File name:

BypassESU-v11.exe

Full analysis: https://app.any.run/tasks/de55c008-e1c0-4110-9335-b9121592a20d
Verdict: Malicious activity
Analysis date: April 15, 2021, 09:15:18
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

F9631E7F44FB896F99F6E72DAE4EED88

SHA1:

71FB0188387B4721EE44E8BDA0DF449759346F38

SHA256:

ADAD58131A9F8130646B342B94BDA894FF66C59C2063A55B27EA175EEE28CA37

SSDEEP:

12288:0RZ+IoG/n9IQxW3OBseNX+t/RbSVkqmSKWgy9Y4S+alMBC11HivuY0oWVDWfXSA+:O2G/nvxW3WKtSmqm1Wgy9Yx+agG1CvzI

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops executable file immediately after starts

      • BypassESU-v11.exe (PID: 3404)
      • bbe.exe (PID: 1548)
      • bbe.exe (PID: 3212)
      • Dism.exe (PID: 1148)

    • Starts NET.EXE for service management

      • cmd.exe (PID: 2712)
      • cmd.exe (PID: 1044)
      • cmd.exe (PID: 2692)
      • cmd.exe (PID: 2332)
      • cmd.exe (PID: 3228)
      • cmd.exe (PID: 1928)
      • cmd.exe (PID: 3652)

    • Runs injected code in another process

      • superUser32.exe (PID: 1428)
      • superUser32.exe (PID: 2456)
      • superUser32.exe (PID: 3904)
      • superUser32.exe (PID: 444)

    • Application was injected by another process

      • cmd.exe (PID: 1044)
      • cmd.exe (PID: 2332)
      • cmd.exe (PID: 1896)
      • cmd.exe (PID: 3652)

    • Application was dropped or rewritten from another process

      • superUser32.exe (PID: 1428)
      • bbe.exe (PID: 1548)
      • bbe.exe (PID: 1920)
      • bbe.exe (PID: 3212)
      • superUser32.exe (PID: 2456)
      • superUser32.exe (PID: 3904)
      • bbe.exe (PID: 3676)
      • superUser32.exe (PID: 444)
      • dismhost.exe (PID: 2496)

    • Uses NET.EXE to stop Windows Update service

      • cmd.exe (PID: 1044)
      • cmd.exe (PID: 2332)

    • Loads the Task Scheduler COM API

      • schtasks.exe (PID: 2196)
      • schtasks.exe (PID: 3000)
      • schtasks.exe (PID: 3564)
      • schtasks.exe (PID: 2940)
      • schtasks.exe (PID: 3644)
      • schtasks.exe (PID: 1196)
      • schtasks.exe (PID: 2716)

    • Uses Task Scheduler to run other applications

      • cmd.exe (PID: 1044)
      • cmd.exe (PID: 2332)
      • cmd.exe (PID: 1896)

    • Creates or modifies windows services

      • reg.exe (PID: 3552)
      • reg.exe (PID: 2288)
      • reg.exe (PID: 2720)
      • reg.exe (PID: 2516)

    • Loads dropped or rewritten executable

      • svchost.exe (PID: 876)
      • svchost.exe (PID: 772)
      • Dism.exe (PID: 1148)
      • dismhost.exe (PID: 2496)
      • TrustedInstaller.exe (PID: 2088)
      • TrustedInstaller.exe (PID: 768)

  • SUSPICIOUS

    • Reads internet explorer settings

      • BypassESU-v11.exe (PID: 1940)

    • Drops a file with too old compile date

      • BypassESU-v11.exe (PID: 3404)
      • cmd.exe (PID: 1044)
      • cmd.exe (PID: 1896)
      • Dism.exe (PID: 1148)

    • Application launched itself

      • BypassESU-v11.exe (PID: 1940)
      • cmd.exe (PID: 2712)
      • cmd.exe (PID: 2384)
      • cmd.exe (PID: 1936)
      • cmd.exe (PID: 2280)
      • cmd.exe (PID: 2692)
      • cmd.exe (PID: 2332)
      • cmd.exe (PID: 3228)
      • cmd.exe (PID: 1896)
      • cmd.exe (PID: 3828)
      • cmd.exe (PID: 1928)
      • cmd.exe (PID: 3652)

