rms | 5ca050af396a615d9f342b12ad4cb5ca1413b8ae8687bfd8f80bf83a859479bb

Analysis

max time kernel
151s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20220721-en
resource tags

arch:x64arch:x86image:win10v2004-20220721-enlocale:en-usos:windows10-2004-x64system
submitted
01/08/2022, 05:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5ca050af396a615d9f342b12ad4cb5ca1413b8ae8687bfd8f80bf83a859479bb.exe
Size

13.8MB
MD5

7092d2964964ec02188ecf9f07aefc88
SHA1

e87994b619b5139e20b14db2a8b2d0a41e36a6e2
SHA256

5ca050af396a615d9f342b12ad4cb5ca1413b8ae8687bfd8f80bf83a859479bb
SHA512

6da77c955071b7f1a430ce4f559ee655658fdd1392c9136a9359a62e6270d0b1f2bfe616173911ae0cdb331200fa204dce63c5df16db08b6e03a41f9c3215a6c

Score

10^/10

rms aspackv2 evasion rat trojan upx vmprotect

Malware Config

Signatures

RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms

UAC bypass 3 TTPs 3 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	regedit.exe

Windows security bypass 2 TTPs 1 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths	regedit.exe

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x0006000000022ed8-202.dat	acprotect
behavioral2/files/0x0006000000022ed7-201.dat	acprotect

Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

ASPack v2.12-2.42 9 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x0006000000022ed6-154.dat	aspack_v212_v242
behavioral2/files/0x0006000000022ed6-155.dat	aspack_v212_v242
behavioral2/files/0x0006000000022ed6-172.dat	aspack_v212_v242
behavioral2/files/0x0006000000022ed6-181.dat	aspack_v212_v242
behavioral2/files/0x0006000000022ed6-190.dat	aspack_v212_v242
behavioral2/files/0x0006000000022ed5-203.dat	aspack_v212_v242
behavioral2/files/0x0006000000022ed5-208.dat	aspack_v212_v242
behavioral2/files/0x0006000000022ed5-207.dat	aspack_v212_v242
behavioral2/files/0x0006000000022ed5-228.dat	aspack_v212_v242

Executes dropped EXE 12 IoCs

pid	Process
544	flashplayer32_xa_install.exe
636	svchost.exe
1588	F1.exe
4328	rutserv.exe
4400	rms_id_testfix.exe
4440	rms_id_test.exe
4512	rutserv.exe
4872	rutserv.exe
4988	rutserv.exe
1952	rfusclient.exe
1068	rfusclient.exe
3152	rfusclient.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0006000000022ed8-202.dat	upx
behavioral2/files/0x0006000000022ed7-201.dat	upx

VMProtect packed file 5 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral2/files/0x0007000000022e84-136.dat	vmprotect
behavioral2/files/0x0007000000022e84-137.dat	vmprotect
behavioral2/memory/636-138-0x0000000000860000-0x0000000001C93000-memory.dmp	vmprotect
behavioral2/memory/636-162-0x0000000000860000-0x0000000001C93000-memory.dmp	vmprotect
behavioral2/memory/636-169-0x0000000000860000-0x0000000001C93000-memory.dmp	vmprotect

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Control Panel\International\Geo\Nation	F1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Control Panel\International\Geo\Nation	WScript.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
69	api.ipify.org
72	api.ipify.org

AutoIT Executable 7 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/memory/636-138-0x0000000000860000-0x0000000001C93000-memory.dmp	autoit_exe
behavioral2/memory/636-162-0x0000000000860000-0x0000000001C93000-memory.dmp	autoit_exe
behavioral2/files/0x0006000000022ed0-164.dat	autoit_exe
behavioral2/files/0x0007000000022e85-166.dat	autoit_exe
behavioral2/files/0x0007000000022e85-167.dat	autoit_exe
behavioral2/files/0x0006000000022ed0-168.dat	autoit_exe
behavioral2/memory/636-169-0x0000000000860000-0x0000000001C93000-memory.dmp	autoit_exe

