rms | 1a0066f09f9b09aea075bbd592cc4fb1cc2e56ccdcc31ff4816af4f059e66efd

Analysis

max time kernel
149s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
02-05-2023 05:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Device/HarddiskVolume2/Windows/Fonts/win/rat.exe
Size

4.5MB
MD5

6029a73df701b89e8f2e63b81d573f8b
SHA1

4ccc0cf864b754c16cd59e3a91a2b5ffce111ffc
SHA256

a021d50b43316b250731b984a8922f07b688ba02be9d43767c82a382d614309f
SHA512

a4bd3d2dae496935604dcd64c2f23c495f025d4f35d7ce2696f8d619c65371e74a755cd4ea245b41e40fe82545a5ca9eeeed6c6b2f08e7e1bbb653e6ed560473
SSDEEP

98304:Ls5akhSst3Wbbiddqxm3nrktVwImIf3qXgv2/sgOML87xyXmA9faSS:4ayWf4dqxm3rkPwIfqQv2/sgrL87x8mJ

Score

10^/10

rms evasion rat trojan

Malware Config

Signatures

RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms
Sets file to hidden 1 TTPs 1 IoCs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

4704 attrib.exe
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

pid	process
4704	attrib.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

rat.exeWinInstall.exeWinMediaInstall.exedrv_install(x86).exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	rat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	WinInstall.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	WinMediaInstall.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	drv_install(x86).exe

Executes dropped EXE 10 IoCs

Processes:

WinInstall.exeWinMediaInstall.exedrv_install(x86).exetaskwow.exetaskwow.exetaskwow.exetaskwow.exesysnetwork.exesysnetwork.exesysnetwork.exe

pid	process
1516	WinInstall.exe
3988	WinMediaInstall.exe
4648	drv_install(x86).exe
4192	taskwow.exe
4688	taskwow.exe
3172	taskwow.exe
4956	taskwow.exe
2152	sysnetwork.exe
2344	sysnetwork.exe
4476	sysnetwork.exe

Drops file in System32 directory 3 IoCs

Processes:

taskwow.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\symbols\exe\taskwow.pdb	taskwow.exe
File opened for modification	C:\Windows\SysWOW64\taskwow.pdb	taskwow.exe
File opened for modification	C:\Windows\SysWOW64\exe\taskwow.pdb	taskwow.exe

Drops file in Windows directory 30 IoCs

Processes:

rat.exeWinMediaInstall.exedrv_install(x86).exeattrib.exetaskwow.exe

description	ioc	process
File opened for modification	C:\Windows\INF\BRS	rat.exe
File created	C:\Windows\INF\BRS\vp8decoder.dll	WinMediaInstall.exe
File created	C:\Windows\INF\BRS\russian.lg	WinMediaInstall.exe
File opened for modification	C:\Windows\INF\BRS\SystemInstall.bat	WinMediaInstall.exe
File created	C:\Windows\INF\BRS\WinInstall.exe	rat.exe
File created	C:\Windows\INF\BRS\sysnetwork.exe	WinMediaInstall.exe
File created	C:\Windows\INF\BRS\drv_install(x86).exe	WinMediaInstall.exe
File created	C:\Windows\INF\BRS\SystemAPI.dat	drv_install(x86).exe
File opened for modification	C:\Windows\INF\BRS\WinInstall.exe	rat.exe
File opened for modification	C:\Windows\INF\BRS\vp8decoder.dll	WinMediaInstall.exe
File opened for modification	C:\Windows\INF\BRS\russian.lg	WinMediaInstall.exe
File created	C:\Windows\INF\BRS\taskwow.exe	WinMediaInstall.exe
File created	C:\Windows\INF\BRS\__tmp_rar_sfx_access_check_240543703	rat.exe
File opened for modification	C:\Windows\INF\BRS\WinInstall.bat	rat.exe
File opened for modification	C:\Windows\INF\BRS\SystemInstall2.bat	WinMediaInstall.exe
File opened for modification	C:\Windows\INF\BRS\drv_install(x86).exe	WinMediaInstall.exe
File opened for modification	C:\Windows\INF\BRS	attrib.exe
File opened for modification	C:\Windows\INF\BRS\WinMediaInstall.exe	rat.exe
File created	C:\Windows\INF\BRS\SystemInstall.bat	WinMediaInstall.exe
File opened for modification	C:\Windows\INF\BRS\sysnetwork.exe	WinMediaInstall.exe
File opened for modification	C:\Windows\INF\BRS\taskwow.pdb	taskwow.exe
File opened for modification	C:\Windows\INF\BRS\vp8encoder.dll	WinMediaInstall.exe
File created	C:\Windows\INF\BRS\SystemInstall2.bat	WinMediaInstall.exe
File created	C:\Windows\INF\BRS\WinMediaInstall.exe	rat.exe
File created	C:\Windows\INF\BRS\WinInstall.bat	rat.exe
File opened for modification	C:\Windows\INF\BRS\drv_set.reg	rat.exe
File created	C:\Windows\INF\BRS\__tmp_rar_sfx_access_check_240552609	WinMediaInstall.exe
File created	C:\Windows\INF\BRS\drv_set.reg	rat.exe
File created	C:\Windows\INF\BRS\vp8encoder.dll	WinMediaInstall.exe
File opened for modification	C:\Windows\INF\BRS\taskwow.exe	WinMediaInstall.exe

