rms | 03ecfa9e62c6c03568209dcb2976354c0957da79f77bcf1368478c366042cd4f

Analysis

max time kernel
151s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
24-05-2022 21:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

03ecfa9e62c6c03568209dcb2976354c0957da79f77bcf1368478c366042cd4f.exe
Size

6.2MB
MD5

24e11f360833c184ac76cde7cc727b0e
SHA1

88438fab6c4a4120c1e09c8abe876ed4108c6906
SHA256

03ecfa9e62c6c03568209dcb2976354c0957da79f77bcf1368478c366042cd4f
SHA512

d2d25c1c5d3be123006efb50fb802325004287b0e1aeea7fe656fc6b8d61760d5b257a4460f1b24b410334a61c2a405f36ce6c65f3e93319c763e244f9d6f87e

Score

10^/10

rms persistence rat trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 3 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe"	03ecfa9e62c6c03568209dcb2976354c0957da79f77bcf1368478c366042cd4f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Windows\\System64\\1systemsmss.exe, explorer.exe"	03ecfa9e62c6c03568209dcb2976354c0957da79f77bcf1368478c366042cd4f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe"	1systemsmss.exe

RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms

Executes dropped EXE 7 IoCs

pid	Process
3592	1systemsmss.exe
3632	svnhost.exe
2588	svnhost.exe
1812	svnhost.exe
404	svnhost.exe
4740	systemsmss.exe
2916	systemsmss.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	03ecfa9e62c6c03568209dcb2976354c0957da79f77bcf1368478c366042cd4f.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	1systemsmss.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows\CurrentVersion\Run	03ecfa9e62c6c03568209dcb2976354c0957da79f77bcf1368478c366042cd4f.exe
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows\CurrentVersion\Run	1systemsmss.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File created	C:\Windows\System64\vp8decoder.dll	1systemsmss.exe
File opened for modification	C:\Windows\System64\vp8decoder.dll	1systemsmss.exe
File created	C:\Windows\System64\vp8encoder.dll	1systemsmss.exe
File opened for modification	C:\Windows\System64\vp8encoder.dll	1systemsmss.exe
File created	C:\Windows\System64\svnhost.exe	1systemsmss.exe
File opened for modification	C:\Windows\System64\systemsmss.exe	1systemsmss.exe
File created	C:\Windows\Zont911\Tupe.bat	1systemsmss.exe
File created	C:\Windows\System64\1systemsmss.exe	03ecfa9e62c6c03568209dcb2976354c0957da79f77bcf1368478c366042cd4f.exe
File opened for modification	C:\Windows\System64\1systemsmss.exe	03ecfa9e62c6c03568209dcb2976354c0957da79f77bcf1368478c366042cd4f.exe
File created	C:\Windows\Zont911\Regedit.reg	1systemsmss.exe
File created	C:\Windows\Zont911\Home.zip	1systemsmss.exe
File opened for modification	C:\Windows\System64\svnhost.exe	1systemsmss.exe
File created	C:\Windows\System64\systemsmss.exe	1systemsmss.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Runs .reg file with regedit 1 IoCs

