rms | e055c80c80b7462e02dc357dfb0c336f60987611d24f29dc867d8788ca9eff6b

Analysis

max time kernel
191s
max time network
193s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
30-11-2022 18:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e055c80c80b7462e02dc357dfb0c336f60987611d24f29dc867d8788ca9eff6b.exe
Size

4.2MB
MD5

183f0ac56267fcfa87570e3533b17dcb
SHA1

0bcb4f0d472ed346ea41f652bc89f770b78d97a2
SHA256

e055c80c80b7462e02dc357dfb0c336f60987611d24f29dc867d8788ca9eff6b
SHA512

dda8c4a0c3869112085c7d9de249e0de2978e7e3a6bd11e798ece22fd3ea233f72f028b93ca08facd100966fed56092eecafd019ce66859f9e54857e2832111b
SSDEEP

98304:3jJ1gKpqp+z0DKOyZhjt4UpQohV6oby9pr1adb8l:91Rp02Oy7e9oSkSmA

Score

10^/10

rms aspackv2 rat trojan upx

Malware Config

Signatures

RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
\??\c:\vp8decoder.dll	acprotect
\??\c:\vp8encoder.dll	acprotect

ASPack v2.12-2.42 12 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
C:\rutserv.exe	aspack_v212_v242
\??\c:\rutserv.exe	aspack_v212_v242
C:\rutserv.exe	aspack_v212_v242
C:\rutserv.exe	aspack_v212_v242
C:\rutserv.exe	aspack_v212_v242
C:\rutserv.exe	aspack_v212_v242
C:\rutserv.exe	aspack_v212_v242
C:\rutserv.exe	aspack_v212_v242
\??\c:\rfusclient.exe	aspack_v212_v242
C:\rfusclient.exe	aspack_v212_v242
C:\rfusclient.exe	aspack_v212_v242
C:\rfusclient.exe	aspack_v212_v242

Executes dropped EXE 11 IoCs

Processes:

admi.exerutserv.exerutserv.exerutserv.exerutserv.exerutserv.exerutserv.exerutserv.exerfusclient.exerfusclient.exerfusclient.exe

pid	process
2752	admi.exe
1600	rutserv.exe
400	rutserv.exe
3832	rutserv.exe
2800	rutserv.exe
4356	rutserv.exe
4788	rutserv.exe
3144	rutserv.exe
3368	rfusclient.exe
3932	rfusclient.exe
3504	rfusclient.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\??\c:\vp8decoder.dll	upx
\??\c:\vp8encoder.dll	upx

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

e055c80c80b7462e02dc357dfb0c336f60987611d24f29dc867d8788ca9eff6b.exeadmi.exeWScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	e055c80c80b7462e02dc357dfb0c336f60987611d24f29dc867d8788ca9eff6b.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	admi.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Delays execution with timeout.exe 2 IoCs
evasion

Processes:

timeout.exetimeout.exe

pid process

4516 timeout.exe
4924 timeout.exe
Kills process with taskkill 4 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

1572 taskkill.exe
4380 taskkill.exe
3708 taskkill.exe
1200 taskkill.exe
Modifies registry class 1 IoCs

Processes:

admi.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings admi.exe
Runs .reg file with regedit 2 IoCs

Processes:

regedit.exeregedit.exe

pid process

4928 regedit.exe
4300 regedit.exe

pid	process
4516	timeout.exe
4924	timeout.exe

pid	process
1572	taskkill.exe
4380	taskkill.exe
3708	taskkill.exe
1200	taskkill.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	admi.exe

pid	process
4928	regedit.exe
4300	regedit.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

Processes:

rutserv.exerutserv.exerutserv.exerutserv.exerutserv.exerutserv.exerutserv.exerfusclient.exe

pid	process
1600	rutserv.exe
400	rutserv.exe
1600	rutserv.exe
400	rutserv.exe
1600	rutserv.exe
1600	rutserv.exe
1600	rutserv.exe
1600	rutserv.exe
400	rutserv.exe
400	rutserv.exe
3832	rutserv.exe
3832	rutserv.exe
2800	rutserv.exe
2800	rutserv.exe
4788	rutserv.exe
4788	rutserv.exe
4356	rutserv.exe
4356	rutserv.exe
3144	rutserv.exe
3144	rutserv.exe
3144	rutserv.exe
3144	rutserv.exe
3144	rutserv.exe
3144	rutserv.exe
3932	rfusclient.exe
3932	rfusclient.exe

