zgrat | fb2e3a0d29ae08e964de8bcc1cf986b3a6b928d13e14368cc31535236afd024e

Analysis

max time kernel
144s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
29/04/2024, 01:49

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

fb2e3a0d29ae08e964de8bcc1cf986b3a6b928d13e14368cc31535236afd024e.exe
Size

1.7MB
MD5

1925339cab9e6a65f43c5f04321156e2
SHA1

16fc99e39d5dd91b915da5ffb969f56597d54c06
SHA256

fb2e3a0d29ae08e964de8bcc1cf986b3a6b928d13e14368cc31535236afd024e
SHA512

36e3a20e9024183ee87a2885d883da5f8ded3f9d5b78aa3ce3fb6b21a86b8ff3af88229e77a15ee68f3df6c5e140f6e83e9558a00fc0d9dc49bd36c77b997816
SSDEEP

49152:IBJ+5XdfyLwy6z4OTWtr4dOJ6taJlZHnfi0pu:yA7iXg4aWF4wko1Hfi04

Score

10^/10

zgrat rat

Malware Config

Signatures

Detect ZGRat V1 2 IoCs

resource	yara_rule
behavioral2/files/0x000b000000023b98-10.dat	family_zgrat_v1
behavioral2/memory/3248-12-0x0000000000E20000-0x0000000000FFE000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Detects executables packed with unregistered version of .NET Reactor 2 IoCs

resource	yara_rule
behavioral2/files/0x000b000000023b98-10.dat	INDICATOR_EXE_Packed_DotNetReactor
behavioral2/memory/3248-12-0x0000000000E20000-0x0000000000FFE000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor

Checks computer location settings 2 TTPs 10 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	fb2e3a0d29ae08e964de8bcc1cf986b3a6b928d13e14368cc31535236afd024e.exe
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	driverInto.exe
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe

Executes dropped EXE 8 IoCs

pid	Process
3248	driverInto.exe
2096	fontdrvhost.exe
1508	fontdrvhost.exe
2736	fontdrvhost.exe
5108	fontdrvhost.exe
2180	fontdrvhost.exe
4928	fontdrvhost.exe
2132	fontdrvhost.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
5	ipinfo.io

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files\WindowsPowerShell\Configuration\Registration\6ccacd8608530f	driverInto.exe
File created	C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exe	driverInto.exe
File created	C:\Program Files (x86)\Windows Portable Devices\9e8d7a4ca61bd9	driverInto.exe
File created	C:\Program Files\WindowsPowerShell\Configuration\Registration\Idle.exe	driverInto.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Resources\RuntimeBroker.exe	driverInto.exe
File created	C:\Windows\Resources\9e8d7a4ca61bd9	driverInto.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000_Classes\Local Settings	fb2e3a0d29ae08e964de8bcc1cf986b3a6b928d13e14368cc31535236afd024e.exe
Key created	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000_Classes\Local Settings	driverInto.exe
Key created	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000_Classes\Local Settings	fontdrvhost.exe

