rms | 8c13bccbda4ac9cd36d52a8205e7068834a51989ed55bd152cacca38ca1ec2fc

Analysis

max time kernel
146s
max time network
149s
platform
windows7_x64
resource
win7-20220414-en
submitted
24-05-2022 14:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8c13bccbda4ac9cd36d52a8205e7068834a51989ed55bd152cacca38ca1ec2fc.exe
Size

4.8MB
MD5

4a5f2f1f3f38fc6e3c9b6a746e1e0857
SHA1

2d8aaea4b525b475e66679d1b0e498a6c003b72e
SHA256

8c13bccbda4ac9cd36d52a8205e7068834a51989ed55bd152cacca38ca1ec2fc
SHA512

2d79d6832f54615e57cfeff55d7796626df3f7d4674432fd4396286efcb8e51d8f95e12eef5963c7d03935f1b651ee39e75e6465481e4370d84682ef5644e345

Score

10^/10

rms discovery evasion rat suricata trojan upx

Malware Config

Signatures

RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms
suricata: ET MALWARE Trojan Generic - POST To gate.php with no referer
suricata: ET MALWARE Trojan Generic - POST To gate.php with no referer
suricata

Executes dropped EXE 14 IoCs

pid	Process
916	DiskServer.exe
1196	OpenDisk.exe
576	File.exe
1940	File2.exe
1944	File3.exe
852	DiskUpdate.exe
1840	DiskUpdate1.exe
1936	sysdisk.exe
1472	sysdisk.exe
360	sysdisk.exe
1696	sysdisk.exe
876	volumedisk.exe
1716	volumedisk.exe
1984	volumedisk.exe

Sets file to hidden 1 TTPs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0007000000013adf-141.dat	upx
behavioral1/files/0x0007000000013adf-144.dat	upx
behavioral1/files/0x0007000000013adf-142.dat	upx
behavioral1/files/0x0007000000013adf-146.dat	upx
behavioral1/files/0x0007000000013adf-148.dat	upx
behavioral1/files/0x0007000000013adf-156.dat	upx
behavioral1/files/0x0007000000013adf-158.dat	upx
behavioral1/files/0x0007000000013adf-160.dat	upx
behavioral1/files/0x0007000000013a0d-165.dat	upx
behavioral1/files/0x0007000000013a0d-166.dat	upx
behavioral1/files/0x0007000000013a0d-167.dat	upx
behavioral1/files/0x0007000000013a0d-170.dat	upx
behavioral1/files/0x0007000000013a0d-171.dat	upx
behavioral1/files/0x0007000000013a0d-179.dat	upx

Loads dropped DLL 20 IoCs

pid	Process
548	8c13bccbda4ac9cd36d52a8205e7068834a51989ed55bd152cacca38ca1ec2fc.exe
916	DiskServer.exe
916	DiskServer.exe
916	DiskServer.exe
1196	OpenDisk.exe
1196	OpenDisk.exe
1196	OpenDisk.exe
1196	OpenDisk.exe
1196	OpenDisk.exe
1196	OpenDisk.exe
1196	OpenDisk.exe
852	DiskUpdate.exe
852	DiskUpdate.exe
852	DiskUpdate.exe
1840	DiskUpdate1.exe
1452	cmd.exe
1452	cmd.exe
1452	cmd.exe
1696	sysdisk.exe
1696	sysdisk.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Kills process with taskkill 2 IoCs

