rms | c064d09a297505651165e233a9e2d2334a8d17dc704c04ef1c94c00e9210b5f6

Analysis

max time kernel
157s
max time network
168s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
02-05-2022 17:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c064d09a297505651165e233a9e2d2334a8d17dc704c04ef1c94c00e9210b5f6.exe
Size

6.9MB
MD5

4d6acaebfb4796437e1d47ed47181077
SHA1

3c10a174e0c343cefbeaa5f034d6a83c70143f2c
SHA256

c064d09a297505651165e233a9e2d2334a8d17dc704c04ef1c94c00e9210b5f6
SHA512

7653185adbf7345a541b5833b4c6cf3906fd1624b7c66c18fb8e1e48e9e8947b87cca07d35b07cb408324c75ab7be292bd79c08a374a22b1fa80ab9fffb590ca

Score

10^/10

rms aspackv2 rat trojan upx

Malware Config

Signatures

RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x00070000000231d0-179.dat	acprotect
behavioral2/files/0x00060000000231d6-178.dat	acprotect

ASPack v2.12-2.42 9 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x00060000000231d5-149.dat	aspack_v212_v242
behavioral2/files/0x00060000000231d5-150.dat	aspack_v212_v242
behavioral2/files/0x00060000000231d5-158.dat	aspack_v212_v242
behavioral2/files/0x00060000000231d5-166.dat	aspack_v212_v242
behavioral2/files/0x00060000000231d5-172.dat	aspack_v212_v242
behavioral2/files/0x00060000000231d4-180.dat	aspack_v212_v242
behavioral2/files/0x00060000000231d4-184.dat	aspack_v212_v242
behavioral2/files/0x00060000000231d4-183.dat	aspack_v212_v242
behavioral2/files/0x00060000000231d4-197.dat	aspack_v212_v242

Executes dropped EXE 9 IoCs

pid	Process
4560	Desktop.sfx.exe
4496	Desktop.exe
3240	rutserv.exe
4172	rutserv.exe
1880	rutserv.exe
3996	rutserv.exe
4280	rfusclient.exe
3820	rfusclient.exe
3304	rfusclient.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x00070000000231d0-179.dat	upx
behavioral2/files/0x00060000000231d6-178.dat	upx

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	c064d09a297505651165e233a9e2d2334a8d17dc704c04ef1c94c00e9210b5f6.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	Desktop.sfx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	Desktop.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	WScript.exe

Drops file in Program Files directory 22 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\project1.exe	c064d09a297505651165e233a9e2d2334a8d17dc704c04ef1c94c00e9210b5f6.exe
File created	C:\Program Files\install.vbs	Desktop.exe
File created	C:\Program Files\rfusclient.exe	Desktop.exe
File opened for modification	C:\Program Files\123.bat	c064d09a297505651165e233a9e2d2334a8d17dc704c04ef1c94c00e9210b5f6.exe
File opened for modification	C:\Program Files\Desktop.sfx.exe	c064d09a297505651165e233a9e2d2334a8d17dc704c04ef1c94c00e9210b5f6.exe
File created	C:\Program Files\rutserv.exe	Desktop.exe
File created	C:\Program Files\__tmp_rar_sfx_access_check_240578093	c064d09a297505651165e233a9e2d2334a8d17dc704c04ef1c94c00e9210b5f6.exe
File created	C:\Program Files\project1.exe	c064d09a297505651165e233a9e2d2334a8d17dc704c04ef1c94c00e9210b5f6.exe
File created	C:\Program Files\__tmp_rar_sfx_access_check_240599390	Desktop.exe
File created	C:\Program Files\vp8encoder.dll	Desktop.exe
File created	C:\Program Files\install.bat	Desktop.exe
File opened for modification	C:\Program Files\install.bat	Desktop.exe
File opened for modification	C:\Program Files\install.vbs	Desktop.exe
File opened for modification	C:\Program Files\regedit.reg	Desktop.exe
File created	C:\Program Files\Desktop.sfx.exe	c064d09a297505651165e233a9e2d2334a8d17dc704c04ef1c94c00e9210b5f6.exe
File created	C:\Program Files\vp8decoder.dll	Desktop.exe
File opened for modification	C:\Program Files\rfusclient.exe	Desktop.exe
File opened for modification	C:\Program Files\vp8encoder.dll	Desktop.exe
File created	C:\Program Files\regedit.reg	Desktop.exe
File opened for modification	C:\Program Files\rutserv.exe	Desktop.exe
File opened for modification	C:\Program Files\vp8decoder.dll	Desktop.exe
File created	C:\Program Files\123.bat	c064d09a297505651165e233a9e2d2334a8d17dc704c04ef1c94c00e9210b5f6.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
5020	timeout.exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
1440	taskkill.exe
4652	taskkill.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings	Desktop.exe

