Analysis

  • max time kernel
    149s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    02-10-2024 05:22

General

  • Target

    091514afc2cc22adc585d371023168e0_JaffaCakes118.exe

  • Size

    7.8MB

  • MD5

    091514afc2cc22adc585d371023168e0

  • SHA1

    0d78ec5778da2c23a98088c32a7a0e5eae623378

  • SHA256

    d0d8a654babd62cd2520aa253c985da6881d61596ede83c07cb0b3a64db2b974

  • SHA512

    1e6495d2b88af9eec27c2616186cdbd6e9ed36985e3ba930ddb0ca3b3680f4e1a78c8bb12605a61ae691bf27d5bbea6e2e73a06f8cd5a158a3e9e72b8887ddd9

  • SSDEEP

    196608:X4XPVswZNIDXizs5zE2Ont7Z8u7LVkjKdDCwF/:I75qg5nv57LajKdWy

Signatures

  • RMS

    Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.

  • Sets file to hidden 1 TTPs 1 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 11 IoCs
  • Loads dropped DLL 17 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 17 IoCs
  • Drops file in Windows directory 11 IoCs
  • Launches sc.exe 2 IoCs

    Sc.exe is a Windows utility to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 32 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 4 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Kills process with taskkill 1 IoCs
  • Modifies data under HKEY_USERS 3 IoCs
  • Modifies registry class 24 IoCs
  • Runs ping.exe 1 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 18 IoCs
  • Suspicious behavior: SetClipboardViewer 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\091514afc2cc22adc585d371023168e0_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\091514afc2cc22adc585d371023168e0_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3384
    • C:\Users\Admin\AppData\Local\Temp\ukaz.exe
      "C:\Users\Admin\AppData\Local\Temp\ukaz.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3076
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\install.cmd" "
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1688
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /f /im rutserv.exe
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:3476
        • C:\Windows\SysWOW64\reg.exe
          reg delete "HKLM\SYSTEM\Remote Manipulator System" /f
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1460
        • C:\Windows\SysWOW64\msiexec.exe
          MsiExec /x {61FFA475-24D5-44FB-A51F-39B699E3D82C} /qn REBOOT=ReallySuppress
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:2744
        • C:\Windows\SysWOW64\msiexec.exe
          MsiExec /x {A5DB67DC-DB0E-4491-B9F7-F258A02EE03C} /qn REBOOT=ReallySuppress
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:4848
        • C:\Windows\SysWOW64\msiexec.exe
          msiexec /x {5B1EC627-A9CA-4BE8-966E-5FCB90ECD770} /qn REBOOT=ReallySuppress
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2568
        • C:\Windows\SysWOW64\msiexec.exe
          msiexec /x {54D1AB84-6B0B-445D-B7AB-E2B2FEEC3A4F} /qn REBOOT=ReallySuppress
          4⤵
          • System Location Discovery: System Language Discovery
          PID:4084
        • C:\Windows\SysWOW64\msiexec.exe
          msiexec /x {AB7AA605-500F-4153-8207-FB5563419112} /qn REBOOT=ReallySuppress
          4⤵
          • System Location Discovery: System Language Discovery
          PID:4520
        • C:\Windows\SysWOW64\msiexec.exe
          MsiExec /x {B04BFE4C-7F11-49D8-ADFE-867939D886FA} /qn REBOOT=ReallySuppress
          4⤵
          • System Location Discovery: System Language Discovery
          PID:4524
        • C:\Windows\SysWOW64\msiexec.exe
          MsiExec /x {2B0A2EED-E2C8-40CE-A701-95B211A39B34} /qn REBOOT=ReallySuppress
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1584
        • C:\Windows\SysWOW64\PING.EXE
          ping 127.0.0.1
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:3236
        • C:\Windows\SysWOW64\msiexec.exe
          MsiExec /I "rms.msi" /qn
          4⤵
          • System Location Discovery: System Language Discovery
          PID:4688
        • C:\Windows\SysWOW64\attrib.exe
          attrib +s +h "C:\Windows\System32\sysfiles"
          4⤵
          • Sets file to hidden
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:4312
        • C:\Windows\SysWOW64\PING.EXE
          ping 127.0.0.1
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:4860
        • C:\Windows\SysWOW64\sc.exe
          sc config "RManService" start= auto displayname= "Windows Media"
          4⤵
          • Launches sc.exe
          • System Location Discovery: System Language Discovery
          PID:2296
        • C:\Windows\SysWOW64\sc.exe
          sc description "RManService" "Authorization and authentication for signed Windows Media files"
          4⤵
          • Launches sc.exe
          • System Location Discovery: System Language Discovery
          PID:1500
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd" "
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4692
    • C:\Users\Admin\AppData\Local\Temp\Portable ResHack.3.6.0.92.exe
      "C:\Users\Admin\AppData\Local\Temp\Portable ResHack.3.6.0.92.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2328
      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\ResHacker.exe
        "C:\Users\Admin\AppData\Local\Temp\RarSFX0\ResHacker.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:4804
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c ping -n 3 127.0.0.1 & copy /Y "C:\Users\Admin\AppData\Local\Temp\Portable ResHack.3.6.0.92.exe" "C:\Users\Admin\AppData\Local\Temp\091514afc2cc22adc585d371023168e0_JaffaCakes118.exe" >> NUL
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Suspicious use of WriteProcessMemory
      PID:2500
      • C:\Windows\SysWOW64\PING.EXE
        ping -n 3 127.0.0.1
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:2416
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4304
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 601CDD0783CBE3248017672DAAFE28DA
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:1036
    • C:\Windows\SysWOW64\sysfiles\rutserv.exe
      "C:\Windows\SysWOW64\sysfiles\rutserv.exe" /silentinstall
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:3016
    • C:\Windows\SysWOW64\sysfiles\rutserv.exe
      "C:\Windows\SysWOW64\sysfiles\rutserv.exe" /firewall
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:4336
    • C:\Windows\SysWOW64\sysfiles\rutserv.exe
      "C:\Windows\SysWOW64\sysfiles\rutserv.exe" /printerinstall
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:3080
    • C:\Windows\SysWOW64\sysfiles\rutserv.exe
      "C:\Windows\SysWOW64\sysfiles\rutserv.exe" /start
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:3328
  • C:\Windows\SysWOW64\sysfiles\rutserv.exe
    C:\Windows\SysWOW64\sysfiles\rutserv.exe
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    PID:4740
    • C:\Windows\SysWOW64\sysfiles\rfusclient.exe
      C:\Windows\SysWOW64\sysfiles\rfusclient.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: SetClipboardViewer
      PID:4404
      • C:\Windows\SysWOW64\sysfiles\rfusclient.exe
        C:\Windows\SysWOW64\sysfiles\rfusclient.exe /tray
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: SetClipboardViewer
        PID:4084
    • C:\Windows\SysWOW64\sysfiles\rfusclient.exe
      C:\Windows\SysWOW64\sysfiles\rfusclient.exe /tray
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:4176

