Analysis
max time kernel: 151s
max time network: 123s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 03-10-2022 23:38
Static task: static1
Behavioral task: behavioral1
  Sample: fb2c0262656d101b084eecc059653b938081a6a812197d2c6c8f7582f946c3e3.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: fb2c0262656d101b084eecc059653b938081a6a812197d2c6c8f7582f946c3e3.exe
  Resource: win10v2004-20220812-en
General
Target: fb2c0262656d101b084eecc059653b938081a6a812197d2c6c8f7582f946c3e3.exe
Size: 7.3MB
MD5: 6b6702acef95453426afa2f1d2520bb2
SHA1: 47293a57769289aa4070f04f22f7d9fcc77c9682
SHA256: fb2c0262656d101b084eecc059653b938081a6a812197d2c6c8f7582f946c3e3
SHA512: e93652d097c7cb45c46acb5926cf59ad87741ee9a795c4294d4bbed43827aecde27e34520102da717073d4a197b6c5d4addd581ee2ae7c4020f5415cb93f9c5c
SSDEEP: 196608:W15XKNCDOtv1BCkrxlpJ8EAnOsjnkrciwzSQ2Y:WrXov6sxDiEAOsjo2X2Y
Malware Config
Signatures
Blocklisted process makes network request 4 IoCs
flow | pid | Process
2 | 1052 | msiexec.exe
4 | 1052 | msiexec.exe
7 | 1052 | msiexec.exe
8 | 1052 | msiexec.exe
Executes dropped EXE 6 IoCs
pid | Process
1324 | rutserv.exe
692 | rutserv.exe
1748 | rutserv.exe
1396 | srvinst_x64.exe
1716 | srvinst_x64.exe
1660 | setupdrv.exe
Loads dropped DLL 11 IoCs
pid | Process
1148 | MsiExec.exe
1324 | rutserv.exe
692 | rutserv.exe
1748 | rutserv.exe
1192 | cmd.exe
1192 | cmd.exe
1192 | cmd.exe
1192 | cmd.exe
1192 | cmd.exe
888 | Process not Found
888 | Process not Found
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\J: | msiexec.exe
File opened (read-only) | \??\N: | msiexec.exe
File opened (read-only) | \??\W: | msiexec.exe
File opened (read-only) | \??\X: | msiexec.exe
File opened (read-only) | \??\L: | msiexec.exe
File opened (read-only) | \??\O: | msiexec.exe
File opened (read-only) | \??\U: | msiexec.exe
File opened (read-only) | \??\Z: | msiexec.exe
File opened (read-only) | \??\A: | msiexec.exe
File opened (read-only) | \??\E: | msiexec.exe
File opened (read-only) | \??\F: | msiexec.exe
File opened (read-only) | \??\G: | msiexec.exe
File opened (read-only) | \??\I: | msiexec.exe
File opened (read-only) | \??\K: | msiexec.exe
File opened (read-only) | \??\M: | msiexec.exe
File opened (read-only) | \??\P: | msiexec.exe
File opened (read-only) | \??\R: | msiexec.exe
File opened (read-only) | \??\S: | msiexec.exe
File opened (read-only) | \??\V: | msiexec.exe
File opened (read-only) | \??\B: | msiexec.exe
File opened (read-only) | \??\H: | msiexec.exe
File opened (read-only) | \??\Q: | msiexec.exe
File opened (read-only) | \??\T: | msiexec.exe
File opened (read-only) | \??\Y: | msiexec.exe
Drops file in Program Files directory 58 IoCs
description | ioc | Process
File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rms_s.lng | msiexec.exe
File created | C:\Program Files (x86)\Remote Manipulator System - Host\Microsoft.VC90.CRT.manifest | msiexec.exe
File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rms.lng | msiexec.exe
File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rms_s.lng | msiexec.exe
File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rmspm.dll | msiexec.exe
File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\progress.exe | msiexec.exe
File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\unidrvui_rms.dll | msiexec.exe
File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\VPDAgent_x64.exe | msiexec.exe
File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rmspm.dll | msiexec.exe
File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unidrv_rms.dll | msiexec.exe
File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unidrvui_rms.dll | msiexec.exe
