File name:

bypass.exe

Full analysis: https://app.any.run/tasks/2f7b090c-00da-4e0a-911d-53087cf6ad9b
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: November 03, 2024, 13:21:18
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
themida
loader
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64, for MS Windows, 13 sections
MD5:

4AC0113E4EF37CF7F5294249EC2DD6D4

SHA1:

90E98DF3458682861676ECD363F4719D5DE90828

SHA256:

C3D67593DEA4149CD776C95B72A8F0786D94D398635E921A5DC0EB3661D62146

SSDEEP:

98304:yEfkAlH95ZIcFxVKaejZ2yvVPoy51kjiURch6qCpmcX/CAoiTeNxaSS/o499upOI:nAAg/h7D2ZE+tx3o1

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    • Reads the BIOS version

      • bypass.exe (PID: 6364)

    • Reads security settings of Internet Explorer

      • bypass.exe (PID: 6364)

    • Checks Windows Trust Settings

      • bypass.exe (PID: 6364)

    • Executable content was dropped or overwritten

      • bypass.exe (PID: 6364)

  • INFO

    • Checks supported languages

      • bypass.exe (PID: 6364)

    • Process checks whether UAC notifications are on

      • bypass.exe (PID: 6364)

    • Creates files in the program directory

      • bypass.exe (PID: 6364)

    • Creates files or folders in the user directory

      • bypass.exe (PID: 6364)

    • Reads the computer name

      • bypass.exe (PID: 6364)

    • Themida protector has been detected

      • bypass.exe (PID: 6364)

    • Reads the software policy settings

      • bypass.exe (PID: 6364)

    • Checks proxy server information

      • bypass.exe (PID: 6364)

    • Reads the machine GUID from the registry

      • bypass.exe (PID: 6364)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2024:09:02 05:25:03+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.37
CodeSize: 20992
InitializedDataSize: 16896
UninitializedDataSize: -
EntryPoint: 0xd512c0
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
126
Monitored processes
2
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start THREAT bypass.exe bypass.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
5172"C:\Users\admin\Desktop\bypass.exe" C:\Users\admin\Desktop\bypass.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221226540
Modules
Images
c:\users\admin\desktop\bypass.exe
c:\windows\system32\ntdll.dll
6364"C:\Users\admin\Desktop\bypass.exe" C:\Users\admin\Desktop\bypass.exe
explorer.exe
User:
admin
Integrity Level:
HIGH
Modules
Images
c:\users\admin\desktop\bypass.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
Total events
3 540
Read events
3 537
Write events
3
Delete events
0

Modification events

(PID) Process:(6364) bypass.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(6364) bypass.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(6364) bypass.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
Executable files
2
Suspicious files
1
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
6364bypass.exeC:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\seet1[1].txtexecutable
MD5:75E248D176B63217173DA4F16AFC4AAD
SHA256:EAB03BA726FE8D36C8A047AA43F1F69C2F3F3E460A30946C2563F73AA0D8CD9A
6364bypass.exeC:\Windows\SysWOW64\NR9.dllexecutable
MD5:75E248D176B63217173DA4F16AFC4AAD
SHA256:EAB03BA726FE8D36C8A047AA43F1F69C2F3F3E460A30946C2563F73AA0D8CD9A
6364bypass.exeC:\ProgramData\mntempbinary
MD5:930134AC16FF846EEF132F07AD2E9884
SHA256:60B795699E65CD4290A10016F60F282AADB7D7D7A4E34D1FB18E85CDB2DFE370
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
8
TCP/UDP connections
25
DNS requests
10
Threats
6

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2464
RUXIMICS.exe
GET
200
23.32.238.107:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
6944
svchost.exe
GET
200
23.32.238.107:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5488
MoUsoCoreWorker.exe
GET
200
23.32.238.107:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
6944
svchost.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
5488
MoUsoCoreWorker.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
2464
RUXIMICS.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
GET
200
162.125.72.15:443
https://dl.dropboxusercontent.com/scl/fi/up46i27aceomn4f07tobf/seet1.txt?rlkey=qexihtjkfzn3guyategijbzan&st=tkinkazs&dl=0
unknown
executable
10.6 Mb
whitelisted
GET
302
162.125.72.15:443
https://dl.dropbox.com/scl/fi/up46i27aceomn4f07tobf/seet1.txt?rlkey=qexihtjkfzn3guyategijbzan&st=tkinkazs&dl=0
unknown
text
206 b
shared
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
6944
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
104.126.37.170:443
www.bing.com
Akamai International B.V.
DE
whitelisted
2464
RUXIMICS.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5488
MoUsoCoreWorker.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
6944
svchost.exe
23.32.238.107:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
2464
RUXIMICS.exe
23.32.238.107:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
5488
MoUsoCoreWorker.exe
23.32.238.107:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
6944
svchost.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 20.73.194.208
whitelisted
www.bing.com
  • 104.126.37.170
  • 104.126.37.131
  • 104.126.37.184
  • 104.126.37.130
  • 104.126.37.160
  • 104.126.37.163
  • 104.126.37.179
  • 104.126.37.137
  • 104.126.37.139
whitelisted
google.com
  • 172.217.16.142
whitelisted
crl.microsoft.com
  • 23.32.238.107
  • 23.32.238.112
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
dl.dropbox.com
  • 162.125.72.15
shared
dl.dropboxusercontent.com
  • 162.125.72.15
shared
self.events.data.microsoft.com
  • 52.178.17.3
whitelisted

Threats

PID
Process
Class
Message
6364
bypass.exe
Misc activity
ET INFO DropBox User Content Download Access over SSL M2
6364
bypass.exe
Misc activity
ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI)
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
A Network Trojan was detected
ET MALWARE Possible Windows executable sent when remote host claims to send a Text File
Misc activity
ET INFO EXE - Served Inline HTTP
1 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
bypass.exe