Analysis Overview
SHA256
ec975154fabacbe2d626ab551470dec7500cfcc32507270ef1d0039c44e47d6d
Threat Level: Known bad
The file ec975154fabacbe2d626ab551470dec7500cfcc32507270ef1d0039c44e47d6d.exe was found to be: Known bad.
Malicious Activity Summary
Suspicious use of NtCreateUserProcessOtherParentProcess
Rhadamanthys
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Enumerates physical storage devices
Program crash
Suspicious use of WriteProcessMemory
Enumerates processes with tasklist
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Runs ping.exe
Suspicious use of SendNotifyMessage
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-05 01:51
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-05 01:51
Reported
2024-04-05 01:53
Platform
win7-20240221-en
Max time kernel
120s
Max time network
120s
Command Line
Signatures
Rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 2728 created 1204 | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\2892\Colorado.pif | C:\Windows\Explorer.EXE |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\2892\Colorado.pif | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Enumerates physical storage devices
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\2892\Colorado.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\2892\Colorado.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\2892\Colorado.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\2892\Colorado.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\2892\Colorado.pif | N/A |
| N/A | N/A | C:\Windows\SysWOW64\dialer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\dialer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\dialer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\dialer.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\2892\Colorado.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\2892\Colorado.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\2892\Colorado.pif | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\2892\Colorado.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\2892\Colorado.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\2892\Colorado.pif | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\ec975154fabacbe2d626ab551470dec7500cfcc32507270ef1d0039c44e47d6d.exe
"C:\Users\Admin\AppData\Local\Temp\ec975154fabacbe2d626ab551470dec7500cfcc32507270ef1d0039c44e47d6d.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c move Kim Kim.bat && Kim.bat
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "wrsa.exe opssvc.exe"
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c md 2892
C:\Windows\SysWOW64\findstr.exe
findstr /V "FrancisIdeasRatsSas" Oven
C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b 2892\Colorado.pif + Ooo + Faqs + Boating + Job + Rugs + Envelope + Philippines 2892\Colorado.pif
C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b Headquarters + Mv + Kinda + Ref 2892\K
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\2892\Colorado.pif
2892\Colorado.pif 2892\K
C:\Windows\SysWOW64\PING.EXE
ping -n 5 127.0.0.1
C:\Windows\SysWOW64\dialer.exe
"C:\Windows\system32\dialer.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ZlGDgraNEOaxhscYACzkP.ZlGDgraNEOaxhscYACzkP | udp |
Files
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Kim
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Oven
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\2892\Colorado.pif
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Ooo
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Faqs
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Boating
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Job
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Rugs
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Envelope
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Philippines
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Headquarters
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Mv
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Kinda
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Ref
\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\2892\Colorado.pif
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\2892\K
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-05 01:51
Reported
2024-04-05 01:53
Platform
win10v2004-20240226-en
Max time kernel
150s
Max time network
150s
Command Line
Signatures
Rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 3948 created 2588 | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\2922\Colorado.pif | C:\Windows\system32\sihost.exe |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\ec975154fabacbe2d626ab551470dec7500cfcc32507270ef1d0039c44e47d6d.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\2922\Colorado.pif | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\2922\Colorado.pif |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\2922\Colorado.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\2922\Colorado.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\2922\Colorado.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\2922\Colorado.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\2922\Colorado.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\2922\Colorado.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\2922\Colorado.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\2922\Colorado.pif | N/A |
| N/A | N/A | C:\Windows\SysWOW64\dialer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\dialer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\dialer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\dialer.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\2922\Colorado.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\2922\Colorado.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\2922\Colorado.pif | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\2922\Colorado.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\2922\Colorado.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\2922\Colorado.pif | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\sihost.exe
sihost.exe
C:\Users\Admin\AppData\Local\Temp\ec975154fabacbe2d626ab551470dec7500cfcc32507270ef1d0039c44e47d6d.exe
"C:\Users\Admin\AppData\Local\Temp\ec975154fabacbe2d626ab551470dec7500cfcc32507270ef1d0039c44e47d6d.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c move Kim Kim.bat && Kim.bat
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "wrsa.exe opssvc.exe"
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c md 2922
C:\Windows\SysWOW64\findstr.exe
findstr /V "FrancisIdeasRatsSas" Oven
C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b 2922\Colorado.pif + Ooo + Faqs + Boating + Job + Rugs + Envelope + Philippines 2922\Colorado.pif
C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b Headquarters + Mv + Kinda + Ref 2922\K
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\2922\Colorado.pif
2922\Colorado.pif 2922\K
C:\Windows\SysWOW64\PING.EXE
ping -n 5 127.0.0.1
C:\Windows\SysWOW64\dialer.exe
"C:\Windows\system32\dialer.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 3948 -ip 3948
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3948 -s 932
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ZlGDgraNEOaxhscYACzkP.ZlGDgraNEOaxhscYACzkP | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.66.18.2.in-addr.arpa | udp |
| NL | 52.142.223.178:80 | | tcp |
| US | 8.8.8.8:53 | | udp |
Files
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Kim
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Oven
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\2922\Colorado.pif
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Ooo
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Faqs
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Job
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Boating
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Envelope
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Rugs
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Philippines
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Headquarters
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Ref
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Mv
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Kinda
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\2922\Colorado.pif
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\2922\K