Suspicious behavior: SetClipboardViewer 1 IoCs

Processes:

rfusclient.exe

pid process

3504 rfusclient.exe

pid	process
3504	rfusclient.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exerutserv.exerutserv.exerutserv.exerutserv.exerutserv.exe

description	pid	process
Token: SeDebugPrivilege	1572	taskkill.exe
Token: SeDebugPrivilege	4380	taskkill.exe
Token: SeDebugPrivilege	3708	taskkill.exe
Token: SeDebugPrivilege	1200	taskkill.exe
Token: SeDebugPrivilege	1600	rutserv.exe
Token: SeDebugPrivilege	400	rutserv.exe
Token: SeDebugPrivilege	4788	rutserv.exe
Token: SeDebugPrivilege	4356	rutserv.exe
Token: SeTakeOwnershipPrivilege	3144	rutserv.exe
Token: SeTcbPrivilege	3144	rutserv.exe
Token: SeTcbPrivilege	3144	rutserv.exe

Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

rutserv.exerutserv.exerutserv.exerutserv.exerutserv.exerutserv.exerutserv.exe

pid process

1600 rutserv.exe
400 rutserv.exe
3832 rutserv.exe
2800 rutserv.exe
4788 rutserv.exe
4356 rutserv.exe
3144 rutserv.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

e055c80c80b7462e02dc357dfb0c336f60987611d24f29dc867d8788ca9eff6b.execmd.exeadmi.execmd.exeWScript.execmd.exerutserv.exe