    • Executable content was dropped or overwritten

      • BypassESU-v11.exe (PID: 3404)
      • cmd.exe (PID: 1044)
      • bbe.exe (PID: 1548)
      • bbe.exe (PID: 3212)
      • cmd.exe (PID: 1896)
      • bbe.exe (PID: 3676)
      • Dism.exe (PID: 1148)

    • Starts CMD.EXE for commands execution

      • cmd.exe (PID: 2712)
      • cmd.exe (PID: 1044)
      • TrustedInstaller.exe (PID: 2088)
      • cmd.exe (PID: 2384)
      • cmd.exe (PID: 1936)
      • cmd.exe (PID: 2692)
      • cmd.exe (PID: 2332)
      • cmd.exe (PID: 2280)
      • cmd.exe (PID: 3228)
      • cmd.exe (PID: 1896)
      • cmd.exe (PID: 3828)
      • cmd.exe (PID: 1928)
      • cmd.exe (PID: 3652)

    • Uses REG.EXE to modify Windows registry

      • cmd.exe (PID: 2712)
      • cmd.exe (PID: 1044)
      • cmd.exe (PID: 2384)
      • cmd.exe (PID: 1936)
      • cmd.exe (PID: 2280)
      • cmd.exe (PID: 2692)
      • cmd.exe (PID: 2332)
      • cmd.exe (PID: 3228)
      • cmd.exe (PID: 1896)
      • cmd.exe (PID: 3828)
      • cmd.exe (PID: 1928)
      • cmd.exe (PID: 3652)
      • cmd.exe (PID: 2536)

    • Uses WHOAMI.EXE to obtaining logged on user information

      • cmd.exe (PID: 2712)
      • cmd.exe (PID: 1044)
      • cmd.exe (PID: 2692)
      • cmd.exe (PID: 2332)
      • cmd.exe (PID: 3228)
      • cmd.exe (PID: 1896)
      • cmd.exe (PID: 3652)
      • cmd.exe (PID: 1928)

    • Creates files in the Windows directory

      • TrustedInstaller.exe (PID: 2088)
      • cmd.exe (PID: 1044)
      • svchost.exe (PID: 876)
      • bbe.exe (PID: 1548)
      • cmd.exe (PID: 1896)
      • bbe.exe (PID: 3676)
      • cmd.exe (PID: 3652)
      • TrustedInstaller.exe (PID: 768)

    • Starts CHOICE.EXE (used to create a delay)

      • cmd.exe (PID: 1044)
      • cmd.exe (PID: 2332)
      • cmd.exe (PID: 1896)
      • cmd.exe (PID: 3652)

    • Starts SC.EXE for service management

      • cmd.exe (PID: 1044)
      • cmd.exe (PID: 2384)
      • cmd.exe (PID: 1936)
      • cmd.exe (PID: 2280)
      • cmd.exe (PID: 2332)
      • cmd.exe (PID: 1896)
      • cmd.exe (PID: 3828)
      • cmd.exe (PID: 3652)

    • Executed via Task Scheduler

      • cmd.exe (PID: 2384)
      • cmd.exe (PID: 3828)

    • Drops a file that was compiled in debug mode

      • bbe.exe (PID: 1548)
      • bbe.exe (PID: 3212)
      • bbe.exe (PID: 3676)
      • Dism.exe (PID: 1148)

    • Uses WMIC.EXE to obtain a system information

      • cmd.exe (PID: 3564)
      • cmd.exe (PID: 2860)
      • cmd.exe (PID: 1080)
      • cmd.exe (PID: 2564)
      • cmd.exe (PID: 3020)
      • cmd.exe (PID: 3776)
      • cmd.exe (PID: 3448)

    • Removes files from Windows directory

      • svchost.exe (PID: 876)
      • wermgr.exe (PID: 3004)
      • cmd.exe (PID: 2332)
      • TrustedInstaller.exe (PID: 2088)

