Overview

overview

10

Static

static

3

16f56ca085...27.exe

windows7-x64

10

16f56ca085...27.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    145s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    13/02/2024, 02:10

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    16f56ca085a00b71bffa13e08c4f347dc5197b906944515a32bfd13ae640a627.exe

  • Size

    4.7MB

  • MD5

    60157113df45b340ae4289ef5cf808e5

  • SHA1

    8320d8fcbfc6c2cd27e16d06c088ef59a4d3fb4d

  • SHA256

    16f56ca085a00b71bffa13e08c4f347dc5197b906944515a32bfd13ae640a627

  • SHA512

    8e3c89caed9725f6dc62aef733b47ecf401edd0f3a38606d41976bf357b3ee3178c190a0e8e43532b41f4dcc675dbb06ff6af3ab86b1eb40ad99c56fb7ac5aa4

  • SSDEEP

    98304:jnSp97reQxLyCK+PaUyaTjAXqr8KKnoDSHmYH3AOb:G7veX5+PPvJInocmYHV

Score
10/10
zgratpersistenceratspywarestealer

Malware Config

Signatures

  • Detect ZGRat V1 4 IoCs
  • Modifies WinLogon for persistence 2 TTPs 5 IoCs
    persistence
  • Process spawned unexpected child process 15 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • ZGRat

    ZGRat is remote access trojan written in C#.

    ratzgrat
  • Detects executables packed with unregistered version of .NET Reactor 4 IoCs
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 10 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 15 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 20 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\16f56ca085a00b71bffa13e08c4f347dc5197b906944515a32bfd13ae640a627.exe
    "C:\Users\Admin\AppData\Local\Temp\16f56ca085a00b71bffa13e08c4f347dc5197b906944515a32bfd13ae640a627.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2268
    • C:\Users\Admin\AppData\Local\Temp\shellbag_analyzer_cleaner.exe
      "C:\Users\Admin\AppData\Local\Temp\shellbag_analyzer_cleaner.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:312
    • C:\Users\Admin\AppData\Local\Temp\RustChecker.exe
      "C:\Users\Admin\AppData\Local\Temp\RustChecker.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:3048
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\bridgefontcrtdll\wPjFiIVpIfwoCHWJV1wauVn1OwZVrkHqDOLf7y3aCxBLv.vbe"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2852
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c ""C:\bridgefontcrtdll\lvXegSw701s9qGIHKiI10aezAmDjP5D9Pc.bat" "
          4⤵
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:2380
          • C:\bridgefontcrtdll\BridgehyperRuntime.exe
            "C:\bridgefontcrtdll/BridgehyperRuntime.exe"
            5⤵
            • Modifies WinLogon for persistence
            • Executes dropped EXE
            • Adds Run key to start application
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2604
            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
              "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gq0pquyg\gq0pquyg.cmdline"
              6⤵
              • Drops file in System32 directory
              • Suspicious use of WriteProcessMemory
              PID:1052
              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9B55.tmp" "c:\Windows\System32\CSC3C06C703AC9F4BE78BD8C3C1399A5474.TMP"
                7⤵
                  PID:2012
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
                6⤵
                • Suspicious use of AdjustPrivilegeToken
                PID:780
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
                6⤵
                • Suspicious use of AdjustPrivilegeToken
                PID:2284
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Uninstall Information\csrss.exe'
                6⤵
                • Suspicious use of AdjustPrivilegeToken
                PID:2304
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\services.exe'
                6⤵
                • Suspicious use of AdjustPrivilegeToken
                PID:912
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\7fa09f22-9ba8-11ee-8a6f-e96ea47544f1\System.exe'
                6⤵
                • Suspicious use of AdjustPrivilegeToken
                PID:1616
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\addins\dwm.exe'
                6⤵
                • Suspicious use of AdjustPrivilegeToken
                PID:1612
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Microsoft Help\wininit.exe'
                6⤵
                • Suspicious use of AdjustPrivilegeToken
                PID:1564
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
                6⤵
                • Suspicious use of AdjustPrivilegeToken
                PID:2412
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
                6⤵
                • Suspicious use of AdjustPrivilegeToken
                PID:1560
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
                6⤵
                • Suspicious use of AdjustPrivilegeToken
                PID:1108
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
                6⤵
                • Suspicious use of AdjustPrivilegeToken
                PID:1932
              • C:\Windows\System32\cmd.exe
                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2GPe5cQ011.bat"
                6⤵
                  PID:1592
                  • C:\Windows\system32\chcp.com
                    chcp 65001
                    7⤵
                      PID:1140
                    • C:\Windows\system32\w32tm.exe
                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                      7⤵
                        PID:2016
                      • C:\Windows\addins\dwm.exe
                        "C:\Windows\addins\dwm.exe"
                        7⤵
                        • Executes dropped EXE
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of SetWindowsHookEx
                        PID:2692
                        • C:\Windows\system32\WerFault.exe
                          C:\Windows\system32\WerFault.exe -u -p 2692 -s 556
                          8⤵
                            PID:1520
                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
                        6⤵
                        • Suspicious use of AdjustPrivilegeToken
                        PID:964
                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
                        6⤵
                        • Suspicious use of AdjustPrivilegeToken
                        PID:1036
                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
                        6⤵
                        • Suspicious use of AdjustPrivilegeToken
                        PID:1744
                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
                        6⤵
                        • Suspicious use of AdjustPrivilegeToken
                        PID:1536
                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/bridgefontcrtdll/'
                        6⤵
                        • Suspicious use of AdjustPrivilegeToken
                        PID:1768
                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
                        6⤵
                        • Suspicious use of AdjustPrivilegeToken
                        PID:332
                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
                        6⤵
                        • Suspicious use of AdjustPrivilegeToken
                        PID:1384
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Microsoft Help\wininit.exe'" /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:860
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft Help\wininit.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:2772
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Microsoft Help\wininit.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:2800
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Windows\addins\dwm.exe'" /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:2952
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\addins\dwm.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:2784
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Windows\addins\dwm.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:2120
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Recovery\7fa09f22-9ba8-11ee-8a6f-e96ea47544f1\System.exe'" /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:2104
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\7fa09f22-9ba8-11ee-8a6f-e96ea47544f1\System.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:1912
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Recovery\7fa09f22-9ba8-11ee-8a6f-e96ea47544f1\System.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:1652
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\services.exe'" /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:2052
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:2552
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:1092
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Uninstall Information\csrss.exe'" /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:2756
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Uninstall Information\csrss.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:2988
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Uninstall Information\csrss.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:1936