evasion

pid	Process
1192	taskkill.exe
1196	taskkill.exe

Runs .reg file with regedit 2 IoCs

pid	Process
840	regedit.exe
2016	regedit.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
1936	sysdisk.exe
1936	sysdisk.exe
1936	sysdisk.exe
1936	sysdisk.exe
1472	sysdisk.exe
1472	sysdisk.exe
360	sysdisk.exe
360	sysdisk.exe
1696	sysdisk.exe
1696	sysdisk.exe
1696	sysdisk.exe
1696	sysdisk.exe
1716	volumedisk.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	1192	taskkill.exe
Token: SeDebugPrivilege	1196	taskkill.exe
Token: SeDebugPrivilege	1936	sysdisk.exe
Token: SeDebugPrivilege	360	sysdisk.exe
Token: SeTakeOwnershipPrivilege	1696	sysdisk.exe
Token: SeTcbPrivilege	1696	sysdisk.exe
Token: SeTcbPrivilege	1696	sysdisk.exe
Token: SeDebugPrivilege	1940	File2.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1936	sysdisk.exe
1472	sysdisk.exe
360	sysdisk.exe
1696	sysdisk.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 548 wrote to memory of 916	548	8c13bccbda4ac9cd36d52a8205e7068834a51989ed55bd152cacca38ca1ec2fc.exe	27
PID 548 wrote to memory of 916	548	8c13bccbda4ac9cd36d52a8205e7068834a51989ed55bd152cacca38ca1ec2fc.exe	27
PID 548 wrote to memory of 916	548	8c13bccbda4ac9cd36d52a8205e7068834a51989ed55bd152cacca38ca1ec2fc.exe	27
PID 548 wrote to memory of 916	548	8c13bccbda4ac9cd36d52a8205e7068834a51989ed55bd152cacca38ca1ec2fc.exe	27
PID 548 wrote to memory of 916	548	8c13bccbda4ac9cd36d52a8205e7068834a51989ed55bd152cacca38ca1ec2fc.exe	27
PID 548 wrote to memory of 916	548	8c13bccbda4ac9cd36d52a8205e7068834a51989ed55bd152cacca38ca1ec2fc.exe	27
PID 548 wrote to memory of 916	548	8c13bccbda4ac9cd36d52a8205e7068834a51989ed55bd152cacca38ca1ec2fc.exe	27
PID 916 wrote to memory of 1196	916	DiskServer.exe	29
PID 916 wrote to memory of 1196	916	DiskServer.exe	29
PID 916 wrote to memory of 1196	916	DiskServer.exe	29
PID 916 wrote to memory of 1196	916	DiskServer.exe	29
PID 916 wrote to memory of 1196	916	DiskServer.exe	29
PID 916 wrote to memory of 1196	916	DiskServer.exe	29
PID 916 wrote to memory of 1196	916	DiskServer.exe	29
PID 1196 wrote to memory of 576	1196	OpenDisk.exe	30
PID 1196 wrote to memory of 576	1196	OpenDisk.exe	30
PID 1196 wrote to memory of 576	1196	OpenDisk.exe	30
PID 1196 wrote to memory of 576	1196	OpenDisk.exe	30
PID 1196 wrote to memory of 576	1196	OpenDisk.exe	30
PID 1196 wrote to memory of 576	1196	OpenDisk.exe	30
PID 1196 wrote to memory of 576	1196	OpenDisk.exe	30
PID 1196 wrote to memory of 1940	1196	OpenDisk.exe	31
PID 1196 wrote to memory of 1940	1196	OpenDisk.exe	31
PID 1196 wrote to memory of 1940	1196	OpenDisk.exe	31
PID 1196 wrote to memory of 1940	1196	OpenDisk.exe	31
PID 1196 wrote to memory of 1940	1196	OpenDisk.exe	31
PID 1196 wrote to memory of 1940	1196	OpenDisk.exe	31
PID 1196 wrote to memory of 1940	1196	OpenDisk.exe	31
PID 1196 wrote to memory of 1944	1196	OpenDisk.exe	32
PID 1196 wrote to memory of 1944	1196	OpenDisk.exe	32
PID 1196 wrote to memory of 1944	1196	OpenDisk.exe	32
PID 1196 wrote to memory of 1944	1196	OpenDisk.exe	32
PID 1196 wrote to memory of 1944	1196	OpenDisk.exe	32
PID 1196 wrote to memory of 1944	1196	OpenDisk.exe	32
PID 1196 wrote to memory of 1944	1196	OpenDisk.exe	32
PID 1196 wrote to memory of 852	1196	OpenDisk.exe	33
PID 1196 wrote to memory of 852	1196	OpenDisk.exe	33
PID 1196 wrote to memory of 852	1196	OpenDisk.exe	33
PID 1196 wrote to memory of 852	1196	OpenDisk.exe	33
PID 1196 wrote to memory of 852	1196	OpenDisk.exe	33
PID 1196 wrote to memory of 852	1196	OpenDisk.exe	33
PID 1196 wrote to memory of 852	1196	OpenDisk.exe	33
PID 852 wrote to memory of 1840	852	DiskUpdate.exe	34
PID 852 wrote to memory of 1840	852	DiskUpdate.exe	34
PID 852 wrote to memory of 1840	852	DiskUpdate.exe	34
PID 852 wrote to memory of 1840	852	DiskUpdate.exe	34
PID 852 wrote to memory of 1840	852	DiskUpdate.exe	34
PID 852 wrote to memory of 1840	852	DiskUpdate.exe	34
PID 852 wrote to memory of 1840	852	DiskUpdate.exe	34
PID 1840 wrote to memory of 1452	1840	DiskUpdate1.exe	35
PID 1840 wrote to memory of 1452	1840	DiskUpdate1.exe	35
PID 1840 wrote to memory of 1452	1840	DiskUpdate1.exe	35
PID 1840 wrote to memory of 1452	1840	DiskUpdate1.exe	35
PID 1840 wrote to memory of 1452	1840	DiskUpdate1.exe	35
PID 1840 wrote to memory of 1452	1840	DiskUpdate1.exe	35
PID 1840 wrote to memory of 1452	1840	DiskUpdate1.exe	35
PID 1452 wrote to memory of 808	1452	cmd.exe	37
PID 1452 wrote to memory of 808	1452	cmd.exe	37
PID 1452 wrote to memory of 808	1452	cmd.exe	37
PID 1452 wrote to memory of 808	1452	cmd.exe	37
PID 1452 wrote to memory of 808	1452	cmd.exe	37
PID 1452 wrote to memory of 808	1452	cmd.exe	37
PID 1452 wrote to memory of 808	1452	cmd.exe	37
PID 1452 wrote to memory of 1548	1452	cmd.exe	38

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
808	attrib.exe
1920	attrib.exe

C:\Users\Admin\AppData\Local\Temp\8c13bccbda4ac9cd36d52a8205e7068834a51989ed55bd152cacca38ca1ec2fc.exe
"C:\Users\Admin\AppData\Local\Temp\8c13bccbda4ac9cd36d52a8205e7068834a51989ed55bd152cacca38ca1ec2fc.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:548
- C:\ProgramData\WindowsVolume\DiskServer.exe
  "C:\ProgramData\WindowsVolume\DiskServer.exe" -p834784734789789347892898943789787892
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:916
- - C:\ProgramData\WindowsVolume\OpenDisk.exe
    "C:\ProgramData\WindowsVolume\OpenDisk.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1196
  - - C:\ProgramData\WindowsVolume\File.exe
      "C:\ProgramData\WindowsVolume\File.exe"
      4⤵
      Executes dropped EXE
      PID:576
  - - C:\ProgramData\WindowsVolume\File2.exe
      "C:\ProgramData\WindowsVolume\File2.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:1940
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\ProgramData\WindowsVolume\File2.exe"
        5⤵
        