Runs .reg file with regedit 1 IoCs

pid	Process
3984	regedit.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
3240	rutserv.exe
3240	rutserv.exe
3240	rutserv.exe
3240	rutserv.exe
3240	rutserv.exe
3240	rutserv.exe
4172	rutserv.exe
4172	rutserv.exe
1880	rutserv.exe
1880	rutserv.exe
3996	rutserv.exe
3996	rutserv.exe
3996	rutserv.exe
3996	rutserv.exe
3996	rutserv.exe
3996	rutserv.exe
4280	rfusclient.exe
4280	rfusclient.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	1440	taskkill.exe
Token: SeDebugPrivilege	4652	taskkill.exe
Token: SeDebugPrivilege	3240	rutserv.exe
Token: SeDebugPrivilege	1880	rutserv.exe
Token: SeTakeOwnershipPrivilege	3996	rutserv.exe
Token: SeTcbPrivilege	3996	rutserv.exe
Token: SeTcbPrivilege	3996	rutserv.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3240	rutserv.exe
4172	rutserv.exe
1880	rutserv.exe
3996	rutserv.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 352 wrote to memory of 4836	352	c064d09a297505651165e233a9e2d2334a8d17dc704c04ef1c94c00e9210b5f6.exe	83
PID 352 wrote to memory of 4836	352	c064d09a297505651165e233a9e2d2334a8d17dc704c04ef1c94c00e9210b5f6.exe	83
PID 352 wrote to memory of 4836	352	c064d09a297505651165e233a9e2d2334a8d17dc704c04ef1c94c00e9210b5f6.exe	83
PID 4836 wrote to memory of 4560	4836	cmd.exe	86
PID 4836 wrote to memory of 4560	4836	cmd.exe	86
PID 4836 wrote to memory of 4560	4836	cmd.exe	86
PID 4560 wrote to memory of 4496	4560	Desktop.sfx.exe	87
PID 4560 wrote to memory of 4496	4560	Desktop.sfx.exe	87
PID 4560 wrote to memory of 4496	4560	Desktop.sfx.exe	87
PID 4496 wrote to memory of 4316	4496	Desktop.exe	88
PID 4496 wrote to memory of 4316	4496	Desktop.exe	88
PID 4496 wrote to memory of 4316	4496	Desktop.exe	88
PID 4316 wrote to memory of 4772	4316	WScript.exe	89
PID 4316 wrote to memory of 4772	4316	WScript.exe	89
PID 4316 wrote to memory of 4772	4316	WScript.exe	89
PID 4772 wrote to memory of 1440	4772	cmd.exe	91
PID 4772 wrote to memory of 1440	4772	cmd.exe	91
PID 4772 wrote to memory of 1440	4772	cmd.exe	91
PID 4772 wrote to memory of 4652	4772	cmd.exe	92
PID 4772 wrote to memory of 4652	4772	cmd.exe	92
PID 4772 wrote to memory of 4652	4772	cmd.exe	92
PID 4772 wrote to memory of 64	4772	cmd.exe	93
PID 4772 wrote to memory of 64	4772	cmd.exe	93
PID 4772 wrote to memory of 64	4772	cmd.exe	93
PID 4772 wrote to memory of 3984	4772	cmd.exe	94
PID 4772 wrote to memory of 3984	4772	cmd.exe	94
PID 4772 wrote to memory of 3984	4772	cmd.exe	94
PID 4772 wrote to memory of 5020	4772	cmd.exe	95
PID 4772 wrote to memory of 5020	4772	cmd.exe	95
PID 4772 wrote to memory of 5020	4772	cmd.exe	95
PID 4772 wrote to memory of 3240	4772	cmd.exe	96
PID 4772 wrote to memory of 3240	4772	cmd.exe	96
PID 4772 wrote to memory of 3240	4772	cmd.exe	96
PID 4772 wrote to memory of 4172	4772	cmd.exe	97
PID 4772 wrote to memory of 4172	4772	cmd.exe	97
PID 4772 wrote to memory of 4172	4772	cmd.exe	97
PID 4772 wrote to memory of 1880	4772	cmd.exe	98
PID 4772 wrote to memory of 1880	4772	cmd.exe	98
PID 4772 wrote to memory of 1880	4772	cmd.exe	98
PID 3996 wrote to memory of 4280	3996	rutserv.exe	101
PID 3996 wrote to memory of 4280	3996	rutserv.exe	101
PID 3996 wrote to memory of 4280	3996	rutserv.exe	101
PID 3996 wrote to memory of 3820	3996	rutserv.exe	100
PID 3996 wrote to memory of 3820	3996	rutserv.exe	100
PID 3996 wrote to memory of 3820	3996	rutserv.exe	100
PID 4280 wrote to memory of 3304	4280	rfusclient.exe	102
PID 4280 wrote to memory of 3304	4280	rfusclient.exe	102
PID 4280 wrote to memory of 3304	4280	rfusclient.exe	102

