rms | 8035a915e75f6190d976db518ffc0ff6c9585950584e2c8de6c5a2416f36958a

Analysis

max time kernel
189s
max time network
200s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
08-05-2022 07:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8035a915e75f6190d976db518ffc0ff6c9585950584e2c8de6c5a2416f36958a.exe
Size

4.9MB
MD5

81d472b1ad8873c3176bebf595c3fb2e
SHA1

f6cc8fb9e7c0036af01bcf75f26c980204c5d828
SHA256

8035a915e75f6190d976db518ffc0ff6c9585950584e2c8de6c5a2416f36958a
SHA512

a4526ea17240482d6e9f07a47ecabd80fa7959364c5a041dcb3d2de50eaff7f6fac3c002ea5228da8306c3c5cf7021d4132c869a004e5095154ba72c1393ae75

Score

10^/10

rms discovery evasion rat trojan

Malware Config

Signatures

RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms

Executes dropped EXE 14 IoCs

pid	Process
2272	DiskServer.exe
1628	OpenDisk.exe
3260	File.exe
1800	File2.exe
1308	File3.exe
260	DiskUpdate.exe
3752	DiskUpdate1.exe
4624	sysdisk.exe
2752	sysdisk.exe
4548	sysdisk.exe
2836	sysdisk.exe
3156	volumedisk.exe
752	volumedisk.exe
3524	volumedisk.exe

Sets file to hidden 1 TTPs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	DiskServer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	OpenDisk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	DiskUpdate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	DiskUpdate1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	8035a915e75f6190d976db518ffc0ff6c9585950584e2c8de6c5a2416f36958a.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Kills process with taskkill 2 IoCs

evasion

pid	Process
4236	taskkill.exe
4140	taskkill.exe

Runs .reg file with regedit 2 IoCs

pid	Process
4200	regedit.exe
3972	regedit.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
4624	sysdisk.exe
4624	sysdisk.exe
4624	sysdisk.exe
4624	sysdisk.exe
4624	sysdisk.exe
4624	sysdisk.exe
2752	sysdisk.exe
2752	sysdisk.exe
4548	sysdisk.exe
4548	sysdisk.exe
2836	sysdisk.exe
2836	sysdisk.exe
2836	sysdisk.exe
2836	sysdisk.exe
2836	sysdisk.exe
2836	sysdisk.exe
752	volumedisk.exe
752	volumedisk.exe

Suspicious behavior: SetClipboardViewer 1 IoCs

pid	Process
3524	volumedisk.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	4236	taskkill.exe
Token: SeDebugPrivilege	4140	taskkill.exe
Token: SeDebugPrivilege	4624	sysdisk.exe
Token: SeDebugPrivilege	4548	sysdisk.exe
Token: SeTakeOwnershipPrivilege	2836	sysdisk.exe
Token: SeTcbPrivilege	2836	sysdisk.exe
Token: SeTcbPrivilege	2836	sysdisk.exe