Runs ping.exe 1 TTPs 6 IoCs

Remote System Discovery

T1018

pid	Process
1248	PING.EXE
5080	PING.EXE
3624	PING.EXE
628	PING.EXE
2676	PING.EXE
3128	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3248	driverInto.exe
3248	driverInto.exe
3248	driverInto.exe
3248	driverInto.exe
3248	driverInto.exe
3248	driverInto.exe
3248	driverInto.exe
3248	driverInto.exe
3248	driverInto.exe
3248	driverInto.exe
3248	driverInto.exe
3248	driverInto.exe
3248	driverInto.exe
3248	driverInto.exe
3248	driverInto.exe
3248	driverInto.exe
3248	driverInto.exe
3248	driverInto.exe
3248	driverInto.exe
3248	driverInto.exe
3248	driverInto.exe
3248	driverInto.exe
3248	driverInto.exe
3248	driverInto.exe
3248	driverInto.exe
3248	driverInto.exe
3248	driverInto.exe
3248	driverInto.exe
3248	driverInto.exe
3248	driverInto.exe
3248	driverInto.exe
3248	driverInto.exe
3248	driverInto.exe
3248	driverInto.exe
3248	driverInto.exe
3248	driverInto.exe
3248	driverInto.exe
3248	driverInto.exe
3248	driverInto.exe
3248	driverInto.exe
3248	driverInto.exe
3248	driverInto.exe
3248	driverInto.exe
3248	driverInto.exe
3248	driverInto.exe
3248	driverInto.exe
3248	driverInto.exe
3248	driverInto.exe
3248	driverInto.exe
3248	driverInto.exe
3248	driverInto.exe
3248	driverInto.exe
3248	driverInto.exe
3248	driverInto.exe
3248	driverInto.exe
3248	driverInto.exe
3248	driverInto.exe
3248	driverInto.exe
3248	driverInto.exe
3248	driverInto.exe
3248	driverInto.exe
3248	driverInto.exe
3248	driverInto.exe
3248	driverInto.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeDebugPrivilege	3248	driverInto.exe
Token: SeDebugPrivilege	2688	powershell.exe
Token: SeDebugPrivilege	1004	powershell.exe
Token: SeDebugPrivilege	3188	powershell.exe
Token: SeDebugPrivilege	2500	powershell.exe
Token: SeDebugPrivilege	2428	powershell.exe
Token: SeDebugPrivilege	388	powershell.exe
Token: SeDebugPrivilege	2096	fontdrvhost.exe
Token: SeDebugPrivilege	1508	fontdrvhost.exe
Token: SeDebugPrivilege	2736	fontdrvhost.exe
Token: SeDebugPrivilege	5108	fontdrvhost.exe
Token: SeDebugPrivilege	2180	fontdrvhost.exe
Token: SeDebugPrivilege	4928	fontdrvhost.exe
Token: SeDebugPrivilege	2132	fontdrvhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4888 wrote to memory of 1692	4888	fb2e3a0d29ae08e964de8bcc1cf986b3a6b928d13e14368cc31535236afd024e.exe	83
PID 4888 wrote to memory of 1692	4888	fb2e3a0d29ae08e964de8bcc1cf986b3a6b928d13e14368cc31535236afd024e.exe	83
PID 4888 wrote to memory of 1692	4888	fb2e3a0d29ae08e964de8bcc1cf986b3a6b928d13e14368cc31535236afd024e.exe	83
PID 1692 wrote to memory of 436	1692	WScript.exe	87
PID 1692 wrote to memory of 436	1692	WScript.exe	87
PID 1692 wrote to memory of 436	1692	WScript.exe	87
PID 436 wrote to memory of 3248	436	cmd.exe	89
PID 436 wrote to memory of 3248	436	cmd.exe	89
PID 3248 wrote to memory of 388	3248	driverInto.exe	90
PID 3248 wrote to memory of 388	3248	driverInto.exe	90
PID 3248 wrote to memory of 3188	3248	driverInto.exe	91
PID 3248 wrote to memory of 3188	3248	driverInto.exe	91
PID 3248 wrote to memory of 1004	3248	driverInto.exe	92
PID 3248 wrote to memory of 1004	3248	driverInto.exe	92
PID 3248 wrote to memory of 2688	3248	driverInto.exe	93
PID 3248 wrote to memory of 2688	3248	driverInto.exe	93
PID 3248 wrote to memory of 2428	3248	driverInto.exe	94
PID 3248 wrote to memory of 2428	3248	driverInto.exe	94
PID 3248 wrote to memory of 2500	3248	driverInto.exe	95
PID 3248 wrote to memory of 2500	3248	driverInto.exe	95
PID 3248 wrote to memory of 1480	3248	driverInto.exe	101
PID 3248 wrote to memory of 1480	3248	driverInto.exe	101
PID 1480 wrote to memory of 4724	1480	cmd.exe	105
PID 1480 wrote to memory of 4724	1480	cmd.exe	105
PID 1480 wrote to memory of 2676	1480	cmd.exe	107
PID 1480 wrote to memory of 2676	1480	cmd.exe	107
PID 1480 wrote to memory of 2096	1480	cmd.exe	112
PID 1480 wrote to memory of 2096	1480	cmd.exe	112
PID 2096 wrote to memory of 4252	2096	fontdrvhost.exe	114
PID 2096 wrote to memory of 4252	2096	fontdrvhost.exe	114
PID 4252 wrote to memory of 2772	4252	cmd.exe	116
PID 4252 wrote to memory of 2772	4252	cmd.exe	116
PID 4252 wrote to memory of 1260	4252	cmd.exe	117
PID 4252 wrote to memory of 1260	4252	cmd.exe	117
PID 4252 wrote to memory of 1508	4252	cmd.exe	118
PID 4252 wrote to memory of 1508	4252	cmd.exe	118
PID 1508 wrote to memory of 4956	1508	fontdrvhost.exe	119
PID 1508 wrote to memory of 4956	1508	fontdrvhost.exe	119
PID 4956 wrote to memory of 440	4956	cmd.exe	121
PID 4956 wrote to memory of 440	4956	cmd.exe	121
PID 4956 wrote to memory of 3128	4956	cmd.exe	122
PID 4956 wrote to memory of 3128	4956	cmd.exe	122
PID 4956 wrote to memory of 2736	4956	cmd.exe	123
PID 4956 wrote to memory of 2736	4956	cmd.exe	123
PID 2736 wrote to memory of 3220	2736	fontdrvhost.exe	124
PID 2736 wrote to memory of 3220	2736	fontdrvhost.exe	124
PID 3220 wrote to memory of 4068	3220	cmd.exe	126
PID 3220 wrote to memory of 4068	3220	cmd.exe	126
PID 3220 wrote to memory of 2964	3220	cmd.exe	127
PID 3220 wrote to memory of 2964	3220	cmd.exe	127
PID 3220 wrote to memory of 5108	3220	cmd.exe	128
PID 3220 wrote to memory of 5108	3220	cmd.exe	128
PID 5108 wrote to memory of 2748	5108	fontdrvhost.exe	131
PID 5108 wrote to memory of 2748	5108	fontdrvhost.exe	131
PID 2748 wrote to memory of 2780	2748	cmd.exe	133
PID 2748 wrote to memory of 2780	2748	cmd.exe	133
PID 2748 wrote to memory of 1248	2748	cmd.exe	134
PID 2748 wrote to memory of 1248	2748	cmd.exe	134
PID 2748 wrote to memory of 2180	2748	cmd.exe	135
PID 2748 wrote to memory of 2180	2748	cmd.exe	135
PID 2180 wrote to memory of 4376	2180	fontdrvhost.exe	136
PID 2180 wrote to memory of 4376	2180	fontdrvhost.exe	136
PID 4376 wrote to memory of 4316	4376	cmd.exe	138
PID 4376 wrote to memory of 4316	4376	cmd.exe	138

