chaos | 1b3711717d430ce33222b97fe8ec692741b7ac8bd9bfb4c2c975ae2f46b37470

Analysis

max time kernel
118s
max time network
151s
platform
windows11-21h2_x64
resource
win11-20240412-en
resource tags

arch:x64arch:x86image:win11-20240412-enlocale:en-usos:windows11-21h2-x64system
submitted
19-04-2024 05:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1b3711717d430ce33222b97fe8ec692741b7ac8bd9bfb4c2c975ae2f46b37470.exe
Size

50KB
MD5

fe7c4b36fca4fdf53789979a4a09c880
SHA1

89caf7f3b9f4d7d732ade5593e1958f6f025afa1
SHA256

1b3711717d430ce33222b97fe8ec692741b7ac8bd9bfb4c2c975ae2f46b37470
SHA512

e0668f6dfda991ab07870d53ce291f73d48533c44dfed1178c8b98b57c799eb77f19451bc70d09caaf757bf18ef6217b44e7fc626b38c89261dc8920796339f3
SSDEEP

768:mDrJUAkwf3ppZuBdrm+KiPxWEh9HgPxWEjj4G:8rkwf3ppZRsPxZgPx94G

Score

10^/10

chaos hermeticwiper xworm zgrat persistence pyinstaller ransomware rat spyware stealer trojan wiper

Malware Config

Extracted

Family

xworm

Version

3.1

gamemodz.duckdns.org:6969

Attributes

Install_directory
%AppData%
install_file
USB.exe

Signatures

Chaos
Ransomware family first seen in June 2021.
ransomware chaos

Chaos Ransomware 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\giavbr.exe	family_chaos
behavioral2/memory/1816-20701-0x00000000009D0000-0x00000000009EC000-memory.dmp	family_chaos

Detect HermeticWiper 1 IoCs

Detect HermeticWiper Payload.

wiper

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\uxkiuo.exe	family_hermeticwiper

Detect Xworm Payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1180-4896-0x0000000000400000-0x0000000000418000-memory.dmp	family_xworm

Detect ZGRat V1 34 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1112-3-0x0000000005FD0000-0x00000000061F6000-memory.dmp	family_zgrat_v1
behavioral2/memory/1112-6-0x0000000005FD0000-0x00000000061F0000-memory.dmp	family_zgrat_v1
behavioral2/memory/1112-7-0x0000000005FD0000-0x00000000061F0000-memory.dmp	family_zgrat_v1
behavioral2/memory/1112-9-0x0000000005FD0000-0x00000000061F0000-memory.dmp	family_zgrat_v1
behavioral2/memory/1112-11-0x0000000005FD0000-0x00000000061F0000-memory.dmp	family_zgrat_v1
behavioral2/memory/1112-13-0x0000000005FD0000-0x00000000061F0000-memory.dmp	family_zgrat_v1
behavioral2/memory/1112-15-0x0000000005FD0000-0x00000000061F0000-memory.dmp	family_zgrat_v1
behavioral2/memory/1112-17-0x0000000005FD0000-0x00000000061F0000-memory.dmp	family_zgrat_v1
behavioral2/memory/1112-19-0x0000000005FD0000-0x00000000061F0000-memory.dmp	family_zgrat_v1
behavioral2/memory/1112-21-0x0000000005FD0000-0x00000000061F0000-memory.dmp	family_zgrat_v1
behavioral2/memory/1112-23-0x0000000005FD0000-0x00000000061F0000-memory.dmp	family_zgrat_v1
behavioral2/memory/1112-25-0x0000000005FD0000-0x00000000061F0000-memory.dmp	family_zgrat_v1
behavioral2/memory/1112-27-0x0000000005FD0000-0x00000000061F0000-memory.dmp	family_zgrat_v1
behavioral2/memory/1112-29-0x0000000005FD0000-0x00000000061F0000-memory.dmp	family_zgrat_v1
behavioral2/memory/1112-31-0x0000000005FD0000-0x00000000061F0000-memory.dmp	family_zgrat_v1
behavioral2/memory/1112-33-0x0000000005FD0000-0x00000000061F0000-memory.dmp	family_zgrat_v1
behavioral2/memory/1112-35-0x0000000005FD0000-0x00000000061F0000-memory.dmp	family_zgrat_v1
behavioral2/memory/1112-37-0x0000000005FD0000-0x00000000061F0000-memory.dmp	family_zgrat_v1
behavioral2/memory/1112-39-0x0000000005FD0000-0x00000000061F0000-memory.dmp	family_zgrat_v1
behavioral2/memory/1112-41-0x0000000005FD0000-0x00000000061F0000-memory.dmp	family_zgrat_v1
behavioral2/memory/1112-43-0x0000000005FD0000-0x00000000061F0000-memory.dmp	family_zgrat_v1
behavioral2/memory/1112-45-0x0000000005FD0000-0x00000000061F0000-memory.dmp	family_zgrat_v1
behavioral2/memory/1112-47-0x0000000005FD0000-0x00000000061F0000-memory.dmp	family_zgrat_v1
behavioral2/memory/1112-49-0x0000000005FD0000-0x00000000061F0000-memory.dmp	family_zgrat_v1
behavioral2/memory/1112-51-0x0000000005FD0000-0x00000000061F0000-memory.dmp	family_zgrat_v1
behavioral2/memory/1112-53-0x0000000005FD0000-0x00000000061F0000-memory.dmp	family_zgrat_v1
behavioral2/memory/1112-55-0x0000000005FD0000-0x00000000061F0000-memory.dmp	family_zgrat_v1
behavioral2/memory/1112-57-0x0000000005FD0000-0x00000000061F0000-memory.dmp	family_zgrat_v1
behavioral2/memory/1112-59-0x0000000005FD0000-0x00000000061F0000-memory.dmp	family_zgrat_v1
behavioral2/memory/1112-61-0x0000000005FD0000-0x00000000061F0000-memory.dmp	family_zgrat_v1
behavioral2/memory/1112-63-0x0000000005FD0000-0x00000000061F0000-memory.dmp	family_zgrat_v1
behavioral2/memory/1112-65-0x0000000005FD0000-0x00000000061F0000-memory.dmp	family_zgrat_v1
behavioral2/memory/1112-67-0x0000000005FD0000-0x00000000061F0000-memory.dmp	family_zgrat_v1
behavioral2/memory/1112-69-0x0000000005FD0000-0x00000000061F0000-memory.dmp	family_zgrat_v1

HermeticWiper
HermeticWiper is a partition-corrupting malware used in cyberattacks against Ukrainian organizations.
wiper hermeticwiper
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Drops startup file 4 IoCs

Processes:

cvtres.exemtmahd.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvtres.lnk	cvtres.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvtres.lnk	cvtres.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvtres.lnk	mtmahd.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	mtmahd.exe

Executes dropped EXE 2 IoCs

Processes:

mtmahd.execvtres.exe

pid process

1668 mtmahd.exe
4416 cvtres.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
1668	mtmahd.exe
4416	cvtres.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

cvtres.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-801765966-3955847401-2235691403-1000\Software\Microsoft\Windows\CurrentVersion\Run\cvtres = "C:\\Users\\Admin\\AppData\\Roaming\\cvtres.exe"	cvtres.exe