Suspicious use of SetWindowsHookEx 14 IoCs

pid	Process
1628	OpenDisk.exe
3260	File.exe
1800	File2.exe
1308	File3.exe
260	DiskUpdate.exe
3752	DiskUpdate1.exe
4000	cmd.exe
4624	sysdisk.exe
4624	sysdisk.exe
2752	sysdisk.exe
2752	sysdisk.exe
4548	sysdisk.exe
4548	sysdisk.exe
2836	sysdisk.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4788 wrote to memory of 2272	4788	8035a915e75f6190d976db518ffc0ff6c9585950584e2c8de6c5a2416f36958a.exe	81
PID 4788 wrote to memory of 2272	4788	8035a915e75f6190d976db518ffc0ff6c9585950584e2c8de6c5a2416f36958a.exe	81
PID 4788 wrote to memory of 2272	4788	8035a915e75f6190d976db518ffc0ff6c9585950584e2c8de6c5a2416f36958a.exe	81
PID 2272 wrote to memory of 1628	2272	DiskServer.exe	83
PID 2272 wrote to memory of 1628	2272	DiskServer.exe	83
PID 2272 wrote to memory of 1628	2272	DiskServer.exe	83
PID 1628 wrote to memory of 3260	1628	OpenDisk.exe	85
PID 1628 wrote to memory of 3260	1628	OpenDisk.exe	85
PID 1628 wrote to memory of 3260	1628	OpenDisk.exe	85
PID 1628 wrote to memory of 1800	1628	OpenDisk.exe	86
PID 1628 wrote to memory of 1800	1628	OpenDisk.exe	86
PID 1628 wrote to memory of 1800	1628	OpenDisk.exe	86
PID 1628 wrote to memory of 1308	1628	OpenDisk.exe	87
PID 1628 wrote to memory of 1308	1628	OpenDisk.exe	87
PID 1628 wrote to memory of 1308	1628	OpenDisk.exe	87
PID 1628 wrote to memory of 260	1628	OpenDisk.exe	88
PID 1628 wrote to memory of 260	1628	OpenDisk.exe	88
PID 1628 wrote to memory of 260	1628	OpenDisk.exe	88
PID 260 wrote to memory of 3752	260	DiskUpdate.exe	89
PID 260 wrote to memory of 3752	260	DiskUpdate.exe	89
PID 260 wrote to memory of 3752	260	DiskUpdate.exe	89
PID 3752 wrote to memory of 4000	3752	DiskUpdate1.exe	90
PID 3752 wrote to memory of 4000	3752	DiskUpdate1.exe	90
PID 3752 wrote to memory of 4000	3752	DiskUpdate1.exe	90
PID 4000 wrote to memory of 5020	4000	cmd.exe	94
PID 4000 wrote to memory of 5020	4000	cmd.exe	94
PID 4000 wrote to memory of 5020	4000	cmd.exe	94
PID 4000 wrote to memory of 2296	4000	cmd.exe	95
PID 4000 wrote to memory of 2296	4000	cmd.exe	95
PID 4000 wrote to memory of 2296	4000	cmd.exe	95
PID 4000 wrote to memory of 4852	4000	cmd.exe	96
PID 4000 wrote to memory of 4852	4000	cmd.exe	96
PID 4000 wrote to memory of 4852	4000	cmd.exe	96
PID 4000 wrote to memory of 1208	4000	cmd.exe	97
PID 4000 wrote to memory of 1208	4000	cmd.exe	97
PID 4000 wrote to memory of 1208	4000	cmd.exe	97
PID 4000 wrote to memory of 2676	4000	cmd.exe	98
PID 4000 wrote to memory of 2676	4000	cmd.exe	98
PID 4000 wrote to memory of 2676	4000	cmd.exe	98
PID 4000 wrote to memory of 4484	4000	cmd.exe	99
PID 4000 wrote to memory of 4484	4000	cmd.exe	99
PID 4000 wrote to memory of 4484	4000	cmd.exe	99
PID 4000 wrote to memory of 4456	4000	cmd.exe	100
PID 4000 wrote to memory of 4456	4000	cmd.exe	100
PID 4000 wrote to memory of 4456	4000	cmd.exe	100
PID 4000 wrote to memory of 2704	4000	cmd.exe	101
PID 4000 wrote to memory of 2704	4000	cmd.exe	101
PID 4000 wrote to memory of 2704	4000	cmd.exe	101
PID 4000 wrote to memory of 4024	4000	cmd.exe	102
PID 4000 wrote to memory of 4024	4000	cmd.exe	102
PID 4000 wrote to memory of 4024	4000	cmd.exe	102
PID 4000 wrote to memory of 4228	4000	cmd.exe	103
PID 4000 wrote to memory of 4228	4000	cmd.exe	103
PID 4000 wrote to memory of 4228	4000	cmd.exe	103
PID 4000 wrote to memory of 4980	4000	cmd.exe	104
PID 4000 wrote to memory of 4980	4000	cmd.exe	104
PID 4000 wrote to memory of 4980	4000	cmd.exe	104
PID 4000 wrote to memory of 2972	4000	cmd.exe	105
PID 4000 wrote to memory of 2972	4000	cmd.exe	105
PID 4000 wrote to memory of 2972	4000	cmd.exe	105
PID 4000 wrote to memory of 3424	4000	cmd.exe	106
PID 4000 wrote to memory of 3424	4000	cmd.exe	106
PID 4000 wrote to memory of 3424	4000	cmd.exe	106
PID 4000 wrote to memory of 3924	4000	cmd.exe	107