C:\Users\Admin\AppData\Local\Temp\fb2e3a0d29ae08e964de8bcc1cf986b3a6b928d13e14368cc31535236afd024e.exe
"C:\Users\Admin\AppData\Local\Temp\fb2e3a0d29ae08e964de8bcc1cf986b3a6b928d13e14368cc31535236afd024e.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4888
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\portintosvc\X5ZTZfC.vbe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:1692
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\portintosvc\6iyrEfS0qZMUeKUvqyCENK8F6bD2a9LOXf0Mm.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:436
  - - C:\portintosvc\driverInto.exe
      "C:\portintosvc/driverInto.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3248
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\WindowsPowerShell\Configuration\Registration\Idle.exe'
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:388
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Resources\RuntimeBroker.exe'
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3188
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\backgroundTaskHost.exe'
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1004
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exe'
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2688
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\fontdrvhost.exe'
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2428
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\portintosvc\driverInto.exe'
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2500
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZzM8ySCB9D.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1480
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:4724
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        Runs ping.exe
        
        PID:2676
      - C:\Recovery\WindowsRE\fontdrvhost.exe
        
        "C:\Recovery\WindowsRE\fontdrvhost.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2096
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\M7ZRnUVt3i.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:4252
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:2772
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:1260
        
        C:\Recovery\WindowsRE\fontdrvhost.exe
        
        "C:\Recovery\WindowsRE\fontdrvhost.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1508
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7AlTOZFOMS.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:4956
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:440
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        Runs ping.exe
        
        PID:3128
        
        C:\Recovery\WindowsRE\fontdrvhost.exe
        
        "C:\Recovery\WindowsRE\fontdrvhost.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2736
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\g6UJbp2Exv.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:3220
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:4068
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:2964
        
        C:\Recovery\WindowsRE\fontdrvhost.exe
        
        "C:\Recovery\WindowsRE\fontdrvhost.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5108
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vGBsZePsxa.bat"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:2748
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:2780
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        Runs ping.exe
        
        PID:1248
        
        C:\Recovery\WindowsRE\fontdrvhost.exe
        
        "C:\Recovery\WindowsRE\fontdrvhost.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2180
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2ERwRXGzbm.bat"
        15⤵
        Suspicious use of WriteProcessMemory
        
        PID:4376
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:4316
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        Runs ping.exe
        
        PID:5080
        
        C:\Recovery\WindowsRE\fontdrvhost.exe
        
        "C:\Recovery\WindowsRE\fontdrvhost.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4928
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\D1HctEwNfs.bat"
        17⤵
        
