rms | 1a0066f09f9b09aea075bbd592cc4fb1cc2e56ccdcc31ff4816af4f059e66efd

Analysis

max time kernel
149s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
02-05-2023 05:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Device/HarddiskVolume2/Windows/Fonts/win/rat.exe
Size

4.5MB
MD5

6029a73df701b89e8f2e63b81d573f8b
SHA1

4ccc0cf864b754c16cd59e3a91a2b5ffce111ffc
SHA256

a021d50b43316b250731b984a8922f07b688ba02be9d43767c82a382d614309f
SHA512

a4bd3d2dae496935604dcd64c2f23c495f025d4f35d7ce2696f8d619c65371e74a755cd4ea245b41e40fe82545a5ca9eeeed6c6b2f08e7e1bbb653e6ed560473
SSDEEP

98304:Ls5akhSst3Wbbiddqxm3nrktVwImIf3qXgv2/sgOML87xyXmA9faSS:4ayWf4dqxm3rkPwIfqQv2/sgrL87x8mJ

Score

10^/10

rms evasion rat trojan

Malware Config

Signatures

RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms

Sets file to hidden 1 TTPs 1 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1158

Processes:

attrib.exe

pid	Process
4704	attrib.exe

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

rat.exeWinInstall.exeWinMediaInstall.exedrv_install(x86).exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	rat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	WinInstall.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	WinMediaInstall.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	drv_install(x86).exe

Executes dropped EXE 10 IoCs

Processes:

WinInstall.exeWinMediaInstall.exedrv_install(x86).exetaskwow.exetaskwow.exetaskwow.exetaskwow.exesysnetwork.exesysnetwork.exesysnetwork.exe

pid	Process
1516	WinInstall.exe
3988	WinMediaInstall.exe
4648	drv_install(x86).exe
4192	taskwow.exe
4688	taskwow.exe
3172	taskwow.exe
4956	taskwow.exe
2152	sysnetwork.exe
2344	sysnetwork.exe
4476	sysnetwork.exe

Drops file in System32 directory 3 IoCs

Processes:

taskwow.exe

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\symbols\exe\taskwow.pdb	taskwow.exe
File opened for modification	C:\Windows\SysWOW64\taskwow.pdb	taskwow.exe
File opened for modification	C:\Windows\SysWOW64\exe\taskwow.pdb	taskwow.exe

Drops file in Windows directory 30 IoCs

Processes:

rat.exeWinMediaInstall.exedrv_install(x86).exeattrib.exetaskwow.exe

description	ioc	Process
File opened for modification	C:\Windows\INF\BRS	rat.exe
File created	C:\Windows\INF\BRS\vp8decoder.dll	WinMediaInstall.exe
File created	C:\Windows\INF\BRS\russian.lg	WinMediaInstall.exe
File opened for modification	C:\Windows\INF\BRS\SystemInstall.bat	WinMediaInstall.exe
File created	C:\Windows\INF\BRS\WinInstall.exe	rat.exe
File created	C:\Windows\INF\BRS\sysnetwork.exe	WinMediaInstall.exe
File created	C:\Windows\INF\BRS\drv_install(x86).exe	WinMediaInstall.exe
File created	C:\Windows\INF\BRS\SystemAPI.dat	drv_install(x86).exe
File opened for modification	C:\Windows\INF\BRS\WinInstall.exe	rat.exe
File opened for modification	C:\Windows\INF\BRS\vp8decoder.dll	WinMediaInstall.exe
File opened for modification	C:\Windows\INF\BRS\russian.lg	WinMediaInstall.exe
File created	C:\Windows\INF\BRS\taskwow.exe	WinMediaInstall.exe
File created	C:\Windows\INF\BRS\__tmp_rar_sfx_access_check_240543703	rat.exe
File opened for modification	C:\Windows\INF\BRS\WinInstall.bat	rat.exe
File opened for modification	C:\Windows\INF\BRS\SystemInstall2.bat	WinMediaInstall.exe
File opened for modification	C:\Windows\INF\BRS\drv_install(x86).exe	WinMediaInstall.exe
File opened for modification	C:\Windows\INF\BRS	attrib.exe
File opened for modification	C:\Windows\INF\BRS\WinMediaInstall.exe	rat.exe
File created	C:\Windows\INF\BRS\SystemInstall.bat	WinMediaInstall.exe
File opened for modification	C:\Windows\INF\BRS\sysnetwork.exe	WinMediaInstall.exe
File opened for modification	C:\Windows\INF\BRS\taskwow.pdb	taskwow.exe
File opened for modification	C:\Windows\INF\BRS\vp8encoder.dll	WinMediaInstall.exe
File created	C:\Windows\INF\BRS\SystemInstall2.bat	WinMediaInstall.exe
File created	C:\Windows\INF\BRS\WinMediaInstall.exe	rat.exe
File created	C:\Windows\INF\BRS\WinInstall.bat	rat.exe
File opened for modification	C:\Windows\INF\BRS\drv_set.reg	rat.exe
File created	C:\Windows\INF\BRS\__tmp_rar_sfx_access_check_240552609	WinMediaInstall.exe
File created	C:\Windows\INF\BRS\drv_set.reg	rat.exe
File created	C:\Windows\INF\BRS\vp8encoder.dll	WinMediaInstall.exe
File opened for modification	C:\Windows\INF\BRS\taskwow.exe	WinMediaInstall.exe