Drops desktop.ini file(s) 64 IoCs

Processes:

mtmahd.exe

description	ioc	process
File created	C:\Users\Admin\Saved Games\desktop.ini	mtmahd.exe
File created	C:\Users\Admin\Videos\desktop.ini	mtmahd.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	mtmahd.exe
File created	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini	mtmahd.exe
File created	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini	mtmahd.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	mtmahd.exe
File created	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini	mtmahd.exe
File created	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	mtmahd.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini	mtmahd.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	mtmahd.exe
File created	C:\$Recycle.Bin\S-1-5-21-801765966-3955847401-2235691403-1000\desktop.ini	mtmahd.exe
File created	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini	mtmahd.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	mtmahd.exe
File created	C:\Users\Public\desktop.ini	mtmahd.exe
File created	C:\Windows\Downloaded Program Files\desktop.ini	mtmahd.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	mtmahd.exe
File created	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-s..opini-accessibility_31bf3856ad364e35_10.0.22000.348_none_d5c2f424027f1f86\f\Desktop.ini	mtmahd.exe
File created	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	mtmahd.exe
File created	C:\Users\Admin\Contacts\desktop.ini	mtmahd.exe
File created	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	mtmahd.exe
File created	C:\Program Files\desktop.ini	mtmahd.exe
File created	C:\Users\Admin\Music\desktop.ini	mtmahd.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	mtmahd.exe
File created	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	mtmahd.exe
File created	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini	mtmahd.exe
File created	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini	mtmahd.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	mtmahd.exe
File created	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	mtmahd.exe
File created	C:\Users\Admin\Favorites\Links\desktop.ini	mtmahd.exe
File created	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\desktop.ini	mtmahd.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	mtmahd.exe
File created	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini	mtmahd.exe
File created	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	mtmahd.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	mtmahd.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	mtmahd.exe
File created	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	mtmahd.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	mtmahd.exe
File created	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini	mtmahd.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	mtmahd.exe
File created	C:\Users\Public\Libraries\desktop.ini	mtmahd.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	mtmahd.exe
File created	C:\Users\Public\Music\desktop.ini	mtmahd.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	mtmahd.exe
File created	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	mtmahd.exe
File created	C:\Users\Public\Desktop\desktop.ini	mtmahd.exe
File opened for modification	C:\Windows\Fonts\desktop.ini	mtmahd.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	mtmahd.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	mtmahd.exe
File created	C:\Users\Admin\Desktop\desktop.ini	mtmahd.exe
File created	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	mtmahd.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	mtmahd.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	mtmahd.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	mtmahd.exe
File created	C:\Windows\Media\Desktop.ini	mtmahd.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	mtmahd.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	mtmahd.exe
File created	C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini	mtmahd.exe
File created	C:\Users\Admin\Pictures\desktop.ini	mtmahd.exe
File created	C:\Users\Public\Videos\desktop.ini	mtmahd.exe
File created	C:\Users\Public\AccountPictures\desktop.ini	mtmahd.exe
File created	C:\Windows\Offline Web Pages\desktop.ini	mtmahd.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	mtmahd.exe
File created	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	mtmahd.exe
File created	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	mtmahd.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

2 ip-api.com
Drops autorun.inf file 1 TTPs 1 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media
T1091

Processes:

mtmahd.exe

description ioc process

File created C:\Windows\BitLockerDiscoveryVolumeContents\autorun.inf mtmahd.exe

flow	ioc
2	ip-api.com

description	ioc	process
File created	C:\Windows\BitLockerDiscoveryVolumeContents\autorun.inf	mtmahd.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

1b3711717d430ce33222b97fe8ec692741b7ac8bd9bfb4c2c975ae2f46b37470.exe

description	pid	process	target process
PID 1112 set thread context of 1180	1112	1b3711717d430ce33222b97fe8ec692741b7ac8bd9bfb4c2c975ae2f46b37470.exe	cvtres.exe

Drops file in Program Files directory 64 IoCs

Processes:

mtmahd.exe

description	ioc	process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2R32.dll	mtmahd.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ACEODEXL.DLL	mtmahd.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_148921\java.exe	mtmahd.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\lcms.md	mtmahd.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL108.XML	mtmahd.exe
File created	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.40978.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-80_altform-unplated_contrast-white.png	mtmahd.exe
File created	C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.50.24002.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\GameBar_MedTile.scale-125.png	mtmahd.exe
File created	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\SmallTile.scale-100_contrast-white.png	mtmahd.exe
File created	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.21012.10511.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-64_contrast-black.png	mtmahd.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\HxOutlook_App.dll	mtmahd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.dll	mtmahd.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Tw Cen MT.xml	mtmahd.exe
File created	C:\Program Files\WindowsApps\Microsoft.Getstarted_10.2.41172.0_x64__8wekyb3d8bbwe\Assets\TipsAppList.targetsize-64_altform-unplated.png	mtmahd.exe
File created	C:\Program Files\WindowsApps\Microsoft.People_10.1909.12456.0_x64__8wekyb3d8bbwe\Assets\PeopleAppList.targetsize-40.png	mtmahd.exe
File created	C:\Program Files\WindowsApps\Microsoft.PowerAutomateDesktop_1.0.65.0_x64__8wekyb3d8bbwe\Images\PowerAutomateAppIcon.altform-unplated_targetsize-48.png	mtmahd.exe
File created	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_21.21030.25003.0_x64__8wekyb3d8bbwe\Assets\PhotosStoreLogo.contrast-black.png	mtmahd.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.2012.21.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-24_altform-lightunplated.png	mtmahd.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sq\LC_MESSAGES\vlc.mo	mtmahd.exe
File created	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_2.2106.2807.0_x64__8wekyb3d8bbwe\Assets\Store\SplashScreen.scale-200_contrast-white.png	mtmahd.exe
File created	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_11.2104.2.0_x64__8wekyb3d8bbwe\Assets\SnipSketchAppList.targetsize-80_altform-lightunplated.png	mtmahd.exe
File created	C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\theme\node_modules\@uifabric\utilities\lib\dom\portalContainsElement.js	mtmahd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\icons.png	mtmahd.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-white\Doughboy.scale-300.png	mtmahd.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_OEM_Perp-ppd.xrm-ms	mtmahd.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_Grace-ppd.xrm-ms	mtmahd.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.OleDbInterop.dll	mtmahd.exe
File created	C:\Program Files\WindowsApps\Microsoft.BingWeather_1.0.6.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\WeatherAppList.targetsize-72_altform-unplated_contrast-white.png	mtmahd.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-black\ExchangeSmallTile.scale-125.png	mtmahd.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarAppList.scale-150.png	mtmahd.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\.version	mtmahd.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\js\ui.js	mtmahd.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\System.Windows.Controls.Ribbon.resources.dll	mtmahd.exe
File created	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\AppIcon.targetsize-80_altform-unplated_contrast-black.png	mtmahd.exe
File created	C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib-commonjs\components\DocumentCard\DocumentCardLogo.types.js	mtmahd.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\goopdateres_pt-BR.dll	mtmahd.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Data.Recommendation.Client.Picasso.Sampler.dll	mtmahd.exe
File created	C:\Program Files\WindowsApps\Microsoft.Paint_10.2104.17.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-black\PaintAppList.scale-100.png	mtmahd.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\90.0.818.66\Locales\devtools\zh-TW.pak	mtmahd.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.2104.12721.0_x64__8wekyb3d8bbwe\System.Net.Http.Rtc.dll	mtmahd.exe
File created	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.41182.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-256.png	mtmahd.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIsvVirtualization.dll	mtmahd.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\PresentationUI.resources.dll	mtmahd.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	mtmahd.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Grace-ppd.xrm-ms	mtmahd.exe
File opened for modification	C:\Program Files\Mozilla Firefox\IA2Marshal.dll	mtmahd.exe
File opened for modification	C:\Program Files\Mozilla Firefox\omni.ja	mtmahd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\nl-nl\ui-strings.js	mtmahd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Download_on_the_App_Store_Badge_da_135x40.svg	mtmahd.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\d3dcompiler_47.dll	mtmahd.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\System.Windows.Forms.resources.dll	mtmahd.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-001B-0000-1000-0000000FF1CE.xml	mtmahd.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Trial-ppd.xrm-ms	mtmahd.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\packetizer\libpacketizer_av1_plugin.dll	mtmahd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_sortedby_selected_18.svg	mtmahd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\example_icons.png	mtmahd.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.143.57\msedgeupdateres_fa.dll	mtmahd.exe
File created	C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\theme\node_modules\@fluentui\dom-utilities\lib-amd\isVirtualElement.js	mtmahd.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\System.Windows.Forms.Primitives.resources.dll	mtmahd.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Locales\uk.pak	mtmahd.exe
File created	C:\Program Files\WindowsApps\Microsoft.GamingApp_2105.900.24.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxBlockMap.xml	mtmahd.exe
File created	C:\Program Files\WindowsApps\Microsoft.PowerAutomateDesktop_1.0.65.0_neutral_split.scale-180_8wekyb3d8bbwe\AppxSignature.p7x	mtmahd.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_1.0.36.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.targetsize-96_altform-lightunplated_contrast-black.png	mtmahd.exe
File created	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.21012.10511.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-36_contrast-black.png	mtmahd.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\security\blacklisted.certs	mtmahd.exe