description	pid	process	target process
PID 1480 wrote to memory of 2924	1480	e055c80c80b7462e02dc357dfb0c336f60987611d24f29dc867d8788ca9eff6b.exe	cmd.exe
PID 1480 wrote to memory of 2924	1480	e055c80c80b7462e02dc357dfb0c336f60987611d24f29dc867d8788ca9eff6b.exe	cmd.exe
PID 1480 wrote to memory of 2924	1480	e055c80c80b7462e02dc357dfb0c336f60987611d24f29dc867d8788ca9eff6b.exe	cmd.exe
PID 2924 wrote to memory of 2752	2924	cmd.exe	admi.exe
PID 2924 wrote to memory of 2752	2924	cmd.exe	admi.exe
PID 2924 wrote to memory of 2752	2924	cmd.exe	admi.exe
PID 2752 wrote to memory of 3688	2752	admi.exe	WScript.exe
PID 2752 wrote to memory of 3688	2752	admi.exe	WScript.exe
PID 2752 wrote to memory of 3688	2752	admi.exe	WScript.exe
PID 2752 wrote to memory of 2860	2752	admi.exe	cmd.exe
PID 2752 wrote to memory of 2860	2752	admi.exe	cmd.exe
PID 2752 wrote to memory of 2860	2752	admi.exe	cmd.exe
PID 2860 wrote to memory of 1572	2860	cmd.exe	taskkill.exe
PID 2860 wrote to memory of 1572	2860	cmd.exe	taskkill.exe
PID 2860 wrote to memory of 1572	2860	cmd.exe	taskkill.exe
PID 3688 wrote to memory of 3968	3688	WScript.exe	cmd.exe
PID 3688 wrote to memory of 3968	3688	WScript.exe	cmd.exe
PID 3688 wrote to memory of 3968	3688	WScript.exe	cmd.exe
PID 3968 wrote to memory of 4380	3968	cmd.exe	taskkill.exe
PID 3968 wrote to memory of 4380	3968	cmd.exe	taskkill.exe
PID 3968 wrote to memory of 4380	3968	cmd.exe	taskkill.exe
PID 3968 wrote to memory of 3708	3968	cmd.exe	taskkill.exe
PID 3968 wrote to memory of 3708	3968	cmd.exe	taskkill.exe
PID 3968 wrote to memory of 3708	3968	cmd.exe	taskkill.exe
PID 2860 wrote to memory of 1200	2860	cmd.exe	taskkill.exe
PID 2860 wrote to memory of 1200	2860	cmd.exe	taskkill.exe
PID 2860 wrote to memory of 1200	2860	cmd.exe	taskkill.exe
PID 2860 wrote to memory of 1296	2860	cmd.exe	reg.exe
PID 2860 wrote to memory of 1296	2860	cmd.exe	reg.exe
PID 2860 wrote to memory of 1296	2860	cmd.exe	reg.exe
PID 3968 wrote to memory of 4688	3968	cmd.exe	reg.exe
PID 3968 wrote to memory of 4688	3968	cmd.exe	reg.exe
PID 3968 wrote to memory of 4688	3968	cmd.exe	reg.exe
PID 2860 wrote to memory of 4928	2860	cmd.exe	regedit.exe
PID 2860 wrote to memory of 4928	2860	cmd.exe	regedit.exe
PID 2860 wrote to memory of 4928	2860	cmd.exe	regedit.exe
PID 3968 wrote to memory of 4300	3968	cmd.exe	regedit.exe
PID 3968 wrote to memory of 4300	3968	cmd.exe	regedit.exe
PID 3968 wrote to memory of 4300	3968	cmd.exe	regedit.exe
PID 2860 wrote to memory of 4516	2860	cmd.exe	timeout.exe
PID 2860 wrote to memory of 4516	2860	cmd.exe	timeout.exe
PID 2860 wrote to memory of 4516	2860	cmd.exe	timeout.exe
PID 3968 wrote to memory of 4924	3968	cmd.exe	timeout.exe
PID 3968 wrote to memory of 4924	3968	cmd.exe	timeout.exe
PID 3968 wrote to memory of 4924	3968	cmd.exe	timeout.exe
PID 3968 wrote to memory of 400	3968	cmd.exe	rutserv.exe
PID 3968 wrote to memory of 400	3968	cmd.exe	rutserv.exe
PID 3968 wrote to memory of 400	3968	cmd.exe	rutserv.exe
PID 2860 wrote to memory of 1600	2860	cmd.exe	rutserv.exe
PID 2860 wrote to memory of 1600	2860	cmd.exe	rutserv.exe
PID 2860 wrote to memory of 1600	2860	cmd.exe	rutserv.exe
PID 3968 wrote to memory of 3832	3968	cmd.exe	rutserv.exe
PID 3968 wrote to memory of 3832	3968	cmd.exe	rutserv.exe
PID 3968 wrote to memory of 3832	3968	cmd.exe	rutserv.exe
PID 2860 wrote to memory of 2800	2860	cmd.exe	rutserv.exe
PID 2860 wrote to memory of 2800	2860	cmd.exe	rutserv.exe
PID 2860 wrote to memory of 2800	2860	cmd.exe	rutserv.exe
PID 2860 wrote to memory of 4356	2860	cmd.exe	rutserv.exe
PID 2860 wrote to memory of 4356	2860	cmd.exe	rutserv.exe
PID 2860 wrote to memory of 4356	2860	cmd.exe	rutserv.exe
PID 3968 wrote to memory of 4788	3968	cmd.exe	rutserv.exe
PID 3968 wrote to memory of 4788	3968	cmd.exe	rutserv.exe
PID 3968 wrote to memory of 4788	3968	cmd.exe	rutserv.exe
PID 3144 wrote to memory of 3932	3144	rutserv.exe	rfusclient.exe

C:\Users\Admin\AppData\Local\Temp\e055c80c80b7462e02dc357dfb0c336f60987611d24f29dc867d8788ca9eff6b.exe
"C:\Users\Admin\AppData\Local\Temp\e055c80c80b7462e02dc357dfb0c336f60987611d24f29dc867d8788ca9eff6b.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1480

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\tests.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:2924

\??\c:\admi.exe
admi.exe -p12345 -dc:\
3⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2752

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\install.vbs"
4⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3688

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\install.bat" "
5⤵
- Suspicious use of WriteProcessMemory
PID:3968

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im rutserv.exe
6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4380

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im rfusclient.exe
6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3708

C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\SYSTEM\Remote Manipulator System" /f
6⤵
PID:4688

C:\Windows\SysWOW64\regedit.exe
regedit /s "regedit.reg"
6⤵
- Runs .reg file with regedit
PID:4300

C:\Windows\SysWOW64\timeout.exe
timeout 2
6⤵
- Delays execution with timeout.exe
PID:4924

\??\c:\rutserv.exe
rutserv.exe /silentinstall
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:400