        PID:800
      - C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        6⤵
        
        PID:1840
  - - C:\ProgramData\WindowsVolume\File3.exe
      "C:\ProgramData\WindowsVolume\File3.exe"
      4⤵
      Executes dropped EXE
      PID:1944
  - - C:\ProgramData\WindowsVolume\DiskUpdate.exe
      "C:\ProgramData\WindowsVolume\DiskUpdate.exe" -p78347834893489894237834783478785788989543536
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:852
    - - C:\ProgramData\WindowsVolume\DiskUpdate1.exe
        
        "C:\ProgramData\WindowsVolume\DiskUpdate1.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1840
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\ProgramData\WindowsVolume\DiskInstall.bat" "
        6⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1452
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "C:\ProgramData\WindowsVolume"
        7⤵
        Views/modifies file attributes
        
        PID:808
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop RManService
        7⤵
        
        PID:1548
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop VolumeDisk0
        7⤵
        
        PID:1164
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop VDeviceCard
        7⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop NPackStereo
        7⤵
        
        PID:672
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop ServiceWork
        7⤵
        
        PID:1768
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop IntelDriver
        7⤵
        
        PID:1532
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop AMIHardware
        7⤵
        
        PID:1844
        
        C:\Windows\SysWOW64\sc.exe
        
        sc delete RManService
        7⤵
        
        PID:1484
        
        C:\Windows\SysWOW64\sc.exe
        
        sc delete VolumeDisk0
        7⤵
        
        PID:876
        
        C:\Windows\SysWOW64\sc.exe
        
        sc delete VDeviceCard
        7⤵
        
        PID:1676
        
        C:\Windows\SysWOW64\sc.exe
        
        sc delete NPackStereo
        7⤵
        
        PID:2028
        
        C:\Windows\SysWOW64\sc.exe
        
        sc delete ServiceWork
        7⤵
        
        PID:1772
        
        C:\Windows\SysWOW64\sc.exe
        
        sc delete IntelDriver
        7⤵
        
        PID:596
        
        C:\Windows\SysWOW64\sc.exe
        
        sc delete AMIHardware
        7⤵
        
        PID:1712
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im rfusclient.exe /f
        7⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1192
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im rutserv.exe /f
        7⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1196
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKLM\SYSTEM\SystemVolume0\SysHardDisk" /f
        7⤵
        
        PID:1836
        
        C:\Windows\SysWOW64\regedit.exe
        
        regedit /s "C:\ProgramData\WindowsVolume\config_set.reg"
        7⤵
        Runs .reg file with regedit
        
        PID:2016
        
        C:\ProgramData\WindowsVolume\sysdisk.exe
        
        "C:\ProgramData\WindowsVolume\sysdisk.exe" /silentinstall
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1936
        
        C:\ProgramData\WindowsVolume\sysdisk.exe
        
        "C:\ProgramData\WindowsVolume\sysdisk.exe" /firewall
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1472
        
        C:\Windows\SysWOW64\regedit.exe
        
        regedit /s "C:\ProgramData\WindowsVolume\config_set.reg"
        7⤵
        Runs .reg file with regedit
        
        PID:840
        
        C:\Windows\SysWOW64\sc.exe
        
        sc failure VolumeDisk0 reset= 0 actions= restart/500/restart/500/restart/500
        7⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\sc.exe
        
        sc config VolumeDisk0 obj= LocalSystem type= interact type= own
        7⤵
        
        PID:1568
        
        C:\ProgramData\WindowsVolume\sysdisk.exe
        
        "C:\ProgramData\WindowsVolume\sysdisk.exe" /start
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:360
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "C:\ProgramData\WindowsVolume\*.*"
        7⤵
        Views/modifies file attributes
        
        PID:1920

C:\ProgramData\WindowsVolume\sysdisk.exe
C:\ProgramData\WindowsVolume\sysdisk.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1696
- C:\ProgramData\WindowsVolume\volumedisk.exe
  C:\ProgramData\WindowsVolume\volumedisk.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1716
- - C:\ProgramData\WindowsVolume\volumedisk.exe
    C:\ProgramData\WindowsVolume\volumedisk.exe /tray
    3⤵
    - Executes dropped EXE
    PID:1984
- C:\ProgramData\WindowsVolume\volumedisk.exe
  C:\ProgramData\WindowsVolume\volumedisk.exe /tray
  2⤵
  - Executes dropped EXE
  PID:876

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Impair Defenses

T1562

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\WindowsVolume\DiskInstall.bat

Filesize
1KB

MD5
a46bdedc1e6587433dc98119f338d175

SHA1
01334536e159f71bc5bc1e7b7a0e75490c169c36

SHA256
604b240dd5e0ae92578c785bf46888b93307588f00af62cf6296b2f1c86eeb50

SHA512
e8010ea23bb01e707342fab42fb3b73fc6f82d0abfdd0354f01ed68e7e05aafaed3991f7deb9bc368de3c36deec7dbc7e4fa4e1178134d9e941f0c77cb52a394

Download Submit
C:\ProgramData\WindowsVolume\DiskInstall2.bat

Filesize
283B

MD5
52d57e611e45ceae3107a9606c798df8

SHA1
a559ee95833113e022c4e5116508641847e31dd3

SHA256
1511fc19a2f4a670f7ced8ff7980bb0f8eb5ef840c0c116fc96ec3b241a588e7

SHA512
1c86c712988c97fab61461dfd6cc67912d11e1816af8e96f7a2432a591097e1182b179be0555c80cfbedb9441beeac526398b54fac4f49af1fed7dde75030306

