.js
C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\theme\node_modules\@uifabric\utilities\lib-commonjs\customizations\CustomizerContext.js
C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailAppList.targetsize-80.png
C:\Program Files\WindowsApps\Microsoft.WindowsStore_12104.1001.1.0_x64__8wekyb3d8bbwe\Assets\AppTiles\StoreAppList.targetsize-256_altform-lightunplated.png
C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\theme\lib-amd\colors\index.js
C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-white\LinkedInboxLargeTile.scale-125.png
C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\AppIcon.targetsize-72_altform-unplated.png
C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_neutral_~_cw5n1h2txyewy\AppxBlockMap.xml
C:\Program Files\WindowsApps\Microsoft.Getstarted_10.2.41172.0_x64__8wekyb3d8bbwe\Assets\TipsAppList.targetsize-30.png
C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.40831.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-32_contrast-black.png
C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailAppList.targetsize-256_altform-lightunplated.png
C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.2103.1172.0_x64__8wekyb3d8bbwe\FeedbackHub.BackgroundTasks.winmd
C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\AppIcon.targetsize-24_altform-lightunplated.png
C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\theme\node_modules\@uifabric\utilities\lib-commonjs\dom\findElementRecursive.js
C:\Program Files\Common Files\System\msadc\msdaprst.dll
C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\HxMailSplashLogo.scale-150.png
C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib-amd\components\ComboBox\index.js
C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\AppIcon.targetsize-32_altform-lightunplated.png
C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2020.503.58.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\contrast-black\CameraSmallTile.scale-200.png
C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.6.3102.0_neutral_split.scale-200_8wekyb3d8bbwe\Win10\MicrosoftSolitaireBadgeLogo.scale-200.png
C:\Program Files\WindowsApps\Microsoft.Windows.Photos_21.21030.25003.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-16_altform-lightunplated.png
C:\Program Files\WindowsApps\Microsoft.Todos_0.33.33351.0_x64__8wekyb3d8bbwe\Assets\Square44x44Logo.targetsize-24_altform-unplated_contrast-black.png
C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppValueProp.svg
C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.2103.1172.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\Images\EdgeLogo.scale-100.png
C:\Program Files\WindowsApps\Microsoft.WindowsNotepad_10.2102.13.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-white\NotepadLargeTile.scale-100.png
C:\Program Files\WindowsApps\Microsoft.GetHelp_10.2008.32311.0_x64__8wekyb3d8bbwe\Assets\contrast-white\GetHelpAppList.targetsize-64_altform-lightunplated_contrast-white.png
C:\Program Files\WindowsApps\Microsoft.People_10.1909.12456.0_x64__8wekyb3d8bbwe\Assets\contrast-white\PeopleAppList.targetsize-32_altform-lightunplated.png
C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\CardUIBkg.scale-200.HCWhite.png
C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.6.10571.0_x64__8wekyb3d8bbwe\Microsoft.Terminal.Settings.Editor\Interaction.xaml
C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\theme\node_modules\@uifabric\utilities\lib-amd\dom\getWindow.js
C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Getstarted_10.2.41172.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\TipsStoreLogo.scale-200_contrast-black.png
C:\Program Files\WindowsApps\Microsoft.BingNews_1.0.6.0_x64__8wekyb3d8bbwe\Assets\AppTiles\NewsAppList.targetsize-60_altform-lightunplated.png
C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.2012.21.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-36_altform-lightunplated_contrast-white.png
C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailAppList.targetsize-72.png
C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-black\LinkedInboxMediumTile.scale-400.png
C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.2103.1172.0_x64__8wekyb3d8bbwe\Assets\contrast-black\FeedbackHubAppList.targetsize-64.png
C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\AppIcon.targetsize-30_altform-unplated.png
C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.21012.10511.0_x64__8wekyb3d8bbwe\Assets\contrast-black\WideLogo.scale-200_contrast-black.png
C:\Program Files\WindowsApps\Microsoft.BingWeather_1.0.6.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\WeatherAppList.scale-125_contrast-black.png
C:\Program Files\WindowsApps\Microsoft.Paint_10.2104.17.0_x64__8wekyb3d8bbwe\Assets\PaintWideTile.scale-150.png
C:\Program Files\WindowsApps\Microsoft.People_10.1909.12456.0_x64__8wekyb3d8bbwe\Assets\PeopleAppList.targetsize-96.png
C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_4.0.2.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\Icons\StickyNotesSplashScreen.scale-100_contrast-black.png
C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-Advanced-Dark.scale-250.png
C:\Program Files\WindowsApps\Microsoft.WindowsNotepad_10.2102.13.0_x64__8wekyb3d8bbwe\Assets\NotepadAppList.targetsize-48.png
C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.50.24002.0_x64__8wekyb3d8bbwe\GameBar.exe
C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.21012.10511.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-96_altform-unplated.png
C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.21012.10511.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-96_contrast-white.png
C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols.xml
C:\Program Files\WindowsApps\Microsoft.Paint_10.2104.17.0_x64__8wekyb3d8bbwe\Assets\contrast-white\PaintWideTile.scale-150.png

