rms | 9e53945f65d0528540a52741bde298a2626582e684f56ddd0f4e534e13491c12

Analysis

max time kernel
141s
max time network
162s
platform
windows7_x64
resource
win7-20220414-en
submitted
15-04-2022 04:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9e53945f65d0528540a52741bde298a2626582e684f56ddd0f4e534e13491c12.exe
Size

6.2MB
MD5

ab92d1376a186f27c4e5440843173020
SHA1

9aebb2a37972d52c671985f9833c820934fa96d3
SHA256

9e53945f65d0528540a52741bde298a2626582e684f56ddd0f4e534e13491c12
SHA512

f7e05d9c1723446e31bed30ffd22563dc03880aabdc8fbe37b70e7fcba68dba933ad1bd5f44a0d6a66df01519178bcee653b0273d1c55fdedb273a1fa85f0a48

Score

10^/10

rms rat trojan

Malware Config

Signatures

RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms

Executes dropped EXE 10 IoCs

pid	Process
928	rfusclient.exe
1568	rutserv.exe
1144	rfusclient.exe
1800	rutserv.exe
956	rfusclient.exe
628	rutserv.exe
620	rutserv.exe
796	rfusclient.exe
900	rfusclient.exe
1588	rfusclient.exe

Loads dropped DLL 32 IoCs

pid	Process
604	MsiExec.exe
928	rfusclient.exe
928	rfusclient.exe
928	rfusclient.exe
928	rfusclient.exe
928	rfusclient.exe
928	rfusclient.exe
928	rfusclient.exe
1568	rutserv.exe
1144	rfusclient.exe
1144	rfusclient.exe
1144	rfusclient.exe
1144	rfusclient.exe
1144	rfusclient.exe
1144	rfusclient.exe
1800	rutserv.exe
956	rfusclient.exe
956	rfusclient.exe
956	rfusclient.exe
956	rfusclient.exe
956	rfusclient.exe
956	rfusclient.exe
628	rutserv.exe
620	rutserv.exe
796	rfusclient.exe
796	rfusclient.exe
620	rutserv.exe
900	rfusclient.exe
900	rfusclient.exe
900	rfusclient.exe
1588	rfusclient.exe
1588	rfusclient.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe

Drops file in System32 directory 19 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\sysfiles\rasadhlp.dll	msiexec.exe
File created	C:\Windows\SysWOW64\sysfiles\rwln.dll	msiexec.exe
File created	C:\Windows\SysWOW64\sysfiles\vp8encoder.dll	msiexec.exe
File created	C:\Windows\SysWOW64\RWLN.dll	rutserv.exe
File created	C:\Windows\SysWOW64\sysfiles\microsoft.vc90.crt.manifest	msiexec.exe
File created	C:\Windows\SysWOW64\sysfiles\msvcp90.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\sysfiles\Logs\rms_log_2022-04.html	rutserv.exe
File created	C:\Windows\SysWOW64\sysfiles\ripcserver.dll	msiexec.exe
File created	C:\Windows\SysWOW64\sysfiles\vp8decoder.dll	msiexec.exe
File created	C:\Windows\SysWOW64\sysfiles\oledlg.dll	msiexec.exe
File created	C:\Windows\SysWOW64\sysfiles\rfusclient.exe	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\RWLN.dll	rutserv.exe
File created	C:\Windows\SysWOW64\sysfiles\Logs\rms_log_2022-04.html	rutserv.exe
File created	C:\Windows\SysWOW64\sysfiles\dsfvorbisencoder.dll	msiexec.exe
File created	C:\Windows\SysWOW64\sysfiles\msvcr90.dll	msiexec.exe
File created	C:\Windows\SysWOW64\sysfiles\msimg32.dll	msiexec.exe
File created	C:\Windows\SysWOW64\sysfiles\rutserv.exe	msiexec.exe
File created	C:\Windows\SysWOW64\sysfiles\dsfvorbisdecoder.dll	msiexec.exe
File created	C:\Windows\SysWOW64\sysfiles\gdiplus.dll	msiexec.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File created	C:\Windows\Installer\6c2a5c.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2BB3.tmp	msiexec.exe
File created	C:\Windows\Installer\6c2a5e.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6615.tmp	msiexec.exe
File created	C:\Windows\Installer\6c2a60.msi	msiexec.exe
File created	C:\Windows\Installer\{AB7AA605-500F-4153-8207-FB5563419112}\ARPPRODUCTICON.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\6c2a5c.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\{AB7AA605-500F-4153-8207-FB5563419112}\ARPPRODUCTICON.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\6c2a5e.ipi	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 58 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\DOMStorage\ya.ru\ = "22"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 806fc0499f50d801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{5DE63DA1-BC92-11EC-AE54-7EE61918B1DD} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\DOMStorage\ya.ru\Total = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\DOMStorage\ya.ru\Total = "22"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000358f16e0538341458b70f68dad1eafd4000000000200000000001066000000010000200000005c78d99a11ee7cabf058242122c87d50775d9c6c67a476ccca3ae406cc9bd802000000000e80000000020000200000001c370fd50b004693dfb60f404980c9783ed4edc7dd2ebb47caaca5d9e1e3146190000000a55e84d915738419a796d649182b89166bdb39f5f8f5a658f3d0ab3b95d4a561dd8d3a5764143c3d69cfda2506130ab7024d38d91547c5c56e553fbf1822826d95cbf96092fd66155085a9f1a4761947f0f1db2bd3ed17ca9174bf310f826a45e26c3de27cb757beccdecb7ec0c3be44c0b307ac186621fd55756ce256fa8107aceac538c5e8f97534eba263fa36c7e7400000002ea08cf26515a05b7906c15f16835bca6c4f9ec1f90d5c470f866b20c7b4fe4f54024d1e955424051103e0b00e169601c6006b69925a64d67a22f524cdf82f8a	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\DOMStorage\ya.ru\ = "34"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "34"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\DOMStorage\ya.ru\ = "9"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\DOMStorage\ya.ru\ = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "62"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\DOMStorage\ya.ru\NumberOfSubdomains = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\DOMStorage\ya.ru\Total = "62"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\DOMStorage\ya.ru\Total = "34"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\DOMStorage\ya.ru\ = "62"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "22"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\DOMStorage\ya.ru\Total = "266"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000358f16e0538341458b70f68dad1eafd400000000020000000000106600000001000020000000529680960d23df4fbf2f5731e6bcac61d6b35acab537b8a203b972b7e7ebc9ea000000000e8000000002000020000000f27a8dc504e86a824731966db5d33ced0eb8539444a738636bf0af9c452805a52000000039ee236cfd8e83c592dbee2a08cc54b6675b64400812b21b2b0764cb06cac53f4000000014087a496017f9a1b044728ea61f0742a60673b6bbd31b02c3589b99fcf63017a18c97283052cfdaa639cb0fe4920b3a1de1435a73b0e0be13fe743d17a764ab	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "9"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\DOMStorage\ya.ru\Total = "9"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\DOMStorage\ya.ru\ = "266"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "266"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "356774717"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\DOMStorage\ya.ru	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "0"	IEXPLORE.EXE

Modifies data under HKEY_USERS 12 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	rfusclient.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	rfusclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	rfusclient.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	rfusclient.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	rfusclient.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E	msiexec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	rfusclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	rfusclient.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	rfusclient.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	rfusclient.exe