Launches sc.exe 12 IoCs

Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid	Process
3136	sc.exe
3244	sc.exe
4804	sc.exe
1048	sc.exe
1892	sc.exe
4360	sc.exe
692	sc.exe
3896	sc.exe
3576	sc.exe
4188	sc.exe
4712	sc.exe
2844	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 5 IoCs

evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exetimeout.exe

pid	Process
3036	timeout.exe
3224	timeout.exe
1876	timeout.exe
3396	timeout.exe
1976	timeout.exe

Kills process with taskkill 4 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	Process
4812	taskkill.exe
4056	taskkill.exe
4332	taskkill.exe
3680	taskkill.exe

Runs .reg file with regedit 1 IoCs

Processes:

regedit.exe

pid	Process
3008	regedit.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

taskwow.exetaskwow.exetaskwow.exetaskwow.exesysnetwork.exe

pid	Process
4192	taskwow.exe
4192	taskwow.exe
4192	taskwow.exe
4192	taskwow.exe
4192	taskwow.exe
4192	taskwow.exe
4688	taskwow.exe
4688	taskwow.exe
3172	taskwow.exe
3172	taskwow.exe
4956	taskwow.exe
4956	taskwow.exe
4956	taskwow.exe
4956	taskwow.exe
4956	taskwow.exe
4956	taskwow.exe
2152	sysnetwork.exe
2152	sysnetwork.exe

Suspicious behavior: SetClipboardViewer 1 IoCs

Processes:

sysnetwork.exe

pid	Process
4476	sysnetwork.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskwow.exetaskwow.exetaskwow.exe

description	pid	Process
Token: SeDebugPrivilege	4812	taskkill.exe
Token: SeDebugPrivilege	4056	taskkill.exe
Token: SeDebugPrivilege	4332	taskkill.exe
Token: SeDebugPrivilege	3680	taskkill.exe
Token: SeDebugPrivilege	4192	taskwow.exe
Token: SeDebugPrivilege	3172	taskwow.exe
Token: SeTakeOwnershipPrivilege	4956	taskwow.exe
Token: SeTcbPrivilege	4956	taskwow.exe
Token: SeTcbPrivilege	4956	taskwow.exe

Suspicious use of SetWindowsHookEx 11 IoCs

Processes:

WinInstall.exeWinMediaInstall.exedrv_install(x86).execmd.exetaskwow.exetaskwow.exetaskwow.exetaskwow.exe

pid	Process
1516	WinInstall.exe
3988	WinMediaInstall.exe
4648	drv_install(x86).exe
3812	cmd.exe
4192	taskwow.exe
4192	taskwow.exe
4688	taskwow.exe
4688	taskwow.exe
3172	taskwow.exe
3172	taskwow.exe
4956	taskwow.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