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
5020	attrib.exe
5092	attrib.exe

C:\Users\Admin\AppData\Local\Temp\8035a915e75f6190d976db518ffc0ff6c9585950584e2c8de6c5a2416f36958a.exe
"C:\Users\Admin\AppData\Local\Temp\8035a915e75f6190d976db518ffc0ff6c9585950584e2c8de6c5a2416f36958a.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4788
- C:\ProgramData\WindowsVolume\DiskServer.exe
  "C:\ProgramData\WindowsVolume\DiskServer.exe" -p834784734789789347892898943789787892
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:2272
- - C:\ProgramData\WindowsVolume\OpenDisk.exe
    "C:\ProgramData\WindowsVolume\OpenDisk.exe"
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1628
  - - C:\ProgramData\WindowsVolume\File.exe
      "C:\ProgramData\WindowsVolume\File.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:3260
  - - C:\ProgramData\WindowsVolume\File2.exe
      "C:\ProgramData\WindowsVolume\File2.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1800
  - - C:\ProgramData\WindowsVolume\File3.exe
      "C:\ProgramData\WindowsVolume\File3.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1308
  - - C:\ProgramData\WindowsVolume\DiskUpdate.exe
      "C:\ProgramData\WindowsVolume\DiskUpdate.exe" -p78347834893489894237834783478785788989543536
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:260
    - - C:\ProgramData\WindowsVolume\DiskUpdate1.exe
        
        "C:\ProgramData\WindowsVolume\DiskUpdate1.exe"
        5⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3752
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\ProgramData\WindowsVolume\DiskInstall.bat" "
        6⤵
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4000
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "C:\ProgramData\WindowsVolume"
        7⤵
        Views/modifies file attributes
        
        PID:5020
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop RManService
        7⤵
        
        PID:2296
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop VolumeDisk0
        7⤵
        
        PID:4852
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop VDeviceCard
        7⤵
        
        PID:1208
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop NPackStereo
        7⤵
        
        PID:2676
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop ServiceWork
        7⤵
        
        PID:4484
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop IntelDriver
        7⤵
        
        PID:4456
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop AMIHardware
        7⤵
        
        PID:2704
        
        C:\Windows\SysWOW64\sc.exe
        
        sc delete RManService
        7⤵
        
        PID:4024
        
        C:\Windows\SysWOW64\sc.exe
        
        sc delete VolumeDisk0
        7⤵
        
        PID:4228
        
        C:\Windows\SysWOW64\sc.exe
        
        sc delete VDeviceCard
        7⤵
        
        PID:4980
        
        C:\Windows\SysWOW64\sc.exe
        
        sc delete NPackStereo
        7⤵
        
        PID:2972
        
        C:\Windows\SysWOW64\sc.exe
        
        sc delete ServiceWork
        7⤵
        
        PID:3424
        
        C:\Windows\SysWOW64\sc.exe
        
        sc delete IntelDriver
        7⤵
        
        PID:3924
        
        C:\Windows\SysWOW64\sc.exe
        
        sc delete AMIHardware
        7⤵
        
        PID:4584
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im rfusclient.exe /f
        7⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4236
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im rutserv.exe /f
        7⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKLM\SYSTEM\SystemVolume0\SysHardDisk" /f
        7⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\regedit.exe
        
        regedit /s "C:\ProgramData\WindowsVolume\config_set.reg"
        7⤵
        Runs .reg file with regedit
        
