rms | 9d3bd35fb7ff01941e927cf476ff39cef2dd8ce608fa307a3484c1c522f5f379

Analysis

max time kernel
152s
max time network
153s
platform
windows7_x64
resource
win7-20220414-en
submitted
27-04-2022 14:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9d3bd35fb7ff01941e927cf476ff39cef2dd8ce608fa307a3484c1c522f5f379.exe
Size

4.1MB
MD5

cf430d5f775e4a32801e55af43db9bbb
SHA1

f2faf3d9fbbfbaf5296da25af0c7b37ff26a858c
SHA256

9d3bd35fb7ff01941e927cf476ff39cef2dd8ce608fa307a3484c1c522f5f379
SHA512

aa49f98c13ff17f0b2060f02cfe5d33518679bacb39bab7ddd20c9c4d3a302b941a39505db19dc96c46f71da74832bb57f6e783dbc687da2d2caf841643d90bb

Score

10^/10

rms evasion rat trojan upx

Malware Config

Signatures

RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms

Executes dropped EXE 7 IoCs

pid	Process
1808	pr.exe
1904	rutserv.exe
1056	rutserv.exe
1508	rutserv.exe
1476	rutserv.exe
1556	rfusclient.exe
1820	rfusclient.exe

Sets file to hidden 1 TTPs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0006000000014202-75.dat	upx
behavioral1/files/0x000600000001422c-76.dat	upx
behavioral1/files/0x0006000000014366-80.dat	upx
behavioral1/files/0x000600000001448b-81.dat	upx
behavioral1/files/0x000600000001448b-84.dat	upx
behavioral1/files/0x000600000001448b-86.dat	upx
behavioral1/files/0x000600000001448b-89.dat	upx
behavioral1/files/0x000600000001448b-92.dat	upx
behavioral1/files/0x000600000001448b-94.dat	upx
behavioral1/files/0x0006000000014366-97.dat	upx
behavioral1/files/0x0006000000014366-96.dat	upx
behavioral1/files/0x0006000000014366-100.dat	upx
behavioral1/files/0x0006000000014366-104.dat	upx

Loads dropped DLL 4 IoCs

pid	Process
1456	cmd.exe
1608	cmd.exe
1476	rutserv.exe
1476	rutserv.exe

Drops file in Program Files directory 17 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Games\pr.exe	9d3bd35fb7ff01941e927cf476ff39cef2dd8ce608fa307a3484c1c522f5f379.exe
File created	C:\Program Files\Server\rfusclient.exe	cmd.exe
File created	C:\Program Files\Microsoft Games\1.bat	9d3bd35fb7ff01941e927cf476ff39cef2dd8ce608fa307a3484c1c522f5f379.exe
File created	C:\Program Files\Microsoft Games\pr.exe	9d3bd35fb7ff01941e927cf476ff39cef2dd8ce608fa307a3484c1c522f5f379.exe
File opened for modification	C:\Program Files\Server\vp8decoder.dll	cmd.exe
File created	C:\Program Files\Server\vp8encoder.dll	cmd.exe
File opened for modification	C:\Program Files\Server\rutserv.exe	attrib.exe
File opened for modification	C:\Program Files\Server\vp8decoder.dll	attrib.exe
File created	C:\Program Files\Microsoft Games\__tmp_rar_sfx_access_check_7097577	9d3bd35fb7ff01941e927cf476ff39cef2dd8ce608fa307a3484c1c522f5f379.exe
File opened for modification	C:\Program Files\Server\rutserv.exe	cmd.exe
File opened for modification	C:\Program Files\Server\vp8encoder.dll	cmd.exe
File opened for modification	C:\Program Files\Server\rfusclient.exe	attrib.exe
File opened for modification	C:\Program Files\Server\vp8encoder.dll	attrib.exe
File created	C:\Program Files\Server\rutserv.exe	cmd.exe
File created	C:\Program Files\Server\vp8decoder.dll	cmd.exe
File opened for modification	C:\Program Files\Microsoft Games\1.bat	9d3bd35fb7ff01941e927cf476ff39cef2dd8ce608fa307a3484c1c522f5f379.exe
File opened for modification	C:\Program Files\Server\rfusclient.exe	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Delays execution with timeout.exe 3 IoCs

evasion

pid	Process
1752	timeout.exe
1136	timeout.exe
1784	timeout.exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
1776	taskkill.exe
1688	taskkill.exe