rat.exeWinInstall.execmd.exeWinMediaInstall.exedrv_install(x86).execmd.exe

description	pid	Process	procid_target
PID 4484 wrote to memory of 1516	4484	rat.exe	82
PID 4484 wrote to memory of 1516	4484	rat.exe	82
PID 4484 wrote to memory of 1516	4484	rat.exe	82
PID 1516 wrote to memory of 3076	1516	WinInstall.exe	87
PID 1516 wrote to memory of 3076	1516	WinInstall.exe	87
PID 1516 wrote to memory of 3076	1516	WinInstall.exe	87
PID 3076 wrote to memory of 3988	3076	cmd.exe	89
PID 3076 wrote to memory of 3988	3076	cmd.exe	89
PID 3076 wrote to memory of 3988	3076	cmd.exe	89
PID 3988 wrote to memory of 4648	3988	WinMediaInstall.exe	91
PID 3988 wrote to memory of 4648	3988	WinMediaInstall.exe	91
PID 3988 wrote to memory of 4648	3988	WinMediaInstall.exe	91
PID 4648 wrote to memory of 3812	4648	drv_install(x86).exe	94
PID 4648 wrote to memory of 3812	4648	drv_install(x86).exe	94
PID 4648 wrote to memory of 3812	4648	drv_install(x86).exe	94
PID 3812 wrote to memory of 4704	3812	cmd.exe	96
PID 3812 wrote to memory of 4704	3812	cmd.exe	96
PID 3812 wrote to memory of 4704	3812	cmd.exe	96
PID 3812 wrote to memory of 1892	3812	cmd.exe	97
PID 3812 wrote to memory of 1892	3812	cmd.exe	97
PID 3812 wrote to memory of 1892	3812	cmd.exe	97
PID 3812 wrote to memory of 4712	3812	cmd.exe	98
PID 3812 wrote to memory of 4712	3812	cmd.exe	98
PID 3812 wrote to memory of 4712	3812	cmd.exe	98
PID 3812 wrote to memory of 2844	3812	cmd.exe	99
PID 3812 wrote to memory of 2844	3812	cmd.exe	99
PID 3812 wrote to memory of 2844	3812	cmd.exe	99
PID 3812 wrote to memory of 692	3812	cmd.exe	100
PID 3812 wrote to memory of 692	3812	cmd.exe	100
PID 3812 wrote to memory of 692	3812	cmd.exe	100
PID 3812 wrote to memory of 4360	3812	cmd.exe	101
PID 3812 wrote to memory of 4360	3812	cmd.exe	101
PID 3812 wrote to memory of 4360	3812	cmd.exe	101
PID 3812 wrote to memory of 3036	3812	cmd.exe	102
PID 3812 wrote to memory of 3036	3812	cmd.exe	102
PID 3812 wrote to memory of 3036	3812	cmd.exe	102
PID 3812 wrote to memory of 3896	3812	cmd.exe	103
PID 3812 wrote to memory of 3896	3812	cmd.exe	103
PID 3812 wrote to memory of 3896	3812	cmd.exe	103
PID 3812 wrote to memory of 3136	3812	cmd.exe	104
PID 3812 wrote to memory of 3136	3812	cmd.exe	104
PID 3812 wrote to memory of 3136	3812	cmd.exe	104
PID 3812 wrote to memory of 3244	3812	cmd.exe	105
PID 3812 wrote to memory of 3244	3812	cmd.exe	105
PID 3812 wrote to memory of 3244	3812	cmd.exe	105
PID 3812 wrote to memory of 3576	3812	cmd.exe	106
PID 3812 wrote to memory of 3576	3812	cmd.exe	106
PID 3812 wrote to memory of 3576	3812	cmd.exe	106
PID 3812 wrote to memory of 4188	3812	cmd.exe	107
PID 3812 wrote to memory of 4188	3812	cmd.exe	107
PID 3812 wrote to memory of 4188	3812	cmd.exe	107
PID 3812 wrote to memory of 3224	3812	cmd.exe	108
PID 3812 wrote to memory of 3224	3812	cmd.exe	108
PID 3812 wrote to memory of 3224	3812	cmd.exe	108
PID 3812 wrote to memory of 4812	3812	cmd.exe	109
PID 3812 wrote to memory of 4812	3812	cmd.exe	109
PID 3812 wrote to memory of 4812	3812	cmd.exe	109
PID 3812 wrote to memory of 4056	3812	cmd.exe	110
PID 3812 wrote to memory of 4056	3812	cmd.exe	110
PID 3812 wrote to memory of 4056	3812	cmd.exe	110
PID 3812 wrote to memory of 4332	3812	cmd.exe	111
PID 3812 wrote to memory of 4332	3812	cmd.exe	111
PID 3812 wrote to memory of 4332	3812	cmd.exe	111
PID 3812 wrote to memory of 3680	3812	cmd.exe	112

