lumma | bdc7b917477bb49af7a5b06e5d9ed20e08fed25944f297a6b36a50d03d8a5777

Analysis

max time kernel
357s
max time network
358s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-11-2024 10:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MilwaukeeRivers.exe
Size

948KB
MD5

e922a4d7d2c3c937231aa937b9a2ad25
SHA1

b78ade0fbd78bff01d5c86079c9224d7b87f0770
SHA256

bdc7b917477bb49af7a5b06e5d9ed20e08fed25944f297a6b36a50d03d8a5777
SHA512

501a15eb4c5c64f2df9f454c11951907f33a834885113e14491a6823d8e3373c09523a3eedb52952aada8071dbeec88338dbdeb02a2c4d7a8e0af48eb1dbe5f6
SSDEEP

24576:7gk8NlvGOgHdQFQ/Dfw/EQky/vgNs9OHYkc:WvGOgHeFODfwcC3WsSS

Score

10^/10

lumma discovery stealer

Malware Config

Extracted

Family

lumma

https://servicedny.site

https://authorisev.site

https://faulteyotk.site

https://dilemmadu.site

https://contemteny.site

https://goalyfeastz.site

https://opposezmny.site

https://seallysl.site

https://proggresinvj.cyou

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma
Executes dropped EXE 5 IoCs

Processes:

Comparing.pifComparing.pifComparing.pifComparing.pifComparing.pif

pid process

1976 Comparing.pif
2856 Comparing.pif
924 Comparing.pif
3048 Comparing.pif
1568 Comparing.pif
Loads dropped DLL 5 IoCs

Processes:

cmd.execmd.execmd.execmd.execmd.exe

pid process

2268 cmd.exe
808 cmd.exe
2096 cmd.exe
1264 cmd.exe
2128 cmd.exe

pid	process
2268	cmd.exe
808	cmd.exe
2096	cmd.exe
1264	cmd.exe
2128	cmd.exe

Enumerates processes with tasklist 1 TTPs 10 IoCs

discovery

Process Discovery

T1057

Processes:

tasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exe

pid	process
2900	tasklist.exe
680	tasklist.exe
304	tasklist.exe
2108	tasklist.exe
1568	tasklist.exe
2704	tasklist.exe
2780	tasklist.exe
616	tasklist.exe
2328	tasklist.exe
552	tasklist.exe

Drops file in Windows directory 30 IoCs

Processes:

MilwaukeeRivers.exeMilwaukeeRivers.exeMilwaukeeRivers.exeMilwaukeeRivers.exeMilwaukeeRivers.exe

description	ioc	process
File opened for modification	C:\Windows\AgePlants	MilwaukeeRivers.exe
File opened for modification	C:\Windows\NycOperational	MilwaukeeRivers.exe
File opened for modification	C:\Windows\MrnaWasher	MilwaukeeRivers.exe
File opened for modification	C:\Windows\EarlTowards	MilwaukeeRivers.exe
File opened for modification	C:\Windows\LakesDies	MilwaukeeRivers.exe
File opened for modification	C:\Windows\StormCups	MilwaukeeRivers.exe
File opened for modification	C:\Windows\StormCups	MilwaukeeRivers.exe
File opened for modification	C:\Windows\EarlTowards	MilwaukeeRivers.exe
File opened for modification	C:\Windows\LakesDies	MilwaukeeRivers.exe
File opened for modification	C:\Windows\MrnaWasher	MilwaukeeRivers.exe
File opened for modification	C:\Windows\AgePlants	MilwaukeeRivers.exe
File opened for modification	C:\Windows\NycOperational	MilwaukeeRivers.exe
File opened for modification	C:\Windows\AgePlants	MilwaukeeRivers.exe
File opened for modification	C:\Windows\MrnaWasher	MilwaukeeRivers.exe
File opened for modification	C:\Windows\AgePlants	MilwaukeeRivers.exe
File opened for modification	C:\Windows\LakesDies	MilwaukeeRivers.exe
File opened for modification	C:\Windows\NycOperational	MilwaukeeRivers.exe
File opened for modification	C:\Windows\StormCups	MilwaukeeRivers.exe
File opened for modification	C:\Windows\EarlTowards	MilwaukeeRivers.exe
File opened for modification	C:\Windows\MrnaWasher	MilwaukeeRivers.exe
File opened for modification	C:\Windows\StormCups	MilwaukeeRivers.exe
File opened for modification	C:\Windows\EarlTowards	MilwaukeeRivers.exe
File opened for modification	C:\Windows\StormCups	MilwaukeeRivers.exe
File opened for modification	C:\Windows\LakesDies	MilwaukeeRivers.exe
File opened for modification	C:\Windows\NycOperational	MilwaukeeRivers.exe
File opened for modification	C:\Windows\MrnaWasher	MilwaukeeRivers.exe
File opened for modification	C:\Windows\LakesDies	MilwaukeeRivers.exe
File opened for modification	C:\Windows\NycOperational	MilwaukeeRivers.exe
File opened for modification	C:\Windows\EarlTowards	MilwaukeeRivers.exe
File opened for modification	C:\Windows\AgePlants	MilwaukeeRivers.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 53 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