Download Submit
C:\ProgramData\WindowsVolume\DiskServer.exe

Filesize
4.6MB

MD5
54836054da86cdf2c6faf9902c999a19

SHA1
2e4b2e3807d7db4dfbee403931dd200140ac5538

SHA256
3419e24d04e32b7cb750b03f7de1fade3cba8ce93a7ac91597db6a3f43eb7419

SHA512
96b4441abb02bd671694d4989785a82ebbdab7c8bba026b30905982f0fe764aca3c0de736132d43c66c1ca9b758873a687d315f69187c775f09971f60d62d5e7

Download Submit
C:\ProgramData\WindowsVolume\DiskServer.exe

Filesize
4.6MB

MD5
54836054da86cdf2c6faf9902c999a19

SHA1
2e4b2e3807d7db4dfbee403931dd200140ac5538

SHA256
3419e24d04e32b7cb750b03f7de1fade3cba8ce93a7ac91597db6a3f43eb7419

SHA512
96b4441abb02bd671694d4989785a82ebbdab7c8bba026b30905982f0fe764aca3c0de736132d43c66c1ca9b758873a687d315f69187c775f09971f60d62d5e7

Download Submit
C:\ProgramData\WindowsVolume\DiskUpdate.exe

Filesize
4.3MB

MD5
b8d1cbe50014041985bf44c08c0482bb

SHA1
87dea8cac12c16f2ed17126560611ba1a0dfe7fe

SHA256
3be527e7c6ef1ee1f42320b713743b697de8492af356f49bd69946a1fd14ea66

SHA512
495c7914b20abe50f7b72a1a5e64c86ff3a7d22831141ca8b12507e2937f279e29b27a25b88b7fbcf1d6d78b5b200e102523fa9c685d5d80ca2c806b629d89e9

Download Submit
C:\ProgramData\WindowsVolume\DiskUpdate.exe

Filesize
4.3MB

MD5
b8d1cbe50014041985bf44c08c0482bb

SHA1
87dea8cac12c16f2ed17126560611ba1a0dfe7fe

SHA256
3be527e7c6ef1ee1f42320b713743b697de8492af356f49bd69946a1fd14ea66

SHA512
495c7914b20abe50f7b72a1a5e64c86ff3a7d22831141ca8b12507e2937f279e29b27a25b88b7fbcf1d6d78b5b200e102523fa9c685d5d80ca2c806b629d89e9

Download Submit
C:\ProgramData\WindowsVolume\DiskUpdate1.exe

Filesize
441KB

MD5
6b1d852d23d46bae7b63a9407b24d78b

SHA1
3ddb8cfea4ace01bf9aabed72c8653247455ec60

SHA256
5c042a873d6a914151ab65ad7c692f35dd78956a5507565560e01f884bcd2c2d

SHA512
b8b34141414547673c812380b7aca11562ed9a15758b7677e84a8962234b5cc6f204386325c09025a537b465bfd46bb98b5b7a5c31497984b33bd8ba76ad875d

Download Submit
C:\ProgramData\WindowsVolume\DiskUpdate1.exe

Filesize
441KB

MD5
6b1d852d23d46bae7b63a9407b24d78b

SHA1
3ddb8cfea4ace01bf9aabed72c8653247455ec60

SHA256
5c042a873d6a914151ab65ad7c692f35dd78956a5507565560e01f884bcd2c2d

SHA512
b8b34141414547673c812380b7aca11562ed9a15758b7677e84a8962234b5cc6f204386325c09025a537b465bfd46bb98b5b7a5c31497984b33bd8ba76ad875d

Download Submit
C:\ProgramData\WindowsVolume\Diskpart.dat

Filesize
365B

MD5
1a18270fb3fd76df0d01087e99dddcc6

SHA1
26732b781736ed80654e3a41839b50e3d2e36db5

SHA256
fb9b9ae62c41448d117cbc468b2bf4eebb0665605cb864f28822f2b71f78dbda

SHA512
63d260f4972c6a403af97c3c6e371f516a5d3fbc1090bfe2b41b4dd88ff900b98217fb2225b53948fc480c33d1b9753bbf1e4a4df1613069f0f211a556a95f19

Download Submit
C:\ProgramData\WindowsVolume\File.exe

Filesize
373KB

MD5
114f5bfb83d3c1a44dbf04aed9c458b5

SHA1
dc1fee3135992a572cd46896ffe68f9f9f4a4e86

SHA256
69d346bf43ef4dabf122cfb94f037fb659156159b6b5b41395185df2289a265e

SHA512
e2b3296ceebcaa5dac6d52e437316d6ae3b887f6c4312e43d0217c509688303f47aa77aac63d7c8ac4288d66e87bc0d91488d809ca867b767a99333263cf5289

Download Submit
C:\ProgramData\WindowsVolume\File.exe

Filesize
373KB

MD5
114f5bfb83d3c1a44dbf04aed9c458b5

SHA1
dc1fee3135992a572cd46896ffe68f9f9f4a4e86

SHA256
69d346bf43ef4dabf122cfb94f037fb659156159b6b5b41395185df2289a265e

SHA512
e2b3296ceebcaa5dac6d52e437316d6ae3b887f6c4312e43d0217c509688303f47aa77aac63d7c8ac4288d66e87bc0d91488d809ca867b767a99333263cf5289

Download Submit
C:\ProgramData\WindowsVolume\File2.exe

Filesize
11KB

MD5
e4c489dba5c6a05ec636053388ff70c1

SHA1
ad2268260bc7370b39efc4a080b7a55c4d467942

SHA256
86abf05a8baf4a901b76070a2380c0e429953c88e8c3a5edb9659ba10556087f

SHA512
e188274f004dd2215d33b68e45e4a889f85f09ebc4be67fde489b87744daf434559f82375f432c23f25bc8316af189b85d90085a2fd58446e5c6e846f2170185