File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\srvinst.exe | msiexec.exe
File created | C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe | msiexec.exe
File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rms.ini | msiexec.exe
File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\fwproc.exe | msiexec.exe
File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rmsui2.exe | msiexec.exe
File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unires_vpd.dll | msiexec.exe
File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unidrv_rms.hlp | msiexec.exe
File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\install.cmd | msiexec.exe
File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\uninstall.cmd | msiexec.exe
File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\stdnames_vpd.gpd | msiexec.exe
File created | C:\Program Files (x86)\Remote Manipulator System - Host\English.lg | msiexec.exe
File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rmsui2.exe | msiexec.exe
File created | C:\Program Files (x86)\Remote Manipulator System - Host\msvcr90.dll | msiexec.exe
File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\srvinst_x64.exe | msiexec.exe
File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\stdnames_vpd.gpd | msiexec.exe
File created | C:\Program Files (x86)\Remote Manipulator System - Host\vp8encoder.dll | msiexec.exe
File created | C:\Program Files (x86)\Remote Manipulator System - Host\msvcp90.dll | msiexec.exe
File opened for modification | C:\Program Files (x86)\Remote Manipulator System - Host\winmm.dll | cmd.exe
File created | C:\Program Files (x86)\Remote Manipulator System - Host\Russian.lg | msiexec.exe
File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\SampleClient.exe | msiexec.exe
File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\uninstall.cmd | msiexec.exe
File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\install.cmd | msiexec.exe
File created | C:\Program Files (x86)\Remote Manipulator System - Host\dsfVorbisEncoder.dll | msiexec.exe
File created | C:\Program Files (x86)\Remote Manipulator System - Host\vp8decoder.dll | msiexec.exe
File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\ntprint.inf | msiexec.exe
File created | C:\Program Files (x86)\Remote Manipulator System - Host\winmm.dll | cmd.exe
File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\ntprint.inf | msiexec.exe
File created | C:\Program Files (x86)\Remote Manipulator System - Host\dsfVorbisDecoder.dll | msiexec.exe
File created | C:\Program Files (x86)\Remote Manipulator System - Host\EULA.rtf | msiexec.exe
File created | C:\Program Files (x86)\Remote Manipulator System - Host\gdiplus.dll | msiexec.exe
File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rms.gpd | msiexec.exe
File created | C:\Program Files (x86)\Remote Manipulator System - Host\RWLN.dll | msiexec.exe
File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rms.ini | msiexec.exe
File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rmsui.dll | msiexec.exe
File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rms.gpd | msiexec.exe
File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\setupdrv.exe | msiexec.exe
File created | C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe | msiexec.exe
File created | C:\Program Files (x86)\Remote Manipulator System - Host\RIPCServer.dll | msiexec.exe
File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\VPDAgent.exe | msiexec.exe
File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\unidrv_rms.dll | msiexec.exe
File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\unires_vpd.dll | msiexec.exe
File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rmsui.dll | msiexec.exe
