rms | 5f170e10de8753eb1199b6ebf9098c1f37a684a9128ac1082bcc2f04d4079898

Analysis

max time kernel
151s
max time network
161s
platform
windows10_x64
resource
win10v20210408
submitted
15-05-2021 07:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5f170e10de8753eb1199b6ebf9098c1f37a684a9128ac1082bcc2f04d4079898.exe
Size

4.5MB
MD5

b0a1bc98a73714157640946afacaedb6
SHA1

98eaa35b9cf69326af51e047ea3c4128f1754732
SHA256

5f170e10de8753eb1199b6ebf9098c1f37a684a9128ac1082bcc2f04d4079898
SHA512

320e65d63ff49366c1f6f19cbe79ab75d46829ab54e0e892581fcfd21e5c455fb13d5eed9de7daacc3872710bb88dbff9285a8d6517bf8d5ce1b7c6f9e897230

Score

10^/10

rms aspackv2 evasion rat trojan upx

Malware Config

Signatures

RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
C:\Program Files (x86)\System\vp8encoder.dll	acprotect
C:\Program Files (x86)\System\vp8decoder.dll	acprotect

ASPack v2.12-2.42 9 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
C:\Program Files (x86)\System\rfusclient.exe	aspack_v212_v242
C:\Program Files (x86)\System\rutserv.exe	aspack_v212_v242
C:\Program Files (x86)\System\rutserv.exe	aspack_v212_v242
C:\Program Files (x86)\System\rutserv.exe	aspack_v212_v242
C:\Program Files (x86)\System\rutserv.exe	aspack_v212_v242
C:\Program Files (x86)\System\rutserv.exe	aspack_v212_v242
C:\Program Files (x86)\System\rfusclient.exe	aspack_v212_v242
C:\Program Files (x86)\System\rfusclient.exe	aspack_v212_v242
C:\Program Files (x86)\System\rfusclient.exe	aspack_v212_v242

Executes dropped EXE 7 IoCs

Processes:

rutserv.exerutserv.exerutserv.exerutserv.exerfusclient.exerfusclient.exerfusclient.exe

pid process

2320 rutserv.exe
2340 rutserv.exe
2348 rutserv.exe
2288 rutserv.exe
592 rfusclient.exe
3172 rfusclient.exe
2556 rfusclient.exe
Sets file to hidden 1 TTPs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Program Files (x86)\System\vp8encoder.dll	upx
C:\Program Files (x86)\System\vp8decoder.dll	upx

Drops file in System32 directory 3 IoCs

Processes:

rutserv.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\symbols\exe\rutserv.pdb	rutserv.exe
File opened for modification	C:\Windows\SysWOW64\rutserv.pdb	rutserv.exe
File opened for modification	C:\Windows\SysWOW64\exe\rutserv.pdb	rutserv.exe

Drops file in Program Files directory 30 IoCs

Processes:

5f170e10de8753eb1199b6ebf9098c1f37a684a9128ac1082bcc2f04d4079898.exeattrib.exerutserv.exeattrib.exereg.exe

