Analysis Overview
SHA256
ec975154fabacbe2d626ab551470dec7500cfcc32507270ef1d0039c44e47d6d
Threat Level: Known bad
The file cce2ac8ae528606702c8d2766d9be0d7.exe was found to be: Known bad.
Malicious Activity Summary
Rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Program crash
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Runs ping.exe
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates processes with tasklist
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-04 10:37
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-04 10:37
Reported
2024-04-04 10:39
Platform
win7-20240221-en
Max time kernel
119s
Max time network
122s
Command Line
Signatures
Rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 2488 created 1328 | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\2052\Colorado.pif | C:\Windows\Explorer.EXE |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\2052\Colorado.pif | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Enumerates physical storage devices
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\2052\Colorado.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\2052\Colorado.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\2052\Colorado.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\2052\Colorado.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\2052\Colorado.pif | N/A |
| N/A | N/A | C:\Windows\SysWOW64\dialer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\dialer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\dialer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\dialer.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\2052\Colorado.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\2052\Colorado.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\2052\Colorado.pif | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\2052\Colorado.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\2052\Colorado.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\2052\Colorado.pif | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\cce2ac8ae528606702c8d2766d9be0d7.exe
"C:\Users\Admin\AppData\Local\Temp\cce2ac8ae528606702c8d2766d9be0d7.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c move Kim Kim.bat && Kim.bat
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "wrsa.exe opssvc.exe"
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c md 2052
C:\Windows\SysWOW64\findstr.exe
findstr /V "FrancisIdeasRatsSas" Oven
C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b 2052\Colorado.pif + Ooo + Faqs + Boating + Job + Rugs + Envelope + Philippines 2052\Colorado.pif
C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b Headquarters + Mv + Kinda + Ref 2052\K
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\2052\Colorado.pif
2052\Colorado.pif 2052\K
C:\Windows\SysWOW64\PING.EXE
ping -n 5 127.0.0.1
C:\Windows\SysWOW64\dialer.exe
"C:\Windows\system32\dialer.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ZlGDgraNEOaxhscYACzkP.ZlGDgraNEOaxhscYACzkP | udp |
Files
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Kim
| MD5 | 630852ea3d1d215fd718032b5ca858db |
| SHA1 | 9245a44b3248bebca81dd5900adc02ea6fa58c5d |
| SHA256 | b39c74a7317907fba760423d509b130c3b1ab6e6285507947c8d5a4dc82202bb |
| SHA512 | 1cf52f0d3c5e499fd7e89f7fcdbce665ee227acdc0482a4ae147f8378fa51dc5be1a8dd71c3c4c1c788e39a74563e4d55df256cf3566c2863e51680122e46d8e |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Oven
| MD5 | 727785418f7d2ca3ca9935eff4c6339e |
| SHA1 | 2f9310a83802c4cb1081661ed5874d51b503a7d3 |