\??\c:\rutserv.exe
rutserv.exe /firewall
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3832

\??\c:\rutserv.exe
rutserv.exe /start
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4788

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\install.bat" "
4⤵
- Suspicious use of WriteProcessMemory
PID:2860

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im rutserv.exe
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1572

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im rfusclient.exe
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1200

C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\SYSTEM\Remote Manipulator System" /f
5⤵
PID:1296

C:\Windows\SysWOW64\regedit.exe
regedit /s "regedit.reg"
5⤵
- Runs .reg file with regedit
PID:4928

C:\Windows\SysWOW64\timeout.exe
timeout 2
5⤵
- Delays execution with timeout.exe
PID:4516

\??\c:\rutserv.exe
rutserv.exe /silentinstall
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1600

\??\c:\rutserv.exe
rutserv.exe /firewall
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2800

\??\c:\rutserv.exe
rutserv.exe /start
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4356

\??\c:\rutserv.exe
c:\rutserv.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3144

\??\c:\rfusclient.exe
c:\rfusclient.exe /tray
2⤵
- Executes dropped EXE
PID:3368

\??\c:\rfusclient.exe
c:\rfusclient.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3932

\??\c:\rfusclient.exe
c:\rfusclient.exe /tray
3⤵
- Executes dropped EXE
- Suspicious behavior: SetClipboardViewer
PID:3504

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\admi.exe
Filesize
4.1MB

MD5
66c240a84a50ff544a5ca49d714c76d4

SHA1
99173116f3c04acadbd943a69a68a030d6513bf1

SHA256
f4da4eb7c0b7e6bbb98162a7fdf558aac39aaf9caf52531cbe2fe41bb46fec2d

SHA512
075a5afbe16ba014b339de380c9689514628c84bbcb8a89321a2a6b41eb9733d48db73b702f03d0cdf4f641c060f2ca7d8e39a059cd70ff382e6e85a58e17943

Download Submit
C:\install.bat
Filesize
289B

MD5
a60d06edbd2b022c5009b0606c1e7481

SHA1
300432e9ebf424dd8e97f405ea2d64c0388c8749

SHA256
b7bdf067aca5eb9fd2b83b2b17195022fb4c684680bcdb278d158e9f77db10a2

SHA512
ded38d51fc5dd90f38a76613646111eb6a44f7d7db01b3e17debff4c779d0f222d7b99820785af1b1d13fa2954557ded03e11a441277668d9dfe729fe824028d

Download Submit
C:\install.vbs
Filesize
117B

MD5
65fc32766a238ff3e95984e325357dbb

SHA1
3ac16a2648410be8aa75f3e2817fbf69bb0e8922

SHA256
a7b067e9e4d44efe579c7cdb1e847d61af2323d3d73c6fffb22e178ae476f420

SHA512
621e81fc2d0f9dd92413481864638a140bee94c7dbd31f944826b21bd6ad6b8a59e63de9f7f0025cffc0efb7f9975dde77f523510ee23ada62c152a63a22f608

Download Submit
C:\rfusclient.exe
Filesize
1.5MB

MD5
b8667a1e84567fcf7821bcefb6a444af

SHA1
9c1f91fe77ad357c8f81205d65c9067a270d61f0

SHA256
dc9d875e659421a51addd8e8a362c926369e84320ab0c5d8bbb1e4d12d372fc9

SHA512
ec6af663a3b41719d684f04504746f91196105ef6f8baa013b4bd02df6684eca49049d5517691f8e3a4ba6351fe35545a27f728b1d29d949e950d574a012f852

Download Submit
C:\rfusclient.exe
Filesize
1.5MB

MD5
b8667a1e84567fcf7821bcefb6a444af

SHA1
9c1f91fe77ad357c8f81205d65c9067a270d61f0

SHA256
dc9d875e659421a51addd8e8a362c926369e84320ab0c5d8bbb1e4d12d372fc9

SHA512
ec6af663a3b41719d684f04504746f91196105ef6f8baa013b4bd02df6684eca49049d5517691f8e3a4ba6351fe35545a27f728b1d29d949e950d574a012f852