Drops file in Windows directory

Description: File opened for modification | Process: C:\ProgramData\SoftwareDistribution\Bypass.exe | Target: N/A (identical for every row below)
Indicator:
C:\Windows\Boot\EFI\pl-PL\memtest.efi.mui
C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_winpe-mdac-package-..oyment-languagepack_31bf3856ad364e35_10.0.22000.348_tr-tr_d9930ba32c30bd80.manifest
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\System.Transactions.dll
C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-l..terprises.resources_31bf3856ad364e35_10.0.22000.493_nb-no_b8c6ec823a751911.manifest
C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-msmpeg2adec_31bf3856ad364e35_10.0.22000.120_none_8d3f84003c853cc8.manifest
C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\Microsoft-NanoServer-Containers-Bridge-Package~31bf3856ad364e35~amd64~it-IT~10.0.22000.184.mum
C:\Windows\ImmersiveControlPanel\images\logo.targetsize-32_altform-unplated_contrast-black.png
C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\Containers-Edition-UtilityVM-Package~31bf3856ad364e35~amd64~zh-TW~10.0.22000.184.mum
C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\Microsoft-OneCore-Console-Driver-Boot-Package~31bf3856ad364e35~amd64~~10.0.22000.71.mum
C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\Containers-Client-Manager-Package~31bf3856ad364e35~amd64~ko-KR~10.0.22000.37.mum
C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-l..fessional.resources_31bf3856ad364e35_10.0.22000.493_es-es_58778a1edebc6c0d.manifest
C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-migrationengine_31bf3856ad364e35_10.0.22000.348_none_53ff6ed560767984.manifest
C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-s..fications.resources_31bf3856ad364e35_10.0.22000.184_pt-pt_b9273372fa420a14.manifest
C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_winpe-wmi-package-o..oreadmin-deployment_31bf3856ad364e35_10.0.22000.493_none_586aa101c36cd1a3.manifest
C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\Containers-DisposableClientVM-Package~31bf3856ad364e35~amd64~ru-RU~10.0.22000.37.mum
C:\Windows\INF\mdmcom1.inf
C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\Containers-OptionalFeature-DisposableClientVM-Package~31bf3856ad364e35~amd64~ca-ES~10.0.22000.37.cat
C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-s..stack-msg.resources_31bf3856ad364e35_10.0.22000.469_pt-pt_60068df684bc9aa6.manifest
C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-s..dminflows.resources_31bf3856ad364e35_10.0.22000.184_eu-es_fce5d738345f0d24.manifest
C:\Windows\INF\mdmtexas.inf
C:\Windows\Provisioning\Packages\Power.EnergyEstimationEngine.StandbyActivation.ppkg
C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-s..s-storage.resources_31bf3856ad364e35_10.0.22000.132_eu-es_f7ed7840c3bdd894.manifest
C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-w..oyment-languagepack_31bf3856ad364e35_10.0.22000.376_eu-es_c47ecb97d1c23e20.manifest
C:\Windows\diagnostics\system\Audio\CL_RunDiagnosticScript.ps1
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\TLBREF.DLL
C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-s..oyment-languagepack_31bf3856ad364e35_10.0.22000.348_nb-no_d50998f9be333ea3.manifest
C:\Windows\INF\bth.inf
C:\Windows\INF\c_swdevice.inf
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\System.Windows.Controls.Ribbon.dll
C:\Windows\PolicyDefinitions\en-US\SkyDrive.adml
C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\Containers-Server-SDN-Package~31bf3856ad364e35~amd64~~10.0.22000.376.cat
C:\Windows\DiagTrack\analyticsevents.dat
C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-l..essionaln.resources_31bf3856ad364e35_10.0.22000.493_hr-hr_a0cfd1d699225d95.manifest
C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-propsys.resources_31bf3856ad364e35_7.0.22000.184_ar-sa_5e9497139d956fb3.manifest
C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-search-adm.resources_31bf3856ad364e35_7.0.22000.120_it-it_86a93694608dfb55.manifest
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Data.DataSetExtensions.dll
C:\Windows\INF\UsbccidDriver.inf
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Microsoft.Build.Utilities.v4.0.dll
C:\Windows\INF\netwtw10.inf
C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-networkicon.resources_31bf3856ad364e35_10.0.22000.184_nb-no_a0b5b21722e5a57e.manifest
C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_winpe-hta-package-o..oyment-languagepack_31bf3856ad364e35_10.0.22000.348_ar-sa_1a1ee2a15c4c70bd.manifest
C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\Microsoft-OneCore-CoreSystem-Core-merged-Package~31bf3856ad364e35~amd64~lv-LV~10.0.22000.434.mum
