modiloader | 9b4b49505a77593a84b8e160f43134d76e63a7b0e8ad26619d3a60f6cf51ad0d

Analysis

max time kernel
150s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20/01/2025, 06:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MF-HF malfunction LOG Report,PDF.cmd
Size

2.7MB
MD5

52c4a6ab8615c5f10087756a5506a81d
SHA1

4edc7261d4b1f624d94099071e5752fbc5864fae
SHA256

b7aa6671b0d47e966e51c97c069edff139d312e7707ffbc22fb2392b3004021a
SHA512

b542b3b361dac98ac1db9517aeac1bfec3dab4f3439729f466a225550e1c0b486bf662989bc15f51d25842fedca09087105bd81a48a13a9632f0167375ce39ef
SSDEEP

24576:ybei0ej3l3KRE+5WyHCN51BPTjF0Sj2dkucbo0063u9wN6UFfbDXRCDy:ybeiJjERE+q51SdvmYUz

Score

10^/10

modiloader discovery persistence trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modiloader family
modiloader

ModiLoader Second Stage 61 IoCs

resource	yara_rule
behavioral4/memory/224-25-0x0000000002A10000-0x0000000003A10000-memory.dmp	modiloader_stage2
behavioral4/memory/224-31-0x0000000002A10000-0x0000000003A10000-memory.dmp	modiloader_stage2
behavioral4/memory/224-40-0x0000000002A10000-0x0000000003A10000-memory.dmp	modiloader_stage2
behavioral4/memory/224-50-0x0000000002A10000-0x0000000003A10000-memory.dmp	modiloader_stage2
behavioral4/memory/224-65-0x0000000002A10000-0x0000000003A10000-memory.dmp	modiloader_stage2
behavioral4/memory/224-89-0x0000000002A10000-0x0000000003A10000-memory.dmp	modiloader_stage2
behavioral4/memory/224-102-0x0000000002A10000-0x0000000003A10000-memory.dmp	modiloader_stage2
behavioral4/memory/224-72-0x0000000002A10000-0x0000000003A10000-memory.dmp	modiloader_stage2
behavioral4/memory/224-70-0x0000000002A10000-0x0000000003A10000-memory.dmp	modiloader_stage2
behavioral4/memory/224-69-0x0000000002A10000-0x0000000003A10000-memory.dmp	modiloader_stage2
behavioral4/memory/224-67-0x0000000002A10000-0x0000000003A10000-memory.dmp	modiloader_stage2
behavioral4/memory/224-88-0x0000000002A10000-0x0000000003A10000-memory.dmp	modiloader_stage2
behavioral4/memory/224-87-0x0000000002A10000-0x0000000003A10000-memory.dmp	modiloader_stage2
behavioral4/memory/224-63-0x0000000002A10000-0x0000000003A10000-memory.dmp	modiloader_stage2
behavioral4/memory/224-85-0x0000000002A10000-0x0000000003A10000-memory.dmp	modiloader_stage2
behavioral4/memory/224-84-0x0000000002A10000-0x0000000003A10000-memory.dmp	modiloader_stage2
behavioral4/memory/224-83-0x0000000002A10000-0x0000000003A10000-memory.dmp	modiloader_stage2
behavioral4/memory/224-82-0x0000000002A10000-0x0000000003A10000-memory.dmp	modiloader_stage2
behavioral4/memory/224-60-0x0000000002A10000-0x0000000003A10000-memory.dmp	modiloader_stage2
behavioral4/memory/224-81-0x0000000002A10000-0x0000000003A10000-memory.dmp	modiloader_stage2
behavioral4/memory/224-58-0x0000000002A10000-0x0000000003A10000-memory.dmp	modiloader_stage2
behavioral4/memory/224-78-0x0000000002A10000-0x0000000003A10000-memory.dmp	modiloader_stage2
behavioral4/memory/224-76-0x0000000002A10000-0x0000000003A10000-memory.dmp	modiloader_stage2
behavioral4/memory/224-56-0x0000000002A10000-0x0000000003A10000-memory.dmp	modiloader_stage2
behavioral4/memory/224-75-0x0000000002A10000-0x0000000003A10000-memory.dmp	modiloader_stage2
behavioral4/memory/224-71-0x0000000002A10000-0x0000000003A10000-memory.dmp	modiloader_stage2