Launches sc.exe 12 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid process

3136 sc.exe
3244 sc.exe
4804 sc.exe
1048 sc.exe
1892 sc.exe
4360 sc.exe
692 sc.exe
3896 sc.exe
3576 sc.exe
4188 sc.exe
4712 sc.exe
2844 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Delays execution with timeout.exe 5 IoCs
evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exetimeout.exe

pid process

3036 timeout.exe
3224 timeout.exe
1876 timeout.exe
3396 timeout.exe
1976 timeout.exe
Kills process with taskkill 4 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

4812 taskkill.exe
4056 taskkill.exe
4332 taskkill.exe
3680 taskkill.exe
Runs .reg file with regedit 1 IoCs

Processes:

regedit.exe

pid process

3008 regedit.exe

pid	process
3136	sc.exe
3244	sc.exe
4804	sc.exe
1048	sc.exe
1892	sc.exe
4360	sc.exe
692	sc.exe
3896	sc.exe
3576	sc.exe
4188	sc.exe
4712	sc.exe
2844	sc.exe

pid	process
3036	timeout.exe
3224	timeout.exe
1876	timeout.exe
3396	timeout.exe
1976	timeout.exe

pid	process
4812	taskkill.exe
4056	taskkill.exe
4332	taskkill.exe
3680	taskkill.exe

pid	process
3008	regedit.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

taskwow.exetaskwow.exetaskwow.exetaskwow.exesysnetwork.exe

pid	process
4192	taskwow.exe
4192	taskwow.exe
4192	taskwow.exe
4192	taskwow.exe
4192	taskwow.exe
4192	taskwow.exe
4688	taskwow.exe
4688	taskwow.exe
3172	taskwow.exe
3172	taskwow.exe
4956	taskwow.exe
4956	taskwow.exe
4956	taskwow.exe
4956	taskwow.exe
4956	taskwow.exe
4956	taskwow.exe
2152	sysnetwork.exe
2152	sysnetwork.exe

Suspicious behavior: SetClipboardViewer 1 IoCs

Processes:

sysnetwork.exe

pid process

4476 sysnetwork.exe

pid	process
4476	sysnetwork.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskwow.exetaskwow.exetaskwow.exe

description	pid	process
Token: SeDebugPrivilege	4812	taskkill.exe
Token: SeDebugPrivilege	4056	taskkill.exe
Token: SeDebugPrivilege	4332	taskkill.exe
Token: SeDebugPrivilege	3680	taskkill.exe
Token: SeDebugPrivilege	4192	taskwow.exe
Token: SeDebugPrivilege	3172	taskwow.exe
Token: SeTakeOwnershipPrivilege	4956	taskwow.exe
Token: SeTcbPrivilege	4956	taskwow.exe
Token: SeTcbPrivilege	4956	taskwow.exe

Suspicious use of SetWindowsHookEx 11 IoCs

Processes:

WinInstall.exeWinMediaInstall.exedrv_install(x86).execmd.exetaskwow.exetaskwow.exetaskwow.exetaskwow.exe

pid	process
1516	WinInstall.exe
3988	WinMediaInstall.exe
4648	drv_install(x86).exe
3812	cmd.exe
4192	taskwow.exe
4192	taskwow.exe
4688	taskwow.exe
4688	taskwow.exe
3172	taskwow.exe
3172	taskwow.exe
4956	taskwow.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

