rms | 151da688aa59bda8a48941559f15d6b61e11d4d62f7af1537ac5bc149fb4a083

Analysis

max time kernel
151s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
08-07-2022 08:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

151da688aa59bda8a48941559f15d6b61e11d4d62f7af1537ac5bc149fb4a083.exe
Size

6.2MB
MD5

474fd12f9e7e6321528226b0c5c7a555
SHA1

328b8face61784a1e39718c8426b8a3195cda41d
SHA256

151da688aa59bda8a48941559f15d6b61e11d4d62f7af1537ac5bc149fb4a083
SHA512

5b87863ab34dd62cb246df734e36c0261420fc352ebad7c7dd83419cf3d8c2e9d0bd19b071c42262f9c821c8fb05aa28b127b73136e12fc534450c1d5fd55a50

Score

10^/10

rms persistence rat trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 3 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe"	151da688aa59bda8a48941559f15d6b61e11d4d62f7af1537ac5bc149fb4a083.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Windows\\System64\\1rfusclient.exe, explorer.exe"	151da688aa59bda8a48941559f15d6b61e11d4d62f7af1537ac5bc149fb4a083.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe"	1rfusclient.exe

RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms

Executes dropped EXE 7 IoCs

pid	Process
3812	1rfusclient.exe
4808	svnhost.exe
3836	svnhost.exe
2752	svnhost.exe
968	svnhost.exe
4980	systemsmss.exe
3368	systemsmss.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	1rfusclient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	151da688aa59bda8a48941559f15d6b61e11d4d62f7af1537ac5bc149fb4a083.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows\CurrentVersion\Run	151da688aa59bda8a48941559f15d6b61e11d4d62f7af1537ac5bc149fb4a083.exe
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows\CurrentVersion\Run	1rfusclient.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File created	C:\Windows\System64\vp8decoder.dll	1rfusclient.exe
File opened for modification	C:\Windows\System64\vp8decoder.dll	1rfusclient.exe
File created	C:\Windows\System64\svnhost.exe	1rfusclient.exe
File created	C:\Windows\Zont911\Tupe.bat	1rfusclient.exe
File opened for modification	C:\Windows\System64\1rfusclient.exe	151da688aa59bda8a48941559f15d6b61e11d4d62f7af1537ac5bc149fb4a083.exe
File created	C:\Windows\Zont911\Regedit.reg	1rfusclient.exe
File created	C:\Windows\Zont911\Home.zip	1rfusclient.exe
File opened for modification	C:\Windows\System64\svnhost.exe	1rfusclient.exe
File created	C:\Windows\System64\systemsmss.exe	1rfusclient.exe
File opened for modification	C:\Windows\System64\systemsmss.exe	1rfusclient.exe
File created	C:\Windows\System64\1rfusclient.exe	151da688aa59bda8a48941559f15d6b61e11d4d62f7af1537ac5bc149fb4a083.exe
File created	C:\Windows\System64\vp8encoder.dll	1rfusclient.exe
File opened for modification	C:\Windows\System64\vp8encoder.dll	1rfusclient.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Runs .reg file with regedit 1 IoCs