    • Creates files in the program directory

      • wermgr.exe (PID: 3004)

  • INFO

    • Manual execution by user

      • cmd.exe (PID: 2712)
      • cmd.exe (PID: 1936)
      • cmd.exe (PID: 2280)
      • cmd.exe (PID: 2692)
      • explorer.exe (PID: 3664)
      • cmd.exe (PID: 3228)
      • cmd.exe (PID: 1928)

    • Reads settings of System Certificates

      • svchost.exe (PID: 876)
      • consent.exe (PID: 2276)
      • consent.exe (PID: 3212)

    • Dropped object may contain Bitcoin addresses

      • TrustedInstaller.exe (PID: 2088)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

Subsystem: Windows GUI
SubsystemVersion: 5.1
ImageVersion: -
OSVersion: 5.1
EntryPoint: 0x1ec40
UninitializedDataSize: -
InitializedDataSize: 252928
CodeSize: 201216
LinkerVersion: 14
PEType: PE32
TimeStamp: 2020:12:01 19:00:55+01:00
MachineType: Intel 386 or later, and compatibles

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 01-Dec-2020 18:00:55
Detected languages:
  • Chinese - PRC
Debug artifacts:
  • D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x00000118

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 6
Time date stamp: 01-Dec-2020 18:00:55
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
.text
0x00001000
0x000310EA
0x00031200
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
6.70808
.rdata
0x00033000
0x0000A612
0x0000A800
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
5.22174
.data
0x0003E000
0x00023728
0x00001000
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
3.70882
.didat
0x00062000
0x00000188
0x00000200
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
3.29825
.rsrc
0x00063000
0x0000E000
0x0000D600
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
6.81678
.reloc
0x00071000
0x00002268
0x00002400
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
6.55486

Resources

Title
Entropy
Size
Codepage
Language
Type
1
5.25329
1875
Latin 1 / Western European
Chinese - PRC
RT_MANIFEST
2
5.10026
2216
Latin 1 / Western European
Chinese - PRC
RT_ICON
3
5.25868
3752
Latin 1 / Western European
Chinese - PRC
RT_ICON
4
5.02609
1128
Latin 1 / Western European
Chinese - PRC
RT_ICON
5
5.18109
4264
Latin 1 / Western European
Chinese - PRC
RT_ICON
6
5.04307
9640
Latin 1 / Western European
Chinese - PRC
RT_ICON
7
5.24197
182
Latin 1 / Western European
Chinese - PRC
RT_STRING
8
5.27357
214
Latin 1 / Western European
Chinese - PRC
RT_STRING
9
5.21038
188
Latin 1 / Western European
Chinese - PRC
RT_STRING
10
5.11103
116
Latin 1 / Western European
Chinese - PRC
RT_STRING

Imports

KERNEL32.dll
USER32.dll (delay-loaded)
gdiplus.dll
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
269
Monitored processes
168
Malicious processes
22
Suspicious processes
8

