File name:

Bypass.exe

Full analysis: https://app.any.run/tasks/91f04166-22f1-4747-a131-ddf7c63940d2
Verdict: Malicious activity
Analysis date: December 14, 2024, 03:55:27
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
autoit
discord
themida
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64, for MS Windows, 12 sections
MD5:

16CD567B18F96EE4DB95E068AC320F81

SHA1:

21C613A4127B3F91898A0C2EB3149AC1807A952E

SHA256:

9B0F6F1FB2747E035A44E3547A326EC4A82A711694A214107E8943F24985F060

SSDEEP:

98304:GjrfaB3SPURI2cMuN1kksL5+/fKktnlKa68bWsKz4ccEdBttClLhGZSRQ417xQ7I:VxsmkhoqdEYQAX

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Starts NET.EXE for service management

      • cmd.exe (PID: 3552)
      • net.exe (PID: 5872)
      • net.exe (PID: 3564)
      • cmd.exe (PID: 5244)
      • net.exe (PID: 520)
      • cmd.exe (PID: 5920)

  • SUSPICIOUS

    • Reads the BIOS version

      • Bypass.exe (PID: 3288)

    • Reads security settings of Internet Explorer

      • Bypass.exe (PID: 3288)

    • Potential Corporate Privacy Violation

      • Bypass.exe (PID: 3288)

    • Starts SC.EXE for service management

      • cmd.exe (PID: 4764)
      • cmd.exe (PID: 2356)

    • Checks Windows Trust Settings

      • Bypass.exe (PID: 3288)

    • Starts CMD.EXE for commands execution

      • Bypass.exe (PID: 3288)

  • INFO

    • Reads mouse settings

      • Bypass.exe (PID: 3288)

    • Reads the computer name

      • Bypass.exe (PID: 3288)

    • The sample compiled with english language support

      • Bypass.exe (PID: 3288)

    • Checks proxy server information

      • Bypass.exe (PID: 3288)

    • Checks supported languages

      • Bypass.exe (PID: 3288)

    • Reads the machine GUID from the registry

      • Bypass.exe (PID: 3288)

    • Reads the software policy settings

      • Bypass.exe (PID: 3288)

    • The process uses AutoIt

      • Bypass.exe (PID: 3288)

    • Themida protector has been detected

      • Bypass.exe (PID: 3288)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Generic Win/DOS Executable (50)
.exe | DOS Executable Generic (49.9)

EXIF

EXE

CharacterSet: Unicode
LanguageCode: English (British)
FileSubtype: -
ObjectFileType: Executable application
FileOS: Win32
FileFlags: (none)
FileFlagsMask: 0x0000
ProductVersionNumber: 0.0.0.0
FileVersionNumber: 0.0.0.0
Subsystem: Windows GUI
SubsystemVersion: 5.2
ImageVersion: -
OSVersion: 5.2
EntryPoint: 0x746058
UninitializedDataSize: -
InitializedDataSize: 472064
CodeSize: 734208
LinkerVersion: 14.16
PEType: PE32+
ImageFileCharacteristics: Executable, Large address aware
TimeStamp: 2023:07:12 12:21:20+00:00
MachineType: AMD AMD64
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
136
Monitored processes
19
Malicious processes
1
Suspicious processes
3

Behavior graph

Click at the process to see the details
start bypass.exe cmd.exe no specs conhost.exe no specs net.exe no specs net1.exe no specs cmd.exe no specs conhost.exe no specs net.exe no specs net1.exe no specs cmd.exe no specs conhost.exe no specs sc.exe no specs cmd.exe no specs conhost.exe no specs net.exe no specs net1.exe no specs cmd.exe no specs conhost.exe no specs sc.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3288"C:\Users\admin\Desktop\Bypass.exe" C:\Users\admin\Desktop\Bypass.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\desktop\bypass.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\psapi.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
3552C:\WINDOWS\system32\cmd.exe /c net start TECHC:\Windows\System32\cmd.exeBypass.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
2
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
5592\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
3564net start TECHC:\Windows\System32\net.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Net Command
Exit code:
2
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\net.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
5000C:\WINDOWS\system32\net1 start TECHC:\Windows\System32\net1.exenet.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Net Command
Exit code:
2
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\net1.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\netutils.dll
c:\windows\system32\samcli.dll
5244C:\WINDOWS\system32\cmd.exe /c net stop FACEITC:\Windows\System32\cmd.exeBypass.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
2
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
2600\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
5872net stop FACEITC:\Windows\System32\net.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Net Command
Exit code:
2
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\net.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
4672C:\WINDOWS\system32\net1 stop FACEITC:\Windows\System32\net1.exenet.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Net Command
Exit code:
2
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\net1.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\samcli.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\bcrypt.dll
4764C:\WINDOWS\system32\cmd.exe /c sc delete FACEITC:\Windows\System32\cmd.exeBypass.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1060
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
Total events
3 681
Read events
3 678
Write events
3
Delete events
0

Modification events

(PID) Process:(3288) Bypass.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(3288) Bypass.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(3288) Bypass.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
Executable files
0
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

No data
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
5
TCP/UDP connections
17
DNS requests
8
Threats
3

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3288
Bypass.exe
GET
142.250.185.174:80
http://google.com/utc/now?format=\Y/\m/\d%20\H:\M:\S
unknown
whitelisted
4712
MoUsoCoreWorker.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
5004
svchost.exe
GET
200
23.216.77.28:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5004
svchost.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
GET
404
162.159.134.233:443
https://cdn.discordapp.com/attachments/1098959091373707285/1128633004655382638/Mouseinput.dll
unknown
text
36 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
192.168.100.255:137
whitelisted
4712
MoUsoCoreWorker.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5004
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
3288
Bypass.exe
142.250.185.174:80
google.com
GOOGLE
US
whitelisted
5004
svchost.exe
23.216.77.28:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
5004
svchost.exe
23.35.229.160:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
4712
MoUsoCoreWorker.exe
23.35.229.160:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
3288
Bypass.exe
162.159.130.233:443
cdn.discordapp.com
CLOUDFLARENET
shared

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 51.124.78.146
whitelisted
google.com
  • 142.250.185.174
whitelisted
crl.microsoft.com
  • 23.216.77.28
  • 23.216.77.6
whitelisted
www.microsoft.com
  • 23.35.229.160
whitelisted
cdn.discordapp.com
  • 162.159.130.233
  • 162.159.133.233
  • 162.159.129.233
  • 162.159.134.233
  • 162.159.135.233
shared
self.events.data.microsoft.com
  • 20.189.173.13
whitelisted

Threats

PID
Process
Class
Message
Potential Corporate Privacy Violation
ET POLICY Autoit Windows Automation tool User-Agent in HTTP Request - Possibly Hostile
Misc activity
ET INFO Observed Discord Domain in DNS Lookup (discordapp .com)
Misc activity
ET INFO Observed Discord Domain (discordapp .com in TLS SNI)
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
Bypass.exe