C:\Users\Admin\AppData\Local\Temp\c064d09a297505651165e233a9e2d2334a8d17dc704c04ef1c94c00e9210b5f6.exe
"C:\Users\Admin\AppData\Local\Temp\c064d09a297505651165e233a9e2d2334a8d17dc704c04ef1c94c00e9210b5f6.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:352
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\program files\123.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4836
- - \??\c:\program files\Desktop.sfx.exe
    Desktop.sfx.exe -p123 -dc:\program files
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:4560
  - - C:\program\Desktop.exe
      "C:\program\Desktop.exe"
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Drops file in Program Files directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4496
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\program files\install.vbs"
        5⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:4316
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Program Files\install.bat" "
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4772
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im rutserv.exe
        7⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1440
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im rfusclient.exe
        7⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKLM\SYSTEM\Remote Manipulator System" /f
        7⤵
        
        PID:64
        
        C:\Windows\SysWOW64\regedit.exe
        
        regedit /s "regedit.reg"
        7⤵
        Runs .reg file with regedit
        
        PID:3984
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 2
        7⤵
        Delays execution with timeout.exe
        
        PID:5020
        
        \??\c:\program files\rutserv.exe
        
        rutserv.exe /silentinstall
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:3240
        
        \??\c:\program files\rutserv.exe
        
        rutserv.exe /firewall
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4172
        
        \??\c:\program files\rutserv.exe
        
        rutserv.exe /start
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1880

\??\c:\program files\rutserv.exe
"c:\program files\rutserv.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3996
- \??\c:\program files\rfusclient.exe
  "c:\program files\rfusclient.exe" /tray
  2⤵
  - Executes dropped EXE
  PID:3820
- \??\c:\program files\rfusclient.exe
  "c:\program files\rfusclient.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4280
- - \??\c:\program files\rfusclient.exe
    "c:\program files\rfusclient.exe" /tray
    3⤵
    - Executes dropped EXE
    PID:3304

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Desktop.sfx.exe

Filesize
4.1MB

MD5
2d157e473a83bed3e9d3eb1ab6c75514

SHA1
a7adbb33ed69508fd976f952ccc79d2682e17546

SHA256
5629fd7964bd330b70489beef86f61e46a238b6acad1ca9c4ec2a69ed85c24b8

SHA512
f11970a4676525bae9765b37e34ce8a8a35631b65f90a7d706b32f35a4c11354844a09e9bd5e296f4b51abe6704375ff2940845c49000775a08530e6038bd5de

Download Submit
C:\Program Files\install.bat

Filesize
290B

MD5
9dc2286281a11ee72985dd2041a58ee3

SHA1
de55198aa0f697ed77e98e3e61deb4cb70ba3b03

SHA256
67f0f1704add831bd00a4977a185a2c97198cc4b3299233f62c3a0820716268a

SHA512
ce4443ec8482cdce28bae0169b0d7df688190a596b914df0bbf62ae2598312c9bfc703ffd2d9b6c548e170bf4cb60cef9d4f9494b0e6391cd8cf6d45affa05f6