Modifies registry class 24 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\SourceList\Media\1 = "DISK1;1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\7ZipSfx.000\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\506AA7BAF00535142870BF5536141921\Remote_Office_Manager	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\Version = "97648640"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\InstanceType = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\Language = "1049"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\AdvertiseFlags = "388"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\ProductIcon = "C:\\Windows\\Installer\\{AB7AA605-500F-4153-8207-FB5563419112}\\ARPPRODUCTICON.exe"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\SourceList\Media\DiskPrompt = "[1]"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\506AA7BAF00535142870BF5536141921	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\SourceList\PackageName = "rms5.2.1_server.msi"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\SourceList\Net	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\509B38EF4554FFD4794F292971C81B17\506AA7BAF00535142870BF5536141921	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\7ZipSfx.000\\"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\ProductName = "Microsoft Visual C++ 2008 Redistributable - x86 10.0.743894.2047"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\PackageCode = "558594499A0F7BE41A10BED2C55AA173"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\AuthorizedLUAApp = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\506AA7BAF00535142870BF5536141921\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\509B38EF4554FFD4794F292971C81B17	msiexec.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1500	PING.EXE

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
580	msiexec.exe
580	msiexec.exe
1568	rutserv.exe
1568	rutserv.exe
1800	rutserv.exe
1800	rutserv.exe
628	rutserv.exe
628	rutserv.exe
620	rutserv.exe
620	rutserv.exe
620	rutserv.exe
620	rutserv.exe
796	rfusclient.exe

Suspicious behavior: SetClipboardViewer 1 IoCs

pid	Process
1588	rfusclient.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1288	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1288	msiexec.exe
Token: SeRestorePrivilege	580	msiexec.exe
Token: SeTakeOwnershipPrivilege	580	msiexec.exe
Token: SeSecurityPrivilege	580	msiexec.exe
Token: SeCreateTokenPrivilege	1288	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1288	msiexec.exe
Token: SeLockMemoryPrivilege	1288	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1288	msiexec.exe
Token: SeMachineAccountPrivilege	1288	msiexec.exe
Token: SeTcbPrivilege	1288	msiexec.exe
Token: SeSecurityPrivilege	1288	msiexec.exe
Token: SeTakeOwnershipPrivilege	1288	msiexec.exe
Token: SeLoadDriverPrivilege	1288	msiexec.exe
Token: SeSystemProfilePrivilege	1288	msiexec.exe
Token: SeSystemtimePrivilege	1288	msiexec.exe
Token: SeProfSingleProcessPrivilege	1288	msiexec.exe
Token: SeIncBasePriorityPrivilege	1288	msiexec.exe
Token: SeCreatePagefilePrivilege	1288	msiexec.exe
Token: SeCreatePermanentPrivilege	1288	msiexec.exe
Token: SeBackupPrivilege	1288	msiexec.exe
Token: SeRestorePrivilege	1288	msiexec.exe
Token: SeShutdownPrivilege	1288	msiexec.exe
Token: SeDebugPrivilege	1288	msiexec.exe
Token: SeAuditPrivilege	1288	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1288	msiexec.exe
Token: SeChangeNotifyPrivilege	1288	msiexec.exe
Token: SeRemoteShutdownPrivilege	1288	msiexec.exe
Token: SeUndockPrivilege	1288	msiexec.exe
Token: SeSyncAgentPrivilege	1288	msiexec.exe
Token: SeEnableDelegationPrivilege	1288	msiexec.exe
Token: SeManageVolumePrivilege	1288	msiexec.exe
Token: SeImpersonatePrivilege	1288	msiexec.exe
Token: SeCreateGlobalPrivilege	1288	msiexec.exe
Token: SeShutdownPrivilege	896	msiexec.exe
Token: SeIncreaseQuotaPrivilege	896	msiexec.exe
Token: SeCreateTokenPrivilege	896	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	896	msiexec.exe
Token: SeLockMemoryPrivilege	896	msiexec.exe
Token: SeIncreaseQuotaPrivilege	896	msiexec.exe
Token: SeMachineAccountPrivilege	896	msiexec.exe
Token: SeTcbPrivilege	896	msiexec.exe
Token: SeSecurityPrivilege	896	msiexec.exe
Token: SeTakeOwnershipPrivilege	896	msiexec.exe
Token: SeLoadDriverPrivilege	896	msiexec.exe
Token: SeSystemProfilePrivilege	896	msiexec.exe
Token: SeSystemtimePrivilege	896	msiexec.exe
Token: SeProfSingleProcessPrivilege	896	msiexec.exe
Token: SeIncBasePriorityPrivilege	896	msiexec.exe
Token: SeCreatePagefilePrivilege	896	msiexec.exe
Token: SeCreatePermanentPrivilege	896	msiexec.exe
Token: SeBackupPrivilege	896	msiexec.exe
Token: SeRestorePrivilege	896	msiexec.exe
Token: SeShutdownPrivilege	896	msiexec.exe
Token: SeDebugPrivilege	896	msiexec.exe
Token: SeAuditPrivilege	896	msiexec.exe
Token: SeSystemEnvironmentPrivilege	896	msiexec.exe
Token: SeChangeNotifyPrivilege	896	msiexec.exe
Token: SeRemoteShutdownPrivilege	896	msiexec.exe
Token: SeUndockPrivilege	896	msiexec.exe
Token: SeSyncAgentPrivilege	896	msiexec.exe
Token: SeEnableDelegationPrivilege	896	msiexec.exe
Token: SeManageVolumePrivilege	896	msiexec.exe
Token: SeImpersonatePrivilege	896	msiexec.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
1288	msiexec.exe
1288	msiexec.exe
2024	iexplore.exe
896	msiexec.exe
896	msiexec.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2024	iexplore.exe
2024	iexplore.exe
1816	IEXPLORE.EXE
1816	IEXPLORE.EXE
1816	IEXPLORE.EXE
1816	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1784 wrote to memory of 2024	1784	9e53945f65d0528540a52741bde298a2626582e684f56ddd0f4e534e13491c12.exe	28
PID 1784 wrote to memory of 2024	1784	9e53945f65d0528540a52741bde298a2626582e684f56ddd0f4e534e13491c12.exe	28
PID 1784 wrote to memory of 2024	1784	9e53945f65d0528540a52741bde298a2626582e684f56ddd0f4e534e13491c12.exe	28
PID 1784 wrote to memory of 2024	1784	9e53945f65d0528540a52741bde298a2626582e684f56ddd0f4e534e13491c12.exe	28
PID 1784 wrote to memory of 736	1784	9e53945f65d0528540a52741bde298a2626582e684f56ddd0f4e534e13491c12.exe	29
PID 1784 wrote to memory of 736	1784	9e53945f65d0528540a52741bde298a2626582e684f56ddd0f4e534e13491c12.exe	29
PID 1784 wrote to memory of 736	1784	9e53945f65d0528540a52741bde298a2626582e684f56ddd0f4e534e13491c12.exe	29
PID 1784 wrote to memory of 736	1784	9e53945f65d0528540a52741bde298a2626582e684f56ddd0f4e534e13491c12.exe	29
PID 1784 wrote to memory of 736	1784	9e53945f65d0528540a52741bde298a2626582e684f56ddd0f4e534e13491c12.exe	29
PID 1784 wrote to memory of 736	1784	9e53945f65d0528540a52741bde298a2626582e684f56ddd0f4e534e13491c12.exe	29
PID 1784 wrote to memory of 736	1784	9e53945f65d0528540a52741bde298a2626582e684f56ddd0f4e534e13491c12.exe	29
PID 736 wrote to memory of 1320	736	cmd.exe	31
PID 736 wrote to memory of 1320	736	cmd.exe	31
PID 736 wrote to memory of 1320	736	cmd.exe	31
PID 736 wrote to memory of 1320	736	cmd.exe	31
PID 736 wrote to memory of 1288	736	cmd.exe	33
PID 736 wrote to memory of 1288	736	cmd.exe	33
PID 736 wrote to memory of 1288	736	cmd.exe	33
PID 736 wrote to memory of 1288	736	cmd.exe	33
PID 736 wrote to memory of 1288	736	cmd.exe	33
PID 736 wrote to memory of 1288	736	cmd.exe	33
PID 736 wrote to memory of 1288	736	cmd.exe	33
PID 2024 wrote to memory of 1816	2024	iexplore.exe	34
PID 2024 wrote to memory of 1816	2024	iexplore.exe	34
PID 2024 wrote to memory of 1816	2024	iexplore.exe	34
PID 2024 wrote to memory of 1816	2024	iexplore.exe	34
PID 736 wrote to memory of 896	736	cmd.exe	36
PID 736 wrote to memory of 896	736	cmd.exe	36
PID 736 wrote to memory of 896	736	cmd.exe	36
PID 736 wrote to memory of 896	736	cmd.exe	36
PID 736 wrote to memory of 896	736	cmd.exe	36
PID 736 wrote to memory of 896	736	cmd.exe	36
PID 736 wrote to memory of 896	736	cmd.exe	36
PID 736 wrote to memory of 1500	736	cmd.exe	37
PID 736 wrote to memory of 1500	736	cmd.exe	37
PID 736 wrote to memory of 1500	736	cmd.exe	37
PID 736 wrote to memory of 1500	736	cmd.exe	37
PID 736 wrote to memory of 1772	736	cmd.exe	38
PID 736 wrote to memory of 1772	736	cmd.exe	38
PID 736 wrote to memory of 1772	736	cmd.exe	38
PID 736 wrote to memory of 1772	736	cmd.exe	38
PID 736 wrote to memory of 1772	736	cmd.exe	38
PID 736 wrote to memory of 1772	736	cmd.exe	38
PID 736 wrote to memory of 1772	736	cmd.exe	38
PID 580 wrote to memory of 604	580	msiexec.exe	40
PID 580 wrote to memory of 604	580	msiexec.exe	40
PID 580 wrote to memory of 604	580	msiexec.exe	40
PID 580 wrote to memory of 604	580	msiexec.exe	40
PID 580 wrote to memory of 604	580	msiexec.exe	40
PID 580 wrote to memory of 604	580	msiexec.exe	40
PID 580 wrote to memory of 604	580	msiexec.exe	40
PID 580 wrote to memory of 928	580	msiexec.exe	41
PID 580 wrote to memory of 928	580	msiexec.exe	41
PID 580 wrote to memory of 928	580	msiexec.exe	41
PID 580 wrote to memory of 928	580	msiexec.exe	41
PID 928 wrote to memory of 1568	928	rfusclient.exe	42
PID 928 wrote to memory of 1568	928	rfusclient.exe	42
PID 928 wrote to memory of 1568	928	rfusclient.exe	42
PID 928 wrote to memory of 1568	928	rfusclient.exe	42
PID 580 wrote to memory of 1144	580	msiexec.exe	43
PID 580 wrote to memory of 1144	580	msiexec.exe	43
PID 580 wrote to memory of 1144	580	msiexec.exe	43
PID 580 wrote to memory of 1144	580	msiexec.exe	43
PID 1144 wrote to memory of 1800	1144	rfusclient.exe	44