            Network

                  MITRE ATT&CK Enterprise v15

                  Replay Monitor

                  Loading Replay Monitor...

                  Downloads

                  • C:\Users\Admin\AppData\Local\Temp\2GPe5cQ011.bat
                    Filesize

                    201B

                    MD5

                    c162961bb68d703de0938528d7cff6ff

                    SHA1

                    04f657e9e22764bc0481380b6bc0e7b606c67118

                    SHA256

                    3877a8f8abe1c915c2eeeccc5744e6b3436b72362158eb7702f2fc26a8ea852d

                    SHA512

                    3a8f98a822c86e9c635645dd0a0c52def8f322c12239f8d4c35938abf702d8bd123e5ca2b2b32243f25c7a7132a65141878e77a3e86dce4b90b4703db69959ac

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\RES9B55.tmp
                    Filesize

                    1KB

                    MD5

                    ac919b863678b66dc2f7bbfbc88dad0c

                    SHA1

                    098b247433ddbb39cf7b171a2ff845eb8861487f

                    SHA256

                    2c749c29e834a4200242dc1d5eba93194c8249e26db80e373f7e2f0ae2546256

                    SHA512

                    f0a2f30e876862a22259c80ffded70d305d00635b909cdea41bf55800bfa22181985a1aaa3dd981623e00caa7b56036aff20af92d60aeb9d27d52a1a64bea6df

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\RustChecker.exe
                    Filesize

