rms | e1763315e4a75661f19e324cac85ea4b1acbe6ffe2a2dc9441bd6fc2d89f3031

Analysis

max time kernel
13s
max time network
52s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
24/05/2022, 15:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e1763315e4a75661f19e324cac85ea4b1acbe6ffe2a2dc9441bd6fc2d89f3031.exe
Size

6.2MB
MD5

9af294b452c7e6d6b6698595fc25afa1
SHA1

a353d76c5a509b87c3895ffa8b88fbd38d3c4d7c
SHA256

e1763315e4a75661f19e324cac85ea4b1acbe6ffe2a2dc9441bd6fc2d89f3031
SHA512

de4c752d87daf97cdbe639c7323a71941c9a9461d6f7b828f45ad0173442d99292b745a8d92a294ec73e6f2e8e3465bc849df33bfd036ab2a4c69cd30b712f49

Score

10^/10

rms persistence rat trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 3 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Windows\\System64\\1rfusclient.exe, explorer.exe"	e1763315e4a75661f19e324cac85ea4b1acbe6ffe2a2dc9441bd6fc2d89f3031.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe"	1rfusclient.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe"	e1763315e4a75661f19e324cac85ea4b1acbe6ffe2a2dc9441bd6fc2d89f3031.exe

RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms

Executes dropped EXE 3 IoCs

pid	Process
612	1rfusclient.exe
4456	svnhost.exe
4624	svnhost.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	e1763315e4a75661f19e324cac85ea4b1acbe6ffe2a2dc9441bd6fc2d89f3031.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	1rfusclient.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows\CurrentVersion\Run	e1763315e4a75661f19e324cac85ea4b1acbe6ffe2a2dc9441bd6fc2d89f3031.exe
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows\CurrentVersion\Run	1rfusclient.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File created	C:\Windows\Zont911\Tupe.bat	1rfusclient.exe
File created	C:\Windows\System64\1rfusclient.exe	e1763315e4a75661f19e324cac85ea4b1acbe6ffe2a2dc9441bd6fc2d89f3031.exe
File opened for modification	C:\Windows\System64\vp8decoder.dll	1rfusclient.exe
File created	C:\Windows\System64\vp8encoder.dll	1rfusclient.exe
File opened for modification	C:\Windows\System64\svnhost.exe	1rfusclient.exe
File created	C:\Windows\System64\systemsmss.exe	1rfusclient.exe
File created	C:\Windows\System64\svnhost.exe	1rfusclient.exe
File opened for modification	C:\Windows\System64\systemsmss.exe	1rfusclient.exe
File opened for modification	C:\Windows\System64\1rfusclient.exe	e1763315e4a75661f19e324cac85ea4b1acbe6ffe2a2dc9441bd6fc2d89f3031.exe
File created	C:\Windows\Zont911\Regedit.reg	1rfusclient.exe
File created	C:\Windows\Zont911\Home.zip	1rfusclient.exe
File created	C:\Windows\System64\vp8decoder.dll	1rfusclient.exe
File opened for modification	C:\Windows\System64\vp8encoder.dll	1rfusclient.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Runs .reg file with regedit 1 IoCs

