Overview

overview

10

Static

static

3

16f56ca085...27.exe

windows7-x64

10

16f56ca085...27.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    144s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13-02-2024 02:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    16f56ca085a00b71bffa13e08c4f347dc5197b906944515a32bfd13ae640a627.exe

  • Size

    4.7MB

  • MD5

    60157113df45b340ae4289ef5cf808e5

  • SHA1

    8320d8fcbfc6c2cd27e16d06c088ef59a4d3fb4d

  • SHA256

    16f56ca085a00b71bffa13e08c4f347dc5197b906944515a32bfd13ae640a627

  • SHA512

    8e3c89caed9725f6dc62aef733b47ecf401edd0f3a38606d41976bf357b3ee3178c190a0e8e43532b41f4dcc675dbb06ff6af3ab86b1eb40ad99c56fb7ac5aa4

  • SSDEEP

    98304:jnSp97reQxLyCK+PaUyaTjAXqr8KKnoDSHmYH3AOb:G7veX5+PPvJInocmYHV

Score
10/10
zgratpersistencerat

Malware Config

Signatures

  • Detect ZGRat V1 3 IoCs
  • Modifies WinLogon for persistence 2 TTPs 5 IoCs
    persistence
  • Process spawned unexpected child process 15 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • ZGRat

    ZGRat is remote access trojan written in C#.