rat.exeWinInstall.execmd.exeWinMediaInstall.exedrv_install(x86).execmd.exe

description	pid	process	target process
PID 4484 wrote to memory of 1516	4484	rat.exe	WinInstall.exe
PID 4484 wrote to memory of 1516	4484	rat.exe	WinInstall.exe
PID 4484 wrote to memory of 1516	4484	rat.exe	WinInstall.exe
PID 1516 wrote to memory of 3076	1516	WinInstall.exe	cmd.exe
PID 1516 wrote to memory of 3076	1516	WinInstall.exe	cmd.exe
PID 1516 wrote to memory of 3076	1516	WinInstall.exe	cmd.exe
PID 3076 wrote to memory of 3988	3076	cmd.exe	WinMediaInstall.exe
PID 3076 wrote to memory of 3988	3076	cmd.exe	WinMediaInstall.exe
PID 3076 wrote to memory of 3988	3076	cmd.exe	WinMediaInstall.exe
PID 3988 wrote to memory of 4648	3988	WinMediaInstall.exe	drv_install(x86).exe
PID 3988 wrote to memory of 4648	3988	WinMediaInstall.exe	drv_install(x86).exe
PID 3988 wrote to memory of 4648	3988	WinMediaInstall.exe	drv_install(x86).exe
PID 4648 wrote to memory of 3812	4648	drv_install(x86).exe	cmd.exe
PID 4648 wrote to memory of 3812	4648	drv_install(x86).exe	cmd.exe
PID 4648 wrote to memory of 3812	4648	drv_install(x86).exe	cmd.exe
PID 3812 wrote to memory of 4704	3812	cmd.exe	attrib.exe
PID 3812 wrote to memory of 4704	3812	cmd.exe	attrib.exe
PID 3812 wrote to memory of 4704	3812	cmd.exe	attrib.exe
PID 3812 wrote to memory of 1892	3812	cmd.exe	sc.exe
PID 3812 wrote to memory of 1892	3812	cmd.exe	sc.exe
PID 3812 wrote to memory of 1892	3812	cmd.exe	sc.exe
PID 3812 wrote to memory of 4712	3812	cmd.exe	sc.exe
PID 3812 wrote to memory of 4712	3812	cmd.exe	sc.exe
PID 3812 wrote to memory of 4712	3812	cmd.exe	sc.exe
PID 3812 wrote to memory of 2844	3812	cmd.exe	sc.exe
PID 3812 wrote to memory of 2844	3812	cmd.exe	sc.exe
PID 3812 wrote to memory of 2844	3812	cmd.exe	sc.exe
PID 3812 wrote to memory of 692	3812	cmd.exe	sc.exe
PID 3812 wrote to memory of 692	3812	cmd.exe	sc.exe
PID 3812 wrote to memory of 692	3812	cmd.exe	sc.exe
PID 3812 wrote to memory of 4360	3812	cmd.exe	sc.exe
PID 3812 wrote to memory of 4360	3812	cmd.exe	sc.exe
PID 3812 wrote to memory of 4360	3812	cmd.exe	sc.exe
PID 3812 wrote to memory of 3036	3812	cmd.exe	timeout.exe
PID 3812 wrote to memory of 3036	3812	cmd.exe	timeout.exe
PID 3812 wrote to memory of 3036	3812	cmd.exe	timeout.exe
PID 3812 wrote to memory of 3896	3812	cmd.exe	sc.exe
PID 3812 wrote to memory of 3896	3812	cmd.exe	sc.exe
PID 3812 wrote to memory of 3896	3812	cmd.exe	sc.exe
PID 3812 wrote to memory of 3136	3812	cmd.exe	sc.exe
PID 3812 wrote to memory of 3136	3812	cmd.exe	sc.exe
PID 3812 wrote to memory of 3136	3812	cmd.exe	sc.exe
PID 3812 wrote to memory of 3244	3812	cmd.exe	sc.exe
PID 3812 wrote to memory of 3244	3812	cmd.exe	sc.exe
PID 3812 wrote to memory of 3244	3812	cmd.exe	sc.exe
PID 3812 wrote to memory of 3576	3812	cmd.exe	sc.exe
PID 3812 wrote to memory of 3576	3812	cmd.exe	sc.exe
PID 3812 wrote to memory of 3576	3812	cmd.exe	sc.exe
PID 3812 wrote to memory of 4188	3812	cmd.exe	sc.exe
PID 3812 wrote to memory of 4188	3812	cmd.exe	sc.exe
PID 3812 wrote to memory of 4188	3812	cmd.exe	sc.exe
PID 3812 wrote to memory of 3224	3812	cmd.exe	timeout.exe
PID 3812 wrote to memory of 3224	3812	cmd.exe	timeout.exe
PID 3812 wrote to memory of 3224	3812	cmd.exe	timeout.exe
PID 3812 wrote to memory of 4812	3812	cmd.exe	taskkill.exe
PID 3812 wrote to memory of 4812	3812	cmd.exe	taskkill.exe
PID 3812 wrote to memory of 4812	3812	cmd.exe	taskkill.exe
PID 3812 wrote to memory of 4056	3812	cmd.exe	taskkill.exe
PID 3812 wrote to memory of 4056	3812	cmd.exe	taskkill.exe
PID 3812 wrote to memory of 4056	3812	cmd.exe	taskkill.exe
PID 3812 wrote to memory of 4332	3812	cmd.exe	taskkill.exe
PID 3812 wrote to memory of 4332	3812	cmd.exe	taskkill.exe
PID 3812 wrote to memory of 4332	3812	cmd.exe	taskkill.exe
PID 3812 wrote to memory of 3680	3812	cmd.exe	taskkill.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