description	ioc	process
File created	C:\Program Files (x86)\System\regedit.reg	5f170e10de8753eb1199b6ebf9098c1f37a684a9128ac1082bcc2f04d4079898.exe
File created	C:\Program Files (x86)\System\install.bat	5f170e10de8753eb1199b6ebf9098c1f37a684a9128ac1082bcc2f04d4079898.exe
File opened for modification	C:\Program Files (x86)\System\rutserv.exe	attrib.exe
File opened for modification	C:\Program Files (x86)\System\vp8encoder.dll	attrib.exe
File opened for modification	C:\Program Files (x86)\System	5f170e10de8753eb1199b6ebf9098c1f37a684a9128ac1082bcc2f04d4079898.exe
File created	C:\Program Files (x86)\System\rutserv.exe	5f170e10de8753eb1199b6ebf9098c1f37a684a9128ac1082bcc2f04d4079898.exe
File opened for modification	C:\Program Files (x86)\System\vp8decoder.dll	attrib.exe
File created	C:\Program Files (x86)\System\vp8encoder.dll	5f170e10de8753eb1199b6ebf9098c1f37a684a9128ac1082bcc2f04d4079898.exe
File opened for modification	C:\Program Files (x86)\System\install.bat	5f170e10de8753eb1199b6ebf9098c1f37a684a9128ac1082bcc2f04d4079898.exe
File opened for modification	C:\Program Files (x86)\System\rutserv.exe	5f170e10de8753eb1199b6ebf9098c1f37a684a9128ac1082bcc2f04d4079898.exe
File opened for modification	C:\Program Files (x86)\System\regedit.reg	5f170e10de8753eb1199b6ebf9098c1f37a684a9128ac1082bcc2f04d4079898.exe
File opened for modification	C:\Program Files (x86)\System\install.vbs	attrib.exe
File opened for modification	C:\Program Files (x86)\System\mailsend.exe	attrib.exe
File opened for modification	C:\Program Files (x86)\System\rfusclient.exe	attrib.exe
File created	C:\Program Files (x86)\System\vp8decoder.dll	5f170e10de8753eb1199b6ebf9098c1f37a684a9128ac1082bcc2f04d4079898.exe
File opened for modification	C:\Program Files (x86)\System\vp8decoder.dll	5f170e10de8753eb1199b6ebf9098c1f37a684a9128ac1082bcc2f04d4079898.exe
File created	C:\Program Files (x86)\System\rfusclient.exe	5f170e10de8753eb1199b6ebf9098c1f37a684a9128ac1082bcc2f04d4079898.exe
File opened for modification	C:\Program Files (x86)\System\rfusclient.exe	5f170e10de8753eb1199b6ebf9098c1f37a684a9128ac1082bcc2f04d4079898.exe
File opened for modification	C:\Program Files (x86)\System\rutserv.pdb	rutserv.exe
File opened for modification	C:\Program Files (x86)\System\install.vbs	5f170e10de8753eb1199b6ebf9098c1f37a684a9128ac1082bcc2f04d4079898.exe
File opened for modification	C:\Program Files (x86)\System\vp8encoder.dll	5f170e10de8753eb1199b6ebf9098c1f37a684a9128ac1082bcc2f04d4079898.exe
File opened for modification	C:\Program Files (x86)\System\mailsend.exe	5f170e10de8753eb1199b6ebf9098c1f37a684a9128ac1082bcc2f04d4079898.exe
File opened for modification	C:\Program Files (x86)\Common Files\System	attrib.exe
File created	C:\Program Files (x86)\System\__tmp_rar_sfx_access_check_259291109	5f170e10de8753eb1199b6ebf9098c1f37a684a9128ac1082bcc2f04d4079898.exe
File opened for modification	C:\Program Files (x86)\System\regedit.reg	attrib.exe
File opened for modification	C:\Program Files (x86)\System\id.txt	reg.exe
File opened for modification	C:\Program Files (x86)\System\install.bat	attrib.exe
File created	C:\Program Files (x86)\System\mailsend.exe	5f170e10de8753eb1199b6ebf9098c1f37a684a9128ac1082bcc2f04d4079898.exe
File opened for modification	C:\Program Files (x86)\System	attrib.exe
File created	C:\Program Files (x86)\System\install.vbs	5f170e10de8753eb1199b6ebf9098c1f37a684a9128ac1082bcc2f04d4079898.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Delays execution with timeout.exe 2 IoCs
evasion

Processes:

timeout.exetimeout.exe

pid process

3060 timeout.exe
3964 timeout.exe
Kills process with taskkill 4 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

1348 taskkill.exe
3164 taskkill.exe
3964 taskkill.exe
3860 taskkill.exe

pid	process
3060	timeout.exe
3964	timeout.exe

pid	process
1348	taskkill.exe
3164	taskkill.exe
3964	taskkill.exe
3860	taskkill.exe

Modifies registry class 1 IoCs

Processes:

5f170e10de8753eb1199b6ebf9098c1f37a684a9128ac1082bcc2f04d4079898.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings	5f170e10de8753eb1199b6ebf9098c1f37a684a9128ac1082bcc2f04d4079898.exe