pid	Process
4324	regedit.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4656	03ecfa9e62c6c03568209dcb2976354c0957da79f77bcf1368478c366042cd4f.exe
4656	03ecfa9e62c6c03568209dcb2976354c0957da79f77bcf1368478c366042cd4f.exe
4656	03ecfa9e62c6c03568209dcb2976354c0957da79f77bcf1368478c366042cd4f.exe
4656	03ecfa9e62c6c03568209dcb2976354c0957da79f77bcf1368478c366042cd4f.exe
4656	03ecfa9e62c6c03568209dcb2976354c0957da79f77bcf1368478c366042cd4f.exe
4656	03ecfa9e62c6c03568209dcb2976354c0957da79f77bcf1368478c366042cd4f.exe
4656	03ecfa9e62c6c03568209dcb2976354c0957da79f77bcf1368478c366042cd4f.exe
4656	03ecfa9e62c6c03568209dcb2976354c0957da79f77bcf1368478c366042cd4f.exe
4656	03ecfa9e62c6c03568209dcb2976354c0957da79f77bcf1368478c366042cd4f.exe
4656	03ecfa9e62c6c03568209dcb2976354c0957da79f77bcf1368478c366042cd4f.exe
4656	03ecfa9e62c6c03568209dcb2976354c0957da79f77bcf1368478c366042cd4f.exe
4656	03ecfa9e62c6c03568209dcb2976354c0957da79f77bcf1368478c366042cd4f.exe
4656	03ecfa9e62c6c03568209dcb2976354c0957da79f77bcf1368478c366042cd4f.exe
4656	03ecfa9e62c6c03568209dcb2976354c0957da79f77bcf1368478c366042cd4f.exe
4656	03ecfa9e62c6c03568209dcb2976354c0957da79f77bcf1368478c366042cd4f.exe
4656	03ecfa9e62c6c03568209dcb2976354c0957da79f77bcf1368478c366042cd4f.exe
4656	03ecfa9e62c6c03568209dcb2976354c0957da79f77bcf1368478c366042cd4f.exe
4656	03ecfa9e62c6c03568209dcb2976354c0957da79f77bcf1368478c366042cd4f.exe
4656	03ecfa9e62c6c03568209dcb2976354c0957da79f77bcf1368478c366042cd4f.exe
4656	03ecfa9e62c6c03568209dcb2976354c0957da79f77bcf1368478c366042cd4f.exe
4656	03ecfa9e62c6c03568209dcb2976354c0957da79f77bcf1368478c366042cd4f.exe
4656	03ecfa9e62c6c03568209dcb2976354c0957da79f77bcf1368478c366042cd4f.exe
4656	03ecfa9e62c6c03568209dcb2976354c0957da79f77bcf1368478c366042cd4f.exe
4656	03ecfa9e62c6c03568209dcb2976354c0957da79f77bcf1368478c366042cd4f.exe
4656	03ecfa9e62c6c03568209dcb2976354c0957da79f77bcf1368478c366042cd4f.exe
4656	03ecfa9e62c6c03568209dcb2976354c0957da79f77bcf1368478c366042cd4f.exe
4656	03ecfa9e62c6c03568209dcb2976354c0957da79f77bcf1368478c366042cd4f.exe
4656	03ecfa9e62c6c03568209dcb2976354c0957da79f77bcf1368478c366042cd4f.exe
4656	03ecfa9e62c6c03568209dcb2976354c0957da79f77bcf1368478c366042cd4f.exe
4656	03ecfa9e62c6c03568209dcb2976354c0957da79f77bcf1368478c366042cd4f.exe
4656	03ecfa9e62c6c03568209dcb2976354c0957da79f77bcf1368478c366042cd4f.exe
4656	03ecfa9e62c6c03568209dcb2976354c0957da79f77bcf1368478c366042cd4f.exe
4656	03ecfa9e62c6c03568209dcb2976354c0957da79f77bcf1368478c366042cd4f.exe
4656	03ecfa9e62c6c03568209dcb2976354c0957da79f77bcf1368478c366042cd4f.exe
4656	03ecfa9e62c6c03568209dcb2976354c0957da79f77bcf1368478c366042cd4f.exe
4656	03ecfa9e62c6c03568209dcb2976354c0957da79f77bcf1368478c366042cd4f.exe
4656	03ecfa9e62c6c03568209dcb2976354c0957da79f77bcf1368478c366042cd4f.exe
4656	03ecfa9e62c6c03568209dcb2976354c0957da79f77bcf1368478c366042cd4f.exe
4656	03ecfa9e62c6c03568209dcb2976354c0957da79f77bcf1368478c366042cd4f.exe
4656	03ecfa9e62c6c03568209dcb2976354c0957da79f77bcf1368478c366042cd4f.exe
4656	03ecfa9e62c6c03568209dcb2976354c0957da79f77bcf1368478c366042cd4f.exe
4656	03ecfa9e62c6c03568209dcb2976354c0957da79f77bcf1368478c366042cd4f.exe
4656	03ecfa9e62c6c03568209dcb2976354c0957da79f77bcf1368478c366042cd4f.exe
4656	03ecfa9e62c6c03568209dcb2976354c0957da79f77bcf1368478c366042cd4f.exe
4656	03ecfa9e62c6c03568209dcb2976354c0957da79f77bcf1368478c366042cd4f.exe