4704 attrib.exe

pid	process
4704	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume2\Windows\Fonts\win\rat.exe
"C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume2\Windows\Fonts\win\rat.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4484

C:\Windows\INF\BRS\WinInstall.exe
"C:\Windows\INF\BRS\WinInstall.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1516

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Windows\INF\BRS\WinInstall.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:3076

C:\Windows\INF\BRS\WinMediaInstall.exe
WinMediaInstall.exe -p8435748345902389057896849090582398548969335785378899258745792
4⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3988

C:\Windows\INF\BRS\drv_install(x86).exe
"C:\Windows\INF\BRS\drv_install(x86).exe"
5⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4648

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Windows\INF\BRS\SystemInstall.bat" "
6⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3812

C:\Windows\SysWOW64\attrib.exe
attrib +s +h "C:\Windows\INF\BRS"
7⤵
- Sets file to hidden
- Drops file in Windows directory
- Views/modifies file attributes
PID:4704

C:\Windows\SysWOW64\sc.exe
sc stop AdobeReader
7⤵
- Launches sc.exe
PID:1892

C:\Windows\SysWOW64\sc.exe
sc stop RManService
7⤵
- Launches sc.exe
PID:4712

C:\Windows\SysWOW64\sc.exe
sc stop XPSHardware
7⤵
- Launches sc.exe
PID:2844

C:\Windows\SysWOW64\sc.exe
sc stop TaskOwnHost
7⤵
- Launches sc.exe
PID:692

C:\Windows\SysWOW64\sc.exe
sc stop TaskNetHost
7⤵
- Launches sc.exe
PID:4360

C:\Windows\SysWOW64\timeout.exe
timeout 2
7⤵
- Delays execution with timeout.exe
PID:3036

C:\Windows\SysWOW64\sc.exe
sc delete AdobeReader
7⤵
- Launches sc.exe
PID:3896

C:\Windows\SysWOW64\sc.exe
sc delete RManService
7⤵
- Launches sc.exe
PID:3136

C:\Windows\SysWOW64\sc.exe
sc delete XPSHardware
7⤵
- Launches sc.exe
PID:3244

C:\Windows\SysWOW64\sc.exe
sc delete TaskOwnHost
7⤵
- Launches sc.exe
PID:3576

C:\Windows\SysWOW64\sc.exe
sc delete TaskNetHost
7⤵
- Launches sc.exe
PID:4188

C:\Windows\SysWOW64\timeout.exe
timeout 2
7⤵
- Delays execution with timeout.exe
PID:3224

C:\Windows\SysWOW64\taskkill.exe
taskkill /im rfusclient.exe /f
7⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4812

C:\Windows\SysWOW64\taskkill.exe
taskkill /im rutserv.exe /f
7⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4056

C:\Windows\SysWOW64\taskkill.exe
taskkill /im WUDLicense.exe /f
7⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4332

C:\Windows\SysWOW64\taskkill.exe
taskkill /im xpsrchv.exe /f
7⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3680

C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\SYSTEM\Hardware Service\SysWOW64" /f
7⤵
PID:1636

C:\Windows\INF\BRS\taskwow.exe
"C:\Windows\INF\BRS\taskwow.exe" /silentinstall
7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4192

C:\Windows\INF\BRS\taskwow.exe
"C:\Windows\INF\BRS\taskwow.exe" /firewall
7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4688

C:\Windows\SysWOW64\regedit.exe
regedit /s "C:\Windows\INF\BRS\drv_set.reg"
7⤵
- Runs .reg file with regedit
PID:3008

C:\Windows\SysWOW64\timeout.exe
timeout 1
7⤵
- Delays execution with timeout.exe
PID:1876

C:\Windows\SysWOW64\sc.exe
sc failure TaskNetHost reset= 0 actions= restart/1000/restart/1000/restart/1000
7⤵
- Launches sc.exe
PID:4804

C:\Windows\SysWOW64\timeout.exe
timeout 1
7⤵
- Delays execution with timeout.exe
PID:3396

