rms | 0a976946c1fc20d370f9221c428ea4a799c663d5be5bf6c9610607d84372c1a9

Analysis

max time kernel
150s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
08-10-2024 05:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1fbf1e13343007f3a60fbcca6bfd31fd_JaffaCakes118.exe
Size

2.3MB
MD5

1fbf1e13343007f3a60fbcca6bfd31fd
SHA1

48e54e874d609632a73578d8baf8acca29204afb
SHA256

0a976946c1fc20d370f9221c428ea4a799c663d5be5bf6c9610607d84372c1a9
SHA512

5b79cc008a8b9af3f9033e95280b7d6b1894d767a189e5eb461dc75c806611209a418f171c3dedf0d0fc188b9387a94dffd66074f90c8f8ec8bd21fbba4c7d30
SSDEEP

49152:XmjXBlvQafJMoMApwJ/Y0QuBD266B6tryc51ClzH5DWbnZdo84uuqpwmq:XmHzeApwjQ6pr3yzZDknE8nuBmq

Score

10^/10

rms discovery persistence rat trojan upx

Malware Config

Signatures

RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

1fbf1e13343007f3a60fbcca6bfd31fd_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	1fbf1e13343007f3a60fbcca6bfd31fd_JaffaCakes118.exe

Executes dropped EXE 7 IoCs

Processes:

RManServer.exeRManServer.exeMonitor.exeRManServer.exeRManServer.exeRManFUSClient.exeRManFUSClient.exe

pid process

3420 RManServer.exe
3836 RManServer.exe
3948 Monitor.exe
2580 RManServer.exe
3676 RManServer.exe
1380 RManFUSClient.exe
644 RManFUSClient.exe

pid	process
3420	RManServer.exe
3836	RManServer.exe
3948	Monitor.exe
2580	RManServer.exe
3676	RManServer.exe
1380	RManFUSClient.exe
644	RManFUSClient.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

regedit.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Monitor = "C:\\Windows\\System32\\Monitor.exe -autorun"	regedit.exe

Drops file in System32 directory 29 IoCs

Processes:

cmd.exeRManServer.exeRManServer.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\RManFUSClient.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\dsfVorbisEncoder.dll	cmd.exe
File created	C:\Windows\SysWOW64\HookDrv.dll	cmd.exe
File created	C:\Windows\SysWOW64\msvcp80.dll	cmd.exe
File created	C:\Windows\SysWOW64\RManServer.exe	cmd.exe
File created	C:\Windows\SysWOW64\RManWLN.dll	cmd.exe
File opened for modification	C:\Windows\SysWOW64\dsfTheoraEncoder.dll	cmd.exe
File opened for modification	C:\Windows\SysWOW64\Microsoft.VC80.CRT.manifest	cmd.exe
File opened for modification	C:\Windows\SysWOW64\msvcp80.dll	cmd.exe
File opened for modification	C:\Windows\SysWOW64\RManWLN.dll	RManServer.exe
File created	C:\Windows\SysWOW64\Logs\rom_log_2024.html	RManServer.exe
File opened for modification	C:\Windows\SysWOW64\dsfOggMux.dll	cmd.exe
File created	C:\Windows\SysWOW64\dsfTheoraEncoder.dll	cmd.exe
File opened for modification	C:\Windows\SysWOW64\RManServer.exe	cmd.exe
File created	C:\Windows\SysWOW64\dsfVorbisEncoder.dll	cmd.exe
File created	C:\Windows\SysWOW64\Monitor.exe	cmd.exe
File created	C:\Windows\SysWOW64\msvcr80.dll	cmd.exe
File created	C:\Windows\SysWOW64\RManIpcServer.dll	cmd.exe
File opened for modification	C:\Windows\SysWOW64\RManIpcServer.dll	cmd.exe
File opened for modification	C:\Windows\SysWOW64\msvcr80.dll	cmd.exe
File created	C:\Windows\SysWOW64\PushSource.ax	cmd.exe
File opened for modification	C:\Windows\SysWOW64\HookDrv.dll	cmd.exe
File opened for modification	C:\Windows\SysWOW64\Monitor.exe	cmd.exe
File created	C:\Windows\SysWOW64\Microsoft.VC80.CRT.manifest	cmd.exe
File created	C:\Windows\SysWOW64\dsfOggMux.dll	cmd.exe
File opened for modification	C:\Windows\SysWOW64\RManWLN.dll	cmd.exe
File created	C:\Windows\SysWOW64\RManWLN.dll	RManServer.exe
File opened for modification	C:\Windows\SysWOW64\PushSource.ax	cmd.exe
File created	C:\Windows\SysWOW64\RManFUSClient.exe	cmd.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/2452-0-0x0000000000400000-0x0000000000E3B000-memory.dmp	upx
behavioral2/memory/2452-96-0x0000000000400000-0x0000000000E3B000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