                    896KB

                    MD5

                    f881e7b751a2ebd1ef6d139a1f5b69cf

                    SHA1

                    8283eacb4f5deb928b1be3a1b133147a591e69ee

                    SHA256

                    491774ecdfd6caa863dafa15929bd635fac75c4c0a623ccd96af7168ba6cbc30

                    SHA512

                    9472423086af5d77e41b7e59189038f069133c75e87e71bf559c79e684a7e0653eb1123fde406f0a39c72f13b77c75ba4080711675230ad3b47babc3a3812ed1

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\RustChecker.exe
                    Filesize

                    2.9MB

                    MD5

                    e6cceabc72536416d22a0b52ecc69a44

                    SHA1

                    9028ace295214fd39b3ce6686add958040bd51af

                    SHA256

                    459938b103b9258da410f87b617176e9fca8db2defe8ed09213fb89fd29e1614

                    SHA512

                    eafba8505346ee9f73ea9f936a3e18239ec68f48b946fcf68494b9938bcf6ac8da314db27bd4a8046fa0d3e95120ec4be5506c224370c5968c42f95e9919450c

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
                    Filesize

                    7KB

                    MD5

                    9c56aa8109f4e427948df8da3d68cf51

                    SHA1

                    ff9216d438719468777944b29d373e75be871d41

                    SHA256

                    c5e745858d4b0ccf9d71cf28c6db8e41f28b7ea46832c08bc8ac0547579a8228

                    SHA512

                    eb4277b4dcd27f2bb376556d55c1854e35ae60b9542615c97c009d8ee49d98448ee3353ad7063a478a3461e7998b5492abbc88e2ffe42d25329e7f7f9c16dca6

                    Download Submit

                  • C:\Windows\addins\dwm.exe
                    Filesize

                    896KB

                    MD5

                    e3e3dbcc826abd3a6923e959b3800541

                    SHA1

                    e8d7e4000a7644266f6a5760c02b471382a8d16f

                    SHA256

                    ba958a53aa63c72587e21eb356d788aeeecc8546ef01d9415cf59f8bb03742bd

                    SHA512

                    def80cb379515f0a808f4e89e5752b905c37aba569fbfc1016dbe2abdd067587e966254447835d48f573419ee8f2c025bfa56bd6390c01802d90b88b2058c186

                    Download Submit

                  • C:\Windows\addins\dwm.exe
                    Filesize

                    768KB

                    MD5

                    4c5eeda9ae95ab286585cdfe7abc3c6a

                    SHA1

                    6a74e80b0e047d2ff0092cef0812b3c6c93c3418

                    SHA256

                    49178ee7c761fdb449d618e2076bfbc69af983611770d17e027749dccb2234c9

                    SHA512

                    26f7510b495cb2e7bf5569c24a6763d0ed6454c3d022b54fe7051fd5f7b2ab7c10e3fdfdcf994e6c5dc555b6533f133bf6d6682efc78d82f04e4599ebedbf040

                    Download Submit

                  • C:\bridgefontcrtdll\lvXegSw701s9qGIHKiI10aezAmDjP5D9Pc.bat
                    Filesize

                    95B

                    MD5

                    1d298897f2f7121e43dece41ed8d2dab

                    SHA1

                    a34c38d5a4b4e8277b91ae27648f818e8f5c1994

                    SHA256

                    f046e83f31082e4f932d7951efaff77f7c1767e37fd91014dce506638c4d851c

                    SHA512

                    2ce008ae14d7b79e9f9559d774e882c8eedc722c0883a226102c9876bf7835d5a4773cda1d2abe8475736260f23f06406fc1dd8e902d144f4b81fdec9ded0eb3

                    Download Submit

                  • C:\bridgefontcrtdll\wPjFiIVpIfwoCHWJV1wauVn1OwZVrkHqDOLf7y3aCxBLv.vbe
                    Filesize

                    228B

                    MD5

                    2a0f6e3e6cb77e323e5bb58bab2eaf03

                    SHA1

                    fa4495376fcda2771c6ad7d25a0ddcf5230da47a

                    SHA256

                    b1cca3e054bcc3ab7bffcecdec08e3759fa1327a3e07e3300a46363b47d12aa5

                    SHA512

                    eaf6514c70146d91607339ac71fbf7e99a474c84d383bb3a8b7d2f183ca12f8da9b9b43d42915a3f2d52adcd0e83801c0ea46030148a20d0f0f42c0e3932c7d6