behavioral4/memory/224-53-0x0000000002A10000-0x0000000003A10000-memory.dmp	modiloader_stage2
behavioral4/memory/224-68-0x0000000002A10000-0x0000000003A10000-memory.dmp	modiloader_stage2
behavioral4/memory/224-66-0x0000000002A10000-0x0000000003A10000-memory.dmp	modiloader_stage2
behavioral4/memory/224-64-0x0000000002A10000-0x0000000003A10000-memory.dmp	modiloader_stage2
behavioral4/memory/224-86-0x0000000002A10000-0x0000000003A10000-memory.dmp	modiloader_stage2
behavioral4/memory/224-62-0x0000000002A10000-0x0000000003A10000-memory.dmp	modiloader_stage2
behavioral4/memory/224-80-0x0000000002A10000-0x0000000003A10000-memory.dmp	modiloader_stage2
behavioral4/memory/224-79-0x0000000002A10000-0x0000000003A10000-memory.dmp	modiloader_stage2
behavioral4/memory/224-77-0x0000000002A10000-0x0000000003A10000-memory.dmp	modiloader_stage2
behavioral4/memory/224-46-0x0000000002A10000-0x0000000003A10000-memory.dmp	modiloader_stage2
behavioral4/memory/224-57-0x0000000002A10000-0x0000000003A10000-memory.dmp	modiloader_stage2
behavioral4/memory/224-74-0x0000000002A10000-0x0000000003A10000-memory.dmp	modiloader_stage2
behavioral4/memory/224-55-0x0000000002A10000-0x0000000003A10000-memory.dmp	modiloader_stage2
behavioral4/memory/224-73-0x0000000002A10000-0x0000000003A10000-memory.dmp	modiloader_stage2
behavioral4/memory/224-54-0x0000000002A10000-0x0000000003A10000-memory.dmp	modiloader_stage2
behavioral4/memory/224-52-0x0000000002A10000-0x0000000003A10000-memory.dmp	modiloader_stage2
behavioral4/memory/224-51-0x0000000002A10000-0x0000000003A10000-memory.dmp	modiloader_stage2
behavioral4/memory/224-49-0x0000000002A10000-0x0000000003A10000-memory.dmp	modiloader_stage2
behavioral4/memory/224-61-0x0000000002A10000-0x0000000003A10000-memory.dmp	modiloader_stage2
behavioral4/memory/224-48-0x0000000002A10000-0x0000000003A10000-memory.dmp	modiloader_stage2
behavioral4/memory/224-47-0x0000000002A10000-0x0000000003A10000-memory.dmp	modiloader_stage2
behavioral4/memory/224-59-0x0000000002A10000-0x0000000003A10000-memory.dmp	modiloader_stage2
behavioral4/memory/224-37-0x0000000002A10000-0x0000000003A10000-memory.dmp	modiloader_stage2
behavioral4/memory/224-45-0x0000000002A10000-0x0000000003A10000-memory.dmp	modiloader_stage2
behavioral4/memory/224-44-0x0000000002A10000-0x0000000003A10000-memory.dmp	modiloader_stage2
behavioral4/memory/224-43-0x0000000002A10000-0x0000000003A10000-memory.dmp	modiloader_stage2
behavioral4/memory/224-42-0x0000000002A10000-0x0000000003A10000-memory.dmp	modiloader_stage2
behavioral4/memory/224-39-0x0000000002A10000-0x0000000003A10000-memory.dmp	modiloader_stage2
behavioral4/memory/224-32-0x0000000002A10000-0x0000000003A10000-memory.dmp	modiloader_stage2
behavioral4/memory/224-33-0x0000000002A10000-0x0000000003A10000-memory.dmp	modiloader_stage2
behavioral4/memory/224-38-0x0000000002A10000-0x0000000003A10000-memory.dmp	modiloader_stage2
behavioral4/memory/224-36-0x0000000002A10000-0x0000000003A10000-memory.dmp	modiloader_stage2
behavioral4/memory/224-35-0x0000000002A10000-0x0000000003A10000-memory.dmp	modiloader_stage2
behavioral4/memory/224-34-0x0000000002A10000-0x0000000003A10000-memory.dmp	modiloader_stage2
behavioral4/memory/224-30-0x0000000002A10000-0x0000000003A10000-memory.dmp	modiloader_stage2