pid	Process
5000	regedit.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4428	e1763315e4a75661f19e324cac85ea4b1acbe6ffe2a2dc9441bd6fc2d89f3031.exe
4428	e1763315e4a75661f19e324cac85ea4b1acbe6ffe2a2dc9441bd6fc2d89f3031.exe
4428	e1763315e4a75661f19e324cac85ea4b1acbe6ffe2a2dc9441bd6fc2d89f3031.exe
4428	e1763315e4a75661f19e324cac85ea4b1acbe6ffe2a2dc9441bd6fc2d89f3031.exe
4428	e1763315e4a75661f19e324cac85ea4b1acbe6ffe2a2dc9441bd6fc2d89f3031.exe
4428	e1763315e4a75661f19e324cac85ea4b1acbe6ffe2a2dc9441bd6fc2d89f3031.exe
4428	e1763315e4a75661f19e324cac85ea4b1acbe6ffe2a2dc9441bd6fc2d89f3031.exe
4428	e1763315e4a75661f19e324cac85ea4b1acbe6ffe2a2dc9441bd6fc2d89f3031.exe
4428	e1763315e4a75661f19e324cac85ea4b1acbe6ffe2a2dc9441bd6fc2d89f3031.exe
4428	e1763315e4a75661f19e324cac85ea4b1acbe6ffe2a2dc9441bd6fc2d89f3031.exe
4428	e1763315e4a75661f19e324cac85ea4b1acbe6ffe2a2dc9441bd6fc2d89f3031.exe
4428	e1763315e4a75661f19e324cac85ea4b1acbe6ffe2a2dc9441bd6fc2d89f3031.exe
4428	e1763315e4a75661f19e324cac85ea4b1acbe6ffe2a2dc9441bd6fc2d89f3031.exe
4428	e1763315e4a75661f19e324cac85ea4b1acbe6ffe2a2dc9441bd6fc2d89f3031.exe
4428	e1763315e4a75661f19e324cac85ea4b1acbe6ffe2a2dc9441bd6fc2d89f3031.exe
4428	e1763315e4a75661f19e324cac85ea4b1acbe6ffe2a2dc9441bd6fc2d89f3031.exe
4428	e1763315e4a75661f19e324cac85ea4b1acbe6ffe2a2dc9441bd6fc2d89f3031.exe
4428	e1763315e4a75661f19e324cac85ea4b1acbe6ffe2a2dc9441bd6fc2d89f3031.exe
4428	e1763315e4a75661f19e324cac85ea4b1acbe6ffe2a2dc9441bd6fc2d89f3031.exe
4428	e1763315e4a75661f19e324cac85ea4b1acbe6ffe2a2dc9441bd6fc2d89f3031.exe
4428	e1763315e4a75661f19e324cac85ea4b1acbe6ffe2a2dc9441bd6fc2d89f3031.exe
4428	e1763315e4a75661f19e324cac85ea4b1acbe6ffe2a2dc9441bd6fc2d89f3031.exe
4428	e1763315e4a75661f19e324cac85ea4b1acbe6ffe2a2dc9441bd6fc2d89f3031.exe
4428	e1763315e4a75661f19e324cac85ea4b1acbe6ffe2a2dc9441bd6fc2d89f3031.exe
4428	e1763315e4a75661f19e324cac85ea4b1acbe6ffe2a2dc9441bd6fc2d89f3031.exe
4428	e1763315e4a75661f19e324cac85ea4b1acbe6ffe2a2dc9441bd6fc2d89f3031.exe
4428	e1763315e4a75661f19e324cac85ea4b1acbe6ffe2a2dc9441bd6fc2d89f3031.exe
4428	e1763315e4a75661f19e324cac85ea4b1acbe6ffe2a2dc9441bd6fc2d89f3031.exe
4428	e1763315e4a75661f19e324cac85ea4b1acbe6ffe2a2dc9441bd6fc2d89f3031.exe
4428	e1763315e4a75661f19e324cac85ea4b1acbe6ffe2a2dc9441bd6fc2d89f3031.exe
4428	e1763315e4a75661f19e324cac85ea4b1acbe6ffe2a2dc9441bd6fc2d89f3031.exe
4428	e1763315e4a75661f19e324cac85ea4b1acbe6ffe2a2dc9441bd6fc2d89f3031.exe
4428	e1763315e4a75661f19e324cac85ea4b1acbe6ffe2a2dc9441bd6fc2d89f3031.exe
4428	e1763315e4a75661f19e324cac85ea4b1acbe6ffe2a2dc9441bd6fc2d89f3031.exe
4428	e1763315e4a75661f19e324cac85ea4b1acbe6ffe2a2dc9441bd6fc2d89f3031.exe
4428	e1763315e4a75661f19e324cac85ea4b1acbe6ffe2a2dc9441bd6fc2d89f3031.exe
4428	e1763315e4a75661f19e324cac85ea4b1acbe6ffe2a2dc9441bd6fc2d89f3031.exe
4428	e1763315e4a75661f19e324cac85ea4b1acbe6ffe2a2dc9441bd6fc2d89f3031.exe
4428	e1763315e4a75661f19e324cac85ea4b1acbe6ffe2a2dc9441bd6fc2d89f3031.exe
4428	e1763315e4a75661f19e324cac85ea4b1acbe6ffe2a2dc9441bd6fc2d89f3031.exe