                    Download Submit

                  • \??\c:\Users\Admin\AppData\Local\Temp\gq0pquyg\gq0pquyg.0.cs
                    Filesize

                    377B

                    MD5

                    dca840f76ecd26bea8fdae104d414a55

                    SHA1

                    68c4ed4bed7125364eae054e99b1e9cf0ee6bc7d

                    SHA256

                    1e26beb15cd4d9c52fc9ce88557d1e95053e8c3845ad83546b9000b5df589a77

                    SHA512

                    c2bf1ed4def798592f363aa82da445f8a45ed894e4b434b0ed11713d93820efa2ce21bf395e61631146d1467cc2beb467ea7a3fa6f0814a892655596a8206d9b

                    Download Submit

                  • \??\c:\Users\Admin\AppData\Local\Temp\gq0pquyg\gq0pquyg.cmdline
                    Filesize

                    235B

                    MD5

                    18f73111b61ae66e808f06b99bb2c3b9

                    SHA1

                    6788147e574fe24b23ab1d203e058668f199ed15

                    SHA256

                    00caeea951464cb329fcb3f2102fcf699e34f1f8f926a951698010d03bf1b837

                    SHA512

                    bea72cf4abe7e4be9ee7a7f74bf3f14e717bf6627273e2a59af8878c9f0d789c41f1dbacf94ac67feff9660b20d61ea238d0e07f89c76943a0750230aaf60c7e

                    Download Submit

                  • \??\c:\Windows\System32\CSC3C06C703AC9F4BE78BD8C3C1399A5474.TMP
                    Filesize

                    1KB

                    MD5

                    be2c0c12ae0811c909259a9ef7faaac6

                    SHA1

                    002bac0233c2db332d9e2b17fdc32dc8e6139350

                    SHA256

                    eee9beb7acf4ae34d0b4bc1c136a9abd1c625d5a2c1eccdb14ceedab91adca3a

                    SHA512

                    db719e3a4f86d6384d31cecc0c1ce4525690d2cdbd315a699dbba6481a55c3b60cdb4f07029f956c4f1f116c1a2b72191036c7c5da8a07d9a12606e69b1eec88

                    Download Submit

                  • \Users\Admin\AppData\Local\Temp\RustChecker.exe
                    Filesize

                    576KB

                    MD5

                    e88a7af6cc90c540247700f43d527ba2

                    SHA1

                    04d91ffee3c1b21e4f7bd83aa48323a6f237d154

                    SHA256

                    823406e9f9023b545ed5783e051401570bb86c39537fd8c5a4bc35886a41c37b

                    SHA512

                    f7a7b45c017e02b8be0e485b657854d13b5e8ade8ce64799042e42320e21429c2d1e0e7452e23f83b4d8578897d0fde4a5a710c56750dcb5970d0958f0aa3069

                    Download Submit

                  • \Users\Admin\AppData\Local\Temp\shellbag_analyzer_cleaner.exe
                    Filesize

                    1.6MB

                    MD5

                    463058236a0d84f8f8982d946eed0e07

                    SHA1

                    800ab71ed3b3bf4fb67fc9e1628e59d0aab8b124

                    SHA256

                    c93a0f4c6b5f24ee31cddb92b0ea3337021b5fb91faae8a381d3bd2c9b6add54

                    SHA512

                    18bd9aea8489c5e873a679da92c83d2739de9532f5751bd23aea9eda226b9a95909f8fd525b0ce47859492997002aee32ecf37bb79e07f24b512287b8fd58a53

                    Download Submit

                  • \bridgefontcrtdll\BridgehyperRuntime.exe
                    Filesize

                    2.8MB

                    MD5

                    d2d13edddeb8fefb36b61edf6a0d2c07

                    SHA1

                    0cc1dfd5e0de92fb501d1b50e9661253ad45a3ec

                    SHA256

                    939daf4ced81c64fcc4bcfa3e5f3c12b1af3a78fbb2b84af09b00ce482f2f54c

                    SHA512

                    9484be7e78f614328165477cd649a448c8c1257b101183ca94a54811d8b5869436ef962ffe04b5cd4f044c525b571038ca93cfe2e6830cfb2bdc186af77c4270