Runs .reg file with regedit 1 IoCs

Processes:

regedit.exe

pid process

2216 regedit.exe

pid	process
2216	regedit.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

rutserv.exerutserv.exerutserv.exerutserv.exerfusclient.exe

pid	process
2320	rutserv.exe
2320	rutserv.exe
2320	rutserv.exe
2320	rutserv.exe
2320	rutserv.exe
2320	rutserv.exe
2340	rutserv.exe
2340	rutserv.exe
2348	rutserv.exe
2348	rutserv.exe
2288	rutserv.exe
2288	rutserv.exe
2288	rutserv.exe
2288	rutserv.exe
2288	rutserv.exe
2288	rutserv.exe
3172	rfusclient.exe
3172	rfusclient.exe

Suspicious behavior: SetClipboardViewer 1 IoCs

Processes:

rfusclient.exe

pid process

2556 rfusclient.exe

pid	process
2556	rfusclient.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exerutserv.exerutserv.exerutserv.exe

description	pid	process
Token: SeDebugPrivilege	1348	taskkill.exe
Token: SeDebugPrivilege	3164	taskkill.exe
Token: SeDebugPrivilege	3964	taskkill.exe
Token: SeDebugPrivilege	3860	taskkill.exe
Token: SeDebugPrivilege	2320	rutserv.exe
Token: SeDebugPrivilege	2348	rutserv.exe
Token: SeTakeOwnershipPrivilege	2288	rutserv.exe
Token: SeTcbPrivilege	2288	rutserv.exe
Token: SeTcbPrivilege	2288	rutserv.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

rutserv.exerutserv.exerutserv.exerutserv.exe

pid process

2320 rutserv.exe
2340 rutserv.exe
2348 rutserv.exe
2288 rutserv.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

5f170e10de8753eb1199b6ebf9098c1f37a684a9128ac1082bcc2f04d4079898.exeWScript.execmd.exerutserv.exerfusclient.exe