regedit.exeMonitor.exeRManServer.exeRManFUSClient.exeRManFUSClient.exe1fbf1e13343007f3a60fbcca6bfd31fd_JaffaCakes118.execmd.exeregedit.exeRManServer.exereg.exeRManServer.exeRManServer.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Monitor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RManServer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RManFUSClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RManFUSClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1fbf1e13343007f3a60fbcca6bfd31fd_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RManServer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RManServer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RManServer.exe

Runs .reg file with regedit 2 IoCs

Processes:

regedit.exeregedit.exe

pid process

2188 regedit.exe
2504 regedit.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

RManServer.exeRManFUSClient.exe

pid process

3676 RManServer.exe
3676 RManServer.exe
3676 RManServer.exe
3676 RManServer.exe
1380 RManFUSClient.exe
1380 RManFUSClient.exe

pid	process
2188	regedit.exe
2504	regedit.exe

pid	process
3676	RManServer.exe
3676	RManServer.exe
3676	RManServer.exe
3676	RManServer.exe
1380	RManFUSClient.exe
1380	RManFUSClient.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

RManServer.exeRManServer.exeRManServer.exe

description	pid	process
Token: SeDebugPrivilege	3420	RManServer.exe
Token: SeDebugPrivilege	2580	RManServer.exe
Token: SeTakeOwnershipPrivilege	3676	RManServer.exe
Token: SeTcbPrivilege	3676	RManServer.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

1fbf1e13343007f3a60fbcca6bfd31fd_JaffaCakes118.execmd.exeRManServer.exe

description	pid	process	target process
PID 2452 wrote to memory of 2532	2452	1fbf1e13343007f3a60fbcca6bfd31fd_JaffaCakes118.exe	cmd.exe
PID 2452 wrote to memory of 2532	2452	1fbf1e13343007f3a60fbcca6bfd31fd_JaffaCakes118.exe	cmd.exe
PID 2452 wrote to memory of 2532	2452	1fbf1e13343007f3a60fbcca6bfd31fd_JaffaCakes118.exe	cmd.exe
PID 2532 wrote to memory of 2492	2532	cmd.exe	reg.exe
PID 2532 wrote to memory of 2492	2532	cmd.exe	reg.exe
PID 2532 wrote to memory of 2492	2532	cmd.exe	reg.exe
PID 2532 wrote to memory of 3420	2532	cmd.exe	RManServer.exe
PID 2532 wrote to memory of 3420	2532	cmd.exe	RManServer.exe
PID 2532 wrote to memory of 3420	2532	cmd.exe	RManServer.exe
PID 2532 wrote to memory of 3836	2532	cmd.exe	RManServer.exe
PID 2532 wrote to memory of 3836	2532	cmd.exe	RManServer.exe
PID 2532 wrote to memory of 3836	2532	cmd.exe	RManServer.exe
PID 2532 wrote to memory of 2188	2532	cmd.exe	regedit.exe
PID 2532 wrote to memory of 2188	2532	cmd.exe	regedit.exe
PID 2532 wrote to memory of 2188	2532	cmd.exe	regedit.exe
PID 2532 wrote to memory of 2504	2532	cmd.exe	regedit.exe
PID 2532 wrote to memory of 2504	2532	cmd.exe	regedit.exe
PID 2532 wrote to memory of 2504	2532	cmd.exe	regedit.exe
PID 2532 wrote to memory of 3948	2532	cmd.exe	Monitor.exe
PID 2532 wrote to memory of 3948	2532	cmd.exe	Monitor.exe
PID 2532 wrote to memory of 3948	2532	cmd.exe	Monitor.exe
PID 2532 wrote to memory of 2580	2532	cmd.exe	RManServer.exe
PID 2532 wrote to memory of 2580	2532	cmd.exe	RManServer.exe
PID 2532 wrote to memory of 2580	2532	cmd.exe	RManServer.exe
PID 3676 wrote to memory of 1380	3676	RManServer.exe	RManFUSClient.exe
PID 3676 wrote to memory of 1380	3676	RManServer.exe	RManFUSClient.exe
PID 3676 wrote to memory of 1380	3676	RManServer.exe	RManFUSClient.exe
PID 3676 wrote to memory of 644	3676	RManServer.exe	RManFUSClient.exe
PID 3676 wrote to memory of 644	3676	RManServer.exe	RManFUSClient.exe
PID 3676 wrote to memory of 644	3676	RManServer.exe	RManFUSClient.exe