        PID:4668
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:2872
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        Runs ping.exe
        
        PID:3624
        
        C:\Recovery\WindowsRE\fontdrvhost.exe
        
        "C:\Recovery\WindowsRE\fontdrvhost.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2132
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iZ9ZaL1wLl.bat"
        19⤵
        
        PID:2068
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:1508
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        Runs ping.exe
        
        PID:628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\fontdrvhost.exe.log

Filesize
1KB

MD5
7a7dd1e695790550e38cb160458687c9

SHA1
ca8425e79d183db9ba405e3a799c9b7592ed4618

SHA256
ced69c14422bf143608e1efb84c2131d5526cbc7203047ddd37337b9bf526fdb

SHA512
f3b621c8423a9cfe9409d16b80ac4225123a7cb9adddacbdd4f69c95375a9dc11aecc147d858eef50a44d7c3d517a2707e3fe6f1d8b7f0c6a35dd1e83daac3a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e907f77659a6601fcc408274894da2e

SHA1
9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

SHA256
385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

SHA512
34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

Download Submit
C:\Users\Admin\AppData\Local\Temp\2ERwRXGzbm.bat

Filesize
165B

MD5
5e96c30eaf5b6cc385999569119aec22

SHA1
8798dab4a750c5b1f2c0e2931406eb35fd8d3af2

SHA256
8a9942ddedeebf5e7a88f699d688284c886cf4d1106a528d64e51029ca07eac9

SHA512
1a8afc65277701e24e9ec6f5e57bf9edbd113d1b9de0a0bfe77708ef50628ee38c4089d86241058043a0e8452ebdb4fa6eb28912f0728d08a1b30d530065d2e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7AlTOZFOMS.bat

Filesize
165B

MD5
02c995ce9f4013d6675cb1b29cccf5fb

SHA1
27acc280da60bedef9406e9ce7e76c056d6a6140

SHA256
144f4f177de9578021b127a02a63e6c95f61774935bce60acddb9196731c3a95

SHA512
de7b758ddfba9271c4ce16617e1e0879a7fbe88ab4949ae442018154b9dfc8e22761dad3f9cf505862b2ce2f9511e558517fb6cfb461cd1ff1101e0dfe3bb195

Download Submit
C:\Users\Admin\AppData\Local\Temp\D1HctEwNfs.bat

Filesize
165B

MD5
6c848e5ec75cf265881a6aad7c879948

SHA1
f6a5dba9de6d5127c2f56fcc62d829e0952b0e8a

SHA256
a8794821e508cbb70dae005732016eedb3437a72878c4081bcacd326b333e48a

SHA512
21963719116d082990197a05030bd42317da6d49f02a3832de67234c4ef7be54f782c56be4bb66ab72f7583ce555b2d52a612df2acaf4e60465b18293f6f8035

Download Submit
C:\Users\Admin\AppData\Local\Temp\M7ZRnUVt3i.bat

Filesize
213B

MD5
76668346f8846bbafe93001844792a7a

SHA1
ede1f92a5321fef22f336fee3586929582d10cd0

SHA256
e11f833eb97a433e58899c8c5d3b3dd8aedd7f4d80f3adbf3a4aed0af81dbdad

SHA512
c677f5d0f10792216ae3e6b3dfb6e905778a2db8cd90906c38b30057874cb70309d0bc1c2b25ccb033a4cf6f3fc4187595b603cb6a13f189c351ed0cdb019cfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZzM8ySCB9D.bat

Filesize
165B

MD5
0bd366185cf1cecabbd510cf6e27899a

SHA1
f75a7b3136d9a285e4f0c055ea5d54cc82e01f93

SHA256
a707e7ee13070d365c3cd56e13178245612f00d69ec6fabe30ffb7c8c68234d1

SHA512
5ffa0352f940ca3898fa6751d8be42f5e331662250c114eae6d69de58b6fa9d7cf05c75eb9e2f6ed88bc54aabc7b3b9e54418b5cd3922ea3bc7630151ef38b79

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vkberl5r.aok.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\g6UJbp2Exv.bat

Filesize
213B

MD5
14f2814a9bcb5dad471c19f78aaa2d13

SHA1
f92d6f6866317564b26365e54de4876d9a36fa82

SHA256
07e0c1c1081a5ef06740e1409b67aa5de7283e8c93b74fb5b7bbb608923453ab

SHA512
26f29e1b81dd1c7210ca206ba55d2fd7fe4a0bb260f63d603b14d4099672efcb5f712176767d27004e8975d9fd0b7908d601ee4530f1981b303346078ffbe834