C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\icudt40.dll
C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\Containers-DisposableClientVM-Package~31bf3856ad364e35~amd64~da-DK~10.0.22000.37.mum
C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\Microsoft-OneCore-Connectivity-UsbHost-Package~31bf3856ad364e35~amd64~~10.0.22000.469.mum
C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-web-app-host.resources_31bf3856ad364e35_10.0.22000.348_bg-bg_a5455e1717d95a61.manifest
C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-w..oyment-languagepack_31bf3856ad364e35_10.0.22000.184_nl-nl_66ee149122c88935.manifest
C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\Composition-Core-Package~31bf3856ad364e35~amd64~zh-CN~10.0.22000.184.cat
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\IEExecRemote.dll
C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-p..iagnostic.resources_31bf3856ad364e35_10.0.22000.120_pt-br_28dd89a0c5afefc4.manifest
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Web.Routing.dll
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Windows.dll
C:\Windows\Cursors\aero_ew_l.cur
C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\HyperV-Networking-Containers-Package~31bf3856ad364e35~amd64~en-GB~10.0.22000.37.cat
C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-u..oyment-languagepack_31bf3856ad364e35_10.0.22000.258_ro-ro_8802edaefe23a867.manifest
C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_networking-mpssvc-svc.resources_31bf3856ad364e35_10.0.22000.184_hu-hu_6c8459dbeb2b8f8d.manifest
C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-l..skmanager.resources_31bf3856ad364e35_10.0.22000.120_pt-pt_ed1ca243ad72285f.manifest
File opened for modification C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-wcmapi_31bf3856ad364e35_10.0.22000.37_none_219f19881e2329dc.manifest C:\ProgramData\SoftwareDistribution\Bypass.exe N/A
File opened for modification C:\Windows\INF\cht4nulx64.inf C:\ProgramData\SoftwareDistribution\Bypass.exe N/A
File opened for modification C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-mlang.resources_31bf3856ad364e35_10.0.22000.348_uk-ua_aba3690dc6205acd.manifest C:\ProgramData\SoftwareDistribution\Bypass.exe N/A
File opened for modification C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-s..ndlers-nt.resources_31bf3856ad364e35_10.0.22000.160_sk-sk_e55d39a828a64c42.manifest C:\ProgramData\SoftwareDistribution\Bypass.exe N/A
File opened for modification C:\Windows\Boot\EFI\bootmgfw.efi C:\ProgramData\SoftwareDistribution\Bypass.exe N/A
File opened for modification C:\Windows\Fonts\smaf1255.fon C:\ProgramData\SoftwareDistribution\Bypass.exe N/A
File opened for modification C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-l..skmanager.resources_31bf3856ad364e35_10.0.22000.120_fr-fr_8d216f363447c2eb.manifest C:\ProgramData\SoftwareDistribution\Bypass.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\SoftwareDistribution\Bypass.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3192 wrote to memory of 1180 N/A C:\Users\Admin\AppData\Local\Temp\Loader.exe C:\Windows\system32\cmd.exe
PID 1180 wrote to memory of 2056 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cacls.exe
PID 1180 wrote to memory of 2884 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2884 wrote to memory of 1936 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2884 wrote to memory of 2508 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\choice.exe
PID 2884 wrote to memory of 4972 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2884 wrote to memory of 4508 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2884 wrote to memory of 1396 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\Loader\572stuOQ0pZG2Xj.exe
PID 2884 wrote to memory of 2068 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\Loader\Loader.exe
PID 1396 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\Loader\572stuOQ0pZG2Xj.exe C:\ProgramData\SoftwareDistribution\Bypass.exe
PID 2068 wrote to memory of 2132 N/A C:\Users\Admin\AppData\Local\Temp\Loader\Loader.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2068 wrote to memory of 3436 N/A C:\Users\Admin\AppData\Local\Temp\Loader\Loader.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2068 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\Loader\Loader.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2884 wrote to memory of 2136 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WScript.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Loader.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Loader\AntiCheatBypass.bat" "