                    Download Submit

                  • memory/312-34-0x0000000000400000-0x0000000000572000-memory.dmp

                    Filesize

                    1.4MB

                    Download

                  • memory/312-6-0x0000000000230000-0x0000000000231000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/312-38-0x0000000000230000-0x0000000000231000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/312-9-0x0000000000400000-0x0000000000572000-memory.dmp

                    Filesize

                    1.4MB

                    Download

                  • memory/312-10-0x0000000000400000-0x0000000000572000-memory.dmp

                    Filesize

                    1.4MB

                    Download

                  • memory/312-12-0x0000000000400000-0x0000000000572000-memory.dmp

                    Filesize

                    1.4MB

                    Download

                  • memory/1384-219-0x000007FEED100000-0x000007FEEDA9D000-memory.dmp

                    Filesize

                    9.6MB

                    Download

                  • memory/1536-203-0x000000001B350000-0x000000001B632000-memory.dmp

                    Filesize

                    2.9MB

                    Download

                  • memory/1536-213-0x0000000001DC0000-0x0000000001DC8000-memory.dmp

                    Filesize

                    32KB

                    Download

                  • memory/1536-218-0x00000000029B0000-0x0000000002A30000-memory.dmp

                    Filesize

                    512KB

                    Download

                  • memory/1536-214-0x000007FEED100000-0x000007FEEDA9D000-memory.dmp

                    Filesize

                    9.6MB

                    Download

                  • memory/1536-215-0x00000000029B0000-0x0000000002A30000-memory.dmp

                    Filesize

                    512KB

                    Download

                  • memory/1536-216-0x00000000029B0000-0x0000000002A30000-memory.dmp

                    Filesize

                    512KB

                    Download

                  • memory/1536-217-0x00000000029B0000-0x0000000002A30000-memory.dmp

                    Filesize

                    512KB

                    Download

                  • memory/2268-17-0x0000000000400000-0x00000000008B3000-memory.dmp

                    Filesize

                    4.7MB

                    Download

                  • memory/2604-69-0x000000001B200000-0x000000001B280000-memory.dmp

                    Filesize

                    512KB

                    Download

                  • memory/2604-93-0x000000001B200000-0x000000001B280000-memory.dmp

                    Filesize

                    512KB

                    Download

                  • memory/2604-60-0x000007FEF5BB0000-0x000007FEF659C000-memory.dmp

                    Filesize

                    9.9MB

                    Download

                  • memory/2604-59-0x0000000000A30000-0x0000000000A3E000-memory.dmp

                    Filesize

                    56KB

                    Download

                  • memory/2604-61-0x00000000775D0000-0x00000000775D1000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/2604-64-0x000000001B200000-0x000000001B280000-memory.dmp

                    Filesize

                    512KB

                    Download

                  • memory/2604-65-0x00000000775C0000-0x00000000775C1000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/2604-66-0x00000000775B0000-0x00000000775B1000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/2604-63-0x0000000000A40000-0x0000000000A4C000-memory.dmp

                    Filesize

                    48KB

                    Download

                  • memory/2604-68-0x0000000000AD0000-0x0000000000AE0000-memory.dmp

                    Filesize

                    64KB

                    Download

                  • memory/2604-57-0x00000000775E0000-0x00000000775E1000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/2604-70-0x00000000775A0000-0x00000000775A1000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/2604-72-0x0000000000C90000-0x0000000000CA6000-memory.dmp

                    Filesize

                    88KB

                    Download

                  • memory/2604-73-0x000000001B200000-0x000000001B280000-memory.dmp

                    Filesize

                    512KB

                    Download

                  • memory/2604-76-0x0000000000CB0000-0x0000000000CC2000-memory.dmp

                    Filesize

                    72KB

                    Download

                  • memory/2604-74-0x0000000077590000-0x0000000077591000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/2604-78-0x0000000000AE0000-0x0000000000AEE000-memory.dmp