    ratzgrat
  • Detects executables packed with unregistered version of .NET Reactor 3 IoCs
  • Checks computer location settings 2 TTPs 4 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 10 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 15 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies registry class 2 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 20 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 62 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\16f56ca085a00b71bffa13e08c4f347dc5197b906944515a32bfd13ae640a627.exe
    "C:\Users\Admin\AppData\Local\Temp\16f56ca085a00b71bffa13e08c4f347dc5197b906944515a32bfd13ae640a627.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3248
    • C:\Users\Admin\AppData\Local\Temp\shellbag_analyzer_cleaner.exe
      "C:\Users\Admin\AppData\Local\Temp\shellbag_analyzer_cleaner.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2956
    • C:\Users\Admin\AppData\Local\Temp\RustChecker.exe
      "C:\Users\Admin\AppData\Local\Temp\RustChecker.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:1124
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\bridgefontcrtdll\wPjFiIVpIfwoCHWJV1wauVn1OwZVrkHqDOLf7y3aCxBLv.vbe"
        3⤵
        • Checks computer location settings
        • Suspicious use of WriteProcessMemory
        PID:1592
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\bridgefontcrtdll\lvXegSw701s9qGIHKiI10aezAmDjP5D9Pc.bat" "
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:3868
          • C:\bridgefontcrtdll\BridgehyperRuntime.exe
            "C:\bridgefontcrtdll/BridgehyperRuntime.exe"
            5⤵
            • Modifies WinLogon for persistence
            • Checks computer location settings
            • Executes dropped EXE
            • Adds Run key to start application
            • Drops file in Windows directory
            • Modifies registry class
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:4660
            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
              "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\naxecqxf\naxecqxf.cmdline"
              6⤵
              • Drops file in System32 directory
              • Suspicious use of WriteProcessMemory
              PID:3528
              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB9DA.tmp" "c:\Windows\System32\CSC8E5AFAEF58DD4DAD9679D33AAF8D1422.TMP"
                7⤵
                  PID:3356
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
                6⤵
                • Suspicious use of AdjustPrivilegeToken
                PID:4052
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
                6⤵
                • Suspicious use of AdjustPrivilegeToken
                PID:1304
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "powershell" -Command Add-MpPreference -ExclusionPath 'C:/bridgefontcrtdll/'
                6⤵
                • Suspicious use of AdjustPrivilegeToken
                PID:3936
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
                6⤵
                • Suspicious use of AdjustPrivilegeToken
                PID:3780
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\Idle.exe'
                6⤵
                • Suspicious use of AdjustPrivilegeToken
                PID:1060
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\twain_32\spoolsv.exe'
                6⤵
                • Suspicious use of AdjustPrivilegeToken
                PID:4920
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Branding\shellbrd\BridgehyperRuntime.exe'
                6⤵
                • Suspicious use of AdjustPrivilegeToken
                PID:1760
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "powershell" -Command Add-MpPreference -ExclusionPath 'C:\bridgefontcrtdll\conhost.exe'
                6⤵
                • Suspicious use of AdjustPrivilegeToken
                PID:2640
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\cmd.exe'
                6⤵
                • Suspicious use of AdjustPrivilegeToken
                PID:760
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
                6⤵
                • Suspicious use of AdjustPrivilegeToken
                PID:4240
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
                6⤵
                • Suspicious use of AdjustPrivilegeToken
                PID:4352
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
                6⤵
                • Suspicious use of AdjustPrivilegeToken
                PID:3028
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
                6⤵
                • Suspicious use of AdjustPrivilegeToken
                PID:4360
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
                6⤵
                • Suspicious use of AdjustPrivilegeToken
                PID:4332
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
                6⤵
                • Suspicious use of AdjustPrivilegeToken
                PID:1520
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
                6⤵
                • Suspicious use of AdjustPrivilegeToken
                PID:2448
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
                6⤵
                • Suspicious use of AdjustPrivilegeToken
                PID:1300
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "powershell" -Command Add-MpPreference -ExclusionPath 'C:/odt/'
                6⤵
                • Suspicious use of AdjustPrivilegeToken
                PID:3584
              • C:\Windows\System32\cmd.exe
                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GntR4IXwTC.bat"
                6⤵
                • Suspicious use of WriteProcessMemory
                PID:2272
                • C:\Windows\system32\chcp.com
                  chcp 65001
                  7⤵
                    PID:904
                  • C:\Windows\system32\PING.EXE
                    ping -n 10 localhost
                    7⤵
                    • Runs ping.exe
                    PID:5392
                  • C:\Recovery\WindowsRE\cmd.exe
                    "C:\Recovery\WindowsRE\cmd.exe"
                    7⤵
                    • Executes dropped EXE
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of SetWindowsHookEx
                    PID:5864
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\cmd.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:5040
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\cmd.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:3128
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\cmd.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2672
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\bridgefontcrtdll\conhost.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:3876
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\bridgefontcrtdll\conhost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:4980
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\bridgefontcrtdll\conhost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1504
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "BridgehyperRuntimeB" /sc MINUTE /mo 5 /tr "'C:\Windows\Branding\shellbrd\BridgehyperRuntime.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2972
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "BridgehyperRuntime" /sc ONLOGON /tr "'C:\Windows\Branding\shellbrd\BridgehyperRuntime.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2400
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "BridgehyperRuntimeB" /sc MINUTE /mo 7 /tr "'C:\Windows\Branding\shellbrd\BridgehyperRuntime.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:4080
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Windows\twain_32\spoolsv.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2324
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\twain_32\spoolsv.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1700
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Windows\twain_32\spoolsv.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:4064
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:4108
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1424
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:3920

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
        Filesize

        2KB

        MD5

        d85ba6ff808d9e5444a4b369f5bc2730

        SHA1

        31aa9d96590fff6981b315e0b391b575e4c0804a

        SHA256

        84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

        SHA512

        8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        944B

        MD5

        59d97011e091004eaffb9816aa0b9abd

        SHA1

        1602a56b01dd4b7c577ca27d3117e4bcc1aa657b

        SHA256

        18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d

        SHA512

        d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        944B

        MD5

        bd5940f08d0be56e65e5f2aaf47c538e

        SHA1

        d7e31b87866e5e383ab5499da64aba50f03e8443

        SHA256

        2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

        SHA512

        c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        944B

        MD5

        3a6bad9528f8e23fb5c77fbd81fa28e8

        SHA1

        f127317c3bc6407f536c0f0600dcbcf1aabfba36

        SHA256

        986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

        SHA512

        846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        944B

        MD5

        61e06aa7c42c7b2a752516bcbb242cc1

        SHA1

        02c54f8b171ef48cad21819c20b360448418a068

        SHA256

        5bb0254e8f0220caab64dcc785f432820350471bfcdcb98240c3e0e71a709f5d

        SHA512

        03731f49999ec895370100a4dfeee674bbe5baa50d82007256e6914c323412eef8936b320d2738774758fbbfd76d4c3d391d9e144e65587eba700d98d0362346