pid	Process
1520	regedit.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5012	151da688aa59bda8a48941559f15d6b61e11d4d62f7af1537ac5bc149fb4a083.exe
5012	151da688aa59bda8a48941559f15d6b61e11d4d62f7af1537ac5bc149fb4a083.exe
5012	151da688aa59bda8a48941559f15d6b61e11d4d62f7af1537ac5bc149fb4a083.exe
5012	151da688aa59bda8a48941559f15d6b61e11d4d62f7af1537ac5bc149fb4a083.exe
5012	151da688aa59bda8a48941559f15d6b61e11d4d62f7af1537ac5bc149fb4a083.exe
5012	151da688aa59bda8a48941559f15d6b61e11d4d62f7af1537ac5bc149fb4a083.exe
5012	151da688aa59bda8a48941559f15d6b61e11d4d62f7af1537ac5bc149fb4a083.exe
5012	151da688aa59bda8a48941559f15d6b61e11d4d62f7af1537ac5bc149fb4a083.exe
5012	151da688aa59bda8a48941559f15d6b61e11d4d62f7af1537ac5bc149fb4a083.exe
5012	151da688aa59bda8a48941559f15d6b61e11d4d62f7af1537ac5bc149fb4a083.exe
5012	151da688aa59bda8a48941559f15d6b61e11d4d62f7af1537ac5bc149fb4a083.exe
5012	151da688aa59bda8a48941559f15d6b61e11d4d62f7af1537ac5bc149fb4a083.exe
5012	151da688aa59bda8a48941559f15d6b61e11d4d62f7af1537ac5bc149fb4a083.exe
5012	151da688aa59bda8a48941559f15d6b61e11d4d62f7af1537ac5bc149fb4a083.exe
5012	151da688aa59bda8a48941559f15d6b61e11d4d62f7af1537ac5bc149fb4a083.exe
5012	151da688aa59bda8a48941559f15d6b61e11d4d62f7af1537ac5bc149fb4a083.exe
5012	151da688aa59bda8a48941559f15d6b61e11d4d62f7af1537ac5bc149fb4a083.exe
5012	151da688aa59bda8a48941559f15d6b61e11d4d62f7af1537ac5bc149fb4a083.exe
5012	151da688aa59bda8a48941559f15d6b61e11d4d62f7af1537ac5bc149fb4a083.exe
5012	151da688aa59bda8a48941559f15d6b61e11d4d62f7af1537ac5bc149fb4a083.exe
5012	151da688aa59bda8a48941559f15d6b61e11d4d62f7af1537ac5bc149fb4a083.exe
5012	151da688aa59bda8a48941559f15d6b61e11d4d62f7af1537ac5bc149fb4a083.exe
5012	151da688aa59bda8a48941559f15d6b61e11d4d62f7af1537ac5bc149fb4a083.exe
5012	151da688aa59bda8a48941559f15d6b61e11d4d62f7af1537ac5bc149fb4a083.exe
5012	151da688aa59bda8a48941559f15d6b61e11d4d62f7af1537ac5bc149fb4a083.exe
5012	151da688aa59bda8a48941559f15d6b61e11d4d62f7af1537ac5bc149fb4a083.exe
5012	151da688aa59bda8a48941559f15d6b61e11d4d62f7af1537ac5bc149fb4a083.exe
5012	151da688aa59bda8a48941559f15d6b61e11d4d62f7af1537ac5bc149fb4a083.exe
5012	151da688aa59bda8a48941559f15d6b61e11d4d62f7af1537ac5bc149fb4a083.exe
5012	151da688aa59bda8a48941559f15d6b61e11d4d62f7af1537ac5bc149fb4a083.exe
5012	151da688aa59bda8a48941559f15d6b61e11d4d62f7af1537ac5bc149fb4a083.exe
5012	151da688aa59bda8a48941559f15d6b61e11d4d62f7af1537ac5bc149fb4a083.exe
5012	151da688aa59bda8a48941559f15d6b61e11d4d62f7af1537ac5bc149fb4a083.exe
5012	151da688aa59bda8a48941559f15d6b61e11d4d62f7af1537ac5bc149fb4a083.exe
5012	151da688aa59bda8a48941559f15d6b61e11d4d62f7af1537ac5bc149fb4a083.exe
5012	151da688aa59bda8a48941559f15d6b61e11d4d62f7af1537ac5bc149fb4a083.exe
5012	151da688aa59bda8a48941559f15d6b61e11d4d62f7af1537ac5bc149fb4a083.exe
5012	151da688aa59bda8a48941559f15d6b61e11d4d62f7af1537ac5bc149fb4a083.exe
5012	151da688aa59bda8a48941559f15d6b61e11d4d62f7af1537ac5bc149fb4a083.exe
5012	151da688aa59bda8a48941559f15d6b61e11d4d62f7af1537ac5bc149fb4a083.exe
5012	151da688aa59bda8a48941559f15d6b61e11d4d62f7af1537ac5bc149fb4a083.exe
5012	151da688aa59bda8a48941559f15d6b61e11d4d62f7af1537ac5bc149fb4a083.exe
5012	151da688aa59bda8a48941559f15d6b61e11d4d62f7af1537ac5bc149fb4a083.exe
5012	151da688aa59bda8a48941559f15d6b61e11d4d62f7af1537ac5bc149fb4a083.exe
5012	151da688aa59bda8a48941559f15d6b61e11d4d62f7af1537ac5bc149fb4a083.exe