Launches sc.exe 3 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1396	sc.exe
4348	sc.exe
4492	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
4308	timeout.exe

Modifies registry class 7 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings	F1.exe
Key created	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\MIME\Database	rms_id_testfix.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Charset	rms_id_testfix.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Codepage	rms_id_testfix.exe
Key created	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\MIME\Database	rms_id_test.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Charset	rms_id_test.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Codepage	rms_id_test.exe

Runs .reg file with regedit 2 IoCs

pid	Process
4252	regedit.exe
4280	regedit.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
636	svchost.exe
636	svchost.exe
636	svchost.exe
636	svchost.exe
4328	rutserv.exe
4328	rutserv.exe
4328	rutserv.exe
4328	rutserv.exe
4328	rutserv.exe
4328	rutserv.exe
4512	rutserv.exe
4512	rutserv.exe
4872	rutserv.exe
4872	rutserv.exe
4988	rutserv.exe
4988	rutserv.exe
4988	rutserv.exe
4988	rutserv.exe
4988	rutserv.exe
4988	rutserv.exe
1952	rfusclient.exe
1952	rfusclient.exe

Suspicious behavior: SetClipboardViewer 1 IoCs

pid	Process
3152	rfusclient.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	4328	rutserv.exe
Token: SeDebugPrivilege	4872	rutserv.exe
Token: SeTakeOwnershipPrivilege	4988	rutserv.exe
Token: SeTcbPrivilege	4988	rutserv.exe
Token: SeTcbPrivilege	4988	rutserv.exe

Suspicious use of FindShellTrayWindow 7 IoCs

pid	Process
4400	rms_id_testfix.exe
4400	rms_id_testfix.exe
4400	rms_id_testfix.exe
4440	rms_id_test.exe
4440	rms_id_test.exe
4440	rms_id_test.exe
4440	rms_id_test.exe