C:\Windows\SysWOW64\sc.exe
sc config TaskNetHost obj= LocalSystem type= interact type= own
7⤵
- Launches sc.exe
PID:1048

C:\Windows\SysWOW64\timeout.exe
timeout 1
7⤵
- Delays execution with timeout.exe
PID:1976

C:\Windows\INF\BRS\taskwow.exe
"C:\Windows\INF\BRS\taskwow.exe" /start
7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3172

C:\Windows\INF\BRS\taskwow.exe
C:\Windows\INF\BRS\taskwow.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4956

C:\Windows\INF\BRS\sysnetwork.exe
C:\Windows\INF\BRS\sysnetwork.exe /tray
2⤵
- Executes dropped EXE
PID:2344

C:\Windows\INF\BRS\sysnetwork.exe
C:\Windows\INF\BRS\sysnetwork.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2152

C:\Windows\INF\BRS\sysnetwork.exe
C:\Windows\INF\BRS\sysnetwork.exe /tray
3⤵
- Executes dropped EXE
- Suspicious behavior: SetClipboardViewer
PID:4476

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Impair Defenses

T1562

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\INF\BRS\SystemInstall.bat
Filesize
941B

MD5
2dbff946fe1700a5acf205cc3abd7810

SHA1
1062bc639c9023ee5e3e54f70bcb378e0d41743e

SHA256
e890094a2f813d69d21c1ea8e030914ce8f124f931ad4eb730b20164f2088497

SHA512
6eea2271a4dcd8651248ff42c66777b5dc40ba9cc7ed357d9ddf6f95331738e2d96f3b8f30604bc0eaa1963cf598c86c549467b036fd76d40285757a840de0f0

Download Submit
C:\Windows\INF\BRS\WinInstall.bat
Filesize
102B

MD5
06346e26022153e79a781bf4486e8222

SHA1
aa9004bf77314d930d6c86ae92170508fef38886

SHA256
3fa543e5cf1e4c3e52da162942af77317b9f120ea5f2f3f5da7402538b3c4038

SHA512
51c94eada1222fbd1478895e3a67c4e9699756a71ea48117b0018a619d060f4d08ee590be14f3e95dd9dc9b2dc27e0da3c149fe9b07a7dfec95ef6f2d3a1a7b7

Download Submit
C:\Windows\INF\BRS\WinInstall.exe
Filesize
407KB

MD5
f8eb3df4f37fda6de206d22d4040d959

SHA1
0f5b163a8ff6d654505044f1f64c9fe079467e0d

SHA256
6dc52fe1075cef92784a5faf7ec334fc506267c285c28641b834264297bced3f

SHA512
219758971c378f13e039f6aea8857b6942e8244edbf651c46742cda062c712ff678f7a3c15621f301832282c6a3dec147f1bfe1333328c17fb2b340abeda08e3

Download Submit
C:\Windows\INF\BRS\WinInstall.exe
Filesize
407KB

MD5
f8eb3df4f37fda6de206d22d4040d959

SHA1
0f5b163a8ff6d654505044f1f64c9fe079467e0d

SHA256
6dc52fe1075cef92784a5faf7ec334fc506267c285c28641b834264297bced3f

SHA512
219758971c378f13e039f6aea8857b6942e8244edbf651c46742cda062c712ff678f7a3c15621f301832282c6a3dec147f1bfe1333328c17fb2b340abeda08e3

Download Submit
C:\Windows\INF\BRS\WinInstall.exe
Filesize
407KB

MD5
f8eb3df4f37fda6de206d22d4040d959

SHA1
0f5b163a8ff6d654505044f1f64c9fe079467e0d

SHA256
6dc52fe1075cef92784a5faf7ec334fc506267c285c28641b834264297bced3f

SHA512
219758971c378f13e039f6aea8857b6942e8244edbf651c46742cda062c712ff678f7a3c15621f301832282c6a3dec147f1bfe1333328c17fb2b340abeda08e3

Download Submit
C:\Windows\INF\BRS\WinMediaInstall.exe
Filesize
4.2MB

MD5
2bd83564eada3e9b2fa3bf2f36f70b47

SHA1
66b05f8903ac378aa814cce12904c137900e45e5

SHA256
5a1178e9ca0dbc637f477b175e276d65805d8dd007b1018fc9d1bb2f26a480fb

SHA512
82669bb6bfa6b9bbef3dbc22eab760c14d79d32cc2d3340a214531de2d36184a8f4379caae8ed0145955c1a0754fb2a15a3dd24e6ec798af67194798cd5a432d