C:\Windows\system32\cacls.exe

"C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Loader\AntiCheatBypasss.bat

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath 'C:\'

C:\Windows\system32\choice.exe

choice /c y /n /t 10 /d y

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit /t REG_SZ /d "C:\WINDOWS\system32\userinit.exe, C:\Users\skeet\AppData\Local\Temp\Loader\572stuOQ0pZG2Xj.exe" /f

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell /t REG_SZ /d "C:\WINDOWS\system32\explorer.exe, C:\ProgramData\SoftwareDistribution\572stuOQ0pZG2Xj.exe" /f

C:\Users\Admin\AppData\Local\Temp\Loader\572stuOQ0pZG2Xj.exe

C:\Users\Admin\AppData\Local\Temp\Loader\572stuOQ0pZG2Xj.exe

C:\Users\Admin\AppData\Local\Temp\Loader\Loader.exe

C:\Users\Admin\AppData\Local\Temp\Loader\Loader.exe

C:\ProgramData\SoftwareDistribution\Bypass.exe

"C:\ProgramData\SoftwareDistribution\Bypass.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Loader\vO7REz65fRBWcJa.vbs"

C:\Windows\system32\BackgroundTransferHost.exe

"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x4 /state0:0xa3a2b855 /state1:0x41c64e6d

Network

Country Destination Domain Proto
US 8.8.8.8:53 backcreammykiel.shop udp
US 172.67.151.5:443 backcreammykiel.shop tcp
US 172.67.221.74:443 publicitycharetew.shop tcp
US 8.8.8.8:53 5.151.67.172.in-addr.arpa udp
US 104.21.91.87:443 computerexcudesp.shop tcp
US 172.67.165.84:443 leafcalfconflcitw.shop tcp
US 172.67.164.156:443 injurypiggyoewirog.shop tcp
US 104.21.0.91:443 bargainnygroandjwk.shop tcp
RU 92.53.96.121:80 ck66916.tw1.ru tcp
US 172.67.188.235:443 disappointcredisotw.shop tcp
US 8.8.8.8:53 91.0.21.104.in-addr.arpa udp
US 104.21.96.2:443 doughtdrillyksow.shop tcp
US 172.67.144.241:443 facilitycoursedw.shop tcp
US 8.8.8.8:53 241.144.67.172.in-addr.arpa udp
GB 92.123.128.164:443 tcp
US 20.42.65.88:443 browser.pipe.aria.microsoft.com tcp
BE 23.41.178.98:443 r.bing.com tcp
SE 2.21.96.97:443 ow1.res.office365.com tcp
US 52.108.8.254:443 wac-ring.msedge.net tcp

Files

C:\Users\Admin\AppData\Local\Temp\Loader\AntiCheatBypass.bat

MD5 4c44aab923a5c7719850e5138ecb64c0
SHA1 9634bb1db8ed400b033225a849c88c7908d61b3d
SHA256 63047a792bde6efb6aab1a6dbb178f55b6ae86317d75cb4470e51dd0ef76be2e
SHA512 98fd476c2b48be92a6101ff71514818eca6c7849ad17097b86babbbae9ecc9ff60a0a88c143a6ccbb67f002798531ab3717ad3fd7246de53c49b8daaeebad8f0