Comparing.piffindstr.exetasklist.execmd.exeComparing.piffindstr.exeMilwaukeeRivers.exefindstr.exechoice.exeMilwaukeeRivers.exetasklist.execmd.exefindstr.execmd.exeMilwaukeeRivers.exeComparing.pifcmd.exetasklist.exefindstr.exechoice.exefindstr.exechoice.exetasklist.exefindstr.exefindstr.execmd.execmd.exechoice.exetasklist.exefindstr.exechoice.execmd.execmd.exefindstr.execmd.exetasklist.exeMilwaukeeRivers.exetasklist.exetasklist.exefindstr.exefindstr.exetasklist.execmd.exeComparing.piftasklist.execmd.execmd.exefindstr.execmd.exeMilwaukeeRivers.execmd.exeComparing.pifcmd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Comparing.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Comparing.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MilwaukeeRivers.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MilwaukeeRivers.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MilwaukeeRivers.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Comparing.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MilwaukeeRivers.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Comparing.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MilwaukeeRivers.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Comparing.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

Comparing.pifComparing.pif

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	Comparing.pif
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	Comparing.pif
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	Comparing.pif
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	Comparing.pif
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	Comparing.pif

Suspicious behavior: EnumeratesProcesses 15 IoCs

Processes:

Comparing.pifComparing.pifComparing.pifComparing.pifComparing.pif

pid	process
1976	Comparing.pif
1976	Comparing.pif
1976	Comparing.pif
2856	Comparing.pif
2856	Comparing.pif
2856	Comparing.pif
924	Comparing.pif
924	Comparing.pif
924	Comparing.pif
3048	Comparing.pif
3048	Comparing.pif
3048	Comparing.pif
1568	Comparing.pif
1568	Comparing.pif
1568	Comparing.pif

Suspicious use of AdjustPrivilegeToken 14 IoCs

Processes:

tasklist.exetasklist.exeAUDIODG.EXEtasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exe

description	pid	process
Token: SeDebugPrivilege	2780	tasklist.exe
Token: SeDebugPrivilege	680	tasklist.exe
Token: 33	2316	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2316	AUDIODG.EXE
Token: 33	2316	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2316	AUDIODG.EXE
Token: SeDebugPrivilege	304	tasklist.exe
Token: SeDebugPrivilege	616	tasklist.exe
Token: SeDebugPrivilege	2328	tasklist.exe
Token: SeDebugPrivilege	2108	tasklist.exe
Token: SeDebugPrivilege	1568	tasklist.exe
Token: SeDebugPrivilege	552	tasklist.exe
Token: SeDebugPrivilege	2704	tasklist.exe
Token: SeDebugPrivilege	2900	tasklist.exe

Suspicious use of FindShellTrayWindow 15 IoCs

Processes:

Comparing.pifComparing.pifComparing.pifComparing.pifComparing.pif

pid	process
1976	Comparing.pif
1976	Comparing.pif
1976	Comparing.pif
2856	Comparing.pif
2856	Comparing.pif
2856	Comparing.pif
924	Comparing.pif
924	Comparing.pif
924	Comparing.pif
3048	Comparing.pif
3048	Comparing.pif
3048	Comparing.pif
1568	Comparing.pif
1568	Comparing.pif
1568	Comparing.pif

Suspicious use of SendNotifyMessage 15 IoCs

Processes:

Comparing.pifComparing.pifComparing.pifComparing.pifComparing.pif

pid	process
1976	Comparing.pif
1976	Comparing.pif
1976	Comparing.pif
2856	Comparing.pif
2856	Comparing.pif
2856	Comparing.pif
924	Comparing.pif
924	Comparing.pif
924	Comparing.pif
3048	Comparing.pif
3048	Comparing.pif
3048	Comparing.pif
1568	Comparing.pif
1568	Comparing.pif
1568	Comparing.pif