description	pid	process	target process
PID 744 wrote to memory of 2840	744	5f170e10de8753eb1199b6ebf9098c1f37a684a9128ac1082bcc2f04d4079898.exe	WScript.exe
PID 744 wrote to memory of 2840	744	5f170e10de8753eb1199b6ebf9098c1f37a684a9128ac1082bcc2f04d4079898.exe	WScript.exe
PID 744 wrote to memory of 2840	744	5f170e10de8753eb1199b6ebf9098c1f37a684a9128ac1082bcc2f04d4079898.exe	WScript.exe
PID 2840 wrote to memory of 3568	2840	WScript.exe	cmd.exe
PID 2840 wrote to memory of 3568	2840	WScript.exe	cmd.exe
PID 2840 wrote to memory of 3568	2840	WScript.exe	cmd.exe
PID 3568 wrote to memory of 1524	3568	cmd.exe	attrib.exe
PID 3568 wrote to memory of 1524	3568	cmd.exe	attrib.exe
PID 3568 wrote to memory of 1524	3568	cmd.exe	attrib.exe
PID 3568 wrote to memory of 2736	3568	cmd.exe	attrib.exe
PID 3568 wrote to memory of 2736	3568	cmd.exe	attrib.exe
PID 3568 wrote to memory of 2736	3568	cmd.exe	attrib.exe
PID 3568 wrote to memory of 1348	3568	cmd.exe	taskkill.exe
PID 3568 wrote to memory of 1348	3568	cmd.exe	taskkill.exe
PID 3568 wrote to memory of 1348	3568	cmd.exe	taskkill.exe
PID 3568 wrote to memory of 3164	3568	cmd.exe	taskkill.exe
PID 3568 wrote to memory of 3164	3568	cmd.exe	taskkill.exe
PID 3568 wrote to memory of 3164	3568	cmd.exe	taskkill.exe
PID 3568 wrote to memory of 3964	3568	cmd.exe	taskkill.exe
PID 3568 wrote to memory of 3964	3568	cmd.exe	taskkill.exe
PID 3568 wrote to memory of 3964	3568	cmd.exe	taskkill.exe
PID 3568 wrote to memory of 3860	3568	cmd.exe	taskkill.exe
PID 3568 wrote to memory of 3860	3568	cmd.exe	taskkill.exe
PID 3568 wrote to memory of 3860	3568	cmd.exe	taskkill.exe
PID 3568 wrote to memory of 1912	3568	cmd.exe	reg.exe
PID 3568 wrote to memory of 1912	3568	cmd.exe	reg.exe
PID 3568 wrote to memory of 1912	3568	cmd.exe	reg.exe
PID 3568 wrote to memory of 2216	3568	cmd.exe	regedit.exe
PID 3568 wrote to memory of 2216	3568	cmd.exe	regedit.exe
PID 3568 wrote to memory of 2216	3568	cmd.exe	regedit.exe
PID 3568 wrote to memory of 3060	3568	cmd.exe	timeout.exe
PID 3568 wrote to memory of 3060	3568	cmd.exe	timeout.exe
PID 3568 wrote to memory of 3060	3568	cmd.exe	timeout.exe
PID 3568 wrote to memory of 2320	3568	cmd.exe	rutserv.exe
PID 3568 wrote to memory of 2320	3568	cmd.exe	rutserv.exe
PID 3568 wrote to memory of 2320	3568	cmd.exe	rutserv.exe
PID 3568 wrote to memory of 2340	3568	cmd.exe	rutserv.exe
PID 3568 wrote to memory of 2340	3568	cmd.exe	rutserv.exe
PID 3568 wrote to memory of 2340	3568	cmd.exe	rutserv.exe
PID 3568 wrote to memory of 2348	3568	cmd.exe	rutserv.exe
PID 3568 wrote to memory of 2348	3568	cmd.exe	rutserv.exe
PID 3568 wrote to memory of 2348	3568	cmd.exe	rutserv.exe
PID 2288 wrote to memory of 592	2288	rutserv.exe	rfusclient.exe
PID 2288 wrote to memory of 592	2288	rutserv.exe	rfusclient.exe
PID 2288 wrote to memory of 592	2288	rutserv.exe	rfusclient.exe
PID 2288 wrote to memory of 3172	2288	rutserv.exe	rfusclient.exe
PID 2288 wrote to memory of 3172	2288	rutserv.exe	rfusclient.exe
PID 2288 wrote to memory of 3172	2288	rutserv.exe	rfusclient.exe
PID 3568 wrote to memory of 3600	3568	cmd.exe	sc.exe
PID 3568 wrote to memory of 3600	3568	cmd.exe	sc.exe
PID 3568 wrote to memory of 3600	3568	cmd.exe	sc.exe
PID 3568 wrote to memory of 3652	3568	cmd.exe	sc.exe
PID 3568 wrote to memory of 3652	3568	cmd.exe	sc.exe
PID 3568 wrote to memory of 3652	3568	cmd.exe	sc.exe
PID 3568 wrote to memory of 3164	3568	cmd.exe	sc.exe
PID 3568 wrote to memory of 3164	3568	cmd.exe	sc.exe
PID 3568 wrote to memory of 3164	3568	cmd.exe	sc.exe
PID 3568 wrote to memory of 3964	3568	cmd.exe	timeout.exe
PID 3568 wrote to memory of 3964	3568	cmd.exe	timeout.exe
PID 3568 wrote to memory of 3964	3568	cmd.exe	timeout.exe
PID 3172 wrote to memory of 2556	3172	rfusclient.exe	rfusclient.exe
PID 3172 wrote to memory of 2556	3172	rfusclient.exe	rfusclient.exe
PID 3172 wrote to memory of 2556	3172	rfusclient.exe	rfusclient.exe
PID 3568 wrote to memory of 2148	3568	cmd.exe	reg.exe

Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exe

pid process

1524 attrib.exe
2736 attrib.exe

pid	process
1524	attrib.exe
2736	attrib.exe

C:\Users\Admin\AppData\Local\Temp\5f170e10de8753eb1199b6ebf9098c1f37a684a9128ac1082bcc2f04d4079898.exe
"C:\Users\Admin\AppData\Local\Temp\5f170e10de8753eb1199b6ebf9098c1f37a684a9128ac1082bcc2f04d4079898.exe"
1⤵
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:744