        PID:4200
        
        C:\ProgramData\WindowsVolume\sysdisk.exe
        
        "C:\ProgramData\WindowsVolume\sysdisk.exe" /silentinstall
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:4624
        
        C:\ProgramData\WindowsVolume\sysdisk.exe
        
        "C:\ProgramData\WindowsVolume\sysdisk.exe" /firewall
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2752
        
        C:\Windows\SysWOW64\regedit.exe
        
        regedit /s "C:\ProgramData\WindowsVolume\config_set.reg"
        7⤵
        Runs .reg file with regedit
        
        PID:3972
        
        C:\ProgramData\WindowsVolume\sysdisk.exe
        
        "C:\ProgramData\WindowsVolume\sysdisk.exe" /start
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:4548
        
        C:\Windows\SysWOW64\sc.exe
        
        sc config VolumeDisk0 obj= LocalSystem type= interact type= own
        7⤵
        
        PID:4908
        
        C:\Windows\SysWOW64\sc.exe
        
        sc failure VolumeDisk0 reset= 0 actions= restart/500/restart/500/restart/500
        7⤵
        
        PID:3388
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "C:\ProgramData\WindowsVolume\*.*"
        7⤵
        Views/modifies file attributes
        
        PID:5092

C:\ProgramData\WindowsVolume\sysdisk.exe
C:\ProgramData\WindowsVolume\sysdisk.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2836
- C:\ProgramData\WindowsVolume\volumedisk.exe
  C:\ProgramData\WindowsVolume\volumedisk.exe /tray
  2⤵
  - Executes dropped EXE
  PID:3156
- C:\ProgramData\WindowsVolume\volumedisk.exe
  C:\ProgramData\WindowsVolume\volumedisk.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:752
- - C:\ProgramData\WindowsVolume\volumedisk.exe
    C:\ProgramData\WindowsVolume\volumedisk.exe /tray
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: SetClipboardViewer
    PID:3524

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Impair Defenses

T1562

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\WindowsVolume\DiskInstall.bat

Filesize
1KB

MD5
a46bdedc1e6587433dc98119f338d175

SHA1
01334536e159f71bc5bc1e7b7a0e75490c169c36

SHA256
604b240dd5e0ae92578c785bf46888b93307588f00af62cf6296b2f1c86eeb50

SHA512
e8010ea23bb01e707342fab42fb3b73fc6f82d0abfdd0354f01ed68e7e05aafaed3991f7deb9bc368de3c36deec7dbc7e4fa4e1178134d9e941f0c77cb52a394

Download Submit
C:\ProgramData\WindowsVolume\DiskInstall2.bat

Filesize
283B

MD5
52d57e611e45ceae3107a9606c798df8

SHA1
a559ee95833113e022c4e5116508641847e31dd3

SHA256
1511fc19a2f4a670f7ced8ff7980bb0f8eb5ef840c0c116fc96ec3b241a588e7

SHA512
1c86c712988c97fab61461dfd6cc67912d11e1816af8e96f7a2432a591097e1182b179be0555c80cfbedb9441beeac526398b54fac4f49af1fed7dde75030306

Download Submit
C:\ProgramData\WindowsVolume\DiskServer.exe

Filesize
4.6MB

MD5
cd3d8619a4459d3de5478349c9d35920

SHA1
6e2845d980365b8e0a9c2285906a5591218c94b7

SHA256
91f9a2c5a2ae5f84712fd1108fd27cfe113618d797f7771a279d4d084e56e530

SHA512
f8ce6e48b99ab0823bbbf1fc8c0e6b36d81cda51bae54a96ab6e7591098b35f26eabbda694ab40a2117f9b6814d3d6efa82e943441447ff5eba66fa5467d15b4