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Processes:

attrib.exe

pid	Process
4704	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume2\Windows\Fonts\win\rat.exe
"C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume2\Windows\Fonts\win\rat.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4484
- C:\Windows\INF\BRS\WinInstall.exe
  "C:\Windows\INF\BRS\WinInstall.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1516
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Windows\INF\BRS\WinInstall.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3076
  - - C:\Windows\INF\BRS\WinMediaInstall.exe
      WinMediaInstall.exe -p8435748345902389057896849090582398548969335785378899258745792
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3988
    - - C:\Windows\INF\BRS\drv_install(x86).exe
        
        "C:\Windows\INF\BRS\drv_install(x86).exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4648
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Windows\INF\BRS\SystemInstall.bat" "
        6⤵
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3812
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "C:\Windows\INF\BRS"
        7⤵
        Sets file to hidden
        Drops file in Windows directory
        Views/modifies file attributes
        
        PID:4704
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop AdobeReader
        7⤵
        Launches sc.exe
        
        PID:1892
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop RManService
        7⤵
        Launches sc.exe
        
        PID:4712
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop XPSHardware
        7⤵
        Launches sc.exe
        
        PID:2844
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop TaskOwnHost
        7⤵
        Launches sc.exe
        
        PID:692
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop TaskNetHost
        7⤵
        Launches sc.exe
        
        PID:4360
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 2
        7⤵
        Delays execution with timeout.exe
        
        PID:3036
        
        C:\Windows\SysWOW64\sc.exe
        
        sc delete AdobeReader
        7⤵
        Launches sc.exe
        
        PID:3896
        
        C:\Windows\SysWOW64\sc.exe
        
        sc delete RManService
        7⤵
        Launches sc.exe
        
        PID:3136
        
        C:\Windows\SysWOW64\sc.exe
        
        sc delete XPSHardware
        7⤵
        Launches sc.exe
        
        PID:3244
        
        C:\Windows\SysWOW64\sc.exe
        
        sc delete TaskOwnHost
        7⤵
        Launches sc.exe
        
        PID:3576
        
        C:\Windows\SysWOW64\sc.exe
        
        sc delete TaskNetHost
        7⤵
        Launches sc.exe
        
        PID:4188
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 2
        7⤵
        Delays execution with timeout.exe
        
        PID:3224
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im rfusclient.exe /f
        7⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4812
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im rutserv.exe /f
        7⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4056
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im WUDLicense.exe /f
        7⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4332
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im xpsrchv.exe /f
        7⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:3680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKLM\SYSTEM\Hardware Service\SysWOW64" /f
        7⤵
        
        PID:1636
        
        C:\Windows\INF\BRS\taskwow.exe
        
        "C:\Windows\INF\BRS\taskwow.exe" /silentinstall
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:4192
        
        C:\Windows\INF\BRS\taskwow.exe
        
        "C:\Windows\INF\BRS\taskwow.exe" /firewall
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4688
        
        C:\Windows\SysWOW64\regedit.exe
        
        regedit /s "C:\Windows\INF\BRS\drv_set.reg"
        7⤵
        Runs .reg file with regedit
        
        PID:3008
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 1
        7⤵
        Delays execution with timeout.exe
        
        PID:1876
        
        C:\Windows\SysWOW64\sc.exe
        
        sc failure TaskNetHost reset= 0 actions= restart/1000/restart/1000/restart/1000
        7⤵
        Launches sc.exe
        
        PID:4804
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 1
        7⤵
        Delays execution with timeout.exe
        
        PID:3396
        
        C:\Windows\SysWOW64\sc.exe
        
        sc config TaskNetHost obj= LocalSystem type= interact type= own
        7⤵
        Launches sc.exe
        
        PID:1048
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 1
        7⤵
        Delays execution with timeout.exe
        
        PID:1976
        
        C:\Windows\INF\BRS\taskwow.exe
        
        "C:\Windows\INF\BRS\taskwow.exe" /start
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:3172

C:\Windows\INF\BRS\taskwow.exe
C:\Windows\INF\BRS\taskwow.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4956
- C:\Windows\INF\BRS\sysnetwork.exe
  C:\Windows\INF\BRS\sysnetwork.exe /tray
  2⤵
  - Executes dropped EXE
  PID:2344
- C:\Windows\INF\BRS\sysnetwork.exe
  C:\Windows\INF\BRS\sysnetwork.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2152
- - C:\Windows\INF\BRS\sysnetwork.exe
    C:\Windows\INF\BRS\sysnetwork.exe /tray
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: SetClipboardViewer
    PID:4476