Suspicious use of SendNotifyMessage 7 IoCs

pid	Process
4400	rms_id_testfix.exe
4400	rms_id_testfix.exe
4400	rms_id_testfix.exe
4440	rms_id_test.exe
4440	rms_id_test.exe
4440	rms_id_test.exe
4440	rms_id_test.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
544	flashplayer32_xa_install.exe
544	flashplayer32_xa_install.exe
544	flashplayer32_xa_install.exe
544	flashplayer32_xa_install.exe
4328	rutserv.exe
4512	rutserv.exe
4872	rutserv.exe
4988	rutserv.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2848 wrote to memory of 544	2848	5ca050af396a615d9f342b12ad4cb5ca1413b8ae8687bfd8f80bf83a859479bb.exe	84
PID 2848 wrote to memory of 544	2848	5ca050af396a615d9f342b12ad4cb5ca1413b8ae8687bfd8f80bf83a859479bb.exe	84
PID 2848 wrote to memory of 544	2848	5ca050af396a615d9f342b12ad4cb5ca1413b8ae8687bfd8f80bf83a859479bb.exe	84
PID 2848 wrote to memory of 636	2848	5ca050af396a615d9f342b12ad4cb5ca1413b8ae8687bfd8f80bf83a859479bb.exe	86
PID 2848 wrote to memory of 636	2848	5ca050af396a615d9f342b12ad4cb5ca1413b8ae8687bfd8f80bf83a859479bb.exe	86
PID 2848 wrote to memory of 636	2848	5ca050af396a615d9f342b12ad4cb5ca1413b8ae8687bfd8f80bf83a859479bb.exe	86
PID 636 wrote to memory of 1588	636	svchost.exe	90
PID 636 wrote to memory of 1588	636	svchost.exe	90
PID 636 wrote to memory of 1588	636	svchost.exe	90
PID 1588 wrote to memory of 4116	1588	F1.exe	91
PID 1588 wrote to memory of 4116	1588	F1.exe	91
PID 1588 wrote to memory of 4116	1588	F1.exe	91
PID 4116 wrote to memory of 4200	4116	WScript.exe	92
PID 4116 wrote to memory of 4200	4116	WScript.exe	92
PID 4116 wrote to memory of 4200	4116	WScript.exe	92
PID 4200 wrote to memory of 4252	4200	cmd.exe	94
PID 4200 wrote to memory of 4252	4200	cmd.exe	94
PID 4200 wrote to memory of 4252	4200	cmd.exe	94
PID 4200 wrote to memory of 4280	4200	cmd.exe	95
PID 4200 wrote to memory of 4280	4200	cmd.exe	95
PID 4200 wrote to memory of 4280	4200	cmd.exe	95
PID 4200 wrote to memory of 4308	4200	cmd.exe	96
PID 4200 wrote to memory of 4308	4200	cmd.exe	96
PID 4200 wrote to memory of 4308	4200	cmd.exe	96
PID 4200 wrote to memory of 4328	4200	cmd.exe	97
PID 4200 wrote to memory of 4328	4200	cmd.exe	97
PID 4200 wrote to memory of 4328	4200	cmd.exe	97
PID 636 wrote to memory of 4400	636	svchost.exe	98
PID 636 wrote to memory of 4400	636	svchost.exe	98
PID 636 wrote to memory of 4400	636	svchost.exe	98
PID 2848 wrote to memory of 4440	2848	5ca050af396a615d9f342b12ad4cb5ca1413b8ae8687bfd8f80bf83a859479bb.exe	99
PID 2848 wrote to memory of 4440	2848	5ca050af396a615d9f342b12ad4cb5ca1413b8ae8687bfd8f80bf83a859479bb.exe	99
PID 2848 wrote to memory of 4440	2848	5ca050af396a615d9f342b12ad4cb5ca1413b8ae8687bfd8f80bf83a859479bb.exe	99
PID 4200 wrote to memory of 4512	4200	cmd.exe	100
PID 4200 wrote to memory of 4512	4200	cmd.exe	100
PID 4200 wrote to memory of 4512	4200	cmd.exe	100
PID 4200 wrote to memory of 4872	4200	cmd.exe	102
PID 4200 wrote to memory of 4872	4200	cmd.exe	102
PID 4200 wrote to memory of 4872	4200	cmd.exe	102
PID 2848 wrote to memory of 4960	2848	5ca050af396a615d9f342b12ad4cb5ca1413b8ae8687bfd8f80bf83a859479bb.exe	103
PID 2848 wrote to memory of 4960	2848	5ca050af396a615d9f342b12ad4cb5ca1413b8ae8687bfd8f80bf83a859479bb.exe	103
PID 2848 wrote to memory of 4960	2848	5ca050af396a615d9f342b12ad4cb5ca1413b8ae8687bfd8f80bf83a859479bb.exe	103
PID 2848 wrote to memory of 4980	2848	5ca050af396a615d9f342b12ad4cb5ca1413b8ae8687bfd8f80bf83a859479bb.exe	114
PID 2848 wrote to memory of 4980	2848	5ca050af396a615d9f342b12ad4cb5ca1413b8ae8687bfd8f80bf83a859479bb.exe	114
PID 2848 wrote to memory of 4980	2848	5ca050af396a615d9f342b12ad4cb5ca1413b8ae8687bfd8f80bf83a859479bb.exe	114
PID 2848 wrote to memory of 5032	2848	5ca050af396a615d9f342b12ad4cb5ca1413b8ae8687bfd8f80bf83a859479bb.exe	113
PID 2848 wrote to memory of 5032	2848	5ca050af396a615d9f342b12ad4cb5ca1413b8ae8687bfd8f80bf83a859479bb.exe	113
PID 2848 wrote to memory of 5032	2848	5ca050af396a615d9f342b12ad4cb5ca1413b8ae8687bfd8f80bf83a859479bb.exe	113
PID 4960 wrote to memory of 1064	4960	net.exe	108
PID 4960 wrote to memory of 1064	4960	net.exe	108
PID 4960 wrote to memory of 1064	4960	net.exe	108
PID 4980 wrote to memory of 4160	4980	net.exe	110
PID 4980 wrote to memory of 4160	4980	net.exe	110
PID 4980 wrote to memory of 4160	4980	net.exe	110
PID 5032 wrote to memory of 4176	5032	net.exe	109
PID 5032 wrote to memory of 4176	5032	net.exe	109
PID 5032 wrote to memory of 4176	5032	net.exe	109
PID 4988 wrote to memory of 1068	4988	rutserv.exe	111
PID 4988 wrote to memory of 1068	4988	rutserv.exe	111
PID 4988 wrote to memory of 1068	4988	rutserv.exe	111
PID 4988 wrote to memory of 1952	4988	rutserv.exe	112
PID 4988 wrote to memory of 1952	4988	rutserv.exe	112
PID 4988 wrote to memory of 1952	4988	rutserv.exe	112
PID 4200 wrote to memory of 2032	4200	cmd.exe	117