4656	03ecfa9e62c6c03568209dcb2976354c0957da79f77bcf1368478c366042cd4f.exe
4656	03ecfa9e62c6c03568209dcb2976354c0957da79f77bcf1368478c366042cd4f.exe
4656	03ecfa9e62c6c03568209dcb2976354c0957da79f77bcf1368478c366042cd4f.exe
4656	03ecfa9e62c6c03568209dcb2976354c0957da79f77bcf1368478c366042cd4f.exe
4656	03ecfa9e62c6c03568209dcb2976354c0957da79f77bcf1368478c366042cd4f.exe
4656	03ecfa9e62c6c03568209dcb2976354c0957da79f77bcf1368478c366042cd4f.exe
4656	03ecfa9e62c6c03568209dcb2976354c0957da79f77bcf1368478c366042cd4f.exe
4656	03ecfa9e62c6c03568209dcb2976354c0957da79f77bcf1368478c366042cd4f.exe
4656	03ecfa9e62c6c03568209dcb2976354c0957da79f77bcf1368478c366042cd4f.exe
4656	03ecfa9e62c6c03568209dcb2976354c0957da79f77bcf1368478c366042cd4f.exe
4656	03ecfa9e62c6c03568209dcb2976354c0957da79f77bcf1368478c366042cd4f.exe
4656	03ecfa9e62c6c03568209dcb2976354c0957da79f77bcf1368478c366042cd4f.exe
4656	03ecfa9e62c6c03568209dcb2976354c0957da79f77bcf1368478c366042cd4f.exe
4656	03ecfa9e62c6c03568209dcb2976354c0957da79f77bcf1368478c366042cd4f.exe
4656	03ecfa9e62c6c03568209dcb2976354c0957da79f77bcf1368478c366042cd4f.exe
4656	03ecfa9e62c6c03568209dcb2976354c0957da79f77bcf1368478c366042cd4f.exe
4656	03ecfa9e62c6c03568209dcb2976354c0957da79f77bcf1368478c366042cd4f.exe
4656	03ecfa9e62c6c03568209dcb2976354c0957da79f77bcf1368478c366042cd4f.exe
4656	03ecfa9e62c6c03568209dcb2976354c0957da79f77bcf1368478c366042cd4f.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	3632	svnhost.exe
Token: SeDebugPrivilege	1812	svnhost.exe
Token: SeTakeOwnershipPrivilege	404	svnhost.exe
Token: SeTcbPrivilege	404	svnhost.exe
Token: SeTcbPrivilege	404	svnhost.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3632	svnhost.exe
2588	svnhost.exe
1812	svnhost.exe
404	svnhost.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 4656 wrote to memory of 3592	4656	03ecfa9e62c6c03568209dcb2976354c0957da79f77bcf1368478c366042cd4f.exe	86
PID 4656 wrote to memory of 3592	4656	03ecfa9e62c6c03568209dcb2976354c0957da79f77bcf1368478c366042cd4f.exe	86
PID 4656 wrote to memory of 3592	4656	03ecfa9e62c6c03568209dcb2976354c0957da79f77bcf1368478c366042cd4f.exe	86
PID 3592 wrote to memory of 4324	3592	1systemsmss.exe	88
PID 3592 wrote to memory of 4324	3592	1systemsmss.exe	88
PID 3592 wrote to memory of 4324	3592	1systemsmss.exe	88
PID 3592 wrote to memory of 3764	3592	1systemsmss.exe	91
PID 3592 wrote to memory of 3764	3592	1systemsmss.exe	91
PID 3592 wrote to memory of 3764	3592	1systemsmss.exe	91
PID 3764 wrote to memory of 3664	3764	cmd.exe	93
PID 3764 wrote to memory of 3664	3764	cmd.exe	93
PID 3764 wrote to memory of 3664	3764	cmd.exe	93
PID 3764 wrote to memory of 3632	3764	cmd.exe	94
PID 3764 wrote to memory of 3632	3764	cmd.exe	94
PID 3764 wrote to memory of 3632	3764	cmd.exe	94
PID 3764 wrote to memory of 2588	3764	cmd.exe	95
PID 3764 wrote to memory of 2588	3764	cmd.exe	95
PID 3764 wrote to memory of 2588	3764	cmd.exe	95
PID 3764 wrote to memory of 1812	3764	cmd.exe	96
PID 3764 wrote to memory of 1812	3764	cmd.exe	96
PID 3764 wrote to memory of 1812	3764	cmd.exe	96
PID 404 wrote to memory of 2916	404	svnhost.exe	99
PID 404 wrote to memory of 2916	404	svnhost.exe	99
PID 404 wrote to memory of 2916	404	svnhost.exe	99
PID 404 wrote to memory of 4740	404	svnhost.exe	98
PID 404 wrote to memory of 4740	404	svnhost.exe	98
PID 404 wrote to memory of 4740	404	svnhost.exe	98