C:\Users\Admin\AppData\Local\Temp\1fbf1e13343007f3a60fbcca6bfd31fd_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1fbf1e13343007f3a60fbcca6bfd31fd_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2452
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\77A1.tmp\Remote Manipulator System - Server.bat" "
  2⤵
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2532
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SYSTEM\Remote Manipulator System" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2492
- - C:\Windows\SysWOW64\RManServer.exe
    "C:\Windows\System32\RManServer.exe" /silentinstall
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:3420
- - C:\Windows\SysWOW64\RManServer.exe
    "C:\Windows\System32\RManServer.exe" /firewall
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3836
- - C:\Windows\SysWOW64\regedit.exe
    regedit /s "settings.reg"
    3⤵
    - System Location Discovery: System Language Discovery
    - Runs .reg file with regedit
    PID:2188
- - C:\Windows\SysWOW64\regedit.exe
    regedit /s "Autorun.reg"
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Runs .reg file with regedit
    PID:2504
- - C:\Windows\SysWOW64\Monitor.exe
    "C:\Windows\System32\Monitor.exe" /start
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3948
- - C:\Windows\SysWOW64\RManServer.exe
    "C:\Windows\System32\RManServer.exe" /start
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2580

C:\Windows\SysWOW64\RManServer.exe
C:\Windows\SysWOW64\RManServer.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3676
- C:\Windows\SysWOW64\RManFUSClient.exe
  "C:\Windows\SysWOW64\RManFUSClient.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1380
- C:\Windows\SysWOW64\RManFUSClient.exe
  C:\Windows\SysWOW64\RManFUSClient.exe /tray
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\77A1.tmp\Autorun.reg

Filesize
338B

MD5
838adedefbfc54ea749dbb3cbf889e04

SHA1
3ab9a263996437a5c9b9a62fa7562c34ee9d730b

SHA256
996b4bed9fefd6a4310292f294d54879dbf9e523f143f94837503710ba7fb542

SHA512
71b5ed6a702628b6b70aca5c7932882922c5630c2a8aa58a1a7896517281efb8b39a997f3bbb6b8e7c2d9bd9a3826538568c07ab1ed2d6ccbde5e00c3db2790a

Download Submit
C:\Users\Admin\AppData\Local\Temp\77A1.tmp\HookDrv.dll

Filesize
174KB

MD5
895d68b21984db50bfbffc88d289f5da

SHA1
2cc6625e1fcdeac9dceb6a0f381f52ba574365a8

SHA256
d3b6c19376b95cb9501181b42b7cbebd44b994d9652ef5fc103eec0d747b8e7d

SHA512
7d4d78b985c13fcd3ea835db7eab5373881257830e2f3f8cac3efc22b1e6d38ac99d1245539cf286beb6f67f077bb2582980c9f7c4250fd8546ff65edabcd68b

Download Submit
C:\Users\Admin\AppData\Local\Temp\77A1.tmp\Microsoft.VC80.CRT.manifest

Filesize
1KB

MD5
d34b3da03c59f38a510eaa8ccc151ec7

SHA1
41b978588a9902f5e14b2b693973cb210ed900b2

SHA256
a50941352cb9d8f7ba6fbf7db5c8af95fb5ab76fc5d60cfd0984e558678908cc

SHA512
231a97761d652a0fc133b930abba07d456ba6cd70703a632fd7292f6ee00e50ef28562159e54acc3fc6cc118f766ea3f2f8392579ae31cc9c0c1c0dd761d36f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\77A1.tmp\Monitor.exe

Filesize
485KB

MD5
34091d46829a8474956451e03ac8bec0

SHA1
e625b1e5154f9946e5434879253fada3b4a55530

SHA256
df9d397b2b3201072a4fff263b094852c4fd41ab174a2ad7ae8e4f98cf273d6c

SHA512
4cbe1ca0b0895a67a520a5478204dd849c0544b0d8cda28014b36262a2ec28e8c2daca1688edb8465e7bd49ace274d6c0711d64f557310c2b7cd9710372b2b79

