rms | 0f2164f4d235938313afcfbd8c660804b219066e6b25b80943fe8d9a2817b8ae

Analysis

max time kernel
151s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
16-05-2022 01:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0f2164f4d235938313afcfbd8c660804b219066e6b25b80943fe8d9a2817b8ae.exe
Size

6.3MB
MD5

f9c019b6a0f1ce8802a8aaeea86e496d
SHA1

7f854b600823ec15cd6bb5c912ea3a28f64da16a
SHA256

0f2164f4d235938313afcfbd8c660804b219066e6b25b80943fe8d9a2817b8ae
SHA512

5cb690fc9524678998ad9b022cde4c9ee09e7863e7af52d1d6dab854a30036edb883b9ebe8b7613777aee6d0132a365d17697ae516fd10f88f1162c527b2afae

Score

10^/10

rms persistence rat trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 3 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Windows\\System64\\1svnhost.exe, explorer.exe"	0f2164f4d235938313afcfbd8c660804b219066e6b25b80943fe8d9a2817b8ae.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe"	1svnhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe"	0f2164f4d235938313afcfbd8c660804b219066e6b25b80943fe8d9a2817b8ae.exe

RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms

Executes dropped EXE 7 IoCs

pid	Process
1956	1svnhost.exe
4860	svnhost.exe
3492	svnhost.exe
4148	svnhost.exe
688	svnhost.exe
1172	systemsmss.exe
3948	systemsmss.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	0f2164f4d235938313afcfbd8c660804b219066e6b25b80943fe8d9a2817b8ae.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	1svnhost.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows\CurrentVersion\Run	0f2164f4d235938313afcfbd8c660804b219066e6b25b80943fe8d9a2817b8ae.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows\CurrentVersion\Run	1svnhost.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System64\svnhost.exe	1svnhost.exe
File created	C:\Windows\System64\systemsmss.exe	1svnhost.exe
File opened for modification	C:\Windows\System64\systemsmss.exe	1svnhost.exe
File opened for modification	C:\Windows\System64\1svnhost.exe	0f2164f4d235938313afcfbd8c660804b219066e6b25b80943fe8d9a2817b8ae.exe
File created	C:\Windows\Zont911\Regedit.reg	1svnhost.exe
File created	C:\Windows\Zont911\Home.zip	1svnhost.exe
File opened for modification	C:\Windows\System64\vp8decoder.dll	1svnhost.exe
File opened for modification	C:\Windows\System64\vp8encoder.dll	1svnhost.exe
File created	C:\Windows\Zont911\Tupe.bat	1svnhost.exe
File created	C:\Windows\System64\1svnhost.exe	0f2164f4d235938313afcfbd8c660804b219066e6b25b80943fe8d9a2817b8ae.exe
File created	C:\Windows\System64\vp8decoder.dll	1svnhost.exe
File created	C:\Windows\System64\vp8encoder.dll	1svnhost.exe
File created	C:\Windows\System64\svnhost.exe	1svnhost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Runs .reg file with regedit 1 IoCs