Runs .reg file with regedit 1 IoCs

pid	Process
592	regedit.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
1904	rutserv.exe
1904	rutserv.exe
1904	rutserv.exe
1904	rutserv.exe
1056	rutserv.exe
1056	rutserv.exe
1508	rutserv.exe
1508	rutserv.exe
1476	rutserv.exe
1476	rutserv.exe
1476	rutserv.exe
1476	rutserv.exe
1556	rfusclient.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	1776	taskkill.exe
Token: SeDebugPrivilege	1688	taskkill.exe
Token: SeDebugPrivilege	1904	rutserv.exe
Token: SeDebugPrivilege	1508	rutserv.exe
Token: SeTakeOwnershipPrivilege	1476	rutserv.exe
Token: SeTcbPrivilege	1476	rutserv.exe
Token: SeTcbPrivilege	1476	rutserv.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1904	rutserv.exe
1056	rutserv.exe
1508	rutserv.exe
1476	rutserv.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1828 wrote to memory of 1456	1828	9d3bd35fb7ff01941e927cf476ff39cef2dd8ce608fa307a3484c1c522f5f379.exe	27
PID 1828 wrote to memory of 1456	1828	9d3bd35fb7ff01941e927cf476ff39cef2dd8ce608fa307a3484c1c522f5f379.exe	27
PID 1828 wrote to memory of 1456	1828	9d3bd35fb7ff01941e927cf476ff39cef2dd8ce608fa307a3484c1c522f5f379.exe	27
PID 1828 wrote to memory of 1456	1828	9d3bd35fb7ff01941e927cf476ff39cef2dd8ce608fa307a3484c1c522f5f379.exe	27
PID 1456 wrote to memory of 1808	1456	cmd.exe	29
PID 1456 wrote to memory of 1808	1456	cmd.exe	29
PID 1456 wrote to memory of 1808	1456	cmd.exe	29
PID 1456 wrote to memory of 1808	1456	cmd.exe	29
PID 1808 wrote to memory of 1780	1808	pr.exe	30
PID 1808 wrote to memory of 1780	1808	pr.exe	30
PID 1808 wrote to memory of 1780	1808	pr.exe	30
PID 1808 wrote to memory of 1780	1808	pr.exe	30
PID 1780 wrote to memory of 1608	1780	WScript.exe	31
PID 1780 wrote to memory of 1608	1780	WScript.exe	31
PID 1780 wrote to memory of 1608	1780	WScript.exe	31
PID 1780 wrote to memory of 1608	1780	WScript.exe	31
PID 1780 wrote to memory of 1608	1780	WScript.exe	31
PID 1780 wrote to memory of 1608	1780	WScript.exe	31
PID 1780 wrote to memory of 1608	1780	WScript.exe	31
PID 1608 wrote to memory of 1776	1608	cmd.exe	33
PID 1608 wrote to memory of 1776	1608	cmd.exe	33
PID 1608 wrote to memory of 1776	1608	cmd.exe	33
PID 1608 wrote to memory of 1776	1608	cmd.exe	33
PID 1608 wrote to memory of 1688	1608	cmd.exe	35
PID 1608 wrote to memory of 1688	1608	cmd.exe	35
PID 1608 wrote to memory of 1688	1608	cmd.exe	35
PID 1608 wrote to memory of 1688	1608	cmd.exe	35
PID 1608 wrote to memory of 1720	1608	cmd.exe	36
PID 1608 wrote to memory of 1720	1608	cmd.exe	36
PID 1608 wrote to memory of 1720	1608	cmd.exe	36
PID 1608 wrote to memory of 1720	1608	cmd.exe	36
PID 1608 wrote to memory of 592	1608	cmd.exe	37
PID 1608 wrote to memory of 592	1608	cmd.exe	37
PID 1608 wrote to memory of 592	1608	cmd.exe	37
PID 1608 wrote to memory of 592	1608	cmd.exe	37
PID 1608 wrote to memory of 1752	1608	cmd.exe	38
PID 1608 wrote to memory of 1752	1608	cmd.exe	38
PID 1608 wrote to memory of 1752	1608	cmd.exe	38
PID 1608 wrote to memory of 1752	1608	cmd.exe	38
PID 1608 wrote to memory of 1136	1608	cmd.exe	39
PID 1608 wrote to memory of 1136	1608	cmd.exe	39
PID 1608 wrote to memory of 1136	1608	cmd.exe	39
PID 1608 wrote to memory of 1136	1608	cmd.exe	39
PID 1608 wrote to memory of 1732	1608	cmd.exe	40
PID 1608 wrote to memory of 1732	1608	cmd.exe	40
PID 1608 wrote to memory of 1732	1608	cmd.exe	40
PID 1608 wrote to memory of 1732	1608	cmd.exe	40
PID 1608 wrote to memory of 1904	1608	cmd.exe	41
PID 1608 wrote to memory of 1904	1608	cmd.exe	41
PID 1608 wrote to memory of 1904	1608	cmd.exe	41
PID 1608 wrote to memory of 1904	1608	cmd.exe	41
PID 1608 wrote to memory of 1056	1608	cmd.exe	42
PID 1608 wrote to memory of 1056	1608	cmd.exe	42
PID 1608 wrote to memory of 1056	1608	cmd.exe	42
PID 1608 wrote to memory of 1056	1608	cmd.exe	42
PID 1608 wrote to memory of 1508	1608	cmd.exe	43
PID 1608 wrote to memory of 1508	1608	cmd.exe	43
PID 1608 wrote to memory of 1508	1608	cmd.exe	43
PID 1608 wrote to memory of 1508	1608	cmd.exe	43
PID 1476 wrote to memory of 1680	1476	rutserv.exe	45
PID 1476 wrote to memory of 1680	1476	rutserv.exe	45
PID 1476 wrote to memory of 1680	1476	rutserv.exe	45
PID 1476 wrote to memory of 1680	1476	rutserv.exe	45
PID 1476 wrote to memory of 1556	1476	rutserv.exe	46