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	awpha.pif

Executes dropped EXE 13 IoCs

pid	Process
4184	alpha.pif
2384	phf.pif
2224	alpha.pif
376	phf.pif
2564	awpha.pif
224	AnyDesk.pif
2772	svchost.pif
3024	alpha.pif
852	Upha.pif
2036	alpha.pif
2892	Upha.pif
3188	alpha.pif
5004	aken.pif

Loads dropped DLL 1 IoCs

pid	Process
2772	svchost.pif

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Dudfwlvw = "C:\\Users\\Public\\Dudfwlvw.url"	AnyDesk.pif

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	colorcpl.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4040	PING.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4040	PING.EXE

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	21	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2772	svchost.pif
2772	svchost.pif
2772	svchost.pif
2772	svchost.pif
2772	svchost.pif
2772	svchost.pif
5004	aken.pif
5004	aken.pif
2772	svchost.pif
2772	svchost.pif
2772	svchost.pif
2772	svchost.pif
2772	svchost.pif
2772	svchost.pif
2772	svchost.pif
2772	svchost.pif
2772	svchost.pif
2772	svchost.pif
2772	svchost.pif
2772	svchost.pif
2772	svchost.pif
2772	svchost.pif
2772	svchost.pif
2772	svchost.pif
2772	svchost.pif
2772	svchost.pif
2772	svchost.pif
2772	svchost.pif
2772	svchost.pif
2772	svchost.pif
2772	svchost.pif
2772	svchost.pif
2772	svchost.pif
2772	svchost.pif
2772	svchost.pif
2772	svchost.pif
2772	svchost.pif
2772	svchost.pif
2772	svchost.pif
2772	svchost.pif
2772	svchost.pif
2772	svchost.pif
2772	svchost.pif
2772	svchost.pif
2772	svchost.pif
2772	svchost.pif
2772	svchost.pif
2772	svchost.pif
2772	svchost.pif
2772	svchost.pif
2772	svchost.pif
2772	svchost.pif
2772	svchost.pif
2772	svchost.pif
2772	svchost.pif
2772	svchost.pif
2772	svchost.pif
2772	svchost.pif
2772	svchost.pif
2772	svchost.pif
2772	svchost.pif
2772	svchost.pif
2772	svchost.pif
2772	svchost.pif