5012	151da688aa59bda8a48941559f15d6b61e11d4d62f7af1537ac5bc149fb4a083.exe
5012	151da688aa59bda8a48941559f15d6b61e11d4d62f7af1537ac5bc149fb4a083.exe
5012	151da688aa59bda8a48941559f15d6b61e11d4d62f7af1537ac5bc149fb4a083.exe
5012	151da688aa59bda8a48941559f15d6b61e11d4d62f7af1537ac5bc149fb4a083.exe
5012	151da688aa59bda8a48941559f15d6b61e11d4d62f7af1537ac5bc149fb4a083.exe
5012	151da688aa59bda8a48941559f15d6b61e11d4d62f7af1537ac5bc149fb4a083.exe
5012	151da688aa59bda8a48941559f15d6b61e11d4d62f7af1537ac5bc149fb4a083.exe
5012	151da688aa59bda8a48941559f15d6b61e11d4d62f7af1537ac5bc149fb4a083.exe
5012	151da688aa59bda8a48941559f15d6b61e11d4d62f7af1537ac5bc149fb4a083.exe
5012	151da688aa59bda8a48941559f15d6b61e11d4d62f7af1537ac5bc149fb4a083.exe
5012	151da688aa59bda8a48941559f15d6b61e11d4d62f7af1537ac5bc149fb4a083.exe
5012	151da688aa59bda8a48941559f15d6b61e11d4d62f7af1537ac5bc149fb4a083.exe
5012	151da688aa59bda8a48941559f15d6b61e11d4d62f7af1537ac5bc149fb4a083.exe
5012	151da688aa59bda8a48941559f15d6b61e11d4d62f7af1537ac5bc149fb4a083.exe
5012	151da688aa59bda8a48941559f15d6b61e11d4d62f7af1537ac5bc149fb4a083.exe
5012	151da688aa59bda8a48941559f15d6b61e11d4d62f7af1537ac5bc149fb4a083.exe
5012	151da688aa59bda8a48941559f15d6b61e11d4d62f7af1537ac5bc149fb4a083.exe
5012	151da688aa59bda8a48941559f15d6b61e11d4d62f7af1537ac5bc149fb4a083.exe
5012	151da688aa59bda8a48941559f15d6b61e11d4d62f7af1537ac5bc149fb4a083.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	4808	svnhost.exe
Token: SeDebugPrivilege	2752	svnhost.exe
Token: SeTakeOwnershipPrivilege	968	svnhost.exe
Token: SeTcbPrivilege	968	svnhost.exe
Token: SeTcbPrivilege	968	svnhost.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4808	svnhost.exe
3836	svnhost.exe
2752	svnhost.exe
968	svnhost.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 5012 wrote to memory of 3812	5012	151da688aa59bda8a48941559f15d6b61e11d4d62f7af1537ac5bc149fb4a083.exe	83
PID 5012 wrote to memory of 3812	5012	151da688aa59bda8a48941559f15d6b61e11d4d62f7af1537ac5bc149fb4a083.exe	83
PID 5012 wrote to memory of 3812	5012	151da688aa59bda8a48941559f15d6b61e11d4d62f7af1537ac5bc149fb4a083.exe	83
PID 3812 wrote to memory of 1520	3812	1rfusclient.exe	85
PID 3812 wrote to memory of 1520	3812	1rfusclient.exe	85
PID 3812 wrote to memory of 1520	3812	1rfusclient.exe	85
PID 3812 wrote to memory of 1432	3812	1rfusclient.exe	87
PID 3812 wrote to memory of 1432	3812	1rfusclient.exe	87
PID 3812 wrote to memory of 1432	3812	1rfusclient.exe	87
PID 1432 wrote to memory of 4296	1432	cmd.exe	90
PID 1432 wrote to memory of 4296	1432	cmd.exe	90
PID 1432 wrote to memory of 4296	1432	cmd.exe	90
PID 1432 wrote to memory of 4808	1432	cmd.exe	91
PID 1432 wrote to memory of 4808	1432	cmd.exe	91
PID 1432 wrote to memory of 4808	1432	cmd.exe	91
PID 1432 wrote to memory of 3836	1432	cmd.exe	92
PID 1432 wrote to memory of 3836	1432	cmd.exe	92
PID 1432 wrote to memory of 3836	1432	cmd.exe	92
PID 1432 wrote to memory of 2752	1432	cmd.exe	93
PID 1432 wrote to memory of 2752	1432	cmd.exe	93
PID 1432 wrote to memory of 2752	1432	cmd.exe	93
PID 968 wrote to memory of 4980	968	svnhost.exe	96
PID 968 wrote to memory of 4980	968	svnhost.exe	96
PID 968 wrote to memory of 4980	968	svnhost.exe	96
PID 968 wrote to memory of 3368	968	svnhost.exe	95
PID 968 wrote to memory of 3368	968	svnhost.exe	95
PID 968 wrote to memory of 3368	968	svnhost.exe	95