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
1732	attrib.exe

C:\Users\Admin\AppData\Local\Temp\9d3bd35fb7ff01941e927cf476ff39cef2dd8ce608fa307a3484c1c522f5f379.exe
"C:\Users\Admin\AppData\Local\Temp\9d3bd35fb7ff01941e927cf476ff39cef2dd8ce608fa307a3484c1c522f5f379.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1828
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Program Files\Microsoft Games\1.bat" "
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1456
- - C:\Program Files\Microsoft Games\pr.exe
    pr stx.exe -p123 -dC:\Program Files\Microsoft Games
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1808
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Program\install.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1780
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Program\install.bat" "
        5⤵
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:1608
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im rutserv.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1776
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im rfusclient.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1688
      - C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKLM\SYSTEM\Remote Manipulator System" /f
        6⤵
        
        PID:1720
      - C:\Windows\SysWOW64\regedit.exe
        
        regedit /s "regedit.reg"
        6⤵
        Runs .reg file with regedit
        
        PID:592
      - C:\Windows\SysWOW64\timeout.exe
        
        timeout 1
        6⤵
        Delays execution with timeout.exe
        
        PID:1752
      - C:\Windows\SysWOW64\timeout.exe
        
        timeout 2
        6⤵
        Delays execution with timeout.exe
        
        PID:1136
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "C:\Program Files\Server\*.*"
        6⤵
        Drops file in Program Files directory
        Views/modifies file attributes
        