Download Submit
C:\ProgramData\WindowsVolume\DiskServer.exe

Filesize
4.6MB

MD5
cd3d8619a4459d3de5478349c9d35920

SHA1
6e2845d980365b8e0a9c2285906a5591218c94b7

SHA256
91f9a2c5a2ae5f84712fd1108fd27cfe113618d797f7771a279d4d084e56e530

SHA512
f8ce6e48b99ab0823bbbf1fc8c0e6b36d81cda51bae54a96ab6e7591098b35f26eabbda694ab40a2117f9b6814d3d6efa82e943441447ff5eba66fa5467d15b4

Download Submit
C:\ProgramData\WindowsVolume\DiskUpdate.exe

Filesize
4.3MB

MD5
8dc6ab416cb22c454630a92a3782b147

SHA1
104fee8238f185ab289f89b14978f4e59b2ffed1

SHA256
1c8af7e421f07bd2c8fc9b2924d9fce6530352d5c9405d70ce1288aed965c45e

SHA512
a298627a3ac822b83722093f359abf25e3b71063a7a8a8fee92096631185516d08d06b4792f2b1f45bea0a3c2e7caa9a8b17b15a7ed73b516bc05a7d4c5f5eb0

Download Submit
C:\ProgramData\WindowsVolume\DiskUpdate.exe

Filesize
4.3MB

MD5
8dc6ab416cb22c454630a92a3782b147

SHA1
104fee8238f185ab289f89b14978f4e59b2ffed1

SHA256
1c8af7e421f07bd2c8fc9b2924d9fce6530352d5c9405d70ce1288aed965c45e

SHA512
a298627a3ac822b83722093f359abf25e3b71063a7a8a8fee92096631185516d08d06b4792f2b1f45bea0a3c2e7caa9a8b17b15a7ed73b516bc05a7d4c5f5eb0

Download Submit
C:\ProgramData\WindowsVolume\DiskUpdate1.exe

Filesize
384KB

MD5
01fce99ef71f219c297b99252ea31abb

SHA1
8f45a949b777f04aa47fc4db77eebdb24a2bcfb6

SHA256
9ae4979cdec81bcd0dd3de8fad9df24e8bb110faf34a61194db56d476f85ea64

SHA512
57b26d1c2a9bd49319e67ab75afdb753006c371ec27632b56abbd2ba5a2a88ac134d659360832e4d5a0ab963909eaca19024a2d5415eeb7ade3adc1f97dd8f71

Download Submit
C:\ProgramData\WindowsVolume\DiskUpdate1.exe

Filesize
384KB

MD5
01fce99ef71f219c297b99252ea31abb

SHA1
8f45a949b777f04aa47fc4db77eebdb24a2bcfb6

SHA256
9ae4979cdec81bcd0dd3de8fad9df24e8bb110faf34a61194db56d476f85ea64

SHA512
57b26d1c2a9bd49319e67ab75afdb753006c371ec27632b56abbd2ba5a2a88ac134d659360832e4d5a0ab963909eaca19024a2d5415eeb7ade3adc1f97dd8f71

Download Submit
C:\ProgramData\WindowsVolume\Diskpart.dat

Filesize
365B

MD5
1a18270fb3fd76df0d01087e99dddcc6

SHA1
26732b781736ed80654e3a41839b50e3d2e36db5

SHA256
fb9b9ae62c41448d117cbc468b2bf4eebb0665605cb864f28822f2b71f78dbda

SHA512
63d260f4972c6a403af97c3c6e371f516a5d3fbc1090bfe2b41b4dd88ff900b98217fb2225b53948fc480c33d1b9753bbf1e4a4df1613069f0f211a556a95f19

Download Submit
C:\ProgramData\WindowsVolume\File.exe

Filesize
373KB

MD5
114f5bfb83d3c1a44dbf04aed9c458b5

SHA1
dc1fee3135992a572cd46896ffe68f9f9f4a4e86

SHA256
69d346bf43ef4dabf122cfb94f037fb659156159b6b5b41395185df2289a265e

SHA512
e2b3296ceebcaa5dac6d52e437316d6ae3b887f6c4312e43d0217c509688303f47aa77aac63d7c8ac4288d66e87bc0d91488d809ca867b767a99333263cf5289

