rms | 84c8997a3415bb0a8bddeaecfd0452140575aba26ba2bb1d124a3781e8c42add

Analysis

max time kernel
146s
max time network
149s
platform
windows7_x64
resource
win7-20220414-en
submitted
02-05-2022 03:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

84c8997a3415bb0a8bddeaecfd0452140575aba26ba2bb1d124a3781e8c42add.exe
Size

8.9MB
MD5

dc586ad2525632b7febeabf20aec7bd7
SHA1

39ff748b2e7549af9c75baf434ff4829fb3bd98b
SHA256

84c8997a3415bb0a8bddeaecfd0452140575aba26ba2bb1d124a3781e8c42add
SHA512

75acebdaa24ce7b1910e710a0d984bf2b942b35a4ca059668841a7b543dcf1b103c053e90288d4b977e9087e0379566b8f0afbb953efaa62e0cfff7d758b171d

Score

10^/10

rms aspackv2 evasion rat trojan

Malware Config

Signatures

RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

ASPack v2.12-2.42 12 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x00080000000122fa-72.dat	aspack_v212_v242
behavioral1/files/0x00080000000122fa-73.dat	aspack_v212_v242
behavioral1/files/0x00080000000122fa-75.dat	aspack_v212_v242
behavioral1/files/0x00080000000122fa-84.dat	aspack_v212_v242
behavioral1/files/0x00080000000122fa-93.dat	aspack_v212_v242
behavioral1/files/0x00080000000122fa-100.dat	aspack_v212_v242
behavioral1/files/0x000a0000000122e8-109.dat	aspack_v212_v242
behavioral1/files/0x000a0000000122e8-110.dat	aspack_v212_v242
behavioral1/files/0x000a0000000122e8-112.dat	aspack_v212_v242
behavioral1/files/0x000a0000000122e8-116.dat	aspack_v212_v242
behavioral1/files/0x000a0000000122e8-114.dat	aspack_v212_v242
behavioral1/files/0x000a0000000122e8-136.dat	aspack_v212_v242

Executes dropped EXE 7 IoCs

pid	Process
1896	rutserv.exe
928	rutserv.exe
1692	rutserv.exe
1844	rutserv.exe
1532	rfusclient.exe
1736	rfusclient.exe
828	rfusclient.exe

Sets file to hidden 1 TTPs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	84c8997a3415bb0a8bddeaecfd0452140575aba26ba2bb1d124a3781e8c42add.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	84c8997a3415bb0a8bddeaecfd0452140575aba26ba2bb1d124a3781e8c42add.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Wine	84c8997a3415bb0a8bddeaecfd0452140575aba26ba2bb1d124a3781e8c42add.exe

Loads dropped DLL 3 IoCs

pid	Process
1764	cmd.exe
1844	rutserv.exe
1844	rutserv.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
1836	84c8997a3415bb0a8bddeaecfd0452140575aba26ba2bb1d124a3781e8c42add.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1596	timeout.exe

Kills process with taskkill 6 IoCs

evasion

pid	Process
1704	taskkill.exe
1068	taskkill.exe
2000	taskkill.exe
1872	taskkill.exe
1348	taskkill.exe
1780	taskkill.exe

Runs .reg file with regedit 1 IoCs

pid	Process
628	regedit.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
1836	84c8997a3415bb0a8bddeaecfd0452140575aba26ba2bb1d124a3781e8c42add.exe
1896	rutserv.exe
1896	rutserv.exe
1896	rutserv.exe
1896	rutserv.exe
928	rutserv.exe
928	rutserv.exe
1692	rutserv.exe
1692	rutserv.exe
1844	rutserv.exe
1844	rutserv.exe
1844	rutserv.exe
1844	rutserv.exe
1532	rfusclient.exe