C:\Users\Admin\AppData\Local\Temp\9e53945f65d0528540a52741bde298a2626582e684f56ddd0f4e534e13491c12.exe
"C:\Users\Admin\AppData\Local\Temp\9e53945f65d0528540a52741bde298a2626582e684f56ddd0f4e534e13491c12.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1784
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://www.ya.ru/
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2024
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2024 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1816
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\install.cmd" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:736
- - C:\Windows\SysWOW64\chcp.com
    chcp 1251
    3⤵
    PID:1320
- - C:\Windows\SysWOW64\msiexec.exe
    MsiExec /x {61FFA475-24D5-44FB-A51F-39B699E3D82C} /passive REBOOT=ReallySuppress
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    PID:1288
- - C:\Windows\SysWOW64\msiexec.exe
    MsiExec /x {AB7AA605-500F-4153-8207-FB5563419112} /passive REBOOT=ReallySuppress
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    PID:896
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:1500
- - C:\Windows\SysWOW64\msiexec.exe
    MsiExec /I "rms5.2.1_server.msi" /qn
    3⤵
    PID:1772

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:580
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding B7D751A1B2AA71A41CD9A5A800DFC63C
  2⤵
  - Loads dropped DLL
  PID:604
- C:\Windows\SysWOW64\sysfiles\rfusclient.exe
  "C:\Windows\SysWOW64\sysfiles\rfusclient.exe" /server /silentinstall
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies data under HKEY_USERS
  - Suspicious use of WriteProcessMemory
  PID:928
- - C:\Windows\SysWOW64\sysfiles\rutserv.exe
    "C:\Windows\SysWOW64\sysfiles\rutserv.exe" /silentinstall
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    PID:1568
- C:\Windows\SysWOW64\sysfiles\rfusclient.exe
  "C:\Windows\SysWOW64\sysfiles\rfusclient.exe" /server /firewall
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies data under HKEY_USERS
  - Suspicious use of WriteProcessMemory
  PID:1144
- - C:\Windows\SysWOW64\sysfiles\rutserv.exe
    "C:\Windows\SysWOW64\sysfiles\rutserv.exe" /firewall
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    PID:1800
- C:\Windows\SysWOW64\sysfiles\rfusclient.exe
  "C:\Windows\SysWOW64\sysfiles\rfusclient.exe" /server /start
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies data under HKEY_USERS
  PID:956
- - C:\Windows\SysWOW64\sysfiles\rutserv.exe
    "C:\Windows\SysWOW64\sysfiles\rutserv.exe" /start
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    PID:628

C:\Windows\SysWOW64\sysfiles\rutserv.exe
C:\Windows\SysWOW64\sysfiles\rutserv.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:620
- C:\Windows\SysWOW64\sysfiles\rfusclient.exe
  C:\Windows\SysWOW64\sysfiles\rfusclient.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:796
- - C:\Windows\SysWOW64\sysfiles\rfusclient.exe
    C:\Windows\SysWOW64\sysfiles\rfusclient.exe /tray
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: SetClipboardViewer
    PID:1588
- C:\Windows\SysWOW64\sysfiles\rfusclient.exe
  C:\Windows\SysWOW64\sysfiles\rfusclient.exe /tray
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:900

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c7dfbe54bfb97ac10793711850c8d62e