| SHA256 | c443fd55318a668b4cc6e8940dd02ac1fef4c59139fb6744d397d0ad4c88f0cd |
| SHA512 | 97dd7cb5ffc1405e540d1f45796ff1885938308030672877cd732ee63ee46847626f0e169a7baf585252321545c4757da67be89345c96b8ca4fcdab0b37c0f3b |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\2052\Colorado.pif
| MD5 | f62787118cfd7060849bfb732ca4e71c |
| SHA1 | dda2061ff03f0e200d3790fb570243364d6f2788 |
| SHA256 | 5ac498f3e88a82c903c4203dd44d8ea449528dc194f4d66d6b8e594c71c5591c |
| SHA512 | 45dcf25a6a7e0a39a69649e54b687ef633c87dca222f0473462d1a0e6e54be0e749662404dedad86feb6ae9fd6c98f719a6130b8bf616c205e5af3b856b0a27d |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Ooo
| MD5 | 78c34d2bd450bea859100a1c07349bc7 |
| SHA1 | d64f38b2869a47511d2486418874b0c5d5ac5966 |
| SHA256 | 467eef5cdfb2f97f688b4d5cdb315c90e8e52d1db6ae64e66aab5184223ea554 |
| SHA512 | 06aeff1ceadd573d156fd2dedd9cc1aee7c8b80e2ecc45e9a82cdce43f0cc8aff73b7b12e4b2e3a90c319638e245f226dd72f81d5094cabca4bd7a346a4b5bd4 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Faqs
| MD5 | d4d8d1d363822e1df54082abe29bdda1 |
| SHA1 | 5eb8bd1baeeb72786591f79230042abc1b3812c6 |
| SHA256 | 63a76c01adf19631852f58069a573bdec4b6107bee697c5412fa769ef96edfc2 |
| SHA512 | 672f7f19702e19832976230f19b776c0f4cd6638db5b81bd2183e6e292ab74f8c383c44699bc7906d2b5edcf1c6e1379d011f2eaed2e0f16fe9be07447008843 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Job
| MD5 | add0f628c5fd4cabb0026aa3129d2730 |
| SHA1 | f5b701083ecc8cf6171da6d1c881a2b676a5c5e8 |
| SHA256 | f89fb9278fe7adc534759d76677c7d6806f47c0a0f5aa3bf92287e438ae637d2 |
| SHA512 | ee2465a50d2506680d56e526f4ce69aa6f6ea4f4244371cb56bf90d3dfdedb34b25ce0de6e6acd80128544b6188c9ff217f845b6e8fef2843fa52509ff94cac5 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Boating
| MD5 | 2d292a074a6d19f926f3c70dd6ce64d1 |
| SHA1 | fb764cd612a439185c7b43205f269a23827f394d |
| SHA256 | ff051daa7d4e6a85b29ac4f8c2ff75c52b97b32ae4cde129be2ca3a140545a42 |
| SHA512 | 4107cc7b57c704dde69a1ad5a4617842dd1c99e5bd4f5940da6c7c9120ac869ba8aafa94a82361690820f2f71dd65f1f1e7e77420f24f5314e39266e5f5e5569 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Philippines
| MD5 | feaef2882cbe76a204fd8d54228d3f0e |
| SHA1 | cc9f129cd9b30147a36dc717aa6cce89010c5a70 |
| SHA256 | 26740fec75d648ffe50d10225c4fe6c784d0bbd640ba67f415af27e2a3cceea9 |
| SHA512 | f9ba276e35ae280a0e0e68d8d0bcbb366b61caa03c042e73dd26ae8d62c0f417ce762b5b9a71958f2ddf9e58ff71e734ef982d7fe319d11de56ffe34f93ab193 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Envelope
| MD5 | 1b5abf179cee52cab937711b74cb2be0 |
| SHA1 | e845151b7a14077094cdc91a00946057d9143af0 |
| SHA256 | c330dacbe37ea27af2519875e1dd7e7cc87fcdc51a7cac8a79582fc2d2aba562 |
| SHA512 | fa5c3c17a894cb10694e68edffd80ec5b820eedd8b98b6d960eda573a52b1a4786b3ced76bd5c156bf10a9712751c7fad725aa26bdb91c7dc4c93ec92eb11c38 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Rugs
| MD5 | ef184ffd17abae29eb2d8592242d0a0c |
| SHA1 | 0310d608c20df37e7e29a241b729cb87df6fd2ff |
| SHA256 | c229230da0d9f0533abe2289bd5c0ad8d28cf43aa53cb9b6974fe7b9ccbcfe2a |
| SHA512 | dcae2f0c1901cd6f1e03b05674b298e4bcb4e56d997c4c04a3eb376a140d1e09c76d90df32c285d34001e42b20e0a085bc09bcb8cfec1245a230c0935638d83e |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Headquarters
| MD5 | 6e88335e4768ad05581502124bce6f06 |
| SHA1 | a028a16477b11b615f3cfa9fef833cfb300cc5fc |
| SHA256 | 0bfa99aedeede4fc8d55b4a455c77951b6382be6aedd0ee43d690e67d7446e72 |