Suspicious behavior: SetClipboardViewer 1 IoCs

pid	Process
828	rfusclient.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeDebugPrivilege	1872	taskkill.exe
Token: SeDebugPrivilege	1348	taskkill.exe
Token: SeDebugPrivilege	1780	taskkill.exe
Token: SeDebugPrivilege	1704	taskkill.exe
Token: SeDebugPrivilege	1068	taskkill.exe
Token: SeDebugPrivilege	2000	taskkill.exe
Token: SeDebugPrivilege	1896	rutserv.exe
Token: SeDebugPrivilege	1692	rutserv.exe
Token: SeTakeOwnershipPrivilege	1844	rutserv.exe
Token: SeTcbPrivilege	1844	rutserv.exe
Token: SeTcbPrivilege	1844	rutserv.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1836	84c8997a3415bb0a8bddeaecfd0452140575aba26ba2bb1d124a3781e8c42add.exe
1836	84c8997a3415bb0a8bddeaecfd0452140575aba26ba2bb1d124a3781e8c42add.exe
1896	rutserv.exe
928	rutserv.exe
1692	rutserv.exe
1844	rutserv.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1836 wrote to memory of 1764	1836	84c8997a3415bb0a8bddeaecfd0452140575aba26ba2bb1d124a3781e8c42add.exe	28
PID 1836 wrote to memory of 1764	1836	84c8997a3415bb0a8bddeaecfd0452140575aba26ba2bb1d124a3781e8c42add.exe	28
PID 1836 wrote to memory of 1764	1836	84c8997a3415bb0a8bddeaecfd0452140575aba26ba2bb1d124a3781e8c42add.exe	28
PID 1836 wrote to memory of 1764	1836	84c8997a3415bb0a8bddeaecfd0452140575aba26ba2bb1d124a3781e8c42add.exe	28
PID 1836 wrote to memory of 1764	1836	84c8997a3415bb0a8bddeaecfd0452140575aba26ba2bb1d124a3781e8c42add.exe	28
PID 1836 wrote to memory of 1764	1836	84c8997a3415bb0a8bddeaecfd0452140575aba26ba2bb1d124a3781e8c42add.exe	28
PID 1836 wrote to memory of 1764	1836	84c8997a3415bb0a8bddeaecfd0452140575aba26ba2bb1d124a3781e8c42add.exe	28
PID 1764 wrote to memory of 1580	1764	cmd.exe	30
PID 1764 wrote to memory of 1580	1764	cmd.exe	30
PID 1764 wrote to memory of 1580	1764	cmd.exe	30
PID 1764 wrote to memory of 1580	1764	cmd.exe	30
PID 1764 wrote to memory of 1872	1764	cmd.exe	31
PID 1764 wrote to memory of 1872	1764	cmd.exe	31
PID 1764 wrote to memory of 1872	1764	cmd.exe	31
PID 1764 wrote to memory of 1872	1764	cmd.exe	31
PID 1764 wrote to memory of 1348	1764	cmd.exe	33
PID 1764 wrote to memory of 1348	1764	cmd.exe	33
PID 1764 wrote to memory of 1348	1764	cmd.exe	33
PID 1764 wrote to memory of 1348	1764	cmd.exe	33
PID 1764 wrote to memory of 1780	1764	cmd.exe	34
PID 1764 wrote to memory of 1780	1764	cmd.exe	34
PID 1764 wrote to memory of 1780	1764	cmd.exe	34
PID 1764 wrote to memory of 1780	1764	cmd.exe	34
PID 1764 wrote to memory of 1704	1764	cmd.exe	35
PID 1764 wrote to memory of 1704	1764	cmd.exe	35
PID 1764 wrote to memory of 1704	1764	cmd.exe	35
PID 1764 wrote to memory of 1704	1764	cmd.exe	35
PID 1764 wrote to memory of 1068	1764	cmd.exe	36
PID 1764 wrote to memory of 1068	1764	cmd.exe	36
PID 1764 wrote to memory of 1068	1764	cmd.exe	36
PID 1764 wrote to memory of 1068	1764	cmd.exe	36
PID 1764 wrote to memory of 2000	1764	cmd.exe	37
PID 1764 wrote to memory of 2000	1764	cmd.exe	37
PID 1764 wrote to memory of 2000	1764	cmd.exe	37
PID 1764 wrote to memory of 2000	1764	cmd.exe	37
PID 1764 wrote to memory of 1540	1764	cmd.exe	38
PID 1764 wrote to memory of 1540	1764	cmd.exe	38
PID 1764 wrote to memory of 1540	1764	cmd.exe	38
PID 1764 wrote to memory of 1540	1764	cmd.exe	38
PID 1764 wrote to memory of 1132	1764	cmd.exe	39
PID 1764 wrote to memory of 1132	1764	cmd.exe	39
PID 1764 wrote to memory of 1132	1764	cmd.exe	39
PID 1764 wrote to memory of 1132	1764	cmd.exe	39
PID 1764 wrote to memory of 628	1764	cmd.exe	40
PID 1764 wrote to memory of 628	1764	cmd.exe	40
PID 1764 wrote to memory of 628	1764	cmd.exe	40
PID 1764 wrote to memory of 628	1764	cmd.exe	40
PID 1764 wrote to memory of 1596	1764	cmd.exe	41
PID 1764 wrote to memory of 1596	1764	cmd.exe	41
PID 1764 wrote to memory of 1596	1764	cmd.exe	41
PID 1764 wrote to memory of 1596	1764	cmd.exe	41
PID 1764 wrote to memory of 1896	1764	cmd.exe	42
PID 1764 wrote to memory of 1896	1764	cmd.exe	42
PID 1764 wrote to memory of 1896	1764	cmd.exe	42
PID 1764 wrote to memory of 1896	1764	cmd.exe	42
PID 1764 wrote to memory of 928	1764	cmd.exe	43
PID 1764 wrote to memory of 928	1764	cmd.exe	43
PID 1764 wrote to memory of 928	1764	cmd.exe	43
PID 1764 wrote to memory of 928	1764	cmd.exe	43
PID 1764 wrote to memory of 1692	1764	cmd.exe	44
PID 1764 wrote to memory of 1692	1764	cmd.exe	44
PID 1764 wrote to memory of 1692	1764	cmd.exe	44
PID 1764 wrote to memory of 1692	1764	cmd.exe	44
PID 1844 wrote to memory of 1532	1844	rutserv.exe	47