Download Submit
C:\rfusclient.exe
Filesize
1.5MB

MD5
b8667a1e84567fcf7821bcefb6a444af

SHA1
9c1f91fe77ad357c8f81205d65c9067a270d61f0

SHA256
dc9d875e659421a51addd8e8a362c926369e84320ab0c5d8bbb1e4d12d372fc9

SHA512
ec6af663a3b41719d684f04504746f91196105ef6f8baa013b4bd02df6684eca49049d5517691f8e3a4ba6351fe35545a27f728b1d29d949e950d574a012f852

Download Submit
C:\rutserv.exe
Filesize
1.7MB

MD5
37a8802017a212bb7f5255abc7857969

SHA1
cb10c0d343c54538d12db8ed664d0a1fa35b6109

SHA256
1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6

SHA512
4e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0

Download Submit
C:\rutserv.exe
Filesize
1.7MB

MD5
37a8802017a212bb7f5255abc7857969

SHA1
cb10c0d343c54538d12db8ed664d0a1fa35b6109

SHA256
1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6

SHA512
4e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0

Download Submit
C:\rutserv.exe
Filesize
1.7MB

MD5
37a8802017a212bb7f5255abc7857969

SHA1
cb10c0d343c54538d12db8ed664d0a1fa35b6109

SHA256
1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6

SHA512
4e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0

Download Submit
C:\rutserv.exe
Filesize
1.7MB

MD5
37a8802017a212bb7f5255abc7857969

SHA1
cb10c0d343c54538d12db8ed664d0a1fa35b6109

SHA256
1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6

SHA512
4e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0

Download Submit
C:\rutserv.exe
Filesize
1.7MB

MD5
37a8802017a212bb7f5255abc7857969

SHA1
cb10c0d343c54538d12db8ed664d0a1fa35b6109

SHA256
1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6

SHA512
4e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0

Download Submit
C:\rutserv.exe
Filesize
1.7MB

MD5
37a8802017a212bb7f5255abc7857969

SHA1
cb10c0d343c54538d12db8ed664d0a1fa35b6109

SHA256
1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6

SHA512
4e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0

Download Submit
C:\rutserv.exe
Filesize
1.7MB

MD5
37a8802017a212bb7f5255abc7857969

SHA1
cb10c0d343c54538d12db8ed664d0a1fa35b6109

SHA256
1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6

SHA512
4e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0

Download Submit
C:\tests.bat
Filesize
22B

MD5
d4b0e840fe4def0621f001fde561e5b9

SHA1
ddb72ac6c5a5eb438ba1c978e48922f9ea30d50f

SHA256
afa70763c180373e6a669f3e5ad09141f5baa03e3d1a40e65e8ba36694c82d66

SHA512
4a1c440735af0db34eabe8698a3e28ab8658d62ecced39aeee2dfeee4a75653221ef91c0362311eb92d9752efe1d24aaf49d0fd191289eb75758ed201bd3f3b6

Download Submit
\??\c:\admi.exe
Filesize
4.1MB

MD5
66c240a84a50ff544a5ca49d714c76d4

SHA1
99173116f3c04acadbd943a69a68a030d6513bf1

SHA256
f4da4eb7c0b7e6bbb98162a7fdf558aac39aaf9caf52531cbe2fe41bb46fec2d

SHA512
075a5afbe16ba014b339de380c9689514628c84bbcb8a89321a2a6b41eb9733d48db73b702f03d0cdf4f641c060f2ca7d8e39a059cd70ff382e6e85a58e17943

Download Submit
\??\c:\regedit.reg
Filesize
11KB

MD5
54b11bea17cfd51834a5e6cc265f1637

SHA1
1aa9823410a37e8e9a11b81b9b33f9e03f310ad7

SHA256
12af76d157ec14db12588aa0e97d2b0e69f822e2e83ba5909fdfd201f90c6378

SHA512
8b534df7d61c8ba1a55d2b51c4aae9074278a22a82a732ce199e08871fc0ff2b50c0db352ab52b3e1abcf9c5efc473ab33180a2df01423ec28203aa561fcbaf2

Download Submit
\??\c:\rfusclient.exe
Filesize
1.5MB

MD5
b8667a1e84567fcf7821bcefb6a444af

SHA1
9c1f91fe77ad357c8f81205d65c9067a270d61f0

SHA256
dc9d875e659421a51addd8e8a362c926369e84320ab0c5d8bbb1e4d12d372fc9

SHA512
ec6af663a3b41719d684f04504746f91196105ef6f8baa013b4bd02df6684eca49049d5517691f8e3a4ba6351fe35545a27f728b1d29d949e950d574a012f852