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

MilwaukeeRivers.execmd.exeMilwaukeeRivers.execmd.exe

description	pid	process	target process
PID 2260 wrote to memory of 2268	2260	MilwaukeeRivers.exe	cmd.exe
PID 2260 wrote to memory of 2268	2260	MilwaukeeRivers.exe	cmd.exe
PID 2260 wrote to memory of 2268	2260	MilwaukeeRivers.exe	cmd.exe
PID 2260 wrote to memory of 2268	2260	MilwaukeeRivers.exe	cmd.exe
PID 2268 wrote to memory of 2780	2268	cmd.exe	tasklist.exe
PID 2268 wrote to memory of 2780	2268	cmd.exe	tasklist.exe
PID 2268 wrote to memory of 2780	2268	cmd.exe	tasklist.exe
PID 2268 wrote to memory of 2780	2268	cmd.exe	tasklist.exe
PID 2268 wrote to memory of 2644	2268	cmd.exe	findstr.exe
PID 2268 wrote to memory of 2644	2268	cmd.exe	findstr.exe
PID 2268 wrote to memory of 2644	2268	cmd.exe	findstr.exe
PID 2268 wrote to memory of 2644	2268	cmd.exe	findstr.exe
PID 2268 wrote to memory of 680	2268	cmd.exe	tasklist.exe
PID 2268 wrote to memory of 680	2268	cmd.exe	tasklist.exe
PID 2268 wrote to memory of 680	2268	cmd.exe	tasklist.exe
PID 2268 wrote to memory of 680	2268	cmd.exe	tasklist.exe
PID 2268 wrote to memory of 1152	2268	cmd.exe	findstr.exe
PID 2268 wrote to memory of 1152	2268	cmd.exe	findstr.exe
PID 2268 wrote to memory of 1152	2268	cmd.exe	findstr.exe
PID 2268 wrote to memory of 1152	2268	cmd.exe	findstr.exe
PID 2268 wrote to memory of 3004	2268	cmd.exe	cmd.exe
PID 2268 wrote to memory of 3004	2268	cmd.exe	cmd.exe
PID 2268 wrote to memory of 3004	2268	cmd.exe	cmd.exe
PID 2268 wrote to memory of 3004	2268	cmd.exe	cmd.exe
PID 2268 wrote to memory of 1820	2268	cmd.exe	findstr.exe
PID 2268 wrote to memory of 1820	2268	cmd.exe	findstr.exe
PID 2268 wrote to memory of 1820	2268	cmd.exe	findstr.exe
PID 2268 wrote to memory of 1820	2268	cmd.exe	findstr.exe
PID 2268 wrote to memory of 2016	2268	cmd.exe	cmd.exe
PID 2268 wrote to memory of 2016	2268	cmd.exe	cmd.exe
PID 2268 wrote to memory of 2016	2268	cmd.exe	cmd.exe
PID 2268 wrote to memory of 2016	2268	cmd.exe	cmd.exe
PID 2268 wrote to memory of 1976	2268	cmd.exe	Comparing.pif
PID 2268 wrote to memory of 1976	2268	cmd.exe	Comparing.pif
PID 2268 wrote to memory of 1976	2268	cmd.exe	Comparing.pif
PID 2268 wrote to memory of 1976	2268	cmd.exe	Comparing.pif
PID 2268 wrote to memory of 2120	2268	cmd.exe	choice.exe
PID 2268 wrote to memory of 2120	2268	cmd.exe	choice.exe
PID 2268 wrote to memory of 2120	2268	cmd.exe	choice.exe
PID 2268 wrote to memory of 2120	2268	cmd.exe	choice.exe
PID 1004 wrote to memory of 808	1004	MilwaukeeRivers.exe	cmd.exe
PID 1004 wrote to memory of 808	1004	MilwaukeeRivers.exe	cmd.exe
PID 1004 wrote to memory of 808	1004	MilwaukeeRivers.exe	cmd.exe
PID 1004 wrote to memory of 808	1004	MilwaukeeRivers.exe	cmd.exe
PID 808 wrote to memory of 304	808	cmd.exe	tasklist.exe
PID 808 wrote to memory of 304	808	cmd.exe	tasklist.exe
PID 808 wrote to memory of 304	808	cmd.exe	tasklist.exe
PID 808 wrote to memory of 304	808	cmd.exe	tasklist.exe
PID 808 wrote to memory of 1664	808	cmd.exe	findstr.exe
PID 808 wrote to memory of 1664	808	cmd.exe	findstr.exe
PID 808 wrote to memory of 1664	808	cmd.exe	findstr.exe
PID 808 wrote to memory of 1664	808	cmd.exe	findstr.exe
PID 808 wrote to memory of 616	808	cmd.exe	tasklist.exe
PID 808 wrote to memory of 616	808	cmd.exe	tasklist.exe
PID 808 wrote to memory of 616	808	cmd.exe	tasklist.exe
PID 808 wrote to memory of 616	808	cmd.exe	tasklist.exe
PID 808 wrote to memory of 1976	808	cmd.exe	findstr.exe
PID 808 wrote to memory of 1976	808	cmd.exe	findstr.exe
PID 808 wrote to memory of 1976	808	cmd.exe	findstr.exe
PID 808 wrote to memory of 1976	808	cmd.exe	findstr.exe
PID 808 wrote to memory of 1560	808	cmd.exe	cmd.exe
PID 808 wrote to memory of 1560	808	cmd.exe	cmd.exe
PID 808 wrote to memory of 1560	808	cmd.exe	cmd.exe
PID 808 wrote to memory of 1560	808	cmd.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\MilwaukeeRivers.exe
"C:\Users\Admin\AppData\Local\Temp\MilwaukeeRivers.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2260
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy Te Te.bat & Te.bat
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2268
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2780
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "wrsa opssvc"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2644
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:680
- - C:\Windows\SysWOW64\findstr.exe
    findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1152
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c md 215655
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3004
- - C:\Windows\SysWOW64\findstr.exe
    findstr /V "GeologicalAllowStoryVirtually" Commitments
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1820
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b ..\Started + ..\Spend + ..\Seek + ..\Etc + ..\Reliability + ..\Lingerie + ..\Washing g
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2016
- - C:\Users\Admin\AppData\Local\Temp\215655\Comparing.pif
    Comparing.pif g
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:1976
- - C:\Windows\SysWOW64\choice.exe
    choice /d y /t 5
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2120