                    Filesize

                    56KB

                    Download

                  • memory/2604-80-0x0000000000AF0000-0x0000000000AFC000-memory.dmp

                    Filesize

                    48KB

                    Download

                  • memory/2604-82-0x0000000000DD0000-0x0000000000DDE000-memory.dmp

                    Filesize

                    56KB

                    Download

                  • memory/2604-84-0x0000000000F00000-0x0000000000F18000-memory.dmp

                    Filesize

                    96KB

                    Download

                  • memory/2604-86-0x0000000000EE0000-0x0000000000EEC000-memory.dmp

                    Filesize

                    48KB

                    Download

                  • memory/2604-87-0x0000000077530000-0x0000000077531000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/2604-89-0x000000001A9F0000-0x000000001AA3E000-memory.dmp

                    Filesize

                    312KB

                    Download

                  • memory/2604-90-0x000000001B200000-0x000000001B280000-memory.dmp

                    Filesize

                    512KB

                    Download

                  • memory/2604-92-0x000000001B200000-0x000000001B280000-memory.dmp

                    Filesize

                    512KB

                    Download

                  • memory/2604-56-0x0000000000A20000-0x0000000000A2C000-memory.dmp

                    Filesize

                    48KB

                    Download

                  • memory/2604-91-0x000000001B200000-0x000000001B280000-memory.dmp

                    Filesize

                    512KB

                    Download

                  • memory/2604-106-0x000000001B200000-0x000000001B280000-memory.dmp

                    Filesize

                    512KB

                    Download

                  • memory/2604-108-0x000000001B200000-0x000000001B280000-memory.dmp

                    Filesize

                    512KB

                    Download

                  • memory/2604-109-0x000000001B200000-0x000000001B280000-memory.dmp

                    Filesize

                    512KB

                    Download

                  • memory/2604-111-0x000000001B200000-0x000000001B280000-memory.dmp

                    Filesize

                    512KB

                    Download

                  • memory/2604-110-0x000000001B200000-0x000000001B280000-memory.dmp

                    Filesize

                    512KB

                    Download

                  • memory/2604-54-0x00000000775F0000-0x00000000775F1000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/2604-53-0x00000000005A0000-0x00000000005AE000-memory.dmp

                    Filesize

                    56KB

                    Download

                  • memory/2604-51-0x0000000000590000-0x00000000005A0000-memory.dmp

                    Filesize

                    64KB

                    Download

                  • memory/2604-49-0x0000000077600000-0x0000000077601000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/2604-121-0x000000001B200000-0x000000001B280000-memory.dmp

                    Filesize

                    512KB

                    Download

                  • memory/2604-122-0x000000001B200000-0x000000001B280000-memory.dmp

                    Filesize

                    512KB

                    Download

                  • memory/2604-48-0x0000000077610000-0x0000000077611000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/2604-142-0x000007FEF5BB0000-0x000007FEF659C000-memory.dmp

                    Filesize

                    9.9MB

                    Download

                  • memory/2604-45-0x0000000077620000-0x0000000077621000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/2604-47-0x0000000000A00000-0x0000000000A18000-memory.dmp

                    Filesize

                    96KB

                    Download

                  • memory/2604-44-0x00000000009E0000-0x00000000009FC000-memory.dmp

                    Filesize

                    112KB

                    Download

                  • memory/2604-42-0x000000001B200000-0x000000001B280000-memory.dmp

                    Filesize

                    512KB

                    Download

                  • memory/2604-40-0x0000000077630000-0x0000000077631000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/2604-41-0x0000000000580000-0x000000000058E000-memory.dmp

                    Filesize

                    56KB

                    Download

                  • memory/2604-37-0x000000001B200000-0x000000001B280000-memory.dmp

                    Filesize

                    512KB

                    Download

                  • memory/2604-36-0x0000000000330000-0x0000000000331000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/2604-35-0x000000001B200000-0x000000001B280000-memory.dmp

                    Filesize

                    512KB

                    Download

                  • memory/2604-33-0x000007FEF5BB0000-0x000007FEF659C000-memory.dmp

                    Filesize

                    9.9MB

                    Download

                  • memory/2604-32-0x0000000000FA0000-0x000000000126E000-memory.dmp

                    Filesize

                    2.8MB

                    Download