pid	Process
4200	regedit.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5000	0f2164f4d235938313afcfbd8c660804b219066e6b25b80943fe8d9a2817b8ae.exe
5000	0f2164f4d235938313afcfbd8c660804b219066e6b25b80943fe8d9a2817b8ae.exe
5000	0f2164f4d235938313afcfbd8c660804b219066e6b25b80943fe8d9a2817b8ae.exe
5000	0f2164f4d235938313afcfbd8c660804b219066e6b25b80943fe8d9a2817b8ae.exe
5000	0f2164f4d235938313afcfbd8c660804b219066e6b25b80943fe8d9a2817b8ae.exe
5000	0f2164f4d235938313afcfbd8c660804b219066e6b25b80943fe8d9a2817b8ae.exe
5000	0f2164f4d235938313afcfbd8c660804b219066e6b25b80943fe8d9a2817b8ae.exe
5000	0f2164f4d235938313afcfbd8c660804b219066e6b25b80943fe8d9a2817b8ae.exe
5000	0f2164f4d235938313afcfbd8c660804b219066e6b25b80943fe8d9a2817b8ae.exe
5000	0f2164f4d235938313afcfbd8c660804b219066e6b25b80943fe8d9a2817b8ae.exe
5000	0f2164f4d235938313afcfbd8c660804b219066e6b25b80943fe8d9a2817b8ae.exe
5000	0f2164f4d235938313afcfbd8c660804b219066e6b25b80943fe8d9a2817b8ae.exe
5000	0f2164f4d235938313afcfbd8c660804b219066e6b25b80943fe8d9a2817b8ae.exe
5000	0f2164f4d235938313afcfbd8c660804b219066e6b25b80943fe8d9a2817b8ae.exe
5000	0f2164f4d235938313afcfbd8c660804b219066e6b25b80943fe8d9a2817b8ae.exe
5000	0f2164f4d235938313afcfbd8c660804b219066e6b25b80943fe8d9a2817b8ae.exe
5000	0f2164f4d235938313afcfbd8c660804b219066e6b25b80943fe8d9a2817b8ae.exe
5000	0f2164f4d235938313afcfbd8c660804b219066e6b25b80943fe8d9a2817b8ae.exe
5000	0f2164f4d235938313afcfbd8c660804b219066e6b25b80943fe8d9a2817b8ae.exe
5000	0f2164f4d235938313afcfbd8c660804b219066e6b25b80943fe8d9a2817b8ae.exe
5000	0f2164f4d235938313afcfbd8c660804b219066e6b25b80943fe8d9a2817b8ae.exe
5000	0f2164f4d235938313afcfbd8c660804b219066e6b25b80943fe8d9a2817b8ae.exe
5000	0f2164f4d235938313afcfbd8c660804b219066e6b25b80943fe8d9a2817b8ae.exe
5000	0f2164f4d235938313afcfbd8c660804b219066e6b25b80943fe8d9a2817b8ae.exe
5000	0f2164f4d235938313afcfbd8c660804b219066e6b25b80943fe8d9a2817b8ae.exe
5000	0f2164f4d235938313afcfbd8c660804b219066e6b25b80943fe8d9a2817b8ae.exe
5000	0f2164f4d235938313afcfbd8c660804b219066e6b25b80943fe8d9a2817b8ae.exe
5000	0f2164f4d235938313afcfbd8c660804b219066e6b25b80943fe8d9a2817b8ae.exe
5000	0f2164f4d235938313afcfbd8c660804b219066e6b25b80943fe8d9a2817b8ae.exe
5000	0f2164f4d235938313afcfbd8c660804b219066e6b25b80943fe8d9a2817b8ae.exe
5000	0f2164f4d235938313afcfbd8c660804b219066e6b25b80943fe8d9a2817b8ae.exe
5000	0f2164f4d235938313afcfbd8c660804b219066e6b25b80943fe8d9a2817b8ae.exe
5000	0f2164f4d235938313afcfbd8c660804b219066e6b25b80943fe8d9a2817b8ae.exe
5000	0f2164f4d235938313afcfbd8c660804b219066e6b25b80943fe8d9a2817b8ae.exe
5000	0f2164f4d235938313afcfbd8c660804b219066e6b25b80943fe8d9a2817b8ae.exe
5000	0f2164f4d235938313afcfbd8c660804b219066e6b25b80943fe8d9a2817b8ae.exe
5000	0f2164f4d235938313afcfbd8c660804b219066e6b25b80943fe8d9a2817b8ae.exe
5000	0f2164f4d235938313afcfbd8c660804b219066e6b25b80943fe8d9a2817b8ae.exe
5000	0f2164f4d235938313afcfbd8c660804b219066e6b25b80943fe8d9a2817b8ae.exe
5000	0f2164f4d235938313afcfbd8c660804b219066e6b25b80943fe8d9a2817b8ae.exe
5000	0f2164f4d235938313afcfbd8c660804b219066e6b25b80943fe8d9a2817b8ae.exe
5000	0f2164f4d235938313afcfbd8c660804b219066e6b25b80943fe8d9a2817b8ae.exe
5000	0f2164f4d235938313afcfbd8c660804b219066e6b25b80943fe8d9a2817b8ae.exe
5000	0f2164f4d235938313afcfbd8c660804b219066e6b25b80943fe8d9a2817b8ae.exe
5000	0f2164f4d235938313afcfbd8c660804b219066e6b25b80943fe8d9a2817b8ae.exe