Download Submit
C:\ProgramData\WindowsVolume\File.exe

Filesize
373KB

MD5
114f5bfb83d3c1a44dbf04aed9c458b5

SHA1
dc1fee3135992a572cd46896ffe68f9f9f4a4e86

SHA256
69d346bf43ef4dabf122cfb94f037fb659156159b6b5b41395185df2289a265e

SHA512
e2b3296ceebcaa5dac6d52e437316d6ae3b887f6c4312e43d0217c509688303f47aa77aac63d7c8ac4288d66e87bc0d91488d809ca867b767a99333263cf5289

Download Submit
C:\ProgramData\WindowsVolume\File2.exe

Filesize
373KB

MD5
114f5bfb83d3c1a44dbf04aed9c458b5

SHA1
dc1fee3135992a572cd46896ffe68f9f9f4a4e86

SHA256
69d346bf43ef4dabf122cfb94f037fb659156159b6b5b41395185df2289a265e

SHA512
e2b3296ceebcaa5dac6d52e437316d6ae3b887f6c4312e43d0217c509688303f47aa77aac63d7c8ac4288d66e87bc0d91488d809ca867b767a99333263cf5289

Download Submit
C:\ProgramData\WindowsVolume\File2.exe

Filesize
373KB

MD5
114f5bfb83d3c1a44dbf04aed9c458b5

SHA1
dc1fee3135992a572cd46896ffe68f9f9f4a4e86

SHA256
69d346bf43ef4dabf122cfb94f037fb659156159b6b5b41395185df2289a265e

SHA512
e2b3296ceebcaa5dac6d52e437316d6ae3b887f6c4312e43d0217c509688303f47aa77aac63d7c8ac4288d66e87bc0d91488d809ca867b767a99333263cf5289

Download Submit
C:\ProgramData\WindowsVolume\File3.exe

Filesize
373KB

MD5
114f5bfb83d3c1a44dbf04aed9c458b5

SHA1
dc1fee3135992a572cd46896ffe68f9f9f4a4e86

SHA256
69d346bf43ef4dabf122cfb94f037fb659156159b6b5b41395185df2289a265e

SHA512
e2b3296ceebcaa5dac6d52e437316d6ae3b887f6c4312e43d0217c509688303f47aa77aac63d7c8ac4288d66e87bc0d91488d809ca867b767a99333263cf5289

Download Submit
C:\ProgramData\WindowsVolume\File3.exe

Filesize
373KB

MD5
114f5bfb83d3c1a44dbf04aed9c458b5

SHA1
dc1fee3135992a572cd46896ffe68f9f9f4a4e86

SHA256
69d346bf43ef4dabf122cfb94f037fb659156159b6b5b41395185df2289a265e

SHA512
e2b3296ceebcaa5dac6d52e437316d6ae3b887f6c4312e43d0217c509688303f47aa77aac63d7c8ac4288d66e87bc0d91488d809ca867b767a99333263cf5289

Download Submit
C:\ProgramData\WindowsVolume\OpenDisk.exe

Filesize
375KB

MD5
33fe1f9da3970f862da541a2547e8a57

SHA1
17f09e35174d44cdb8c38833f497d4f51368ac01

SHA256
7b02abfefdc990f7381f3db107a8169d21582735959ba8e764a195ab5edfee06

SHA512
0a745059fea9d90735e30f7876b104c35d062f928f8108d502ec2fb00ef4660d26c284a9428460296125a703655bfed5822dcb27c39f17f902c7291ebd8e8e4a

Download Submit
C:\ProgramData\WindowsVolume\OpenDisk.exe

Filesize
375KB

MD5
33fe1f9da3970f862da541a2547e8a57

SHA1
17f09e35174d44cdb8c38833f497d4f51368ac01

SHA256
7b02abfefdc990f7381f3db107a8169d21582735959ba8e764a195ab5edfee06

SHA512
0a745059fea9d90735e30f7876b104c35d062f928f8108d502ec2fb00ef4660d26c284a9428460296125a703655bfed5822dcb27c39f17f902c7291ebd8e8e4a