| SHA512 | cef73f170a5dae92d3ce60e5b7ecd3e02280eeac93aa000c68c55a0eef3504afa3a20c624b324fcbe90e1489203481d9c785992626da4f3295ccc8dcfde6b23e |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Mv
| MD5 | 4503cf81b6c45672fd2cb5d91a152fb0 |
| SHA1 | aec2272bf6d871f3c57ead5d936313f434171c3a |
| SHA256 | 718559583f176e8490355e7eab9798b1145f7bed33da34ecb6f2773f884f2943 |
| SHA512 | 7bd60403de4ddd9e487a364414645a8b16a7ccd19fbb984e1590d993b7e4cbac63788e143d78b763f993ade45a8a12d9b1206773afcdc2def7c5b6329fded208 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Kinda
| MD5 | 705cf895a0bff9222a81695379901550 |
| SHA1 | 1193389066e77a060a73a78758f22c4dd63dfc89 |
| SHA256 | 04931a8e11e08fb84cb2afcf89ab038c09917d40ca16cc21b84fcd160ffcaf95 |
| SHA512 | 60fd74f74ba112c92dcbdbddfa1a161e51849e55821c7979ee877ca8cbed08b4ac52a35d71c79b197f8a27f50049ba1baf956cabd3a093c6be7f712a6f56ee12 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Ref
| MD5 | 68b581399c9f6d1532023aeb3cddebcf |
| SHA1 | dbc29a3f2f0d864db17f0804e9a7f4e1ffed763c |
| SHA256 | 5cc78ee895e813fd3cbf08c9c519c890662d9ddaf92e526bb3f1afff08f0725a |
| SHA512 | cba377bc14a2ae4174ef9738eec3ee32380a0d5319af7301df84975d82fe7dcd84a8c3572ed1966512d0712b85a9d32b163b5993d751c131471af2dbe823c4da |
\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\2052\Colorado.pif
| MD5 | 78ba0653a340bac5ff152b21a83626cc |
| SHA1 | b12da9cb5d024555405040e65ad89d16ae749502 |
| SHA256 | 05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7 |
| SHA512 | efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\2052\K
| MD5 | 992086438ec4ff45677110d54caf1f70 |
| SHA1 | e44b653431cb5094db4d4ac04325a7582cd5df90 |
| SHA256 | 607f87584495e2a2c2158ae7f84513fc408ef72bbc159174904e21fdf7fa64b6 |
| SHA512 | 9100206a55c2ec1ec58186e2b6e053092125ea73d98d2c60536be52aa9307c8c9b5f0af2852aacc8c10b7ad3fef02b2484f7bbf105ce508972d2ee037d7e0b19 |
memory/2488-34-0x0000000077DA0000-0x0000000077E76000-memory.dmp
memory/2488-35-0x0000000000130000-0x0000000000131000-memory.dmp
memory/2488-36-0x0000000003BF0000-0x0000000003C5D000-memory.dmp
memory/2488-37-0x0000000003BF0000-0x0000000003C5D000-memory.dmp
memory/2488-38-0x0000000003BF0000-0x0000000003C5D000-memory.dmp
memory/2488-40-0x0000000003BF0000-0x0000000003C5D000-memory.dmp
memory/2488-41-0x0000000003BF0000-0x0000000003C5D000-memory.dmp
memory/2488-42-0x0000000003BF0000-0x0000000003C5D000-memory.dmp
memory/2488-43-0x0000000003BF0000-0x0000000003C5D000-memory.dmp
memory/2488-45-0x0000000003BF0000-0x0000000003C5D000-memory.dmp
memory/2488-47-0x0000000004D50000-0x0000000005150000-memory.dmp
memory/2488-46-0x0000000004D50000-0x0000000005150000-memory.dmp
memory/2488-44-0x0000000004D50000-0x0000000005150000-memory.dmp
memory/2488-48-0x0000000077BB0000-0x0000000077D59000-memory.dmp
memory/2488-49-0x0000000004D50000-0x0000000005150000-memory.dmp
memory/2488-51-0x0000000076D30000-0x0000000076D77000-memory.dmp
memory/2688-52-0x00000000000C0000-0x00000000000C9000-memory.dmp
memory/2488-54-0x0000000004D50000-0x0000000005150000-memory.dmp
memory/2688-56-0x0000000001CC0000-0x00000000020C0000-memory.dmp
memory/2688-55-0x0000000001CC0000-0x00000000020C0000-memory.dmp
memory/2688-57-0x0000000077BB0000-0x0000000077D59000-memory.dmp
memory/2688-59-0x0000000001CC0000-0x00000000020C0000-memory.dmp
memory/2688-61-0x0000000077BB0000-0x0000000077D59000-memory.dmp
memory/2688-60-0x0000000076D30000-0x0000000076D77000-memory.dmp
memory/2688-62-0x0000000001CC0000-0x00000000020C0000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-04 10:37
Reported
2024-04-04 10:39
Platform
win10v2004-20240226-en