Download Submit
C:\Users\Admin\AppData\Local\Temp\77A1.tmp\PushSource.ax

Filesize
447KB

MD5
fb755251b8b9ac0f35494854f21ccdbf

SHA1
32de2cbfaf4a6d773f3b94af8e2a6cf66a01eabb

SHA256
ecbc5b49263df7950fd7329dfd44d5ad4da77845ffd1981afe3bd6798e1cd9f5

SHA512
a78d76ebefaa276f811b16b22caf84045982b305c13efb824db8b16b668fe07421486711567bfe83ecd4509a7b2896a0decaff624209c159f5a9e8b3e1dce215

Download Submit
C:\Users\Admin\AppData\Local\Temp\77A1.tmp\RManFUSClient.exe

Filesize
2.5MB

MD5
0af0dfc7b2d726e2c698909d678f267c

SHA1
36b9a69a73e3e28b1b1088403bf8bb3b6fe33d6f

SHA256
046ec1a641abea178947313eadbb9ea4164ef59eed78437234ab6805194cd92c

SHA512
739116edc753e765b730203d4f609c11e541ad964fb83bd0d63f69f962f8827c9e2d17b53b99c3709441beaf94a69d3f24ffbda1cc72856ecda62ceeac8bbf14

Download Submit
C:\Users\Admin\AppData\Local\Temp\77A1.tmp\RManIpcServer.dll

Filesize
124KB

MD5
7d94872e3bbf6b60aec6bfe03f2423d7

SHA1
67dd0a451e5a5247d077ffe347f404a0334b2d10

SHA256
a39ffbec4e0df7ad55467e2954d7cbb47b8116c46e348d419daed65bf55744e7

SHA512
25835b2d7ed18e85ab2939e00c1de66dd7a79dd95c08b692f97f6eb9217cc43a665eeaae5e7d216581ef5fa418353b24fc9f7d9b9ff022a6057b9801968a827b

Download Submit
C:\Users\Admin\AppData\Local\Temp\77A1.tmp\RManServer.exe

Filesize
3.0MB

MD5
275ceaf3c7e10e65bf581d5476e78dba

SHA1
2f1964303f7ff832758b488612b3f91e88e9affb

SHA256
e1c1dd13ecd145a14e5119cdb05b5e2aec12afa77e47f65d864579493af97318

SHA512
a9a2d96320d9e288f7293e9ca675fd8979f474dc85a7a8e504b9e80b0e6e93445912be0a2e98f653324682708a9f2f913d0b474f86f739ee71b17a1e47a8ea83

Download Submit
C:\Users\Admin\AppData\Local\Temp\77A1.tmp\RManWLN.dll

Filesize
311KB

MD5
4ed36e9479243d9426b196f306d21d04

SHA1
e102a9b2a8101b1105f6e3996df3ce6af17f31f4

SHA256
f54a5149b1df0f141ca14844fd38458761ebd43bdd63e7f516a88370ac0c917d

SHA512
46d94a53d0871d7ff728a2b6afd39b83978b37241e7f3e01e0d6e79de57ff81f20e081f4f210efd294ce274e5a79934078de4662d4da974a3279e5d6c93df5af

Download Submit
C:\Users\Admin\AppData\Local\Temp\77A1.tmp\Remote Manipulator System - Server.bat

Filesize
1KB

MD5
b8ca6a242f139d9fc202031e001b2c38

SHA1
9f944dc9596d64ac4cf1cda3095ee49bf46a40e1

SHA256
37e4a95c6e490627c070d3363f263d391740c8e5ac819c834588ac800e79d817

SHA512
0ac5b24778a58679af6210992a78c1d37e8f307a61a283809d356705dd3018ea6c9d65b78d266246ccedccab3e218eec0817e9561e82ef70384cae843a209699

Download Submit
C:\Users\Admin\AppData\Local\Temp\77A1.tmp\dsfOggMux.dll

Filesize
84KB

MD5
65889701199e41ae2abee652a232af6e

SHA1
3f76c39fde130b550013a4f13bfea2862b5628cf

SHA256
ef12a65d861a14aed28480946bc56fce479a21e9beac2983239eac6551d4f32e

SHA512
edbb1a1541a546d69e3fd64047a20613b47b3c08f2b639a53160b825c4a1462c4cc08a7bf417aa2db814f412fb16619c6c0d9364e21cc1c6d753ecf81f1d30f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\77A1.tmp\dsfTheoraEncoder.dll

