Analysis

  • max time kernel
    147s
  • max time network
    141s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    02-02-2025 04:11

General

  • Target

    JaffaCakes118_78db881af6d41d8ce120db6dfe104f24.exe

  • Size

    2.4MB

  • MD5

    78db881af6d41d8ce120db6dfe104f24

  • SHA1

    1519b9fcc1f17b90a88acbfc089b5d2f76f21bad

  • SHA256

    b644b71318ac3f1a5c01249c65bcc490ef7cffe13925c1e8e200eecd91df6c9c

  • SHA512

    ea19d704961651c5fdac730f47b1470a9816dad13d9a3b67c6116eb6a778d8823a479d930676105172cea9fe235dd45f9993e12a228b984a43b5299a18866f58

  • SSDEEP

    49152:d7K+TDiZtK4JnUTTbd7xnXTPTntYmzZfv+3nmRVHdA0IyDmAHA5Z4/:deLtKzRpX/tzVc0bIyawA5Z4/

Malware Config

Signatures

  • Disables service(s) 3 TTPs
  • RMS

    Remote Manipulator System (RMS) is a remote access tool developed by the Russian organization TektonIT. In this run the outer sample is a 7-Zip self-extracting archive (it drops 7ZSfx000.cmd) that writes setup.exe under C:\Program Files (x86)\Company\NewProduct; setup.exe in turn runs stop.js and install.bat, which copy the RMS host (rutserv.exe) and its client component (rfusclient.exe) into C:\Windows\SysWOW64\catroot3, a directory named to look like the legitimate catroot and catroot2 certificate-catalog folders, and register the host as a service with "rutserv.exe /silentinstall".

  • Rms family
  • Indicator Removal: Network Share Connection Removal 1 TTPs 2 IoCs

    Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation. The command this signature matched here is "net user HelpAssistant /delete", which removes the local HelpAssistant account (the account Windows Remote Assistance uses) rather than a network share; the paired "reg delete ...\Winlogon\SpecialAccounts\UserList /v HelpAssistant" removes the setting that hid that account from the logon screen, so the batch is cleaning up a previous installation's hidden account before installing its own.

  • Modifies Windows Firewall 2 TTPs 8 IoCs
  • Sets file to hidden 1 TTPs 5 IoCs

    Modifies file attributes (+s +h) so the file no longer shows in Explorer or in a default directory listing.

  • Executes dropped EXE 8 IoCs
  • Loads dropped DLL 12 IoCs
  • Drops file in System32 directory 31 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utility to control services on the system; here it sets the Telnet service (tlntsvr) to disabled.

  • Command and Scripting Interpreter: JavaScript 1 TTPs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 24 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system. The signature is triggered by netsh.exe execution; every netsh command line recorded in this run deletes a Windows Firewall rule or port opening, and none of them registers a helper DLL.

  • System Location Discovery: System Language Discovery 1 TTPs 58 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Kills process with taskkill 5 IoCs
  • Modifies registry key 1 TTPs 2 IoCs
  • Runs .reg file with regedit 1 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Views/modifies file attributes 1 TTPs 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_78db881af6d41d8ce120db6dfe104f24.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_78db881af6d41d8ce120db6dfe104f24.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2380
    • C:\Program Files (x86)\Company\NewProduct\setup.exe
      "C:\Program Files (x86)\Company\NewProduct\setup.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:316
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\stop.js"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2204
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c ""C:\Users\Admin\AppData\Local\Temp\install.bat" "
          4⤵
          • Loads dropped DLL
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2864
          • C:\Windows\SysWOW64\taskkill.exe
            taskkill /f /im RManServer.exe
            5⤵
            • System Location Discovery: System Language Discovery
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:1572
          • C:\Windows\SysWOW64\taskkill.exe
            taskkill /f /im rutserv.exe
            5⤵
            • System Location Discovery: System Language Discovery
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:2948
          • C:\Windows\SysWOW64\reg.exe
            reg delete "HKLM\SYSTEM\Remote Manipulator System" /f
            5⤵
            • System Location Discovery: System Language Discovery
            PID:1708
          • C:\Windows\SysWOW64\attrib.exe
            attrib +s +h "C:\Windows\System32\catroot3"
            5⤵
            • Sets file to hidden
            • Drops file in System32 directory
            • System Location Discovery: System Language Discovery
            • Views/modifies file attributes
            PID:1916
          • C:\Windows\SysWOW64\attrib.exe
            attrib +s +h +r "C:\Users\Admin\AppData\Local\Temp/block_reader.sys"
            5⤵
            • Sets file to hidden
            • System Location Discovery: System Language Discovery
            • Views/modifies file attributes
            PID:276
          • C:\Windows\SysWOW64\attrib.exe
            attrib +s +h +r "C:\Users\Admin\AppData\Local\Temp/realip.exe"
            5⤵
            • Sets file to hidden
            • System Location Discovery: System Language Discovery
            • Views/modifies file attributes
            PID:984
          • C:\Windows\SysWOW64\attrib.exe
            attrib +s +h +r "C:\Users\Admin\AppData\Local\Temp\stop.js"
            5⤵
            • Sets file to hidden
            • System Location Discovery: System Language Discovery
            • Views/modifies file attributes
            PID:1812
          • C:\Windows\SysWOW64\attrib.exe
            attrib +s +h +r "C:\Users\Admin\AppData\Local\Temp\install.bat"
            5⤵
            • Sets file to hidden
            • System Location Discovery: System Language Discovery
            • Views/modifies file attributes
            PID:1500
          • C:\Windows\SysWOW64\net.exe
            net stop rserver3
            5⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:1528
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop rserver3
              6⤵
              • System Location Discovery: System Language Discovery
              PID:1624
          • C:\Windows\SysWOW64\taskkill.exe
            taskkill /f /im rserver3.exe
            5⤵
            • System Location Discovery: System Language Discovery
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:2824
          • C:\Windows\SysWOW64\taskkill.exe
            taskkill /f /im r_server.exe
            5⤵
            • System Location Discovery: System Language Discovery
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:1060
          • C:\Windows\SysWOW64\taskkill.exe
            taskkill /f /im cam_server.exe
            5⤵
            • System Location Discovery: System Language Discovery
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:2804
          • C:\Windows\SysWOW64\attrib.exe
            attrib -s -h -r "C:\Windows\system32\cam_server.exe"
            5⤵
            • System Location Discovery: System Language Discovery
            • Views/modifies file attributes
            PID:1124
          • C:\Windows\SysWOW64\attrib.exe
            attrib -s -h -r "C:\Windows\SysWOW64\cam_server.exe"
            5⤵
            • System Location Discovery: System Language Discovery
            • Views/modifies file attributes
            PID:1956
          • C:\Windows\SysWOW64\attrib.exe
            attrib -s -h "C:\Windows\system32\rserver30"
            5⤵
            • System Location Discovery: System Language Discovery
            • Views/modifies file attributes
            PID:1260
          • C:\Windows\SysWOW64\attrib.exe
            attrib -s -h "C:\Windows\SysWOW64\rserver30"
            5⤵
            • System Location Discovery: System Language Discovery
            • Views/modifies file attributes
            PID:1184
          • C:\Windows\SysWOW64\attrib.exe
            attrib -s -h -r "C:\Windows\system32\r_server.exe"
            5⤵
            • System Location Discovery: System Language Discovery
            • Views/modifies file attributes
            PID:1712
          • C:\Windows\SysWOW64\attrib.exe
            attrib -s -h -r "C:\Windows\SysWOW64\r_server.exe"
            5⤵
            • System Location Discovery: System Language Discovery
            • Views/modifies file attributes
            PID:948
          • C:\Windows\SysWOW64\net.exe
            net stop Telnet
            5⤵
            • System Location Discovery: System Language Discovery
            PID:1352
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop Telnet
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2480
          • C:\Windows\SysWOW64\sc.exe
            sc config tlntsvr start= disabled
            5⤵
            • Launches sc.exe
            • System Location Discovery: System Language Discovery
            PID:1148
          • C:\Windows\SysWOW64\net.exe
            net stop "Service Host Controller"
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2688
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Service Host Controller"
              6⤵
              • System Location Discovery: System Language Discovery
              PID:608
          • C:\Windows\SysWOW64\net.exe
            net user HelpAssistant /delete
            5⤵
            • Indicator Removal: Network Share Connection Removal
            • System Location Discovery: System Language Discovery
            PID:772
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 user HelpAssistant /delete
              6⤵
              • Indicator Removal: Network Share Connection Removal
              • System Location Discovery: System Language Discovery
              PID:1380
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks /delete /tn security /f
            5⤵
            • System Location Discovery: System Language Discovery
            PID:1544
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall delete rule name="RealIP"
            5⤵
            • Modifies Windows Firewall
            • Event Triggered Execution: Netsh Helper DLL
            • System Location Discovery: System Language Discovery
            PID:1880
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall delete rule name="Microsoft Outlook Express"
            5⤵
            • Modifies Windows Firewall
            • Event Triggered Execution: Netsh Helper DLL
            • System Location Discovery: System Language Discovery
            PID:2024
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall delete rule name="Service Host Controller"
            5⤵
            • Modifies Windows Firewall
            • Event Triggered Execution: Netsh Helper DLL
            • System Location Discovery: System Language Discovery
            PID:944
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall delete rule name="ò«ßΓ-»α«µÑßß ñ½∩ ß½πªí Windows"
            (rule name is CP866 Cyrillic rendered through the en-US OEM code page 437: Хост-процесс для служб Windows, "Host Process for Windows Services")
            5⤵
            • Modifies Windows Firewall
            • Event Triggered Execution: Netsh Helper DLL
            • System Location Discovery: System Language Discovery
            PID:2168
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall delete rule name="ò«ßΓ-»α«µÑßß ñ½∩ ºáñáτ Windows"
            (rule name is CP866 Cyrillic rendered through the en-US OEM code page 437: Хост-процесс для задач Windows, "Host Process for Windows Tasks")
            5⤵
            • Modifies Windows Firewall
            • Event Triggered Execution: Netsh Helper DLL
            • System Location Discovery: System Language Discovery
            PID:1696
          • C:\Windows\SysWOW64\netsh.exe
            netsh firewall delete portopening tcp 57009
            5⤵
            • Modifies Windows Firewall
            • Event Triggered Execution: Netsh Helper DLL
            • System Location Discovery: System Language Discovery
            PID:2420
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall delete rule name="cam_server"
            5⤵
            • Modifies Windows Firewall
            • Event Triggered Execution: Netsh Helper DLL
            • System Location Discovery: System Language Discovery
            PID:2140
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall delete portopening tcp 57011 all
            (delete portopening is a verb of the legacy "netsh firewall" context, not of "advfirewall firewall", so netsh rejects this command)
            5⤵
            • Modifies Windows Firewall
            • Event Triggered Execution: Netsh Helper DLL
            • System Location Discovery: System Language Discovery
            PID:2052
          • C:\Windows\SysWOW64\reg.exe
            reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run /v "Ä»Ñαᵿ«¡¡á∩ ß¿ßΓѼá Microsoft Windows" /f
            (value name is CP866 Cyrillic rendered through the en-US OEM code page 437: Операционная система Microsoft Windows, "Microsoft Windows Operating System")
            5⤵
            • System Location Discovery: System Language Discovery
            • Modifies registry key
            PID:2340
          • C:\Windows\SysWOW64\reg.exe
            reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run /v "Service Host Controller" /f
            5⤵
            • System Location Discovery: System Language Discovery
            • Modifies registry key
            PID:2952
          • C:\Windows\SysWOW64\reg.exe
            reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v HelpAssistant /f
            5⤵
            • System Location Discovery: System Language Discovery
            PID:548
          • C:\Windows\SysWOW64\reg.exe
            reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "cam_server.exe" /f
            5⤵
            • System Location Discovery: System Language Discovery
            PID:1860
          • C:\Windows\SysWOW64\reg.exe
            reg delete "HKLM\System\CurrentControlSet\Services\RServer3" /f
            5⤵
            • System Location Discovery: System Language Discovery
            PID:1912
          • C:\Windows\SysWOW64\catroot3\rutserv.exe
            "rutserv.exe" /silentinstall
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Drops file in System32 directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            PID:884
          • C:\Windows\SysWOW64\catroot3\rutserv.exe
            "rutserv.exe" /firewall
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            PID:1616
          • C:\Windows\SysWOW64\regedit.exe
            regedit /s set.reg
            5⤵
            • System Location Discovery: System Language Discovery
            • Runs .reg file with regedit
            PID:1588
          • C:\Windows\SysWOW64\catroot3\rutserv.exe
            "rutserv.exe" /start
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            PID:1556
          • C:\Windows\SysWOW64\attrib.exe
            attrib -s -h -r "C:\Users\Admin\AppData\Local\Temp/block_reader.sys"
            5⤵
            • System Location Discovery: System Language Discovery
            • Views/modifies file attributes
            PID:2832
          • C:\Windows\SysWOW64\attrib.exe
            attrib -s -h -r "C:\Users\Admin\AppData\Local\Temp/HookLib.dll"
            5⤵
            • System Location Discovery: System Language Discovery
            • Views/modifies file attributes
            PID:2596
          • C:\Windows\SysWOW64\attrib.exe
            attrib -s -h -r "C:\Users\Admin\AppData\Local\Temp/realip.exe"
            5⤵
            • System Location Discovery: System Language Discovery
            • Views/modifies file attributes
            PID:2216
          • C:\Windows\SysWOW64\attrib.exe
            attrib -s -h -r "C:\Users\Admin\AppData\Local\Temp\stop.js"
            5⤵
            • System Location Discovery: System Language Discovery
            • Views/modifies file attributes
            PID:2636
          • C:\Windows\SysWOW64\attrib.exe
            attrib -s -h -r "C:\Users\Admin\AppData\Local\Temp\install.bat"
            5⤵
            • System Location Discovery: System Language Discovery
            • Views/modifies file attributes
            PID:2628
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd" "
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1256
  • C:\Windows\SysWOW64\catroot3\rutserv.exe
    C:\Windows\SysWOW64\catroot3\rutserv.exe
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:1732
    • C:\Windows\SysWOW64\catroot3\rfusclient.exe
      C:\Windows\SysWOW64\catroot3\rfusclient.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2776
      • C:\Windows\SysWOW64\catroot3\rfusclient.exe
        C:\Windows\SysWOW64\catroot3\rfusclient.exe /tray
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        PID:1256
    • C:\Windows\SysWOW64\catroot3\rfusclient.exe
      C:\Windows\SysWOW64\catroot3\rfusclient.exe /tray
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:2812
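
As an added example (not part of the sandbox report, and not RMS or TektonIT code), the following Python runs a handful of behavioural rules over process-creation events constructed from the command lines in the tree above and correlates the hits by parent PID, so the install.bat chain is flagged as a whole rather than as isolated taskkill or netsh noise. The event shape (pid, ppid, image, cmd), the rule names and the min_rules threshold are assumptions; the ATT&CK technique IDs are the standard ones. It also carries the CP437 to CP866 round trip that recovers the Cyrillic firewall-rule names the en-US sandbox recorded as mojibake, so the same rule matches a Russian-locale host.

```python
"""Behavioural detection for the RMS silent-install chain in the process tree above.
Added example, not part of the sandbox report. The event shape (pid, ppid, image, cmd) is an
assumption modelled on a Sysmon Event ID 1 / Security 4688 record; SAMPLE_EVENTS is constructed
from command lines recorded in the report plus one benign netsh event for contrast.
Each rule returns (rule_name, ATT&CK technique, detail) on a match, otherwise None."""
import re
from collections import defaultdict

# RMS host/client binaries, plus the other remote-access executables install.bat kills first.
RMS_BINARIES = {"rutserv.exe", "rfusclient.exe", "rmanserver.exe"}
RIVAL_PROCESSES = RMS_BINARIES | {"rserver3.exe", "r_server.exe", "cam_server.exe"}
RMS_REG_MARKERS = ("remote manipulator system", r"services\rserver3", r"policies\explorer\run")

def undo_oem_mojibake(text):
    """Reverse CP866 (Russian OEM) bytes rendered through CP437: install.bat was authored on a
    Russian-locale system and the en-US OEM code page is 437. Non-CP437 text is returned as is."""
    try:
        return text.encode("cp437").decode("cp866")
    except UnicodeError:
        return text

# Reproduces exactly the garbled rule name the report records for PID 2168.
MOJIBAKE_RULE_NAME = "Хост-процесс для служб Windows".encode("cp866").decode("cp437")

SAMPLE_EVENTS = [  # constructed from the report; ppid 2864 is the cmd.exe running install.bat
    {"pid": 1572, "ppid": 2864, "image": r"C:\Windows\SysWOW64\taskkill.exe",
     "cmd": "taskkill /f /im RManServer.exe"},
    {"pid": 1708, "ppid": 2864, "image": r"C:\Windows\SysWOW64\reg.exe",
     "cmd": r'reg delete "HKLM\SYSTEM\Remote Manipulator System" /f'},
    {"pid": 1916, "ppid": 2864, "image": r"C:\Windows\SysWOW64\attrib.exe",
     "cmd": r'attrib +s +h "C:\Windows\System32\catroot3"'},
    {"pid": 2168, "ppid": 2864, "image": r"C:\Windows\SysWOW64\netsh.exe",
     "cmd": f'netsh advfirewall firewall delete rule name="{MOJIBAKE_RULE_NAME}"'},
    {"pid": 884, "ppid": 2864, "image": r"C:\Windows\SysWOW64\catroot3\rutserv.exe",
     "cmd": '"rutserv.exe" /silentinstall'},
    {"pid": 1588, "ppid": 2864, "image": r"C:\Windows\SysWOW64\regedit.exe",
     "cmd": "regedit /s set.reg"},
    {"pid": 2776, "ppid": 1732, "image": r"C:\Windows\SysWOW64\catroot3\rfusclient.exe",
     "cmd": r"C:\Windows\SysWOW64\catroot3\rfusclient.exe"},
    {"pid": 4000, "ppid": 3999, "image": r"C:\Windows\System32\netsh.exe",  # benign admin use
     "cmd": "netsh advfirewall firewall show rule name=all"},
]

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].strip('"').lower()

def catroot_lookalike(text):
    """Return 'catrootN' when text references a catroot directory other than catroot/catroot2."""
    m = re.search(r'\\(catroot(\d*))(?=[\\"\s]|$)', text, re.I)
    return m.group(1) if m and m.group(2) not in ("", "2") else None

def rule_rms_binary(ev):
    if basename(ev["image"]) in RMS_BINARIES:
        return "rms_host_binary", "T1219", ev["image"]

def rule_rms_silent_install(ev):
    flags = {t.lower() for t in ev["cmd"].split()} & {"/silentinstall", "/firewall", "/start"}
    if basename(ev["image"]) == "rutserv.exe" and flags:
        return "rms_silent_install", "T1219", " ".join(sorted(flags))

def rule_catroot_lookalike(ev):
    bogus = catroot_lookalike(ev["image"]) or catroot_lookalike(ev["cmd"])
    if bogus:
        return "catroot_lookalike_dir", "T1036.005", bogus

def rule_taskkill_rival(ev):
    m = re.search(r"/im\s+(\S+)", ev["cmd"], re.I)
    if basename(ev["image"]) == "taskkill.exe" and m and m.group(1).lower() in RIVAL_PROCESSES:
        return "taskkill_remote_access_tool", "T1562.001", m.group(1)

def rule_registry(ev):
    name, low = basename(ev["image"]), ev["cmd"].lower()
    if name == "regedit.exe" and "/s" in low.split():
        return "regedit_silent_import", "T1112", ev["cmd"]
    if name == "reg.exe" and any(marker in low for marker in RMS_REG_MARKERS):
        return "rms_registry_tamper", "T1112", ev["cmd"]

def rule_firewall_delete(ev):
    low = ev["cmd"].lower()
    if basename(ev["image"]) == "netsh.exe" and ("delete rule" in low or "delete portopening" in low):
        m = re.search(r'name="([^"]*)"', ev["cmd"])  # decode the name so Cyrillic rules match too
        return "firewall_rule_delete", "T1562.004", (undo_oem_mojibake(m.group(1)) if m else ev["cmd"])

def rule_hide_attrib(ev):
    if basename(ev["image"]) == "attrib.exe" and re.search(r"\+s\b.*\+h\b|\+h\b.*\+s\b", ev["cmd"], re.I):
        return "attrib_hidden_system", "T1564.001", ev["cmd"]

RULES = (rule_rms_binary, rule_rms_silent_install, rule_catroot_lookalike, rule_taskkill_rival,
         rule_registry, rule_firewall_delete, rule_hide_attrib)

def scan(events):
    """Per-event hits as (pid, ppid, rule, technique, detail)."""
    return [(ev["pid"], ev["ppid"], *hit) for ev in events for rule in RULES if (hit := rule(ev))]

def correlate(hits, min_rules=4):
    """Chain verdict: several distinct rules firing under one parent (the cmd.exe running install.bat)."""
    by_parent = defaultdict(set)
    for _, ppid, rule, _, _ in hits:
        by_parent[ppid].add(rule)
    return {ppid: sorted(rules) for ppid, rules in by_parent.items() if len(rules) >= min_rules}

if __name__ == "__main__":
    found = scan(SAMPLE_EVENTS)
    for hit in found:
        print(hit)
    print("install chains:", correlate(found))
```

Run against the constructed events, the benign "show rule" produces no hit, the rfusclient.exe launch under the service (ppid 1732) trips only two rules and stays below the threshold, and the install.bat children under ppid 2864 trip eight distinct rules, which is the signal worth alerting on. On a real host the same rules would be fed from Sysmon or 4688 telemetry, and the catroot lookalike check generalises to any catrootN other than the two legitimate folders.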

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Program Files (x86)\Company\NewProduct\setup.exe

    Filesize

    2.3MB

    MD5

    50657a7200b9070b2cd4c2f683164b26

    SHA1

    5232acec938a88d249b6a50909f8757db8b14b84

    SHA256

    5065fbb828b01e89e01719ece8221e915286ef7e8dec1559c495adb387ff718c

    SHA512

    76c224caad7651bc1d594d19c22c4d36bf66c61233322ddcebfbb4932867bb7fe746d68b5ed3abefa8a3ff2635fc50a60e10befcc65960ce447fd26a02135ef8

  • C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd

    Filesize

    198B

    MD5

    ae03f2c3c24e31238d7c7c51766e8e7c

    SHA1

    fbe46630368375e5b61b66bc64d15f44adc8ab1f

    SHA256

    248e01e6260e83ccede66fe4bc9192360c190eb9096d794d2363b02fcfb9c7a8

    SHA512

    02e7a25453c1f8cb10b2df2690a419f2a6e2a15087b9a24b62ec3e6760a723bb57c2ecbd0f74ffe0d59145c650b588bf8a47f582ac93a49d3daf90b7afd3ab30

  • C:\Users\Admin\AppData\Local\Temp\HookDrv.dll

    Filesize

    144KB

    MD5

    513066a38057079e232f5f99baef2b94

    SHA1

    a6da9e87415b8918447ec361ba98703d12b4ee76

    SHA256

    02dbea75e8dbcdfc12c6b92a6c08efad83d4ca742ed7aee393ab26cab0c58f9e

    SHA512

    83a074bef57f78ede2488dd586b963b92837e17eea77ebd1464f3da06954ae8ca07f040089af0c257e2836611ae39424574bd365aea4a6318a2707e031cd31a5

  • C:\Users\Admin\AppData\Local\Temp\Microsoft.VC80.CRT.manifest

    Filesize

    1KB

    MD5

    d34b3da03c59f38a510eaa8ccc151ec7

    SHA1

    41b978588a9902f5e14b2b693973cb210ed900b2

    SHA256

    a50941352cb9d8f7ba6fbf7db5c8af95fb5ab76fc5d60cfd0984e558678908cc

    SHA512

    231a97761d652a0fc133b930abba07d456ba6cd70703a632fd7292f6ee00e50ef28562159e54acc3fc6cc118f766ea3f2f8392579ae31cc9c0c1c0dd761d36f7

  • C:\Users\Admin\AppData\Local\Temp\PushSource.ax

    Filesize

    448KB

    MD5

    d7eb741be9c97a6d1063102f0e4ca44d

    SHA1

    bf8bdca7f56ed39fb96141ae9593dec497f4e2c8

    SHA256

    0914ab04bfd258008fec4605c3fa0e23c0d5111b9cfc374cfa4eaa1b4208dff7

    SHA512

    cbcaedf5aca641313ba2708e4be3ea0d18dd63e4543f2c2fdcbd31964a2c01ff42724ec666da24bf7bf7b8faaa5eceae761edf82c71919753d42695c9588e65e

  • C:\Users\Admin\AppData\Local\Temp\RIPCServer.dll

    Filesize

    96KB

    MD5

    329354f10504d225384e19c8c1c575db

    SHA1

    9ef0b6256f3c5bbeb444cb00ee4b278847e8aa66

    SHA256

    24735b40df2cdac4da4e3201fc597eed5566c5c662aa312fa491b7a24e244844

    SHA512

    876585dd23f799f1b7cef365d3030213338b3c88bc2b20174e7c109248319bb5a3feaef43c0b962f459b2f4d90ff252c4704d6f1a0908b087e24b4f03eba9c0e

  • C:\Users\Admin\AppData\Local\Temp\RWLN.dll

    Filesize

    325KB

    MD5

    cf6ce6b13673dd11f0cd4b597ac56edb

    SHA1

    2017888be6edbea723b9b888ac548db5115df09e

    SHA256

    7bda291b7f50049088ea418b5695929b9be11cc014f6ec0f43f495285d1d6f74

    SHA512

    e5b69b4ee2ff8d9682913a2f846dc2eca8223d3100d626aea9763653fe7b8b35b8e6dc918f4c32e8ae2fc1761611dcd0b16d623ede954f173db33216b33f49dc

  • C:\Users\Admin\AppData\Local\Temp\dsfOggMux.dll

    Filesize

    84KB

    MD5

    65889701199e41ae2abee652a232af6e

    SHA1

    3f76c39fde130b550013a4f13bfea2862b5628cf

    SHA256

    ef12a65d861a14aed28480946bc56fce479a21e9beac2983239eac6551d4f32e

    SHA512

    edbb1a1541a546d69e3fd64047a20613b47b3c08f2b639a53160b825c4a1462c4cc08a7bf417aa2db814f412fb16619c6c0d9364e21cc1c6d753ecf81f1d30f5

  • C:\Users\Admin\AppData\Local\Temp\dsfTheoraEncoder.dll

    Filesize

    240KB

    MD5

    5f2fc8a0d96a1e796a4daae9465f5dd6

    SHA1

    224f13f3cbaa441c0cb6d6300715fda7136408ea

    SHA256

    f8686d8752801bb21c3d94ebe743758d79b9b59f33589ec8620e75a949d1871f

    SHA512

    da866275159b434205f259176c3937b7c77b14ed95d052152b05b984909e094bbd3b2702d3e874a4a1e1bc02fc5a8476ea43df8aee43542d56e832eacc8f54ad

  • C:\Users\Admin\AppData\Local\Temp\dsfVorbisEncoder.dll

    Filesize

    1.6MB

    MD5

    086a9fd9179aad7911561eeff08cf7e2

    SHA1

    d390c28376e08769a06a4a8b46609b3a668f728b

    SHA256

    2cede6701b73a4ddd6422fde157ea54644a3a9598b3ba217cf2b30b595cf6282

    SHA512

    a98f593a306208da49e57e265daf37d6b1bd9f190fba45d65dd6cfa08801b760f540ea5cc443f9a1512eb5ddc01b1e4e28fc8ddecb9c0f1d42c884c4efaa7193

  • C:\Users\Admin\AppData\Local\Temp\install.bat

    Filesize

    4KB

    MD5

    8df90cf16db8cca10642e6bfabd37e4f

    SHA1

    d5de18dbc5d9718162d553914c01f6ac929526da

    SHA256

    4e710a193a4cf02fc8068a03b2a3cb758e7d4b5b731c83031f1776acc13227a6

    SHA512

    bc364225aa8be575e9d9aead935a30c0c5e490f852916cb38c01abe1e694537c75da80641a6e76c9ee962a37b746a73b42c412df76860099256eebbe6ac989d9

  • C:\Users\Admin\AppData\Local\Temp\msvcp80.dll

    Filesize

    541KB

    MD5

    8c53ccd787c381cd535d8dcca12584d8

    SHA1

    bc7ce60270a58450596aa3e3e5d0a99f731333d9

    SHA256

    384aaee2a103f7ed5c3ba59d4fb2ba22313aaa1fbc5d232c29dbc14d38e0b528

    SHA512

    e86c1426f1ad62d8f9bb1196dee647477f71b9aacafabb181f35e639c105779f95f1576b72c0a9216e876430383b8d44f27748b13c25e0548c254a0f641e4755

  • C:\Users\Admin\AppData\Local\Temp\msvcr80.dll

    Filesize

    617KB

    MD5

    1169436ee42f860c7db37a4692b38f0e

    SHA1

    4ccd15bf2c1b1d541ac883b0f42497e8ced6a5a3

    SHA256

    9382aaed2db19cd75a70e38964f06c63f19f63c9dfb5a33b0c2d445bb41b6e46

    SHA512

    e06064eb95a2ab9c3343672072f5b3f5983fc8ea9e5c92f79e50ba2e259d6d5fa8ed97170dea6d0d032ea6c01e074eefaab850d28965c7522fb7e03d9c65eae0

  • C:\Users\Admin\AppData\Local\Temp\rfusclient.exe

    Filesize

    2.8MB

    MD5

    a90c6e72a9e2602560c521a1647664ad

    SHA1

    22f7f0ddb0af04df7109c3ddbb7027909041fa73

    SHA256

    579e5984ad5eb6e5e4b004acd01c95f609a1330f3900cd9851562eb4ac879197

    SHA512

    fbba623cab28c0648e8bdd03c99df9e2a84180d72ea8e63367e943f8b432ebc36a7e10a8bfce11ad1803e54a8514f1ded4fec72e680ee04386965b5eb6a5d6c2

  • C:\Users\Admin\AppData\Local\Temp\rutserv.exe

    Filesize

    3.2MB

    MD5

    62dbd11dc36780e35af1aafaa6a8f0f1

    SHA1

    dc6aaac7171b351be3397c3e0e1769dffa848723

    SHA256

    b06604ee55206b081a8378f771f3501f48df1c0023b1d6edcbc5f781aa521f57

    SHA512

    b7f311286387ab39a0a54ac3dbcb74d9db3de4e2657dd6f0e182e38e9ed5400e87f1000c7b978fd4bb34fc373dd99bcb18271296f03248366a9cb52afdaa695d

  • C:\Users\Admin\AppData\Local\Temp\rversionlib.dll

    Filesize

    310KB

    MD5

    3f95a06f40eaf51b86cef2bf036ebd7a

    SHA1

    64009c5f79661eb2f82c9a76a843c0d3a856695d

    SHA256

    1eb88258b18b215b44620326e35c90a8589f384710e7b2d61abf4f59203bd82d

    SHA512

    6f28b5de28026319bed198f06b5461f688ca401129f1125e9e9d3b58956cc0d546234c2d202827bd74b99afd2ead958a863a520a1f4b7e599d385a8a67062897

  • C:\Users\Admin\AppData\Local\Temp\set.reg

    Filesize

    14KB

    MD5

    77c8f244537598b4e97df70217e344f9

    SHA1

    cd84b589fcf6b999b6aa02311044f3c95a47cf0a

    SHA256

    31fed19631457b45b54b36c6a34cd354d390c9bfb55e2686cdaa76f940a6646a

    SHA512

    da7c6ad837652d5604c7010cfeef26cd2041b219477d39bd6b56cf1dd470a75b493a90e60d0751d92f9aca47f212074079ef4da6e09c48108969e5a922d62b5b

  • C:\Users\Admin\AppData\Local\Temp\stop.js

    Filesize

    215B

    MD5

    804b35ef108ec9839eb6a9335add8ca1

    SHA1

    bf91e6645c4a1c8cab2d20388469da9ed0a82d56

    SHA256

    fe111b7ea4e14ab7ba5004aea52b10030e0282bb5c40d4ba55761a2c5be59406

    SHA512

    822a3ec5e0e353058d4355bc01a44440dafe8d16c57744a3dcbc962eb110ed3f6843556568616bfc5dc7fad5f5832cd27d6591dc50105f2c79fc16c33919936d

  • memory/884-115-0x0000000000230000-0x0000000000288000-memory.dmp

    Filesize

    352KB

  • memory/884-111-0x0000000000230000-0x0000000000288000-memory.dmp

    Filesize

    352KB

  • memory/884-114-0x0000000000400000-0x00000000007C6000-memory.dmp

    Filesize

    3.8MB

  • memory/1256-158-0x0000000000230000-0x0000000000288000-memory.dmp

    Filesize

    352KB

  • memory/1256-157-0x0000000000400000-0x000000000075E000-memory.dmp

    Filesize

    3.4MB

  • memory/1556-148-0x0000000000230000-0x0000000000288000-memory.dmp

    Filesize

    352KB

  • memory/1556-147-0x0000000000400000-0x00000000007C6000-memory.dmp

    Filesize

    3.8MB

  • memory/1616-122-0x0000000000400000-0x00000000007C6000-memory.dmp

    Filesize

    3.8MB

  • memory/1616-123-0x0000000000230000-0x0000000000288000-memory.dmp

    Filesize

    352KB

  • memory/1732-160-0x00000000002E0000-0x0000000000338000-memory.dmp

    Filesize

    352KB

  • memory/1732-133-0x00000000002E0000-0x0000000000338000-memory.dmp

    Filesize

    352KB

  • memory/1732-201-0x0000000000400000-0x00000000007C6000-memory.dmp

    Filesize

    3.8MB

  • memory/1732-195-0x0000000000400000-0x00000000007C6000-memory.dmp

    Filesize

    3.8MB

  • memory/1732-177-0x0000000000400000-0x00000000007C6000-memory.dmp

    Filesize

    3.8MB

  • memory/1732-172-0x00000000002E0000-0x0000000000338000-memory.dmp

    Filesize

    352KB

  • memory/1732-159-0x0000000000400000-0x00000000007C6000-memory.dmp

    Filesize

    3.8MB

  • memory/2380-16-0x0000000000400000-0x0000000000424000-memory.dmp

    Filesize

    144KB

  • memory/2776-161-0x0000000000400000-0x000000000075E000-memory.dmp

    Filesize

    3.4MB

  • memory/2776-162-0x0000000000230000-0x0000000000288000-memory.dmp

    Filesize

    352KB

  • memory/2776-180-0x0000000000230000-0x0000000000288000-memory.dmp

    Filesize

    352KB

  • memory/2812-169-0x0000000000400000-0x000000000075E000-memory.dmp

    Filesize

    3.4MB

  • memory/2812-163-0x0000000000400000-0x000000000075E000-memory.dmp

    Filesize

    3.4MB

  • memory/2812-164-0x0000000000230000-0x0000000000288000-memory.dmp

    Filesize

    352KB