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
2032	attrib.exe
2784	attrib.exe

C:\Users\Admin\AppData\Local\Temp\5ca050af396a615d9f342b12ad4cb5ca1413b8ae8687bfd8f80bf83a859479bb.exe
"C:\Users\Admin\AppData\Local\Temp\5ca050af396a615d9f342b12ad4cb5ca1413b8ae8687bfd8f80bf83a859479bb.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2848
- C:\ProgramData\Microsoft\Install\flashplayer32_xa_install.exe
  C:\ProgramData\Microsoft\Install\flashplayer32_xa_install.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:544
- C:\ProgramData\Microsoft\Install\svchost.exe
  C:\ProgramData\Microsoft\Install\svchost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:636
- - C:\ProgramData\Microsoft\Install\F1.exe
    C:\ProgramData\Microsoft\Install\F1.exe -pklark
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1588
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Programdata\Windows\install.vbs"
      4⤵
      Checks computer location settings
      Suspicious use of WriteProcessMemory
      PID:4116
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Programdata\Windows\install.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4200
      - C:\Windows\SysWOW64\regedit.exe
        
        regedit /s "reg1.reg"
        6⤵
        UAC bypass
        Windows security bypass
        Runs .reg file with regedit
        
        PID:4252
      - C:\Windows\SysWOW64\regedit.exe
        
        regedit /s "reg2.reg"
        6⤵
        Runs .reg file with regedit
        
        PID:4280
      - C:\Windows\SysWOW64\timeout.exe
        
        timeout 2
        6⤵
        Delays execution with timeout.exe
        
        PID:4308
      - C:\Programdata\Windows\rutserv.exe
        
        rutserv.exe /silentinstall
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:4328
      - C:\Programdata\Windows\rutserv.exe
        
        rutserv.exe /firewall
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4512
      - C:\Programdata\Windows\rutserv.exe
        
        rutserv.exe /start
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:4872
      - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB +H +S C:\Programdata\Windows\*.*
        6⤵
        Views/modifies file attributes
        
        PID:2032
      - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB +H +S C:\Programdata\Windows
        6⤵
        Views/modifies file attributes
        
        PID:2784
      - C:\Windows\SysWOW64\sc.exe
        
        sc failure RManService reset= 0 actions= restart/1000/restart/1000/restart/1000
        6⤵
        Launches sc.exe
        
        PID:4348
      - C:\Windows\SysWOW64\sc.exe
        
        sc config RManService obj= LocalSystem type= interact type= own
        6⤵
        Launches sc.exe
        
        PID:4492
      - C:\Windows\SysWOW64\sc.exe
        
        sc config RManService DisplayName= "Microsoft Framework"
        6⤵
        Launches sc.exe
        