SHA1
11aa65565053483109765f02762aca3148e8e48b

SHA256
6dc3e35ead237b3d77eca0bffa426bb82459d17bdba72dc9894cd1f691757eef

SHA512
54a70eb862f9c97c7488d6f594cbcd6f062f4e9a2444fa7988ceb6a868863a46157824fb85a45fc7899b75a5e9559289fb39da4756cb287bafca5f921f856938

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\k007hrg\imagestore.dat

Filesize
4KB

MD5
704e74b48b102b5bdd5559a2251223f0

SHA1
72bc09c5930fec0d9fdba46ee092da423eb34848

SHA256
0a7767704cc071e4344ba3a0a731836028cafc57c2de0fa08db5cce902ce3844

SHA512
7fcd010191555d51f8a822a1bf3d73f39a17fa48ded15a45d9efb8806a57f6c4ee14f1dd0022fb524e2dd0137e36155456db1f97293cb0e2e24cfa4467aebdd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\install.cmd

Filesize
234B

MD5
e68ce62a8f6eb00ef26f304f5cd22976

SHA1
54eca93b59e74f03e767c1e49737e831c755c36b

SHA256
1b8d2d2b6a4fbd789c21b1ed0ea00a3fd704d368e1ab869673b265bd74221356

SHA512
3c32a3b2c11fdc3439ef0f5d5e9061e9ce1a8aaf4b06e0036288296cd9deb3fe95a2c759264422b2f0894afe4914af102e450ed3328e78b13115b5ca1a89f574

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rms5.2.1_server.msi

Filesize
6.5MB

MD5
2625e0e4874b1e37014dda1406bd4167

SHA1
7cf55914b8b1eecbf404d63bdc5f0764f8d98ead

SHA256
c78b25acc17b401d511359faf60c56d5d7cbe564058d58a3d7ccdf320e99edd1

SHA512
8b17e16d99b0be6dbbe60292c4be304b51e279fd023acc1c65a39acb55e0be1a53e6f84de44d87bac8c3ac9f4a7a504a110fa08b16ee0c28125d9c0ba097ac7d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\33LG21KX.txt

Filesize
599B

MD5
33fd385c6591e5e5689772b27299047b

SHA1
62a81f578ec4a1f72e97256c2f7cbae9c21e5c6a

SHA256
ffe18db279cf9cc44e7297ee5ebee74cfc82d980310bbd4f1cebaf6c4d8ad2d9

SHA512
c6f0c2ca7121840efeed4040912818914b38b3c06c6c21cf908e2be2c1a4c2c4d78e1799f9bbd12a4b705e6fb9dc0d21da7c77cdf1d5f1f37e68f3cb9fcd67c5

Download Submit
C:\Windows\Installer\MSI2BB3.tmp

Filesize
125KB

MD5
b0bcc622f1fff0eec99e487fa1a4ddd9

SHA1
49aa392454bd5869fa23794196aedc38e8eea6f5

SHA256
b32687eaaad888410718875dcbff9f6a552e29c4d76af33e06e59859e1054081

SHA512
1572c1d07df2e9262d05a915d69ec4ebeb92eab50b89ce27dd290fb5a8e1de2c97d9320a3bb006834c98b3f6afcd7d2c29f039d9ca9afaa09c714406dedbc3c7

Download Submit
C:\Windows\SysWOW64\sysfiles\RWLN.dll

Filesize
357KB

MD5
bb1f3e716d12734d1d2d9219a3979a62

SHA1
0ef66eed2f2ae45ec2d478902833b830334109cb

SHA256
d7e9c9043ed7df2af800d9b2a33e3efddf68b70f043e9717afc4b7dd4e13e077

SHA512
bbc90747dd45a01b05f5c0b6fa58ffe18af894b05363267ac1cc9fe3262f5e65c8ae4e08dfd82d89b9112e86e42d24a12784b79f5ea30b6443015c19b6792c9c

Download Submit
C:\Windows\SysWOW64\sysfiles\dsfvorbisdecoder.dll

Filesize
234KB

MD5
8e3f59b8c9dfc933fca30edefeb76186

SHA1
37a78089d5936d1bc3b60915971604c611a94dbd

SHA256
528c0656751b336c10cb4c49b703eae9c3863f7f416d0e09b198b082cc54aeb8

SHA512
3224c20c30556774fd4bed78909f451b9a5a46aa59271b5e88b1e0e60145d217802a8f1fda3d3fabcd8546ca7783e0c70f0c419a28efe6c5160a102553a3c91d

Download Submit
C:\Windows\SysWOW64\sysfiles\dsfvorbisencoder.dll

Filesize
1.6MB

MD5
ff622a8812d8b1eff8f8d1a32087f9d2

SHA1
910615c9374b8734794ac885707ff5370db42ef1

SHA256
1b8fe11c0bdcbf1f4503c478843de02177c606912c89e655e482adec787c2ebf

SHA512
1a7c49f172691bf071df0d47d6ee270afbfa889afb8d5bd893496277fd816630ecd7b50c978b53d88228922ba6070f382b959ffc389394e0f08daab107369931

Download Submit
C:\Windows\SysWOW64\sysfiles\gdiplus.dll

Filesize
1.6MB

MD5
871c903a90c45ca08a9d42803916c3f7

SHA1
d962a12bc15bfb4c505bb63f603ca211588958db

SHA256
f1da32183b3da19f75fa4ef0974a64895266b16d119bbb1da9fe63867dba0645

SHA512
985b0b8b5e3d96acfd0514676d9f0c5d2d8f11e31f01acfa0f7da9af3568e12343ca77f541f55edda6a0e5c14fe733bda5dc1c10bb170d40d15b7a60ad000145

Download Submit
C:\Windows\SysWOW64\sysfiles\msimg32.dll

Filesize
3KB

MD5
51af730a69ae4d520bed1ef9b658e0f8

SHA1
d2fbeac55b43bc4503154c465a99e91f57f9cbd3

SHA256
1a1b2ae21c9ecd0d2fcf1098b9906b39d8c440dbb1165d2e5c3b1a8b03b071fe

SHA512
348803eeb31ecf767474bdc5831c0a89d0fbf5b35913ab40f673ef5c5ccc2e02fe823ee596b8ab7a0beca40d07d0841426064a42fc0ef5d91d12ae9869d07685

Download Submit
C:\Windows\SysWOW64\sysfiles\msvcp90.dll

Filesize
556KB

MD5
b2eee3dee31f50e082e9c720a6d7757d

SHA1
3322840fef43c92fb55dc31e682d19970daf159d

SHA256
4608beedd8cf9c3fc5ab03716b4ab6f01c7b7d65a7c072af04f514ffb0e02d01

SHA512
8b1854e80045001e7ab3a978fb4aa1de19a3c9fc206013d7bc43aec919f45e46bb7555f667d9f7d7833ab8baa55c9098af8872006ff277fc364a5e6f99ee25d3

Download Submit
C:\Windows\SysWOW64\sysfiles\msvcr90.dll

Filesize
637KB

MD5
7538050656fe5d63cb4b80349dd1cfe3

SHA1
f825c40fee87cc9952a61c8c34e9f6eee8da742d

SHA256
e16bc9b66642151de612ee045c2810ca6146975015bd9679a354567f56da2099

SHA512
843e22630254d222dfd12166c701f6cd1dca4a8dc216c7a8c9c0ab1afc90189cfa8b6499bbc46408008a1d985394eb8a660b1fa1991059a65c09e8d6481a3af8