Download Submit
C:\Windows\INF\BRS\WinMediaInstall.exe
Filesize
4.2MB

MD5
2bd83564eada3e9b2fa3bf2f36f70b47

SHA1
66b05f8903ac378aa814cce12904c137900e45e5

SHA256
5a1178e9ca0dbc637f477b175e276d65805d8dd007b1018fc9d1bb2f26a480fb

SHA512
82669bb6bfa6b9bbef3dbc22eab760c14d79d32cc2d3340a214531de2d36184a8f4379caae8ed0145955c1a0754fb2a15a3dd24e6ec798af67194798cd5a432d

Download Submit
C:\Windows\INF\BRS\drv_install(x86).exe
Filesize
401KB

MD5
480facdf7e8261db9641e576639734b1

SHA1
78dd51e3d2cdb938b03354b2a67b01b5f9889d29

SHA256
beb5201115673a694cdd6f94ffe7c59c4d0b75fa04f02257b1195b828b2efbf3

SHA512
7b5a26770d70f011c0cf686d7028a4657ffbcb4deea5fb3fb875e2fbccb7ff4ce54db8911bbbe973bdc3f3674e18bb1611ed7efc577289c46bef09f084491546

Download Submit
C:\Windows\INF\BRS\drv_install(x86).exe
Filesize
401KB

MD5
480facdf7e8261db9641e576639734b1

SHA1
78dd51e3d2cdb938b03354b2a67b01b5f9889d29

SHA256
beb5201115673a694cdd6f94ffe7c59c4d0b75fa04f02257b1195b828b2efbf3

SHA512
7b5a26770d70f011c0cf686d7028a4657ffbcb4deea5fb3fb875e2fbccb7ff4ce54db8911bbbe973bdc3f3674e18bb1611ed7efc577289c46bef09f084491546

Download Submit
C:\Windows\INF\BRS\drv_install(x86).exe
Filesize
401KB

MD5
480facdf7e8261db9641e576639734b1

SHA1
78dd51e3d2cdb938b03354b2a67b01b5f9889d29

SHA256
beb5201115673a694cdd6f94ffe7c59c4d0b75fa04f02257b1195b828b2efbf3

SHA512
7b5a26770d70f011c0cf686d7028a4657ffbcb4deea5fb3fb875e2fbccb7ff4ce54db8911bbbe973bdc3f3674e18bb1611ed7efc577289c46bef09f084491546

Download Submit
C:\Windows\INF\BRS\drv_set.reg
Filesize
11KB

MD5
fac6ee7d0341aa30335558767c617f85

SHA1
03149a9b48735cdee2b23025d00c6e2f9db795b7

SHA256
41cfe9ea3021559b8c867b9796f9795cd64ea21009b744b457d676c62429ef83

SHA512
d7e9b32f802a181874555111edf5290b577ab7b0b7e9a0476deab48942f50bdaef1db6dfa19ebd34c831af1d1e2f3c4b7b000e9be02c2f6c3ffc29493bfcdb27

Download Submit
C:\Windows\INF\BRS\russian.lg
Filesize
48KB

MD5
e44e34bc285b709f08f967325d9c8be1

SHA1
e73f05c6a980ec9d006930c5343955f89579b409

SHA256
1d99a7b5f7b3daa61fa773972b1e335aa09b92411484f6ddc99d2b2894455a5b

SHA512
576b292b6e9cf022822443e050994462a6cbd9a3c60063bae9f54c78a84e75e17bb5eddf7e259a22a9d93f757cb6536c503762e2a30e75091e40c2756cde8727

Download Submit
C:\Windows\INF\BRS\sysnetwork.exe
Filesize
5.1MB

MD5
541f31868dbaa3f2d561a099f6ea948c

SHA1
9102092f569eab2395202438d55d77667dcebb81

SHA256
19ef95b96cfbcc359b62ce09a843b240e0f32d97ac738dde4dc7c895053ae6bb

SHA512
c52077233241764bfc939730d0f9a8c590e0b93f1c2e61c2867bcb176586669493b95bf8fa570f233f4f7f7032e45c0122c4e3fe930e390748cabc947a4908a3

Download Submit
C:\Windows\INF\BRS\sysnetwork.exe
Filesize
5.1MB

MD5
541f31868dbaa3f2d561a099f6ea948c

SHA1
9102092f569eab2395202438d55d77667dcebb81

SHA256
19ef95b96cfbcc359b62ce09a843b240e0f32d97ac738dde4dc7c895053ae6bb

SHA512
c52077233241764bfc939730d0f9a8c590e0b93f1c2e61c2867bcb176586669493b95bf8fa570f233f4f7f7032e45c0122c4e3fe930e390748cabc947a4908a3