File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\fwproc.exe | msiexec.exe
File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\setupdrv.exe | msiexec.exe
File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rms.lng | msiexec.exe
File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\unidrv_rms.hlp | msiexec.exe
File created | C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\progress.exe | msiexec.exe
Drops file in Windows directory 17 IoCs
description | ioc | Process
File created | C:\Windows\Installer\{C2AD926E-45DC-4C5F-88A0-63AEE6A3262A}\ARPPRODUCTICON.exe | msiexec.exe
File created | C:\Windows\Installer\{C2AD926E-45DC-4C5F-88A0-63AEE6A3262A}\UNINST_Uninstall_R_3B1E3C8B7D0945898DA82CEEED02F0C7.exe | msiexec.exe
File created | C:\Windows\Installer\6c350a.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\{C2AD926E-45DC-4C5F-88A0-63AEE6A3262A}\UNINST_Uninstall_R_3B1E3C8B7D0945898DA82CEEED02F0C7.exe | msiexec.exe
File created | C:\Windows\Installer\{C2AD926E-45DC-4C5F-88A0-63AEE6A3262A}\server_stop_27D7873393984316BEA10FB36BB4D2F9.exe | msiexec.exe
File created | C:\Windows\Installer\{C2AD926E-45DC-4C5F-88A0-63AEE6A3262A}\server_start_C00864331B9D4391A8A26292A601EBE2.exe | msiexec.exe
File created | C:\Windows\Installer\6c3506.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\6c3506.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIB208.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI9297.tmp | msiexec.exe
File created | C:\Windows\Installer\{C2AD926E-45DC-4C5F-88A0-63AEE6A3262A}\server_config_C8E9A92497A149D695F92E4E3AE550F0.exe | msiexec.exe
File opened for modification | C:\Windows\Installer\{C2AD926E-45DC-4C5F-88A0-63AEE6A3262A}\server_config_C8E9A92497A149D695F92E4E3AE550F0.exe | msiexec.exe
File opened for modification | C:\Windows\Installer\{C2AD926E-45DC-4C5F-88A0-63AEE6A3262A}\server_start_C00864331B9D4391A8A26292A601EBE2.exe | msiexec.exe
File created | C:\Windows\Installer\6c3508.ipi | msiexec.exe
File opened for modification | C:\Windows\Installer\ | msiexec.exe
File opened for modification | C:\Windows\Installer\{C2AD926E-45DC-4C5F-88A0-63AEE6A3262A}\ARPPRODUCTICON.exe | msiexec.exe
File opened for modification | C:\Windows\Installer\{C2AD926E-45DC-4C5F-88A0-63AEE6A3262A}\server_stop_27D7873393984316BEA10FB36BB4D2F9.exe | msiexec.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Modifies data under HKEY_USERS 3 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | rutserv.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | rutserv.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | rutserv.exe
Modifies registry class 24 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E629DA2CCD54F5C4880A36EA6E3A62A2\SourceList\Media\1 = "DISK1;1" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E629DA2CCD54F5C4880A36EA6E3A62A2\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\7ZipSfx.000\\" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E629DA2CCD54F5C4880A36EA6E3A62A2\PackageCode = "CA621BAB2625C4F47B0824566FC192D8" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E629DA2CCD54F5C4880A36EA6E3A62A2\AuthorizedLUAApp = "0" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E629DA2CCD54F5C4880A36EA6E3A62A2\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\7ZipSfx.000\\" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E629DA2CCD54F5C4880A36EA6E3A62A2\DeploymentFlags = "3" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E629DA2CCD54F5C4880A36EA6E3A62A2\SourceList | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E629DA2CCD54F5C4880A36EA6E3A62A2\ProductName = "Remote Manipulator System - Host" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E629DA2CCD54F5C4880A36EA6E3A62A2\ProductIcon = "C:\\Windows\\Installer\\{C2AD926E-45DC-4C5F-88A0-63AEE6A3262A}\\ARPPRODUCTICON.exe" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E629DA2CCD54F5C4880A36EA6E3A62A2\InstanceType = "0" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\509B38EF4554FFD4794F292971C81B17\E629DA2CCD54F5C4880A36EA6E3A62A2 | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E629DA2CCD54F5C4880A36EA6E3A62A2\SourceList\PackageName = "rms.host5.5ru.msi" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E629DA2CCD54F5C4880A36EA6E3A62A2\SourceList\Media\DiskPrompt = "[1]" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E629DA2CCD54F5C4880A36EA6E3A62A2\Language = "1049" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E629DA2CCD54F5C4880A36EA6E3A62A2\AdvertiseFlags = "388" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\509B38EF4554FFD4794F292971C81B17 | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E629DA2CCD54F5C4880A36EA6E3A62A2\Version = "100603060" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E629DA2CCD54F5C4880A36EA6E3A62A2\Assignment = "1" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E629DA2CCD54F5C4880A36EA6E3A62A2\SourceList\Net | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E629DA2CCD54F5C4880A36EA6E3A62A2\SourceList\Media | msiexec.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E629DA2CCD54F5C4880A36EA6E3A62A2\Clients = 3a0000000000 | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\E629DA2CCD54F5C4880A36EA6E3A62A2 | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\E629DA2CCD54F5C4880A36EA6E3A62A2\RMS | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E629DA2CCD54F5C4880A36EA6E3A62A2 | msiexec.exe
Runs ping.exe 1 TTPs 2 IoCs
pid | Process
2016 | PING.EXE
1784 | PING.EXE
Suspicious behavior: EnumeratesProcesses 12 IoCs
pid | Process
1052 | msiexec.exe
1052 | msiexec.exe
1324 | rutserv.exe
1324 | rutserv.exe
1324 | rutserv.exe
1324 | rutserv.exe
692 | rutserv.exe
692 | rutserv.exe
1748 | rutserv.exe
1748 | rutserv.exe
1748 | rutserv.exe
1748 | rutserv.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process
Token: SeShutdownPrivilege | 2000 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 2000 | msiexec.exe
Token: SeRestorePrivilege | 1052 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 1052 | msiexec.exe
Token: SeSecurityPrivilege | 1052 | msiexec.exe
Token: SeCreateTokenPrivilege | 2000 | msiexec.exe
Token: SeAssignPrimaryTokenPrivilege | 2000 | msiexec.exe
Token: SeLockMemoryPrivilege | 2000 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 2000 | msiexec.exe
Token: SeMachineAccountPrivilege | 2000 | msiexec.exe
Token: SeTcbPrivilege | 2000 | msiexec.exe
Token: SeSecurityPrivilege | 2000 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2000 | msiexec.exe
Token: SeLoadDriverPrivilege | 2000 | msiexec.exe
Token: SeSystemProfilePrivilege | 2000 | msiexec.exe
Token: SeSystemtimePrivilege | 2000 | msiexec.exe
Token: SeProfSingleProcessPrivilege | 2000 | msiexec.exe
Token: SeIncBasePriorityPrivilege | 2000 | msiexec.exe
Token: SeCreatePagefilePrivilege | 2000 | msiexec.exe
Token: SeCreatePermanentPrivilege | 2000 | msiexec.exe
Token: SeBackupPrivilege | 2000 | msiexec.exe
Token: SeRestorePrivilege | 2000 | msiexec.exe
Token: SeShutdownPrivilege | 2000 | msiexec.exe
Token: SeDebugPrivilege | 2000 | msiexec.exe
Token: SeAuditPrivilege | 2000 | msiexec.exe
Token: SeSystemEnvironmentPrivilege | 2000 | msiexec.exe
Token: SeChangeNotifyPrivilege | 2000 | msiexec.exe
Token: SeRemoteShutdownPrivilege | 2000 | msiexec.exe
Token: SeUndockPrivilege | 2000 | msiexec.exe