Drops file in Windows directory 64 IoCs

Processes:

mtmahd.exe

description	ioc	process
File created	C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management.Resources\1.0.0.0_en_31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.Resources.dll	mtmahd.exe
File created	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-s..-educationn-license_31bf3856ad364e35_10.0.22000.120_none_47cf6d98eacff6a7\f\EducationN-OEM-NONSLP-1-ul-phn-rtm.xrm-ms	mtmahd.exe
File created	C:\Windows\Fonts\SegUIVar.ttf	mtmahd.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.SecureBoot.Commands.Resources\v4.0_10.0.0.0_en_31bf3856ad364e35\Microsoft.SecureBoot.Commands.Resources.dll	mtmahd.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Windows.Diagnosis.Commands.UpdateDiagReport\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.Windows.Diagnosis.Commands.UpdateDiagReport.dll	mtmahd.exe
File created	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-n..rests-adm.resources_31bf3856ad364e35_10.0.22000.469_el-gr_710a4bdcb183296c\n\NewsAndInterests.adml	mtmahd.exe
File created	C:\Windows\diagnostics\system\Power\DiagPackage.diagpkg	mtmahd.exe
File created	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-p..riencehost.appxmain_31bf3856ad364e35_10.0.22000.120_none_dd24c7cd1fc6d4b1\f\PeopleLogo.scale-200.png	mtmahd.exe
File created	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-p..riencehost.appxmain_31bf3856ad364e35_10.0.22000.120_none_dd24c7cd1fc6d4b1\f\resources.pri	mtmahd.exe
File created	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-userexperience-desktop_31bf3856ad364e35_10.0.22000.493_none_81cdab704eaad423\f\StartMenu\Assets\FileIcons\32\mpp.svg	mtmahd.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\legacy.web_hightrust.config.default	mtmahd.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ilasm.exe.config	mtmahd.exe
File created	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-p..iagnostic.resources_31bf3856ad364e35_10.0.22000.120_bg-bg_38e191258479b99c\f\RS_AdjustScreenBrightness.psd1	mtmahd.exe
File created	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-s..ouppolicy.resources_31bf3856ad364e35_10.0.22000.132_ru-ru_677df8cd408e3c6b\f\SkyDrive.adml	mtmahd.exe
File created	C:\Windows\Cursors\lmove.cur	mtmahd.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\PresentationFramework-SystemXml\v4.0_4.0.0.0__b77a5c561934e089\PresentationFramework-SystemXml.dll	mtmahd.exe
File created	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-s..ouppolicy.resources_31bf3856ad364e35_10.0.22000.132_fr-fr_c0dfb3fbe28248cb\f\CredentialProviders.adml	mtmahd.exe
File created	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-s..ouppolicy.resources_31bf3856ad364e35_10.0.22000.132_ru-ru_677df8cd408e3c6b\f\StartMenu.adml	mtmahd.exe
File created	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-w..pdate-adm.resources_31bf3856ad364e35_10.0.22000.120_pl-pl_58bb77b6b619d8e1\f\WindowsUpdate.adml	mtmahd.exe
File created	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft.activedir..anagement.resources_31bf3856ad364e35_10.0.22000.120_nl-nl_b3a2919aabc8e717\f\Microsoft.ActiveDirectory.Management.resources.dll	mtmahd.exe
File created	C:\Windows\diagnostics\system\Apps\DiagPackage.diagpkg	mtmahd.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_64\Policy.1.2.Microsoft.Interop.Security.AzRoles\v4.0_10.0.22000.1__31bf3856ad364e35\Policy.1.2.Microsoft.Interop.Security.AzRoles.dll	mtmahd.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Office.Tools.Outlook\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.Office.Tools.Outlook.dll	mtmahd.exe
File created	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-m..oolsclient.appxmain_31bf3856ad364e35_10.0.22000.120_none_bb415867ae85d51c\f\domExplorer.css	mtmahd.exe
File created	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-s..edia-base.resources_31bf3856ad364e35_10.0.22000.318_el-gr_d96adb9bb03bb5ce\f\SetupCore.dll.mui	mtmahd.exe
File created	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-s..ouppolicy.resources_31bf3856ad364e35_10.0.22000.132_zh-tw_81df88dcd41bf746\f\Sharing.adml	mtmahd.exe
File created	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-userexperience-desktop_31bf3856ad364e35_10.0.22000.493_none_81cdab704eaad423\f\WsxPackManager.winmd	mtmahd.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v10.0\10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v10.0.dll	mtmahd.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll	mtmahd.exe
File created	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-s..aries-quechua-emoji_31bf3856ad364e35_10.0.22000.348_none_5812faa22c16c337\f\datamap.046b.dat	mtmahd.exe
File created	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-s..edia-base.resources_31bf3856ad364e35_10.0.22000.120_tr-tr_466776d15db17fff\f\reagent.adml	mtmahd.exe
File created	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-t..i-pcshell.resources_31bf3856ad364e35_10.0.22000.184_pt-br_d2d521f08e01a360\f\twinui.pcshell.dll.mui	mtmahd.exe
File created	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-taskbar-dll.resources_31bf3856ad364e35_10.0.22000.184_he-il_06dee48259eb5659\f\Taskbar.dll.mui	mtmahd.exe
File created	C:\Windows\Fonts\constanz.ttf	mtmahd.exe
File opened for modification	C:\Windows\Fonts\DUBAI-LIGHT.TTF	mtmahd.exe
File created	C:\Windows\Fonts\sserifet.fon	mtmahd.exe
File created	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-l..essionaln.resources_31bf3856ad364e35_10.0.22000.493_zh-cn_d981f9e520bd91f5\f\license.rtf	mtmahd.exe
File created	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-m..oolsclient.appxmain_31bf3856ad364e35_10.0.22000.120_none_bb415867ae85d51c\f\intellisenseListBox.css	mtmahd.exe
File created	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-s..cottish-gaelic-main_31bf3856ad364e35_10.0.22000.348_none_802f86f3ed3c9279\f\MsSp7gd.lex	mtmahd.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild\Microsoft.Build.Core.xsd	mtmahd.exe
File created	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-m..oolsclient.appxmain_31bf3856ad364e35_10.0.22000.120_none_bb415867ae85d51c\f\CpuUsageTreeGrid.css	mtmahd.exe
File created	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-p..iagnostic.resources_31bf3856ad364e35_10.0.22000.120_hr-hr_10008081311767e0\f\RS_ResetDisplayIdleTimeout.psd1	mtmahd.exe
File created	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-l..erprisesn.resources_31bf3856ad364e35_10.0.22000.493_ro-ro_be3df210b405b65e\f\license.rtf	mtmahd.exe
File created	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-p..iagnostic.resources_31bf3856ad364e35_10.0.22000.120_ko-kr_f97b780808b2b89b\f\DiagPackage.dll.mui	mtmahd.exe
File created	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-p..iagnostic.resources_31bf3856ad364e35_10.0.22000.120_nb-no_e20df93ce0d7e457\f\RS_ChangeProcessorState.psd1	mtmahd.exe
File created	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-shell32.resources_31bf3856ad364e35_10.0.22000.184_sl-si_3c205731a4ef3172\f\shell32.dll.mui	mtmahd.exe
File created	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\wow64_ds-ui-ext_31bf3856ad364e35_10.0.22000.120_none_760706ceb922e90c\f\dsuiext.dll	mtmahd.exe
File created	C:\Windows\servicing\InboxFodMetadataCache\metadata\Language.Basic~is-is~1.0.mum	mtmahd.exe
File created	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-n..quickstart.appxmain_31bf3856ad364e35_10.0.22000.120_none_8faca973dc064b74\f\NarratorMedTile.scale-100.png	mtmahd.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll	mtmahd.exe
File created	C:\Windows\PolicyDefinitions\en-US\RacWmiProv.adml	mtmahd.exe
File opened for modification	C:\Windows\Installer\1e0a.msi	mtmahd.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\darkBlue_GRAD.jpg	mtmahd.exe
File created	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-p..iagnostic.resources_31bf3856ad364e35_10.0.22000.120_ro-ro_6dfa1f44ab862afc\f\RS_AdjustDimDisplay.psd1	mtmahd.exe
File created	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-p..ting-spooler-client_31bf3856ad364e35_10.0.22000.348_none_8e858d419de44d36\f\winspool.drv	mtmahd.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\AdobeCollabSync.exe	mtmahd.exe
File created	C:\Windows\servicing\InboxFodMetadataCache\metadata\Language.Basic~ur-pk~1.0.mum	mtmahd.exe
File created	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-s..dminflows.resources_31bf3856ad364e35_10.0.22000.184_et-ee_f6bb42a03854b1d1\f\Windows.UI.SettingsAdminFlowUIThreshold.et-EE.pri	mtmahd.exe
File created	C:\Windows\INF\hal.inf	mtmahd.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualStudio.Tools.Office.Runtime\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualStudio.Tools.Office.Runtime.dll	mtmahd.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.WindowsSearch.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsSearch.Commands.dll	mtmahd.exe
File created	C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-userexperience-desktop_31bf3856ad364e35_10.0.22000.493_none_81cdab704eaad423\n\FileExplorerExtensions\Assets\images\contrast-black\windows.refresh.svg	mtmahd.exe
File created	C:\Windows\Media\Windows Message Nudge.wav	mtmahd.exe
File created	C:\Windows\PolicyDefinitions\DistributedLinkTracking.admx	mtmahd.exe