Download Submit
C:\Program Files\rfusclient.exe

Filesize
1.5MB

MD5
b8667a1e84567fcf7821bcefb6a444af

SHA1
9c1f91fe77ad357c8f81205d65c9067a270d61f0

SHA256
dc9d875e659421a51addd8e8a362c926369e84320ab0c5d8bbb1e4d12d372fc9

SHA512
ec6af663a3b41719d684f04504746f91196105ef6f8baa013b4bd02df6684eca49049d5517691f8e3a4ba6351fe35545a27f728b1d29d949e950d574a012f852

Download Submit
C:\Program Files\rfusclient.exe

Filesize
1.5MB

MD5
b8667a1e84567fcf7821bcefb6a444af

SHA1
9c1f91fe77ad357c8f81205d65c9067a270d61f0

SHA256
dc9d875e659421a51addd8e8a362c926369e84320ab0c5d8bbb1e4d12d372fc9

SHA512
ec6af663a3b41719d684f04504746f91196105ef6f8baa013b4bd02df6684eca49049d5517691f8e3a4ba6351fe35545a27f728b1d29d949e950d574a012f852

Download Submit
C:\Program Files\rfusclient.exe

Filesize
1.5MB

MD5
b8667a1e84567fcf7821bcefb6a444af

SHA1
9c1f91fe77ad357c8f81205d65c9067a270d61f0

SHA256
dc9d875e659421a51addd8e8a362c926369e84320ab0c5d8bbb1e4d12d372fc9

SHA512
ec6af663a3b41719d684f04504746f91196105ef6f8baa013b4bd02df6684eca49049d5517691f8e3a4ba6351fe35545a27f728b1d29d949e950d574a012f852

Download Submit
C:\Program Files\rutserv.exe

Filesize
1.7MB

MD5
37a8802017a212bb7f5255abc7857969

SHA1
cb10c0d343c54538d12db8ed664d0a1fa35b6109

SHA256
1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6

SHA512
4e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0

Download Submit
C:\Program Files\rutserv.exe

Filesize
1.7MB

MD5
37a8802017a212bb7f5255abc7857969

SHA1
cb10c0d343c54538d12db8ed664d0a1fa35b6109

SHA256
1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6

SHA512
4e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0

Download Submit
C:\Program Files\rutserv.exe

Filesize
1.7MB

MD5
37a8802017a212bb7f5255abc7857969

SHA1
cb10c0d343c54538d12db8ed664d0a1fa35b6109

SHA256
1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6

SHA512
4e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0

Download Submit
C:\Program Files\rutserv.exe

Filesize
1.7MB

MD5
37a8802017a212bb7f5255abc7857969

SHA1
cb10c0d343c54538d12db8ed664d0a1fa35b6109

SHA256
1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6

SHA512
4e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0

Download Submit
C:\program files\123.bat

Filesize
40B

MD5
8dd9210e4db90cd9d000bed7267de41f

SHA1
828588108c3644d38013c14d9dd19a4dca549c7d

SHA256
905791935230dacf500e391360e38b00ce4b83c43fa06e219e1dad93d6a5b35a

SHA512
aeaafa120748b76939656914e6e562a75050a96cc829ab0e2c441289ebc888b95727633c6084130a12f954e428346e87c8985d4a505445cfce8512656a848122

Download Submit
C:\program files\install.vbs

Filesize
117B

MD5
65fc32766a238ff3e95984e325357dbb

SHA1
3ac16a2648410be8aa75f3e2817fbf69bb0e8922

SHA256
a7b067e9e4d44efe579c7cdb1e847d61af2323d3d73c6fffb22e178ae476f420

SHA512
621e81fc2d0f9dd92413481864638a140bee94c7dbd31f944826b21bd6ad6b8a59e63de9f7f0025cffc0efb7f9975dde77f523510ee23ada62c152a63a22f608

Download Submit
C:\program\Desktop.exe

Filesize
4.0MB

MD5
c602e5b792efc7997c3eb86acdbc491f

SHA1
28fb12f0a5e4aa951d3bd804ace9a1166b257655

SHA256
bd6b46818c154e40219779392e7250639df85b5a17a6b93f49d5ee8f135ffb40

SHA512
6f03e6c7d25964736b795908014874f638000f81530cf5ee52ca0fad0832c055e6b4043278e5e23e0caf8fd1e6659637d420ec928eee8082160bdaab272405a7