Download Submit
C:\ProgramData\WindowsVolume\config_set.reg

Filesize
11KB

MD5
7b6fccac74add3d64ebe50a809ee6ae8

SHA1
15468dc1ca0b54fa9b0db13fcbaa02702389b0c9

SHA256
9f8d92e21eb41be9d2467c2b56e3c4f215d0c51ac8632014685321d70345d3a6

SHA512
3e383f0d0ecd661857b01dc8e0aedcbf2f6fd8fdeb834653255e5c2d6637a6a53bb511d71178830589a425a5a6defe430457649ac75f19514f64809602bf16f1

Download Submit
C:\ProgramData\WindowsVolume\russian.lg

Filesize
48KB

MD5
e44e34bc285b709f08f967325d9c8be1

SHA1
e73f05c6a980ec9d006930c5343955f89579b409

SHA256
1d99a7b5f7b3daa61fa773972b1e335aa09b92411484f6ddc99d2b2894455a5b

SHA512
576b292b6e9cf022822443e050994462a6cbd9a3c60063bae9f54c78a84e75e17bb5eddf7e259a22a9d93f757cb6536c503762e2a30e75091e40c2756cde8727

Download Submit
C:\ProgramData\WindowsVolume\sysdisk.exe

Filesize
6.0MB

MD5
dfc2c02caefa842853b59e6f5fa490f0

SHA1
1e96717a40ee9600bd379085510a2e74a70c46b6

SHA256
56cc390cd96687595d795481bf288a6a697d270f5fc1504436703a71871568b8

SHA512
068bcd909d0af118290e4de42ee5eb19fcde40d2228db416237044efa20844267707613a3099cd64b8dac7cceb83bd6a6c5b0f04cf90129e1ab7e6f2798c30e5

Download Submit
C:\ProgramData\WindowsVolume\sysdisk.exe

Filesize
6.0MB

MD5
dfc2c02caefa842853b59e6f5fa490f0

SHA1
1e96717a40ee9600bd379085510a2e74a70c46b6

SHA256
56cc390cd96687595d795481bf288a6a697d270f5fc1504436703a71871568b8

SHA512
068bcd909d0af118290e4de42ee5eb19fcde40d2228db416237044efa20844267707613a3099cd64b8dac7cceb83bd6a6c5b0f04cf90129e1ab7e6f2798c30e5

Download Submit
C:\ProgramData\WindowsVolume\sysdisk.exe

Filesize
6.0MB

MD5
dfc2c02caefa842853b59e6f5fa490f0

SHA1
1e96717a40ee9600bd379085510a2e74a70c46b6

SHA256
56cc390cd96687595d795481bf288a6a697d270f5fc1504436703a71871568b8

SHA512
068bcd909d0af118290e4de42ee5eb19fcde40d2228db416237044efa20844267707613a3099cd64b8dac7cceb83bd6a6c5b0f04cf90129e1ab7e6f2798c30e5

Download Submit
C:\ProgramData\WindowsVolume\sysdisk.exe

Filesize
6.0MB

MD5
dfc2c02caefa842853b59e6f5fa490f0

SHA1
1e96717a40ee9600bd379085510a2e74a70c46b6

SHA256
56cc390cd96687595d795481bf288a6a697d270f5fc1504436703a71871568b8

SHA512
068bcd909d0af118290e4de42ee5eb19fcde40d2228db416237044efa20844267707613a3099cd64b8dac7cceb83bd6a6c5b0f04cf90129e1ab7e6f2798c30e5