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\System\install.vbs"
2⤵
- Suspicious use of WriteProcessMemory
PID:2840

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\System\install.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:3568

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Program Files (x86)\System" +H +S /S /D
4⤵
- Drops file in Program Files directory
- Views/modifies file attributes
PID:1524

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Program Files (x86)\System\*.*" +H +S /S /D
4⤵
- Drops file in Program Files directory
- Views/modifies file attributes
PID:2736

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im rutserv.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1348

C:\Windows\SysWOW64\taskkill.exe
Taskkill /f /im rutserv.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3164

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im rfusclient.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3964

C:\Windows\SysWOW64\taskkill.exe
Taskkill /f /im rfusclient.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3860

C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\SYSTEM\Remote Manipulator System" /f
4⤵
PID:1912

C:\Windows\SysWOW64\regedit.exe
regedit /s "regedit.reg"
4⤵
- Runs .reg file with regedit
PID:2216

C:\Windows\SysWOW64\timeout.exe
timeout 2
4⤵
- Delays execution with timeout.exe
PID:3060

C:\Program Files (x86)\System\rutserv.exe
rutserv.exe /silentinstall
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2320

C:\Program Files (x86)\System\rutserv.exe
rutserv.exe /firewall
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2340

C:\Program Files (x86)\System\rutserv.exe
rutserv.exe /start
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2348

C:\Windows\SysWOW64\sc.exe
sc failure RManService reset= 0 actions= restart/1000/restart/1000/restart/1000
4⤵
PID:3600

C:\Windows\SysWOW64\sc.exe
sc config RManService obj= LocalSystem type= interact type= own
4⤵
PID:3652

C:\Windows\SysWOW64\sc.exe
sc config RManService DisplayName= "Windows_Defender v6.3"
4⤵
PID:3164

C:\Windows\SysWOW64\timeout.exe
timeout 120
4⤵
- Delays execution with timeout.exe
PID:3964

C:\Windows\SysWOW64\reg.exe
reg export "HKEY_LOCAL_MACHINE\SYSTEM\Remote Manipulator System\v4" "id.txt"
4⤵
- Drops file in Program Files directory
PID:2148

C:\Program Files (x86)\System\rutserv.exe
"C:\Program Files (x86)\System\rutserv.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2288

C:\Program Files (x86)\System\rfusclient.exe
"C:\Program Files (x86)\System\rfusclient.exe" /tray
2⤵
- Executes dropped EXE
PID:592

C:\Program Files (x86)\System\rfusclient.exe
"C:\Program Files (x86)\System\rfusclient.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3172

C:\Program Files (x86)\System\rfusclient.exe
"C:\Program Files (x86)\System\rfusclient.exe" /tray
3⤵
- Executes dropped EXE
- Suspicious behavior: SetClipboardViewer
PID:2556

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\System\install.bat
MD5
6a3fa56f41cd7c001937ec0d7f6707ee

SHA1
f1e9908d2396510fe1d348fdc2b92dec204fc845

SHA256
7bc5d01ae15bdb23c0f3885252a4a40ba87474d445589dab7d1fd78b377c8a8d

SHA512
6573c30c53627495285652845d4eea646810af7e58dd21ab7a78d3a282f54b71291d02018380df5521aeb69ccfe391946082641caec39d616dc8d622385198f9

Download Submit
C:\Program Files (x86)\System\install.vbs
MD5
c719a030434d3fa96d62868f27e904a6

SHA1
f2f750a752dd1fda8915a47b082af7cf2d3e3655

SHA256
2696ee4302a85c6b4101fc6d1ce8e38b94fd9c2bbd1acc73b553576b3aacb92f

SHA512
47a9367f7596d19c0636766cd34ca3701d3b1239a284f2333fd04a48422f53b0df21002fd38a4f229f6a2f9f9e8163267e13ecb24d9ce6de1863d5f59ab04ff0