Behavior graph

Click at the process to see the details
start drop and start bypassesu-v11.exe no specs bypassesu-v11.exe cmd.exe cmd.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs whoami.exe no specs find.exe no specs net.exe no specs net1.exe no specs superuser32.exe no specs cmd.exe choice.exe sc.exe find.exe net.exe net1.exe no specs find.exe sc.exe schtasks.exe schtasks.exe schtasks.exe cmd.exe no specs sc.exe no specs find.exe no specs sc.exe no specs find.exe no specs bbe.exe reg.exe no specs cmd.exe no specs wmic.exe no specs cmd.exe no specs sc.exe no specs find.exe no specs sc.exe no specs find.exe no specs bbe.exe no specs reg.exe no specs cmd.exe no specs wmic.exe no specs cmd.exe find.exe no specs sc.exe no specs sc.exe no specs find.exe no specs bbe.exe reg.exe no specs cmd.exe no specs wmic.exe no specs svchost.exe wermgr.exe no specs svchost.exe no specs explorer.exe no specs consent.exe no specs cmd.exe cmd.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs whoami.exe no specs find.exe no specs net.exe no specs net1.exe no specs superuser32.exe no specs cmd.exe cmd.exe wmic.exe no specs choice.exe find.exe sc.exe net.exe net1.exe no specs find.exe sc.exe schtasks.exe reg.exe reg.exe consent.exe no specs cmd.exe cmd.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs find.exe no specs whoami.exe no specs net.exe no specs net1.exe no specs superuser32.exe no specs cmd.exe reg.exe reg.exe find.exe whoami.exe cmd.exe wmic.exe no specs choice.exe sc.exe find.exe sc.exe find.exe schtasks.exe schtasks.exe schtasks.exe cmd.exe no specs sc.exe no specs find.exe no specs sc.exe no specs find.exe no specs bbe.exe reg.exe no specs cmd.exe no specs wmic.exe no specs consent.exe no specs cmd.exe cmd.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs find.exe no specs whoami.exe no specs net.exe no specs net1.exe no specs superuser32.exe no specs cmd.exe cmd.exe wmic.exe no specs choice.exe reg.exe find.exe sc.exe sc.exe find.exe reg.exe reg.exe reg.exe reg.exe reg.exe reg.exe reg.exe reg.exe cmd.exe reg.exe no specs findstr.exe no specs reg.exe reg.exe sc.exe find.exe net.exe net1.exe no specs find.exe sc.exe dism.exe dismhost.exe no specs trustedinstaller.exe no specs trustedinstaller.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
376C:\Windows\system32\cmd.exe /c verC:\Windows\system32\cmd.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
444wmic OS Get OperatingSystemSKU /value C:\Windows\System32\Wbem\WMIC.execmd.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
WMI Commandline Utility
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\wbem\wmic.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
444superUser32.exe /c cmd.exe /c ""C:\BypassESU-v11\LiveOS-Setup.cmd" -su" C:\BypassESU-v11\bin\superUser32.execmd.exe
User:
admin
Company:
Awoo~
Integrity Level:
HIGH
Description:
Run any process with TrustedInstaller privileges
Exit code:
0
Version:
4.0.0.0
Modules
Images
c:\windows\system32\ntdsapi.dll
c:\windows\system32\wbem\wbemsvc.dll
c:\program files\common files\microsoft shared\office14\msoxmlmf.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\api-ms-win-downlevel-shlwapi-l2-1-0.dll
c:\windows\system32\userenv.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\api-ms-win-downlevel-normaliz-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
620sc query wuauserv C:\Windows\System32\sc.exe
cmd.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
A tool to aid in developing services for WindowsNT
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\sc.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
664net start TrustedInstaller C:\Windows\System32\net.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Net Command
Exit code:
2
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\net.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\netutils.dll
c:\windows\system32\browcli.dll
768C:\Windows\servicing\TrustedInstaller.exeC:\Windows\servicing\TrustedInstaller.exeservices.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Modules Installer
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\servicing\trustedinstaller.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
772C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestrictedC:\Windows\System32\svchost.exeservices.exe
User:
LOCAL SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
876C:\Windows\system32\svchost.exe -k netsvcsC:\Windows\System32\svchost.exe
services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
888consent.exe 876 318 01BAF688C:\Windows\system32\consent.exesvchost.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Consent UI for administrative applications
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\consent.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
948wmic OS Get OperatingSystemSKU /value C:\Windows\System32\Wbem\WMIC.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
WMI Commandline Utility
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\wbem\wmic.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
Total events
44 381
Read events
3 712
Write events
17 617
Delete events
23 052

Modification events

(PID) Process:(1940) BypassESU-v11.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
0
(PID) Process:(1940) BypassESU-v11.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
1
(PID) Process:(1940) BypassESU-v11.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(1940) BypassESU-v11.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(1940) BypassESU-v11.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
(PID) Process:(876) svchost.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1302019708-1500728564-335382590-1000
Operation:writeName:RefCount
Value:
2
(PID) Process:(876) svchost.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1302019708-1500728564-335382590-1000
Operation:writeName:RefCount
Value:
1
(PID) Process:(876) svchost.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1302019708-1500728564-335382590-1000
Operation:writeName:RefCount
Value:
3
(PID) Process:(2552) reg.exeKey:HKEY_USERS\.DEFAULT\Console
Operation:writeName:FontSize
Value:
1048576
(PID) Process:(3244) reg.exeKey:HKEY_USERS\.DEFAULT\Console
Operation:writeName:FontWeight
Value:
400
Executable files
48
Suspicious files
6
Text files
31
Unknown types
8