Views/modifies file attributes 1 TTPs 6 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
1580	attrib.exe
812	attrib.exe
1524	attrib.exe
1696	attrib.exe
768	attrib.exe
1756	attrib.exe

C:\Users\Admin\AppData\Local\Temp\84c8997a3415bb0a8bddeaecfd0452140575aba26ba2bb1d124a3781e8c42add.exe
"C:\Users\Admin\AppData\Local\Temp\84c8997a3415bb0a8bddeaecfd0452140575aba26ba2bb1d124a3781e8c42add.exe"
1⤵
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1836
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\ProgramData\App\install.bat" "
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1764
- - C:\Windows\SysWOW64\attrib.exe
    attrib -r -a -s -h "C:\ProgramData\App\install.bat" /S /D
    3⤵
    - Views/modifies file attributes
    PID:1580
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rutserv.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1872
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rfusclient.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1348
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rfusclient.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1780
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rutserv.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1704
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rfusclient.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1068
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im rfusclient.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2000
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SYSTEM\Remote Manipulator System" /f
    3⤵
    PID:1540
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SYSTEM\System Corporation Update" /f
    3⤵
    PID:1132
- - C:\Windows\SysWOW64\regedit.exe
    regedit /s "regedit.reg"
    3⤵
    - Runs .reg file with regedit
    PID:628
- - C:\Windows\SysWOW64\timeout.exe
    timeout 2
    3⤵
    - Delays execution with timeout.exe
    PID:1596
- - C:\ProgramData\App\rutserv.exe
    rutserv.exe /silentinstall
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:1896
- - C:\ProgramData\App\rutserv.exe
    rutserv.exe /firewall
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:928
- - C:\ProgramData\App\rutserv.exe
    rutserv.exe /start
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:1692
- - C:\Windows\SysWOW64\sc.exe
    sc config RManService start= auto
    3⤵
    PID:964
- - C:\Windows\SysWOW64\attrib.exe
    attrib +r +a +s +h "C:\ProgramData\App" /S /D
    3⤵
    - Views/modifies file attributes
    PID:812
- - C:\Windows\SysWOW64\attrib.exe
    attrib +r +a +s +h "C:\ProgramData\App\rutserv.exe" /S /D
    3⤵
    - Views/modifies file attributes
    PID:1524
- - C:\Windows\SysWOW64\attrib.exe
    attrib +r +a +s +h "C:\ProgramData\App\rfusclient.exe" /S /D
    3⤵
    - Views/modifies file attributes
    PID:1696
- - C:\Windows\SysWOW64\attrib.exe
    attrib +r +a +s +h "C:\ProgramData\App\vp8decoder.dll" /S /D
    3⤵
    - Views/modifies file attributes
    PID:768
- - C:\Windows\SysWOW64\attrib.exe
    attrib +r +a +s +h "C:\ProgramData\App\vp8encoder.dll" /S /D
    3⤵
    - Views/modifies file attributes
    PID:1756