Detects Pyinstaller 1 IoCs

pyinstaller

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\qphbnr.exe	pyinstaller

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

5036 schtasks.exe

pid	process
5036	schtasks.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

1b3711717d430ce33222b97fe8ec692741b7ac8bd9bfb4c2c975ae2f46b37470.execvtres.exe

description	pid	process
Token: SeDebugPrivilege	1112	1b3711717d430ce33222b97fe8ec692741b7ac8bd9bfb4c2c975ae2f46b37470.exe
Token: SeDebugPrivilege	1112	1b3711717d430ce33222b97fe8ec692741b7ac8bd9bfb4c2c975ae2f46b37470.exe
Token: SeDebugPrivilege	1180	cvtres.exe
Token: SeDebugPrivilege	1180	cvtres.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

1b3711717d430ce33222b97fe8ec692741b7ac8bd9bfb4c2c975ae2f46b37470.execvtres.exe

description	pid	process	target process
PID 1112 wrote to memory of 1180	1112	1b3711717d430ce33222b97fe8ec692741b7ac8bd9bfb4c2c975ae2f46b37470.exe	cvtres.exe
PID 1112 wrote to memory of 1180	1112	1b3711717d430ce33222b97fe8ec692741b7ac8bd9bfb4c2c975ae2f46b37470.exe	cvtres.exe
PID 1112 wrote to memory of 1180	1112	1b3711717d430ce33222b97fe8ec692741b7ac8bd9bfb4c2c975ae2f46b37470.exe	cvtres.exe
PID 1112 wrote to memory of 1180	1112	1b3711717d430ce33222b97fe8ec692741b7ac8bd9bfb4c2c975ae2f46b37470.exe	cvtres.exe
PID 1112 wrote to memory of 1180	1112	1b3711717d430ce33222b97fe8ec692741b7ac8bd9bfb4c2c975ae2f46b37470.exe	cvtres.exe
PID 1112 wrote to memory of 1180	1112	1b3711717d430ce33222b97fe8ec692741b7ac8bd9bfb4c2c975ae2f46b37470.exe	cvtres.exe
PID 1112 wrote to memory of 1180	1112	1b3711717d430ce33222b97fe8ec692741b7ac8bd9bfb4c2c975ae2f46b37470.exe	cvtres.exe
PID 1112 wrote to memory of 1180	1112	1b3711717d430ce33222b97fe8ec692741b7ac8bd9bfb4c2c975ae2f46b37470.exe	cvtres.exe
PID 1180 wrote to memory of 5036	1180	cvtres.exe	schtasks.exe
PID 1180 wrote to memory of 5036	1180	cvtres.exe	schtasks.exe
PID 1180 wrote to memory of 5036	1180	cvtres.exe	schtasks.exe
PID 1180 wrote to memory of 1668	1180	cvtres.exe	mtmahd.exe
PID 1180 wrote to memory of 1668	1180	cvtres.exe	mtmahd.exe
PID 1180 wrote to memory of 1668	1180	cvtres.exe	mtmahd.exe

C:\Users\Admin\AppData\Local\Temp\1b3711717d430ce33222b97fe8ec692741b7ac8bd9bfb4c2c975ae2f46b37470.exe
"C:\Users\Admin\AppData\Local\Temp\1b3711717d430ce33222b97fe8ec692741b7ac8bd9bfb4c2c975ae2f46b37470.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1112
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"
  2⤵
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1180
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "cvtres" /tr "C:\Users\Admin\AppData\Roaming\cvtres.exe"
    3⤵
    - Creates scheduled task(s)
    PID:5036
- - C:\Users\Admin\AppData\Local\Temp\mtmahd.exe
    "C:\Users\Admin\AppData\Local\Temp\mtmahd.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Drops desktop.ini file(s)
    - Drops autorun.inf file
    - Drops file in Program Files directory
    - Drops file in Windows directory
    PID:1668
- - C:\Users\Admin\AppData\Local\Temp\giavbr.exe
    "C:\Users\Admin\AppData\Local\Temp\giavbr.exe"
    3⤵
    PID:1816
- - C:\Users\Admin\AppData\Local\Temp\uxkiuo.exe
    "C:\Users\Admin\AppData\Local\Temp\uxkiuo.exe"
    3⤵
    PID:5420
- - C:\Users\Admin\AppData\Local\Temp\qphbnr.exe
    "C:\Users\Admin\AppData\Local\Temp\qphbnr.exe"
    3⤵
    PID:8152
  - - C:\Users\Admin\AppData\Local\Temp\qphbnr.exe
      "C:\Users\Admin\AppData\Local\Temp\qphbnr.exe"
      4⤵
      PID:2464
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        5⤵
        