Dropped files

PID
Process
Filename
Type
3404BypassESU-v11.exeC:\BypassESU-v11\bin\bbe32.exeexecutable
MD5:75D1D22C4E3A50FE57857EA1DB8E1025
SHA256:AC68F5909F1D9156077EED7B79E86AB5D9B0CD0E3982E0E64CF6CE572484844C
3404BypassESU-v11.exeC:\BypassESU-v11\bin\PatchWU.regtext
MD5:681B8CFAEA42776751CC231FE4242DED
SHA256:4885CEB1875DB33A083F06EE436CC48D8CB1BCA4D46E58785A7059AE55F0A70D
3404BypassESU-v11.exeC:\BypassESU-v11\bin\amd64_microsoft-windows-s..edsecurityupdatesai_31bf3856ad364e35_6.1.7603.25000_none_caceb5163345f228.manifestxml
MD5:246592AD66B1996B1F6E829F90051193
SHA256:45D0AE442FD92CE32EE1DDC38EA3B875EAD9A53D6A17155A10FA9D9E16BEDEB2
3404BypassESU-v11.exeC:\BypassESU-v11\bin\bbe64.exeexecutable
MD5:A21987B49C2AFF491E8DBBCBDEE40561
SHA256:59CF14D560C1A8173F76A19226446A3B61D19ED0A196A194FF71AC6AC14CB2C4
3404BypassESU-v11.exeC:\BypassESU-v11\bin\PatchWU.xmlxml
MD5:16E8CE4B6D4AAEFA13753F525DD2863A
SHA256:553E025813C1669F342C4DC2E794EFE6D7CB9E0A3FB4368DE5429EF7B7466B8E
3404BypassESU-v11.exeC:\BypassESU-v11\bin\PatchWU.cmdtext
MD5:6155EFFE606D30DC25EBD2A56F81D359
SHA256:6428D82F592FF020CE087107CB7966ECB018DD2B09DB9076645C07101464E1DE
3404BypassESU-v11.exeC:\BypassESU-v11\bin\libwim-15.dllexecutable
MD5:B6772D691F4C5F4773774E56D793EA1E
SHA256:8BFC31DF098EE56629A3F3053A820BC3D9A5E30B2DD44AD2F4BC1E82668A9FCC
3404BypassESU-v11.exeC:\BypassESU-v11\bin\PatchWU.txttext
MD5:A0ADC3B30D674E2E966E9B296AE02136
SHA256:00042135242BF9443A8CD5084DEAF26EC5B0F94BB639CA5FD14C15E138D8F67B
3404BypassESU-v11.exeC:\BypassESU-v11\bin\x64\msislc.dllexecutable
MD5:
SHA256:
3404BypassESU-v11.exeC:\BypassESU-v11\bin\sle32.dllexecutable
MD5:6413388CBD5A30FF0D8D7969D32438FA
SHA256:AE33F43CFB7246EDCAD243643B6107133BC607DBDA1D23C3661262C413896288
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
11
DNS requests
2
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
HEAD
200
205.185.216.10:80
http://download.windowsupdate.com/v9/windowsupdate/redir/muv4wuredir.cab?2104150917
US
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
40.70.224.146:443
www.update.microsoft.com
Microsoft Corporation
US
malicious
192.168.100.154:64549
malicious
192.168.100.154:137
malicious
205.185.216.10:80
download.windowsupdate.com
Highwinds Network Group, Inc.
US
whitelisted

DNS requests

Domain
IP
Reputation
download.windowsupdate.com
  • 205.185.216.10
  • 205.185.216.42
whitelisted
www.update.microsoft.com
  • 40.70.224.146
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
BypassESU-v11.exe