Max time kernel
147s
Max time network
157s
Command Line
Signatures
Rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 2596 created 2480 | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\2412\Colorado.pif | C:\Windows\system32\sihost.exe |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\cce2ac8ae528606702c8d2766d9be0d7.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\2412\Colorado.pif | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\2412\Colorado.pif |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\2412\Colorado.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\2412\Colorado.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\2412\Colorado.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\2412\Colorado.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\2412\Colorado.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\2412\Colorado.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\2412\Colorado.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\2412\Colorado.pif | N/A |
| N/A | N/A | C:\Windows\SysWOW64\dialer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\dialer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\dialer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\dialer.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\2412\Colorado.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\2412\Colorado.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\2412\Colorado.pif | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\2412\Colorado.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\2412\Colorado.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\2412\Colorado.pif | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\sihost.exe
sihost.exe
C:\Users\Admin\AppData\Local\Temp\cce2ac8ae528606702c8d2766d9be0d7.exe
"C:\Users\Admin\AppData\Local\Temp\cce2ac8ae528606702c8d2766d9be0d7.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c move Kim Kim.bat && Kim.bat
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "wrsa.exe opssvc.exe"
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c md 2412
C:\Windows\SysWOW64\findstr.exe
findstr /V "FrancisIdeasRatsSas" Oven
C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b 2412\Colorado.pif + Ooo + Faqs + Boating + Job + Rugs + Envelope + Philippines 2412\Colorado.pif
C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b Headquarters + Mv + Kinda + Ref 2412\K
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\2412\Colorado.pif
2412\Colorado.pif 2412\K
C:\Windows\SysWOW64\PING.EXE
ping -n 5 127.0.0.1
C:\Windows\SysWOW64\dialer.exe
"C:\Windows\system32\dialer.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2596 -ip 2596
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2596 -s 936
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 202.110.86.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ZlGDgraNEOaxhscYACzkP.ZlGDgraNEOaxhscYACzkP | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 35.34.16.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 218.110.86.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.78.101.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.173.189.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Kim
| MD5 | 630852ea3d1d215fd718032b5ca858db |
| SHA1 | 9245a44b3248bebca81dd5900adc02ea6fa58c5d |
| SHA256 | b39c74a7317907fba760423d509b130c3b1ab6e6285507947c8d5a4dc82202bb |
| SHA512 | 1cf52f0d3c5e499fd7e89f7fcdbce665ee227acdc0482a4ae147f8378fa51dc5be1a8dd71c3c4c1c788e39a74563e4d55df256cf3566c2863e51680122e46d8e |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Oven