        PID:2260
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell -NoProfile -ExecutionPolicy Bypass Start-Process ./assets/700.exe"
        5⤵
        
        PID:5016
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -NoProfile -ExecutionPolicy Bypass Start-Process ./assets/700.exe
        6⤵
        
        PID:6228

C:\Users\Admin\AppData\Roaming\cvtres.exe
C:\Users\Admin\AppData\Roaming\cvtres.exe
1⤵
- Executes dropped EXE
PID:4416

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004D4 0x00000000000004E0
1⤵
PID:6468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Replication Through Removable Media

T1091

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\Lang\az.txt

Filesize
9B

MD5
9d88efac0177f99fa528033afb54e378

SHA1
a6fef6b2f49cdb2e476020bd1e7da65997d9bfc3

SHA256
845640b68b92599fcab7a1a64ddd79087781cefcc5ed743ac4eee5c760b4ada5

SHA512
ffa3236f35b7e8ed5e52c31d330aaf1bb0ee87e5e107b033a3377f593d6a02c6716332f582c175fc2f17a520db9f28036254c58b2fea74844e1e90f75628abfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI81522\PIL\_imaging.cp311-win_amd64.pyd

Filesize
2.3MB

MD5
442b67aacded7ea702d53b9f601fcecb

SHA1
b0c644cbf7298c7f319b6bdb27eae2dcffdb66e4

SHA256
338db35f14174040ae3fa5b246b8dd6d0a8264cec1ae64ea87c9446bbdebf193

SHA512
645bd6fd0008b29a2e88d9a86120525496aa011d29a29e3518b35016d31f21fed62fb333efa92a1ec6d9ee5a6943624023b4a03931a6acbdd4ef8b13084bfb82

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI81522\__splash\VCRUNTIME140.dll

Filesize
106KB

MD5
4585a96cc4eef6aafd5e27ea09147dc6

SHA1
489cfff1b19abbec98fda26ac8958005e88dd0cb

SHA256
a8f950b4357ec12cfccddc9094cca56a3d5244b95e09ea6e9a746489f2d58736

SHA512
d78260c66331fe3029d2cc1b41a5d002ec651f2e3bbf55076d65839b5e3c6297955afd4d9ab8951fbdc9f929dbc65eb18b14b59bce1f2994318564eb4920f286

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI81522\__splash\tcl86t.dll

Filesize
1.8MB

MD5
ac6cd2fb2cd91780db186b8d6e447b7c

SHA1
b387b9b6ca5f0a2b70028ab2147789c4fe24ef7a

SHA256
a91781fe13548b89817462b00058a75fb0b607ec8ce99d265719ced573ade7b6

SHA512
45b24ca07a44d8d90e5efeded2697a37f000b39d305fe63a67292fdd237de3f8efd5e85b139b5702faa695f9f27f12f24ac497e005e2f3c24c141d7cd85305b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI81522\__splash\tk86t.dll

Filesize
1.5MB

MD5
499fa3dea045af56ee5356c0ce7d6ce2

SHA1
0444b7d4ecd25491245824c17b84916ee5b39f74

SHA256
20139f4c327711baf18289584fa0c8112f7bb3ba55475bded21f3d107672ed94

SHA512
d776749effa241ba1415b28d2fcff1d64ed903569a8c4e56dfddd672a53b2f44119734b1959b72a9b3f4060bb2c67b7dea959cc2d4a8e9f781f17009c6840fc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI81522\_asyncio.pyd

Filesize
63KB

MD5
61a5ae75f514b3ccbf1b939e06a5d451

SHA1
8154795e0f14415fb5802da65aafa91d7cbc57ec

SHA256
2b772076c2dba91fb4f61182b929485cc6c660baab4bce6e08aa18e414c69641

SHA512
bcd077d5d23fdab8427cc077b26626644b1b4b793c7f445e4f85094bd596c28319a854623b6e385f8e479b52726a9b843c4376bf288dc4f09edc30f332dbaf13

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI81522\_bz2.pyd

Filesize
82KB

MD5
a62207fc33140de460444e191ae19b74

SHA1
9327d3d4f9d56f1846781bcb0a05719dea462d74

SHA256
ebcac51449f323ae3ae961a33843029c34b6a82138ccd9214cf99f98dd2148c2

SHA512
90f9db9ee225958cb3e872b79f2c70cb1fd2248ebaa8f3282afff9250285852156bf668f5cfec49a4591b416ce7ebaaac62d2d887152f5356512f2347e3762b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI81522\_ctypes.pyd

Filesize
120KB

MD5
9b344f8d7ce5b57e397a475847cc5f66

SHA1
aff1ccc2608da022ecc8d0aba65d304fe74cdf71

SHA256
b1214d7b7efd9d4b0f465ec3463512a1cbc5f59686267030f072e6ce4b2a95cf

SHA512
2b0d9e1b550bf108fa842324ab26555f2a224aefff517fdb16df85693e05adaf0d77ebe49382848f1ec68dc9b5ae75027a62c33721e42a1566274d1a2b1baa41

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI81522\_lzma.pyd

Filesize
155KB

MD5
0c7ea68ca88c07ae6b0a725497067891

SHA1
c2b61a3e230b30416bc283d1f3ea25678670eb74

SHA256
f74aaf0aa08cf90eb1eb23a474ccb7cb706b1ede7f911daf7ae68480765bdf11

SHA512
fd52f20496a12e6b20279646663d880b1354cffea10793506fe4560ed7da53e4efba900ae65c9996fbb3179c83844a9674051385e6e3c26fb2622917351846b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI81522\_overlapped.pyd

Filesize
49KB

MD5
7db2b9d0fd06f7bd7e32b52bd626f1ce

SHA1
6756c6adf03d4887f8be371954ef9179b2df78cd

SHA256
24f9971debbd864e3ba615a89d2c5b0e818f9ab2be4081499bc877761992c814

SHA512
5b3f55c89056c0bf816c480ed7f8aad943a5ca07bd9b9948f0aa7163664d462c3c46d233ee11dd101ce46dc8a53b29e8341e227fe462e81d29e257a6897a5f3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI81522\_queue.pyd

Filesize
31KB

MD5
06248702a6cd9d2dd20c0b1c6b02174d

SHA1
3f14d8af944fe0d35d17701033ff1501049e856f

SHA256
ac177cd84c12e03e3a68bca30290bc0b8f173eee518ef1fa6a9dce3a3e755a93

SHA512
5b22bbff56a8b48655332ebd77387d307f5c0a526626f3654267a34bc4863d8afaf08ff3946606f3cf00b660530389c37bdfac91843808dbebc7373040fec4c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI81522\_socket.pyd

Filesize
77KB

MD5
26dd19a1f5285712068b9e41808e8fa0

SHA1
90c9a112dd34d45256b4f2ed38c1cbbc9f24dba5

SHA256
eaabf6b78840daeaf96b5bdbf06adf0e4e2994dfeee5c5e27fefd824dbda5220

SHA512
173e1eda05d297d7da2193e8566201f05428437adcac80aecefe80f82d46295b15ce10990b5c080325dc59a432a587eef84a15ec688a62b82493ad501a1e4520