Token: SeSyncAgentPrivilege | 2000 | msiexec.exe
Token: SeEnableDelegationPrivilege | 2000 | msiexec.exe
Token: SeManageVolumePrivilege | 2000 | msiexec.exe
Token: SeImpersonatePrivilege | 2000 | msiexec.exe
Token: SeCreateGlobalPrivilege | 2000 | msiexec.exe
Token: SeShutdownPrivilege | 1700 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 1700 | msiexec.exe
Token: SeCreateTokenPrivilege | 1700 | msiexec.exe
Token: SeAssignPrimaryTokenPrivilege | 1700 | msiexec.exe
Token: SeLockMemoryPrivilege | 1700 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 1700 | msiexec.exe
Token: SeMachineAccountPrivilege | 1700 | msiexec.exe
Token: SeTcbPrivilege | 1700 | msiexec.exe
Token: SeSecurityPrivilege | 1700 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 1700 | msiexec.exe
Token: SeLoadDriverPrivilege | 1700 | msiexec.exe
Token: SeSystemProfilePrivilege | 1700 | msiexec.exe
Token: SeSystemtimePrivilege | 1700 | msiexec.exe
Token: SeProfSingleProcessPrivilege | 1700 | msiexec.exe
Token: SeIncBasePriorityPrivilege | 1700 | msiexec.exe
Token: SeCreatePagefilePrivilege | 1700 | msiexec.exe
Token: SeCreatePermanentPrivilege | 1700 | msiexec.exe
Token: SeBackupPrivilege | 1700 | msiexec.exe
Token: SeRestorePrivilege | 1700 | msiexec.exe
Token: SeShutdownPrivilege | 1700 | msiexec.exe
Token: SeDebugPrivilege | 1700 | msiexec.exe
Token: SeAuditPrivilege | 1700 | msiexec.exe
Token: SeSystemEnvironmentPrivilege | 1700 | msiexec.exe
Token: SeChangeNotifyPrivilege | 1700 | msiexec.exe
Token: SeRemoteShutdownPrivilege | 1700 | msiexec.exe
Token: SeUndockPrivilege | 1700 | msiexec.exe
Token: SeSyncAgentPrivilege | 1700 | msiexec.exe
Token: SeEnableDelegationPrivilege | 1700 | msiexec.exe
Token: SeManageVolumePrivilege | 1700 | msiexec.exe
Token: SeImpersonatePrivilege | 1700 | msiexec.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 1604 wrote to memory of 1600 | 1604 | fb2c0262656d101b084eecc059653b938081a6a812197d2c6c8f7582f946c3e3.exe | 27
PID 1604 wrote to memory of 1600 | 1604 | fb2c0262656d101b084eecc059653b938081a6a812197d2c6c8f7582f946c3e3.exe | 27
PID 1604 wrote to memory of 1600 | 1604 | fb2c0262656d101b084eecc059653b938081a6a812197d2c6c8f7582f946c3e3.exe | 27
PID 1604 wrote to memory of 1600 | 1604 | fb2c0262656d101b084eecc059653b938081a6a812197d2c6c8f7582f946c3e3.exe | 27
PID 1604 wrote to memory of 1600 | 1604 | fb2c0262656d101b084eecc059653b938081a6a812197d2c6c8f7582f946c3e3.exe | 27
PID 1604 wrote to memory of 1600 | 1604 | fb2c0262656d101b084eecc059653b938081a6a812197d2c6c8f7582f946c3e3.exe | 27
PID 1604 wrote to memory of 1600 | 1604 | fb2c0262656d101b084eecc059653b938081a6a812197d2c6c8f7582f946c3e3.exe | 27
PID 1600 wrote to memory of 1996 | 1600 | cmd.exe | 29
PID 1600 wrote to memory of 1996 | 1600 | cmd.exe | 29
PID 1600 wrote to memory of 1996 | 1600 | cmd.exe | 29
PID 1600 wrote to memory of 1996 | 1600 | cmd.exe | 29
PID 1600 wrote to memory of 2000 | 1600 | cmd.exe | 30
PID 1600 wrote to memory of 2000 | 1600 | cmd.exe | 30
PID 1600 wrote to memory of 2000 | 1600 | cmd.exe | 30
PID 1600 wrote to memory of 2000 | 1600 | cmd.exe | 30
PID 1600 wrote to memory of 2000 | 1600 | cmd.exe | 30
PID 1600 wrote to memory of 2000 | 1600 | cmd.exe | 30
PID 1600 wrote to memory of 2000 | 1600 | cmd.exe | 30
PID 1600 wrote to memory of 1700 | 1600 | cmd.exe | 32
PID 1600 wrote to memory of 1700 | 1600 | cmd.exe | 32
PID 1600 wrote to memory of 1700 | 1600 | cmd.exe | 32
PID 1600 wrote to memory of 1700 | 1600 | cmd.exe | 32
PID 1600 wrote to memory of 1700 | 1600 | cmd.exe | 32
PID 1600 wrote to memory of 1700 | 1600 | cmd.exe | 32
PID 1600 wrote to memory of 1700 | 1600 | cmd.exe | 32