5000	0f2164f4d235938313afcfbd8c660804b219066e6b25b80943fe8d9a2817b8ae.exe
5000	0f2164f4d235938313afcfbd8c660804b219066e6b25b80943fe8d9a2817b8ae.exe
5000	0f2164f4d235938313afcfbd8c660804b219066e6b25b80943fe8d9a2817b8ae.exe
5000	0f2164f4d235938313afcfbd8c660804b219066e6b25b80943fe8d9a2817b8ae.exe
5000	0f2164f4d235938313afcfbd8c660804b219066e6b25b80943fe8d9a2817b8ae.exe
5000	0f2164f4d235938313afcfbd8c660804b219066e6b25b80943fe8d9a2817b8ae.exe
5000	0f2164f4d235938313afcfbd8c660804b219066e6b25b80943fe8d9a2817b8ae.exe
5000	0f2164f4d235938313afcfbd8c660804b219066e6b25b80943fe8d9a2817b8ae.exe
5000	0f2164f4d235938313afcfbd8c660804b219066e6b25b80943fe8d9a2817b8ae.exe
5000	0f2164f4d235938313afcfbd8c660804b219066e6b25b80943fe8d9a2817b8ae.exe
5000	0f2164f4d235938313afcfbd8c660804b219066e6b25b80943fe8d9a2817b8ae.exe
5000	0f2164f4d235938313afcfbd8c660804b219066e6b25b80943fe8d9a2817b8ae.exe
5000	0f2164f4d235938313afcfbd8c660804b219066e6b25b80943fe8d9a2817b8ae.exe
5000	0f2164f4d235938313afcfbd8c660804b219066e6b25b80943fe8d9a2817b8ae.exe
5000	0f2164f4d235938313afcfbd8c660804b219066e6b25b80943fe8d9a2817b8ae.exe
5000	0f2164f4d235938313afcfbd8c660804b219066e6b25b80943fe8d9a2817b8ae.exe
5000	0f2164f4d235938313afcfbd8c660804b219066e6b25b80943fe8d9a2817b8ae.exe
5000	0f2164f4d235938313afcfbd8c660804b219066e6b25b80943fe8d9a2817b8ae.exe
5000	0f2164f4d235938313afcfbd8c660804b219066e6b25b80943fe8d9a2817b8ae.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	4860	svnhost.exe
Token: SeDebugPrivilege	4148	svnhost.exe
Token: SeTakeOwnershipPrivilege	688	svnhost.exe
Token: SeTcbPrivilege	688	svnhost.exe
Token: SeTcbPrivilege	688	svnhost.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4860	svnhost.exe
3492	svnhost.exe
4148	svnhost.exe
688	svnhost.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 5000 wrote to memory of 1956	5000	0f2164f4d235938313afcfbd8c660804b219066e6b25b80943fe8d9a2817b8ae.exe	82
PID 5000 wrote to memory of 1956	5000	0f2164f4d235938313afcfbd8c660804b219066e6b25b80943fe8d9a2817b8ae.exe	82
PID 5000 wrote to memory of 1956	5000	0f2164f4d235938313afcfbd8c660804b219066e6b25b80943fe8d9a2817b8ae.exe	82
PID 1956 wrote to memory of 4200	1956	1svnhost.exe	83
PID 1956 wrote to memory of 4200	1956	1svnhost.exe	83
PID 1956 wrote to memory of 4200	1956	1svnhost.exe	83
PID 1956 wrote to memory of 4156	1956	1svnhost.exe	84
PID 1956 wrote to memory of 4156	1956	1svnhost.exe	84
PID 1956 wrote to memory of 4156	1956	1svnhost.exe	84
PID 4156 wrote to memory of 4692	4156	cmd.exe	86
PID 4156 wrote to memory of 4692	4156	cmd.exe	86
PID 4156 wrote to memory of 4692	4156	cmd.exe	86
PID 4156 wrote to memory of 4860	4156	cmd.exe	87
PID 4156 wrote to memory of 4860	4156	cmd.exe	87
PID 4156 wrote to memory of 4860	4156	cmd.exe	87
PID 4156 wrote to memory of 3492	4156	cmd.exe	88
PID 4156 wrote to memory of 3492	4156	cmd.exe	88
PID 4156 wrote to memory of 3492	4156	cmd.exe	88
PID 4156 wrote to memory of 4148	4156	cmd.exe	89
PID 4156 wrote to memory of 4148	4156	cmd.exe	89
PID 4156 wrote to memory of 4148	4156	cmd.exe	89
PID 688 wrote to memory of 3948	688	svnhost.exe	92
PID 688 wrote to memory of 3948	688	svnhost.exe	92
PID 688 wrote to memory of 3948	688	svnhost.exe	92
PID 688 wrote to memory of 1172	688	svnhost.exe	91
PID 688 wrote to memory of 1172	688	svnhost.exe	91
PID 688 wrote to memory of 1172	688	svnhost.exe	91