C:\ProgramData\App\rutserv.exe
C:\ProgramData\App\rutserv.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1844
- C:\ProgramData\App\rfusclient.exe
  C:\ProgramData\App\rfusclient.exe /tray
  2⤵
  - Executes dropped EXE
  PID:1736
- C:\ProgramData\App\rfusclient.exe
  C:\ProgramData\App\rfusclient.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1532
- - C:\ProgramData\App\rfusclient.exe
    C:\ProgramData\App\rfusclient.exe /tray
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: SetClipboardViewer
    PID:828

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\App\install.bat

Filesize
857B

MD5
6ec51eea8e8ca78d0086df72e0b10228

SHA1
b7c5a2e76841bb1100a846490f79b5de5f90f128

SHA256
6d13d9ad28789125fb70e0fdbfa7ee0e1a1c99c7161c0cbeddeb25eb1d7f1498

SHA512
6cfefcedd2433afed69f02abc4d2259fd124730ddcb74444d41c1be827bc385ff89e1d8c4646615c73d0d2fa6681045100d2da3f03320628894310e4a7e6a105

Download Submit
C:\ProgramData\App\regedit.reg

Filesize
11KB

MD5
64c927360c077b3e766b1a4a9bdf8f3a

SHA1
0bb94ae83d4d4223f5908269a1ab6fdf79405a66

SHA256
f8abc166a4efc51f2c6066d7f989c34eb1bdfe95adda8a6c3766e8a956ab6fb9

SHA512
3cf275d0c741615b75197dc257d4b1d851ade9fa848eae64eeeb4412d431bd43c3fac21aa1ade8941f1b6d2d765d2413f97e2fd209b141dc2fe721f5fae97cd1

Download Submit
C:\ProgramData\App\rfusclient.exe

Filesize
1.4MB

MD5
0930e28f2efa09ff724051b0ffee2517

SHA1
97180a268f10d37c4e331edb0201a03ad9de6083

SHA256
a506b37e9f01a908481f685ef1f75feb7cb3270abe2deede292299ad0829a14e

SHA512
e46982c6abf5328faa447065f532b7b6e1dddb53f31856da9b174a1f483f6b7b6f2c2bc19257dfa3148d3bbb55f2c02b095b6ef1318a1a7f952ae55f63837a0f

Download Submit
C:\ProgramData\App\rfusclient.exe

Filesize
1.4MB

MD5
0930e28f2efa09ff724051b0ffee2517

SHA1
97180a268f10d37c4e331edb0201a03ad9de6083

SHA256
a506b37e9f01a908481f685ef1f75feb7cb3270abe2deede292299ad0829a14e

SHA512
e46982c6abf5328faa447065f532b7b6e1dddb53f31856da9b174a1f483f6b7b6f2c2bc19257dfa3148d3bbb55f2c02b095b6ef1318a1a7f952ae55f63837a0f

