Malware Analysis Report

2024-10-23 17:19

Sample ID 240131-stc5dsfae3
Target file
SHA256 9ed34ad9513c9bbe419eb3e0e984fa29e8e97ac5267ef1cd45c5a42d07d36549
Tags
povertystealer zgrat rat stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

9ed34ad9513c9bbe419eb3e0e984fa29e8e97ac5267ef1cd45c5a42d07d36549

Threat Level: Known bad

The file was found to be: Known bad.

Malicious Activity Summary

povertystealer zgrat rat stealer

Detect ZGRat V1

ZGRat

Detect Poverty Stealer Payload

Poverty Stealer

Executes dropped EXE

Loads dropped DLL

Suspicious use of SetThreadContext

Program crash

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

Modifies Internet Explorer Phishing Filter

Uses Volume Shadow Copy service COM API

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of SendNotifyMessage

Uses Volume Shadow Copy WMI provider

Suspicious use of SetWindowsHookEx

Suspicious use of FindShellTrayWindow

Modifies Internet Explorer settings

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-31 15:24

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-31 15:24

Reported

2024-01-31 15:27

Platform

win7-20231215-en

Max time kernel

150s

Max time network

146s

Command Line

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\file.html

Signatures

Detect Poverty Stealer Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Poverty Stealer

stealer povertystealer

ZGRat

rat zgrat

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zO08838E18\mmpack.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zO0882DDB8\mmpack.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 684 set thread context of 2948 N/A C:\Users\Admin\AppData\Local\Temp\7zO08838E18\mmpack.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe

Modifies Internet Explorer Phishing Filter

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\PhishingFilter C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = a8aa15ae5954da01 C:\Program Files\Internet Explorer\iexplore.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 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 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{E5370DB1-C04C-11EE-9AF4-C2500A176F17} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d80bef292bee784c8e3c940d61fdfeb800000000020000000000106600000001000020000000e5a80ea87bccf78c4215ab50c6b11f3daea1586d9e2e3027f356a84e48e6000b000000000e80000000020000200000007df67ae360a0082ded05e0235b451ac5c1c52935bfbeffee4d43b5bf2fbac84820000000913f34556468fd341b12c6434c17a40a4cdb9e3f1b01a1e4e7c0dfbecf54a81e40000000e62db5b5714a83773bb769116cbf30ecbb3e4f7282bb68b33128be50c7fabf7753c1228ce7b1bd5dc88aeaf35e334f510f4e5099f6abbdeb2c42187345d49c67 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 70d401bc5954da01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "412876568" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: 35 N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2520 wrote to memory of 2144 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2520 wrote to memory of 2144 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2520 wrote to memory of 2144 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2520 wrote to memory of 2144 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2520 wrote to memory of 2176 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\7-Zip\7zFM.exe
PID 2520 wrote to memory of 2176 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\7-Zip\7zFM.exe
PID 2520 wrote to memory of 2176 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\7-Zip\7zFM.exe
PID 2176 wrote to memory of 684 N/A C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\7zO08838E18\mmpack.exe
PID 2176 wrote to memory of 684 N/A C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\7zO08838E18\mmpack.exe
PID 2176 wrote to memory of 684 N/A C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\7zO08838E18\mmpack.exe
PID 2176 wrote to memory of 684 N/A C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\7zO08838E18\mmpack.exe
PID 2176 wrote to memory of 684 N/A C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\7zO08838E18\mmpack.exe
PID 2176 wrote to memory of 684 N/A C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\7zO08838E18\mmpack.exe
PID 2176 wrote to memory of 684 N/A C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\7zO08838E18\mmpack.exe
PID 2176 wrote to memory of 1240 N/A C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\7zO0882DDB8\mmpack.exe
PID 2176 wrote to memory of 1240 N/A C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\7zO0882DDB8\mmpack.exe
PID 2176 wrote to memory of 1240 N/A C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\7zO0882DDB8\mmpack.exe
PID 2176 wrote to memory of 1240 N/A C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\7zO0882DDB8\mmpack.exe
PID 2176 wrote to memory of 1240 N/A C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\7zO0882DDB8\mmpack.exe
PID 2176 wrote to memory of 1240 N/A C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\7zO0882DDB8\mmpack.exe
PID 2176 wrote to memory of 1240 N/A C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\7zO0882DDB8\mmpack.exe
PID 684 wrote to memory of 976 N/A C:\Users\Admin\AppData\Local\Temp\7zO08838E18\mmpack.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
PID 684 wrote to memory of 976 N/A C:\Users\Admin\AppData\Local\Temp\7zO08838E18\mmpack.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
PID 684 wrote to memory of 976 N/A C:\Users\Admin\AppData\Local\Temp\7zO08838E18\mmpack.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
PID 684 wrote to memory of 976 N/A C:\Users\Admin\AppData\Local\Temp\7zO08838E18\mmpack.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
PID 684 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\7zO08838E18\mmpack.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
PID 684 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\7zO08838E18\mmpack.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
PID 684 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\7zO08838E18\mmpack.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
PID 684 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\7zO08838E18\mmpack.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
PID 684 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\7zO08838E18\mmpack.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
PID 684 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\7zO08838E18\mmpack.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
PID 684 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\7zO08838E18\mmpack.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
PID 684 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\7zO08838E18\mmpack.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
PID 684 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\7zO08838E18\mmpack.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
PID 684 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\7zO08838E18\mmpack.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
PID 684 wrote to memory of 1696 N/A C:\Users\Admin\AppData\Local\Temp\7zO08838E18\mmpack.exe C:\Windows\SysWOW64\WerFault.exe
PID 684 wrote to memory of 1696 N/A C:\Users\Admin\AppData\Local\Temp\7zO08838E18\mmpack.exe C:\Windows\SysWOW64\WerFault.exe
PID 684 wrote to memory of 1696 N/A C:\Users\Admin\AppData\Local\Temp\7zO08838E18\mmpack.exe C:\Windows\SysWOW64\WerFault.exe
PID 684 wrote to memory of 1696 N/A C:\Users\Admin\AppData\Local\Temp\7zO08838E18\mmpack.exe C:\Windows\SysWOW64\WerFault.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy WMI provider

ransomware

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\file.html

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2520 CREDAT:275457 /prefetch:2

C:\Windows\explorer.exe

"C:\Windows\explorer.exe"

C:\Program Files\7-Zip\7zFM.exe

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\mmpack.rar"

C:\Users\Admin\AppData\Local\Temp\7zO08838E18\mmpack.exe

"C:\Users\Admin\AppData\Local\Temp\7zO08838E18\mmpack.exe"

C:\Users\Admin\AppData\Local\Temp\7zO0882DDB8\mmpack.exe

"C:\Users\Admin\AppData\Local\Temp\7zO0882DDB8\mmpack.exe"

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /4

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 684 -s 696

Network

Country Destination Domain Proto
US 8.8.8.8:53 btloader.com udp
US 8.8.8.8:53 the.gatekeeperconsent.com udp
US 8.8.8.8:53 static.cloudflareinsights.com udp
US 104.16.56.101:443 static.cloudflareinsights.com tcp
US 104.16.56.101:443 static.cloudflareinsights.com tcp
US 104.22.75.216:443 btloader.com tcp
US 172.67.199.186:443 the.gatekeeperconsent.com tcp
US 172.67.199.186:443 the.gatekeeperconsent.com tcp
US 104.22.75.216:443 btloader.com tcp
US 8.8.8.8:53 privacy.gatekeeperconsent.com udp
US 8.8.8.8:53 cdn.amplitude.com udp
US 172.67.199.186:443 privacy.gatekeeperconsent.com tcp
US 172.67.199.186:443 privacy.gatekeeperconsent.com tcp
GB 3.162.19.171:443 cdn.amplitude.com tcp
GB 3.162.19.171:443 cdn.amplitude.com tcp
US 8.8.8.8:53 api.amplitude.com udp
US 44.231.202.39:443 api.amplitude.com tcp
US 8.8.8.8:53 download2324.mediafire.com udp
US 199.91.155.65:443 download2324.mediafire.com tcp
US 199.91.155.65:443 download2324.mediafire.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 www.microsoft.com udp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\Cab88D1.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\Local\Temp\Tar89ED.tmp

MD5 9c0c641c06238516f27941aa1166d427
SHA1 64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 21a9bb4d828c51d3facf2b10475c24f4
SHA1 bda697d0b8d0fe14257ee0cf824fcc72de355f82
SHA256 7a9a3f480de913b5f6c2ce912164b325bcd6daf6b274a6a3379a61ee46d9cc39
SHA512 76c58c0420045b885381252a23668bb686f7a23b6da3bf99ed2929f984180dbfc21007b8f89ac400171a0bd35c3caad88c281dec5174801b9c52f313cf9a8d99

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 c0dd60c2a8c13e363bdc0394c4f8d1df
SHA1 2117b4db96b1d36d18ed849b63d902a214d1ee82
SHA256 a3829319ef3924a3b06432f54ddf513cedd841c57a62a172efe3ca05357ac2b7
SHA512 bdfc00daef2d5a3daf661795d1e1dada849b47698b41bcfa090be63f576d514df916137c13b6f6287cf9be3bbccea15f83082064c2d07c24183380c3b9ee00eb

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6186760411d7dd58bbbf93dac0bad4fc
SHA1 4283e9a1e5a4fc29f7abeb988117ce3bcaae670e
SHA256 644949f2a0b99b22a834538ac1dbc87a29f146322a721c5e0b2565fd563da41b
SHA512 798d303ec1a6e898210d60456c52b7d170929397001f54d09d2518bf4cd9c9561f072e260bf82a0a8eab039f0461c26ca90316c21f6254a9539bb94091fa1912

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 ef3d79f8505c0650796e10504cdc8dd8
SHA1 8038f1d1cadd0afb5f1e89cd753a45bd98a9b30a
SHA256 e5403a4efd383ad7c89d6bdd11a66b3ab0f12327ca4d1529b7bc339a970a9b48
SHA512 b3ee37a5867e95c10458804dc53b469de4087393fca89443f081a0faaaae01c4c7baa115114972e0af261da586aea985db29fb3df87e1f39ef7f1b7cea4aa0f1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 bb7105da5978a2aa234d530d94106399
SHA1 516e0d56bf128c2f9659498869b63c695fc192bc
SHA256 13087cb21abbef77ac4a1d333d6d930ddb80c0343a80eb44ccf5e7e0b861a4d7
SHA512 0c41ed435059e7e799c48d6ebfc2c65224a90635ebeeb10478b8be539acd91c018913b571ec1873f0fe94dccc26601967a1e7b579617b97ecba58b7cdfa059e4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e23ad32724dc0d548e2b711453e68955
SHA1 23d9e1a19b504fd05c0f92e07023299d5c639cc3
SHA256 856143a66d0a53ca39856e0c00aa2804cb4e189305f5c295ed25358a46f9ed72
SHA512 fcc1c308325ad0579c250cda1efdf8fbb4b834f5d2898176c093e1692f73ce66d07b61b0ab4d8084c518252107f107d8ec052719e6a529d6a236b537fef60929

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 039fa0df4ff6204279a8adf3d7f595b7
SHA1 589d5d30667f30d18acac070adbfe2601276135a
SHA256 afc0142d19e7b6226cafbcf3386941695f61ce1eae58ad5caeb0e6bbcd078987
SHA512 5f32c15b467c1de5de4bc63687436bcf6541e22de2dde362612d2255556cb7e73dd317b8150f3941b56f6f329172bfea93e80548aa542d0693695a7e55944b7f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\070E0202839D9D67350CD2613E78E416

MD5 55540a230bdab55187a841cfe1aa1545
SHA1 363e4734f757bdeb89868efe94907774a327695e
SHA256 d73494e3446b02167573b3cde3ae1c8584ac26e15e45ac3ec0326708425d90fb
SHA512 c899cb1d31d3214fd9dc8626a55e40580d3b2224bf34310c2abd85d0f63e2dedaeae57832f048c2f500cb2cbf83683fcb14139af3f0b5251606076cdb4689c54

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c99353246726be42c74e7852adab239a
SHA1 747087295d5e076e8f2332e4c5c442378a8efbca
SHA256 43c8452f92454c530ce90529675f378a5be938e726b7d7ba1351bab0e5a4a626
SHA512 4c7dbfa0bdf2814f0190239011d9b4af3bc489c7830500949aba8791b70d94cfb6967b7900e1c86e6507092a141e1e2e04965ed3d659cbe48a3bdf1afe682665

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c88b1cf07d4cb26a660e37a318f65912
SHA1 27a9c85a06586745423bda4be436ff7203cf5c1f
SHA256 16f1333e0f5bcc26bb4aa7816ccb320e58cb3f81cc5ab110c31ad27c436eb54e
SHA512 21e7b110344a7a43bd2fbe35404bdf31d5bee06257ced2a267aa3ebad630bfc4f4117de7b61c2b83fc58e8ffc74ae0dae786df128cef5af0ddf3c272a97453f2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6d2d36a52bde5f5b1eeadd4e29210ab6
SHA1 db8b607e2c6f3f3075c5db409d7e6556c43f7225
SHA256 dba8980d85d563c48bced208625b1ef40a93b18fc0801f852fd8ac75e2719639
SHA512 c1fa45c619ccbfb098cb1f9f7b54ee079e5cd0a2299971f078de9ce28960a8e29bc0b04e602044ad5fa6b1eef23f59c00d99563590c22e3e520eb5b21e397f6e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 081185d08af27170c26dce44f9f44281
SHA1 b2f500f2ae88d408b045d42c50ea4f01eae4db85
SHA256 198433f863898865a7632a9e788f098e22add2f4ecff6c34e78b1cff8b556d43
SHA512 d62a5e66c4582cd3f18f04db7cdc2c72114a639d5fed21a8aae91502af943e7b712eb55ca3d3f6d777384c873c965d0497daba7ec7988d583e09b6b34a07b8de

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5db5d1f09e37fe5dda9250d5923ef331
SHA1 4a0dfebb0081dc4a0b04c6f00c4654a9ccb3dfbe
SHA256 7567c929269952d061b36d2f01fcb60e76acacf3ebe3226646d1667480241665
SHA512 1335b860396bb10f4000d5707df8c24c2001dde07b1953e20a45198a19cabdd0c8a6b5bbbf01b1832fd48a61c4978b5e82119a534186badba4740dc0fcfd30c8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 492e4f7731ddc0ab7838795e7dcfcf61
SHA1 41b6aa29eb4a9819ddb731c5f5be95cfeca6266c
SHA256 278c9c30b5df6e5487fe5de348d975011842dfa141acd45a274496bb1c24832c
SHA512 ae37f7ddec2c2b6b109f31c6a1628ab06df2a5c63b3b2908245ccca9598243a5d682b222bf06cdeb957490d5988cee734c24e3178a56f0b79140449d80b27714

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3ab91c810e02aded26ed0697b36920dd
SHA1 bdfc6d3f15b0f97d1ac56e3d741ca3b0cd2402c9
SHA256 93efaed4fd77fc0ebe9b41064ef0e5764e5d26d79af64d5b7dda1ee2844c76af
SHA512 1ced803b776b725a9becb194d5560481a282575592c8782dd85ea18176025492de1113c06f2bc83092615eb1343125df55534aa1f826fe1fac01d3fa32c07734

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a203e10555efaf3c9c8d68c3a9530f3d
SHA1 97d7df66445b2b9368e1490e793f462e82cc9e78
SHA256 e347f38397a0dd9a1079b1ea56538aec2580585f83c91b3ac1e992841430d7b2
SHA512 668372864771b7ce3e8e7c67cc1d7898fe8234dd3569875ec4bb2a931081a87728de57809026f1dc690bb5905a8fb7cadcdf17fc5e98de54f581ba16e7073ac8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d34fc7d83f88fc8c8e9da80878e5d67e
SHA1 70ad100b818a841245a310d63ea43541d4c10d03
SHA256 b2e14a6dc04e25200f5e434f963a5940361fa6b89b75bf5583206536d6a996be
SHA512 8a3c859aefb35fdae32401d779e8a5a6b860be6fb9aa7091d745fd8829e32e85c54140c184e28f5e4df503f56e878ac1e585495c44c8aa9061cbc5780741815a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7571fcf154e736b8386a259fe02ee2b7
SHA1 288dc265556e5fd02e1dd85ec876b1f22c361370
SHA256 69e018edaa393f9cd2b2ceb64c4adb2eeb335cda77867f0e43aabce209afe938
SHA512 ed422e4efa742b99d27b177ef6770489ce9f52d91e44bd03a3c4e76e765d5508abc7eba912673c0e70b45ca95c6804614f74418846de255671266657d90221e6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a8ab1c92664f62fd57a9dad734f5c531
SHA1 b62964cb719f0e57691445fca1026160ccc8ca32
SHA256 7d7e04a15ebb21e96cac0d8930f6aac6017c5f1d53efa1ca0be12064e1f4e173
SHA512 106d72ee0afdd6f8f52285b20c228e06078a58d24962a09ecb59c9422c2434b73051bd3d4f2305860637f508a2165cccdc98e415becf8cdd4c312e5cd003133d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 89f42165ba49b9e74a4acad8b8c47f9a
SHA1 73c0af5469899d2d5ab1987cca0d9e2f7f38279f
SHA256 1ce1125bd5ed7c467e9745bac970f742468452bc0c42ed0cd152346abd84d54f
SHA512 deb639f992830926210dff875e49e4b0e9d5280d7e99c4411c91963daf1d2d2603cc4f029d389a23a0da27ef3bbf5508f7969a49953e992002b6d482f042c07f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f62c9844173ba689065fd77f892c2054
SHA1 8cea1d30e35c9a02b39756ef7464124194f25219
SHA256 9bc34a3e982d6706d0e3eef7dfdbbba9e9adb76504bc24f94a377bcbc38298d2
SHA512 7ff260d13c609e0855646685186a96e0efecd91058895f25d6c32fd3d0e2548b5ed9414021b7892c4669e9d83baac9ee52d4e114094c80ecc6a7eacc5542cc95

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8c1366141abb641ba67c70d61c3764ba
SHA1 e724924481db617aece6d5479db611f5f3db37fc
SHA256 0733dff0eff1d592239009cfd9a49a1c83f28496fb1cd9f12801b65e8032ccb4
SHA512 31a377b8e76729bc26f16cfe7f29cc4c64fd587fe201869b8abebd2f8432559c58cf77f54284a6040a4ba0e27474d9dd97569f6301e856819ebf79c7dc0b8ef2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8361b4b871f4588b8c9a3205fb8181ff
SHA1 c9007a102cb807da7cacfa60a2367243516d7111
SHA256 73fa30ff7ef43868f80f36091d9faf9a4205f71c2a660917f922ad059f67e3fa
SHA512 68839bc714c10ceabfab878d5319af3f4a447458b9f03e5d7356b8308e0404a77e3ac3452332658950ff83e860ad643812f6b9b6e8fe780bd1099c1711c4ab29

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 8167d96bc524a3070ade844b129c01d8
SHA1 9fbcd0fb7c4add415bf3d9ecef5933956becf00a
SHA256 7a292e71b1a2dd3548e51d6c4d94d2ab628791d5c5255b0e7540cea85301882c
SHA512 43c00384b3586318ada7d4e930944fe273f78d9f243bcc9d5a61fe757d7cc3c41a867081ad2e45cfc4bfe428b60d5bda982da8dfa78032f22b16dd21da4ed642

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 a266bb7dcc38a562631361bbf61dd11b
SHA1 3b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256 df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA512 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d7c7b3aca371036a520c83ece83d45de
SHA1 27470ade18efd3fe40378537b23e342bc382b740
SHA256 f3c3255c4c882fb3c15d975aebc58ffed9f3b409be8e3d28bfafc2c912edeb93
SHA512 97eb1fba2b576b3f274bb18cc6d8ab5f563757abe96bb7cb63b524b9808460d469651b9ee8b454316a09ea5f41c982872a8e42f6610a86831458343cbd42ed6e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a0258a5e82d47513063dff64c811a629
SHA1 c450d2685d2cd50bc97c19a0dca884b5af69a2f2
SHA256 1526c4ddb53452f9507fc46fe960860dc68cbd51f240bdc2bcd844d967cc35e1
SHA512 2911e1462ef9fc55670fc02b52aeb344ba728c3fce61c7d7fa655b8de52f603a7df07f53ca6a5ea9a3cdbfafb00bf49d639ae397acfa1c758f4fea92ef72bcda

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6e68306239912bb103d77031717c396b
SHA1 abdff7ddb2b5d5acdeb95d7ecddc98f79e9b6125
SHA256 813ba449e73f49f7edb2de9b77fd15dbdf6688cca63e3e2f20553120814263f7
SHA512 d914097c3f9114af6cd1d8c6faa251b603b2a24f30fe88fd7ff6f5f40c63cebbcf9f607a57318fbeaf386faca9c9f4206e98ce4e1639c02375f3cf677e017972

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 24c14faa11c61a1451cb4894b5cc046a
SHA1 855a8430af0ec70a77ad69d2ee0423f7975d4bb4
SHA256 956af44e5a61de9fecd6db22a57e7a224159ae761f6cf288bdd1b9c41fddc531
SHA512 ea0a32fc4bf5117e8069684830a280f3fcdc8dc33e4aa66b6e8690c70f7717f499eaab3edfffb78224d35871f6f1e6aeeaeb65131b0c3a531c7138b4cb582b73

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ce08275c9c730c98cd8c67e572929d55
SHA1 d87cbcecf0c6b8fcf43107ba622b1ba7469632c0
SHA256 a86083c2824e86e3e9aa3513d574477a6a9ff4a05a457ef892999a28b8fe94d1
SHA512 0bd9e65995be9dee8e79c5eeb76bbcc8167510c1369982b773cd1f74f496e2725b41053852195781d710d5296d62f13b75f3fba4455641d62eed787dc8fc8ce3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

MD5 2086a22f1ed6ae68019dd5d05f784c19
SHA1 8f2f23fab50b02f90444bf7cd2d52ebd5cd4acec
SHA256 1c484b6165dfb9900cdaf737baa3109779060a88cb8e1876f8a4ec6a2e3466be
SHA512 1040b70a69753ccbc6f51fb03b77e28cfb73e8f77711a2997f0fd478f26c81387258d9423e6be7324d91be3caee8967528a32029816a6a7758aeae2e8de626ce

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

MD5 e4a68ac854ac5242460afd72481b2a44
SHA1 df3c24f9bfd666761b268073fe06d1cc8d4f82a4
SHA256 cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f
SHA512 5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a456b23d16c4eaea26722ad5651f8eeb
SHA1 9078319acd4f489b702a31b59b3384b14881b970
SHA256 465137f3e6db6a052f4ad5d7a6d155b05c1b1209db74ae0c530e4010304e7fbf
SHA512 08675874d78d4898b187f0ed1cbf5a0b4766e3e5c6c765141520c994275e32ba92f4a9e8bfb2e8c90ef3bbe0150acbd0b9b28796437594f2e850ad1d981b8beb

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 dca406f46f4f533fb0ddf5602a17a97f
SHA1 8a7fe6d2bcc34502ad8cd4e6a0803c288461d6d7
SHA256 37a8913951acdac030669ff3b7ca6661ba9d10bef96fd7ddd432cee0baa2277f
SHA512 6e9ec5088345e7e36530e4ef558bddc44629aac4e98936e54ef5767011949086198e98b28cc336e559219cbe5b1b429c8a137d0114fd36526fb8b728dfa1ea25

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e38f96165adbac3ef3c8c204f093c93e
SHA1 b4ef42f6cb4a6c9d9622a455bffdb5e6cdf24387
SHA256 0aa9a874967a86b642f050f2f5986ee53552b8c5fb3c64e22c25cd19e675d1fc
SHA512 2c63db7f6de693dba56d9f9bad0cfc2bed6735ff744ce78b06461037de1edc4b275ed3535272c86eb46a954e9f3be178442ca42845b2e29ddf8cc11eeff6ff39

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 eabbcf120f30e3b6685d42c0edaf8ff1
SHA1 7e1d70144b20975b6955db67b933430587b12383
SHA256 c3df6a21aff2a23bde3e455b9fae1b857223e2ffe4717f9151f8a6fde4a6cb54
SHA512 0635bfe6c8d87c3aeb2f4a850a9e7c0c7522dad1c51d9f19cb8ff6f71a898bf4bf83da535df022a9d180e9e97597df29e67fecf23616e76498e0040fb513198a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 60303af1b3ceabec575d2cc835e00ff8
SHA1 64dc1e44437e57b82e2488888d1d8867b9401c05
SHA256 e709ef50cd3153321bd1d28cf845e2bce8ef1ad7c1f5ac9d4b8db883c2b9b31f
SHA512 3fcc9ab31b996afe802a5ba4f22f9f7e555641e062496a1c3f035e92e5b75906a2a6e7fe0dfdbce6a35096519b401a417e1434f506a1458ce2359c7cfc109bdf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c3b23a7db698d3d71d5844ca905f2026
SHA1 68feb6fdc34538231b40fbcd4aaeceb5f458d758
SHA256 941889b932c2e61745a23462a8e9515f5bf9218cdb2ecdabb191f2bcaf79f0e5
SHA512 ef31ceec5376338c9285afb37e49bc70658af4ba7fffeab094e2abce8fee1457fbd7c7305addb7d30a90c5449f1e19bf281775a2503d5fae49ca897aeab13768

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9f06f53a6dc19bd8f2980c6eb1987454
SHA1 34127b8ba6f7b2f434c1290cf0b694b891639e55
SHA256 0cbb670a670ab503e5ff06299b16ab00406e09962700d1d0b2311fdc601ff10c
SHA512 7bb49efb409f2e4daf739ce787af3ca604444c1a33e1f4756b73e752b08fc4b979e217f8b9048f4d44c3f979f0eda30cc9dab4d8d3aa88615a19c88eb807297a

C:\Users\Admin\Downloads\mmpack.rar.sl83jsa.partial

MD5 cb4602ae42904ae38e2556cefa3bf1be
SHA1 1aa15da95bb71b0841522b8f9184c5d793bd639f
SHA256 6d4a73a4f866a9fa18ab5617b1afe01aa5a0e83a42bd55c99c0d3cbc35e595ea
SHA512 6a7c072d0704cd9fb9bb68e8daf8ca5e810efa55d8b58d09b89673ce60714095bbce3a0b678c7736b0f36ea1ca40b736a37b57ac57b9464667887a8298f5200d

C:\Users\Admin\AppData\Local\Temp\7zO08838E18\mmpack.exe

MD5 099ab8e1f1ba9fede9a7d7d6035dd7f0
SHA1 6b01e90e7fed201919e85bbe40805260a6063d03
SHA256 59168c9fabad208b18029e373a0e846743b13b41cf9c80d02712891503567827
SHA512 f004429cb4032c5403ef843dbab96f797faeb2a84d87640ffb811630f639acdbe93c4376fed39538a99e0d8a07b41f922d15ac45443f7ec88099a63b6cc1b67a

memory/684-1536-0x0000000000F50000-0x00000000012A0000-memory.dmp

memory/684-1537-0x00000000711C0000-0x00000000718AE000-memory.dmp

memory/1240-1551-0x0000000001370000-0x00000000016C0000-memory.dmp

memory/1240-1552-0x00000000711C0000-0x00000000718AE000-memory.dmp

memory/684-1550-0x00000000711C0000-0x00000000718AE000-memory.dmp

memory/1804-1553-0x0000000140000000-0x00000001405E8000-memory.dmp

memory/1804-1554-0x0000000140000000-0x00000001405E8000-memory.dmp

memory/684-1555-0x0000000004FB0000-0x0000000004FF0000-memory.dmp

memory/684-1556-0x0000000005550000-0x0000000005700000-memory.dmp

memory/684-1557-0x0000000006970000-0x0000000006B02000-memory.dmp

\Users\Admin\AppData\Local\Temp\Protect544cd51a.dll

MD5 544cd51a596619b78e9b54b70088307d
SHA1 4769ddd2dbc1dc44b758964ed0bd231b85880b65
SHA256 dfce2d4d06de6452998b3c5b2dc33eaa6db2bd37810d04e3d02dc931887cfddd
SHA512 f56d8b81022bb132d40aa78596da39b5c212d13b84b5c7d2c576bbf403924f1d22e750de3b09d1be30aea359f1b72c5043b19685fc9bf06d8040bfee16b17719

memory/684-1562-0x0000000004FB0000-0x0000000004FF0000-memory.dmp

memory/684-1563-0x0000000004FB0000-0x0000000004FF0000-memory.dmp

memory/684-1564-0x0000000004FB0000-0x0000000004FF0000-memory.dmp

memory/684-1565-0x00000000002E0000-0x00000000002F0000-memory.dmp

memory/684-1566-0x0000000004FB0000-0x0000000004FF0000-memory.dmp

memory/684-1567-0x0000000004FB0000-0x0000000004FF0000-memory.dmp

memory/684-1568-0x0000000004FB0000-0x0000000004FF0000-memory.dmp

memory/1240-1569-0x00000000711C0000-0x00000000718AE000-memory.dmp

memory/684-1570-0x0000000006B00000-0x0000000006C00000-memory.dmp

memory/684-1571-0x0000000004FB0000-0x0000000004FF0000-memory.dmp

memory/684-1572-0x0000000004FB0000-0x0000000004FF0000-memory.dmp

memory/1804-1573-0x0000000140000000-0x00000001405E8000-memory.dmp

memory/2948-1574-0x0000000000400000-0x000000000040A000-memory.dmp

memory/2948-1576-0x0000000000400000-0x000000000040A000-memory.dmp

memory/2948-1578-0x0000000000400000-0x000000000040A000-memory.dmp

memory/2948-1579-0x0000000000400000-0x000000000040A000-memory.dmp

memory/2948-1580-0x0000000000400000-0x000000000040A000-memory.dmp

memory/2948-1581-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/2948-1582-0x0000000000400000-0x000000000040A000-memory.dmp

memory/2948-1584-0x0000000000400000-0x000000000040A000-memory.dmp

memory/2948-1586-0x0000000000400000-0x000000000040A000-memory.dmp

memory/2948-1587-0x0000000000400000-0x000000000040A000-memory.dmp

memory/2948-1588-0x00000000000F0000-0x00000000000F1000-memory.dmp

memory/2948-1589-0x0000000000400000-0x000000000040A000-memory.dmp

\Users\Admin\AppData\Local\Temp\7zO08838E18\mmpack.exe

MD5 caedacc913b8b2ff5268d59c5c2f9d34
SHA1 eba1c8ecabd98cea6c6422c8c22fca26726b5965
SHA256 c69ee553329a552fa4d576b8c96cc1ce2b077d633d91e0c9beb5032998fd8fb5
SHA512 6ce5df0c9da990b5a203be47852048f276653fac61f5023e017513202cb32a0fa68f4114c93f5badd44108fff036fe5eeb1b0ce8174505eddaa2cc453a227a30

\Users\Admin\AppData\Local\Temp\7zO08838E18\mmpack.exe

MD5 6bcd2ae990e520dfb180f4e13a8e21ad
SHA1 d3b3de859a1bd908aa360bf8e39519ba08ff7a7c
SHA256 ec2adb11996e479618281715ce7b4c6c21070607b2f6ea4053eafabc135adddd
SHA512 da5b5eaaee521091e311be557ce258bae9e957220fb2628c0ffdecdb33fd90ec224b2cdce2859cb5c1fb46f316349bf615f7209392e363ca963d058b6684aca9

\Users\Admin\AppData\Local\Temp\7zO08838E18\mmpack.exe

MD5 68441106779e6ea583ddcca0ff8f451f
SHA1 9701830643c824a72ddcec40140b58a279e5a97f
SHA256 a6fb48227b562d22a9e3d8a65daf6bfec31c9d85ce825c9d91df2664e7b6c769
SHA512 38dab7881a9f0534d9d03b1c5e0ba8d0513495d3e58aacd54031fbb56701b21bcf9c95b4dc1774dabeb9ab38ad19efbce8aa73979978bc02dbfd5158539e73b6

\Users\Admin\AppData\Local\Temp\7zO08838E18\mmpack.exe

MD5 79a2f87e4d298fa47c2d981457e41a43
SHA1 d43c2497e7105f9027ab3dcef729a2eae7cb057a
SHA256 5fc92dccc5006a1a3f0f6672e8519ae3d1954c55b5b4243cf73923b46538af7c
SHA512 1aff8a1df319ee1964beb18fb04251a6a34a7f5f44ca4a43a25647b09f048cb3ba7a351f1642bb3840f9143f81a87fbe6198c5283a17cd18a2fd1a61c05957d9
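
Two checks an analyst would run over the Files list above, as an added example (not part of the report or of the sandbox's own tooling): the same 7zO08838E18\mmpack.exe path is listed with several different digests, and the dropped Protect544cd51a.dll carries the first eight hex characters of its own MD5 (544cd51a...) in its file name. The script parses the path / MD5 / SHA1 / SHA256 / SHA512 blocks, groups records by path and reports both patterns. The sample text is a constructed subset copied from the list above; treating the "C:\Users\..." and "\Users\..." spellings as the same file is an assumption made for grouping, and a digest whose length does not match its algorithm is dropped rather than trusted.

```python
"""Parse a sandbox report's Files list into (path, digests) records and run
two triage checks over them: paths the sandbox saw with more than one
content (distinct SHA256) and file names that embed a prefix of their own
digest. Added example, not the sandbox vendor's code. SAMPLE is a
constructed subset copied from the behavioral1 Files list; treating
'C:\\Users\\...' and '\\Users\\...' as the same path is an assumption."""
import re
from collections import defaultdict

SAMPLE = r"""
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 a266bb7dcc38a562631361bbf61dd11b
SHA1 3b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256 df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA512 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

C:\Users\Admin\AppData\Local\Temp\7zO08838E18\mmpack.exe

MD5 099ab8e1f1ba9fede9a7d7d6035dd7f0
SHA1 6b01e90e7fed201919e85bbe40805260a6063d03
SHA256 59168c9fabad208b18029e373a0e846743b13b41cf9c80d02712891503567827
SHA512 f004429cb4032c5403ef843dbab96f797faeb2a84d87640ffb811630f639acdbe93c4376fed39538a99e0d8a07b41f922d15ac45443f7ec88099a63b6cc1b67a

memory/684-1536-0x0000000000F50000-0x00000000012A0000-memory.dmp

\Users\Admin\AppData\Local\Temp\Protect544cd51a.dll

MD5 544cd51a596619b78e9b54b70088307d
SHA1 4769ddd2dbc1dc44b758964ed0bd231b85880b65
SHA256 dfce2d4d06de6452998b3c5b2dc33eaa6db2bd37810d04e3d02dc931887cfddd
SHA512 f56d8b81022bb132d40aa78596da39b5c212d13b84b5c7d2c576bbf403924f1d22e750de3b09d1be30aea359f1b72c5043b19685fc9bf06d8040bfee16b17719

\Users\Admin\AppData\Local\Temp\7zO08838E18\mmpack.exe

MD5 caedacc913b8b2ff5268d59c5c2f9d34
SHA1 eba1c8ecabd98cea6c6422c8c22fca26726b5965
SHA256 c69ee553329a552fa4d576b8c96cc1ce2b077d633d91e0c9beb5032998fd8fb5
SHA512 6ce5df0c9da990b5a203be47852048f276653fac61f5023e017513202cb32a0fa68f4114c93f5badd44108fff036fe5eeb1b0ce8174505eddaa2cc453a227a30
"""

HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-f]+)$", re.I)
HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}


def parse_files(text):
    """Return [{'path': str, 'hashes': {algo: hex}}]. memory/... dump lines
    become hashless records; a digest of the wrong length is dropped."""
    records = []
    for line in (l.strip() for l in text.splitlines()):
        m = HASH_LINE.match(line)
        if m:
            algo, digest = m.group(1).upper(), m.group(2).lower()
            if records and len(digest) == HEX_LEN[algo]:
                records[-1]["hashes"][algo] = digest
        elif line:
            records.append({"path": line, "hashes": {}})
    return records


def norm_path(path):
    """Case-fold and drop a leading drive letter (assumption, see above)."""
    return re.sub(r"^[a-z]:", "", path.lower())


def paths_with_several_contents(records):
    """{normalised path: {sha256, ...}} for paths seen with >1 content."""
    seen = defaultdict(set)
    for r in records:
        if "SHA256" in r["hashes"]:
            seen[norm_path(r["path"])].add(r["hashes"]["SHA256"])
    return {p: s for p, s in seen.items() if len(s) > 1}


def name_embeds_digest(record):
    """Name of the algorithm whose digest starts with a hex run (>= 8 chars)
    found in the file name, e.g. Protect544cd51a.dll vs MD5 544cd51a...;
    None otherwise (CryptnetUrlCache names are hex but do not match)."""
    base = record["path"].replace("/", "\\").rsplit("\\", 1)[-1].lower()
    for run in re.findall(r"[0-9a-f]{8,}", base):
        for algo, digest in record["hashes"].items():
            if digest.startswith(run):
                return algo
    return None


if __name__ == "__main__":
    recs = parse_files(SAMPLE)
    for path, shas in paths_with_several_contents(recs).items():
        print(f"{path}: {len(shas)} distinct SHA256 values")
    for r in recs:
        algo = name_embeds_digest(r)
        if algo:
            print(f"{r['path']}: name embeds its own {algo} prefix")
```

Run against the full list rather than the subset, the grouping step also surfaces the five different digests recorded for the 7zO08838E18\mmpack.exe path and the many revisions of the CryptnetUrlCache MetaData file; the latter is a cache index that is rewritten on every certificate fetch, so only the executable is worth pulling for comparison.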

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-31 15:24

Reported

2024-01-31 15:27

Platform

win10v2004-20231222-en

Max time kernel

144s

Max time network

146s

Command Line

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\file.html

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000015a2f750fe9ee1479ecf0c8cfb11934c00000000020000000000106600000001000020000000028af3efa5aa94edc38a229bb9e1490625a9eb0fb45b0afe4205e76ccbf46f81000000000e80000000020000200000001b7b49feb1bf226ec1c057912375c0488dcfae0444589865562302d6dfba4db920000000da112ddd74b3037e2725a7e325e0da3eff75a4b518739004a30f8fd1e6fe591340000000a4cf6f45596ab1f55ffd529d408d62dc61aafa2d372c7039fe458fbb711dac1f9e19191a7317a18ffc82c56e0b783fecdc25fef0da572b1977626b3c9bdb050a C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31085657" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 806331d45954da01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3097123976" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Internet Explorer\IESettingSync C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31085657" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3097123976" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31085657" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3099124013" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000015a2f750fe9ee1479ecf0c8cfb11934c00000000020000000000106600000001000020000000f623e3c466ccbaa1b3984f3288d544b24ef14947ae1d7776b23bad7cf986949c000000000e80000000020000200000007af280c50e049c3c192d07e1cfb4eb2120a5d98c85037f70dd0b7d2a40373595200000008d6f9241af712377b7dc062d0d0b8f73248dd2b49809f4daab99b043e1197d4540000000b1cca3942693550f340e382f947f797e1209e403a43cd00ad0357e9af69547287874872e56d058ff595645ca83dd4e664e435c393eac43dcdc33e0fbfe8550a1 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{E426D681-C04C-11EE-A0B6-6E89F5E0ECB7} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "413479672" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 90a82cd45954da01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\file.html

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4032 CREDAT:17410 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 the.gatekeeperconsent.com udp
US 8.8.8.8:53 btloader.com udp
US 8.8.8.8:53 www.ezojs.com udp
US 104.21.42.32:443 the.gatekeeperconsent.com tcp
US 104.21.42.32:443 the.gatekeeperconsent.com tcp
US 104.22.75.216:443 btloader.com tcp
US 104.22.75.216:443 btloader.com tcp
US 172.64.165.23:445 www.ezojs.com tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 32.42.21.104.in-addr.arpa udp
US 8.8.8.8:53 104.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 216.75.22.104.in-addr.arpa udp
US 8.8.8.8:53 172.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 67.214.58.216.in-addr.arpa udp
US 8.8.8.8:53 privacy.gatekeeperconsent.com udp
US 172.67.199.186:443 privacy.gatekeeperconsent.com tcp
US 172.67.199.186:443 privacy.gatekeeperconsent.com tcp
US 8.8.8.8:53 privacy.ezodn.com udp
US 172.64.192.4:445 privacy.ezodn.com tcp
US 172.64.164.23:445 www.ezojs.com tcp
US 8.8.8.8:53 186.199.67.172.in-addr.arpa udp
US 8.8.8.8:53 17.53.126.40.in-addr.arpa udp
US 8.8.8.8:53 privacy.ezodn.com udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 172.64.193.4:445 privacy.ezodn.com tcp
US 172.64.192.4:139 privacy.ezodn.com tcp
US 8.8.8.8:53 www.ezojs.com udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 131.238.35.23.in-addr.arpa udp
US 8.8.8.8:53 translate.google.com udp
FR 172.217.18.206:445 translate.google.com tcp
US 8.8.8.8:53 translate.google.com udp
FR 172.217.18.206:139 translate.google.com tcp
US 8.8.8.8:53 cdn.amplitude.com udp
US 8.8.8.8:53 static.mediafire.com udp
GB 3.162.19.143:443 cdn.amplitude.com tcp
GB 3.162.19.143:443 cdn.amplitude.com tcp
US 104.16.113.74:445 static.mediafire.com tcp
US 8.8.8.8:53 143.19.162.3.in-addr.arpa udp
US 8.8.8.8:53 238.74.250.142.in-addr.arpa udp
US 8.8.8.8:53 31.19.162.3.in-addr.arpa udp
US 8.8.8.8:53 44.143.84.52.in-addr.arpa udp
US 104.16.114.74:445 static.mediafire.com tcp
US 8.8.8.8:53 static.mediafire.com udp
US 104.16.113.74:139 static.mediafire.com tcp
US 8.8.8.8:53 161.19.199.152.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 static.cloudflareinsights.com udp
US 104.16.56.101:443 static.cloudflareinsights.com tcp
US 104.16.56.101:443 static.cloudflareinsights.com tcp
US 8.8.8.8:53 101.56.16.104.in-addr.arpa udp
US 8.8.8.8:53 api.amplitude.com udp
US 44.236.252.109:443 api.amplitude.com tcp
US 8.8.8.8:53 109.252.236.44.in-addr.arpa udp
US 8.8.8.8:53 23.149.64.172.in-addr.arpa udp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 85.65.42.20.in-addr.arpa udp
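
Added example, not part of the report: a parser for the Network table above that separates the rows worth a second look from sandbox noise. The rows recorded as TCP to ports 445 and 139 on public addresses (www.ezojs.com, privacy.ezodn.com, translate.google.com, static.mediafire.com) are outbound SMB/NetBIOS, which egress filtering normally blocks and which can carry NTLM authentication; the report does not say which process opened them, so the check only surfaces them. The in-addr.arpa queries are reverse lookups of addresses already contacted and are collected separately so they can be joined against the forward connections. The sample rows are a constructed subset copied from the table above, including the row that records a DNS query with no name; the set of ports treated as interesting is an analyst's choice, not something the report states.

```python
"""Triage a sandbox report's Network table: flag TCP to SMB/NetBIOS ports
on globally routable addresses, map each resolved name to the endpoints
it was used with, and set reverse-DNS rows aside.

Added example, not the sandbox vendor's code. SAMPLE is a constructed
subset of the behavioral2 Network table; SMB_PORTS is an analyst's choice.
"""
import ipaddress
from collections import defaultdict

SAMPLE = """\
US 8.8.8.8:53 the.gatekeeperconsent.com udp
US 104.21.42.32:443 the.gatekeeperconsent.com tcp
US 172.64.165.23:445 www.ezojs.com tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 32.42.21.104.in-addr.arpa udp
US 172.64.192.4:139 privacy.ezodn.com tcp
FR 172.217.18.206:445 translate.google.com tcp
US 104.16.113.74:445 static.mediafire.com tcp
US 104.16.56.101:443 static.cloudflareinsights.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
"""

SMB_PORTS = {139, 445}  # NetBIOS session service and SMB over TCP


def parse_rows(text):
    """Rows as dicts: country, ip (ipaddress object), port, domain (None
    when the report recorded no name, as in 'US 8.8.8.8:53 udp'), proto."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            country, dest, proto = parts
            domain = None
        else:
            continue  # header or malformed row
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ipaddress.ip_address(ip),
                     "port": int(port), "domain": domain,
                     "proto": proto.lower()})
    return rows


def is_reverse_lookup(row):
    return bool(row["domain"]) and row["domain"].endswith(".in-addr.arpa")


def smb_egress(rows):
    """TCP to 139/445 on public addresses. Outbound SMB can carry NTLM
    authentication to whoever answers, which is why egress filters block
    it; the report does not attribute these rows to a process."""
    return [r for r in rows
            if r["proto"] == "tcp" and r["port"] in SMB_PORTS
            and r["ip"].is_global]


def endpoints_by_domain(rows):
    """{name: {(ip, port, proto), ...}} for resolved names, skipping DNS
    queries themselves and reverse lookups."""
    out = defaultdict(set)
    for r in rows:
        if r["domain"] and not is_reverse_lookup(r) and r["port"] != 53:
            out[r["domain"]].add((str(r["ip"]), r["port"], r["proto"]))
    return dict(out)


def ptr_targets(rows):
    """Addresses the sandbox reverse-resolved: in-addr.arpa names carry the
    octets reversed, so 32.42.21.104.in-addr.arpa is 104.21.42.32."""
    addrs = set()
    for r in rows:
        if is_reverse_lookup(r):
            octets = r["domain"][: -len(".in-addr.arpa")].split(".")
            addrs.add(".".join(reversed(octets)))
    return addrs


if __name__ == "__main__":
    rows = parse_rows(SAMPLE)
    for r in smb_egress(rows):
        print(f"SMB/NetBIOS egress: {r['domain']} {r['ip']}:{r['port']}")
    for name, eps in sorted(endpoints_by_domain(rows).items()):
        print(name, sorted(eps))
    print("reverse-resolved:", sorted(ptr_targets(rows)))
```

Joining ptr_targets against endpoints_by_domain shows which reverse lookups correspond to hosts already seen in forward connections (104.21.42.32 above) and which do not, which is the quickest way to spot an address the sandbox touched without a preceding name resolution.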

Files

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

MD5 bcace81d477f3c718f9b8caa06bbbdcc
SHA1 966f9283be355a4397633243c28a26ace4f8f5db
SHA256 536e164c1bcbbe417f805d4d9722d6e8d934ee957fb54bb0a1faeb65336f6294
SHA512 99e5175ccc544a20ce6a1d944002ceee21022eee15c9815ec61fa51785480ff43071c239c0fc9ccbeb0a036fe1b7cd62a4f45b1d9e30da7889410e26f747b679

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

MD5 64b44ca0b591f115273439fc6f81e8c6
SHA1 694dc9457906cc7b874faeee21cd2380b107d8fa
SHA256 b7c886493db4a6532cb041da130d429a35e13ab4eb1dbae740df52a573718e79
SHA512 fb58d7c0cec9f3549fd3fe897515cec8ac6b77f74c9f7221fe1c5c29740dd69f6f254741afda784e534f5c44e94e88b204ce3969137e7b7b6c2b49fe0c54172d

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\BJCNBC62\suggestions[1].en-US

MD5 5a34cb996293fde2cb7a4ac89587393a
SHA1 3c96c993500690d1a77873cd62bc639b3a10653f
SHA256 c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512 e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee