Resubmissions (date submitted, analysis ID, score)

  • 20/04/2025, 00:10 UTC    250420-agcc8axyax    score 10
  • 16/04/2025, 11:04 UTC    250416-m58gsaz1ay    score 10
  • 15/04/2025, 17:34 UTC    250415-v5ylksypw9    score 10
  • 15/04/2025, 06:16 UTC    250415-g1p7ras1dw    score 10
  • 14/04/2025, 08:06 UTC    250414-jzpwpstxhx    score 10
  • 14/04/2025, 07:59 UTC    250414-jvg1assky4    score 10
  • 14/04/2025, 07:22 UTC    250414-h7g1dss1h1    score 10
  • 14/04/2025, 07:16 UTC    250414-h3xv2s1nv6    score 10

Analysis

  • max time kernel
    167s
  • max time network
    170s
  • platform
    windows11-21h2_x64
  • resource
    win11-20250410-en
  • resource tags
    arch:x64, arch:x86, image:win11-20250410-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    15/04/2025, 06:16 UTC

General

  • Target

    HYDRA.exe

  • Size

    2.6MB

  • MD5

    c52bc39684c52886712971a92f339b23

  • SHA1

    c5cb39850affb7ed322bfb0a4900e17c54f95a11

  • SHA256

    f8c17cb375e8ccad5b0e33dae65694a1bd628f91cac6cf65dd11f50e91130c2d

  • SHA512

    2d50c1aa6ca237b9dbe97f000a082a223618f2164c8ab42ace9f4e142c318b2fc53e91a476dbe9c2dd459942b61507df5c551bd5c692a2b2a2037e4f6bd2a12b

  • SSDEEP

    49152:HnUXzRe4cjAx+L/G/3JHQZutOnmSzZniyui0EJHezdcc/DK9kTO1S:HUD8djA0LOvJdtOmSlniyuiPFePmS61S

Malware Config

Extracted

Family

smokeloader

Version

2017

C2

http://92.53.105.14/

Signatures

  • SmokeLoader

    Modular backdoor trojan in use since 2014.

  • Smokeloader family
  • Drops startup file 1 IoCs
  • Executes dropped EXE 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 33 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\HYDRA.exe
    "C:\Users\Admin\AppData\Local\Temp\HYDRA.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:364
    • C:\Users\Admin\AppData\Roaming\yaya.exe
      C:\Users\Admin\AppData\Roaming\yaya.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2388
      • C:\Windows\Temp\{1945BBS40-8571-3DA1-BB29-HYDRA7A13A1E}\starter.exe
        "C:\Windows\Temp\{1945BBS40-8571-3DA1-BB29-HYDRA7A13A1E}\starter.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4160
        • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
          "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\glejoea6.cmdline"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:4640
          • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
            C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES786D.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC786C.tmp"
            5⤵
            PID:3128
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe"
          4⤵
          PID:1688
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe"
          4⤵
          PID:5368
    • C:\Users\Admin\AppData\Roaming\va.exe
      C:\Users\Admin\AppData\Roaming\va.exe
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:5968
    • C:\Users\Admin\AppData\Roaming\ufx.exe
      C:\Users\Admin\AppData\Roaming\ufx.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4572
      • C:\ProgramData\ucp\usc.exe
        "C:\ProgramData\ucp\usc.exe" /ucp/usc.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2260
        • C:\Windows\SysWOW64\SCHTASKS.exe
          SCHTASKS /Create /SC MINUTE /MO 10 /F /TN SystemOptimize /TR C:\ProgramData\ucp\usc.exe
          4⤵
          • System Location Discovery: System Language Discovery
          • Scheduled Task/Job: Scheduled Task
          PID:5488
    • C:\Users\Admin\AppData\Roaming\sant.exe
      C:\Users\Admin\AppData\Roaming\sant.exe
      2⤵
      • Executes dropped EXE
      • Maps connected drives based on registry
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:3204
      • C:\Windows\SysWOW64\explorer.exe
        explorer.exe
        3⤵
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        PID:348
    • C:\Users\Admin\AppData\Roaming\power.exe
      C:\Users\Admin\AppData\Roaming\power.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4756
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:1560
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\vvefbhgu\chhtdaua.exe
    1⤵
    PID:1448
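The signatures and the process tree above carry the behaviours an analyst would turn into hunting rules for process-creation telemetry: a scheduled task whose action lives under ProgramData, csc.exe compiling a response file out of the user's Temp directory, a 32-bit explorer.exe started by a dropper from AppData\Roaming, and cmd/powershell launched by (or launching) binaries in drop locations. The following is an added example, not part of the sandbox report and not the sandbox's own signature logic: a Python triage pass over process records reconstructed from the tree above (PIDs and command lines as shown; parent PIDs follow the tree's nesting, 0 where the report shows no parent). The drop-directory pattern, the parent allow-lists and the rule set are the example author's assumptions.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Directories a standard user can write to. Every non-Windows binary in the
# tree above runs from one of them (assumed pattern, not sandbox logic).
DROP_DIR = re.compile(
    r"\\(AppData\\(Roaming|Local\\Temp)|ProgramData|Windows\\Temp)\\", re.IGNORECASE)
# Parents that legitimately start explorer.exe in a desktop session (assumption).
EXPLORER_PARENTS = {"userinit.exe", "winlogon.exe", "explorer.exe"}
# Build tools that legitimately drive csc.exe (assumption).
BUILD_TOOLS = {"msbuild.exe", "devenv.exe", "dotnet.exe", "vbcscompiler.exe"}


@dataclass
class ProcEvent:
    pid: int
    ppid: int       # 0 where the report shows no parent
    image: str
    cmdline: str


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def triage(events: List[ProcEvent]) -> List[Tuple[int, str, str]]:
    """Return (pid, ATT&CK technique, detail) for every event a rule matches."""
    by_pid: Dict[int, ProcEvent] = {e.pid: e for e in events}
    findings: List[Tuple[int, str, str]] = []
    for e in events:
        name = basename(e.image)
        parent: Optional[ProcEvent] = by_pid.get(e.ppid)
        pname = basename(parent.image) if parent else "<unknown>"

        # Rule 1: schtasks /Create whose action binary lives in a drop directory.
        if name == "schtasks.exe" and re.search(r"/create\b", e.cmdline, re.I):
            m = re.search(r'/tr\s+("[^"]*"|\S+)', e.cmdline, re.I)
            target = m.group(1).strip('"') if m else ""
            if DROP_DIR.search(target):
                sched = re.search(r"/sc\s+(\S+)", e.cmdline, re.I)
                every = sched.group(1) if sched else "?"
                findings.append((e.pid, "T1053.005", f"task runs {target} (/SC {every})"))

        # Rule 2: the C# compiler fed a response file from Temp by a non-build parent
        # (compile-after-delivery, as starter.exe does in the tree above).
        elif name == "csc.exe" and DROP_DIR.search(e.cmdline) and pname not in BUILD_TOOLS:
            findings.append((e.pid, "T1027.004", f"csc.exe under {pname}: {e.cmdline}"))

        # Rule 3: explorer.exe started by something other than the logon chain,
        # the usual hollowing/injection target (sant.exe -> explorer.exe above).
        elif name == "explorer.exe" and pname not in EXPLORER_PARENTS:
            arch = " (32-bit copy from SysWOW64)" if "\\syswow64\\" in e.image.lower() else ""
            findings.append((e.pid, "T1055", f"explorer.exe{arch} spawned by {pname}"))

        # Rule 4: cmd/powershell launched by, or launching, a drop-directory binary.
        elif name in {"cmd.exe", "powershell.exe"}:
            from_drop = parent is not None and DROP_DIR.search(parent.image)
            to_drop = DROP_DIR.search(e.cmdline)
            if from_drop or to_drop:
                tech = "T1059.001" if name == "powershell.exe" else "T1059.003"
                findings.append((e.pid, tech, f"{name} parent={pname} cmd={e.cmdline}"))
    return findings


# Constructed from the Processes section of this report: PIDs and command lines
# as shown there, parent PIDs taken from the tree's nesting.
EVENTS = [
    ProcEvent(364, 0, r"C:\Users\Admin\AppData\Local\Temp\HYDRA.exe", r'"C:\Users\Admin\AppData\Local\Temp\HYDRA.exe"'),
    ProcEvent(2388, 364, r"C:\Users\Admin\AppData\Roaming\yaya.exe", r"C:\Users\Admin\AppData\Roaming\yaya.exe"),
    ProcEvent(4160, 2388, r"C:\Windows\Temp\{1945BBS40-8571-3DA1-BB29-HYDRA7A13A1E}\starter.exe", r'"C:\Windows\Temp\{1945BBS40-8571-3DA1-BB29-HYDRA7A13A1E}\starter.exe"'),
    ProcEvent(4640, 4160, r"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe", r'"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\glejoea6.cmdline"'),
    ProcEvent(3128, 4640, r"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe", r'C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES786D.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC786C.tmp"'),
    ProcEvent(1688, 4160, r"C:\Windows\System32\cmd.exe", r'"C:\Windows\System32\cmd.exe"'),
    ProcEvent(5368, 4160, r"C:\Windows\System32\cmd.exe", r'"C:\Windows\System32\cmd.exe"'),
    ProcEvent(5968, 364, r"C:\Users\Admin\AppData\Roaming\va.exe", r"C:\Users\Admin\AppData\Roaming\va.exe"),
    ProcEvent(4572, 364, r"C:\Users\Admin\AppData\Roaming\ufx.exe", r"C:\Users\Admin\AppData\Roaming\ufx.exe"),
    ProcEvent(2260, 4572, r"C:\ProgramData\ucp\usc.exe", r'"C:\ProgramData\ucp\usc.exe" /ucp/usc.exe'),
    ProcEvent(5488, 2260, r"C:\Windows\SysWOW64\SCHTASKS.exe", r"SCHTASKS /Create /SC MINUTE /MO 10 /F /TN SystemOptimize /TR C:\ProgramData\ucp\usc.exe"),
    ProcEvent(3204, 364, r"C:\Users\Admin\AppData\Roaming\sant.exe", r"C:\Users\Admin\AppData\Roaming\sant.exe"),
    ProcEvent(348, 3204, r"C:\Windows\SysWOW64\explorer.exe", "explorer.exe"),
    ProcEvent(4756, 364, r"C:\Users\Admin\AppData\Roaming\power.exe", r"C:\Users\Admin\AppData\Roaming\power.exe"),
    ProcEvent(1560, 4756, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe", r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"'),
    ProcEvent(1448, 0, r"C:\Windows\system32\cmd.exe", r"C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\vvefbhgu\chhtdaua.exe"),
]

if __name__ == "__main__":
    for pid, tech, detail in triage(EVENTS):
        print(f"{pid:>5} {tech:10} {detail}")
```

Run against the reconstructed tree, the rules flag the SCHTASKS child (5488), the csc.exe compile (4640), the SysWOW64 explorer.exe under sant.exe (348), the two cmd.exe children of starter.exe (1688, 5368), powershell.exe under power.exe (1560) and the orphan cmd.exe launching chhtdaua.exe (1448); the dropped EXEs themselves are left to the "Executes dropped EXE" signature rather than duplicated here. In real telemetry (Sysmon event 1, EDR process events) the same four rules apply unchanged; only the record loader differs.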

          Network

          All DNS queries below were issued by usc.exe to 8.8.8.8:53 (US); "(none)" marks a query for which the report shows no response.

          • DNS psix.tk
            Request:  psix.tk IN A
            Response: (none)
          • DNS minercoinbox.com
            Request:  minercoinbox.com IN A
            Response: (none)
          • DNS www.bing.com
            Request:  www.bing.com IN A
            Response: www.bing.com IN CNAME www-www.bing.com.trafficmanager.net
                      www-www.bing.com.trafficmanager.net IN CNAME www.bing.com.edgekey.net
                      www.bing.com.edgekey.net IN CNAME e86303.dscx.akamaiedge.net
                      e86303.dscx.akamaiedge.net IN A 88.221.134.3, 95.101.143.182, 95.101.143.203, 95.101.143.210, 88.221.134.2, 95.101.143.219, 95.101.143.183, 95.101.143.218, 95.101.143.211
          • DNS java.com
            Request:  java.com IN A
            Response: java.com IN A 88.221.135.48, 95.101.143.183
          • DNS 3.134.221.88.in-addr.arpa
            Request:  3.134.221.88.in-addr.arpa IN PTR
            Response: 3.134.221.88.in-addr.arpa IN PTR a88-221-134-3deploystaticakamaitechnologiescom
          • DNS 48.135.221.88.in-addr.arpa
            Request:  48.135.221.88.in-addr.arpa IN PTR
            Response: 48.135.221.88.in-addr.arpa IN PTR a88-221-135-48deploystaticakamaitechnologiescom
          • DNS go.microsoft.com
            Request:  go.microsoft.com IN A
            Response: go.microsoft.com IN CNAME go.microsoft.com.edgekey.net
                      go.microsoft.com.edgekey.net IN CNAME e11290.dspg.akamaiedge.net
                      e11290.dspg.akamaiedge.net IN A 184.26.57.167
          • DNS visualstudio.microsoft.com
            Request:  visualstudio.microsoft.com IN A
            Response: visualstudio.microsoft.com IN CNAME visualstudio.microsoft.com-c.edgekey.net
                      visualstudio.microsoft.com-c.edgekey.net IN CNAME visualstudio.microsoft.com-c.edgekey.net.globalredir.akadns.net
                      visualstudio.microsoft.com-c.edgekey.net.globalredir.akadns.net IN CNAME e19210.b.akamaiedge.net
                      e19210.b.akamaiedge.net IN A 23.49.172.241
          • DNS 167.57.26.184.in-addr.arpa
            Request:  167.57.26.184.in-addr.arpa IN PTR
            Response: 167.57.26.184.in-addr.arpa IN PTR a184-26-57-167deploystaticakamaitechnologiescom
          • DNS 241.172.49.23.in-addr.arpa
            Request:  241.172.49.23.in-addr.arpa IN PTR
            Response: 241.172.49.23.in-addr.arpa IN PTR a23-49-172-241deploystaticakamaitechnologiescom
          • DNS java.com (repeat)
            Request:  java.com IN A
            Response: java.com IN A 88.221.135.48, 95.101.143.183
          • DNS www.mozilla.org
            Request:  www.mozilla.org IN A
            Response: www.mozilla.org IN CNAME www-mozilla.fastly-edge.com
                      www-mozilla.fastly-edge.com IN A 151.101.195.19, 151.101.67.19, 151.101.3.19, 151.101.131.19
          • DNS 19.195.101.151.in-addr.arpa
            Request:  19.195.101.151.in-addr.arpa IN PTR
            Response: (none)
          • DNS java.com (repeat)
            Request:  java.com IN A
            Response: java.com IN A 88.221.135.48, 95.101.143.183
          • DNS nexusrules.officeapps.live.com
            Request:  nexusrules.officeapps.live.com IN A
            Response: nexusrules.officeapps.live.com IN CNAME prod.nexusrules.live.com.akadns.net
                      prod.nexusrules.live.com.akadns.net IN A 52.111.243.31
          • DNS java.com (repeat)
            Request:  java.com IN A
            Response: java.com IN A 88.221.135.48, 95.101.143.183
          • DNS self.events.data.microsoft.com
            Request:  self.events.data.microsoft.com IN A
            Response: self.events.data.microsoft.com IN CNAME self-events-data.trafficmanager.net
                      self-events-data.trafficmanager.net IN CNAME onedscolprdwus16.westus.cloudapp.azure.com
                      onedscolprdwus16.westus.cloudapp.azure.com IN A 20.189.173.23
          • DNS 23.173.189.20.in-addr.arpa
            Request:  23.173.189.20.in-addr.arpa IN PTR
            Response: (none)
          • DNS www.microsoft.com
            Request:  www.microsoft.com IN A
            Response: www.microsoft.com IN CNAME www.microsoft.com-c-3.edgekey.net
                      www.microsoft.com-c-3.edgekey.net IN CNAME www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net
                      www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net IN CNAME e13678.dscb.akamaiedge.net
                      e13678.dscb.akamaiedge.net IN A 95.100.245.144
          • DNS www.visualstudio.com
            Request:  www.visualstudio.com IN A
            Response: www.visualstudio.com IN CNAME wildcard.visualstudio.com.edgekey.net
                      wildcard.visualstudio.com.edgekey.net IN CNAME e19210.g.akamaiedge.net
                      e19210.g.akamaiedge.net IN A 23.49.172.241
          • DNS 144.245.100.95.in-addr.arpa
            Request:  144.245.100.95.in-addr.arpa IN PTR
            Response: 144.245.100.95.in-addr.arpa IN PTR a95-100-245-144deploystaticakamaitechnologiescom
          • HTTP GET http://www.bing.com/ (explorer.exe -> 88.221.134.3:80, GB)
            Request
            GET / HTTP/1.1
            Cache-Control: no-cache
            Connection: Keep-Alive
            Pragma: no-cache
            User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
            Host: www.bing.com
            Response
            HTTP/1.1 200 OK
            Content-Type: text/html; charset=utf-8
            Cache-Control: private
            X-EventID: 67fdfa4ae7694e5ba4135408c7cfde44
            UserAgentReductionOptOut: A7kgTC5xdZ2WIVGZEfb1hUoNuvjzOZX3VIV/BA6C18kQOOF50Q0D3oWoAm49k3BQImkujKILc7JmPysWk3CSjwUAAACMeyJvcmlnaW4iOiJodHRwczovL3d3dy5iaW5nLmNvbTo0NDMiLCJmZWF0dXJlIjoiU2VuZEZ1bGxVc2VyQWdlbnRBZnRlclJlZHVjdGlvbiIsImV4cGlyeSI6MTY4NDg4NjM5OSwiaXNTdWJkb21haW4iOnRydWUsImlzVGhpcmRQYXJ0eSI6dHJ1ZX0=
            P3P: CP="NON UNI COM NAV STA LOC CURa DEVa PSAa PSDa OUR IND"
            X-Frame-Options: SAMEORIGIN
            Date: Tue, 15 Apr 2025 06:18:50 GMT
            Transfer-Encoding: chunked
            Connection: keep-alive
            Connection: Transfer-Encoding
            Set-Cookie: MUID=03BBD42A6C286AEA0EDAC1E56DC76B0D; domain=.bing.com; expires=Sun, 10-May-2026 06:18:50 GMT; path=/
            Set-Cookie: MUIDB=03BBD42A6C286AEA0EDAC1E56DC76B0D; expires=Sun, 10-May-2026 06:18:50 GMT; path=/; HttpOnly
            Set-Cookie: _EDGE_S=F=1&SID=09BA05AC346E66270BA61063358167B1; domain=.bing.com; path=/; HttpOnly
            Set-Cookie: _EDGE_V=1; domain=.bing.com; expires=Sun, 10-May-2026 06:18:50 GMT; path=/; HttpOnly
            Set-Cookie: SRCHD=AF=NOFORM; domain=.bing.com; expires=Sun, 10-May-2026 06:18:50 GMT; path=/
            Set-Cookie: SRCHUID=V=2&GUID=C1B029864F974667B169645CDA3F2244&dmnchg=1; domain=.bing.com; expires=Sun, 10-May-2026 06:18:50 GMT; path=/
            Set-Cookie: SRCHUSR=DOB=20250415; domain=.bing.com; expires=Sun, 10-May-2026 06:18:50 GMT; path=/
            Set-Cookie: SRCHHPGUSR=SRCHLANG=en; domain=.bing.com; expires=Sun, 10-May-2026 06:18:50 GMT; path=/
            Set-Cookie: _SS=SID=09BA05AC346E66270BA61063358167B1; domain=.bing.com; path=/
            Set-Cookie: ULC=; domain=.bing.com; expires=Mon, 14-Apr-2025 06:18:50 GMT; path=/
            Set-Cookie: _HPVN=CS=eyJQbiI6eyJDbiI6MSwiU3QiOjAsIlFzIjowLCJQcm9kIjoiUCJ9LCJTYyI6eyJDbiI6MSwiU3QiOjAsIlFzIjowLCJQcm9kIjoiSCJ9LCJReiI6eyJDbiI6MSwiU3QiOjAsIlFzIjowLCJQcm9kIjoiVCJ9LCJBcCI6dHJ1ZSwiTXV0ZSI6dHJ1ZSwiTGFkIjoiMjAyNS0wNC0xNVQwMDowMDowMFoiLCJJb3RkIjowLCJHd2IiOjAsIlRucyI6MCwiRGZ0IjpudWxsLCJNdnMiOjAsIkZsdCI6MCwiSW1wIjoxLCJUb2JuIjowfQ==; domain=.bing.com; expires=Sun, 10-May-2026 06:18:50 GMT; path=/
            X-CDN-TraceID: 0.2a367a5c.1744697930.2cc93a57
          Connections (remote address, domain, protocol, process; then bytes sent / received and packets sent / received as listed in the report)

          • 88.221.134.3:80  www.bing.com  http  explorer.exe  3.4kB / 171.8kB  69 / 130
            HTTP Request: GET http://www.bing.com/
            HTTP Response: 200
          • 88.221.135.48:443  java.com  tls  explorer.exe  1.0kB / 5.6kB  10 / 14
          • 23.49.172.241:443  visualstudio.microsoft.com  tls  explorer.exe  55.7kB / 2.5MB  1075 / 1809
          • 92.53.105.14:80  (no domain, no protocol)  explorer.exe  260 B  5
            This is the C2 address from Malware Config; the report lists only these two figures for the flow.
          • 88.221.135.48:443  java.com  tls  explorer.exe  1.1kB / 5.6kB  12 / 13
          • 88.221.135.48:443  java.com  tls  explorer.exe  1.1kB / 5.6kB  11 / 13
          • 151.101.195.19:443  www.mozilla.org  tls  explorer.exe  6.7kB / 284.1kB  116 / 221
          • 88.221.135.48:443  java.com  tls  explorer.exe  1.1kB / 5.7kB  12 / 15
          • 88.221.135.48:443  java.com  tls  explorer.exe  1.1kB / 5.6kB  11 / 13
          • 88.221.135.48:443  java.com  tls  explorer.exe  1.1kB / 5.6kB  11 / 14
          • 92.53.105.14:80  (no domain, no protocol)  explorer.exe  260 B  5
          • 88.221.135.48:443  java.com  tls  explorer.exe  1.1kB / 5.7kB  12 / 15
          • 92.53.105.14:80  (no domain, no protocol)  explorer.exe  260 B  5
          • 95.100.245.144:443  www.microsoft.com  tls  explorer.exe  1.4kB / 8.3kB  12 / 13
          • 23.49.172.241:443  www.visualstudio.com  tls  explorer.exe  976 B / 5.9kB  9 / 12
          • 8.8.8.8:53  psix.tk  dns  usc.exe  1.4kB / 3.2kB  21 / 21
            DNS requests on this flow, in order (answers as listed under DNS above): psix.tk, minercoinbox.com, www.bing.com, java.com, 3.134.221.88.in-addr.arpa, 48.135.221.88.in-addr.arpa, go.microsoft.com, visualstudio.microsoft.com, 167.57.26.184.in-addr.arpa, 241.172.49.23.in-addr.arpa, java.com, www.mozilla.org, 19.195.101.151.in-addr.arpa, java.com, nexusrules.officeapps.live.com, java.com, self.events.data.microsoft.com, 23.173.189.20.in-addr.arpa, www.microsoft.com, www.visualstudio.com, 144.245.100.95.in-addr.arpa

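The other half of triage is tying the extracted config to the traffic: which process actually reached the C2, which names were queried but never answered, and which addresses were contacted without any preceding DNS answer (a sign the address is hardcoded in the binary or its config, as 92.53.105.14 is here). The following is an added example, not from the report or the sandbox, run over a constructed subset of the Malware Config, DNS and connection records above; the record layout, the helper names and the rule logic are the example author's assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Set
from urllib.parse import urlparse


@dataclass
class DnsRecord:
    qname: str
    process: str
    answers: List[str]  # A / CNAME targets in answer order; empty = no response shown


@dataclass
class Flow:
    remote: str    # ip:port as listed in the report
    domain: str    # "" where the report shows no name for the flow
    proto: str     # "http", "tls", "dns", or "" where none is listed
    process: str


# Constructed from the Malware Config and Network sections of this report
# (a representative subset of the records shown there, not the full list).
C2_URLS = ["http://92.53.105.14/"]
DNS = [
    DnsRecord("psix.tk", "usc.exe", []),
    DnsRecord("minercoinbox.com", "usc.exe", []),
    DnsRecord("www.bing.com", "usc.exe", ["www-www.bing.com.trafficmanager.net",
                                          "www.bing.com.edgekey.net",
                                          "e86303.dscx.akamaiedge.net",
                                          "88.221.134.3", "95.101.143.182"]),
    DnsRecord("java.com", "usc.exe", ["88.221.135.48", "95.101.143.183"]),
    DnsRecord("19.195.101.151.in-addr.arpa", "usc.exe", []),
]
FLOWS = [
    Flow("88.221.134.3:80", "www.bing.com", "http", "explorer.exe"),
    Flow("88.221.135.48:443", "java.com", "tls", "explorer.exe"),
    Flow("92.53.105.14:80", "", "", "explorer.exe"),
    Flow("92.53.105.14:80", "", "", "explorer.exe"),
    Flow("92.53.105.14:80", "", "", "explorer.exe"),
    Flow("8.8.8.8:53", "psix.tk", "dns", "usc.exe"),
]


def is_ip(s: str) -> bool:
    parts = s.split(".")
    return len(parts) == 4 and all(p.isdigit() and 0 <= int(p) <= 255 for p in parts)


def c2_addresses(c2_urls: List[str], dns: List[DnsRecord]) -> Set[str]:
    """IPs the config points at: literal IPs, plus A answers captured for C2 hostnames."""
    answers = {r.qname: r.answers for r in dns}
    ips: Set[str] = set()
    for url in c2_urls:
        host = urlparse(url).hostname or ""
        if is_ip(host):
            ips.add(host)
        else:
            ips.update(a for a in answers.get(host, []) if is_ip(a))
    return ips


def correlate(c2_urls: List[str], dns: List[DnsRecord], flows: List[Flow]) -> Dict[str, List]:
    c2_ips = c2_addresses(c2_urls, dns)
    resolved_ips = {a for r in dns for a in r.answers if is_ip(a)}
    out: Dict[str, List] = {"c2_contacts": [], "unresolved": [], "no_dns_ips": []}
    # Names queried but never answered (for the A lookups here: dead or unregistered infrastructure).
    out["unresolved"] = [r.qname for r in dns if not r.answers]
    for f in flows:
        ip = f.remote.rsplit(":", 1)[0]
        if ip in c2_ips:
            out["c2_contacts"].append((f.process, f.remote))
        # A non-DNS flow to an address no DNS answer ever returned: the address
        # was hardcoded rather than looked up, which is exactly what the config shows.
        if f.proto != "dns" and ip not in resolved_ips and ip not in out["no_dns_ips"]:
            out["no_dns_ips"].append(ip)
    return out


if __name__ == "__main__":
    for key, items in correlate(C2_URLS, DNS, FLOWS).items():
        print(key, items)
```

On this subset the C2 contacts all come from explorer.exe (the injected host process, not the dropper), psix.tk and minercoinbox.com never resolve, and 92.53.105.14 is the only address reached with no DNS answer behind it. Resolving C2 hostnames through the captured answers rather than live DNS keeps the check offline and avoids touching attacker infrastructure during analysis.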
          MITRE ATT&CK Enterprise v16

          Downloads

          • C:\ProgramData\ucp\usc.exe

            Filesize

            4.0MB

            MD5

            b100b373d645bf59b0487dbbda6c426d

            SHA1

            44a4ad2913f5f35408b8c16459dcce3f101bdcc7

            SHA256

            84d7fd0a93d963e9808212917f79fe2d485bb7fbc94ee374a141bbd15da725b7

            SHA512

            69483fed79f33da065b1cc65a2576ba268c78990545070f6f76fca8f48aaec8274faecdc9bcf92bf84a87809a318b159d1a3c835f848a6eea6c163f41612bf9b

          • C:\Users\Admin\AppData\Local\Temp\RES786D.tmp

            Filesize

            1KB

            MD5

            ab21daf8333936840146b09d09a86730

            SHA1

            247699d2c914a76325d1980bde8a48c4acb99d76

            SHA256

            c99331a4cfd2ac1caff685907f1b79ba5959ed3ebbc58484cd7e7872d44c7594

            SHA512

            8dea229d50c71c1dcb659fdb4aab9d875f52db9dfcb481701ddbc18b95e17efa2196df39e670368d32c98bac2587edeecee046032403190f9d8aec44e2909ff5

          • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_y55cnann.f2x.ps1

            Filesize

            60B

            MD5

            d17fe0a3f47be24a6453e9ef58c94641

            SHA1

            6ab83620379fc69f80c0242105ddffd7d98d5d9d

            SHA256

            96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

            SHA512

            5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

          • C:\Users\Admin\AppData\Local\Temp\glejoea6.dll

            Filesize

            5KB

            MD5

            804f3fbcfb79848690452876eaaeb21b

            SHA1

            2e0816ffb8689cc753387f8f540b0948cfd46db1

            SHA256

            508541bc943ddfade964737ac9071272a350c0aab2e642ec0238029357c860a1

            SHA512

            b8b606ddeced6db0cdeba234bb8b8251eba06296d203ef9e2e78b4a9595d7f85203afcc23494d272f55d2caf2fbb27dbb857a98c5abfc313b7cb4c16d02ae9ac

          • C:\Users\Admin\AppData\Local\Temp\glejoea6.pdb

            Filesize

            7KB

            MD5

            b34e9773e9729b137933c67f54e72525

            SHA1

            b64ce1bcf10c4e3c881790bbf099fc59e5d0888f

            SHA256

            29c53997dfbba4957560d7bc8128d12ee41ef680eaaf6831530e37edba72d7b0

            SHA512

            5ac85cfe3a7f1f534384985d1744dbae39ffa9d568e46042dfa939adab688fc0a969f93676096fe633493fcc9ebafc294a14f856940e793fda6a2dc20965da97

          • C:\Users\Admin\AppData\Roaming\power.exe

            Filesize

            507KB

            MD5

            743f47ae7d09fce22d0a7c724461f7e3

            SHA1

            8e98dd1efb70749af72c57344aab409fb927394e

            SHA256

            1bee45423044b5a6bf0ad0dd2870117824b000784ce81c5f8a1b930bb8bc0465

            SHA512

            567993c3b798365efa07b7a46fda98494bfe540647f27654764e78b7f60f093d403b77b9abb889cfb09b44f13515ce3c041fc5db05882418313c3b3409dd77bf

          • C:\Users\Admin\AppData\Roaming\sant.exe

            Filesize

            12KB

            MD5

            5effca91c3f1e9c87d364460097f8048

            SHA1

            28387c043ab6857aaa51865346046cf5dc4c7b49

            SHA256

            3fd826fc0c032721466b94ab3ec7dcfe006cc284e16132af6b91dfbc064b0907

            SHA512

            b0dba30fde295d3f7858db9d1463239b30cd84921971032b2afb96f811a53ac12c1e6f72013d2eff397b0b89c371e7c023c951cd2102f94157cba9918cd2c3e0

          • C:\Users\Admin\AppData\Roaming\ufx.exe

            Filesize

            960KB

            MD5

            22e088012519e1013c39a3828bda7498

            SHA1

            3a8a87cce3f6aff415ee39cf21738663c0610016

            SHA256

            9e3826138bacac89845c26278f52854117db1652174c1c76dbb2bd24f00f4973

            SHA512

            5559e279dd3d72b2c9062d88e99212bbc67639fe5a42076efd24ae890cfce72cfe2235adb20bf5ed1f547b6da9e69effa4ccb80c0407b7524f134a24603ea5a8

          • C:\Users\Admin\AppData\Roaming\va.exe

            Filesize

            88KB

            MD5

            c084e736931c9e6656362b0ba971a628

            SHA1

            ef83b95fc645ad3a161a19ccef3224c72e5472bd

            SHA256

            3139bf3c4b958c3a019af512aecdb8161b9d6d7432d2c404abda3f42b63f34f1

            SHA512

            cbd6485840a117b52e24586da536cefa94ca087b41eb460d27bc2bd320217957c9e0e96b0daf74343efde2e23a5242e7a99075aabf5f9e18e03b52eb7151ae1f

          • C:\Users\Admin\AppData\Roaming\yaya.exe

            Filesize

            1.7MB

            MD5

            7d05ab95cfe93d84bc5db006c789a47f

            SHA1

            aa4aa0189140670c618348f1baad877b8eca04a4

            SHA256

            5c32e0d2a69fd77e85f2eecaabeb677b6f816de0d82bf7c29c9d124a818f424f

            SHA512

            40d1461e68994df56f19d9f7b2d96ffdc5300ca933e10dc53f7953471df8dea3aabeb178c3432c6819175475cadcbdb698384e3df57b3606c6fce3173a31fe84

          • C:\Windows\Temp\{1945BBS40-8571-3DA1-BB29-HYDRA7A13A1E}\starter.exe

            Filesize

            80KB

            MD5

            51bf85f3bf56e628b52d61614192359d

            SHA1

            c1bc90be6a4beb67fb7b195707798106114ec332

            SHA256

            990dffdc0694858514d6d7ff7fff5dc9f48fab3aa35a4d9301d94fc57e346446

            SHA512

            131173f3aabcfba484e972424c54201ec4b1facfb2df1efe08df0d43a816d4df03908b006884564c56a6245badd4f9ed442a295f1db2c0c970a8f80985d35474

          • \??\c:\Users\Admin\AppData\Local\Temp\CSC786C.tmp

            Filesize

            652B

            MD5

            00cb1c3ee4a848dd77836fd9551a47b8

            SHA1

            cbbbf3c5f9cde8941e3f3721e1d781cea1434386

            SHA256

            eeb5c1757f611ca2704a235c9044d861e9486ff5c3e1bbb5a6f697b2772907ae

            SHA512

            af0c1d7b7e6eb1974b46d0c2d8fbcfddee22b5cbfbc8227a780b7710d8f0990f6f99e2dd7852da6958c3fd9facd19b4f3eddfd838ab3b0c3a6404f0489eb8305

          • \??\c:\Users\Admin\AppData\Local\Temp\glejoea6.0.cs

            Filesize

            4KB

            MD5

            a0d1b6f34f315b4d81d384b8ebcdeaa5

            SHA1

            794c1ff4f2a28e0c631a783846ecfffdd4c7ae09

            SHA256

            0b3a3f8f11eb6f50fe67943f2b73c5824614f31c2e0352cc234927d7cb1a52e0

            SHA512

            0a89293d731c5bca05e73148f85a740b324fc877f2fb05cde1f68e2098329fbca552d78249a46f4a1da15a450c8e754c73be20c652f7089d5cfec445ce950a0e

          • \??\c:\Users\Admin\AppData\Local\Temp\glejoea6.cmdline

            Filesize

            309B

            MD5

            3eb7fcb42c881e325f8555bd7baf0a36

            SHA1

            5cd1cf85ce0d30eee58b4242f581d8c72d51679c

            SHA256

            f6ec4ff22d73e133e9108c88f8b7b8334bb400767f285a53034fb1b3e1b7f096

            SHA512

            2b61f928ea4f394c4475a4d77baa18e6de26815f9881ebbd9bb9e68ae95ee30ab6fa107e26ac90783d338f3a1f21ed2cf5114e8325bcef7150a8e2a4111c0aa1

          • memory/348-80-0x00000000008F0000-0x00000000008FA000-memory.dmp

            Filesize

            40KB

          • memory/348-79-0x00000000001C0000-0x00000000005EC000-memory.dmp

            Filesize

            4.2MB

          • memory/348-78-0x00000000001C0000-0x00000000005EC000-memory.dmp

            Filesize

            4.2MB

          • memory/348-89-0x00000000008F0000-0x00000000008FA000-memory.dmp

            Filesize

            40KB

          • memory/348-87-0x00000000008F0000-0x00000000008FA000-memory.dmp

            Filesize

            40KB

          • memory/1560-97-0x0000000000DC0000-0x0000000000DF6000-memory.dmp

            Filesize

            216KB

          • memory/1560-98-0x0000000004FC0000-0x00000000055EA000-memory.dmp

            Filesize

            6.2MB

          • memory/1560-113-0x0000000006000000-0x0000000006046000-memory.dmp

            Filesize

            280KB

          • memory/1560-112-0x0000000005AA0000-0x0000000005AEC000-memory.dmp

            Filesize

            304KB

          • memory/1560-111-0x0000000005A70000-0x0000000005A8E000-memory.dmp

            Filesize

            120KB

          • memory/1560-110-0x00000000055F0000-0x0000000005947000-memory.dmp

            Filesize

            3.3MB

          • memory/1560-101-0x0000000004F50000-0x0000000004FB6000-memory.dmp

            Filesize

            408KB

          • memory/1560-100-0x0000000004E70000-0x0000000004ED6000-memory.dmp

            Filesize

            408KB

          • memory/1560-99-0x0000000004BB0000-0x0000000004BD2000-memory.dmp

            Filesize

            136KB

          • memory/2388-54-0x0000000000400000-0x000000000047B000-memory.dmp

            Filesize

            492KB

          • memory/3204-23-0x0000000000450000-0x000000000045A000-memory.dmp

            Filesize

            40KB

          • memory/3204-93-0x0000000000400000-0x0000000000404000-memory.dmp

            Filesize

            16KB

          • memory/3204-91-0x0000000000450000-0x000000000045A000-memory.dmp

            Filesize

            40KB

          • memory/3204-21-0x0000000000400000-0x0000000000404000-memory.dmp

            Filesize

            16KB

          • memory/4160-73-0x00000000009E0000-0x00000000009E8000-memory.dmp

            Filesize

            32KB

          • memory/4160-57-0x000000001B690000-0x000000001BB5E000-memory.dmp

            Filesize

            4.8MB

          • memory/4160-58-0x000000001B070000-0x000000001B10C000-memory.dmp

            Filesize

            624KB

          • memory/4160-59-0x00000000009C0000-0x00000000009C8000-memory.dmp

            Filesize

            32KB

          • memory/4756-96-0x0000000000400000-0x0000000000485000-memory.dmp

            Filesize

            532KB

          • memory/4756-77-0x0000000000400000-0x0000000000485000-memory.dmp

            Filesize

            532KB

          • memory/5968-17-0x0000000000400000-0x000000000041C000-memory.dmp

            Filesize

            112KB