Download Submit
C:\Windows\SysWOW64\sysfiles\oledlg.dll

Filesize
4KB

MD5
d3f47f9ef1d3c358446c3680021e98ac

SHA1
5c50ab5a79d770a1e5ad43378d69d218de3ec4e6

SHA256
52fdc5181c9de91bfce282955f921b1938caf40a7d1528131b5155a367585ede

SHA512
eb55db05f167b4a49f2d586c446ac993463b3755e567d1e2e6024fbd8d2c683ea4c537c91978676de7f34aa20bcf86d9cb35072345e29bc8f94ebbc1bf894b8f

Download Submit
C:\Windows\SysWOW64\sysfiles\rasadhlp.dll

Filesize
3KB

MD5
8679b09cc9600a1f11a3c09cec12637b

SHA1
cad5c92e561b64d1f4e1f70c7596dcf186304ecb

SHA256
7e840982833d4c4d68835003960762fa3982c899ac1c8b63e4fdbbb35448152f

SHA512
93a8d0e78932793ccd534c17c48af203665d7b3d326d7b21b2b4aa54925a853e674324774fa9a99194eca7a930d504568095529a6b6a2e63b73f0c719bc424e6

Download Submit
C:\Windows\SysWOW64\sysfiles\rfusclient.exe

Filesize
3.9MB

MD5
fd73724d0268dafcefb8b4061e4045b0

SHA1
8205f76d796577817d5f9c1ef735a229c69a215f

SHA256
cef753b98d114554b8d9b44d7a0062904f7da3165e79aa346c445e3a0f7805f2

SHA512
8c135e80c2e70a5abb2975ca1c9ba77c9093ba0f8cab1e19d80ac0ab6b8049009ba7739f3a30f69bb4d5374f80fe3cf7e8735c2249927721595f380e5307d96e

Download Submit
C:\Windows\SysWOW64\sysfiles\rfusclient.exe

Filesize
3.9MB

MD5
fd73724d0268dafcefb8b4061e4045b0

SHA1
8205f76d796577817d5f9c1ef735a229c69a215f

SHA256
cef753b98d114554b8d9b44d7a0062904f7da3165e79aa346c445e3a0f7805f2

SHA512
8c135e80c2e70a5abb2975ca1c9ba77c9093ba0f8cab1e19d80ac0ab6b8049009ba7739f3a30f69bb4d5374f80fe3cf7e8735c2249927721595f380e5307d96e

Download Submit
C:\Windows\SysWOW64\sysfiles\rfusclient.exe

Filesize
3.9MB

MD5
fd73724d0268dafcefb8b4061e4045b0

SHA1
8205f76d796577817d5f9c1ef735a229c69a215f

SHA256
cef753b98d114554b8d9b44d7a0062904f7da3165e79aa346c445e3a0f7805f2

SHA512
8c135e80c2e70a5abb2975ca1c9ba77c9093ba0f8cab1e19d80ac0ab6b8049009ba7739f3a30f69bb4d5374f80fe3cf7e8735c2249927721595f380e5307d96e

Download Submit
C:\Windows\SysWOW64\sysfiles\rfusclient.exe

Filesize
3.9MB

MD5
fd73724d0268dafcefb8b4061e4045b0

SHA1
8205f76d796577817d5f9c1ef735a229c69a215f

SHA256
cef753b98d114554b8d9b44d7a0062904f7da3165e79aa346c445e3a0f7805f2

SHA512
8c135e80c2e70a5abb2975ca1c9ba77c9093ba0f8cab1e19d80ac0ab6b8049009ba7739f3a30f69bb4d5374f80fe3cf7e8735c2249927721595f380e5307d96e

Download Submit
C:\Windows\SysWOW64\sysfiles\rfusclient.exe

Filesize
3.9MB

MD5
fd73724d0268dafcefb8b4061e4045b0

SHA1
8205f76d796577817d5f9c1ef735a229c69a215f

SHA256
cef753b98d114554b8d9b44d7a0062904f7da3165e79aa346c445e3a0f7805f2

SHA512
8c135e80c2e70a5abb2975ca1c9ba77c9093ba0f8cab1e19d80ac0ab6b8049009ba7739f3a30f69bb4d5374f80fe3cf7e8735c2249927721595f380e5307d96e

Download Submit
C:\Windows\SysWOW64\sysfiles\rfusclient.exe

Filesize
3.9MB

MD5
fd73724d0268dafcefb8b4061e4045b0

SHA1
8205f76d796577817d5f9c1ef735a229c69a215f

SHA256
cef753b98d114554b8d9b44d7a0062904f7da3165e79aa346c445e3a0f7805f2

SHA512
8c135e80c2e70a5abb2975ca1c9ba77c9093ba0f8cab1e19d80ac0ab6b8049009ba7739f3a30f69bb4d5374f80fe3cf7e8735c2249927721595f380e5307d96e

Download Submit
C:\Windows\SysWOW64\sysfiles\rfusclient.exe

Filesize
3.9MB

MD5
fd73724d0268dafcefb8b4061e4045b0

SHA1
8205f76d796577817d5f9c1ef735a229c69a215f

SHA256
cef753b98d114554b8d9b44d7a0062904f7da3165e79aa346c445e3a0f7805f2

SHA512
8c135e80c2e70a5abb2975ca1c9ba77c9093ba0f8cab1e19d80ac0ab6b8049009ba7739f3a30f69bb4d5374f80fe3cf7e8735c2249927721595f380e5307d96e

Download Submit
C:\Windows\SysWOW64\sysfiles\ripcserver.dll

Filesize
144KB

MD5
30e269f850baf6ca25187815912e21c5

SHA1
eb160de97d12b4e96f350dd0d0126d41d658afb3

SHA256
379191bfd34d41e96760c7a539e2056a22be3d44bf0e8712b53e443f55aead90

SHA512
9b86a4eefdcae46e605f85e752ef61e39fd0212a19b7fd4c35eb3ab99851a0b906d048d12d1e1e985a340a67a64d405b8cf803555865137278f0c19d686df5e7

Download Submit
C:\Windows\SysWOW64\sysfiles\rutserv.exe

Filesize
4.7MB

MD5
5cd22562ef246c66c255676937d33f0d

SHA1
1d44452f59a8cf755e7931c55f2f84d147400b8e

SHA256
a063ec7ae0beda06cec13706320f5a9d537e4f19755ce2761cbc2b25070e2246

SHA512
0da8af59ae88169947114a0fdca61106863faf7244072f011c68270f197945fb384a319ccb7bf99d460458500d8e6f88306006bb6d76d19a13ab67adec1b21cf

Download Submit
C:\Windows\SysWOW64\sysfiles\rutserv.exe

Filesize
4.7MB

MD5
5cd22562ef246c66c255676937d33f0d

SHA1
1d44452f59a8cf755e7931c55f2f84d147400b8e

SHA256
a063ec7ae0beda06cec13706320f5a9d537e4f19755ce2761cbc2b25070e2246

SHA512
0da8af59ae88169947114a0fdca61106863faf7244072f011c68270f197945fb384a319ccb7bf99d460458500d8e6f88306006bb6d76d19a13ab67adec1b21cf