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        944B

        MD5

        c2ce5f364d6f19da44a34ce23f13e28b

        SHA1

        a7fc544cc9e62c759c0b0aeaecf324d7196a127e

        SHA256

        443840750cfcd34c23063c9d38b9755b6dbc690ac63f32bb220ab61d19766dbb

        SHA512

        fc9dbbdfc8d951c4b1cf9bc68a02340f6929c1796c8318f5b740892beb25a80af4201b18f5bf27ecb512bf9a840fd0e81b868b4c1ae2e9d85992dfc12c1cb1e6

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        944B

        MD5

        293a5e452e148112857e22e746feff34

        SHA1

        7a5018bf98a3e38970809531288a7e3efb979532

        SHA256

        05e48657fb5340817f522c955b379cfb639977480af3ab1414682e9bf6616551

        SHA512

        7332f2b22f4ab64bb67c1a493f7cf2b378e311d5be6c6c99339210d4e9022c17f01a698333cd679a0776cca23460e28ec88c2ccfcf50c732ee218ef25ab19049

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        944B

        MD5

        60804e808a88131a5452fed692914a8e

        SHA1

        fdb74669923b31d573787fe024dbd701fa21bb5b

        SHA256

        064fdd6e9e6e7f51da354604a56f66217f1edfc12d9bbbaf869a628915a86a61

        SHA512

        d4f2791433c0bacd8cad57b40fab4a807db4dd74f7c5357d2bce9aaa6544f97667497307d1e0704b98e2c99a94775fbb6ea676685a01578e4d0304f541c9854a

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        944B

        MD5

        5f0ddc7f3691c81ee14d17b419ba220d

        SHA1

        f0ef5fde8bab9d17c0b47137e014c91be888ee53

        SHA256

        a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

        SHA512

        2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\GntR4IXwTC.bat
        Filesize

        157B

        MD5

        f8afd77cf2eea57d952bd6222513cb56

        SHA1

        03ce03c869df4f435288c130239c13cc68a919e9

        SHA256

        7734b61c8a2c0c12bb33d2b0989a64137ed427d6c68560e3502c38cc74edc192

        SHA512

        47fcc4482bf85e18d89452666ff64dde4cdca8be25f99baeba57d47bb835a18a81d017786635aefc76f402e9bd3e2621922e7e178ded05784dca0decd87066d9

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\RESB9DA.tmp
        Filesize

        1KB

        MD5

        876d2e2915a3688d5f7786ae4f9dd00f

        SHA1

        2b76b0c164a90a3eab37f5440863a83104e88ada

        SHA256

        1de22b016b1a29a0197211a932991543d8aff29bab22b2f211ba22c20940c16b

        SHA512

        b54321dc3535d569b767b6941f6980d74c4573c6abfe750c0fda11f3debdf1ec49b15c8b71a8e05f8c59a867b59f6933691460a58eefd21976dc1b889d57de92

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\RustChecker.exe
        Filesize

        2.9MB

        MD5

        e6cceabc72536416d22a0b52ecc69a44

        SHA1

        9028ace295214fd39b3ce6686add958040bd51af

        SHA256

        459938b103b9258da410f87b617176e9fca8db2defe8ed09213fb89fd29e1614

        SHA512

        eafba8505346ee9f73ea9f936a3e18239ec68f48b946fcf68494b9938bcf6ac8da314db27bd4a8046fa0d3e95120ec4be5506c224370c5968c42f95e9919450c

