Bypass Detection·Jun 2, 2026

Secure-Bzpass: Process Lasso DLL Hijack with Alt+F12 Injection

Secure-Bzpass plants a malicious profapi.dll inside the Process Lasso installation directory, exploiting Windows DLL search order to load before the legitimate system copy. Injection is triggered on demand by the Alt+F12 hotkey. When the bypass unloads, the DLL file remains on disk — a persistent and recoverable artifact.

FiveMBypass DetectionDLL HijackProcess Lassoprofapi.dll

Defensive use only. Detection methodologies published for server administrators, DFIR practitioners, and anti-cheat researchers. No evasion guidance is provided.

Overview

Secure-Bzpass exploits the Windows DLL search order to hijack Process Lasso, a legitimate process priority management utility published by Bitsum Technologies. When Process Lasso starts, Windows searches for required DLLs first in the application's own directory before falling back to C:\Windows\System32. The bypass exploits this behavior by placing a malicious copy of profapi.dll — a genuine Windows Profile API library that normally lives only in System32 — directly inside the Process Lasso installation directory.

On Process Lasso startup, Windows finds the directory-local profapi.dll first and loads it into the Process Lasso process instead of the legitimate system copy. The malicious DLL exports the same function names as the real library (forwarding calls through to the genuine System32 version), ensuring Process Lasso continues to operate normally while the bypass payload executes within its process context.

Injection activation is deferred to a user-triggered hotkey: Alt+F12. This design means the bypass DLL is loaded into Process Lasso on startup but does not inject into any FiveM process until the operator manually presses the hotkey — reducing behavioral anomalies that might be detected by time-of-startup analysis. When the bypass is later "destructed" or Process Lasso is closed, the DLL unloads from memory but the profapi.dll file in the Process Lasso directory persists on disk unchanged — the primary recoverable artifact.

Primary IOCs

1

profapi.dll in Process Lasso directory — wrong location

Navigate to the Process Lasso installation directory. Common paths are C:\Program Files\Process Lasso\ or C:\Program Files (x86)\Process Lasso\. List all files and look for profapi.dll. The legitimate Process Lasso installation does not include this file — it has no reason to ship its own copy of a core Windows Profile API library. profapi.dll should exist only in C:\Windows\System32\ and C:\Windows\SysWOW64\.

Any profapi.dll found in an application's installation directory is a definitive DLL search order hijack artifact. Its presence alone, before any hash comparison, is grounds for escalated investigation.

2

SHA-256 hash comparison with legitimate profapi.dll

Compute the SHA-256 hash of the suspicious profapi.dll found in the Process Lasso directory: certutil -hashfile "C:\Program Files\Process Lasso\profapi.dll" SHA256. The known malicious hash is 6ce7c98b384dbe444a916e7e6580288549eca501315114916c1ee1908b5afff8. A match confirms the Secure-Bzpass DLL. Also compare against the legitimate System32 copy: certutil -hashfile C:\Windows\System32\profapi.dll SHA256. The two hashes should differ — the System32 copy is the genuine Windows DLL; the Process Lasso copy is the hijack payload.

3

File size and creation date anomaly

Run dir "C:\Program Files\Process Lasso\profapi.dll" and compare the reported file size and creation timestamp against the genuine System32 copy. The legitimate profapi.dll in System32 for a given Windows build has a known size (typically 30–50 KB). A hijack DLL carrying a full bypass payload will be substantially larger. Additionally, the creation timestamp of the directory-local copy will reflect when the bypass was installed, not when Windows was installed — it will not align with the ages of other System32 DLLs.

4

Process Lasso process inspection in System Informer

While Process Lasso is running, open System Informer with administrator privileges. Locate the ProcessLasso.exe or ProcLasso.exe process and open its Properties. Navigate to the Modules tab and inspect the list of loaded DLLs. The entry for profapi.dll will show its full load path. If the path reads C:\Program Files\Process Lasso\profapi.dll rather than C:\Windows\System32\profapi.dll, the hijack is confirmed as actively loaded in memory.

Also inspect the Strings content of the loaded module in memory for bypass-related keywords such as menu names, hotkey descriptions (Alt, F12), or cheat feature names. The malicious DLL's internal strings will differ substantially from the Windows Profile API export table.