4428	e1763315e4a75661f19e324cac85ea4b1acbe6ffe2a2dc9441bd6fc2d89f3031.exe
4428	e1763315e4a75661f19e324cac85ea4b1acbe6ffe2a2dc9441bd6fc2d89f3031.exe
4428	e1763315e4a75661f19e324cac85ea4b1acbe6ffe2a2dc9441bd6fc2d89f3031.exe
4428	e1763315e4a75661f19e324cac85ea4b1acbe6ffe2a2dc9441bd6fc2d89f3031.exe
4428	e1763315e4a75661f19e324cac85ea4b1acbe6ffe2a2dc9441bd6fc2d89f3031.exe
4428	e1763315e4a75661f19e324cac85ea4b1acbe6ffe2a2dc9441bd6fc2d89f3031.exe
4428	e1763315e4a75661f19e324cac85ea4b1acbe6ffe2a2dc9441bd6fc2d89f3031.exe
4428	e1763315e4a75661f19e324cac85ea4b1acbe6ffe2a2dc9441bd6fc2d89f3031.exe
4428	e1763315e4a75661f19e324cac85ea4b1acbe6ffe2a2dc9441bd6fc2d89f3031.exe
4428	e1763315e4a75661f19e324cac85ea4b1acbe6ffe2a2dc9441bd6fc2d89f3031.exe
4428	e1763315e4a75661f19e324cac85ea4b1acbe6ffe2a2dc9441bd6fc2d89f3031.exe
4428	e1763315e4a75661f19e324cac85ea4b1acbe6ffe2a2dc9441bd6fc2d89f3031.exe
4428	e1763315e4a75661f19e324cac85ea4b1acbe6ffe2a2dc9441bd6fc2d89f3031.exe
4428	e1763315e4a75661f19e324cac85ea4b1acbe6ffe2a2dc9441bd6fc2d89f3031.exe
4428	e1763315e4a75661f19e324cac85ea4b1acbe6ffe2a2dc9441bd6fc2d89f3031.exe
4428	e1763315e4a75661f19e324cac85ea4b1acbe6ffe2a2dc9441bd6fc2d89f3031.exe
4428	e1763315e4a75661f19e324cac85ea4b1acbe6ffe2a2dc9441bd6fc2d89f3031.exe
4428	e1763315e4a75661f19e324cac85ea4b1acbe6ffe2a2dc9441bd6fc2d89f3031.exe
4428	e1763315e4a75661f19e324cac85ea4b1acbe6ffe2a2dc9441bd6fc2d89f3031.exe
4428	e1763315e4a75661f19e324cac85ea4b1acbe6ffe2a2dc9441bd6fc2d89f3031.exe
4428	e1763315e4a75661f19e324cac85ea4b1acbe6ffe2a2dc9441bd6fc2d89f3031.exe
4428	e1763315e4a75661f19e324cac85ea4b1acbe6ffe2a2dc9441bd6fc2d89f3031.exe
4428	e1763315e4a75661f19e324cac85ea4b1acbe6ffe2a2dc9441bd6fc2d89f3031.exe
4428	e1763315e4a75661f19e324cac85ea4b1acbe6ffe2a2dc9441bd6fc2d89f3031.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4456	svnhost.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4456	svnhost.exe
4624	svnhost.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4428 wrote to memory of 612	4428	e1763315e4a75661f19e324cac85ea4b1acbe6ffe2a2dc9441bd6fc2d89f3031.exe	81
PID 4428 wrote to memory of 612	4428	e1763315e4a75661f19e324cac85ea4b1acbe6ffe2a2dc9441bd6fc2d89f3031.exe	81
PID 4428 wrote to memory of 612	4428	e1763315e4a75661f19e324cac85ea4b1acbe6ffe2a2dc9441bd6fc2d89f3031.exe	81
PID 612 wrote to memory of 5000	612	1rfusclient.exe	82
PID 612 wrote to memory of 5000	612	1rfusclient.exe	82
PID 612 wrote to memory of 5000	612	1rfusclient.exe	82
PID 612 wrote to memory of 1068	612	1rfusclient.exe	89
PID 612 wrote to memory of 1068	612	1rfusclient.exe	89
PID 612 wrote to memory of 1068	612	1rfusclient.exe	89
PID 1068 wrote to memory of 2924	1068	cmd.exe	86
PID 1068 wrote to memory of 2924	1068	cmd.exe	86
PID 1068 wrote to memory of 2924	1068	cmd.exe	86
PID 1068 wrote to memory of 4456	1068	cmd.exe	84
PID 1068 wrote to memory of 4456	1068	cmd.exe	84
PID 1068 wrote to memory of 4456	1068	cmd.exe	84
PID 1068 wrote to memory of 4624	1068	cmd.exe	85
PID 1068 wrote to memory of 4624	1068	cmd.exe	85
PID 1068 wrote to memory of 4624	1068	cmd.exe	85