Download Submit
C:\Windows\SysWOW64\sysfiles\rutserv.exe

Filesize
4.7MB

MD5
5cd22562ef246c66c255676937d33f0d

SHA1
1d44452f59a8cf755e7931c55f2f84d147400b8e

SHA256
a063ec7ae0beda06cec13706320f5a9d537e4f19755ce2761cbc2b25070e2246

SHA512
0da8af59ae88169947114a0fdca61106863faf7244072f011c68270f197945fb384a319ccb7bf99d460458500d8e6f88306006bb6d76d19a13ab67adec1b21cf

Download Submit
C:\Windows\SysWOW64\sysfiles\rutserv.exe

Filesize
4.7MB

MD5
5cd22562ef246c66c255676937d33f0d

SHA1
1d44452f59a8cf755e7931c55f2f84d147400b8e

SHA256
a063ec7ae0beda06cec13706320f5a9d537e4f19755ce2761cbc2b25070e2246

SHA512
0da8af59ae88169947114a0fdca61106863faf7244072f011c68270f197945fb384a319ccb7bf99d460458500d8e6f88306006bb6d76d19a13ab67adec1b21cf

Download Submit
C:\Windows\SysWOW64\sysfiles\rutserv.exe

Filesize
4.7MB

MD5
5cd22562ef246c66c255676937d33f0d

SHA1
1d44452f59a8cf755e7931c55f2f84d147400b8e

SHA256
a063ec7ae0beda06cec13706320f5a9d537e4f19755ce2761cbc2b25070e2246

SHA512
0da8af59ae88169947114a0fdca61106863faf7244072f011c68270f197945fb384a319ccb7bf99d460458500d8e6f88306006bb6d76d19a13ab67adec1b21cf

Download Submit
C:\Windows\SysWOW64\sysfiles\vp8decoder.dll

Filesize
403KB

MD5
6f6bfe02e84a595a56b456f72debd4ee

SHA1
90bad3ae1746c7a45df2dbf44cd536eb1bf3c8e2

SHA256
5e59b566eda7bb36f3f5d6dd39858bc9d6cf2c8d81deca4ea3c409804247da51

SHA512
ed2a7402699a6d00d1eac52b0f2dea4475173be3320dfbad5ca58877f06638769533229bc12bce6650726d3166c0e5ebac2dad7171b77b29186d4d5e65818c50

Download Submit
C:\Windows\SysWOW64\sysfiles\vp8encoder.dll

Filesize
685KB

MD5
c638bca1a67911af7f9ed67e7b501154

SHA1
0fd74d2f1bd78f678b897a776d8bce36742c39b7

SHA256
519078219f7f6db542f747702422f902a21bfc3aef8c6e6c3580e1c5e88162b8

SHA512
ca8133399f61a1f339a14e3fad3bfafc6fe3657801fd66df761c88c18b2dc23ceb02ba6faa536690986972933bec2808254ef143c2c22f881285facb4364659f

Download Submit
\Windows\Installer\MSI2BB3.tmp

Filesize
125KB

MD5
b0bcc622f1fff0eec99e487fa1a4ddd9

SHA1
49aa392454bd5869fa23794196aedc38e8eea6f5

SHA256
b32687eaaad888410718875dcbff9f6a552e29c4d76af33e06e59859e1054081

SHA512
1572c1d07df2e9262d05a915d69ec4ebeb92eab50b89ce27dd290fb5a8e1de2c97d9320a3bb006834c98b3f6afcd7d2c29f039d9ca9afaa09c714406dedbc3c7

Download Submit
\Windows\SysWOW64\sysfiles\msimg32.dll

Filesize
3KB

MD5
51af730a69ae4d520bed1ef9b658e0f8

SHA1
d2fbeac55b43bc4503154c465a99e91f57f9cbd3

SHA256
1a1b2ae21c9ecd0d2fcf1098b9906b39d8c440dbb1165d2e5c3b1a8b03b071fe

SHA512
348803eeb31ecf767474bdc5831c0a89d0fbf5b35913ab40f673ef5c5ccc2e02fe823ee596b8ab7a0beca40d07d0841426064a42fc0ef5d91d12ae9869d07685

Download Submit
\Windows\SysWOW64\sysfiles\msimg32.dll

Filesize
3KB

MD5
51af730a69ae4d520bed1ef9b658e0f8

SHA1
d2fbeac55b43bc4503154c465a99e91f57f9cbd3

SHA256
1a1b2ae21c9ecd0d2fcf1098b9906b39d8c440dbb1165d2e5c3b1a8b03b071fe

SHA512
348803eeb31ecf767474bdc5831c0a89d0fbf5b35913ab40f673ef5c5ccc2e02fe823ee596b8ab7a0beca40d07d0841426064a42fc0ef5d91d12ae9869d07685

Download Submit
\Windows\SysWOW64\sysfiles\msimg32.dll

Filesize
3KB

MD5
51af730a69ae4d520bed1ef9b658e0f8

SHA1
d2fbeac55b43bc4503154c465a99e91f57f9cbd3

SHA256
1a1b2ae21c9ecd0d2fcf1098b9906b39d8c440dbb1165d2e5c3b1a8b03b071fe

SHA512
348803eeb31ecf767474bdc5831c0a89d0fbf5b35913ab40f673ef5c5ccc2e02fe823ee596b8ab7a0beca40d07d0841426064a42fc0ef5d91d12ae9869d07685

Download Submit
\Windows\SysWOW64\sysfiles\msimg32.dll

Filesize
3KB

MD5
51af730a69ae4d520bed1ef9b658e0f8

SHA1
d2fbeac55b43bc4503154c465a99e91f57f9cbd3

SHA256
1a1b2ae21c9ecd0d2fcf1098b9906b39d8c440dbb1165d2e5c3b1a8b03b071fe

SHA512
348803eeb31ecf767474bdc5831c0a89d0fbf5b35913ab40f673ef5c5ccc2e02fe823ee596b8ab7a0beca40d07d0841426064a42fc0ef5d91d12ae9869d07685

Download Submit
\Windows\SysWOW64\sysfiles\msimg32.dll

Filesize
3KB

MD5
51af730a69ae4d520bed1ef9b658e0f8

SHA1
d2fbeac55b43bc4503154c465a99e91f57f9cbd3

SHA256
1a1b2ae21c9ecd0d2fcf1098b9906b39d8c440dbb1165d2e5c3b1a8b03b071fe

SHA512
348803eeb31ecf767474bdc5831c0a89d0fbf5b35913ab40f673ef5c5ccc2e02fe823ee596b8ab7a0beca40d07d0841426064a42fc0ef5d91d12ae9869d07685

Download Submit
\Windows\SysWOW64\sysfiles\msimg32.dll

Filesize
3KB

MD5
51af730a69ae4d520bed1ef9b658e0f8

SHA1
d2fbeac55b43bc4503154c465a99e91f57f9cbd3

SHA256
1a1b2ae21c9ecd0d2fcf1098b9906b39d8c440dbb1165d2e5c3b1a8b03b071fe

SHA512
348803eeb31ecf767474bdc5831c0a89d0fbf5b35913ab40f673ef5c5ccc2e02fe823ee596b8ab7a0beca40d07d0841426064a42fc0ef5d91d12ae9869d07685