Download Submit
C:\Program Files (x86)\System\mailsend.exe
MD5
ac23b87f8ec60ddd3f555556f89a6af8

SHA1
3cea6f84757d15ee8d7fa19d3dfc4992c50aa90c

SHA256
80a1d0a15066c7af67cf5377e59e450c2a96018505236f8f3352173282b27ae4

SHA512
57e67eab9c2a3b94161500eb0091533a539454e9bfddd47c61477299de9455b7ca11c498c5d8a7d77f4763a2053acb4ff96868a9313fede29969edc16d35b167

Download Submit
C:\Program Files (x86)\System\regedit.reg
MD5
251212852a073e6fc5fbe3af92f66adb

SHA1
6ee07cb20f57830325c11867e68fea49ae0e87ea

SHA256
f2c83f4cc13b0cd28090dd128ec5ff221681118f6100eddaead88526070ceecb

SHA512
f3853ece99edc6d39edbf1c7bca471e71aa034684a85358b033e50418ffa061f1e8724cba76065048901c20c9f9a6dbd86a17ee33756c0452d4d3358047296be

Download Submit
C:\Program Files (x86)\System\rfusclient.exe
MD5
b8667a1e84567fcf7821bcefb6a444af

SHA1
9c1f91fe77ad357c8f81205d65c9067a270d61f0

SHA256
dc9d875e659421a51addd8e8a362c926369e84320ab0c5d8bbb1e4d12d372fc9

SHA512
ec6af663a3b41719d684f04504746f91196105ef6f8baa013b4bd02df6684eca49049d5517691f8e3a4ba6351fe35545a27f728b1d29d949e950d574a012f852

Download Submit
C:\Program Files (x86)\System\rfusclient.exe
MD5
b8667a1e84567fcf7821bcefb6a444af

SHA1
9c1f91fe77ad357c8f81205d65c9067a270d61f0

SHA256
dc9d875e659421a51addd8e8a362c926369e84320ab0c5d8bbb1e4d12d372fc9

SHA512
ec6af663a3b41719d684f04504746f91196105ef6f8baa013b4bd02df6684eca49049d5517691f8e3a4ba6351fe35545a27f728b1d29d949e950d574a012f852

Download Submit
C:\Program Files (x86)\System\rfusclient.exe
MD5
b8667a1e84567fcf7821bcefb6a444af

SHA1
9c1f91fe77ad357c8f81205d65c9067a270d61f0

SHA256
dc9d875e659421a51addd8e8a362c926369e84320ab0c5d8bbb1e4d12d372fc9

SHA512
ec6af663a3b41719d684f04504746f91196105ef6f8baa013b4bd02df6684eca49049d5517691f8e3a4ba6351fe35545a27f728b1d29d949e950d574a012f852

Download Submit
C:\Program Files (x86)\System\rfusclient.exe
MD5
b8667a1e84567fcf7821bcefb6a444af

SHA1
9c1f91fe77ad357c8f81205d65c9067a270d61f0

SHA256
dc9d875e659421a51addd8e8a362c926369e84320ab0c5d8bbb1e4d12d372fc9

SHA512
ec6af663a3b41719d684f04504746f91196105ef6f8baa013b4bd02df6684eca49049d5517691f8e3a4ba6351fe35545a27f728b1d29d949e950d574a012f852

Download Submit
C:\Program Files (x86)\System\rutserv.exe
MD5
37a8802017a212bb7f5255abc7857969

SHA1
cb10c0d343c54538d12db8ed664d0a1fa35b6109

SHA256
1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6

SHA512
4e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0

Download Submit
C:\Program Files (x86)\System\rutserv.exe
MD5
37a8802017a212bb7f5255abc7857969

SHA1
cb10c0d343c54538d12db8ed664d0a1fa35b6109

SHA256
1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6

SHA512
4e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0

Download Submit
C:\Program Files (x86)\System\rutserv.exe
MD5
37a8802017a212bb7f5255abc7857969