C:\Users\Admin\AppData\Local\Temp\e1763315e4a75661f19e324cac85ea4b1acbe6ffe2a2dc9441bd6fc2d89f3031.exe
"C:\Users\Admin\AppData\Local\Temp\e1763315e4a75661f19e324cac85ea4b1acbe6ffe2a2dc9441bd6fc2d89f3031.exe"
1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4428
- C:\Windows\System64\1rfusclient.exe
  "C:\Windows\System64\1rfusclient.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Checks computer location settings
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:612
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "C:\Windows\Zont911\Regedit.reg"
    3⤵
    - Runs .reg file with regedit
    PID:5000
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Windows\Zont911\Tupe.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1068

C:\Windows\System64\svnhost.exe
"C:\Windows\System64\svnhost.exe" /silentinstall
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4456

C:\Windows\System64\svnhost.exe
"C:\Windows\System64\svnhost.exe" /firewall
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4624

C:\Windows\SysWOW64\chcp.com
Chcp 1251
1⤵
PID:2924

C:\Windows\System64\svnhost.exe
"C:\Windows\System64\svnhost.exe" /start
1⤵
PID:4548

C:\Windows\System64\svnhost.exe
C:\Windows\System64\svnhost.exe
1⤵
PID:4592
- C:\Windows\System64\systemsmss.exe
  C:\Windows\System64\systemsmss.exe /tray
  2⤵
  PID:4168
- C:\Windows\System64\systemsmss.exe
  C:\Windows\System64\systemsmss.exe
  2⤵
  PID:392

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System64\1rfusclient.exe

Filesize
1.9MB

MD5
a0b708127a0403a75a95806f1af163df

SHA1
118d847afcb31922f6ad61c3b3648ce85e534f99

SHA256
f1d6d99ada408318c23dc3e49428d948e32b2d28d0eae42ccc5171c41f09bf20

SHA512
d3d2fd9c240147de9a45b2255cc87efc2489039c3fc54ee4ff5e3db885037a46cc3b0e9d0ecff0c74f03e8ed2c5e50d108233398bd8f2d6ca26e1ec1640f8a2f

Download Submit
C:\Windows\System64\1rfusclient.exe

Filesize
1.4MB

MD5
ffd51c3360673861ffe8707d485d7b92

SHA1
2ec3835362f3235b9fe89f3ddaace913d8f295c4

SHA256
bb6568784419b583af9d051c99f738a28a0117e2dafe4ab0622a4dcade3604c5

SHA512
e243daea811c0bd8524b8abdb5f7b7035e4ed7818703e236450c62e2088383e93518f94225fca80319b4abeed4aa83bab17b6ef3bef7cf005845a10c42c1f335

Download Submit
C:\Windows\System64\svnhost.exe

Filesize
105KB

MD5
56bde384771a737cce7feeb1229552b5

SHA1
ecf2c606e4aa53b86111eb5bdbc5993ce6af999d

SHA256
72ebccfc4372aaba5564f6047000ef0d5057678071c74e5827dfcdbe851e3a00

SHA512
519cd53fcf72e4f57207189373f52dc08bb79ac94ec790551b02b215edabfe6b15328545045e57fabda58332c9d73c6521aa474e794125a45790add17ef7ec49

Download Submit
C:\Windows\System64\svnhost.exe

Filesize
185KB

MD5
eff2960c522fbc1ec1deb32b1d931b89

SHA1
0d30c59616e8150b14ed8fdd3fd7406cbbded01a

SHA256
9514c6d30abe5463c5562f0cc25c2364be3b878db2ed13590b35a630bd5014ba

SHA512
8c03af8adad589be55770c40e5254493c2ef42a5cd2da4a3950ae94a7047ea4f33777bd8ff35172a07d4d72b3320db53a080f867adb4c7d5128f953f504beb83

Download Submit
C:\Windows\System64\svnhost.exe

Filesize
187KB

MD5
20d6500b26914c05af02ccfb302b1aed

SHA1
2ca29f54df7f738429eebe4f18616d87d0d565ce

SHA256
cf5b108ca926be2ebfb44818d4f8c8428acbbe0ba540418778b53b01b92073d5

SHA512
0aa54e6978b66884e247bd0ef784f9b13186f4ad54c9a87fc213bcb37263c48fdea6b434c9559911b0cd80e161a39005942b5ab4d0a4f8a79108c227372ea798

Download Submit
C:\Windows\System64\svnhost.exe

Filesize
149KB

MD5
c45f6daaf6072d69e376cd4ad47d63bf

SHA1
a87f05e72d50a57879933f5341287d3488bf1e77

SHA256
dc65cec19d603561ab9f9bf9025bdc1a6e33d5bf08ab3b40b19b3516ce5dbba2

SHA512
4ef76c59b132d995f83de39309f1667efcb1a24b65f9af71b7d1d76914bc1d6fc5d05c5a245ec204380242071e37e770bb0a77089d2591118f6214628329d6c9