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2344

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" shell32.dll,Options_RunDLL 0
1⤵
PID:2880

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x478
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2316

C:\Users\Admin\AppData\Local\Temp\MilwaukeeRivers.exe
"C:\Users\Admin\AppData\Local\Temp\MilwaukeeRivers.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1004
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy Te Te.bat & Te.bat
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:808
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:304
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "wrsa opssvc"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1664
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:616
- - C:\Windows\SysWOW64\findstr.exe
    findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1976
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c md 215655
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1560
- - C:\Windows\SysWOW64\findstr.exe
    findstr /V "GeologicalAllowStoryVirtually" Commitments
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2392
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b ..\Started + ..\Spend + ..\Seek + ..\Etc + ..\Reliability + ..\Lingerie + ..\Washing g
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1728
- - C:\Users\Admin\AppData\Local\Temp\215655\Comparing.pif
    Comparing.pif g
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:2856
- - C:\Windows\SysWOW64\choice.exe
    choice /d y /t 5
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2516

C:\Users\Admin\AppData\Local\Temp\MilwaukeeRivers.exe
"C:\Users\Admin\AppData\Local\Temp\MilwaukeeRivers.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2200
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy Te Te.bat & Te.bat
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2096
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2328
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "wrsa opssvc"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:572
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2108
- - C:\Windows\SysWOW64\findstr.exe
    findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2136
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c md 215655
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2312
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b ..\Started + ..\Spend + ..\Seek + ..\Etc + ..\Reliability + ..\Lingerie + ..\Washing g
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2940
- - C:\Users\Admin\AppData\Local\Temp\215655\Comparing.pif
    Comparing.pif g
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:924
- - C:\Windows\SysWOW64\choice.exe
    choice /d y /t 5
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1232

C:\Users\Admin\AppData\Local\Temp\MilwaukeeRivers.exe
"C:\Users\Admin\AppData\Local\Temp\MilwaukeeRivers.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:1612
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy Te Te.bat & Te.bat
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1264
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:1568
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "wrsa opssvc"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2912
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:552
- - C:\Windows\SysWOW64\findstr.exe
    findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:892
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c md 215655
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2588
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b ..\Started + ..\Spend + ..\Seek + ..\Etc + ..\Reliability + ..\Lingerie + ..\Washing g
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1984
- - C:\Users\Admin\AppData\Local\Temp\215655\Comparing.pif
    Comparing.pif g
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:3048
- - C:\Windows\SysWOW64\choice.exe
    choice /d y /t 5
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2120