C:\Users\Admin\AppData\Local\Temp\151da688aa59bda8a48941559f15d6b61e11d4d62f7af1537ac5bc149fb4a083.exe
"C:\Users\Admin\AppData\Local\Temp\151da688aa59bda8a48941559f15d6b61e11d4d62f7af1537ac5bc149fb4a083.exe"
1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5012
- C:\Windows\System64\1rfusclient.exe
  "C:\Windows\System64\1rfusclient.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Checks computer location settings
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:3812
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s "C:\Windows\Zont911\Regedit.reg"
    3⤵
    - Runs .reg file with regedit
    PID:1520
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Windows\Zont911\Tupe.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1432
  - - C:\Windows\SysWOW64\chcp.com
      Chcp 1251
      4⤵
      PID:4296
  - - C:\Windows\System64\svnhost.exe
      "C:\Windows\System64\svnhost.exe" /silentinstall
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:4808
  - - C:\Windows\System64\svnhost.exe
      "C:\Windows\System64\svnhost.exe" /firewall
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:3836
  - - C:\Windows\System64\svnhost.exe
      "C:\Windows\System64\svnhost.exe" /start
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:2752

C:\Windows\System64\svnhost.exe
C:\Windows\System64\svnhost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:968
- C:\Windows\System64\systemsmss.exe
  C:\Windows\System64\systemsmss.exe /tray
  2⤵
  - Executes dropped EXE
  PID:3368
- C:\Windows\System64\systemsmss.exe
  C:\Windows\System64\systemsmss.exe
  2⤵
  - Executes dropped EXE
  PID:4980

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System64\1rfusclient.exe

Filesize
6.2MB

MD5
474fd12f9e7e6321528226b0c5c7a555

SHA1
328b8face61784a1e39718c8426b8a3195cda41d

SHA256
151da688aa59bda8a48941559f15d6b61e11d4d62f7af1537ac5bc149fb4a083

SHA512
5b87863ab34dd62cb246df734e36c0261420fc352ebad7c7dd83419cf3d8c2e9d0bd19b071c42262f9c821c8fb05aa28b127b73136e12fc534450c1d5fd55a50

Download Submit
C:\Windows\System64\1rfusclient.exe

Filesize
6.2MB

MD5
474fd12f9e7e6321528226b0c5c7a555

SHA1
328b8face61784a1e39718c8426b8a3195cda41d

SHA256
151da688aa59bda8a48941559f15d6b61e11d4d62f7af1537ac5bc149fb4a083

SHA512
5b87863ab34dd62cb246df734e36c0261420fc352ebad7c7dd83419cf3d8c2e9d0bd19b071c42262f9c821c8fb05aa28b127b73136e12fc534450c1d5fd55a50

Download Submit
C:\Windows\System64\svnhost.exe

Filesize
6.0MB

MD5
e437e8730f2163cba2552a5a374a885a

SHA1
514497f668ae7b80a698bd8cda6de2dcf104e450

SHA256
dde1cc7b34ad434fb515b4b315c2ec22a74e3b1b4d50fe83421fab4d6055b3a6

SHA512
e924929176c60f00bfd45f0ec991279d4bbb96be4f5f270e636594d4faad681c318cbc9374dd2126170e18f7b4e9db54b193c147b452655c2806921d8c76c445

Download Submit
C:\Windows\System64\svnhost.exe

Filesize
6.0MB

MD5
e437e8730f2163cba2552a5a374a885a

SHA1
514497f668ae7b80a698bd8cda6de2dcf104e450

SHA256
dde1cc7b34ad434fb515b4b315c2ec22a74e3b1b4d50fe83421fab4d6055b3a6

SHA512
e924929176c60f00bfd45f0ec991279d4bbb96be4f5f270e636594d4faad681c318cbc9374dd2126170e18f7b4e9db54b193c147b452655c2806921d8c76c445

Download Submit
C:\Windows\System64\svnhost.exe

Filesize
6.0MB

MD5
e437e8730f2163cba2552a5a374a885a

SHA1
514497f668ae7b80a698bd8cda6de2dcf104e450

SHA256
dde1cc7b34ad434fb515b4b315c2ec22a74e3b1b4d50fe83421fab4d6055b3a6

SHA512
e924929176c60f00bfd45f0ec991279d4bbb96be4f5f270e636594d4faad681c318cbc9374dd2126170e18f7b4e9db54b193c147b452655c2806921d8c76c445

Download Submit
C:\Windows\System64\svnhost.exe

Filesize
6.0MB

MD5
e437e8730f2163cba2552a5a374a885a

SHA1
514497f668ae7b80a698bd8cda6de2dcf104e450

SHA256
dde1cc7b34ad434fb515b4b315c2ec22a74e3b1b4d50fe83421fab4d6055b3a6

SHA512
e924929176c60f00bfd45f0ec991279d4bbb96be4f5f270e636594d4faad681c318cbc9374dd2126170e18f7b4e9db54b193c147b452655c2806921d8c76c445