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ng1ye2jv.mhn.ps1
        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\shellbag_analyzer_cleaner.exe
        Filesize

        1.6MB

        MD5

        463058236a0d84f8f8982d946eed0e07

        SHA1

        800ab71ed3b3bf4fb67fc9e1628e59d0aab8b124

        SHA256

        c93a0f4c6b5f24ee31cddb92b0ea3337021b5fb91faae8a381d3bd2c9b6add54

        SHA512

        18bd9aea8489c5e873a679da92c83d2739de9532f5751bd23aea9eda226b9a95909f8fd525b0ce47859492997002aee32ecf37bb79e07f24b512287b8fd58a53

        Download Submit

      • C:\bridgefontcrtdll\BridgehyperRuntime.exe
        Filesize

        2.8MB

        MD5

        d2d13edddeb8fefb36b61edf6a0d2c07

        SHA1

        0cc1dfd5e0de92fb501d1b50e9661253ad45a3ec

        SHA256

        939daf4ced81c64fcc4bcfa3e5f3c12b1af3a78fbb2b84af09b00ce482f2f54c

        SHA512

        9484be7e78f614328165477cd649a448c8c1257b101183ca94a54811d8b5869436ef962ffe04b5cd4f044c525b571038ca93cfe2e6830cfb2bdc186af77c4270

        Download Submit

      • C:\bridgefontcrtdll\conhost.exe
        Filesize

        49KB

        MD5

        1b0e0bcd6885400902661bce2e465697

        SHA1

        edb964b96bbb94abee4101da65f4c900a0506d0a

        SHA256

        ab6c3868d9c6fddda0ef03cb0647dd062e5a65bfccb3daabf4c723ec4dd6b972

        SHA512

        66302488869f124ac15180fdf2e72988b8724d6201152dfbae2dee8d4f6828be1bc2dc996c7abd6f4cbe8516fc189b1408519a1677344793250965db7475c4f0

        Download Submit

      • C:\bridgefontcrtdll\lvXegSw701s9qGIHKiI10aezAmDjP5D9Pc.bat
        Filesize

        95B

        MD5

        1d298897f2f7121e43dece41ed8d2dab

        SHA1

        a34c38d5a4b4e8277b91ae27648f818e8f5c1994

        SHA256

        f046e83f31082e4f932d7951efaff77f7c1767e37fd91014dce506638c4d851c

        SHA512

        2ce008ae14d7b79e9f9559d774e882c8eedc722c0883a226102c9876bf7835d5a4773cda1d2abe8475736260f23f06406fc1dd8e902d144f4b81fdec9ded0eb3

        Download Submit

      • C:\bridgefontcrtdll\wPjFiIVpIfwoCHWJV1wauVn1OwZVrkHqDOLf7y3aCxBLv.vbe
        Filesize

        228B

        MD5

        2a0f6e3e6cb77e323e5bb58bab2eaf03

        SHA1

        fa4495376fcda2771c6ad7d25a0ddcf5230da47a

        SHA256

        b1cca3e054bcc3ab7bffcecdec08e3759fa1327a3e07e3300a46363b47d12aa5

        SHA512

        eaf6514c70146d91607339ac71fbf7e99a474c84d383bb3a8b7d2f183ca12f8da9b9b43d42915a3f2d52adcd0e83801c0ea46030148a20d0f0f42c0e3932c7d6

        Download Submit

      • \??\c:\Users\Admin\AppData\Local\Temp\naxecqxf\naxecqxf.0.cs
        Filesize

        361B

        MD5

        cb878ad07a4cc60734f4420f8e4fbbe7

        SHA1

        d96907dfdc7692fb76468b55be875b9e4c7762e0

        SHA256

        7e2228728f7a423fffae8e7221df778183f57ffd749f107608f52b2f13eb2915

        SHA512

        97477fd402448a852c1990534260a0b3ff4fd9b5a9d3428a54ef595ac46f098dcb53dbcc308501d1a548a8bb13d4cc84bf7fe1a4b62a63ae4c2eb1664c987e03