Download Submit
\Windows\SysWOW64\sysfiles\msimg32.dll

Filesize
3KB

MD5
51af730a69ae4d520bed1ef9b658e0f8

SHA1
d2fbeac55b43bc4503154c465a99e91f57f9cbd3

SHA256
1a1b2ae21c9ecd0d2fcf1098b9906b39d8c440dbb1165d2e5c3b1a8b03b071fe

SHA512
348803eeb31ecf767474bdc5831c0a89d0fbf5b35913ab40f673ef5c5ccc2e02fe823ee596b8ab7a0beca40d07d0841426064a42fc0ef5d91d12ae9869d07685

Download Submit
\Windows\SysWOW64\sysfiles\msimg32.dll

Filesize
3KB

MD5
51af730a69ae4d520bed1ef9b658e0f8

SHA1
d2fbeac55b43bc4503154c465a99e91f57f9cbd3

SHA256
1a1b2ae21c9ecd0d2fcf1098b9906b39d8c440dbb1165d2e5c3b1a8b03b071fe

SHA512
348803eeb31ecf767474bdc5831c0a89d0fbf5b35913ab40f673ef5c5ccc2e02fe823ee596b8ab7a0beca40d07d0841426064a42fc0ef5d91d12ae9869d07685

Download Submit
\Windows\SysWOW64\sysfiles\msimg32.dll

Filesize
3KB

MD5
51af730a69ae4d520bed1ef9b658e0f8

SHA1
d2fbeac55b43bc4503154c465a99e91f57f9cbd3

SHA256
1a1b2ae21c9ecd0d2fcf1098b9906b39d8c440dbb1165d2e5c3b1a8b03b071fe

SHA512
348803eeb31ecf767474bdc5831c0a89d0fbf5b35913ab40f673ef5c5ccc2e02fe823ee596b8ab7a0beca40d07d0841426064a42fc0ef5d91d12ae9869d07685

Download Submit
\Windows\SysWOW64\sysfiles\msimg32.dll

Filesize
3KB

MD5
51af730a69ae4d520bed1ef9b658e0f8

SHA1
d2fbeac55b43bc4503154c465a99e91f57f9cbd3

SHA256
1a1b2ae21c9ecd0d2fcf1098b9906b39d8c440dbb1165d2e5c3b1a8b03b071fe

SHA512
348803eeb31ecf767474bdc5831c0a89d0fbf5b35913ab40f673ef5c5ccc2e02fe823ee596b8ab7a0beca40d07d0841426064a42fc0ef5d91d12ae9869d07685

Download Submit
\Windows\SysWOW64\sysfiles\oledlg.dll

Filesize
4KB

MD5
d3f47f9ef1d3c358446c3680021e98ac

SHA1
5c50ab5a79d770a1e5ad43378d69d218de3ec4e6

SHA256
52fdc5181c9de91bfce282955f921b1938caf40a7d1528131b5155a367585ede

SHA512
eb55db05f167b4a49f2d586c446ac993463b3755e567d1e2e6024fbd8d2c683ea4c537c91978676de7f34aa20bcf86d9cb35072345e29bc8f94ebbc1bf894b8f

Download Submit
\Windows\SysWOW64\sysfiles\oledlg.dll

Filesize
4KB

MD5
d3f47f9ef1d3c358446c3680021e98ac

SHA1
5c50ab5a79d770a1e5ad43378d69d218de3ec4e6

SHA256
52fdc5181c9de91bfce282955f921b1938caf40a7d1528131b5155a367585ede

SHA512
eb55db05f167b4a49f2d586c446ac993463b3755e567d1e2e6024fbd8d2c683ea4c537c91978676de7f34aa20bcf86d9cb35072345e29bc8f94ebbc1bf894b8f

Download Submit
\Windows\SysWOW64\sysfiles\oledlg.dll

Filesize
4KB

MD5
d3f47f9ef1d3c358446c3680021e98ac

SHA1
5c50ab5a79d770a1e5ad43378d69d218de3ec4e6

SHA256
52fdc5181c9de91bfce282955f921b1938caf40a7d1528131b5155a367585ede

SHA512
eb55db05f167b4a49f2d586c446ac993463b3755e567d1e2e6024fbd8d2c683ea4c537c91978676de7f34aa20bcf86d9cb35072345e29bc8f94ebbc1bf894b8f

Download Submit
\Windows\SysWOW64\sysfiles\oledlg.dll

Filesize
4KB

MD5
d3f47f9ef1d3c358446c3680021e98ac

SHA1
5c50ab5a79d770a1e5ad43378d69d218de3ec4e6

SHA256
52fdc5181c9de91bfce282955f921b1938caf40a7d1528131b5155a367585ede

SHA512
eb55db05f167b4a49f2d586c446ac993463b3755e567d1e2e6024fbd8d2c683ea4c537c91978676de7f34aa20bcf86d9cb35072345e29bc8f94ebbc1bf894b8f

Download Submit
\Windows\SysWOW64\sysfiles\oledlg.dll

Filesize
4KB

MD5
d3f47f9ef1d3c358446c3680021e98ac

SHA1
5c50ab5a79d770a1e5ad43378d69d218de3ec4e6

SHA256
52fdc5181c9de91bfce282955f921b1938caf40a7d1528131b5155a367585ede

SHA512
eb55db05f167b4a49f2d586c446ac993463b3755e567d1e2e6024fbd8d2c683ea4c537c91978676de7f34aa20bcf86d9cb35072345e29bc8f94ebbc1bf894b8f

Download Submit
\Windows\SysWOW64\sysfiles\oledlg.dll

Filesize
4KB

MD5
d3f47f9ef1d3c358446c3680021e98ac

SHA1
5c50ab5a79d770a1e5ad43378d69d218de3ec4e6

SHA256
52fdc5181c9de91bfce282955f921b1938caf40a7d1528131b5155a367585ede

SHA512
eb55db05f167b4a49f2d586c446ac993463b3755e567d1e2e6024fbd8d2c683ea4c537c91978676de7f34aa20bcf86d9cb35072345e29bc8f94ebbc1bf894b8f

Download Submit
\Windows\SysWOW64\sysfiles\rasadhlp.dll

Filesize
3KB

MD5
8679b09cc9600a1f11a3c09cec12637b

SHA1
cad5c92e561b64d1f4e1f70c7596dcf186304ecb

SHA256
7e840982833d4c4d68835003960762fa3982c899ac1c8b63e4fdbbb35448152f

SHA512
93a8d0e78932793ccd534c17c48af203665d7b3d326d7b21b2b4aa54925a853e674324774fa9a99194eca7a930d504568095529a6b6a2e63b73f0c719bc424e6

Download Submit
\Windows\SysWOW64\sysfiles\rasadhlp.dll

Filesize
3KB

MD5
8679b09cc9600a1f11a3c09cec12637b

SHA1
cad5c92e561b64d1f4e1f70c7596dcf186304ecb

SHA256
7e840982833d4c4d68835003960762fa3982c899ac1c8b63e4fdbbb35448152f

SHA512
93a8d0e78932793ccd534c17c48af203665d7b3d326d7b21b2b4aa54925a853e674324774fa9a99194eca7a930d504568095529a6b6a2e63b73f0c719bc424e6

Download Submit
\Windows\SysWOW64\sysfiles\rfusclient.exe

Filesize
3.9MB

MD5
fd73724d0268dafcefb8b4061e4045b0

SHA1
8205f76d796577817d5f9c1ef735a229c69a215f

SHA256
cef753b98d114554b8d9b44d7a0062904f7da3165e79aa346c445e3a0f7805f2

SHA512
8c135e80c2e70a5abb2975ca1c9ba77c9093ba0f8cab1e19d80ac0ab6b8049009ba7739f3a30f69bb4d5374f80fe3cf7e8735c2249927721595f380e5307d96e