C:\Users\Admin\AppData\Local\Temp\0f2164f4d235938313afcfbd8c660804b219066e6b25b80943fe8d9a2817b8ae.exe
"C:\Users\Admin\AppData\Local\Temp\0f2164f4d235938313afcfbd8c660804b219066e6b25b80943fe8d9a2817b8ae.exe"
1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5000
- C:\Windows\System64\1svnhost.exe
  "C:\Windows\System64\1svnhost.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Checks computer location settings
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:1956
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "C:\Windows\Zont911\Regedit.reg"
    3⤵
    - Runs .reg file with regedit
    PID:4200
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Windows\Zont911\Tupe.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4156
  - - C:\Windows\SysWOW64\chcp.com
      Chcp 1251
      4⤵
      PID:4692
  - - C:\Windows\System64\svnhost.exe
      "C:\Windows\System64\svnhost.exe" /silentinstall
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:4860
  - - C:\Windows\System64\svnhost.exe
      "C:\Windows\System64\svnhost.exe" /firewall
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:3492
  - - C:\Windows\System64\svnhost.exe
      "C:\Windows\System64\svnhost.exe" /start
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:4148

C:\Windows\System64\svnhost.exe
C:\Windows\System64\svnhost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:688
- C:\Windows\System64\systemsmss.exe
  C:\Windows\System64\systemsmss.exe /tray
  2⤵
  - Executes dropped EXE
  PID:1172
- C:\Windows\System64\systemsmss.exe
  C:\Windows\System64\systemsmss.exe
  2⤵
  - Executes dropped EXE
  PID:3948

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System64\1svnhost.exe

Filesize
6.3MB

MD5
f9c019b6a0f1ce8802a8aaeea86e496d

SHA1
7f854b600823ec15cd6bb5c912ea3a28f64da16a

SHA256
0f2164f4d235938313afcfbd8c660804b219066e6b25b80943fe8d9a2817b8ae

SHA512
5cb690fc9524678998ad9b022cde4c9ee09e7863e7af52d1d6dab854a30036edb883b9ebe8b7613777aee6d0132a365d17697ae516fd10f88f1162c527b2afae

Download Submit
C:\Windows\System64\1svnhost.exe

Filesize
6.3MB

MD5
f9c019b6a0f1ce8802a8aaeea86e496d

SHA1
7f854b600823ec15cd6bb5c912ea3a28f64da16a

SHA256
0f2164f4d235938313afcfbd8c660804b219066e6b25b80943fe8d9a2817b8ae

SHA512
5cb690fc9524678998ad9b022cde4c9ee09e7863e7af52d1d6dab854a30036edb883b9ebe8b7613777aee6d0132a365d17697ae516fd10f88f1162c527b2afae

Download Submit
C:\Windows\System64\svnhost.exe

Filesize
6.0MB

MD5
e437e8730f2163cba2552a5a374a885a

SHA1
514497f668ae7b80a698bd8cda6de2dcf104e450

SHA256
dde1cc7b34ad434fb515b4b315c2ec22a74e3b1b4d50fe83421fab4d6055b3a6

SHA512
e924929176c60f00bfd45f0ec991279d4bbb96be4f5f270e636594d4faad681c318cbc9374dd2126170e18f7b4e9db54b193c147b452655c2806921d8c76c445

Download Submit
C:\Windows\System64\svnhost.exe

Filesize
6.0MB

MD5
e437e8730f2163cba2552a5a374a885a

SHA1
514497f668ae7b80a698bd8cda6de2dcf104e450

SHA256
dde1cc7b34ad434fb515b4b315c2ec22a74e3b1b4d50fe83421fab4d6055b3a6

SHA512
e924929176c60f00bfd45f0ec991279d4bbb96be4f5f270e636594d4faad681c318cbc9374dd2126170e18f7b4e9db54b193c147b452655c2806921d8c76c445

Download Submit
C:\Windows\System64\svnhost.exe

Filesize
6.0MB

MD5
e437e8730f2163cba2552a5a374a885a

SHA1
514497f668ae7b80a698bd8cda6de2dcf104e450

SHA256
dde1cc7b34ad434fb515b4b315c2ec22a74e3b1b4d50fe83421fab4d6055b3a6

SHA512
e924929176c60f00bfd45f0ec991279d4bbb96be4f5f270e636594d4faad681c318cbc9374dd2126170e18f7b4e9db54b193c147b452655c2806921d8c76c445

Download Submit
C:\Windows\System64\svnhost.exe

Filesize
6.0MB

MD5
e437e8730f2163cba2552a5a374a885a

SHA1
514497f668ae7b80a698bd8cda6de2dcf104e450

SHA256
dde1cc7b34ad434fb515b4b315c2ec22a74e3b1b4d50fe83421fab4d6055b3a6

SHA512
e924929176c60f00bfd45f0ec991279d4bbb96be4f5f270e636594d4faad681c318cbc9374dd2126170e18f7b4e9db54b193c147b452655c2806921d8c76c445