Download Submit
\??\c:\rutserv.exe
Filesize
1.7MB

MD5
37a8802017a212bb7f5255abc7857969

SHA1
cb10c0d343c54538d12db8ed664d0a1fa35b6109

SHA256
1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6

SHA512
4e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0

Download Submit
\??\c:\vp8decoder.dll
Filesize
155KB

MD5
88318158527985702f61d169434a4940

SHA1
3cc751ba256b5727eb0713aad6f554ff1e7bca57

SHA256
4c04d7968a9fe9d9258968d3a722263334bbf5f8af972f206a71f17fa293aa74

SHA512
5d88562b6c6d2a5b14390512712819238cd838914f7c48a27f017827cb9b825c24ff05a30333427acec93cd836e8f04158b86d17e6ac3dd62c55b2e2ff4e2aff

Download Submit
\??\c:\vp8encoder.dll
Filesize
593KB

MD5
6298c0af3d1d563834a218a9cc9f54bd

SHA1
0185cd591e454ed072e5a5077b25c612f6849dc9

SHA256
81af82019d9f45a697a8ca1788f2c5c0205af9892efd94879dedf4bc06db4172

SHA512
389d89053689537cdb582c0e8a7951a84549f0c36484db4346c31bdbe7cb93141f6a354069eb13e550297dc8ec35cd6899746e0c16abc876a0fe542cc450fffe

Download Submit
memory/400-159-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/400-164-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/400-153-0x0000000000000000-mapping.dmp

Download
memory/400-169-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/400-168-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/400-166-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/400-162-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1200-145-0x0000000000000000-mapping.dmp

Download
memory/1296-146-0x0000000000000000-mapping.dmp

Download
memory/1572-141-0x0000000000000000-mapping.dmp

Download
memory/1600-165-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1600-163-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1600-161-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1600-154-0x0000000000000000-mapping.dmp

Download
memory/1600-160-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1600-167-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1600-170-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1600-158-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/2752-134-0x0000000000000000-mapping.dmp

Download
memory/2800-185-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/2800-183-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/2800-188-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/2800-182-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/2800-184-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/2800-176-0x0000000000000000-mapping.dmp

Download
memory/2800-181-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/2860-138-0x0000000000000000-mapping.dmp

Download
memory/2924-132-0x0000000000000000-mapping.dmp

Download
memory/3144-209-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/3144-208-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/3144-207-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/3144-205-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/3144-204-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/3368-222-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/3368-214-0x0000000000000000-mapping.dmp

Download
memory/3368-224-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/3368-225-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/3368-220-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/3368-228-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/3368-218-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/3504-236-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/3504-237-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/3504-238-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/3504-230-0x0000000000000000-mapping.dmp

Download
memory/3504-232-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/3504-233-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/3504-234-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/3504-235-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/3688-137-0x0000000000000000-mapping.dmp

Download
memory/3708-144-0x0000000000000000-mapping.dmp

Download
memory/3832-173-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/3832-180-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/3832-186-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/3832-171-0x0000000000000000-mapping.dmp

Download
memory/3832-174-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/3832-175-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/3832-177-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/3832-178-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/3932-221-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/3932-219-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/3932-213-0x0000000000000000-mapping.dmp

Download
memory/3932-229-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/3932-227-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/3932-226-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/3932-223-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/3968-142-0x0000000000000000-mapping.dmp

Download
memory/4300-149-0x0000000000000000-mapping.dmp

Download
memory/4356-200-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/4356-196-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/4356-198-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/4356-194-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/4356-206-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/4356-187-0x0000000000000000-mapping.dmp

Download
memory/4356-201-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/4380-143-0x0000000000000000-mapping.dmp

Download
memory/4516-151-0x0000000000000000-mapping.dmp

Download
memory/4688-147-0x0000000000000000-mapping.dmp

Download
memory/4788-217-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/4788-197-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/4788-199-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/4788-195-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/4788-193-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/4788-192-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/4788-190-0x0000000000000000-mapping.dmp

Download
memory/4788-202-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/4924-152-0x0000000000000000-mapping.dmp

Download
memory/4928-148-0x0000000000000000-mapping.dmp

Download