Download Submit
C:\Users\Admin\AppData\Local\Temp\iZ9ZaL1wLl.bat

Filesize
165B

MD5
cac6f38f60b56347515b4c5dc00aa0c5

SHA1
a8a140ca420ecd2c676cef29fb6a4781da33acd9

SHA256
ffa23177d95a8a3d5a73c1e8038f2f81e25d53d9dc1fcd078b5b45946e63017d

SHA512
afd161172d0e75e3349cd44e9bbcede90e77d891beac1b4c89253c9676eb2b150744c60b7bc2a0d1d633b0ffa19b7aa6e4bbedfb576d2bc6b9fad88f3c27a99e

Download Submit
C:\Users\Admin\AppData\Local\Temp\vGBsZePsxa.bat

Filesize
165B

MD5
b49abfb86f8f25dc6502a679c266457a

SHA1
9f59dacb1d4d06c514f64d8da842209014c73371

SHA256
2f5349215f883d2c153163ddc09593e183dbae091cc310bd268463925ac05d89

SHA512
f0e6814aff1a2c62b989a5ed796a06dd8631da4415f97c89ebf5ff65595e1da8d5f6fbe4b3584657c39d1c6a1cf0873a425c25b8b0d0f7ba2f8264cbd7b42b5b

Download Submit
C:\portintosvc\6iyrEfS0qZMUeKUvqyCENK8F6bD2a9LOXf0Mm.bat

Filesize
93B

MD5
0be982804b016289cb81417601b9eb58

SHA1
afe7c33411a4287b61a9a44ea5c385a37dd9da3c

SHA256
bac34dff1783ef418218d2ea5eb4a26f90ac684aa170f0ce4ed53a4fcc670e86

SHA512
bbc734d9608859dda9719d2416b1a25c777caa94bc91214a5130c032ebb82fd08e41109b153ce03e71969043bb0de184c28974820575fe94261448436d34cd77

Download Submit
C:\portintosvc\X5ZTZfC.vbe

Filesize
227B

MD5
808f7be1b688dfe0b79177049d1e221c

SHA1
7a5230e286a0e1cf1bbffc00d835d020ccb3962f

SHA256
3c418f6b30335a6dc3b70240951db4156ab448316cc75fa07ef593e16d9c2da0

SHA512
a6d8e8c559f53dede4609b96c99e124605e7c5c20bfd715785d6e9399dab6ba0ffaf360f0922e3641521a17d18fc2e33e99ee90e0e28976b831bdffe112385d2

Download Submit
C:\portintosvc\driverInto.exe

Filesize
1.8MB

MD5
31594886c067c61c60a04365c0e2a58c

SHA1
c2e398b5570da49b08050ccd48381f96e8368f28

SHA256
7309289e7d27aaecdfa582bdbd748db3ec445b317022b4b842c1cfb91c0b5d84

SHA512
56ae556094784b60a2b15ee21af06e5e34fc60f921bef406c2ad5254bae36f6736cf4cf7e589b144e5bb36edb9863d51f1c65447b7ce35a5f519a67cbaacec33

Download Submit
memory/2688-47-0x00000191BB500000-0x00000191BB522000-memory.dmp

Filesize
136KB

Download
memory/3248-41-0x00007FFD97800000-0x00007FFD982C1000-memory.dmp

Filesize
10.8MB

Download
memory/3248-24-0x000000001BC20000-0x000000001BC2C000-memory.dmp

Filesize
48KB

Download
memory/3248-22-0x000000001BC10000-0x000000001BC18000-memory.dmp

Filesize
32KB

Download
memory/3248-20-0x000000001BC50000-0x000000001BC68000-memory.dmp

Filesize
96KB

Download
memory/3248-18-0x000000001BFE0000-0x000000001C030000-memory.dmp

Filesize
320KB

Download
memory/3248-17-0x000000001BC30000-0x000000001BC4C000-memory.dmp

Filesize
112KB

Download
memory/3248-15-0x000000001BC00000-0x000000001BC0E000-memory.dmp

Filesize
56KB

Download
memory/3248-13-0x00007FFD97800000-0x00007FFD982C1000-memory.dmp

Filesize
10.8MB

Download
memory/3248-12-0x0000000000E20000-0x0000000000FFE000-memory.dmp

Filesize
1.9MB

Download