        Download Submit

      • \??\c:\Users\Admin\AppData\Local\Temp\naxecqxf\naxecqxf.cmdline
        Filesize

        235B

        MD5

        a37c605eb6b12918a01aaa4d62c97995

        SHA1

        42dc672ef1a55d7eb6b85c953679c7f3b216641f

        SHA256

        117089394f11445c75d787fd1d19f6aa3e7ded97780fe8a38ca5d7d29b4bf485

        SHA512

        cc462afb93613189e943d5110711ab9e647f8e3d552a553ecb4402adaca76915a05bf8f2fb7e735d64e73eecd09992511c05c6d0cfc3707f937815099585c34d

        Download Submit

      • \??\c:\Windows\System32\CSC8E5AFAEF58DD4DAD9679D33AAF8D1422.TMP
        Filesize

        1KB

        MD5

        777bcd22d151ee60e5d47e6d64652303

        SHA1

        dd4f4667b0f0af40207775c4bcded9824a0ed2c4

        SHA256

        8074749c2dc1f7b7d4fc8b2ec9a37df5785896651b836179b0a66e4d0ec10170

        SHA512

        71a09fd27e0a740b4a6b5229479ed62b542e201695d6b6402bda84d0efd2e3da96b142b9c2d8e5f78e2282f58ce4f871b6a92384bf7c4e4595107d9120debd43

        Download Submit

      • memory/1760-140-0x0000017D79780000-0x0000017D797A2000-memory.dmp

        Filesize

        136KB

        Download

      • memory/1760-138-0x0000017D795D0000-0x0000017D795E0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1760-135-0x00007FF977A00000-0x00007FF9784C1000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/1760-137-0x0000017D795D0000-0x0000017D795E0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2640-150-0x00007FF977A00000-0x00007FF9784C1000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/2956-52-0x00000000021F0000-0x00000000021F1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2956-48-0x0000000000400000-0x0000000000572000-memory.dmp

        Filesize

        1.4MB

        Download

      • memory/2956-16-0x00000000021F0000-0x00000000021F1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2956-17-0x0000000000400000-0x0000000000572000-memory.dmp

        Filesize

        1.4MB

        Download

      • memory/2956-19-0x0000000000400000-0x0000000000572000-memory.dmp

        Filesize

        1.4MB

        Download

      • memory/3248-21-0x0000000000400000-0x00000000008B3000-memory.dmp

        Filesize

        4.7MB

        Download

      • memory/4332-134-0x00000192D9B70000-0x00000192D9B80000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4332-133-0x00000192D9B70000-0x00000192D9B80000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4332-131-0x00007FF977A00000-0x00007FF9784C1000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4660-101-0x000000001B4B0000-0x000000001B4C0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4660-57-0x0000000000FB0000-0x0000000000FBE000-memory.dmp

        Filesize

        56KB

        Download

      • memory/4660-72-0x00000000029E0000-0x00000000029F0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4660-70-0x000000001B4B0000-0x000000001B4C0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4660-74-0x00007FF994120000-0x00007FF994121000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4660-76-0x000000001B450000-0x000000001B466000-memory.dmp

        Filesize

        88KB

        Download

      • memory/4660-77-0x00007FF994520000-0x00007FF9945DE000-memory.dmp

        Filesize

        760KB

        Download

      • memory/4660-79-0x000000001B470000-0x000000001B482000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4660-80-0x00007FF994110000-0x00007FF994111000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4660-81-0x000000001CCA0000-0x000000001D1C8000-memory.dmp

        Filesize

        5.2MB

        Download

      • memory/4660-84-0x00000000029F0000-0x00000000029FE000-memory.dmp

        Filesize

        56KB

        Download

      • memory/4660-82-0x00007FF994100000-0x00007FF994101000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4660-85-0x00007FF9940F0000-0x00007FF9940F1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4660-87-0x0000000002A00000-0x0000000002A0C000-memory.dmp