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
656	Process not Found

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	5004	aken.pif

Suspicious use of WriteProcessMemory 53 IoCs

description	pid	Process	procid_target
PID 3356 wrote to memory of 1088	3356	cmd.exe	83
PID 3356 wrote to memory of 1088	3356	cmd.exe	83
PID 3356 wrote to memory of 2656	3356	cmd.exe	84
PID 3356 wrote to memory of 2656	3356	cmd.exe	84
PID 3356 wrote to memory of 3952	3356	cmd.exe	85
PID 3356 wrote to memory of 3952	3356	cmd.exe	85
PID 3356 wrote to memory of 4184	3356	cmd.exe	86
PID 3356 wrote to memory of 4184	3356	cmd.exe	86
PID 4184 wrote to memory of 2384	4184	alpha.pif	87
PID 4184 wrote to memory of 2384	4184	alpha.pif	87
PID 3356 wrote to memory of 2224	3356	cmd.exe	88
PID 3356 wrote to memory of 2224	3356	cmd.exe	88
PID 2224 wrote to memory of 376	2224	alpha.pif	89
PID 2224 wrote to memory of 376	2224	alpha.pif	89
PID 3356 wrote to memory of 2564	3356	cmd.exe	90
PID 3356 wrote to memory of 2564	3356	cmd.exe	90
PID 3356 wrote to memory of 4040	3356	cmd.exe	92
PID 3356 wrote to memory of 4040	3356	cmd.exe	92
PID 2564 wrote to memory of 224	2564	awpha.pif	93
PID 2564 wrote to memory of 224	2564	awpha.pif	93
PID 2564 wrote to memory of 224	2564	awpha.pif	93
PID 224 wrote to memory of 2896	224	AnyDesk.pif	99
PID 224 wrote to memory of 2896	224	AnyDesk.pif	99
PID 224 wrote to memory of 2896	224	AnyDesk.pif	99
PID 224 wrote to memory of 4468	224	AnyDesk.pif	102
PID 224 wrote to memory of 4468	224	AnyDesk.pif	102
PID 224 wrote to memory of 4468	224	AnyDesk.pif	102
PID 4468 wrote to memory of 2772	4468	cmd.exe	104
PID 4468 wrote to memory of 2772	4468	cmd.exe	104
PID 2772 wrote to memory of 3216	2772	svchost.pif	105
PID 2772 wrote to memory of 3216	2772	svchost.pif	105
PID 3216 wrote to memory of 1992	3216	cmd.exe	107
PID 3216 wrote to memory of 1992	3216	cmd.exe	107
PID 3216 wrote to memory of 1980	3216	cmd.exe	108
PID 3216 wrote to memory of 1980	3216	cmd.exe	108
PID 3216 wrote to memory of 2300	3216	cmd.exe	109
PID 3216 wrote to memory of 2300	3216	cmd.exe	109
PID 3216 wrote to memory of 3024	3216	cmd.exe	111
PID 3216 wrote to memory of 3024	3216	cmd.exe	111
PID 3024 wrote to memory of 852	3024	alpha.pif	112
PID 3024 wrote to memory of 852	3024	alpha.pif	112
PID 3216 wrote to memory of 2036	3216	cmd.exe	113
PID 3216 wrote to memory of 2036	3216	cmd.exe	113
PID 2036 wrote to memory of 2892	2036	alpha.pif	114
PID 2036 wrote to memory of 2892	2036	alpha.pif	114
PID 3216 wrote to memory of 3188	3216	cmd.exe	115
PID 3216 wrote to memory of 3188	3216	cmd.exe	115
PID 3188 wrote to memory of 5004	3188	alpha.pif	116
PID 3188 wrote to memory of 5004	3188	alpha.pif	116
PID 224 wrote to memory of 1936	224	AnyDesk.pif	119
PID 224 wrote to memory of 1936	224	AnyDesk.pif	119
PID 224 wrote to memory of 1936	224	AnyDesk.pif	119
PID 224 wrote to memory of 1936	224	AnyDesk.pif	119

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\MF-HF malfunction LOG Report,PDF.cmd"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3356
- C:\Windows\system32\extrac32.exe
  extrac32.exe /C /Y "C:\\Windows\\System32\\wlrmdr.exe" "C:\\Users\\Public\\awpha.pif"
  2⤵
  PID:1088
- C:\Windows\system32\extrac32.exe
  extrac32.exe /C /Y "C:\\Windows\\System32\\cmd.exe" "C:\\Users\\Public\\alpha.pif"
  2⤵
  PID:2656
- C:\Windows\system32\extrac32.exe
  extrac32 /C /Y "C:\\Windows\\System32\\certutil.exe" "C:\\Users\\Public\\phf.pif"
  2⤵
  PID:3952
- C:\Users\Public\alpha.pif
  C:\\Users\\Public\\alpha.pif /c C:\\Users\\Public\\phf.pif -decodehex -F "C:\Users\Admin\AppData\Local\Temp\MF-HF malfunction LOG Report,PDF.cmd" "C:\\Users\\Public\\AnyDesk.avi" 9
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4184
- - C:\Users\Public\phf.pif
    C:\\Users\\Public\\phf.pif -decodehex -F "C:\Users\Admin\AppData\Local\Temp\MF-HF malfunction LOG Report,PDF.cmd" "C:\\Users\\Public\\AnyDesk.avi" 9
    3⤵
    - Executes dropped EXE
    PID:2384
- C:\Users\Public\alpha.pif
  C:\\Users\\Public\\alpha.pif /c C:\\Users\\Public\\phf.pif -decodehex -F "C:\\Users\\Public\\AnyDesk.avi" "C:\\Users\\Public\\Libraries\\AnyDesk.pif" 12
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2224
- - C:\Users\Public\phf.pif
    C:\\Users\\Public\\phf.pif -decodehex -F "C:\\Users\\Public\\AnyDesk.avi" "C:\\Users\\Public\\Libraries\\AnyDesk.pif" 12
    3⤵
    - Executes dropped EXE
    PID:376
- C:\Users\Public\awpha.pif
  "C:\Users\Public\awpha.pif" -s 3600 -f 0 -t _ -m _ -a 11 -u C:\Users\Public\Libraries\AnyDesk.pif
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2564
- - C:\Users\Public\Libraries\AnyDesk.pif
    "C:\Users\Public\Libraries\AnyDesk.pif"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:224
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Public\DudfwlvwF.cmd" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:2896
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\FX.cmd
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4468
    - - C:\Windows \SysWOW64\svchost.pif
        