SHA1
cb10c0d343c54538d12db8ed664d0a1fa35b6109

SHA256
1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6

SHA512
4e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0

Download Submit
C:\Program Files (x86)\System\rutserv.exe
MD5
37a8802017a212bb7f5255abc7857969

SHA1
cb10c0d343c54538d12db8ed664d0a1fa35b6109

SHA256
1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6

SHA512
4e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0

Download Submit
C:\Program Files (x86)\System\rutserv.exe
MD5
37a8802017a212bb7f5255abc7857969

SHA1
cb10c0d343c54538d12db8ed664d0a1fa35b6109

SHA256
1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6

SHA512
4e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0

Download Submit
C:\Program Files (x86)\System\vp8decoder.dll
MD5
88318158527985702f61d169434a4940

SHA1
3cc751ba256b5727eb0713aad6f554ff1e7bca57

SHA256
4c04d7968a9fe9d9258968d3a722263334bbf5f8af972f206a71f17fa293aa74

SHA512
5d88562b6c6d2a5b14390512712819238cd838914f7c48a27f017827cb9b825c24ff05a30333427acec93cd836e8f04158b86d17e6ac3dd62c55b2e2ff4e2aff

Download Submit
C:\Program Files (x86)\System\vp8encoder.dll
MD5
6298c0af3d1d563834a218a9cc9f54bd

SHA1
0185cd591e454ed072e5a5077b25c612f6849dc9

SHA256
81af82019d9f45a697a8ca1788f2c5c0205af9892efd94879dedf4bc06db4172

SHA512
389d89053689537cdb582c0e8a7951a84549f0c36484db4346c31bdbe7cb93141f6a354069eb13e550297dc8ec35cd6899746e0c16abc876a0fe542cc450fffe

Download Submit
memory/592-152-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/592-157-0x0000000000AA0000-0x0000000000AA1000-memory.dmp

Filesize
4KB

Download
memory/592-148-0x0000000000000000-mapping.dmp

Download
memory/1348-126-0x0000000000000000-mapping.dmp

Download
memory/1524-118-0x0000000000000000-mapping.dmp

Download
memory/1912-130-0x0000000000000000-mapping.dmp

Download
memory/2148-164-0x0000000000000000-mapping.dmp

Download
memory/2216-131-0x0000000000000000-mapping.dmp

Download
memory/2288-147-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/2288-146-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/2320-135-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/2320-136-0x0000000000AC0000-0x0000000000B6E000-memory.dmp

Filesize
696KB

Download
memory/2320-133-0x0000000000000000-mapping.dmp

Download
memory/2340-139-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/2340-140-0x0000000000AC0000-0x0000000000B6E000-memory.dmp

Filesize
696KB

Download
memory/2340-137-0x0000000000000000-mapping.dmp

Download
memory/2348-141-0x0000000000000000-mapping.dmp

Download
memory/2348-145-0x0000000000D30000-0x0000000000D31000-memory.dmp

Filesize
4KB

Download
memory/2556-160-0x0000000000000000-mapping.dmp

Download
memory/2556-163-0x0000000000AE0000-0x0000000000C2A000-memory.dmp

Filesize
1.3MB

Download
memory/2556-162-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/2736-119-0x0000000000000000-mapping.dmp

Download
memory/2840-114-0x0000000000000000-mapping.dmp

Download
memory/3060-132-0x0000000000000000-mapping.dmp

Download
memory/3164-127-0x0000000000000000-mapping.dmp

Download
memory/3164-156-0x0000000000000000-mapping.dmp

Download
memory/3172-153-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/3172-158-0x0000000000A50000-0x0000000000B9A000-memory.dmp

Filesize
1.3MB

Download
memory/3172-149-0x0000000000000000-mapping.dmp

Download
memory/3568-117-0x0000000000000000-mapping.dmp

Download
memory/3600-154-0x0000000000000000-mapping.dmp

Download
memory/3652-155-0x0000000000000000-mapping.dmp

Download
memory/3860-129-0x0000000000000000-mapping.dmp

Download
memory/3964-159-0x0000000000000000-mapping.dmp

Download
memory/3964-128-0x0000000000000000-mapping.dmp

Download