Download Submit
C:\Windows\INF\BRS\sysnetwork.exe
Filesize
5.1MB

MD5
541f31868dbaa3f2d561a099f6ea948c

SHA1
9102092f569eab2395202438d55d77667dcebb81

SHA256
19ef95b96cfbcc359b62ce09a843b240e0f32d97ac738dde4dc7c895053ae6bb

SHA512
c52077233241764bfc939730d0f9a8c590e0b93f1c2e61c2867bcb176586669493b95bf8fa570f233f4f7f7032e45c0122c4e3fe930e390748cabc947a4908a3

Download Submit
C:\Windows\INF\BRS\sysnetwork.exe
Filesize
5.1MB

MD5
541f31868dbaa3f2d561a099f6ea948c

SHA1
9102092f569eab2395202438d55d77667dcebb81

SHA256
19ef95b96cfbcc359b62ce09a843b240e0f32d97ac738dde4dc7c895053ae6bb

SHA512
c52077233241764bfc939730d0f9a8c590e0b93f1c2e61c2867bcb176586669493b95bf8fa570f233f4f7f7032e45c0122c4e3fe930e390748cabc947a4908a3

Download Submit
C:\Windows\INF\BRS\taskwow.exe
Filesize
6.0MB

MD5
fcf84c57a6e7b59ae4fb1e4b2f4ae683

SHA1
78475df7b944d352aaea9f5442bf9b40b63b596b

SHA256
e24127654aa4b8ead239d26e8b19e617f8b2a4982b615d6adff1e8f252000c3b

SHA512
901e10fa0e15db7b056c38744a64753e2839b217c8f47bc7ad705073eb97d189584a05c8e64c257b580864afe49d4f9c394956c78beed2d0a7b23c76365f4db1

Download Submit
C:\Windows\INF\BRS\taskwow.exe
Filesize
6.0MB

MD5
fcf84c57a6e7b59ae4fb1e4b2f4ae683

SHA1
78475df7b944d352aaea9f5442bf9b40b63b596b

SHA256
e24127654aa4b8ead239d26e8b19e617f8b2a4982b615d6adff1e8f252000c3b

SHA512
901e10fa0e15db7b056c38744a64753e2839b217c8f47bc7ad705073eb97d189584a05c8e64c257b580864afe49d4f9c394956c78beed2d0a7b23c76365f4db1

Download Submit
C:\Windows\INF\BRS\taskwow.exe
Filesize
6.0MB

MD5
fcf84c57a6e7b59ae4fb1e4b2f4ae683

SHA1
78475df7b944d352aaea9f5442bf9b40b63b596b

SHA256
e24127654aa4b8ead239d26e8b19e617f8b2a4982b615d6adff1e8f252000c3b

SHA512
901e10fa0e15db7b056c38744a64753e2839b217c8f47bc7ad705073eb97d189584a05c8e64c257b580864afe49d4f9c394956c78beed2d0a7b23c76365f4db1

Download Submit
C:\Windows\INF\BRS\taskwow.exe
Filesize
6.0MB

MD5
fcf84c57a6e7b59ae4fb1e4b2f4ae683

SHA1
78475df7b944d352aaea9f5442bf9b40b63b596b

SHA256
e24127654aa4b8ead239d26e8b19e617f8b2a4982b615d6adff1e8f252000c3b

SHA512
901e10fa0e15db7b056c38744a64753e2839b217c8f47bc7ad705073eb97d189584a05c8e64c257b580864afe49d4f9c394956c78beed2d0a7b23c76365f4db1

Download Submit
C:\Windows\INF\BRS\taskwow.exe
Filesize
6.0MB

MD5
fcf84c57a6e7b59ae4fb1e4b2f4ae683

SHA1
78475df7b944d352aaea9f5442bf9b40b63b596b

SHA256
e24127654aa4b8ead239d26e8b19e617f8b2a4982b615d6adff1e8f252000c3b

SHA512
901e10fa0e15db7b056c38744a64753e2839b217c8f47bc7ad705073eb97d189584a05c8e64c257b580864afe49d4f9c394956c78beed2d0a7b23c76365f4db1

Download Submit
C:\Windows\INF\BRS\vp8decoder.dll
Filesize
378KB

MD5
d43fa82fab5337ce20ad14650085c5d9

SHA1
678aa092075ff65b6815ffc2d8fdc23af8425981

SHA256
c022958429edd94bfe31f2eacfe24ff6b45d6f12747725c449a36116373de03b

SHA512
103e61a9f58df03316676a074487e50ec518479c11068df3736df139b85c7671048c65bce0ef2c55b3c50c61fde54e9e6c7d1b795aea71263ae94c91d4874e0d