        "C:\Windows \SysWOW64\svchost.pif"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2772
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Public\Libraries\NEO.cmd
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3216
        
        C:\Windows\system32\extrac32.exe
        
        extrac32 /C /Y C:\\Windows\\System32\\cmd.exe C:\\Users\\Public\\alpha.pif
        7⤵
        
        PID:1992
        
        C:\Windows\system32\extrac32.exe
        
        extrac32 /C /Y C:\\Windows\\System32\\sc.exe C:\\Users\\Public\\Upha.pif
        7⤵
        
        PID:1980
        
        C:\Windows\system32\extrac32.exe
        
        extrac32 /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe C:\\Users\\Public\\aken.pif
        7⤵
        
        PID:2300
        
        C:\Users\Public\alpha.pif
        
        C:\\Users\\Public\\alpha.pif /c C:\\Users\\Public\\Upha.pif create TrueSight binPath="C:\Windows \SysWOW64\truesight.sys" type= kernel start= auto
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3024
        
        C:\Users\Public\Upha.pif
        
        C:\\Users\\Public\\Upha.pif create TrueSight binPath="C:\Windows \SysWOW64\truesight.sys" type= kernel start= auto
        8⤵
        Executes dropped EXE
        
        PID:852
        
        C:\Users\Public\alpha.pif
        
        C:\\Users\\Public\\alpha.pif /c C:\\Users\\Public\\Upha.pif start TrueSight
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2036
        
        C:\Users\Public\Upha.pif
        
        C:\\Users\\Public\\Upha.pif start TrueSight
        8⤵
        Executes dropped EXE
        
        PID:2892
        
        C:\Users\Public\alpha.pif
        
        C:\\Users\\Public\\alpha.pif /c C:\\Users\\Public\\aken.pif -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath 'C:\'"
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3188
        
        C:\Users\Public\aken.pif
        
        C:\\Users\\Public\\aken.pif -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath 'C:\'"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5004
  - - C:\Windows\SysWOW64\colorcpl.exe
      C:\Windows\System32\colorcpl.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:1936
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 5
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:4040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1cqfbmro.mll.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Public\AnyDesk.avi

Filesize
1.9MB

MD5
1681b40bf17bbaa119bc15de0178a7f0

SHA1
4aa764f20cfbcad18a2fd2d6233e80ad6ad8a341

SHA256
d61ec9e10804abaf84e4c59f3a9369f27fd25ba6e60ed293dfc82581b2553cda

SHA512
6b73ce5d844bfbc9caffc55c3412ed0b87e046c3833b000b14fed7e8b2fa3a6fe951b6d63a5080de65f5d69ad60b8a4d254542ad83233f2bb4ed1471fb6e49f6

Download Submit
C:\Users\Public\DudfwlvwF.cmd

Filesize
11KB

MD5
f82aeb3b12f33250e404df6ec873dd1d

SHA1
bcf538f64457e8d19da89229479cafa9c4cce12f

SHA256
23b7417b47c7efb96fb7ce395e325dc831ab2ee03eadda59058d31bdbe9c1ea6

SHA512
6f9d6daeed78f45f0f83310b95f47cc0a96d1db1d7f6c2e2485d7a8ecb04fee9865eec3599fee2d67f3332f68a70059f1a6a40050b93ef44d55632c24d108977