Download Submit
C:\Windows\System64\svnhost.exe

Filesize
175KB

MD5
73351b6944337f2ad144ef9d2b015570

SHA1
0c9467c7034569c5e7d6a0f44d932e957cc874f5

SHA256
22bf534da472b0019e2502fb66e8b0269292a43a22755cd7ca101b281415d740

SHA512
16f80d9fa6e8dd2c2f78b2130f4ae764396d845c96b8bff4e2e967c05f8bcd8ca674eb4c62ca988a09fbddd0dabc8fbd69650b314112c1a711b7abda043b1a71

Download Submit
C:\Windows\System64\systemsmss.exe

Filesize
135KB

MD5
ad243eac725efe2e56fef5f0957d50e6

SHA1
d5faa676499475fa40949c010a1645a85a495193

SHA256
a07e0e66ac804a0c8022c163dcd80852ea0a942bb26bcffa3a15c74e1f6d27a8

SHA512
6b5e4c3e81d8a1402f01c3838cc85ad7538893c6bc0c902cfeadd944edd343be24e441847443bf13ee6b01e26d15fb483e651428c1a5652fd057dbfd0e605dfc

Download Submit
C:\Windows\System64\systemsmss.exe

Filesize
195KB

MD5
0f72af047b95135a8eb6137815208e3e

SHA1
ab0a087eea06421fce4e1ca01882ea2e26420faa

SHA256
077b24c80f819e84eca5dd99d5a5ae7a211daf7fd5e916aaa1deda7ce0af741f

SHA512
3259f836fc8d1afa563699a5ed6758c0c74a6fe769e32175cd548714cd67f7ad5d442f6463fe01481681437c2fbaee9e5e8070f2e7980865b68662f950f3ee6c

Download Submit
C:\Windows\System64\systemsmss.exe

Filesize
136KB

MD5
1ca3c052eb42fd72e2492a85c26ea4d2

SHA1
57990711b6e0a47f85f095bceef1fc24addaf8f7

SHA256
1e000013585fe39f9e1e2f90872740ac449f671979c1800709ca3d2d92cb2d2f

SHA512
f7da3b132836a4c2e5a1f92fcf36e8ac93e9d7a7a115018d71f5a692f606327b7e36180e7206b1c65a1df5eb03b8acaa2e9e58159680c346b3d1cfd1623a56b2

Download Submit
C:\Windows\System64\vp8decoder.dll

Filesize
139KB

MD5
5b3b95305455ade889ced37278a7edea

SHA1
041ba16b04ca153ea8e0cb5aee753430c66522c2

SHA256
438931666f33395fa5940ad444045f151d34963c88e449d2acec94aac240ff3a

SHA512
13a2b6de51a3ab29a9b10569cf07fcf5e8130fa583769d1653276b0c46d4bb6360e6b8f39e89e9397d30c4e4a5f90d3b09e1990f58cfb81ea805f6e01ad3e202

Download Submit
C:\Windows\System64\vp8encoder.dll

Filesize
227KB

MD5
8f5756802a389d8061ed4685f0af9eb6

SHA1
419215ed1696083ffdfdd74cfd7983a9832410b6

SHA256
1f86cf082d5c1060561b696c6bb57d398d55d6187c240c99fe3c8c306012bced

SHA512
65e55a1d13071ffb3ffda881d7e1a7781fda054b84ac365220409c1b9e5d3b5a9256b0e3d5f2904f8080dd319a59ddd49c069f904658eec4f0bacfb0263d4fbd

Download Submit
C:\Windows\Zont911\Regedit.reg

Filesize
11KB

MD5
197ede8c427e5b375c6e8c5b0cc6da21

SHA1
8068ff6e5750931b323b66c8a5d7ae844bf4f7ae

SHA256
1360100a21148dc3073474ea2ac0aa7c3eca89290901421d2b78d5452c26aa0f

SHA512
7a578298169b2f5ebcfdea41d7c871d1397407079f39905572a14bd89132f516cff7c35273d3591a7edb42d178dbab1cc96cda200a358b8459b5b35190d65ab7

Download Submit
C:\Windows\Zont911\Tupe.bat

Filesize
281B

MD5
020d7ae318d01b6d0d92aa48ef198e82

SHA1
709c08b071bd6cf789ed6667b4f7c957338e81aa

SHA256
6fbce5a6530fe597afa45f71efba019f881765e26eeaa964d653c266e609593e

SHA512
b1ac136d59539f72773d9d3aa190e2d87e9ed8d909e6e8c3c5a6e8feb737543855e72a592429ef4372edb3cdd1fc67537b8e058da56b8d7517d8a57e753fcef0

Download Submit