| MD5 | 727785418f7d2ca3ca9935eff4c6339e |
| SHA1 | 2f9310a83802c4cb1081661ed5874d51b503a7d3 |
| SHA256 | c443fd55318a668b4cc6e8940dd02ac1fef4c59139fb6744d397d0ad4c88f0cd |
| SHA512 | 97dd7cb5ffc1405e540d1f45796ff1885938308030672877cd732ee63ee46847626f0e169a7baf585252321545c4757da67be89345c96b8ca4fcdab0b37c0f3b |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Ooo
| MD5 | 78c34d2bd450bea859100a1c07349bc7 |
| SHA1 | d64f38b2869a47511d2486418874b0c5d5ac5966 |
| SHA256 | 467eef5cdfb2f97f688b4d5cdb315c90e8e52d1db6ae64e66aab5184223ea554 |
| SHA512 | 06aeff1ceadd573d156fd2dedd9cc1aee7c8b80e2ecc45e9a82cdce43f0cc8aff73b7b12e4b2e3a90c319638e245f226dd72f81d5094cabca4bd7a346a4b5bd4 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\2412\Colorado.pif
| MD5 | dcf70c7429e48659c087459aaa46ffe6 |
| SHA1 | f78534bfe6eef90188d4a57f46d093ecd8de4a70 |
| SHA256 | 303c1b97b75d37bc8482c4f6b5a478b8944721c1227e98632b7eaab3d912872b |
| SHA512 | 705f657d6c21858d66f179d1bcfc39c86b829d7e3052deb3619b56c7d14f8286c0d53f9713ec624fa919b82279dcea5cb9a6af1dfe4e32723b7e1cc0feff0ffa |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Faqs
| MD5 | d4d8d1d363822e1df54082abe29bdda1 |
| SHA1 | 5eb8bd1baeeb72786591f79230042abc1b3812c6 |
| SHA256 | 63a76c01adf19631852f58069a573bdec4b6107bee697c5412fa769ef96edfc2 |
| SHA512 | 672f7f19702e19832976230f19b776c0f4cd6638db5b81bd2183e6e292ab74f8c383c44699bc7906d2b5edcf1c6e1379d011f2eaed2e0f16fe9be07447008843 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Boating
| MD5 | 2d292a074a6d19f926f3c70dd6ce64d1 |
| SHA1 | fb764cd612a439185c7b43205f269a23827f394d |
| SHA256 | ff051daa7d4e6a85b29ac4f8c2ff75c52b97b32ae4cde129be2ca3a140545a42 |
| SHA512 | 4107cc7b57c704dde69a1ad5a4617842dd1c99e5bd4f5940da6c7c9120ac869ba8aafa94a82361690820f2f71dd65f1f1e7e77420f24f5314e39266e5f5e5569 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Job
| MD5 | add0f628c5fd4cabb0026aa3129d2730 |
| SHA1 | f5b701083ecc8cf6171da6d1c881a2b676a5c5e8 |
| SHA256 | f89fb9278fe7adc534759d76677c7d6806f47c0a0f5aa3bf92287e438ae637d2 |
| SHA512 | ee2465a50d2506680d56e526f4ce69aa6f6ea4f4244371cb56bf90d3dfdedb34b25ce0de6e6acd80128544b6188c9ff217f845b6e8fef2843fa52509ff94cac5 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Envelope
| MD5 | 1b5abf179cee52cab937711b74cb2be0 |
| SHA1 | e845151b7a14077094cdc91a00946057d9143af0 |
| SHA256 | c330dacbe37ea27af2519875e1dd7e7cc87fcdc51a7cac8a79582fc2d2aba562 |
| SHA512 | fa5c3c17a894cb10694e68edffd80ec5b820eedd8b98b6d960eda573a52b1a4786b3ced76bd5c156bf10a9712751c7fad725aa26bdb91c7dc4c93ec92eb11c38 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Rugs
| MD5 | ef184ffd17abae29eb2d8592242d0a0c |
| SHA1 | 0310d608c20df37e7e29a241b729cb87df6fd2ff |
| SHA256 | c229230da0d9f0533abe2289bd5c0ad8d28cf43aa53cb9b6974fe7b9ccbcfe2a |
| SHA512 | dcae2f0c1901cd6f1e03b05674b298e4bcb4e56d997c4c04a3eb376a140d1e09c76d90df32c285d34001e42b20e0a085bc09bcb8cfec1245a230c0935638d83e |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Philippines
| MD5 | feaef2882cbe76a204fd8d54228d3f0e |
| SHA1 | cc9f129cd9b30147a36dc717aa6cce89010c5a70 |
| SHA256 | 26740fec75d648ffe50d10225c4fe6c784d0bbd640ba67f415af27e2a3cceea9 |
| SHA512 | f9ba276e35ae280a0e0e68d8d0bcbb366b61caa03c042e73dd26ae8d62c0f417ce762b5b9a71958f2ddf9e58ff71e734ef982d7fe319d11de56ffe34f93ab193 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Headquarters
| MD5 | 6e88335e4768ad05581502124bce6f06 |