Download Submit
C:\Users\Public\Libraries\AnyDesk.pif

Filesize
988KB

MD5
f3aa67b05386799dfa67ead417d83e13

SHA1
b2d5914c0128a2082be60e4c1d719605eeba85f7

SHA256
f0be390b72006db2c733b8bd8b4e3f4bc75b3f794086817f9fe9ddc0b9c654f7

SHA512
9adda994a78a26ad87ea048995b11e628e04cab29b75587fb87baeb744dcd90ae9bd92252cd603211da65511e81beffe5b4c06122b2f4468aeb1ba3db96032ac

Download Submit
C:\Users\Public\Libraries\FX.cmd

Filesize
8KB

MD5
7821e3de3812e791cf3b223500d73bc9

SHA1
5e211b634ce77e6fee83ce8a5b8c9a37c8b81e1d

SHA256
3daa7f9eee129f61f7a452f7150ee21a1c4141586a37f37842b9c3bb53152a74

SHA512
6eae270065401626df97b73a255578bf27b4f4dea480954843823046ad95e40cf706c1a767c8765ef3ab48ea3a18498375614317ec00a9ef29a4dd21edbc5f26

Download Submit
C:\Users\Public\Libraries\NEO.cmd

Filesize
55KB

MD5
3c755cf5a64b256c08f9bb552167975c

SHA1
8c81ca56b178ffd77b15f59c5332813416d976d7

SHA256
12e0795aa1408bea69bfd0a53bb74558598e71b33fc12ffec0e0ae38d39da490

SHA512
8cf0f1a368089e2e3021ce6aeb4984821429d4bb9de3d273a9d0f571a847bba3fc429b84a877afec6decf40e6b94a69d52e8eeea55e042aa9773d3540dbe6bfa

Download Submit
C:\Users\Public\Upha.pif

Filesize
70KB

MD5
3fb5cf71f7e7eb49790cb0e663434d80

SHA1
b4979a9f970029889713d756c3f123643dde73da

SHA256
41f067c3a11b02fe39947f9eba68ae5c7cb5bd1872a6009a4cd1506554a9aba9

SHA512
2b59a6d0afef765c6ca80b5738202622cfe0dffcec2092d23ad8149156b0b1dca479e2e2c8562639c97e9f335429854cad12461f2fb277207c39d12e3e308ef5

Download Submit
C:\Users\Public\aken.pif

Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Users\Public\alpha.pif

Filesize
283KB

MD5
8a2122e8162dbef04694b9c3e0b6cdee

SHA1
f1efb0fddc156e4c61c5f78a54700e4e7984d55d

SHA256
b99d61d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450

SHA512
99e784141193275d4364ba1b8762b07cc150ca3cb7e9aa1d4386ba1fa87e073d0500e61572f8d1b071f2faa2a51bb123e12d9d07054b59a1a2fd768ad9f24397

Download Submit
C:\Users\Public\awpha.pif

Filesize
66KB

MD5
ef9bba7a637a11b224a90bf90a8943ac

SHA1
4747ec6efd2d41e049159249c2d888189bb33d1d

SHA256
2fda95aafb2e9284c730bf912b93f60a75b151941adc14445ed1e056140325b1

SHA512
4c1fdb8e4bf25546a2a33c95268593746f5ae2666ce36c6d9ba5833357f13720c4722231224e82308af8c156485a2c86ffd97e3093717a28d1300d3787ef1831

Download Submit
C:\Users\Public\phf.pif

Filesize
1.6MB

MD5
bd8d9943a9b1def98eb83e0fa48796c2

SHA1
70e89852f023ab7cde0173eda1208dbb580f1e4f

SHA256
8de7b4eb1301d6cbe4ea2c8d13b83280453eb64e3b3c80756bbd1560d65ca4d2

SHA512
95630fdddad5db60cc97ec76ee1ca02dbb00ee3de7d6957ecda8968570e067ab2a9df1cc07a3ce61161a994acbe8417c83661320b54d04609818009a82552f7b

Download Submit
C:\Windows \SysWOW64\netutils.dll

Filesize
116KB

MD5
0f088756537e0d65627ed2ea392dcaae

SHA1
983eb3818223641c13464831a2baad9466c3750f

SHA256
abe2b86bc07d11050451906dc5c6955e16341912a1da191fc05b80c6e2f44ad6

SHA512
d7ec6126467fd2300f2562be48d302513a92cee328470bf0b25b67dcf646ba6c824cd6195ba056b543db9e2a445991fe31ebc2f89d9eff084907d6af1384720d