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Impair Defenses

T1562

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\INF\BRS\SystemInstall.bat

Filesize
941B

MD5
2dbff946fe1700a5acf205cc3abd7810

SHA1
1062bc639c9023ee5e3e54f70bcb378e0d41743e

SHA256
e890094a2f813d69d21c1ea8e030914ce8f124f931ad4eb730b20164f2088497

SHA512
6eea2271a4dcd8651248ff42c66777b5dc40ba9cc7ed357d9ddf6f95331738e2d96f3b8f30604bc0eaa1963cf598c86c549467b036fd76d40285757a840de0f0

Download Submit
C:\Windows\INF\BRS\WinInstall.bat

Filesize
102B

MD5
06346e26022153e79a781bf4486e8222

SHA1
aa9004bf77314d930d6c86ae92170508fef38886

SHA256
3fa543e5cf1e4c3e52da162942af77317b9f120ea5f2f3f5da7402538b3c4038

SHA512
51c94eada1222fbd1478895e3a67c4e9699756a71ea48117b0018a619d060f4d08ee590be14f3e95dd9dc9b2dc27e0da3c149fe9b07a7dfec95ef6f2d3a1a7b7

Download Submit
C:\Windows\INF\BRS\WinInstall.exe

Filesize
407KB

MD5
f8eb3df4f37fda6de206d22d4040d959

SHA1
0f5b163a8ff6d654505044f1f64c9fe079467e0d

SHA256
6dc52fe1075cef92784a5faf7ec334fc506267c285c28641b834264297bced3f

SHA512
219758971c378f13e039f6aea8857b6942e8244edbf651c46742cda062c712ff678f7a3c15621f301832282c6a3dec147f1bfe1333328c17fb2b340abeda08e3

Download Submit
C:\Windows\INF\BRS\WinInstall.exe

Filesize
407KB

MD5
f8eb3df4f37fda6de206d22d4040d959

SHA1
0f5b163a8ff6d654505044f1f64c9fe079467e0d

SHA256
6dc52fe1075cef92784a5faf7ec334fc506267c285c28641b834264297bced3f

SHA512
219758971c378f13e039f6aea8857b6942e8244edbf651c46742cda062c712ff678f7a3c15621f301832282c6a3dec147f1bfe1333328c17fb2b340abeda08e3

Download Submit
C:\Windows\INF\BRS\WinInstall.exe

Filesize
407KB

MD5
f8eb3df4f37fda6de206d22d4040d959

SHA1
0f5b163a8ff6d654505044f1f64c9fe079467e0d

SHA256
6dc52fe1075cef92784a5faf7ec334fc506267c285c28641b834264297bced3f

SHA512
219758971c378f13e039f6aea8857b6942e8244edbf651c46742cda062c712ff678f7a3c15621f301832282c6a3dec147f1bfe1333328c17fb2b340abeda08e3

Download Submit
C:\Windows\INF\BRS\WinMediaInstall.exe

Filesize
4.2MB

MD5
2bd83564eada3e9b2fa3bf2f36f70b47

SHA1
66b05f8903ac378aa814cce12904c137900e45e5

SHA256
5a1178e9ca0dbc637f477b175e276d65805d8dd007b1018fc9d1bb2f26a480fb

SHA512
82669bb6bfa6b9bbef3dbc22eab760c14d79d32cc2d3340a214531de2d36184a8f4379caae8ed0145955c1a0754fb2a15a3dd24e6ec798af67194798cd5a432d

Download Submit
C:\Windows\INF\BRS\WinMediaInstall.exe

Filesize
4.2MB

MD5
2bd83564eada3e9b2fa3bf2f36f70b47

SHA1
66b05f8903ac378aa814cce12904c137900e45e5

SHA256
5a1178e9ca0dbc637f477b175e276d65805d8dd007b1018fc9d1bb2f26a480fb

SHA512
82669bb6bfa6b9bbef3dbc22eab760c14d79d32cc2d3340a214531de2d36184a8f4379caae8ed0145955c1a0754fb2a15a3dd24e6ec798af67194798cd5a432d