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI81522\_ssl.pyd

Filesize
157KB

MD5
ab0e4fbffb6977d0196c7d50bc76cf2d

SHA1
680e581c27d67cd1545c810dbb175c2a2a4ef714

SHA256
680ad2de8a6cff927822c1d7dd22112a3e8a824e82a7958ee409a7b9ce45ec70

SHA512
2bff84a8ec7a26dde8d1bb09792ead8636009c8ef3fa68300a75420197cd7b6c8eaaf8db6a5f97442723e5228afa62961f002948e0eeee8c957c6517547dffba

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI81522\_tkinter.pyd

Filesize
62KB

MD5
6352db60d88705ce62b5665764529006

SHA1
e7a22fd590661e91dfe5cace1adff17d7a3de5ec

SHA256
4536d9092a366426aa01e1800d9d4de669928bbcb277f2363d54df44da096c31

SHA512
78b19668c82aef75dcdf98fd0b90677f3530cb7e80dc7cfec5640637fecb3e5d4fb38c21051fc305133882d26c6f8ecb03825227a3d66c5045b968bdc624bd2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI81522\base_library.zip

Filesize
1.7MB

MD5
df673df8c5f4b100f5588b8cf1834b68

SHA1
dc82a6a581fc4ad98ef94046753a107f3079e2a8

SHA256
61f8ceeb90d4321ea6b9593627ee414acac0de654327e703c679aebc8c520c6f

SHA512
6836c4bc80a15b89401006d1b061a7ce7c1431b742dcc903bcf027713bf8886189f88e8937dd13bd2c5e21671063adb09939d1c1fcf2db755d8935abd846dc3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI81522\libcrypto-1_1.dll

Filesize
3.3MB

MD5
9d7a0c99256c50afd5b0560ba2548930

SHA1
76bd9f13597a46f5283aa35c30b53c21976d0824

SHA256
9b7b4a0ad212095a8c2e35c71694d8a1764cd72a829e8e17c8afe3a55f147939

SHA512
cb39aa99b9d98c735fdacf1c5ed68a4d09d11f30262b91f6aa48c3f8520eff95e499400d0ce7e280ca7a90ff6d7141d2d893ef0b33a8803a1cadb28ba9a9e3e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI81522\libffi-8.dll

Filesize
38KB

MD5
0f8e4992ca92baaf54cc0b43aaccce21

SHA1
c7300975df267b1d6adcbac0ac93fd7b1ab49bd2

SHA256
eff52743773eb550fcc6ce3efc37c85724502233b6b002a35496d828bd7b280a

SHA512
6e1b223462dc124279bfca74fd2c66fe18b368ffbca540c84e82e0f5bcbea0e10cc243975574fa95ace437b9d8b03a446ed5ee0c9b1b094147cefaf704dfe978

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI81522\libssl-1_1.dll

Filesize
688KB

MD5
bec0f86f9da765e2a02c9237259a7898

SHA1
3caa604c3fff88e71f489977e4293a488fb5671c

SHA256
d74ce01319ae6f54483a19375524aa39d9f5fd91f06cf7df238ca25e043130fd

SHA512
ffbc4e5ffdb49704e7aa6d74533e5af76bbe5db297713d8e59bd296143fe5f145fbb616b343eed3c48eceaccccc2431630470d8975a4a17c37eafcc12edd19f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI81522\pyexpat.pyd

Filesize
194KB

MD5
48e6930e3095f5a2dcf9baa67098acfb

SHA1
ddcd143f386e74e9820a3f838058c4caa7123a65

SHA256
c1ed7017ce55119df27563d470e7dc3fb29234a7f3cd5fc82d317b6fe559300b

SHA512
b50f42f6c7ddbd64bf0ff37f40b8036d253a235fb67693a7f1ed096f5c3b94c2bde67d0db63d84a8c710505a891b43f913e1b1044c42b0f5f333d0fe0386a62c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI81522\pygame\base.cp311-win_amd64.pyd

Filesize
30KB

MD5
58e3a6e70958d266c40f0e34e4e3622b

SHA1
285304368a161da6d49fe77d04bcefa9f954532d

SHA256
e4a4e703d1bcbf8e5d5cf14f16cafdb21db937fb9c8b86fa2a3736ae23db70c9

SHA512
14e68bce1d751594ffaed6adce383f42468fe8917bae05809100558af679e5878a10e1bda4e5b644c894ef018ed1771ffe5bc6a3a03411ac3a70694db1f7b5d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI81522\python3.dll

Filesize
65KB

MD5
7442c154565f1956d409092ede9cc310

SHA1
c72f9c99ea56c8fb269b4d6b3507b67e80269c2d

SHA256
95086ac060ffe6933ac04a6aa289b1c7d321f14380315e24ba0d6c4adfa0842b

SHA512
2bf96828534bcdf71e48d1948b989011d8e3ba757c38cc17905a13d3021ea5deb57e2c68d79507a6acbb62be009cfc85b24d14543958dba1d3bc3e4ca7d4f844

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI81522\python311.dll

Filesize
5.5MB

MD5
e2bd5ae53427f193b42d64b8e9bf1943

SHA1
7c317aad8e2b24c08d3b8b3fba16dd537411727f

SHA256
c4844b05e3a936b130adedb854d3c04d49ee54edb43e9d36f8c4ae94ccb78400

SHA512
ae23a6707e539c619fd5c5b4fc6e4734edc91f89ebe024d25ff2a70168da6105ac0bd47cf6bf3715af6411963caf0acbb4632464e1619ca6361abf53adfe7036

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI81522\select.pyd

Filesize
29KB

MD5
756c95d4d9b7820b00a3099faf3f4f51

SHA1
893954a45c75fb45fe8048a804990ca33f7c072d

SHA256
13e4d9a734a453a3613e11b6a518430099ad7e3d874ea407d1f9625b7f60268a

SHA512
0f54f0262cf8d71f00bf5666eb15541c6ecc5246cd298efd3b7dd39cdd29553a8242d204c42cfb28c537c3d61580153200373c34a94769f102b3baa288f6c398

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI81522\tcl\encoding\cp1252.enc

Filesize
1KB

MD5
e9117326c06fee02c478027cb625c7d8

SHA1
2ed4092d573289925a5b71625cf43cc82b901daf

SHA256
741859cf238c3a63bbb20ec6ed51e46451372bb221cfff438297d261d0561c2e

SHA512
d0a39bc41adc32f2f20b1a0ebad33bf48dfa6ed5cc1d8f92700cdd431db6c794c09d9f08bb5709b394acf54116c3a1e060e2abcc6b503e1501f8364d3eebcd52

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI81522\tk\text.tcl

Filesize
34KB

MD5
7c2ac370de0b941ae13572152419c642

SHA1
7598cc20952fa590e32da063bf5c0f46b0e89b15

SHA256
4a42ad370e0cd93d4133b49788c0b0e1c7cd78383e88bacb51cb751e8bfda15e

SHA512
8325a33bfd99f0fce4f14ed5dc6e03302f6ffabce9d1abfefc24d16a09ab3439a4b753cbf06b28d8c95e4ddabfb9082c9b030619e8955a7e656bd6c61b9256c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI81522\tk\ttk\cursors.tcl