PID 1600 wrote to memory of 2016 | 1600 | cmd.exe | 33
PID 1600 wrote to memory of 2016 | 1600 | cmd.exe | 33
PID 1600 wrote to memory of 2016 | 1600 | cmd.exe | 33
PID 1600 wrote to memory of 2016 | 1600 | cmd.exe | 33
PID 1600 wrote to memory of 684 | 1600 | cmd.exe | 34
PID 1600 wrote to memory of 684 | 1600 | cmd.exe | 34
PID 1600 wrote to memory of 684 | 1600 | cmd.exe | 34
PID 1600 wrote to memory of 684 | 1600 | cmd.exe | 34
PID 1600 wrote to memory of 684 | 1600 | cmd.exe | 34
PID 1600 wrote to memory of 684 | 1600 | cmd.exe | 34
PID 1600 wrote to memory of 684 | 1600 | cmd.exe | 34
PID 1052 wrote to memory of 1148 | 1052 | msiexec.exe | 35
PID 1052 wrote to memory of 1148 | 1052 | msiexec.exe | 35
PID 1052 wrote to memory of 1148 | 1052 | msiexec.exe | 35
PID 1052 wrote to memory of 1148 | 1052 | msiexec.exe | 35
PID 1052 wrote to memory of 1148 | 1052 | msiexec.exe | 35
PID 1052 wrote to memory of 1148 | 1052 | msiexec.exe | 35
PID 1052 wrote to memory of 1148 | 1052 | msiexec.exe | 35
PID 1052 wrote to memory of 1324 | 1052 | msiexec.exe | 36
PID 1052 wrote to memory of 1324 | 1052 | msiexec.exe | 36
PID 1052 wrote to memory of 1324 | 1052 | msiexec.exe | 36
PID 1052 wrote to memory of 1324 | 1052 | msiexec.exe | 36
PID 1052 wrote to memory of 692 | 1052 | msiexec.exe | 37
PID 1052 wrote to memory of 692 | 1052 | msiexec.exe | 37
PID 1052 wrote to memory of 692 | 1052 | msiexec.exe | 37
PID 1052 wrote to memory of 692 | 1052 | msiexec.exe | 37
PID 1052 wrote to memory of 1748 | 1052 | msiexec.exe | 38
PID 1052 wrote to memory of 1748 | 1052 | msiexec.exe | 38
PID 1052 wrote to memory of 1748 | 1052 | msiexec.exe | 38
PID 1052 wrote to memory of 1748 | 1052 | msiexec.exe | 38
PID 1748 wrote to memory of 1192 | 1748 | rutserv.exe | 39
PID 1748 wrote to memory of 1192 | 1748 | rutserv.exe | 39
PID 1748 wrote to memory of 1192 | 1748 | rutserv.exe | 39
PID 1748 wrote to memory of 1192 | 1748 | rutserv.exe | 39
PID 1748 wrote to memory of 1192 | 1748 | rutserv.exe | 39
PID 1748 wrote to memory of 1192 | 1748 | rutserv.exe | 39
PID 1748 wrote to memory of 1192 | 1748 | rutserv.exe | 39
PID 1192 wrote to memory of 1396 | 1192 | cmd.exe | 41
PID 1192 wrote to memory of 1396 | 1192 | cmd.exe | 41
Processes
C:\Users\Admin\AppData\Local\Temp\fb2c0262656d101b084eecc059653b938081a6a812197d2c6c8f7582f946c3e3.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\fb2c0262656d101b084eecc059653b938081a6a812197d2c6c8f7582f946c3e3.exe"
  PID: 1604
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\install.cmd" "
    PID: 1600
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\chcp.com
      Command line: chcp 1251
      PID: 1996
    C:\Windows\SysWOW64\msiexec.exe
      Command line: MsiExec /x {61FFA475-24D5-44FB-A51F-39B699E3D82C} /qn REBOOT=ReallySuppress
      PID: 2000
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\msiexec.exe
      Command line: MsiExec /x {54067864-C0E7-47DB-A0C1-D6C874CE6BD8} /qn REBOOT=ReallySuppress
      PID: 1700
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      PID: 2016
      - Runs ping.exe
    C:\Windows\SysWOW64\msiexec.exe
      Command line: MsiExec /I "rms.host5.5ru.msi" /qn
      PID: 684
C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  PID: 1052
  - Blocklisted process makes network request
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\syswow64\MsiExec.exe
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 8E81C20E56D0B620032229F852FE36C1
    PID: 1148
    - Loads dropped DLL
  C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
    Command line: "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" /silentinstall
    PID: 1324