Download Submit
C:\ProgramData\WindowsVolume\File2.exe

Filesize
11KB

MD5
e4c489dba5c6a05ec636053388ff70c1

SHA1
ad2268260bc7370b39efc4a080b7a55c4d467942

SHA256
86abf05a8baf4a901b76070a2380c0e429953c88e8c3a5edb9659ba10556087f

SHA512
e188274f004dd2215d33b68e45e4a889f85f09ebc4be67fde489b87744daf434559f82375f432c23f25bc8316af189b85d90085a2fd58446e5c6e846f2170185

Download Submit
C:\ProgramData\WindowsVolume\File3.exe

Filesize
373KB

MD5
114f5bfb83d3c1a44dbf04aed9c458b5

SHA1
dc1fee3135992a572cd46896ffe68f9f9f4a4e86

SHA256
69d346bf43ef4dabf122cfb94f037fb659156159b6b5b41395185df2289a265e

SHA512
e2b3296ceebcaa5dac6d52e437316d6ae3b887f6c4312e43d0217c509688303f47aa77aac63d7c8ac4288d66e87bc0d91488d809ca867b767a99333263cf5289

Download Submit
C:\ProgramData\WindowsVolume\File3.exe

Filesize
373KB

MD5
114f5bfb83d3c1a44dbf04aed9c458b5

SHA1
dc1fee3135992a572cd46896ffe68f9f9f4a4e86

SHA256
69d346bf43ef4dabf122cfb94f037fb659156159b6b5b41395185df2289a265e

SHA512
e2b3296ceebcaa5dac6d52e437316d6ae3b887f6c4312e43d0217c509688303f47aa77aac63d7c8ac4288d66e87bc0d91488d809ca867b767a99333263cf5289

Download Submit
C:\ProgramData\WindowsVolume\OpenDisk.exe

Filesize
499KB

MD5
229c8ccea94ef0b27d3c183733abdc18

SHA1
df2da0ba2e2c1a0a8ef9827469268484e5c02a33

SHA256
071d129408cc3753ddc186708972be1f78df79e560631f27c06eef43914847fa

SHA512
a5803951d81a8f8490676e182588a5539ba6076a5f355c9c2ac0d1e35f1d5e36e852d3b7070d6d94c2b5a1c799effe538953267b916f2b438ccda1e3d4d097c2

Download Submit
C:\ProgramData\WindowsVolume\OpenDisk.exe

Filesize
499KB

MD5
229c8ccea94ef0b27d3c183733abdc18

SHA1
df2da0ba2e2c1a0a8ef9827469268484e5c02a33

SHA256
071d129408cc3753ddc186708972be1f78df79e560631f27c06eef43914847fa

SHA512
a5803951d81a8f8490676e182588a5539ba6076a5f355c9c2ac0d1e35f1d5e36e852d3b7070d6d94c2b5a1c799effe538953267b916f2b438ccda1e3d4d097c2

Download Submit
C:\ProgramData\WindowsVolume\config_set.reg

Filesize
11KB

MD5
414c6b489ecaf832f3e457d8cb916cf2

SHA1
ece8a342cfb3912cfc823e1866f73fc56bbe542d

SHA256
9b0ec9a5173c9835629d497478d29f9bea792b7a5da55c343faa8347c55d6034

SHA512
d858b2a1e8fb42298e9dab6287a7c6c7418adfcc19961d70c0dd07b5f65d6c5d9a3472699aaea7021c957afd181b114ff02d9a52f1373d9c12413ce5f0b6eacd

Download Submit
C:\ProgramData\WindowsVolume\russian.lg

Filesize
48KB

MD5
e44e34bc285b709f08f967325d9c8be1

SHA1
e73f05c6a980ec9d006930c5343955f89579b409

SHA256
1d99a7b5f7b3daa61fa773972b1e335aa09b92411484f6ddc99d2b2894455a5b

SHA512
576b292b6e9cf022822443e050994462a6cbd9a3c60063bae9f54c78a84e75e17bb5eddf7e259a22a9d93f757cb6536c503762e2a30e75091e40c2756cde8727

Download Submit
C:\ProgramData\WindowsVolume\sysdisk.exe

Filesize
1.8MB

MD5
4e5d6b099b69fb935da7e0e7a4df8b26

SHA1
5643d2dbde01664012a6022725982f59973e12fb

SHA256
95ded19857c297d099f511353ef3ac1ea87a7cbacf875eea17d897b092745e4b

SHA512
758af77fbb5144a173109ccadb781a43d662fdfd3f2c084eb2a7c4aa46aaaa87cd85b3f27ac6bd4f0808d8e4a370a5b10f4dd404960c438f7872fc7ed1e7b550

Download Submit
C:\ProgramData\WindowsVolume\sysdisk.exe

Filesize
1.8MB

MD5
4e5d6b099b69fb935da7e0e7a4df8b26

SHA1
5643d2dbde01664012a6022725982f59973e12fb

SHA256
95ded19857c297d099f511353ef3ac1ea87a7cbacf875eea17d897b092745e4b

SHA512
758af77fbb5144a173109ccadb781a43d662fdfd3f2c084eb2a7c4aa46aaaa87cd85b3f27ac6bd4f0808d8e4a370a5b10f4dd404960c438f7872fc7ed1e7b550

Download Submit
C:\ProgramData\WindowsVolume\sysdisk.exe

Filesize
1.8MB

MD5
4e5d6b099b69fb935da7e0e7a4df8b26

SHA1
5643d2dbde01664012a6022725982f59973e12fb

SHA256
95ded19857c297d099f511353ef3ac1ea87a7cbacf875eea17d897b092745e4b

SHA512
758af77fbb5144a173109ccadb781a43d662fdfd3f2c084eb2a7c4aa46aaaa87cd85b3f27ac6bd4f0808d8e4a370a5b10f4dd404960c438f7872fc7ed1e7b550