Filesize
240KB

MD5
5f2fc8a0d96a1e796a4daae9465f5dd6

SHA1
224f13f3cbaa441c0cb6d6300715fda7136408ea

SHA256
f8686d8752801bb21c3d94ebe743758d79b9b59f33589ec8620e75a949d1871f

SHA512
da866275159b434205f259176c3937b7c77b14ed95d052152b05b984909e094bbd3b2702d3e874a4a1e1bc02fc5a8476ea43df8aee43542d56e832eacc8f54ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\77A1.tmp\dsfVorbisEncoder.dll

Filesize
1.6MB

MD5
086a9fd9179aad7911561eeff08cf7e2

SHA1
d390c28376e08769a06a4a8b46609b3a668f728b

SHA256
2cede6701b73a4ddd6422fde157ea54644a3a9598b3ba217cf2b30b595cf6282

SHA512
a98f593a306208da49e57e265daf37d6b1bd9f190fba45d65dd6cfa08801b760f540ea5cc443f9a1512eb5ddc01b1e4e28fc8ddecb9c0f1d42c884c4efaa7193

Download Submit
C:\Users\Admin\AppData\Local\Temp\77A1.tmp\msvcp80.dll

Filesize
541KB

MD5
8c53ccd787c381cd535d8dcca12584d8

SHA1
bc7ce60270a58450596aa3e3e5d0a99f731333d9

SHA256
384aaee2a103f7ed5c3ba59d4fb2ba22313aaa1fbc5d232c29dbc14d38e0b528

SHA512
e86c1426f1ad62d8f9bb1196dee647477f71b9aacafabb181f35e639c105779f95f1576b72c0a9216e876430383b8d44f27748b13c25e0548c254a0f641e4755

Download Submit
C:\Users\Admin\AppData\Local\Temp\77A1.tmp\msvcr80.dll

Filesize
617KB

MD5
1169436ee42f860c7db37a4692b38f0e

SHA1
4ccd15bf2c1b1d541ac883b0f42497e8ced6a5a3

SHA256
9382aaed2db19cd75a70e38964f06c63f19f63c9dfb5a33b0c2d445bb41b6e46

SHA512
e06064eb95a2ab9c3343672072f5b3f5983fc8ea9e5c92f79e50ba2e259d6d5fa8ed97170dea6d0d032ea6c01e074eefaab850d28965c7522fb7e03d9c65eae0

Download Submit
C:\Users\Admin\AppData\Local\Temp\77A1.tmp\settings.reg

Filesize
11KB

MD5
4b3e03d85e20ed8800047413f3546caa

SHA1
2cccd97b59c9f63019d8db1a229ab6ebe25dba78

SHA256
f0535a9f2f48b59c3745350608551164f3ad0d3d82a7a4cd89facae2d98c1c4c

SHA512
3bf439390338642fa9420f57ea0d6f66ff9d20285c2fbbef7d817c1073f7e34a451c9308833a821dcf72d4a392dad335f07dbd385665448c4800718779549fbc

Download Submit
memory/644-100-0x0000000000400000-0x0000000000718000-memory.dmp

Filesize
3.1MB

Download
memory/1380-99-0x0000000000400000-0x0000000000718000-memory.dmp

Filesize
3.1MB

Download
memory/2452-0-0x0000000000400000-0x0000000000E3B000-memory.dmp

Filesize
10.2MB

Download
memory/2452-96-0x0000000000400000-0x0000000000E3B000-memory.dmp

Filesize
10.2MB

Download
memory/2580-95-0x0000000000400000-0x000000000078A000-memory.dmp

Filesize
3.5MB

Download
memory/3420-77-0x00000000027C0000-0x00000000027C1000-memory.dmp

Filesize
4KB

Download
memory/3420-79-0x0000000000400000-0x000000000078A000-memory.dmp

Filesize
3.5MB

Download
memory/3676-98-0x0000000000400000-0x000000000078A000-memory.dmp

Filesize
3.5MB

Download
memory/3836-81-0x00000000008E0000-0x00000000008E1000-memory.dmp

Filesize
4KB

Download
memory/3836-82-0x0000000000400000-0x000000000078A000-memory.dmp

Filesize
3.5MB

Download
memory/3948-88-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download