C:\Users\Admin\AppData\Local\Temp\03ecfa9e62c6c03568209dcb2976354c0957da79f77bcf1368478c366042cd4f.exe
"C:\Users\Admin\AppData\Local\Temp\03ecfa9e62c6c03568209dcb2976354c0957da79f77bcf1368478c366042cd4f.exe"
1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4656
- C:\Windows\System64\1systemsmss.exe
  "C:\Windows\System64\1systemsmss.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Checks computer location settings
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:3592
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "C:\Windows\Zont911\Regedit.reg"
    3⤵
    - Runs .reg file with regedit
    PID:4324
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Windows\Zont911\Tupe.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3764
  - - C:\Windows\SysWOW64\chcp.com
      Chcp 1251
      4⤵
      PID:3664
  - - C:\Windows\System64\svnhost.exe
      "C:\Windows\System64\svnhost.exe" /silentinstall
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:3632
  - - C:\Windows\System64\svnhost.exe
      "C:\Windows\System64\svnhost.exe" /firewall
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2588
  - - C:\Windows\System64\svnhost.exe
      "C:\Windows\System64\svnhost.exe" /start
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:1812

C:\Windows\System64\svnhost.exe
C:\Windows\System64\svnhost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:404
- C:\Windows\System64\systemsmss.exe
  C:\Windows\System64\systemsmss.exe /tray
  2⤵
  - Executes dropped EXE
  PID:4740
- C:\Windows\System64\systemsmss.exe
  C:\Windows\System64\systemsmss.exe
  2⤵
  - Executes dropped EXE
  PID:2916

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
1⤵
PID:4532

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System64\1systemsmss.exe

Filesize
6.2MB

MD5
24e11f360833c184ac76cde7cc727b0e

SHA1
88438fab6c4a4120c1e09c8abe876ed4108c6906

SHA256
03ecfa9e62c6c03568209dcb2976354c0957da79f77bcf1368478c366042cd4f

SHA512
d2d25c1c5d3be123006efb50fb802325004287b0e1aeea7fe656fc6b8d61760d5b257a4460f1b24b410334a61c2a405f36ce6c65f3e93319c763e244f9d6f87e

Download Submit
C:\Windows\System64\1systemsmss.exe

Filesize
6.2MB

MD5
24e11f360833c184ac76cde7cc727b0e

SHA1
88438fab6c4a4120c1e09c8abe876ed4108c6906

SHA256
03ecfa9e62c6c03568209dcb2976354c0957da79f77bcf1368478c366042cd4f

SHA512
d2d25c1c5d3be123006efb50fb802325004287b0e1aeea7fe656fc6b8d61760d5b257a4460f1b24b410334a61c2a405f36ce6c65f3e93319c763e244f9d6f87e

Download Submit
C:\Windows\System64\svnhost.exe

Filesize
6.0MB

MD5
e437e8730f2163cba2552a5a374a885a

SHA1
514497f668ae7b80a698bd8cda6de2dcf104e450

SHA256
dde1cc7b34ad434fb515b4b315c2ec22a74e3b1b4d50fe83421fab4d6055b3a6

SHA512
e924929176c60f00bfd45f0ec991279d4bbb96be4f5f270e636594d4faad681c318cbc9374dd2126170e18f7b4e9db54b193c147b452655c2806921d8c76c445

Download Submit
C:\Windows\System64\svnhost.exe

Filesize
6.0MB

MD5
e437e8730f2163cba2552a5a374a885a

SHA1
514497f668ae7b80a698bd8cda6de2dcf104e450

SHA256
dde1cc7b34ad434fb515b4b315c2ec22a74e3b1b4d50fe83421fab4d6055b3a6

SHA512
e924929176c60f00bfd45f0ec991279d4bbb96be4f5f270e636594d4faad681c318cbc9374dd2126170e18f7b4e9db54b193c147b452655c2806921d8c76c445

Download Submit
C:\Windows\System64\svnhost.exe

Filesize
6.0MB

MD5
e437e8730f2163cba2552a5a374a885a

SHA1
514497f668ae7b80a698bd8cda6de2dcf104e450

SHA256
dde1cc7b34ad434fb515b4b315c2ec22a74e3b1b4d50fe83421fab4d6055b3a6

SHA512
e924929176c60f00bfd45f0ec991279d4bbb96be4f5f270e636594d4faad681c318cbc9374dd2126170e18f7b4e9db54b193c147b452655c2806921d8c76c445

Download Submit
C:\Windows\System64\svnhost.exe

Filesize
6.0MB

MD5
e437e8730f2163cba2552a5a374a885a

SHA1
514497f668ae7b80a698bd8cda6de2dcf104e450

SHA256
dde1cc7b34ad434fb515b4b315c2ec22a74e3b1b4d50fe83421fab4d6055b3a6

SHA512
e924929176c60f00bfd45f0ec991279d4bbb96be4f5f270e636594d4faad681c318cbc9374dd2126170e18f7b4e9db54b193c147b452655c2806921d8c76c445