Download Submit
C:\ProgramData\App\rfusclient.exe

Filesize
1.4MB

MD5
0930e28f2efa09ff724051b0ffee2517

SHA1
97180a268f10d37c4e331edb0201a03ad9de6083

SHA256
a506b37e9f01a908481f685ef1f75feb7cb3270abe2deede292299ad0829a14e

SHA512
e46982c6abf5328faa447065f532b7b6e1dddb53f31856da9b174a1f483f6b7b6f2c2bc19257dfa3148d3bbb55f2c02b095b6ef1318a1a7f952ae55f63837a0f

Download Submit
C:\ProgramData\App\rfusclient.exe

Filesize
1.4MB

MD5
0930e28f2efa09ff724051b0ffee2517

SHA1
97180a268f10d37c4e331edb0201a03ad9de6083

SHA256
a506b37e9f01a908481f685ef1f75feb7cb3270abe2deede292299ad0829a14e

SHA512
e46982c6abf5328faa447065f532b7b6e1dddb53f31856da9b174a1f483f6b7b6f2c2bc19257dfa3148d3bbb55f2c02b095b6ef1318a1a7f952ae55f63837a0f

Download Submit
C:\ProgramData\App\rutserv.exe

Filesize
1.7MB

MD5
5c4b2152e37d7c74df6e5267a8d0dd61

SHA1
711ab9242b93cf065aa19f79388f090d07ee35b4

SHA256
200693ef7ea77607661536c9f1193ce6d9f77d3a949fbbdd3e7163dbc66ebdf5

SHA512
743ca60ebffe70bc7fc52eceacc01c887d377e8a8259bac39d1877e83e86eb9dc4e519a986d08db9e07438ca858e7b9f1c930f89642f06788b93c603437e2b0a

Download Submit
C:\ProgramData\App\rutserv.exe

Filesize
1.7MB

MD5
5c4b2152e37d7c74df6e5267a8d0dd61

SHA1
711ab9242b93cf065aa19f79388f090d07ee35b4

SHA256
200693ef7ea77607661536c9f1193ce6d9f77d3a949fbbdd3e7163dbc66ebdf5

SHA512
743ca60ebffe70bc7fc52eceacc01c887d377e8a8259bac39d1877e83e86eb9dc4e519a986d08db9e07438ca858e7b9f1c930f89642f06788b93c603437e2b0a

Download Submit
C:\ProgramData\App\rutserv.exe

Filesize
1.7MB

MD5
5c4b2152e37d7c74df6e5267a8d0dd61

SHA1
711ab9242b93cf065aa19f79388f090d07ee35b4

SHA256
200693ef7ea77607661536c9f1193ce6d9f77d3a949fbbdd3e7163dbc66ebdf5

SHA512
743ca60ebffe70bc7fc52eceacc01c887d377e8a8259bac39d1877e83e86eb9dc4e519a986d08db9e07438ca858e7b9f1c930f89642f06788b93c603437e2b0a

Download Submit
C:\ProgramData\App\rutserv.exe

Filesize
1.7MB

MD5
5c4b2152e37d7c74df6e5267a8d0dd61

SHA1
711ab9242b93cf065aa19f79388f090d07ee35b4

SHA256
200693ef7ea77607661536c9f1193ce6d9f77d3a949fbbdd3e7163dbc66ebdf5

SHA512
743ca60ebffe70bc7fc52eceacc01c887d377e8a8259bac39d1877e83e86eb9dc4e519a986d08db9e07438ca858e7b9f1c930f89642f06788b93c603437e2b0a

Download Submit
C:\ProgramData\App\rutserv.exe

Filesize
1.7MB

MD5
5c4b2152e37d7c74df6e5267a8d0dd61

SHA1
711ab9242b93cf065aa19f79388f090d07ee35b4

SHA256
200693ef7ea77607661536c9f1193ce6d9f77d3a949fbbdd3e7163dbc66ebdf5

SHA512
743ca60ebffe70bc7fc52eceacc01c887d377e8a8259bac39d1877e83e86eb9dc4e519a986d08db9e07438ca858e7b9f1c930f89642f06788b93c603437e2b0a