Download Submit
C:\Windows \SysWOW64\svchost.pif

Filesize
94KB

MD5
869640d0a3f838694ab4dfea9e2f544d

SHA1
bdc42b280446ba53624ff23f314aadb861566832

SHA256
0db4d3ffdb96d13cf3b427af8be66d985728c55ae254e4b67d287797e4c0b323

SHA512
6e775cfb350415434b18427d5ff79b930ed3b0b3fc3466bc195a796c95661d4696f2d662dd0e020c3a6c3419c2734468b1d7546712ecec868d2bbfd2bc2468a7

Download Submit
memory/224-66-0x0000000002A10000-0x0000000003A10000-memory.dmp

Filesize
16.0MB

Download
memory/224-77-0x0000000002A10000-0x0000000003A10000-memory.dmp

Filesize
16.0MB

Download
memory/224-89-0x0000000002A10000-0x0000000003A10000-memory.dmp

Filesize
16.0MB

Download
memory/224-102-0x0000000002A10000-0x0000000003A10000-memory.dmp

Filesize
16.0MB

Download
memory/224-72-0x0000000002A10000-0x0000000003A10000-memory.dmp

Filesize
16.0MB

Download
memory/224-70-0x0000000002A10000-0x0000000003A10000-memory.dmp

Filesize
16.0MB

Download
memory/224-69-0x0000000002A10000-0x0000000003A10000-memory.dmp

Filesize
16.0MB

Download
memory/224-67-0x0000000002A10000-0x0000000003A10000-memory.dmp

Filesize
16.0MB

Download
memory/224-88-0x0000000002A10000-0x0000000003A10000-memory.dmp

Filesize
16.0MB

Download
memory/224-87-0x0000000002A10000-0x0000000003A10000-memory.dmp

Filesize
16.0MB

Download
memory/224-63-0x0000000002A10000-0x0000000003A10000-memory.dmp

Filesize
16.0MB

Download
memory/224-85-0x0000000002A10000-0x0000000003A10000-memory.dmp

Filesize
16.0MB

Download
memory/224-84-0x0000000002A10000-0x0000000003A10000-memory.dmp

Filesize
16.0MB

Download
memory/224-83-0x0000000002A10000-0x0000000003A10000-memory.dmp

Filesize
16.0MB

Download
memory/224-82-0x0000000002A10000-0x0000000003A10000-memory.dmp

Filesize
16.0MB

Download
memory/224-60-0x0000000002A10000-0x0000000003A10000-memory.dmp

Filesize
16.0MB

Download
memory/224-81-0x0000000002A10000-0x0000000003A10000-memory.dmp

Filesize
16.0MB

Download
memory/224-58-0x0000000002A10000-0x0000000003A10000-memory.dmp

Filesize
16.0MB

Download
memory/224-78-0x0000000002A10000-0x0000000003A10000-memory.dmp

Filesize
16.0MB

Download
memory/224-76-0x0000000002A10000-0x0000000003A10000-memory.dmp

Filesize
16.0MB

Download
memory/224-56-0x0000000002A10000-0x0000000003A10000-memory.dmp

Filesize
16.0MB

Download
memory/224-75-0x0000000002A10000-0x0000000003A10000-memory.dmp

Filesize
16.0MB

Download
memory/224-71-0x0000000002A10000-0x0000000003A10000-memory.dmp

Filesize
16.0MB

Download
memory/224-53-0x0000000002A10000-0x0000000003A10000-memory.dmp

Filesize
16.0MB

Download
memory/224-68-0x0000000002A10000-0x0000000003A10000-memory.dmp

Filesize
16.0MB

Download
memory/224-50-0x0000000002A10000-0x0000000003A10000-memory.dmp

Filesize
16.0MB

Download
memory/224-64-0x0000000002A10000-0x0000000003A10000-memory.dmp

Filesize
16.0MB

Download
memory/224-86-0x0000000002A10000-0x0000000003A10000-memory.dmp

Filesize
16.0MB

Download
memory/224-62-0x0000000002A10000-0x0000000003A10000-memory.dmp

Filesize
16.0MB

Download
memory/224-80-0x0000000002A10000-0x0000000003A10000-memory.dmp