Download Submit
C:\Windows\INF\BRS\vp8encoder.dll
Filesize
1.6MB

MD5
dab4646806dfca6d0e0b4d80fa9209d6

SHA1
8244dfe22ec2090eee89dad103e6b2002059d16a

SHA256
cb6ef96d3a66ef08ec2c8640b751a52d6d4f4530cf01162a69966f0fd5153587

SHA512
aa5eb93bf23a10de797d6fb52a55a95d36bc48927c76fedd81e0c48872745cb7f7d1b3f230eaae42fd4e79b6a59ca707e56bd6963b03644cbd5984f11e98d6e7

Download Submit
memory/1516-148-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1516-149-0x00000000020D0000-0x00000000020D1000-memory.dmp

Filesize
4KB

Download
memory/1516-151-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2152-216-0x0000000000B60000-0x0000000000B61000-memory.dmp

Filesize
4KB

Download
memory/2152-204-0x0000000000B60000-0x0000000000B61000-memory.dmp

Filesize
4KB

Download
memory/2152-207-0x0000000000400000-0x00000000009A8000-memory.dmp

Filesize
5.7MB

Download
memory/2152-213-0x0000000000400000-0x00000000009A8000-memory.dmp

Filesize
5.7MB

Download
memory/2344-223-0x0000000000400000-0x00000000009A8000-memory.dmp

Filesize
5.7MB

Download
memory/2344-219-0x0000000000400000-0x00000000009A8000-memory.dmp

Filesize
5.7MB

Download
memory/2344-203-0x0000000000400000-0x00000000009A8000-memory.dmp

Filesize
5.7MB

Download
memory/2344-240-0x0000000000400000-0x00000000009A8000-memory.dmp

Filesize
5.7MB

Download
memory/2344-208-0x0000000002850000-0x0000000002851000-memory.dmp

Filesize
4KB

Download
memory/2344-214-0x0000000000400000-0x00000000009A8000-memory.dmp

Filesize
5.7MB

Download
memory/2344-230-0x0000000000400000-0x00000000009A8000-memory.dmp

Filesize
5.7MB

Download
memory/3172-193-0x0000000002960000-0x0000000002961000-memory.dmp

Filesize
4KB

Download
memory/3172-202-0x0000000000400000-0x0000000000A9F000-memory.dmp

Filesize
6.6MB

Download
memory/3172-192-0x0000000000400000-0x0000000000A9F000-memory.dmp

Filesize
6.6MB

Download
memory/4192-244-0x0000000000400000-0x0000000000A9F000-memory.dmp

Filesize
6.6MB

Download
memory/4192-186-0x0000000000400000-0x0000000000A9F000-memory.dmp

Filesize
6.6MB

Download
memory/4476-211-0x0000000000400000-0x00000000009A8000-memory.dmp

Filesize
5.7MB

Download
memory/4476-210-0x0000000000400000-0x00000000009A8000-memory.dmp

Filesize
5.7MB

Download
memory/4648-178-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/4648-179-0x0000000000530000-0x0000000000531000-memory.dmp

Filesize
4KB

Download
memory/4648-182-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/4688-188-0x0000000000400000-0x0000000000A9F000-memory.dmp

Filesize
6.6MB

Download
memory/4956-221-0x0000000000400000-0x0000000000A9F000-memory.dmp

Filesize
6.6MB

Download
memory/4956-212-0x0000000000400000-0x0000000000A9F000-memory.dmp

Filesize
6.6MB

Download
memory/4956-201-0x0000000000C50000-0x0000000000C51000-memory.dmp

Filesize
4KB

Download
memory/4956-224-0x0000000000400000-0x0000000000A9F000-memory.dmp

Filesize
6.6MB

Download
memory/4956-228-0x0000000000400000-0x0000000000A9F000-memory.dmp

Filesize
6.6MB

Download
memory/4956-217-0x0000000000400000-0x0000000000A9F000-memory.dmp

Filesize
6.6MB

Download
memory/4956-238-0x0000000000400000-0x0000000000A9F000-memory.dmp

Filesize
6.6MB

Download
memory/4956-199-0x0000000000400000-0x0000000000A9F000-memory.dmp

Filesize
6.6MB

Download
memory/4956-215-0x0000000000C50000-0x0000000000C51000-memory.dmp

Filesize
4KB

Download
memory/4956-249-0x0000000000400000-0x0000000000A9F000-memory.dmp

Filesize
6.6MB

Download