Download Submit
C:\Windows\System64\svnhost.exe

Filesize
6.0MB

MD5
e437e8730f2163cba2552a5a374a885a

SHA1
514497f668ae7b80a698bd8cda6de2dcf104e450

SHA256
dde1cc7b34ad434fb515b4b315c2ec22a74e3b1b4d50fe83421fab4d6055b3a6

SHA512
e924929176c60f00bfd45f0ec991279d4bbb96be4f5f270e636594d4faad681c318cbc9374dd2126170e18f7b4e9db54b193c147b452655c2806921d8c76c445

Download Submit
C:\Windows\System64\systemsmss.exe

Filesize
5.1MB

MD5
bd458a26931f960f13958510e88a61a8

SHA1
be9fff29f269d649688e941e97ac03e669571837

SHA256
d295538301a5513d3e605e43586e48504ec22f87666a31ef06f697b5c9b611f3

SHA512
afe9e6209ade2846f31efb7b9977d42b28cd082eb0a4b9c4ba4b9c91d528afbc7efe748be0c78c938d042dc9d200c23d2f0552a7498ab23becac828df53245e7

Download Submit
C:\Windows\System64\systemsmss.exe

Filesize
5.1MB

MD5
bd458a26931f960f13958510e88a61a8

SHA1
be9fff29f269d649688e941e97ac03e669571837

SHA256
d295538301a5513d3e605e43586e48504ec22f87666a31ef06f697b5c9b611f3

SHA512
afe9e6209ade2846f31efb7b9977d42b28cd082eb0a4b9c4ba4b9c91d528afbc7efe748be0c78c938d042dc9d200c23d2f0552a7498ab23becac828df53245e7

Download Submit
C:\Windows\System64\systemsmss.exe

Filesize
5.1MB

MD5
bd458a26931f960f13958510e88a61a8

SHA1
be9fff29f269d649688e941e97ac03e669571837

SHA256
d295538301a5513d3e605e43586e48504ec22f87666a31ef06f697b5c9b611f3

SHA512
afe9e6209ade2846f31efb7b9977d42b28cd082eb0a4b9c4ba4b9c91d528afbc7efe748be0c78c938d042dc9d200c23d2f0552a7498ab23becac828df53245e7

Download Submit
C:\Windows\System64\vp8decoder.dll

Filesize
378KB

MD5
d43fa82fab5337ce20ad14650085c5d9

SHA1
678aa092075ff65b6815ffc2d8fdc23af8425981

SHA256
c022958429edd94bfe31f2eacfe24ff6b45d6f12747725c449a36116373de03b

SHA512
103e61a9f58df03316676a074487e50ec518479c11068df3736df139b85c7671048c65bce0ef2c55b3c50c61fde54e9e6c7d1b795aea71263ae94c91d4874e0d

Download Submit
C:\Windows\System64\vp8encoder.dll

Filesize
1.6MB

MD5
dab4646806dfca6d0e0b4d80fa9209d6

SHA1
8244dfe22ec2090eee89dad103e6b2002059d16a

SHA256
cb6ef96d3a66ef08ec2c8640b751a52d6d4f4530cf01162a69966f0fd5153587

SHA512
aa5eb93bf23a10de797d6fb52a55a95d36bc48927c76fedd81e0c48872745cb7f7d1b3f230eaae42fd4e79b6a59ca707e56bd6963b03644cbd5984f11e98d6e7

Download Submit
C:\Windows\Zont911\Regedit.reg

Filesize
11KB

MD5
44e6200c79b9f46a3d07ad377f5518e9

SHA1
242c27b3e44bec53a770baba126fc8ec1dd0c066

SHA256
2bbb7428d9666fd7fbfa86d01c7c1512016c72eb1a05bf5d6a4589f1c1de1700

SHA512
33e4504feacceab47a159123f9d241ff128676dbfd20ce51eae94c12a82faae52566008fc45dd02bc71d5477ca7cd8b6349986e8d727594d52a2f9cb9c75effb

Download Submit
C:\Windows\Zont911\Tupe.bat

Filesize
278B

MD5
bc3fb74a6cbcbb208a35ef91ef1eddf9

SHA1
b9e97c0863038d2506123ae53534d2803954a89d

SHA256
e351c2afdfe0a3555ce0da5b09913ed353a331e2454cbe0cb9b3ebe3c6fd8f69

SHA512
4e91e3ac2bc312a2fe76296012626a2d580848a67f8f358cf78a2d8c29d65d3961f62867d113ba109f138af91209d163f589556e1d291a98fe672ff13d8ab674

Download Submit