        Filesize

        48KB

        Download

      • memory/4660-90-0x000000001B490000-0x000000001B49E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/4660-88-0x00007FF9940E0000-0x00007FF9940E1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4660-91-0x00007FF9940D0000-0x00007FF9940D1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4660-93-0x000000001C790000-0x000000001C7A8000-memory.dmp

        Filesize

        96KB

        Download

      • memory/4660-96-0x00007FF994020000-0x00007FF994021000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4660-95-0x000000001B4A0000-0x000000001B4AC000-memory.dmp

        Filesize

        48KB

        Download

      • memory/4660-97-0x00007FF994010000-0x00007FF994011000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4660-99-0x000000001C800000-0x000000001C84E000-memory.dmp

        Filesize

        312KB

        Download

      • memory/4660-58-0x00007FF994170000-0x00007FF994171000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4660-100-0x000000001B4B0000-0x000000001B4C0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4660-102-0x000000001B4B0000-0x000000001B4C0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4660-103-0x000000001D5D0000-0x000000001D6D0000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/4660-105-0x000000001D5D0000-0x000000001D6D0000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/4660-73-0x00007FF994130000-0x00007FF994131000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4660-54-0x00007FF994180000-0x00007FF994181000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4660-55-0x0000000000FA0000-0x0000000000FB0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4660-120-0x000000001D5D0000-0x000000001D6D0000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/4660-51-0x00007FF994190000-0x00007FF994191000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4660-69-0x00007FF994140000-0x00007FF994141000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4660-67-0x00000000029D0000-0x00000000029DC000-memory.dmp

        Filesize

        48KB

        Download

      • memory/4660-68-0x000000001B4B0000-0x000000001B4C0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4660-65-0x00000000029C0000-0x00000000029CE000-memory.dmp

        Filesize

        56KB

        Download

      • memory/4660-50-0x0000000002990000-0x00000000029A8000-memory.dmp

        Filesize

        96KB

        Download

      • memory/4660-47-0x000000001B400000-0x000000001B450000-memory.dmp

        Filesize

        320KB

        Download

      • memory/4660-46-0x0000000000FC0000-0x0000000000FDC000-memory.dmp

        Filesize

        112KB

        Download

      • memory/4660-139-0x000000001DBD0000-0x000000001DC9D000-memory.dmp

        Filesize

        820KB

        Download

      • memory/4660-44-0x00007FF994500000-0x00007FF994501000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4660-43-0x00007FF994510000-0x00007FF994511000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4660-41-0x0000000000EF0000-0x0000000000EFE000-memory.dmp

        Filesize

        56KB

        Download

      • memory/4660-42-0x00007FF994520000-0x00007FF9945DE000-memory.dmp

        Filesize

        760KB

        Download

      • memory/4660-39-0x000000001B4B0000-0x000000001B4C0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4660-38-0x000000001B4B0000-0x000000001B4C0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4660-37-0x0000000000EB0000-0x0000000000EB1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4660-36-0x00007FF977A00000-0x00007FF9784C1000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4660-35-0x0000000000460000-0x000000000072E000-memory.dmp

        Filesize

        2.8MB

        Download

      • memory/4660-63-0x00007FF994150000-0x00007FF994151000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4660-62-0x00007FF994160000-0x00007FF994161000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4660-61-0x00007FF977A00000-0x00007FF9784C1000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4660-60-0x00000000029B0000-0x00000000029BC000-memory.dmp

        Filesize

        48KB

        Download

      • memory/5864-495-0x000000001C9F0000-0x000000001CABD000-memory.dmp

        Filesize

        820KB

        Download

      • memory/5864-496-0x000000001D820000-0x000000001D935000-memory.dmp

        Filesize

        1.1MB

        Download