Download Submit
C:\ProgramData\WindowsVolume\sysdisk.exe

Filesize
1.8MB

MD5
4e5d6b099b69fb935da7e0e7a4df8b26

SHA1
5643d2dbde01664012a6022725982f59973e12fb

SHA256
95ded19857c297d099f511353ef3ac1ea87a7cbacf875eea17d897b092745e4b

SHA512
758af77fbb5144a173109ccadb781a43d662fdfd3f2c084eb2a7c4aa46aaaa87cd85b3f27ac6bd4f0808d8e4a370a5b10f4dd404960c438f7872fc7ed1e7b550

Download Submit
C:\ProgramData\WindowsVolume\sysdisk.exe

Filesize
1.8MB

MD5
4e5d6b099b69fb935da7e0e7a4df8b26

SHA1
5643d2dbde01664012a6022725982f59973e12fb

SHA256
95ded19857c297d099f511353ef3ac1ea87a7cbacf875eea17d897b092745e4b

SHA512
758af77fbb5144a173109ccadb781a43d662fdfd3f2c084eb2a7c4aa46aaaa87cd85b3f27ac6bd4f0808d8e4a370a5b10f4dd404960c438f7872fc7ed1e7b550

Download Submit
C:\ProgramData\WindowsVolume\volumedisk.exe

Filesize
1.5MB

MD5
c51216743d2fddc2e8c67f092b7f862d

SHA1
04fd9048253180784459592f5ebe6442f46898f1

SHA256
101fd99a66cfe6b41762962f91517d00df85d60eb65fb4a013f52260e6219a94

SHA512
b26b3e376ea03c53ad0a36b99ee672bbd5c4c1c9f0e77d8af6a492d6cf2df5a2090e64b155a171ced7ea12b4c5d8895828f174f9434394400bd95368e144e2e4

Download Submit
C:\ProgramData\WindowsVolume\volumedisk.exe

Filesize
1.5MB

MD5
c51216743d2fddc2e8c67f092b7f862d

SHA1
04fd9048253180784459592f5ebe6442f46898f1

SHA256
101fd99a66cfe6b41762962f91517d00df85d60eb65fb4a013f52260e6219a94

SHA512
b26b3e376ea03c53ad0a36b99ee672bbd5c4c1c9f0e77d8af6a492d6cf2df5a2090e64b155a171ced7ea12b4c5d8895828f174f9434394400bd95368e144e2e4

Download Submit
C:\ProgramData\WindowsVolume\volumedisk.exe

Filesize
1.5MB

MD5
c51216743d2fddc2e8c67f092b7f862d

SHA1
04fd9048253180784459592f5ebe6442f46898f1

SHA256
101fd99a66cfe6b41762962f91517d00df85d60eb65fb4a013f52260e6219a94

SHA512
b26b3e376ea03c53ad0a36b99ee672bbd5c4c1c9f0e77d8af6a492d6cf2df5a2090e64b155a171ced7ea12b4c5d8895828f174f9434394400bd95368e144e2e4

Download Submit
C:\ProgramData\WindowsVolume\volumedisk.exe

Filesize
1.5MB

MD5
c51216743d2fddc2e8c67f092b7f862d

SHA1
04fd9048253180784459592f5ebe6442f46898f1

SHA256
101fd99a66cfe6b41762962f91517d00df85d60eb65fb4a013f52260e6219a94

SHA512
b26b3e376ea03c53ad0a36b99ee672bbd5c4c1c9f0e77d8af6a492d6cf2df5a2090e64b155a171ced7ea12b4c5d8895828f174f9434394400bd95368e144e2e4

Download Submit
C:\ProgramData\WindowsVolume\vp8decoder.dll

Filesize
378KB

MD5
d43fa82fab5337ce20ad14650085c5d9

SHA1
678aa092075ff65b6815ffc2d8fdc23af8425981

SHA256
c022958429edd94bfe31f2eacfe24ff6b45d6f12747725c449a36116373de03b

SHA512
103e61a9f58df03316676a074487e50ec518479c11068df3736df139b85c7671048c65bce0ef2c55b3c50c61fde54e9e6c7d1b795aea71263ae94c91d4874e0d

Download Submit
C:\ProgramData\WindowsVolume\vp8encoder.dll

Filesize
1.6MB

MD5
dab4646806dfca6d0e0b4d80fa9209d6

SHA1
8244dfe22ec2090eee89dad103e6b2002059d16a

SHA256
cb6ef96d3a66ef08ec2c8640b751a52d6d4f4530cf01162a69966f0fd5153587

SHA512
aa5eb93bf23a10de797d6fb52a55a95d36bc48927c76fedd81e0c48872745cb7f7d1b3f230eaae42fd4e79b6a59ca707e56bd6963b03644cbd5984f11e98d6e7

Download Submit
\ProgramData\WindowsVolume\DiskServer.exe

Filesize
4.6MB

MD5
54836054da86cdf2c6faf9902c999a19

SHA1
2e4b2e3807d7db4dfbee403931dd200140ac5538

SHA256
3419e24d04e32b7cb750b03f7de1fade3cba8ce93a7ac91597db6a3f43eb7419

SHA512
96b4441abb02bd671694d4989785a82ebbdab7c8bba026b30905982f0fe764aca3c0de736132d43c66c1ca9b758873a687d315f69187c775f09971f60d62d5e7