Download Submit
C:\Windows\System64\svnhost.exe

Filesize
6.0MB

MD5
e437e8730f2163cba2552a5a374a885a

SHA1
514497f668ae7b80a698bd8cda6de2dcf104e450

SHA256
dde1cc7b34ad434fb515b4b315c2ec22a74e3b1b4d50fe83421fab4d6055b3a6

SHA512
e924929176c60f00bfd45f0ec991279d4bbb96be4f5f270e636594d4faad681c318cbc9374dd2126170e18f7b4e9db54b193c147b452655c2806921d8c76c445

Download Submit
C:\Windows\System64\systemsmss.exe

Filesize
5.1MB

MD5
bd458a26931f960f13958510e88a61a8

SHA1
be9fff29f269d649688e941e97ac03e669571837

SHA256
d295538301a5513d3e605e43586e48504ec22f87666a31ef06f697b5c9b611f3

SHA512
afe9e6209ade2846f31efb7b9977d42b28cd082eb0a4b9c4ba4b9c91d528afbc7efe748be0c78c938d042dc9d200c23d2f0552a7498ab23becac828df53245e7

Download Submit
C:\Windows\System64\systemsmss.exe

Filesize
5.1MB

MD5
bd458a26931f960f13958510e88a61a8

SHA1
be9fff29f269d649688e941e97ac03e669571837

SHA256
d295538301a5513d3e605e43586e48504ec22f87666a31ef06f697b5c9b611f3

SHA512
afe9e6209ade2846f31efb7b9977d42b28cd082eb0a4b9c4ba4b9c91d528afbc7efe748be0c78c938d042dc9d200c23d2f0552a7498ab23becac828df53245e7

Download Submit
C:\Windows\System64\systemsmss.exe

Filesize
5.1MB

MD5
bd458a26931f960f13958510e88a61a8

SHA1
be9fff29f269d649688e941e97ac03e669571837

SHA256
d295538301a5513d3e605e43586e48504ec22f87666a31ef06f697b5c9b611f3

SHA512
afe9e6209ade2846f31efb7b9977d42b28cd082eb0a4b9c4ba4b9c91d528afbc7efe748be0c78c938d042dc9d200c23d2f0552a7498ab23becac828df53245e7

Download Submit
C:\Windows\System64\vp8decoder.dll

Filesize
378KB

MD5
d43fa82fab5337ce20ad14650085c5d9

SHA1
678aa092075ff65b6815ffc2d8fdc23af8425981

SHA256
c022958429edd94bfe31f2eacfe24ff6b45d6f12747725c449a36116373de03b

SHA512
103e61a9f58df03316676a074487e50ec518479c11068df3736df139b85c7671048c65bce0ef2c55b3c50c61fde54e9e6c7d1b795aea71263ae94c91d4874e0d

Download Submit
C:\Windows\System64\vp8encoder.dll

Filesize
1.6MB

MD5
dab4646806dfca6d0e0b4d80fa9209d6

SHA1
8244dfe22ec2090eee89dad103e6b2002059d16a

SHA256
cb6ef96d3a66ef08ec2c8640b751a52d6d4f4530cf01162a69966f0fd5153587

SHA512
aa5eb93bf23a10de797d6fb52a55a95d36bc48927c76fedd81e0c48872745cb7f7d1b3f230eaae42fd4e79b6a59ca707e56bd6963b03644cbd5984f11e98d6e7

Download Submit
C:\Windows\Zont911\Regedit.reg

Filesize
11KB

MD5
47421bf41df43736b2f3fb3451dc1c62

SHA1
4d03f8a9b35bb602da9ec81da2b4c02438acd823

SHA256
ca79c960df420d52950686dc1843c729cd0195c2729e7b6771254d63a22108e8

SHA512
8caf39e4a790ee77056708bb76c5d7c91ae9dc4b6a75b332b9ba0b79a8ec87a9973e2774dee5c7dacb6ce2d5369034b7bfd9ed5a14f8a3bd182177e55f1a4197

Download Submit
C:\Windows\Zont911\Tupe.bat

Filesize
281B

MD5
020d7ae318d01b6d0d92aa48ef198e82

SHA1
709c08b071bd6cf789ed6667b4f7c957338e81aa

SHA256
6fbce5a6530fe597afa45f71efba019f881765e26eeaa964d653c266e609593e

SHA512
b1ac136d59539f72773d9d3aa190e2d87e9ed8d909e6e8c3c5a6e8feb737543855e72a592429ef4372edb3cdd1fc67537b8e058da56b8d7517d8a57e753fcef0

Download Submit