        PID:1732
      - C:\Program Files\Server\rutserv.exe
        
        rutserv.exe /silentinstall
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1904
      - C:\Program Files\Server\rutserv.exe
        
        rutserv.exe /firewall
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1056
      - C:\Program Files\Server\rutserv.exe
        
        rutserv.exe /start
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1508
      - C:\Windows\SysWOW64\timeout.exe
        
        timeout 3
        6⤵
        Delays execution with timeout.exe
        
        PID:1784

C:\Program Files\Server\rutserv.exe
"C:\Program Files\Server\rutserv.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1476
- C:\Program Files\Server\rfusclient.exe
  "C:\Program Files\Server\rfusclient.exe" /tray
  2⤵
  PID:1680
- C:\Program Files\Server\rfusclient.exe
  "C:\Program Files\Server\rfusclient.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1556
- - C:\Program Files\Server\rfusclient.exe
    "C:\Program Files\Server\rfusclient.exe" /tray
    3⤵
    - Executes dropped EXE
    PID:1820

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Microsoft Games\1.bat

Filesize
51B

MD5
a13092696a05b6b80083e042102f8e27

SHA1
e47d31664f0ae6263ea3ca439c8dfcfebecb167d

SHA256
d2ba7625bce55b56654bed236a8d8fcb8a1c028bea4a2b7b6e93b3fbd002631b

SHA512
540a15faa82081e0c68345f86fc30e39bb99ed550eeb34aba3b0b556e90093c257a735e34b26c7cb48193e4c1bc1f0e4ede857508b0d90600cf6cf4d67c6b62b

Download Submit
C:\Program Files\Microsoft Games\pr.exe

Filesize
3.9MB

MD5
a7106656ff2c7f40df421e52ff887e01

SHA1
735932c2ce630e8fd65ed8eb475bcaa24b70d979

SHA256
7216b1f398d9a277db705515ad260d766b9c5719f726987080cf8454fa4e6315

SHA512
a9f56fd5f7550465e1059c28dace97101e6af9235b236cf3de85770ab214159cb6e6f2b6e0e2f1c5eb92555a3dd5a0e3e31521bcf98e4b21bc1f0903207287b0

Download Submit
C:\Program Files\Microsoft Games\pr.exe

Filesize
3.9MB

MD5
a7106656ff2c7f40df421e52ff887e01

SHA1
735932c2ce630e8fd65ed8eb475bcaa24b70d979

SHA256
7216b1f398d9a277db705515ad260d766b9c5719f726987080cf8454fa4e6315

SHA512
a9f56fd5f7550465e1059c28dace97101e6af9235b236cf3de85770ab214159cb6e6f2b6e0e2f1c5eb92555a3dd5a0e3e31521bcf98e4b21bc1f0903207287b0

Download Submit
C:\Program Files\Server\rfusclient.exe

Filesize
1.5MB

MD5
8b9cd29aa7c2ea3cfaa1080ada962d5a

SHA1
7cf5e9e0efe0fde132a4a0ae1034f4c6442bdcd0

SHA256
15f5556a83e752812f9d9a33e8f3a027a24d435cfc336fd2316f74257ea8721a

SHA512
29c7105ff149ffc5edfa502d2a13c508375ada8c08b9bfece1ef77cf0faa8351a5649b6b694701f65f972dbcfa3c24865941dc9bd83895a3bdd9e1fe8e9427ae

Download Submit
C:\Program Files\Server\rfusclient.exe

Filesize
1.5MB

MD5
8b9cd29aa7c2ea3cfaa1080ada962d5a

SHA1
7cf5e9e0efe0fde132a4a0ae1034f4c6442bdcd0

SHA256
15f5556a83e752812f9d9a33e8f3a027a24d435cfc336fd2316f74257ea8721a

SHA512
29c7105ff149ffc5edfa502d2a13c508375ada8c08b9bfece1ef77cf0faa8351a5649b6b694701f65f972dbcfa3c24865941dc9bd83895a3bdd9e1fe8e9427ae