        PID:1396
- - C:\ProgramData\Microsoft\Install\rms_id_testfix.exe
    C:\ProgramData\Microsoft\Install\rms_id_testfix.exe
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:4400
- C:\ProgramData\Microsoft\Install\rms_id_test.exe
  C:\ProgramData\Microsoft\Install\rms_id_test.exe
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:4440
- C:\Windows\SysWOW64\net.exe
  net user guest 1ASDqweasdqwe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4960
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 user guest 1ASDqweasdqwe
    3⤵
    PID:1064
- C:\Windows\SysWOW64\net.exe
  net localgroup administrators guest /add
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5032
- C:\Windows\SysWOW64\net.exe
  net user guest /active:yes
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4980

C:\Programdata\Windows\rutserv.exe
C:\Programdata\Windows\rutserv.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4988
- C:\Programdata\Windows\rfusclient.exe
  C:\Programdata\Windows\rfusclient.exe /tray
  2⤵
  - Executes dropped EXE
  PID:1068
- C:\Programdata\Windows\rfusclient.exe
  C:\Programdata\Windows\rfusclient.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1952
- - C:\Programdata\Windows\rfusclient.exe
    C:\Programdata\Windows\rfusclient.exe /tray
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: SetClipboardViewer
    PID:3152

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup administrators guest /add
1⤵
PID:4176

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user guest /active:yes
1⤵
PID:4160

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Account Manipulation

T1098

Hidden Files and Directories

T1158

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Account Manipulation

T1098

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Install\F1.exe

Filesize
4.0MB

MD5
4ed728f59cacce5dfc9d82b024920021

SHA1
f1d69f3d09faeac47b1996703fc9b38d02ca1fd9

SHA256
ef8cfe8aaed90636577db12e75afa89f0ea4fd78ea87b0d809c49cb375b0bd1f

SHA512
bf9d2fd98b6a93a9714547ca603f852829a027de9ab485173669de7e63bd2010e42263c4c9bf4794c80feb0f047c561ad846e3493be9a9602251943e6d609f97

Download Submit
C:\ProgramData\Microsoft\Install\F1.exe

Filesize
4.0MB

MD5
4ed728f59cacce5dfc9d82b024920021

SHA1
f1d69f3d09faeac47b1996703fc9b38d02ca1fd9

SHA256
ef8cfe8aaed90636577db12e75afa89f0ea4fd78ea87b0d809c49cb375b0bd1f

SHA512
bf9d2fd98b6a93a9714547ca603f852829a027de9ab485173669de7e63bd2010e42263c4c9bf4794c80feb0f047c561ad846e3493be9a9602251943e6d609f97

Download Submit
C:\ProgramData\Microsoft\Install\flashplayer32_xa_install.exe

Filesize
1.2MB

MD5
0f439339fcfe0a061cc0a439780447cc

SHA1
817f3f7673d8a30055ffe51ff330d57a184ec37c

SHA256
9960befb3589fcb51036e9d8a268d8eb29aac214a68f57e85ef317b76dcd9455

SHA512
d4e749b02c7ad9dbe045a6d63da0b7d2ae7f66e7b30136fb31d47575447ae8cd6ba86f2737175db551b838d769dbb6aecaff3d9dc6b4243e64e3060d79bf01a3

Download Submit
C:\ProgramData\Microsoft\Install\flashplayer32_xa_install.exe

Filesize
1.2MB

MD5
0f439339fcfe0a061cc0a439780447cc

SHA1
817f3f7673d8a30055ffe51ff330d57a184ec37c

SHA256
9960befb3589fcb51036e9d8a268d8eb29aac214a68f57e85ef317b76dcd9455

SHA512
d4e749b02c7ad9dbe045a6d63da0b7d2ae7f66e7b30136fb31d47575447ae8cd6ba86f2737175db551b838d769dbb6aecaff3d9dc6b4243e64e3060d79bf01a3

Download Submit
C:\ProgramData\Microsoft\Install\rms_id_test.exe

Filesize
953KB

MD5
ff8374d9020f7c253fc7afcd7afaeaa6

SHA1
2bac0ea740314a5e4226805928b90d2454e03314

SHA256
92cc98b2b6f08351e8a5c88bf7a4b2e0d6ae6633c0c6658dbf81ce3fe83205a0

SHA512
356bf9e1d8971ef0064b1e13593ebd3f8fd39a0025eb963ce4e2d2a97251001d7d5b2fd50439c839e2760ac144e3ee3cde9276a52ff80b17762f612887372e3c