5

Unload/destruct behavior — DLL persists after crash

When the bypass operator presses the unload or destruct control, the application will crash — the DLL is NOT deleted from disk despite the crash. This persistence is a deliberate design decision ensuring the DLL remains available for future use. Investigators should check the Process Lasso directory immediately after any reported crash to recover the artifact before the user can manually delete it.

6

DLL load event in Journal Trace

Examine the NTFS journal for file creation events in the Process Lasso directory. Run a Journal Trace scan or use fsutil usn readjournal C: csv and filter for entries matching the Process Lasso directory path and filename profapi.dll. The creation timestamp in the USN journal records when the file was first written to that directory, establishing an installation timeline independent of any metadata the file itself may carry.

DLL Search Order Hijacking in Process Lasso

Windows resolves DLL dependencies for a loaded executable by searching a defined sequence of directories. For most application configurations, the search order begins with the directory containing the application's own executable, then proceeds to the system directory (C:\Windows\System32), the Windows directory, and finally the directories listed in the PATH environment variable. This means any DLL placed in an application's folder will be loaded in preference to the identically-named DLL in System32.

profapi.dll is an export-minimal Windows library implementing a small number of Profile API functions. Process Lasso (or one of its dependencies) imports one or more of these functions, causing Windows to search for and load the DLL at startup. The bypass author writes a DLL that exports all required function names — forwarding each call through to the legitimate System32 copy via load-time forwarding or runtime GetProcAddress — while also executing its own initialization code in DllMain when the DLL is first mapped.

The critical detection artifact from this mechanism is that the hijack DLL must exist on disk in the application directory at the time of Process Lasso startup. Unlike injection techniques that write a payload to a temporary location and then delete it, the DLL must remain on disk persistently to be loaded on every Process Lasso start. Even after the bypass operator "destructs" their session, the file must be physically present for future use — guaranteeing a recoverable on-disk artifact at the known path.

Screenshare Check Methodology

1

List Process Lasso directory contents

Open a Command Prompt (elevated) and run dir "C:\Program Files\Process Lasso\" (adjust for the actual installation path if different). Share the output on screen. Look for profapi.dll in the listing. Its mere presence in this directory is the primary indicator — document the file size and date shown.

2

Hash the directory-local profapi.dll

Run certutil -hashfile "C:\Program Files\Process Lasso\profapi.dll" SHA256 on screen. Compare against the known malicious hash 6ce7c98b...ff8. Submit to VirusTotal live for multi-vendor detection results. Then run the same hash command against C:\Windows\System32\profapi.dll and show both hashes side by side to confirm they differ.

3

System Informer module list check

If Process Lasso is currently running, open System Informer as administrator, find the ProcessLasso process, go to Properties → Modules. Sort by path. Show the load path for profapi.dll on screen. If it reads from the Process Lasso install directory rather than System32, the hijack DLL is actively loaded in memory right now.

4

Journal Trace DLL creation entry

Run Journal Trace or fsutil usn readjournal C: csv > journal.csv. Filter the output for profapi.dll events within the Process Lasso directory path. The USN record will show when the file was created there, independent of any NTFS metadata that could have been altered. Present this timestamp alongside the BAM or Prefetch execution timeline for the bypass installer.

5

Verify no legitimate reason for directory-local profapi.dll

Check the official Process Lasso release notes and file manifest on Bitsum's website to confirm that no released version of Process Lasso ships with a bundled profapi.dll. This establishes that the file has no legitimate provenance in that location regardless of what the user claims about its origin. The only supported source for profapi.dll is a Windows installation.

Detection Notes

DLL search order hijacking is one of the most reliable persistence mechanisms for bypass detection because it requires a file to remain on disk permanently. Unlike injection techniques that can operate entirely in memory, the hijack DLL at C:\Program Files\Process Lasso\profapi.dll cannot be removed by the bypass at runtime without breaking its own loading mechanism. This gives investigators a guaranteed on-disk artifact to recover and hash.

The Alt+F12 hotkey trigger design means that in a screenshare context, the bypass DLL may be loaded in Process Lasso memory even if the FiveM-side injection has not yet been activated. Investigators should always check the System Informer module list while Process Lasso is running — the DLL is already present in memory from startup regardless of whether the hotkey has been pressed.

The specific SHA-256 hash 6ce7c98b384dbe444a916e7e6580288549eca501315114916c1ee1908b5afff8 applies to this build. As with all cheat tooling, developers may recompile to rotate hashes. Location-based detection — any non-System32 profapi.dll in an application directory — is the more durable signal and should be the primary detection criterion in all cases.