Download Submit
C:\Program Files\Server\rfusclient.exe

Filesize
1.5MB

MD5
8b9cd29aa7c2ea3cfaa1080ada962d5a

SHA1
7cf5e9e0efe0fde132a4a0ae1034f4c6442bdcd0

SHA256
15f5556a83e752812f9d9a33e8f3a027a24d435cfc336fd2316f74257ea8721a

SHA512
29c7105ff149ffc5edfa502d2a13c508375ada8c08b9bfece1ef77cf0faa8351a5649b6b694701f65f972dbcfa3c24865941dc9bd83895a3bdd9e1fe8e9427ae

Download Submit
C:\Program Files\Server\rutserv.exe

Filesize
1.7MB

MD5
3d378bcfec79805a04de89d6a2d917b4

SHA1
e47758259358246a8989c6e79a433a91830deb79

SHA256
7b687c8ce7f8aaa9ab8b955914c0ecd6542be9c34de3f2a3b2c6cbba6ed7b1f2

SHA512
4d20c4332bc7d9b6b16885d1fbf5cd019e46eb4acd7fe2e02db7c727e1e9ebc98a37fdccf8da22331ba04d33febd21a31782a7c3cc03b94ba57d43531a0d93dd

Download Submit
C:\Program Files\Server\rutserv.exe

Filesize
1.7MB

MD5
3d378bcfec79805a04de89d6a2d917b4

SHA1
e47758259358246a8989c6e79a433a91830deb79

SHA256
7b687c8ce7f8aaa9ab8b955914c0ecd6542be9c34de3f2a3b2c6cbba6ed7b1f2

SHA512
4d20c4332bc7d9b6b16885d1fbf5cd019e46eb4acd7fe2e02db7c727e1e9ebc98a37fdccf8da22331ba04d33febd21a31782a7c3cc03b94ba57d43531a0d93dd

Download Submit
C:\Program Files\Server\rutserv.exe

Filesize
1.7MB

MD5
3d378bcfec79805a04de89d6a2d917b4

SHA1
e47758259358246a8989c6e79a433a91830deb79

SHA256
7b687c8ce7f8aaa9ab8b955914c0ecd6542be9c34de3f2a3b2c6cbba6ed7b1f2

SHA512
4d20c4332bc7d9b6b16885d1fbf5cd019e46eb4acd7fe2e02db7c727e1e9ebc98a37fdccf8da22331ba04d33febd21a31782a7c3cc03b94ba57d43531a0d93dd

Download Submit
C:\Program Files\Server\rutserv.exe

Filesize
1.7MB

MD5
3d378bcfec79805a04de89d6a2d917b4

SHA1
e47758259358246a8989c6e79a433a91830deb79

SHA256
7b687c8ce7f8aaa9ab8b955914c0ecd6542be9c34de3f2a3b2c6cbba6ed7b1f2

SHA512
4d20c4332bc7d9b6b16885d1fbf5cd019e46eb4acd7fe2e02db7c727e1e9ebc98a37fdccf8da22331ba04d33febd21a31782a7c3cc03b94ba57d43531a0d93dd

Download Submit
C:\Program Files\Server\rutserv.exe

Filesize
1.7MB

MD5
3d378bcfec79805a04de89d6a2d917b4

SHA1
e47758259358246a8989c6e79a433a91830deb79

SHA256
7b687c8ce7f8aaa9ab8b955914c0ecd6542be9c34de3f2a3b2c6cbba6ed7b1f2

SHA512
4d20c4332bc7d9b6b16885d1fbf5cd019e46eb4acd7fe2e02db7c727e1e9ebc98a37fdccf8da22331ba04d33febd21a31782a7c3cc03b94ba57d43531a0d93dd