Download Submit
C:\ProgramData\Microsoft\Install\rms_id_test.exe

Filesize
953KB

MD5
ff8374d9020f7c253fc7afcd7afaeaa6

SHA1
2bac0ea740314a5e4226805928b90d2454e03314

SHA256
92cc98b2b6f08351e8a5c88bf7a4b2e0d6ae6633c0c6658dbf81ce3fe83205a0

SHA512
356bf9e1d8971ef0064b1e13593ebd3f8fd39a0025eb963ce4e2d2a97251001d7d5b2fd50439c839e2760ac144e3ee3cde9276a52ff80b17762f612887372e3c

Download Submit
C:\ProgramData\Microsoft\Install\rms_id_testfix.exe

Filesize
941KB

MD5
c462ce1548ba2b204e79812fff243fe0

SHA1
61573b94e1a79687a4cf2476ddf467b6e92dbc58

SHA256
7ac7f765ee24129c8126e540fea2148d8ecc2c7f5b5df6fe19c5c5d8cdeba862

SHA512
50b7feadbf6865da7529ce5137e8f8d25e42282e9c4a1c8c574cb3b32eed9f7900dd9b98fe67ca90eb13d4bc60f96f8eb5bfb6fa1ca8835bb8e42f562a9158fd

Download Submit
C:\ProgramData\Microsoft\Install\rms_id_testfix.exe

Filesize
941KB

MD5
c462ce1548ba2b204e79812fff243fe0

SHA1
61573b94e1a79687a4cf2476ddf467b6e92dbc58

SHA256
7ac7f765ee24129c8126e540fea2148d8ecc2c7f5b5df6fe19c5c5d8cdeba862

SHA512
50b7feadbf6865da7529ce5137e8f8d25e42282e9c4a1c8c574cb3b32eed9f7900dd9b98fe67ca90eb13d4bc60f96f8eb5bfb6fa1ca8835bb8e42f562a9158fd

Download Submit
C:\ProgramData\Microsoft\Install\svchost.exe

Filesize
11.0MB

MD5
a69ef2467201431a7f23ae06fc794daf

SHA1
3e5d1c316a8dfd91137fc173b19119cefc929a53

SHA256
275daab4d7e4bd0a307b9c3324e18c7c335fe072ee4ae922b20a4f12209aef74

SHA512
5e5bcf0faa165df250db0c68b4c01f99c5994802ee4a58af41438a3f362b78280c007c02fa5431393e06698798a0a8512f511623f204e24b5ae7a871f97c6af4

Download Submit
C:\ProgramData\Microsoft\Install\svchost.exe

Filesize
11.0MB

MD5
a69ef2467201431a7f23ae06fc794daf

SHA1
3e5d1c316a8dfd91137fc173b19119cefc929a53

SHA256
275daab4d7e4bd0a307b9c3324e18c7c335fe072ee4ae922b20a4f12209aef74

SHA512
5e5bcf0faa165df250db0c68b4c01f99c5994802ee4a58af41438a3f362b78280c007c02fa5431393e06698798a0a8512f511623f204e24b5ae7a871f97c6af4

Download Submit
C:\ProgramData\Windows\rfusclient.exe

Filesize
1.5MB

MD5
b8667a1e84567fcf7821bcefb6a444af

SHA1
9c1f91fe77ad357c8f81205d65c9067a270d61f0

SHA256
dc9d875e659421a51addd8e8a362c926369e84320ab0c5d8bbb1e4d12d372fc9

SHA512
ec6af663a3b41719d684f04504746f91196105ef6f8baa013b4bd02df6684eca49049d5517691f8e3a4ba6351fe35545a27f728b1d29d949e950d574a012f852