Filesize
4KB

MD5
18ec3e60b8dd199697a41887be6ce8c2

SHA1
13ff8ce95289b802a5247b1fd9dea90d2875cb5d

SHA256
7a2ed9d78fabcafff16694f2f4a2e36ff5aa313f912d6e93484f3bcd0466ad91

SHA512
4848044442efe75bcf1f89d8450c8ecbd441f38a83949a3cd2a56d9000cacaa2ea440ca1b32c856ab79358ace9c7e3f70ddf0ec54aa93866223d8fef76930b19

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI81522\tk\ttk\fonts.tcl

Filesize
5KB

MD5
80331fcbe4c049ff1a0d0b879cb208de

SHA1
4eb3efdfe3731bd1ae9fd52ce32b1359241f13cf

SHA256
b94c319e5a557a5665b1676d602b6495c0887c5bacf7fa5b776200112978bb7b

SHA512
a4bd2d91801c121a880225f1f3d0c4e30bf127190cf375f6f7a49eb4239a35c49c44f453d6d3610df0d6a7b3cb15f4e79bd9c129025cc496ceb856fcc4b6de87

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI81522\tk\ttk\ttk.tcl

Filesize
4KB

MD5
af45b2c8b43596d1bdeca5233126bd14

SHA1
a99e75d299c4579e10fcdd59389b98c662281a26

SHA256
2c48343b1a47f472d1a6b9ee8d670ce7fb428db0db7244dc323ff4c7a8b4f64b

SHA512
c8a8d01c61774321778ab149f6ca8dda68db69133cb5ba7c91938e4fd564160ecdcec473222affb241304a9acc73a36b134b3a602fd3587c711f2adbb64afa80

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI81522\tk\ttk\utils.tcl

Filesize
8KB

MD5
d98edc491da631510f124cd3934f535f

SHA1
33037a966067c9f5c9074ae5532ff3b51b4082d4

SHA256
d58610a34301bb6e61a60bec69a7cecf4c45c6a034a9fc123977174b586278be

SHA512
23faed8298e561f490997fe44ab61cd8ccb9f1f63d48bb4cf51fc9e591e463ff9297973622180d6a599cabb541c82b8fe33bf38a82c5d5905bbfa52ca0341399

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_guxwqo5w.ewm.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\giavbr.exe

Filesize
84KB

MD5
7051dcbe9a0837a312b09a5ae3b42430

SHA1
3553ff8725a57929e438228bf141b695c13cecb4

SHA256
ce750c7054359e9e88556d48f7eea341374b74f494caed48251185b54c9ed644

SHA512
2e82160bff1fbdd6f6a9f0210dfaf831650fdefdf8e3bb70c3c2717122b107ef3610c5c5f55908843df7ba3bd3bbefc40b9d1dda07877083cbd2ab8b090a276c

Download Submit
C:\Users\Admin\AppData\Local\Temp\mtmahd.exe

Filesize
172KB

MD5
bc1bade9688d5f472c5f2df32323161d

SHA1
ebaac201839daf02c53f89a1cd6fa9fd6fb17e5a

SHA256
6eccd34b5fd479c02356e2f27c4a0d4703d4c0a1ba6e2ca079f652f6b8d9a989

SHA512
10520c7e5eff0a817e2ce605891a31498ca912771009543975209d4468250bd889adce1b568278f47a20af745a127e42ec70134c3710f77d9273ce1bf611a08c

Download Submit
C:\Users\Admin\AppData\Local\Temp\qphbnr.exe

Filesize
31.8MB

MD5
1dd78e1d166b8996cebef2335a6a5ff4

SHA1
a5b9d55a7ce0ea5b870c000389f2de11eee10d3c

SHA256
016a3d5b64325ea0d7bb3561cfba8ba43ee937be69c8cd4f26ba8ee1e532d10f

SHA512
9d7bc3a7d493a2b7854caff5739b17faadff1e3330590c9ae089ac4354f31a08d6ed06dc5e2affed0baf3b1a2d04eafe23e67acef03b08be2f7ee7fabe7504f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\uxkiuo.exe

Filesize
114KB

MD5
3f4a16b29f2f0532b7ce3e7656799125

SHA1
61b25d11392172e587d8da3045812a66c3385451

SHA256
1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591

SHA512
32acaceda42128ef9e0a9f36ee2678d2fc296fda2df38629eb223939c8a9352b3bb2b7021bb84e9f223a4a26df57b528a711447b1451213a013fe00f9b971d80

Download Submit
C:\Users\Admin\AppData\Roaming\cvtres.exe

Filesize
45KB

MD5
70d838a7dc5b359c3f938a71fad77db0

SHA1
66b83eb16481c334719eed406bc58a3c2b910923

SHA256
e4dbdbf7888ea96f3f8aa5c4c7f2bcf6e57d724dd8194fe5f35b673c6ef724ea

SHA512
9c9a945db5b5e7ff8105bfe74578e6f00b5f707f7c3d8f1f1fb41553a6d0eab29cef026e77877a1ad6435fa7bc369141921442e1485f2b0894c6bbcbd7791034