Download Submit
C:\Program Files\Server\vp8decoder.dll

Filesize
378KB

MD5
d43fa82fab5337ce20ad14650085c5d9

SHA1
678aa092075ff65b6815ffc2d8fdc23af8425981

SHA256
c022958429edd94bfe31f2eacfe24ff6b45d6f12747725c449a36116373de03b

SHA512
103e61a9f58df03316676a074487e50ec518479c11068df3736df139b85c7671048c65bce0ef2c55b3c50c61fde54e9e6c7d1b795aea71263ae94c91d4874e0d

Download Submit
C:\Program Files\Server\vp8encoder.dll

Filesize
1.6MB

MD5
dab4646806dfca6d0e0b4d80fa9209d6

SHA1
8244dfe22ec2090eee89dad103e6b2002059d16a

SHA256
cb6ef96d3a66ef08ec2c8640b751a52d6d4f4530cf01162a69966f0fd5153587

SHA512
aa5eb93bf23a10de797d6fb52a55a95d36bc48927c76fedd81e0c48872745cb7f7d1b3f230eaae42fd4e79b6a59ca707e56bd6963b03644cbd5984f11e98d6e7

Download Submit
C:\Program\install.bat

Filesize
624B

MD5
4c20504c645f84bce230745131dc1919

SHA1
8c18cede047b4e810090e55187dc776548821d82

SHA256
7cd4f05d659e3ceeb104907a47ea875fc5bf0a32aad02f5a4f38b1b725b688c6

SHA512
58286ef8df7249d3fc6d76c3e163ff3e709b10c31de893da16787b9a685f66475e876af40972c530bf8e2671fdcb66f3f92083cec128694df8906b0b92bb3eb7

Download Submit
C:\Program\install.vbs

Filesize
86B

MD5
53b4089b17b50772970facafacef3941

SHA1
8f69320a1a627488d8d7adc5daef8ee7d0a70ff9

SHA256
3211edb49cce04b4611d91ac235966d542678e4434ca1c2b236975c990b0935c

SHA512
e0da4f4f4d7a29c62746942488f73e09b9f484be781366f94e7f981ee431a4c013dc4b479ff1525831922ec162e0fdc235dd919ab96fdc4fdd3de55b5ad6d531

Download Submit
C:\Program\regedit.reg

Filesize
11KB

MD5
6751ac3d0065b80ca2b9629974cc5850

SHA1
33306bdf0a65933634bd3a1652bb846de83f6688

SHA256
834c8ee696b6a27095481d0212d9dffd2cf292132a088882f9af4454af4001b9

SHA512
af160339c2c8d177456909d800eed1c16b5b1a94a02ebd2a69f5c24eaa77576f8a79d647d54c25e6a74190e78cf03e14832a33536ea7461326d3c740b202bf2f

Download Submit
C:\Program\rfusclient.exe

Filesize
1.5MB

MD5
8b9cd29aa7c2ea3cfaa1080ada962d5a

SHA1
7cf5e9e0efe0fde132a4a0ae1034f4c6442bdcd0

SHA256
15f5556a83e752812f9d9a33e8f3a027a24d435cfc336fd2316f74257ea8721a

SHA512
29c7105ff149ffc5edfa502d2a13c508375ada8c08b9bfece1ef77cf0faa8351a5649b6b694701f65f972dbcfa3c24865941dc9bd83895a3bdd9e1fe8e9427ae

Download Submit
C:\Program\rutserv.exe

Filesize
1.7MB

MD5
3d378bcfec79805a04de89d6a2d917b4

SHA1
e47758259358246a8989c6e79a433a91830deb79

SHA256
7b687c8ce7f8aaa9ab8b955914c0ecd6542be9c34de3f2a3b2c6cbba6ed7b1f2

SHA512
4d20c4332bc7d9b6b16885d1fbf5cd019e46eb4acd7fe2e02db7c727e1e9ebc98a37fdccf8da22331ba04d33febd21a31782a7c3cc03b94ba57d43531a0d93dd