Download Submit
\ProgramData\WindowsVolume\DiskUpdate.exe

Filesize
4.3MB

MD5
b8d1cbe50014041985bf44c08c0482bb

SHA1
87dea8cac12c16f2ed17126560611ba1a0dfe7fe

SHA256
3be527e7c6ef1ee1f42320b713743b697de8492af356f49bd69946a1fd14ea66

SHA512
495c7914b20abe50f7b72a1a5e64c86ff3a7d22831141ca8b12507e2937f279e29b27a25b88b7fbcf1d6d78b5b200e102523fa9c685d5d80ca2c806b629d89e9

Download Submit
\ProgramData\WindowsVolume\DiskUpdate1.exe

Filesize
441KB

MD5
6b1d852d23d46bae7b63a9407b24d78b

SHA1
3ddb8cfea4ace01bf9aabed72c8653247455ec60

SHA256
5c042a873d6a914151ab65ad7c692f35dd78956a5507565560e01f884bcd2c2d

SHA512
b8b34141414547673c812380b7aca11562ed9a15758b7677e84a8962234b5cc6f204386325c09025a537b465bfd46bb98b5b7a5c31497984b33bd8ba76ad875d

Download Submit
\ProgramData\WindowsVolume\DiskUpdate1.exe

Filesize
441KB

MD5
6b1d852d23d46bae7b63a9407b24d78b

SHA1
3ddb8cfea4ace01bf9aabed72c8653247455ec60

SHA256
5c042a873d6a914151ab65ad7c692f35dd78956a5507565560e01f884bcd2c2d

SHA512
b8b34141414547673c812380b7aca11562ed9a15758b7677e84a8962234b5cc6f204386325c09025a537b465bfd46bb98b5b7a5c31497984b33bd8ba76ad875d

Download Submit
\ProgramData\WindowsVolume\DiskUpdate1.exe

Filesize
441KB

MD5
6b1d852d23d46bae7b63a9407b24d78b

SHA1
3ddb8cfea4ace01bf9aabed72c8653247455ec60

SHA256
5c042a873d6a914151ab65ad7c692f35dd78956a5507565560e01f884bcd2c2d

SHA512
b8b34141414547673c812380b7aca11562ed9a15758b7677e84a8962234b5cc6f204386325c09025a537b465bfd46bb98b5b7a5c31497984b33bd8ba76ad875d

Download Submit
\ProgramData\WindowsVolume\DiskUpdate1.exe

Filesize
441KB

MD5
6b1d852d23d46bae7b63a9407b24d78b

SHA1
3ddb8cfea4ace01bf9aabed72c8653247455ec60

SHA256
5c042a873d6a914151ab65ad7c692f35dd78956a5507565560e01f884bcd2c2d

SHA512
b8b34141414547673c812380b7aca11562ed9a15758b7677e84a8962234b5cc6f204386325c09025a537b465bfd46bb98b5b7a5c31497984b33bd8ba76ad875d

Download Submit
\ProgramData\WindowsVolume\File.exe

Filesize
373KB

MD5
114f5bfb83d3c1a44dbf04aed9c458b5

SHA1
dc1fee3135992a572cd46896ffe68f9f9f4a4e86

SHA256
69d346bf43ef4dabf122cfb94f037fb659156159b6b5b41395185df2289a265e

SHA512
e2b3296ceebcaa5dac6d52e437316d6ae3b887f6c4312e43d0217c509688303f47aa77aac63d7c8ac4288d66e87bc0d91488d809ca867b767a99333263cf5289

Download Submit
\ProgramData\WindowsVolume\File.exe

Filesize
373KB

MD5
114f5bfb83d3c1a44dbf04aed9c458b5

SHA1
dc1fee3135992a572cd46896ffe68f9f9f4a4e86

SHA256
69d346bf43ef4dabf122cfb94f037fb659156159b6b5b41395185df2289a265e

SHA512
e2b3296ceebcaa5dac6d52e437316d6ae3b887f6c4312e43d0217c509688303f47aa77aac63d7c8ac4288d66e87bc0d91488d809ca867b767a99333263cf5289

Download Submit
\ProgramData\WindowsVolume\File2.exe

Filesize
11KB

MD5
e4c489dba5c6a05ec636053388ff70c1

SHA1
ad2268260bc7370b39efc4a080b7a55c4d467942

SHA256
86abf05a8baf4a901b76070a2380c0e429953c88e8c3a5edb9659ba10556087f

SHA512
e188274f004dd2215d33b68e45e4a889f85f09ebc4be67fde489b87744daf434559f82375f432c23f25bc8316af189b85d90085a2fd58446e5c6e846f2170185

Download Submit
\ProgramData\WindowsVolume\File3.exe

Filesize
373KB

MD5
114f5bfb83d3c1a44dbf04aed9c458b5

SHA1
dc1fee3135992a572cd46896ffe68f9f9f4a4e86

SHA256
69d346bf43ef4dabf122cfb94f037fb659156159b6b5b41395185df2289a265e

SHA512
e2b3296ceebcaa5dac6d52e437316d6ae3b887f6c4312e43d0217c509688303f47aa77aac63d7c8ac4288d66e87bc0d91488d809ca867b767a99333263cf5289

Download Submit
\ProgramData\WindowsVolume\File3.exe

Filesize
373KB

MD5
114f5bfb83d3c1a44dbf04aed9c458b5

SHA1
dc1fee3135992a572cd46896ffe68f9f9f4a4e86

SHA256
69d346bf43ef4dabf122cfb94f037fb659156159b6b5b41395185df2289a265e

SHA512
e2b3296ceebcaa5dac6d52e437316d6ae3b887f6c4312e43d0217c509688303f47aa77aac63d7c8ac4288d66e87bc0d91488d809ca867b767a99333263cf5289