C:\Users\Admin\AppData\Local\Temp\Loader\AntiCheatBypasss.bat

MD5 67789813c0d52fa2d7bfbffd5d572e6e
SHA1 52389d023f55bda8aba2efdbe82ee48c17f19639
SHA256 ab044df54893f5f2e54233fc6ea4ef6dd8a9a0731a893734f287e62eeae0c3cf
SHA512 467f875a6bf70a39fcb4918952706d41f92c0166c4c2ad2a9c6b2207c7ac076a155dbc9b7682e65f9f9498c3636bd2b04e2aad5b2b89a185ea22bb6146980527

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zhjiu5uw.apk.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\Loader\572stuOQ0pZG2Xj.exe

MD5 43af303e1f32ce8c477abbfb07887ea2
SHA1 c69b0f73b6219d05cec8258c445af5f39d3313c9
SHA256 37493d6b5fd0f186bb2e70edfafe91f28b43938293965461a7eefb5cca4c36bf
SHA512 68d0ed901c7aa8bc6de3f8d83fea9c0a362d6582ea54b052941f9a02c25b9bb32b096bd8efe73506985ad7b94eea0757a35cb3924e845d8f69216ce999327774

C:\Users\Admin\AppData\Local\Temp\Loader\Loader.exe

MD5 b6c3c00d7cf6d8d13f20dbc590a675ad
SHA1 a36e5c3c94f7abe3cbdfd3418e3ae03e66aa5323
SHA256 0021b20ecb3a2d562118bae38f00d1bdffc8facda49c8e1d1995966e1cd7957c
SHA512 e6f5165b9678cc6818d0213e84a6fdfb606af69dd6be67ea3db12dbb4a8b3503afcb9dc729a727691bef2374a355ea3ab7d8f8864adcab87d0cfee892c660eba

C:\ProgramData\SoftwareDistribution\Bypass.exe

MD5 93e99fb34ac2cd9d6e867e24dcafb2ab
SHA1 c6ee148abc972494c2912e68534512160372f4a6
SHA256 8cf7a779191a6b146749de10a52303201d4c72621f04d1336d51f400256d662e
SHA512 65ade8226509bdf7b160f04bc6cbb12c790c7a960ddee6776aa0e6094246062f323a80dd2d858a49aafef5cc5db2ade00a8a42d939ff3571029172aa7d34d877

C:\Users\Admin\AppData\Local\Temp\Loader\vO7REz65fRBWcJa.vbs

MD5 f6c38031293030ef28e5806abb9d072d
SHA1 1c5c39f986c9e717d85321536e44541aa3a6f33b
SHA256 76166b3a990a0f6606fa9ad1ed52daa04ce37f813865c539e5d1f68da9ebeba1
SHA512 8bfbac376e92ce870310926bdf42fbcce4ec10829e508c6e2b546d25da77b78ad8f2b7718c5cc1409962da7214d83f379b3ee6cba6b9849a3a525aa4029035b2

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 627073ee3ca9676911bee35548eff2b8
SHA1 4c4b68c65e2cab9864b51167d710aa29ebdcff2e
SHA256 85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c
SHA512 3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d0a4a3b9a52b8fe3b019f6cd0ef3dad6
SHA1 fed70ce7834c3b97edbd078eccda1e5effa527cd
SHA256 21942e513f223fdad778348fbb20617dd29f986bccd87824c0ae7f15649f3f31
SHA512 1a66f837b4e7fb6346d0500aeacb44902fb8a239bce23416271263eba46fddae58a17075e188ae43eb516c841e02c87e32ebd73256c7cc2c0713d00c35f1761b

C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\b651c4cd-cd72-474c-abf3-9ef5fd5d724d.down_data

MD5 5683c0028832cae4ef93ca39c8ac5029
SHA1 248755e4e1db552e0b6f8651b04ca6d1b31a86fb
SHA256 855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e
SHA512 aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3