C:\Users\Admin\AppData\Local\Temp\MilwaukeeRivers.exe
"C:\Users\Admin\AppData\Local\Temp\MilwaukeeRivers.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2360
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy Te Te.bat & Te.bat
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2128
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2704
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "wrsa opssvc"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1436
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2900
- - C:\Windows\SysWOW64\findstr.exe
    findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1716
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c md 215655
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2596
- - C:\Windows\SysWOW64\findstr.exe
    findstr /V "GeologicalAllowStoryVirtually" Commitments
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2496
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b ..\Started + ..\Spend + ..\Seek + ..\Etc + ..\Reliability + ..\Lingerie + ..\Washing g
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1968
- - C:\Users\Admin\AppData\Local\Temp\215655\Comparing.pif
    Comparing.pif g
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:1568
- - C:\Windows\SysWOW64\choice.exe
    choice /d y /t 5
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Process Discovery

T1057

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\215655\g

Filesize
497KB

MD5
d266b3c08227e9cb46232736b80e5aa0

SHA1
173c8acee3adeae51142bd0e72c3309e34ee520f

SHA256
ec2604a7647c0186b5e12315f62c27927dbb1cf8f939612e129dcdfc1392b998

SHA512
59cfe54e855d98f3f4b01fa7670b9594376c450cfe210e5f626574dd7449e066f55b6c8d218428601ac526a9d0f2ba7a244d54c12b4dca6e0919800b58f31f0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab567B.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Commitments

Filesize
6KB

MD5
95b88aac08c10ed0630bff6e25a48d22

SHA1
ad839ffe077b94d8aa26523557826b66268db8ad

SHA256
7c047d4bd015bf4db77fa60edadd2cd71a0969c8b6ba68c7a1799b63ab3a4ed3

SHA512
5342208ef56103e9329f877aec12fc3e85dca2e1363f21960c8293841f0093463a16298ccb8be6d418835febfb3e3e10cee5336ba342a5d170942186974590a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Etc

Filesize
77KB

MD5
a2e6f3d6b4b15803fc39db66d53d5a68

SHA1
4d9e598b94c8a1c3f88a7d70c72c726b306b7da1

SHA256
fc1405b7240e36717d575f651d792db859226ff4ea8ea80773bf7200b6a582b8

SHA512
56254f9a620fb0e38e8252a8cc1dd7d0e599d9c4854ffb8ca69771ef9fb0b3deb6508492d4d2095ab8b7e1bbc0f381dd9fe743d1161ca344f4445d1c5e1b811c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Lingerie

Filesize
77KB

MD5
2f47e917ab451b39dee57628583e0e49

SHA1
9a5323f7f24a7d98acb6ad484f39ae2211297dc7

SHA256
fe0de264e44fe42611ad2faafa7a97d45c48de38f251cbc446913611f170e3eb

SHA512
71044cf3e0848e8d7bac6666e452690ef2ee623f408477f815235d0f737b1ec200f44152bfd59616bcd8db538765337c62019f3ff5a122c3fd6f6e8eff16f0c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mate

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mate

Filesize
866KB

MD5
25c0cca1b4b6c482fd0135e0e5e747a0

SHA1
339571736c2fc5cde1ad6f9e7dc58ee62a863c63

SHA256
1de377cc55c433743b916de2cfabda2ba5e73ff825f3e7f968ad8905bdd8dfb4

SHA512
a5b2ade00f9f896578f97feccd320675fa1c2824934549352edc9bcb39ca411278ea8a91f0649c3a1aae3c46ee6b6f9b25bb6e2d0afaee57dc35bf50843b2089

Download Submit
C:\Users\Admin\AppData\Local\Temp\Reliability

Filesize
60KB

MD5
8c746ced3ce86327e752383866d630d8

SHA1
3d6befc5ad1e28419ad7834dae43a2b51dbb818a

SHA256
e7db8c4fda3f419f74f3939af4984a4ff079541b02843d6805b048d8bdff0421

SHA512
06b54b6279b80aab06d1e47c221058cae54fa5b9c875fc3c7f4d82f90dbc4acce9b246b678056c2a3d45493b82ceddcd5e2420ca4014c15cd9093cee2b0f27db