Download Submit
C:\Windows\INF\BRS\drv_install(x86).exe

Filesize
401KB

MD5
480facdf7e8261db9641e576639734b1

SHA1
78dd51e3d2cdb938b03354b2a67b01b5f9889d29

SHA256
beb5201115673a694cdd6f94ffe7c59c4d0b75fa04f02257b1195b828b2efbf3

SHA512
7b5a26770d70f011c0cf686d7028a4657ffbcb4deea5fb3fb875e2fbccb7ff4ce54db8911bbbe973bdc3f3674e18bb1611ed7efc577289c46bef09f084491546

Download Submit
C:\Windows\INF\BRS\drv_install(x86).exe

Filesize
401KB

MD5
480facdf7e8261db9641e576639734b1

SHA1
78dd51e3d2cdb938b03354b2a67b01b5f9889d29

SHA256
beb5201115673a694cdd6f94ffe7c59c4d0b75fa04f02257b1195b828b2efbf3

SHA512
7b5a26770d70f011c0cf686d7028a4657ffbcb4deea5fb3fb875e2fbccb7ff4ce54db8911bbbe973bdc3f3674e18bb1611ed7efc577289c46bef09f084491546

Download Submit
C:\Windows\INF\BRS\drv_install(x86).exe

Filesize
401KB

MD5
480facdf7e8261db9641e576639734b1

SHA1
78dd51e3d2cdb938b03354b2a67b01b5f9889d29

SHA256
beb5201115673a694cdd6f94ffe7c59c4d0b75fa04f02257b1195b828b2efbf3

SHA512
7b5a26770d70f011c0cf686d7028a4657ffbcb4deea5fb3fb875e2fbccb7ff4ce54db8911bbbe973bdc3f3674e18bb1611ed7efc577289c46bef09f084491546

Download Submit
C:\Windows\INF\BRS\drv_set.reg

Filesize
11KB

MD5
fac6ee7d0341aa30335558767c617f85

SHA1
03149a9b48735cdee2b23025d00c6e2f9db795b7

SHA256
41cfe9ea3021559b8c867b9796f9795cd64ea21009b744b457d676c62429ef83

SHA512
d7e9b32f802a181874555111edf5290b577ab7b0b7e9a0476deab48942f50bdaef1db6dfa19ebd34c831af1d1e2f3c4b7b000e9be02c2f6c3ffc29493bfcdb27

Download Submit
C:\Windows\INF\BRS\russian.lg

Filesize
48KB

MD5
e44e34bc285b709f08f967325d9c8be1

SHA1
e73f05c6a980ec9d006930c5343955f89579b409

SHA256
1d99a7b5f7b3daa61fa773972b1e335aa09b92411484f6ddc99d2b2894455a5b

SHA512
576b292b6e9cf022822443e050994462a6cbd9a3c60063bae9f54c78a84e75e17bb5eddf7e259a22a9d93f757cb6536c503762e2a30e75091e40c2756cde8727

Download Submit
C:\Windows\INF\BRS\sysnetwork.exe

Filesize
5.1MB

MD5
541f31868dbaa3f2d561a099f6ea948c

SHA1
9102092f569eab2395202438d55d77667dcebb81

SHA256
19ef95b96cfbcc359b62ce09a843b240e0f32d97ac738dde4dc7c895053ae6bb

SHA512
c52077233241764bfc939730d0f9a8c590e0b93f1c2e61c2867bcb176586669493b95bf8fa570f233f4f7f7032e45c0122c4e3fe930e390748cabc947a4908a3

Download Submit
C:\Windows\INF\BRS\sysnetwork.exe

Filesize
5.1MB

MD5
541f31868dbaa3f2d561a099f6ea948c

SHA1
9102092f569eab2395202438d55d77667dcebb81

SHA256
19ef95b96cfbcc359b62ce09a843b240e0f32d97ac738dde4dc7c895053ae6bb

SHA512
c52077233241764bfc939730d0f9a8c590e0b93f1c2e61c2867bcb176586669493b95bf8fa570f233f4f7f7032e45c0122c4e3fe930e390748cabc947a4908a3

Download Submit
C:\Windows\INF\BRS\sysnetwork.exe

Filesize
5.1MB

MD5
541f31868dbaa3f2d561a099f6ea948c

SHA1
9102092f569eab2395202438d55d77667dcebb81

SHA256
19ef95b96cfbcc359b62ce09a843b240e0f32d97ac738dde4dc7c895053ae6bb

SHA512
c52077233241764bfc939730d0f9a8c590e0b93f1c2e61c2867bcb176586669493b95bf8fa570f233f4f7f7032e45c0122c4e3fe930e390748cabc947a4908a3