Download Submit
C:\Windows\System64\svnhost.exe

Filesize
6.0MB

MD5
e437e8730f2163cba2552a5a374a885a

SHA1
514497f668ae7b80a698bd8cda6de2dcf104e450

SHA256
dde1cc7b34ad434fb515b4b315c2ec22a74e3b1b4d50fe83421fab4d6055b3a6

SHA512
e924929176c60f00bfd45f0ec991279d4bbb96be4f5f270e636594d4faad681c318cbc9374dd2126170e18f7b4e9db54b193c147b452655c2806921d8c76c445

Download Submit
C:\Windows\System64\systemsmss.exe

Filesize
5.1MB

MD5
bd458a26931f960f13958510e88a61a8

SHA1
be9fff29f269d649688e941e97ac03e669571837

SHA256
d295538301a5513d3e605e43586e48504ec22f87666a31ef06f697b5c9b611f3

SHA512
afe9e6209ade2846f31efb7b9977d42b28cd082eb0a4b9c4ba4b9c91d528afbc7efe748be0c78c938d042dc9d200c23d2f0552a7498ab23becac828df53245e7

Download Submit
C:\Windows\System64\systemsmss.exe

Filesize
5.1MB

MD5
bd458a26931f960f13958510e88a61a8

SHA1
be9fff29f269d649688e941e97ac03e669571837

SHA256
d295538301a5513d3e605e43586e48504ec22f87666a31ef06f697b5c9b611f3

SHA512
afe9e6209ade2846f31efb7b9977d42b28cd082eb0a4b9c4ba4b9c91d528afbc7efe748be0c78c938d042dc9d200c23d2f0552a7498ab23becac828df53245e7

Download Submit
C:\Windows\System64\systemsmss.exe

Filesize
5.1MB

MD5
bd458a26931f960f13958510e88a61a8

SHA1
be9fff29f269d649688e941e97ac03e669571837

SHA256
d295538301a5513d3e605e43586e48504ec22f87666a31ef06f697b5c9b611f3

SHA512
afe9e6209ade2846f31efb7b9977d42b28cd082eb0a4b9c4ba4b9c91d528afbc7efe748be0c78c938d042dc9d200c23d2f0552a7498ab23becac828df53245e7

Download Submit
C:\Windows\System64\vp8decoder.dll

Filesize
378KB

MD5
d43fa82fab5337ce20ad14650085c5d9

SHA1
678aa092075ff65b6815ffc2d8fdc23af8425981

SHA256
c022958429edd94bfe31f2eacfe24ff6b45d6f12747725c449a36116373de03b

SHA512
103e61a9f58df03316676a074487e50ec518479c11068df3736df139b85c7671048c65bce0ef2c55b3c50c61fde54e9e6c7d1b795aea71263ae94c91d4874e0d

Download Submit
C:\Windows\System64\vp8encoder.dll

Filesize
1.6MB

MD5
dab4646806dfca6d0e0b4d80fa9209d6

SHA1
8244dfe22ec2090eee89dad103e6b2002059d16a

SHA256
cb6ef96d3a66ef08ec2c8640b751a52d6d4f4530cf01162a69966f0fd5153587

SHA512
aa5eb93bf23a10de797d6fb52a55a95d36bc48927c76fedd81e0c48872745cb7f7d1b3f230eaae42fd4e79b6a59ca707e56bd6963b03644cbd5984f11e98d6e7

Download Submit
C:\Windows\Zont911\Regedit.reg

Filesize
11KB

MD5
c9d1eb161cc32d0a3a7f00b0fd4b56d8

SHA1
fcb0844d6ed77a158f477f4a682de4a8402ed1cd

SHA256
2cf96e92c92be3c48f93342b0f8e3ef5aa4f2f0aa6f5755cde82152bda56f88d

SHA512
bb25500a74fec3c2e18919d74b033489826b0081b31a6fe71a8ca04e55564bdba23cb729372e9f48976b141164fe009a182abccea7a5e47a630db077d752d112

Download Submit
C:\Windows\Zont911\Tupe.bat

Filesize
281B

MD5
691f040de6d335962416b319dcd416dc

SHA1
db49109c0917910f7fce8b6de690a1c7e2026226

SHA256
605d0b9c2fd1972c4ee60d8eefd336be636884dcdf54a4e5f2829c46e80fdcea

SHA512
f34ba36bdeaa43a1265ec69acfa0f199f2b4d5d90b4ea890327478f4f48ec7597d660b922dd1e149de3a1ff9b48c79e4c9c53e8a482b4cb5842bc0976f93bf89

Download Submit