Download Submit
memory/1112-51-0x0000000005FD0000-0x00000000061F0000-memory.dmp

Filesize
2.1MB

Download
memory/1112-7-0x0000000005FD0000-0x00000000061F0000-memory.dmp

Filesize
2.1MB

Download
memory/1112-67-0x0000000005FD0000-0x00000000061F0000-memory.dmp

Filesize
2.1MB

Download
memory/1112-69-0x0000000005FD0000-0x00000000061F0000-memory.dmp

Filesize
2.1MB

Download
memory/1112-3169-0x00000000748E0000-0x0000000075091000-memory.dmp

Filesize
7.7MB

Download
memory/1112-3562-0x0000000005740000-0x0000000005750000-memory.dmp

Filesize
64KB

Download
memory/1112-4888-0x00000000062E0000-0x00000000062E1000-memory.dmp

Filesize
4KB

Download
memory/1112-4889-0x0000000006590000-0x00000000065F2000-memory.dmp

Filesize
392KB

Download
memory/1112-4890-0x0000000006600000-0x000000000664C000-memory.dmp

Filesize
304KB

Download
memory/1112-4891-0x0000000005160000-0x00000000051B4000-memory.dmp

Filesize
336KB

Download
memory/1112-0-0x0000000000BB0000-0x0000000000BBE000-memory.dmp

Filesize
56KB

Download
memory/1112-4894-0x00000000748E0000-0x0000000075091000-memory.dmp

Filesize
7.7MB

Download
memory/1112-2-0x0000000005740000-0x0000000005750000-memory.dmp

Filesize
64KB

Download
memory/1112-3-0x0000000005FD0000-0x00000000061F6000-memory.dmp

Filesize
2.1MB

Download
memory/1112-4-0x00000000067D0000-0x0000000006D76000-memory.dmp

Filesize
5.6MB

Download
memory/1112-5-0x0000000006320000-0x00000000063B2000-memory.dmp

Filesize
584KB

Download
memory/1112-63-0x0000000005FD0000-0x00000000061F0000-memory.dmp

Filesize
2.1MB

Download
memory/1112-6-0x0000000005FD0000-0x00000000061F0000-memory.dmp

Filesize
2.1MB

Download
memory/1112-65-0x0000000005FD0000-0x00000000061F0000-memory.dmp

Filesize
2.1MB

Download
memory/1112-9-0x0000000005FD0000-0x00000000061F0000-memory.dmp

Filesize
2.1MB

Download
memory/1112-61-0x0000000005FD0000-0x00000000061F0000-memory.dmp

Filesize
2.1MB

Download
memory/1112-11-0x0000000005FD0000-0x00000000061F0000-memory.dmp

Filesize
2.1MB

Download
memory/1112-13-0x0000000005FD0000-0x00000000061F0000-memory.dmp

Filesize
2.1MB

Download
memory/1112-59-0x0000000005FD0000-0x00000000061F0000-memory.dmp

Filesize
2.1MB

Download
memory/1112-15-0x0000000005FD0000-0x00000000061F0000-memory.dmp

Filesize
2.1MB

Download
memory/1112-17-0x0000000005FD0000-0x00000000061F0000-memory.dmp

Filesize
2.1MB

Download
memory/1112-19-0x0000000005FD0000-0x00000000061F0000-memory.dmp

Filesize
2.1MB

Download
memory/1112-21-0x0000000005FD0000-0x00000000061F0000-memory.dmp

Filesize
2.1MB

Download
memory/1112-23-0x0000000005FD0000-0x00000000061F0000-memory.dmp

Filesize
2.1MB

Download
memory/1112-25-0x0000000005FD0000-0x00000000061F0000-memory.dmp

Filesize
2.1MB

Download
memory/1112-27-0x0000000005FD0000-0x00000000061F0000-memory.dmp

Filesize
2.1MB

Download
memory/1112-57-0x0000000005FD0000-0x00000000061F0000-memory.dmp

Filesize
2.1MB

Download
memory/1112-55-0x0000000005FD0000-0x00000000061F0000-memory.dmp

Filesize
2.1MB

Download
memory/1112-53-0x0000000005FD0000-0x00000000061F0000-memory.dmp

Filesize
2.1MB

Download
memory/1112-29-0x0000000005FD0000-0x00000000061F0000-memory.dmp

Filesize
2.1MB

Download
memory/1112-31-0x0000000005FD0000-0x00000000061F0000-memory.dmp

Filesize
2.1MB

Download
memory/1112-33-0x0000000005FD0000-0x00000000061F0000-memory.dmp

Filesize
2.1MB

Download
memory/1112-35-0x0000000005FD0000-0x00000000061F0000-memory.dmp

Filesize
2.1MB

Download
memory/1112-37-0x0000000005FD0000-0x00000000061F0000-memory.dmp

Filesize
2.1MB

Download
memory/1112-1-0x00000000748E0000-0x0000000075091000-memory.dmp

Filesize
7.7MB

Download
memory/1112-49-0x0000000005FD0000-0x00000000061F0000-memory.dmp

Filesize
2.1MB

Download
memory/1112-47-0x0000000005FD0000-0x00000000061F0000-memory.dmp

Filesize
2.1MB

Download
memory/1112-45-0x0000000005FD0000-0x00000000061F0000-memory.dmp

Filesize
2.1MB

Download
memory/1112-43-0x0000000005FD0000-0x00000000061F0000-memory.dmp

Filesize
2.1MB

Download
memory/1112-41-0x0000000005FD0000-0x00000000061F0000-memory.dmp

Filesize
2.1MB

Download
memory/1112-39-0x0000000005FD0000-0x00000000061F0000-memory.dmp

Filesize
2.1MB

Download
memory/1180-4910-0x0000000006060000-0x000000000606A000-memory.dmp

Filesize
40KB

Download
memory/1180-4896-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1180-4898-0x00000000052A0000-0x0000000005306000-memory.dmp

Filesize
408KB

Download
memory/1180-4895-0x00000000748E0000-0x0000000075091000-memory.dmp

Filesize
7.7MB

Download
memory/1180-4899-0x0000000005170000-0x0000000005180000-memory.dmp

Filesize
64KB

Download
memory/1180-4897-0x0000000005200000-0x000000000529C000-memory.dmp

Filesize
624KB

Download
memory/1180-4908-0x00000000748E0000-0x0000000075091000-memory.dmp

Filesize
7.7MB

Download
memory/1180-4909-0x0000000005170000-0x0000000005180000-memory.dmp

Filesize
64KB

Download
memory/1668-20062-0x0000000001390000-0x00000000013A0000-memory.dmp

Filesize
64KB

Download
memory/1668-19927-0x000000006F2D0000-0x000000006F881000-memory.dmp

Filesize
5.7MB

Download
memory/1668-8491-0x0000000001390000-0x00000000013A0000-memory.dmp

Filesize
64KB

Download
memory/1668-5035-0x000000006F2D0000-0x000000006F881000-memory.dmp

Filesize
5.7MB

Download
memory/1668-4923-0x0000000001390000-0x00000000013A0000-memory.dmp

Filesize
64KB

Download
memory/1668-4922-0x000000006F2D0000-0x000000006F881000-memory.dmp

Filesize
5.7MB

Download
memory/1668-19928-0x000000006F2D0000-0x000000006F881000-memory.dmp

Filesize
5.7MB

Download
memory/1668-19926-0x0000000001390000-0x00000000013A0000-memory.dmp

Filesize
64KB

Download
memory/1668-19929-0x0000000001390000-0x00000000013A0000-memory.dmp

Filesize
64KB

Download
memory/1816-20701-0x00000000009D0000-0x00000000009EC000-memory.dmp

Filesize
112KB

Download
memory/1816-20794-0x0000000004F10000-0x0000000004F20000-memory.dmp

Filesize
64KB

Download
memory/1816-22462-0x00007FF8993C0000-0x00007FF899E82000-memory.dmp

Filesize
10.8MB

Download
memory/1816-20685-0x000000001DB10000-0x000000001E040000-memory.dmp

Filesize
5.2MB

Download
memory/1816-20751-0x000000001E040000-0x000000001E3A6000-memory.dmp

Filesize
3.4MB

Download
memory/1816-20765-0x00007FF8993C0000-0x00007FF899E82000-memory.dmp

Filesize
10.8MB

Download
memory/6228-22111-0x00007FF8993C0000-0x00007FF899E82000-memory.dmp

Filesize
10.8MB

Download
memory/6228-22131-0x0000020CBA960000-0x0000020CBAF8A000-memory.dmp

Filesize
6.2MB

Download
memory/6228-22145-0x0000020CB9B90000-0x0000020CB9D0C000-memory.dmp

Filesize
1.5MB

Download
memory/6228-22129-0x0000020CA16A0000-0x0000020CA16B0000-memory.dmp

Filesize
64KB

Download
memory/6228-22182-0x0000020CBAF90000-0x0000020CBB216000-memory.dmp

Filesize
2.5MB

Download
memory/6228-22128-0x0000020CA16A0000-0x0000020CA16B0000-memory.dmp

Filesize
64KB

Download
memory/6228-22198-0x0000020CB9B60000-0x0000020CB9B82000-memory.dmp

Filesize
136KB

Download
memory/6228-22199-0x0000020CBA8A0000-0x0000020CBA906000-memory.dmp

Filesize
408KB

Download
memory/6228-22200-0x0000020CBB220000-0x0000020CBB286000-memory.dmp

Filesize
408KB

Download
memory/6228-22189-0x0000020CB9AD0000-0x0000020CB9AF4000-memory.dmp

Filesize
144KB

Download
memory/6228-22214-0x0000020CBB290000-0x0000020CBB5FC000-memory.dmp

Filesize
3.4MB

Download
memory/6228-22220-0x0000020CB9D80000-0x0000020CB9DE6000-memory.dmp

Filesize
408KB

Download
memory/6228-22228-0x00007FF8993C0000-0x00007FF899E82000-memory.dmp

Filesize
10.8MB

Download
memory/6228-22127-0x0000020CB99D0000-0x0000020CB9A06000-memory.dmp

Filesize
216KB

Download