| SHA1 | a028a16477b11b615f3cfa9fef833cfb300cc5fc |
| SHA256 | 0bfa99aedeede4fc8d55b4a455c77951b6382be6aedd0ee43d690e67d7446e72 |
| SHA512 | cef73f170a5dae92d3ce60e5b7ecd3e02280eeac93aa000c68c55a0eef3504afa3a20c624b324fcbe90e1489203481d9c785992626da4f3295ccc8dcfde6b23e |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Kinda
| MD5 | 705cf895a0bff9222a81695379901550 |
| SHA1 | 1193389066e77a060a73a78758f22c4dd63dfc89 |
| SHA256 | 04931a8e11e08fb84cb2afcf89ab038c09917d40ca16cc21b84fcd160ffcaf95 |
| SHA512 | 60fd74f74ba112c92dcbdbddfa1a161e51849e55821c7979ee877ca8cbed08b4ac52a35d71c79b197f8a27f50049ba1baf956cabd3a093c6be7f712a6f56ee12 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Ref
| MD5 | 68b581399c9f6d1532023aeb3cddebcf |
| SHA1 | dbc29a3f2f0d864db17f0804e9a7f4e1ffed763c |
| SHA256 | 5cc78ee895e813fd3cbf08c9c519c890662d9ddaf92e526bb3f1afff08f0725a |
| SHA512 | cba377bc14a2ae4174ef9738eec3ee32380a0d5319af7301df84975d82fe7dcd84a8c3572ed1966512d0712b85a9d32b163b5993d751c131471af2dbe823c4da |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Mv
| MD5 | 4503cf81b6c45672fd2cb5d91a152fb0 |
| SHA1 | aec2272bf6d871f3c57ead5d936313f434171c3a |
| SHA256 | 718559583f176e8490355e7eab9798b1145f7bed33da34ecb6f2773f884f2943 |
| SHA512 | 7bd60403de4ddd9e487a364414645a8b16a7ccd19fbb984e1590d993b7e4cbac63788e143d78b763f993ade45a8a12d9b1206773afcdc2def7c5b6329fded208 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\2412\Colorado.pif
| MD5 | 78ba0653a340bac5ff152b21a83626cc |
| SHA1 | b12da9cb5d024555405040e65ad89d16ae749502 |
| SHA256 | 05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7 |
| SHA512 | efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\2412\K
| MD5 | 992086438ec4ff45677110d54caf1f70 |
| SHA1 | e44b653431cb5094db4d4ac04325a7582cd5df90 |
| SHA256 | 607f87584495e2a2c2158ae7f84513fc408ef72bbc159174904e21fdf7fa64b6 |
| SHA512 | 9100206a55c2ec1ec58186e2b6e053092125ea73d98d2c60536be52aa9307c8c9b5f0af2852aacc8c10b7ad3fef02b2484f7bbf105ce508972d2ee037d7e0b19 |
memory/2596-33-0x0000000077831000-0x0000000077951000-memory.dmp
memory/2596-34-0x0000000000F90000-0x0000000000F91000-memory.dmp
memory/2596-35-0x0000000004890000-0x00000000048FD000-memory.dmp
memory/2596-36-0x0000000004890000-0x00000000048FD000-memory.dmp
memory/2596-37-0x0000000004890000-0x00000000048FD000-memory.dmp
memory/2596-39-0x0000000004890000-0x00000000048FD000-memory.dmp
memory/2596-40-0x0000000004890000-0x00000000048FD000-memory.dmp
memory/2596-41-0x0000000004890000-0x00000000048FD000-memory.dmp
memory/2596-42-0x0000000004890000-0x00000000048FD000-memory.dmp
memory/2596-43-0x0000000005AB0000-0x0000000005EB0000-memory.dmp
memory/2596-44-0x0000000004890000-0x00000000048FD000-memory.dmp
memory/2596-46-0x0000000005AB0000-0x0000000005EB0000-memory.dmp
memory/2596-45-0x0000000005AB0000-0x0000000005EB0000-memory.dmp
memory/2596-48-0x0000000005AB0000-0x0000000005EB0000-memory.dmp
memory/2596-47-0x00007FFCE69B0000-0x00007FFCE6BA5000-memory.dmp
memory/2596-50-0x0000000077490000-0x00000000776A5000-memory.dmp
memory/5116-51-0x0000000000EC0000-0x0000000000EC9000-memory.dmp
memory/5116-54-0x00000000029E0000-0x0000000002DE0000-memory.dmp
memory/5116-53-0x00000000029E0000-0x0000000002DE0000-memory.dmp
memory/5116-56-0x00007FFCE69B0000-0x00007FFCE6BA5000-memory.dmp
memory/5116-57-0x00000000029E0000-0x0000000002DE0000-memory.dmp
memory/5116-59-0x0000000077490000-0x00000000776A5000-memory.dmp
memory/2596-60-0x0000000005AB0000-0x0000000005EB0000-memory.dmp
memory/5116-61-0x00000000029E0000-0x0000000002DE0000-memory.dmp