Download Submit
\ProgramData\WindowsVolume\OpenDisk.exe

Filesize
499KB

MD5
229c8ccea94ef0b27d3c183733abdc18

SHA1
df2da0ba2e2c1a0a8ef9827469268484e5c02a33

SHA256
071d129408cc3753ddc186708972be1f78df79e560631f27c06eef43914847fa

SHA512
a5803951d81a8f8490676e182588a5539ba6076a5f355c9c2ac0d1e35f1d5e36e852d3b7070d6d94c2b5a1c799effe538953267b916f2b438ccda1e3d4d097c2

Download Submit
\ProgramData\WindowsVolume\OpenDisk.exe

Filesize
499KB

MD5
229c8ccea94ef0b27d3c183733abdc18

SHA1
df2da0ba2e2c1a0a8ef9827469268484e5c02a33

SHA256
071d129408cc3753ddc186708972be1f78df79e560631f27c06eef43914847fa

SHA512
a5803951d81a8f8490676e182588a5539ba6076a5f355c9c2ac0d1e35f1d5e36e852d3b7070d6d94c2b5a1c799effe538953267b916f2b438ccda1e3d4d097c2

Download Submit
\ProgramData\WindowsVolume\OpenDisk.exe

Filesize
499KB

MD5
229c8ccea94ef0b27d3c183733abdc18

SHA1
df2da0ba2e2c1a0a8ef9827469268484e5c02a33

SHA256
071d129408cc3753ddc186708972be1f78df79e560631f27c06eef43914847fa

SHA512
a5803951d81a8f8490676e182588a5539ba6076a5f355c9c2ac0d1e35f1d5e36e852d3b7070d6d94c2b5a1c799effe538953267b916f2b438ccda1e3d4d097c2

Download Submit
\ProgramData\WindowsVolume\OpenDisk.exe

Filesize
499KB

MD5
229c8ccea94ef0b27d3c183733abdc18

SHA1
df2da0ba2e2c1a0a8ef9827469268484e5c02a33

SHA256
071d129408cc3753ddc186708972be1f78df79e560631f27c06eef43914847fa

SHA512
a5803951d81a8f8490676e182588a5539ba6076a5f355c9c2ac0d1e35f1d5e36e852d3b7070d6d94c2b5a1c799effe538953267b916f2b438ccda1e3d4d097c2

Download Submit
\ProgramData\WindowsVolume\sysdisk.exe

Filesize
1.8MB

MD5
4e5d6b099b69fb935da7e0e7a4df8b26

SHA1
5643d2dbde01664012a6022725982f59973e12fb

SHA256
95ded19857c297d099f511353ef3ac1ea87a7cbacf875eea17d897b092745e4b

SHA512
758af77fbb5144a173109ccadb781a43d662fdfd3f2c084eb2a7c4aa46aaaa87cd85b3f27ac6bd4f0808d8e4a370a5b10f4dd404960c438f7872fc7ed1e7b550

Download Submit
\ProgramData\WindowsVolume\sysdisk.exe

Filesize
1.8MB

MD5
4e5d6b099b69fb935da7e0e7a4df8b26

SHA1
5643d2dbde01664012a6022725982f59973e12fb

SHA256
95ded19857c297d099f511353ef3ac1ea87a7cbacf875eea17d897b092745e4b

SHA512
758af77fbb5144a173109ccadb781a43d662fdfd3f2c084eb2a7c4aa46aaaa87cd85b3f27ac6bd4f0808d8e4a370a5b10f4dd404960c438f7872fc7ed1e7b550

Download Submit
\ProgramData\WindowsVolume\sysdisk.exe

Filesize
1.8MB

MD5
4e5d6b099b69fb935da7e0e7a4df8b26

SHA1
5643d2dbde01664012a6022725982f59973e12fb

SHA256
95ded19857c297d099f511353ef3ac1ea87a7cbacf875eea17d897b092745e4b

SHA512
758af77fbb5144a173109ccadb781a43d662fdfd3f2c084eb2a7c4aa46aaaa87cd85b3f27ac6bd4f0808d8e4a370a5b10f4dd404960c438f7872fc7ed1e7b550

Download Submit
\ProgramData\WindowsVolume\volumedisk.exe

Filesize
1.5MB

MD5
c51216743d2fddc2e8c67f092b7f862d

SHA1
04fd9048253180784459592f5ebe6442f46898f1

SHA256
101fd99a66cfe6b41762962f91517d00df85d60eb65fb4a013f52260e6219a94

SHA512
b26b3e376ea03c53ad0a36b99ee672bbd5c4c1c9f0e77d8af6a492d6cf2df5a2090e64b155a171ced7ea12b4c5d8895828f174f9434394400bd95368e144e2e4

Download Submit
\ProgramData\WindowsVolume\volumedisk.exe

Filesize
1.5MB

MD5
c51216743d2fddc2e8c67f092b7f862d

SHA1
04fd9048253180784459592f5ebe6442f46898f1

SHA256
101fd99a66cfe6b41762962f91517d00df85d60eb65fb4a013f52260e6219a94

SHA512
b26b3e376ea03c53ad0a36b99ee672bbd5c4c1c9f0e77d8af6a492d6cf2df5a2090e64b155a171ced7ea12b4c5d8895828f174f9434394400bd95368e144e2e4

Download Submit
memory/548-54-0x0000000075D21000-0x0000000075D23000-memory.dmp

Filesize
8KB

Download
memory/1940-90-0x0000000000EF0000-0x0000000000EFA000-memory.dmp

Filesize
40KB

Download