Download Submit
C:\ProgramData\App\vp8decoder.dll

Filesize
378KB

MD5
d43fa82fab5337ce20ad14650085c5d9

SHA1
678aa092075ff65b6815ffc2d8fdc23af8425981

SHA256
c022958429edd94bfe31f2eacfe24ff6b45d6f12747725c449a36116373de03b

SHA512
103e61a9f58df03316676a074487e50ec518479c11068df3736df139b85c7671048c65bce0ef2c55b3c50c61fde54e9e6c7d1b795aea71263ae94c91d4874e0d

Download Submit
C:\ProgramData\App\vp8encoder.dll

Filesize
1.6MB

MD5
dab4646806dfca6d0e0b4d80fa9209d6

SHA1
8244dfe22ec2090eee89dad103e6b2002059d16a

SHA256
cb6ef96d3a66ef08ec2c8640b751a52d6d4f4530cf01162a69966f0fd5153587

SHA512
aa5eb93bf23a10de797d6fb52a55a95d36bc48927c76fedd81e0c48872745cb7f7d1b3f230eaae42fd4e79b6a59ca707e56bd6963b03644cbd5984f11e98d6e7

Download Submit
\ProgramData\App\rfusclient.exe

Filesize
1.4MB

MD5
0930e28f2efa09ff724051b0ffee2517

SHA1
97180a268f10d37c4e331edb0201a03ad9de6083

SHA256
a506b37e9f01a908481f685ef1f75feb7cb3270abe2deede292299ad0829a14e

SHA512
e46982c6abf5328faa447065f532b7b6e1dddb53f31856da9b174a1f483f6b7b6f2c2bc19257dfa3148d3bbb55f2c02b095b6ef1318a1a7f952ae55f63837a0f

Download Submit
\ProgramData\App\rfusclient.exe

Filesize
1.4MB

MD5
0930e28f2efa09ff724051b0ffee2517

SHA1
97180a268f10d37c4e331edb0201a03ad9de6083

SHA256
a506b37e9f01a908481f685ef1f75feb7cb3270abe2deede292299ad0829a14e

SHA512
e46982c6abf5328faa447065f532b7b6e1dddb53f31856da9b174a1f483f6b7b6f2c2bc19257dfa3148d3bbb55f2c02b095b6ef1318a1a7f952ae55f63837a0f

Download Submit
\ProgramData\App\rutserv.exe

Filesize
1.7MB

MD5
5c4b2152e37d7c74df6e5267a8d0dd61

SHA1
711ab9242b93cf065aa19f79388f090d07ee35b4

SHA256
200693ef7ea77607661536c9f1193ce6d9f77d3a949fbbdd3e7163dbc66ebdf5

SHA512
743ca60ebffe70bc7fc52eceacc01c887d377e8a8259bac39d1877e83e86eb9dc4e519a986d08db9e07438ca858e7b9f1c930f89642f06788b93c603437e2b0a

Download Submit
memory/828-138-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/828-139-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/828-140-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/828-141-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/828-142-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/828-143-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/928-90-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/928-86-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/928-87-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/928-88-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/928-89-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/928-91-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1532-122-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/1532-128-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/1532-124-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/1532-126-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/1532-129-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/1692-98-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1692-99-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1692-95-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1692-96-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1692-118-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1692-97-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1736-120-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/1736-121-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/1736-123-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/1736-127-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/1736-125-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/1836-54-0x0000000076011000-0x0000000076013000-memory.dmp

Filesize
8KB

Download
memory/1836-71-0x0000000000400000-0x0000000001718000-memory.dmp

Filesize
19.1MB

Download
memory/1836-70-0x0000000077DC0000-0x0000000077F40000-memory.dmp

Filesize
1.5MB

Download
memory/1844-105-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1844-104-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1844-102-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1844-103-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1844-106-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1896-77-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1896-81-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1896-82-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1896-79-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1896-78-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1896-80-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download