Filesize
16.0MB

Download
memory/224-79-0x0000000002A10000-0x0000000003A10000-memory.dmp

Filesize
16.0MB

Download
memory/224-65-0x0000000002A10000-0x0000000003A10000-memory.dmp

Filesize
16.0MB

Download
memory/224-46-0x0000000002A10000-0x0000000003A10000-memory.dmp

Filesize
16.0MB

Download
memory/224-57-0x0000000002A10000-0x0000000003A10000-memory.dmp

Filesize
16.0MB

Download
memory/224-74-0x0000000002A10000-0x0000000003A10000-memory.dmp

Filesize
16.0MB

Download
memory/224-55-0x0000000002A10000-0x0000000003A10000-memory.dmp

Filesize
16.0MB

Download
memory/224-73-0x0000000002A10000-0x0000000003A10000-memory.dmp

Filesize
16.0MB

Download
memory/224-54-0x0000000002A10000-0x0000000003A10000-memory.dmp

Filesize
16.0MB

Download
memory/224-52-0x0000000002A10000-0x0000000003A10000-memory.dmp

Filesize
16.0MB

Download
memory/224-51-0x0000000002A10000-0x0000000003A10000-memory.dmp

Filesize
16.0MB

Download
memory/224-49-0x0000000002A10000-0x0000000003A10000-memory.dmp

Filesize
16.0MB

Download
memory/224-61-0x0000000002A10000-0x0000000003A10000-memory.dmp

Filesize
16.0MB

Download
memory/224-48-0x0000000002A10000-0x0000000003A10000-memory.dmp

Filesize
16.0MB

Download
memory/224-47-0x0000000002A10000-0x0000000003A10000-memory.dmp

Filesize
16.0MB

Download
memory/224-59-0x0000000002A10000-0x0000000003A10000-memory.dmp

Filesize
16.0MB

Download
memory/224-37-0x0000000002A10000-0x0000000003A10000-memory.dmp

Filesize
16.0MB

Download
memory/224-45-0x0000000002A10000-0x0000000003A10000-memory.dmp

Filesize
16.0MB

Download
memory/224-44-0x0000000002A10000-0x0000000003A10000-memory.dmp

Filesize
16.0MB

Download
memory/224-43-0x0000000002A10000-0x0000000003A10000-memory.dmp

Filesize
16.0MB

Download
memory/224-42-0x0000000002A10000-0x0000000003A10000-memory.dmp

Filesize
16.0MB

Download
memory/224-39-0x0000000002A10000-0x0000000003A10000-memory.dmp

Filesize
16.0MB

Download
memory/224-32-0x0000000002A10000-0x0000000003A10000-memory.dmp

Filesize
16.0MB

Download
memory/224-33-0x0000000002A10000-0x0000000003A10000-memory.dmp

Filesize
16.0MB

Download
memory/224-38-0x0000000002A10000-0x0000000003A10000-memory.dmp

Filesize
16.0MB

Download
memory/224-36-0x0000000002A10000-0x0000000003A10000-memory.dmp

Filesize
16.0MB

Download
memory/224-40-0x0000000002A10000-0x0000000003A10000-memory.dmp

Filesize
16.0MB

Download
memory/224-41-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/224-31-0x0000000002A10000-0x0000000003A10000-memory.dmp

Filesize
16.0MB

Download
memory/224-25-0x0000000002A10000-0x0000000003A10000-memory.dmp

Filesize
16.0MB

Download
memory/224-35-0x0000000002A10000-0x0000000003A10000-memory.dmp

Filesize
16.0MB

Download
memory/224-34-0x0000000002A10000-0x0000000003A10000-memory.dmp

Filesize
16.0MB

Download
memory/224-30-0x0000000002A10000-0x0000000003A10000-memory.dmp

Filesize
16.0MB

Download
memory/224-24-0x0000000002A10000-0x0000000003A10000-memory.dmp

Filesize
16.0MB

Download
memory/5004-261-0x0000018A51F00000-0x0000018A51F22000-memory.dmp

Filesize
136KB

Download