Download Submit
C:\Users\Admin\AppData\Local\Temp\Seek

Filesize
88KB

MD5
54c81389f168a434cf19946888499a41

SHA1
3bcb690da7b8809ddf88e833a47dacc04633bc80

SHA256
c9766c34ff13cbb3b62afbc794bc79171e1d573b5d4e2e3ff2c4b21885d537f6

SHA512
61a2a3b2dcbca67ca41e5bb96bba3d31c4f17d491f6430f5b1584ca083310a4d4adb612b5baa6561b0aa5966ba062a0ba85a09e09065f0ec149eacd665328394

Download Submit
C:\Users\Admin\AppData\Local\Temp\Spend

Filesize
90KB

MD5
3b05748621287f6259899970ef155a38

SHA1
def8acf6355fbe03c1f369c86475a1880755fcb2

SHA256
450619a5707d27235f489c4f5b6dbaa953405b7907dd23c03c6ccac08e1187a1

SHA512
787fcbac6a9cea27f2033bdce73c0390d1c8c74d7fbd857fec66efb4d679a9981ec095d289801c92cafc4d5cfb6747f6fce87619d55c5ed10927d25731e9b0a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Started

Filesize
86KB

MD5
6517aa64b07030e6916dfaa84c900553

SHA1
40de8c112f344c59e045e3bcd9d7f9f9cb427d7e

SHA256
3bfc145b382f207a3aded6e9ac0bc61f07c94c0b81658fd43cbb741a1aa7fefe

SHA512
ad71d36193b99219e36cda11dc98bd4d44768c6ea0557f76c1902286942317a66cfab6359d36a7439ec7e30ca85041941e55d5bb77abbe9eb10183c7f7b8c7f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar569D.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Te

Filesize
23KB

MD5
1e40cfd6dfe1b3c142469bec11eb51f7

SHA1
0e13c823035cbec02e0745e1970bfb7f3bdaa1bc

SHA256
d720ff2ac7655230dc5cf3512402471ce822e7dea81e3cd6121ba34f93081c1e

SHA512
3bfac352f9a61d151a2b217a893ca2e0c2819cf5e06a7c39d60f0fff8481482bde885596d4aaaacc0eba97f5e8d030937315d1df5ebc6768e0e7bdc8893837d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Washing

Filesize
19KB

MD5
93654b776416f68061f5812121d460e3

SHA1
917be2e9a18b06f4b49c9f506faa596d8da4084e

SHA256
6cfb0951411a034c4b06886a3d8bbbe1b58c988c8280183d0409b49aa4069d92

SHA512
6f0dae32fa26e7f02d1b781e7837d971b8e4fdab7ef03df2b1082ca9c7cc048dc23bbf092d827e2fc46b2fd293a26d1bdaeaff34d5c62d4a20b44c2c17cd4570

Download Submit
\Users\Admin\AppData\Local\Temp\215655\Comparing.pif

Filesize
872KB

MD5
18ce19b57f43ce0a5af149c96aecc685

SHA1
1bd5ca29fc35fc8ac346f23b155337c5b28bbc36

SHA256
d8b7c7178fbadbf169294e4f29dce582f89a5cf372e9da9215aa082330dc12fd

SHA512
a0c58f04dfb49272a2b6f1e8ce3f541a030a6c7a09bb040e660fc4cd9892ca3ac39cf3d6754c125f7cd1987d1fca01640a153519b4e2eb3e3b4b8c9dc1480558

Download Submit
memory/1976-549-0x00000000036D0000-0x0000000003730000-memory.dmp

Filesize
384KB

Download
memory/1976-548-0x00000000036D0000-0x0000000003730000-memory.dmp

Filesize
384KB

Download
memory/1976-546-0x00000000036D0000-0x0000000003730000-memory.dmp

Filesize
384KB

Download
memory/1976-547-0x00000000036D0000-0x0000000003730000-memory.dmp

Filesize
384KB

Download
memory/1976-545-0x00000000036D0000-0x0000000003730000-memory.dmp

Filesize
384KB

Download
memory/2516-1122-0x0000000076CD0000-0x0000000076DCA000-memory.dmp

Filesize
1000KB

Download
memory/2516-1121-0x0000000076DD0000-0x0000000076EEF000-memory.dmp

Filesize
1.1MB

Download