Download Submit
C:\ProgramData\WindowsVolume\sysdisk.exe

Filesize
6.0MB

MD5
dfc2c02caefa842853b59e6f5fa490f0

SHA1
1e96717a40ee9600bd379085510a2e74a70c46b6

SHA256
56cc390cd96687595d795481bf288a6a697d270f5fc1504436703a71871568b8

SHA512
068bcd909d0af118290e4de42ee5eb19fcde40d2228db416237044efa20844267707613a3099cd64b8dac7cceb83bd6a6c5b0f04cf90129e1ab7e6f2798c30e5

Download Submit
C:\ProgramData\WindowsVolume\volumedisk.exe

Filesize
5.1MB

MD5
8969782b82398387c46fb9887bf9850d

SHA1
9f927e2acfb6282f24f7221ce5451055f930b47f

SHA256
32d376d67fde458455e83272e7cef91ad39917a3f568b045f8975ca0ade33051

SHA512
1790c2d4874584bb24f865dfd57f9f090142e4007b4ad659d1320b918879cc4dc9e05e68cf8ba8cb17a2b87aa232f70bcfd2597404a5c4a5c80497e4d4100c21

Download Submit
C:\ProgramData\WindowsVolume\volumedisk.exe

Filesize
5.1MB

MD5
8969782b82398387c46fb9887bf9850d

SHA1
9f927e2acfb6282f24f7221ce5451055f930b47f

SHA256
32d376d67fde458455e83272e7cef91ad39917a3f568b045f8975ca0ade33051

SHA512
1790c2d4874584bb24f865dfd57f9f090142e4007b4ad659d1320b918879cc4dc9e05e68cf8ba8cb17a2b87aa232f70bcfd2597404a5c4a5c80497e4d4100c21

Download Submit
C:\ProgramData\WindowsVolume\volumedisk.exe

Filesize
5.1MB

MD5
8969782b82398387c46fb9887bf9850d

SHA1
9f927e2acfb6282f24f7221ce5451055f930b47f

SHA256
32d376d67fde458455e83272e7cef91ad39917a3f568b045f8975ca0ade33051

SHA512
1790c2d4874584bb24f865dfd57f9f090142e4007b4ad659d1320b918879cc4dc9e05e68cf8ba8cb17a2b87aa232f70bcfd2597404a5c4a5c80497e4d4100c21

Download Submit
C:\ProgramData\WindowsVolume\volumedisk.exe

Filesize
5.1MB

MD5
8969782b82398387c46fb9887bf9850d

SHA1
9f927e2acfb6282f24f7221ce5451055f930b47f

SHA256
32d376d67fde458455e83272e7cef91ad39917a3f568b045f8975ca0ade33051

SHA512
1790c2d4874584bb24f865dfd57f9f090142e4007b4ad659d1320b918879cc4dc9e05e68cf8ba8cb17a2b87aa232f70bcfd2597404a5c4a5c80497e4d4100c21

Download Submit
C:\ProgramData\WindowsVolume\vp8decoder.dll

Filesize
378KB

MD5
d43fa82fab5337ce20ad14650085c5d9

SHA1
678aa092075ff65b6815ffc2d8fdc23af8425981

SHA256
c022958429edd94bfe31f2eacfe24ff6b45d6f12747725c449a36116373de03b

SHA512
103e61a9f58df03316676a074487e50ec518479c11068df3736df139b85c7671048c65bce0ef2c55b3c50c61fde54e9e6c7d1b795aea71263ae94c91d4874e0d

Download Submit
C:\ProgramData\WindowsVolume\vp8encoder.dll

Filesize
1.6MB

MD5
dab4646806dfca6d0e0b4d80fa9209d6

SHA1
8244dfe22ec2090eee89dad103e6b2002059d16a

SHA256
cb6ef96d3a66ef08ec2c8640b751a52d6d4f4530cf01162a69966f0fd5153587

SHA512
aa5eb93bf23a10de797d6fb52a55a95d36bc48927c76fedd81e0c48872745cb7f7d1b3f230eaae42fd4e79b6a59ca707e56bd6963b03644cbd5984f11e98d6e7

Download Submit