Download Submit
C:\Windows\INF\BRS\sysnetwork.exe

Filesize
5.1MB

MD5
541f31868dbaa3f2d561a099f6ea948c

SHA1
9102092f569eab2395202438d55d77667dcebb81

SHA256
19ef95b96cfbcc359b62ce09a843b240e0f32d97ac738dde4dc7c895053ae6bb

SHA512
c52077233241764bfc939730d0f9a8c590e0b93f1c2e61c2867bcb176586669493b95bf8fa570f233f4f7f7032e45c0122c4e3fe930e390748cabc947a4908a3

Download Submit
C:\Windows\INF\BRS\taskwow.exe

Filesize
6.0MB

MD5
fcf84c57a6e7b59ae4fb1e4b2f4ae683

SHA1
78475df7b944d352aaea9f5442bf9b40b63b596b

SHA256
e24127654aa4b8ead239d26e8b19e617f8b2a4982b615d6adff1e8f252000c3b

SHA512
901e10fa0e15db7b056c38744a64753e2839b217c8f47bc7ad705073eb97d189584a05c8e64c257b580864afe49d4f9c394956c78beed2d0a7b23c76365f4db1

Download Submit
C:\Windows\INF\BRS\taskwow.exe

Filesize
6.0MB

MD5
fcf84c57a6e7b59ae4fb1e4b2f4ae683

SHA1
78475df7b944d352aaea9f5442bf9b40b63b596b

SHA256
e24127654aa4b8ead239d26e8b19e617f8b2a4982b615d6adff1e8f252000c3b

SHA512
901e10fa0e15db7b056c38744a64753e2839b217c8f47bc7ad705073eb97d189584a05c8e64c257b580864afe49d4f9c394956c78beed2d0a7b23c76365f4db1

Download Submit
C:\Windows\INF\BRS\taskwow.exe

Filesize
6.0MB

MD5
fcf84c57a6e7b59ae4fb1e4b2f4ae683

SHA1
78475df7b944d352aaea9f5442bf9b40b63b596b

SHA256
e24127654aa4b8ead239d26e8b19e617f8b2a4982b615d6adff1e8f252000c3b

SHA512
901e10fa0e15db7b056c38744a64753e2839b217c8f47bc7ad705073eb97d189584a05c8e64c257b580864afe49d4f9c394956c78beed2d0a7b23c76365f4db1

Download Submit
C:\Windows\INF\BRS\taskwow.exe

Filesize
6.0MB

MD5
fcf84c57a6e7b59ae4fb1e4b2f4ae683

SHA1
78475df7b944d352aaea9f5442bf9b40b63b596b

SHA256
e24127654aa4b8ead239d26e8b19e617f8b2a4982b615d6adff1e8f252000c3b

SHA512
901e10fa0e15db7b056c38744a64753e2839b217c8f47bc7ad705073eb97d189584a05c8e64c257b580864afe49d4f9c394956c78beed2d0a7b23c76365f4db1

Download Submit
C:\Windows\INF\BRS\taskwow.exe

Filesize
6.0MB

MD5
fcf84c57a6e7b59ae4fb1e4b2f4ae683

SHA1
78475df7b944d352aaea9f5442bf9b40b63b596b

SHA256
e24127654aa4b8ead239d26e8b19e617f8b2a4982b615d6adff1e8f252000c3b

SHA512
901e10fa0e15db7b056c38744a64753e2839b217c8f47bc7ad705073eb97d189584a05c8e64c257b580864afe49d4f9c394956c78beed2d0a7b23c76365f4db1

Download Submit
C:\Windows\INF\BRS\vp8decoder.dll

Filesize
378KB

MD5
d43fa82fab5337ce20ad14650085c5d9

SHA1
678aa092075ff65b6815ffc2d8fdc23af8425981

SHA256
c022958429edd94bfe31f2eacfe24ff6b45d6f12747725c449a36116373de03b

SHA512
103e61a9f58df03316676a074487e50ec518479c11068df3736df139b85c7671048c65bce0ef2c55b3c50c61fde54e9e6c7d1b795aea71263ae94c91d4874e0d