Download Submit
\Windows\SysWOW64\sysfiles\rfusclient.exe

Filesize
3.9MB

MD5
fd73724d0268dafcefb8b4061e4045b0

SHA1
8205f76d796577817d5f9c1ef735a229c69a215f

SHA256
cef753b98d114554b8d9b44d7a0062904f7da3165e79aa346c445e3a0f7805f2

SHA512
8c135e80c2e70a5abb2975ca1c9ba77c9093ba0f8cab1e19d80ac0ab6b8049009ba7739f3a30f69bb4d5374f80fe3cf7e8735c2249927721595f380e5307d96e

Download Submit
\Windows\SysWOW64\sysfiles\rfusclient.exe

Filesize
3.9MB

MD5
fd73724d0268dafcefb8b4061e4045b0

SHA1
8205f76d796577817d5f9c1ef735a229c69a215f

SHA256
cef753b98d114554b8d9b44d7a0062904f7da3165e79aa346c445e3a0f7805f2

SHA512
8c135e80c2e70a5abb2975ca1c9ba77c9093ba0f8cab1e19d80ac0ab6b8049009ba7739f3a30f69bb4d5374f80fe3cf7e8735c2249927721595f380e5307d96e

Download Submit
\Windows\SysWOW64\sysfiles\rutserv.exe

Filesize
4.7MB

MD5
5cd22562ef246c66c255676937d33f0d

SHA1
1d44452f59a8cf755e7931c55f2f84d147400b8e

SHA256
a063ec7ae0beda06cec13706320f5a9d537e4f19755ce2761cbc2b25070e2246

SHA512
0da8af59ae88169947114a0fdca61106863faf7244072f011c68270f197945fb384a319ccb7bf99d460458500d8e6f88306006bb6d76d19a13ab67adec1b21cf

Download Submit
\Windows\SysWOW64\sysfiles\rutserv.exe

Filesize
4.7MB

MD5
5cd22562ef246c66c255676937d33f0d

SHA1
1d44452f59a8cf755e7931c55f2f84d147400b8e

SHA256
a063ec7ae0beda06cec13706320f5a9d537e4f19755ce2761cbc2b25070e2246

SHA512
0da8af59ae88169947114a0fdca61106863faf7244072f011c68270f197945fb384a319ccb7bf99d460458500d8e6f88306006bb6d76d19a13ab67adec1b21cf

Download Submit
\Windows\SysWOW64\sysfiles\rutserv.exe

Filesize
4.7MB

MD5
5cd22562ef246c66c255676937d33f0d

SHA1
1d44452f59a8cf755e7931c55f2f84d147400b8e

SHA256
a063ec7ae0beda06cec13706320f5a9d537e4f19755ce2761cbc2b25070e2246

SHA512
0da8af59ae88169947114a0fdca61106863faf7244072f011c68270f197945fb384a319ccb7bf99d460458500d8e6f88306006bb6d76d19a13ab67adec1b21cf

Download Submit
\Windows\SysWOW64\sysfiles\rutserv.exe

Filesize
4.7MB

MD5
5cd22562ef246c66c255676937d33f0d

SHA1
1d44452f59a8cf755e7931c55f2f84d147400b8e

SHA256
a063ec7ae0beda06cec13706320f5a9d537e4f19755ce2761cbc2b25070e2246

SHA512
0da8af59ae88169947114a0fdca61106863faf7244072f011c68270f197945fb384a319ccb7bf99d460458500d8e6f88306006bb6d76d19a13ab67adec1b21cf

Download Submit
\Windows\SysWOW64\sysfiles\rutserv.exe

Filesize
4.7MB

MD5
5cd22562ef246c66c255676937d33f0d

SHA1
1d44452f59a8cf755e7931c55f2f84d147400b8e

SHA256
a063ec7ae0beda06cec13706320f5a9d537e4f19755ce2761cbc2b25070e2246

SHA512
0da8af59ae88169947114a0fdca61106863faf7244072f011c68270f197945fb384a319ccb7bf99d460458500d8e6f88306006bb6d76d19a13ab67adec1b21cf

Download Submit
\Windows\SysWOW64\sysfiles\rutserv.exe

Filesize
4.7MB

MD5
5cd22562ef246c66c255676937d33f0d

SHA1
1d44452f59a8cf755e7931c55f2f84d147400b8e

SHA256
a063ec7ae0beda06cec13706320f5a9d537e4f19755ce2761cbc2b25070e2246

SHA512
0da8af59ae88169947114a0fdca61106863faf7244072f011c68270f197945fb384a319ccb7bf99d460458500d8e6f88306006bb6d76d19a13ab67adec1b21cf

Download Submit
\Windows\SysWOW64\sysfiles\rutserv.exe

Filesize
4.7MB

MD5
5cd22562ef246c66c255676937d33f0d

SHA1
1d44452f59a8cf755e7931c55f2f84d147400b8e

SHA256
a063ec7ae0beda06cec13706320f5a9d537e4f19755ce2761cbc2b25070e2246

SHA512
0da8af59ae88169947114a0fdca61106863faf7244072f011c68270f197945fb384a319ccb7bf99d460458500d8e6f88306006bb6d76d19a13ab67adec1b21cf

Download Submit
\Windows\SysWOW64\sysfiles\rutserv.exe

Filesize
4.7MB

MD5
5cd22562ef246c66c255676937d33f0d

SHA1
1d44452f59a8cf755e7931c55f2f84d147400b8e

SHA256
a063ec7ae0beda06cec13706320f5a9d537e4f19755ce2761cbc2b25070e2246

SHA512
0da8af59ae88169947114a0fdca61106863faf7244072f011c68270f197945fb384a319ccb7bf99d460458500d8e6f88306006bb6d76d19a13ab67adec1b21cf

Download Submit
\Windows\SysWOW64\sysfiles\rutserv.exe

Filesize
4.7MB

MD5
5cd22562ef246c66c255676937d33f0d

SHA1
1d44452f59a8cf755e7931c55f2f84d147400b8e

SHA256
a063ec7ae0beda06cec13706320f5a9d537e4f19755ce2761cbc2b25070e2246

SHA512
0da8af59ae88169947114a0fdca61106863faf7244072f011c68270f197945fb384a319ccb7bf99d460458500d8e6f88306006bb6d76d19a13ab67adec1b21cf

Download Submit
\Windows\SysWOW64\sysfiles\rutserv.exe

Filesize
4.7MB

MD5
5cd22562ef246c66c255676937d33f0d

SHA1
1d44452f59a8cf755e7931c55f2f84d147400b8e

SHA256
a063ec7ae0beda06cec13706320f5a9d537e4f19755ce2761cbc2b25070e2246

SHA512
0da8af59ae88169947114a0fdca61106863faf7244072f011c68270f197945fb384a319ccb7bf99d460458500d8e6f88306006bb6d76d19a13ab67adec1b21cf

Download Submit
memory/580-60-0x000007FEFC4B1000-0x000007FEFC4B3000-memory.dmp

Filesize
8KB

Download
memory/1784-54-0x00000000765F1000-0x00000000765F3000-memory.dmp

Filesize
8KB

Download