Download Submit
C:\program\Desktop.exe

Filesize
4.0MB

MD5
c602e5b792efc7997c3eb86acdbc491f

SHA1
28fb12f0a5e4aa951d3bd804ace9a1166b257655

SHA256
bd6b46818c154e40219779392e7250639df85b5a17a6b93f49d5ee8f135ffb40

SHA512
6f03e6c7d25964736b795908014874f638000f81530cf5ee52ca0fad0832c055e6b4043278e5e23e0caf8fd1e6659637d420ec928eee8082160bdaab272405a7

Download Submit
\??\c:\program files\Desktop.sfx.exe

Filesize
4.1MB

MD5
2d157e473a83bed3e9d3eb1ab6c75514

SHA1
a7adbb33ed69508fd976f952ccc79d2682e17546

SHA256
5629fd7964bd330b70489beef86f61e46a238b6acad1ca9c4ec2a69ed85c24b8

SHA512
f11970a4676525bae9765b37e34ce8a8a35631b65f90a7d706b32f35a4c11354844a09e9bd5e296f4b51abe6704375ff2940845c49000775a08530e6038bd5de

Download Submit
\??\c:\program files\regedit.reg

Filesize
11KB

MD5
48efeb8d380ed44fc66e11ef5beaa634

SHA1
c613021b079298b17ddc3bfe39bc47fac00a2b22

SHA256
428b84bf045208753d81b18cc5d14f103bb9c6001d2a4922f820a422f3413d8f

SHA512
d24f99fea66585278d05a8f8687b64507b29082584380a527e2eb0cafe081ed6a10664e70b88c264abf82be89935c792c5daba5bebf35e64504b5d0bcfd843cd

Download Submit
\??\c:\program files\rfusclient.exe

Filesize
1.5MB

MD5
b8667a1e84567fcf7821bcefb6a444af

SHA1
9c1f91fe77ad357c8f81205d65c9067a270d61f0

SHA256
dc9d875e659421a51addd8e8a362c926369e84320ab0c5d8bbb1e4d12d372fc9

SHA512
ec6af663a3b41719d684f04504746f91196105ef6f8baa013b4bd02df6684eca49049d5517691f8e3a4ba6351fe35545a27f728b1d29d949e950d574a012f852

Download Submit
\??\c:\program files\rutserv.exe

Filesize
1.7MB

MD5
37a8802017a212bb7f5255abc7857969

SHA1
cb10c0d343c54538d12db8ed664d0a1fa35b6109

SHA256
1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6

SHA512
4e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0

Download Submit
\??\c:\program files\vp8decoder.dll

Filesize
155KB

MD5
88318158527985702f61d169434a4940

SHA1
3cc751ba256b5727eb0713aad6f554ff1e7bca57

SHA256
4c04d7968a9fe9d9258968d3a722263334bbf5f8af972f206a71f17fa293aa74

SHA512
5d88562b6c6d2a5b14390512712819238cd838914f7c48a27f017827cb9b825c24ff05a30333427acec93cd836e8f04158b86d17e6ac3dd62c55b2e2ff4e2aff

Download Submit
\??\c:\program files\vp8encoder.dll

Filesize
593KB

MD5
6298c0af3d1d563834a218a9cc9f54bd

SHA1
0185cd591e454ed072e5a5077b25c612f6849dc9

SHA256
81af82019d9f45a697a8ca1788f2c5c0205af9892efd94879dedf4bc06db4172

SHA512
389d89053689537cdb582c0e8a7951a84549f0c36484db4346c31bdbe7cb93141f6a354069eb13e550297dc8ec35cd6899746e0c16abc876a0fe542cc450fffe

Download Submit
memory/1880-167-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1880-171-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1880-170-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1880-169-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1880-168-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1880-185-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/3240-152-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/3240-151-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/3240-153-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/3240-154-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/3240-155-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/3240-156-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/3304-199-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/3304-203-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/3304-198-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/3304-202-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/3304-200-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/3304-201-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/3820-194-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/3820-195-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/3820-192-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/3820-189-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/3820-187-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/3996-173-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/3996-204-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/3996-177-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/3996-176-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/3996-175-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/3996-174-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/4172-159-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/4172-160-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/4172-161-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/4172-162-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/4172-163-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/4172-164-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/4280-193-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/4280-191-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/4280-190-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/4280-188-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/4280-186-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download