Downloads

  • C:\Config.Msi\e57e2a2.rbs

    Filesize

    15KB

  • C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd

    Filesize

    180B

  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\install.cmd

    Filesize

    1KB

  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rms.msi

    Filesize

    7.3MB

  • C:\Users\Admin\AppData\Local\Temp\Portable ResHack.3.6.0.92.exe

    Filesize

    1.7MB

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\ResHacker.exe

    Filesize

    996KB

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\ResHacker.ini

    Filesize

    190B

  • C:\Users\Admin\AppData\Local\Temp\ukaz.exe

    Filesize

    6.8MB

  • C:\Windows\Installer\MSIE33C.tmp

    Filesize

    125KB

  • C:\Windows\SysWOW64\sysfiles\MSVCR100.dll

    Filesize

    755KB

  • C:\Windows\SysWOW64\sysfiles\RIPCServer.dll

    Filesize

    145KB

  • C:\Windows\SysWOW64\sysfiles\RWLN.dll

    Filesize

    359KB

  • C:\Windows\SysWOW64\sysfiles\dsfVorbisDecoder.dll

    Filesize

    234KB

  • C:\Windows\SysWOW64\sysfiles\dsfVorbisEncoder.dll

    Filesize

    1.6MB

  • C:\Windows\SysWOW64\sysfiles\gdiplus.dll

    Filesize

    1.6MB

  • C:\Windows\SysWOW64\sysfiles\msimg32.dll

    Filesize

    2KB

  • C:\Windows\SysWOW64\sysfiles\msvcp90.dll

    Filesize

    556KB

  • C:\Windows\SysWOW64\sysfiles\msvcr90.dll

    Filesize

    637KB

  • C:\Windows\SysWOW64\sysfiles\rfusclient.exe

    Filesize

    3.9MB

  • C:\Windows\SysWOW64\sysfiles\rutserv.exe

    Filesize

    5.1MB

  • C:\Windows\SysWOW64\sysfiles\vp8decoder.dll

    Filesize

    403KB

  • C:\Windows\SysWOW64\sysfiles\vp8encoder.dll

    Filesize

    685KB