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
  C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
    Command line: "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" /firewall
    PID: 692
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
  C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
    Command line: "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" /printerinstall
    PID: 1748
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c ""C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\uninstall.cmd" "
      PID: 1192
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\srvinst_x64.exe
        Command line: srvinst_x64.exe stop
        PID: 1396
        - Executes dropped EXE
      C:\Windows\SysWOW64\PING.EXE
        Command line: ping localhost
        PID: 1784
        - Runs ping.exe
      C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\setupdrv.exe
        Command line: setupdrv.exe uninstall
        PID: 1660
        - Executes dropped EXE
      C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\srvinst_x64.exe
        Command line: srvinst_x64.exe uninstall
        PID: 1716
        - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 64KB
MD5: 3e2d738baf89f2df0f677453b641b00f
SHA1: ba3db6e032a2a9ca7197459c9485ae05a31e6214
SHA256: ea746fa2f55af75aea2f476a5a8371e2446b4c993b668468566734ca4172e98b
SHA512: 1a721f3a4bca6c32dbcbbc408c41bb52bd42f9d4abea4a663daf5d8553cba7b3907b4ef147cdf3d4725eab6410218c587383192a640a89738a781978b59e3896

Filesize: 39KB
MD5: 8d5c6130f1ac7bbc63a5ca7bfdbe0b86
SHA1: 65c5870581d5ecccda95e8cd7988ed296e1b13bf
SHA256: 00dbd31fb64d0c908f174c7f028e7beb287f2ac25e2ddf6109df910cf2900205
SHA512: dcaf1d6d3e6d87f7f6eed0ecb2b16156048589a37c0528d3dc1d0f691e831cfe6d82a7122d52429e94b694802ec8b50893eb86d25ea660d6b397d47cdcd761c9

Filesize: 87B
MD5: 24837286ab8b5537ea3967e0a7905238
SHA1: 4f3dc09d2f0c9ede72577154b9954621dd30604b
SHA256: f6ebaa2bc59841b72aaf3c03c7bfea91c75ec1f982f497d6b3d7fb7271cacdf6
SHA512: 6b0cfd707fbab7034ef45b4864329a9ad01f649216fe13aede6bf6488b50020da65f8a3776c1b125eebe08aef6a848d04a33de8277a2ad3827c8869af1368c00

Filesize: 5.7MB
MD5: 84abcb8cc5427479c3e4ebe66300c78a
SHA1: 4227f7850eaebf08f18aa6a2769a600a05bfbf70
SHA256: a0487ebd599580d2364bafcd8990970436e40e4979021e02866d0652067d6dbd
SHA512: 2f3c5dcba1ea204e7abe9dcc47c40097a2d3ddd52b979a8bdd773977e64195a3b71cb5bd2bdb196e5c55071a918326bed34dadc48f1927067b9011bb3633039a

Filesize: 21KB
MD5: 91b769ba7d48157f452bd26be72160ec
SHA1: b61e2369084235ebc0bc277c16d3a56ac20a95b9
SHA256: 58e401bfbd9387d65571afda2ffc28d290d9d21843aa06a6ceca4f9457d357e9
SHA512: 1c1a87690486d22007f6f0e5c101575a78f1a17255d4cf6a79df7f5c5b2b4c3e8ec01bf5df33515ea888df12d52a5cd959bd7df6dfb0acceb34b411e97f8f0c2

Filesize: 686B
MD5: 71b49822e6941d131840c3902d61b940
SHA1: 9bd095ae0ef802bae85f659a22c7f343814c9a9d
SHA256: 903cebb868adeea505be095cbc5bff92fa66ffd848a171d3b1208efa8ed6d66b
SHA512: ce0a42fe81f21547cdf95f3141319c167449a81228ff50599f1e2483543f6c9291e0f1b60157fb495de64526d62a4499b07bedf218c73392b739bbef935322df

Filesize: 7.9MB
MD5: f63f70f82fa77f0e2f771c7fc10b3985
SHA1: d6db70a31267811aa5553058a32f0382532f1b12
SHA256: 4e079967632c04b3981197fc54c925bab1a7b9a1edf9a3c282374563a481dfc2
SHA512: 792eb27d03d67574938429f3177e7b896d9ef96e2b24002f5a6d5a6c077451ec0f4dd8d0c88e09a625e4d04e516450739583c35a3377b8cc741bf3b33197d889

Filesize: 125KB
MD5: b0bcc622f1fff0eec99e487fa1a4ddd9
SHA1: 49aa392454bd5869fa23794196aedc38e8eea6f5
SHA256: b32687eaaad888410718875dcbff9f6a552e29c4d76af33e06e59859e1054081
SHA512: 1572c1d07df2e9262d05a915d69ec4ebeb92eab50b89ce27dd290fb5a8e1de2c97d9320a3bb006834c98b3f6afcd7d2c29f039d9ca9afaa09c714406dedbc3c7