Download Submit
C:\ProgramData\Windows\rfusclient.exe

Filesize
1.5MB

MD5
b8667a1e84567fcf7821bcefb6a444af

SHA1
9c1f91fe77ad357c8f81205d65c9067a270d61f0

SHA256
dc9d875e659421a51addd8e8a362c926369e84320ab0c5d8bbb1e4d12d372fc9

SHA512
ec6af663a3b41719d684f04504746f91196105ef6f8baa013b4bd02df6684eca49049d5517691f8e3a4ba6351fe35545a27f728b1d29d949e950d574a012f852

Download Submit
C:\ProgramData\Windows\rfusclient.exe

Filesize
1.5MB

MD5
b8667a1e84567fcf7821bcefb6a444af

SHA1
9c1f91fe77ad357c8f81205d65c9067a270d61f0

SHA256
dc9d875e659421a51addd8e8a362c926369e84320ab0c5d8bbb1e4d12d372fc9

SHA512
ec6af663a3b41719d684f04504746f91196105ef6f8baa013b4bd02df6684eca49049d5517691f8e3a4ba6351fe35545a27f728b1d29d949e950d574a012f852

Download Submit
C:\ProgramData\Windows\rutserv.exe

Filesize
1.7MB

MD5
37a8802017a212bb7f5255abc7857969

SHA1
cb10c0d343c54538d12db8ed664d0a1fa35b6109

SHA256
1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6

SHA512
4e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0

Download Submit
C:\ProgramData\Windows\rutserv.exe

Filesize
1.7MB

MD5
37a8802017a212bb7f5255abc7857969

SHA1
cb10c0d343c54538d12db8ed664d0a1fa35b6109

SHA256
1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6

SHA512
4e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0

Download Submit
C:\ProgramData\Windows\rutserv.exe

Filesize
1.7MB

MD5
37a8802017a212bb7f5255abc7857969

SHA1
cb10c0d343c54538d12db8ed664d0a1fa35b6109

SHA256
1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6

SHA512
4e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0

Download Submit
C:\ProgramData\Windows\rutserv.exe

Filesize
1.7MB

MD5
37a8802017a212bb7f5255abc7857969

SHA1
cb10c0d343c54538d12db8ed664d0a1fa35b6109

SHA256
1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6

SHA512
4e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0

Download Submit
C:\Programdata\Windows\install.bat

Filesize
418B

MD5
db76c882184e8d2bac56865c8e88f8fd

SHA1
fc6324751da75b665f82a3ad0dcc36bf4b91dfac

SHA256
e3db831cdb021d6221be26a36800844e9af13811bac9e4961ac21671dff9207a

SHA512
da3ca7a3429bb9250cc8b6e33f25b5335a5383d440b16940e4b6e6aca82f2b673d8a01419606746a8171106f31c37bfcdb5c8e33e57fce44c8edb475779aea92

Download Submit
C:\Programdata\Windows\install.vbs

Filesize
140B

MD5
5e36713ab310d29f2bdd1c93f2f0cad2

SHA1
7e768cca6bce132e4e9132e8a00a1786e6351178

SHA256
cd8df8b0c43c36aabb0a960e4444b000a04eb513f0b34e12dbfd098944e40931

SHA512
8e5cf90470163143aee75b593e52fcc39e6477cd69a522ee77fa2589ea22b8a3a1c23614d3a677c8017fba0bf4b320a4e47c56a9a7f176dbf51db88d9d8e52c1

Download Submit
C:\Programdata\Windows\reg1.reg

Filesize
13KB

MD5
0bfedf7b7c27597ca9d98914f44ccffe

SHA1
e4243e470e96ac4f1e22bf6dcf556605c88faaa9

SHA256
7e9541d21f44024bc88b9dc0437b18753b9d9f22b0cf6e01bb7e9bf5b32add9e

SHA512
d7669937f24b3dbb0fdfd19c67d9cdbd4f90779539107bd4b84d48eab25293ef03661a256fe5c662e73041b1436baff0570ace763fa3effa7c71d954378cbc2d