Download Submit
C:\Program\vp8decoder.dll

Filesize
378KB

MD5
d43fa82fab5337ce20ad14650085c5d9

SHA1
678aa092075ff65b6815ffc2d8fdc23af8425981

SHA256
c022958429edd94bfe31f2eacfe24ff6b45d6f12747725c449a36116373de03b

SHA512
103e61a9f58df03316676a074487e50ec518479c11068df3736df139b85c7671048c65bce0ef2c55b3c50c61fde54e9e6c7d1b795aea71263ae94c91d4874e0d

Download Submit
C:\Program\vp8encoder.dll

Filesize
1.6MB

MD5
dab4646806dfca6d0e0b4d80fa9209d6

SHA1
8244dfe22ec2090eee89dad103e6b2002059d16a

SHA256
cb6ef96d3a66ef08ec2c8640b751a52d6d4f4530cf01162a69966f0fd5153587

SHA512
aa5eb93bf23a10de797d6fb52a55a95d36bc48927c76fedd81e0c48872745cb7f7d1b3f230eaae42fd4e79b6a59ca707e56bd6963b03644cbd5984f11e98d6e7

Download Submit
\Program Files\Microsoft Games\pr.exe

Filesize
3.9MB

MD5
a7106656ff2c7f40df421e52ff887e01

SHA1
735932c2ce630e8fd65ed8eb475bcaa24b70d979

SHA256
7216b1f398d9a277db705515ad260d766b9c5719f726987080cf8454fa4e6315

SHA512
a9f56fd5f7550465e1059c28dace97101e6af9235b236cf3de85770ab214159cb6e6f2b6e0e2f1c5eb92555a3dd5a0e3e31521bcf98e4b21bc1f0903207287b0

Download Submit
\Program Files\Server\rfusclient.exe

Filesize
1.5MB

MD5
8b9cd29aa7c2ea3cfaa1080ada962d5a

SHA1
7cf5e9e0efe0fde132a4a0ae1034f4c6442bdcd0

SHA256
15f5556a83e752812f9d9a33e8f3a027a24d435cfc336fd2316f74257ea8721a

SHA512
29c7105ff149ffc5edfa502d2a13c508375ada8c08b9bfece1ef77cf0faa8351a5649b6b694701f65f972dbcfa3c24865941dc9bd83895a3bdd9e1fe8e9427ae

Download Submit
\Program Files\Server\rfusclient.exe

Filesize
1.5MB

MD5
8b9cd29aa7c2ea3cfaa1080ada962d5a

SHA1
7cf5e9e0efe0fde132a4a0ae1034f4c6442bdcd0

SHA256
15f5556a83e752812f9d9a33e8f3a027a24d435cfc336fd2316f74257ea8721a

SHA512
29c7105ff149ffc5edfa502d2a13c508375ada8c08b9bfece1ef77cf0faa8351a5649b6b694701f65f972dbcfa3c24865941dc9bd83895a3bdd9e1fe8e9427ae

Download Submit
\Program Files\Server\rutserv.exe

Filesize
1.7MB

MD5
3d378bcfec79805a04de89d6a2d917b4

SHA1
e47758259358246a8989c6e79a433a91830deb79

SHA256
7b687c8ce7f8aaa9ab8b955914c0ecd6542be9c34de3f2a3b2c6cbba6ed7b1f2

SHA512
4d20c4332bc7d9b6b16885d1fbf5cd019e46eb4acd7fe2e02db7c727e1e9ebc98a37fdccf8da22331ba04d33febd21a31782a7c3cc03b94ba57d43531a0d93dd

Download Submit
memory/1828-54-0x0000000075741000-0x0000000075743000-memory.dmp

Filesize
8KB

Download