Download Submit
C:\Windows\INF\BRS\vp8encoder.dll

Filesize
1.6MB

MD5
dab4646806dfca6d0e0b4d80fa9209d6

SHA1
8244dfe22ec2090eee89dad103e6b2002059d16a

SHA256
cb6ef96d3a66ef08ec2c8640b751a52d6d4f4530cf01162a69966f0fd5153587

SHA512
aa5eb93bf23a10de797d6fb52a55a95d36bc48927c76fedd81e0c48872745cb7f7d1b3f230eaae42fd4e79b6a59ca707e56bd6963b03644cbd5984f11e98d6e7

Download Submit
memory/1516-148-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1516-149-0x00000000020D0000-0x00000000020D1000-memory.dmp

Filesize
4KB

Download
memory/1516-151-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2152-216-0x0000000000B60000-0x0000000000B61000-memory.dmp

Filesize
4KB

Download
memory/2152-204-0x0000000000B60000-0x0000000000B61000-memory.dmp

Filesize
4KB

Download
memory/2152-207-0x0000000000400000-0x00000000009A8000-memory.dmp

Filesize
5.7MB

Download
memory/2152-213-0x0000000000400000-0x00000000009A8000-memory.dmp

Filesize
5.7MB

Download
memory/2344-223-0x0000000000400000-0x00000000009A8000-memory.dmp

Filesize
5.7MB

Download
memory/2344-219-0x0000000000400000-0x00000000009A8000-memory.dmp

Filesize
5.7MB

Download
memory/2344-203-0x0000000000400000-0x00000000009A8000-memory.dmp

Filesize
5.7MB

Download
memory/2344-240-0x0000000000400000-0x00000000009A8000-memory.dmp

Filesize
5.7MB

Download
memory/2344-208-0x0000000002850000-0x0000000002851000-memory.dmp

Filesize
4KB

Download
memory/2344-214-0x0000000000400000-0x00000000009A8000-memory.dmp

Filesize
5.7MB

Download
memory/2344-230-0x0000000000400000-0x00000000009A8000-memory.dmp

Filesize
5.7MB

Download
memory/3172-193-0x0000000002960000-0x0000000002961000-memory.dmp

Filesize
4KB

Download
memory/3172-202-0x0000000000400000-0x0000000000A9F000-memory.dmp

Filesize
6.6MB

Download
memory/3172-192-0x0000000000400000-0x0000000000A9F000-memory.dmp

Filesize
6.6MB

Download
memory/4192-244-0x0000000000400000-0x0000000000A9F000-memory.dmp

Filesize
6.6MB

Download
memory/4192-186-0x0000000000400000-0x0000000000A9F000-memory.dmp

Filesize
6.6MB

Download
memory/4476-211-0x0000000000400000-0x00000000009A8000-memory.dmp

Filesize
5.7MB

Download
memory/4476-210-0x0000000000400000-0x00000000009A8000-memory.dmp

Filesize
5.7MB

Download
memory/4648-178-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/4648-179-0x0000000000530000-0x0000000000531000-memory.dmp

Filesize
4KB

Download
memory/4648-182-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/4688-188-0x0000000000400000-0x0000000000A9F000-memory.dmp

Filesize
6.6MB

Download
memory/4956-221-0x0000000000400000-0x0000000000A9F000-memory.dmp

Filesize
6.6MB

Download
memory/4956-212-0x0000000000400000-0x0000000000A9F000-memory.dmp

Filesize
6.6MB

Download
memory/4956-201-0x0000000000C50000-0x0000000000C51000-memory.dmp

Filesize
4KB

Download
memory/4956-224-0x0000000000400000-0x0000000000A9F000-memory.dmp

Filesize
6.6MB

Download
memory/4956-228-0x0000000000400000-0x0000000000A9F000-memory.dmp

Filesize
6.6MB

Download
memory/4956-217-0x0000000000400000-0x0000000000A9F000-memory.dmp

Filesize
6.6MB

Download
memory/4956-238-0x0000000000400000-0x0000000000A9F000-memory.dmp

Filesize
6.6MB

Download
memory/4956-199-0x0000000000400000-0x0000000000A9F000-memory.dmp

Filesize
6.6MB

Download
memory/4956-215-0x0000000000C50000-0x0000000000C51000-memory.dmp

Filesize
4KB

Download
memory/4956-249-0x0000000000400000-0x0000000000A9F000-memory.dmp

Filesize
6.6MB

Download