Download Submit
C:\Programdata\Windows\reg2.reg

Filesize
1KB

MD5
6a5d2192b8ad9e96a2736c8b0bdbd06e

SHA1
235a78495192fc33f13af3710d0fe44e86a771c9

SHA256
4ae04a85412ec3daa0fb33f21ed4eb3c4864c3668b95712be9ec36ef7658422a

SHA512
411204a0a1cdbe610830fb0be09fd86c579bb5cccf46e2e74d075a5693fe7924e1e2ba121aa824af66c7521fcc452088b2301321d9d7eb163bee322f2f58640d

Download Submit
C:\Programdata\Windows\rfusclient.exe

Filesize
1.5MB

MD5
b8667a1e84567fcf7821bcefb6a444af

SHA1
9c1f91fe77ad357c8f81205d65c9067a270d61f0

SHA256
dc9d875e659421a51addd8e8a362c926369e84320ab0c5d8bbb1e4d12d372fc9

SHA512
ec6af663a3b41719d684f04504746f91196105ef6f8baa013b4bd02df6684eca49049d5517691f8e3a4ba6351fe35545a27f728b1d29d949e950d574a012f852

Download Submit
C:\Programdata\Windows\rutserv.exe

Filesize
1.7MB

MD5
37a8802017a212bb7f5255abc7857969

SHA1
cb10c0d343c54538d12db8ed664d0a1fa35b6109

SHA256
1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6

SHA512
4e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0

Download Submit
C:\Programdata\Windows\vp8decoder.dll

Filesize
155KB

MD5
88318158527985702f61d169434a4940

SHA1
3cc751ba256b5727eb0713aad6f554ff1e7bca57

SHA256
4c04d7968a9fe9d9258968d3a722263334bbf5f8af972f206a71f17fa293aa74

SHA512
5d88562b6c6d2a5b14390512712819238cd838914f7c48a27f017827cb9b825c24ff05a30333427acec93cd836e8f04158b86d17e6ac3dd62c55b2e2ff4e2aff

Download Submit
C:\Programdata\Windows\vp8encoder.dll

Filesize
593KB

MD5
6298c0af3d1d563834a218a9cc9f54bd

SHA1
0185cd591e454ed072e5a5077b25c612f6849dc9

SHA256
81af82019d9f45a697a8ca1788f2c5c0205af9892efd94879dedf4bc06db4172

SHA512
389d89053689537cdb582c0e8a7951a84549f0c36484db4346c31bdbe7cb93141f6a354069eb13e550297dc8ec35cd6899746e0c16abc876a0fe542cc450fffe

Download Submit
memory/544-209-0x00000000000A0000-0x00000000004D4000-memory.dmp

Filesize
4.2MB

Download
memory/544-134-0x0000000000A10000-0x0000000000A13000-memory.dmp

Filesize
12KB

Download
memory/544-133-0x00000000000A0000-0x00000000004D4000-memory.dmp

Filesize
4.2MB

Download
memory/636-169-0x0000000000860000-0x0000000001C93000-memory.dmp

Filesize
20.2MB

Download
memory/636-138-0x0000000000860000-0x0000000001C93000-memory.dmp

Filesize
20.2MB

Download
memory/636-162-0x0000000000860000-0x0000000001C93000-memory.dmp

Filesize
20.2MB

Download
memory/1068-218-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/1068-212-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/1068-214-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/1068-217-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/1068-211-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/1068-220-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/1952-221-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/1952-219-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/1952-213-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/1952-216-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/1952-215-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/1952-210-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/3152-234-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/3152-233-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/3152-232-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/3152-235-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/3152-231-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/3152-230-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/4328-157-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/4328-156-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/4328-158-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/4328-159-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/4328-160-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/4328-161-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/4328-170-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/4512-179-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/4512-173-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/4512-174-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/4512-175-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/4512-176-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/4512-178-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/4512-177-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/4872-206-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/4872-187-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/4872-182-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/4872-184-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/4872-183-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/4872-185-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/4872-186-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/4988-191-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/4988-194-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/4988-196-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/4988-195-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/4988-197-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download