rms | 10165e27e0db0a6708f346ddea657ab0409499f93eb8426a80864a966f0f401e

Analysis

max time kernel
166s
max time network
173s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
09-01-2024 22:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

8.3MB
MD5

cb2ffac2a251378cda3f91cd613f453d
SHA1

3a028761638f5aa93b0719c5650c83a138e8abc9
SHA256

10165e27e0db0a6708f346ddea657ab0409499f93eb8426a80864a966f0f401e
SHA512

1d203540fde5074f0d57e1ecbd9af2ee862b940f8fb58c3e55ad9db5ba029aff82a4468eee24c760b5e55cc96e61244af0fd6f3c46db857824e13e45ec1e802f
SSDEEP

196608:P4Z1cDw8TWMpWRGAk7R85du3dWbpkPbVAp2FG0c+imht+:PE1CE3k7R5NWqu0cU+

Score

10^/10

rms discovery rat trojan

Malware Config

Signatures

RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

tmp.exeinstaller.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation	tmp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation	installer.exe

Executes dropped EXE 8 IoCs

Processes:

installer.exerutserv.exerutserv.exerutserv.exerutserv.exerfusclient.exerfusclient.exerfusclient.exe

pid	Process
3016	installer.exe
2604	rutserv.exe
1488	rutserv.exe
4932	rutserv.exe
4716	rutserv.exe
4076	rfusclient.exe
5096	rfusclient.exe
4948	rfusclient.exe

Loads dropped DLL 1 IoCs

Processes:

MsiExec.exe

pid	Process
2964	MsiExec.exe

Blocklisted process makes network request 3 IoCs

Processes:

msiexec.exe

flow	pid	Process
25	2640	msiexec.exe
36	2640	msiexec.exe
38	2640	msiexec.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exe

description	ioc	Process
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe

Drops file in Program Files directory 53 IoCs

Processes:

msiexec.exe

description	ioc	Process
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rmsui.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\vp8decoder.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rms.ini	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rmspm.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\webmvorbisencoder.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rms.lng	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rms.lng	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\unidrv_rms.hlp	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\webmvorbisdecoder.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\fwproc.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unires_vpd.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unidrv_rms.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\English.lg	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Russian.lg	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\srvinst.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\uninstall.cmd	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\stdnames_vpd.gpd	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rms_s.lng	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rms_s.lng	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\SampleClient.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\unires_vpd.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\setupdrv.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unidrv_rms.hlp	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rmsui2.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\setupdrv.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rms.gpd	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\EULA.rtf	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\fwproc.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\VPDAgent.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\RWLN.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rms.ini	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rmsui2.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\srvinst_x64.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\VPDAgent_x64.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\unidrvui_rms.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\vp8encoder.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\uninstall.cmd	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rms.gpd	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\RIPCServer.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\progress.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\ntprint.inf	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\progress.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unidrvui_rms.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\ntprint.inf	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\install.cmd	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rmspm.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rmsui.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\stdnames_vpd.gpd	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\install.cmd	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\unidrv_rms.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\webmmux.dll	msiexec.exe

Drops file in Windows directory 19 IoCs

Processes:

msiexec.exe

description	ioc	Process
File created	C:\Windows\Installer\e57b42d.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\ARPPRODUCTICON.exe	msiexec.exe
File created	C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\UNINST_Uninstall_R_3B1E3C8B7D0945898DA82CEEED02F0C7.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\server_config_C8E9A92497A149D695F92E4E3AE550F0.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\server_start_C00864331B9D4391A8A26292A601EBE2.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID979.tmp	msiexec.exe
File created	C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\ARPPRODUCTICON.exe	msiexec.exe
File created	C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\server_stop_27D7873393984316BEA10FB36BB4D2F9.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\e57b42d.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID7E1.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\server_config_C8E9A92497A149D695F92E4E3AE550F0.exe	msiexec.exe
File created	C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\server_start_C00864331B9D4391A8A26292A601EBE2.exe	msiexec.exe
File created	C:\Windows\Installer\SourceHash{D9E14363-FD66-419D-9DC9-C62471755C9F}	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\e57b431.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\UNINST_Uninstall_R_3B1E3C8B7D0945898DA82CEEED02F0C7.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\server_stop_27D7873393984316BEA10FB36BB4D2F9.exe	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 3 IoCs

Processes:

msiexec.exe

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\23	msiexec.exe

Modifies registry class 24 IoCs

Processes:

msiexec.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\AuthorizedLUAApp = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\DeploymentFlags = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\509B38EF4554FFD4794F292971C81B17\36341E9D66DFD914D99C6C421757C5F9	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\PackageCode = "EE22CCA5812A64F4CB23B29D2A4A798E"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\AdvertiseFlags = "388"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\SourceList\PackageName = "rms.host6.3.4ru_mod_mod.msi"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\SourceList\Net	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\SourceList\Media\1 = "DISK1;1"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\36341E9D66DFD914D99C6C421757C5F9	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\Version = "115998720"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\InstanceType = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\509B38EF4554FFD4794F292971C81B17	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\7ZipSfx.000\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\ProductName = "Remote Manipulator System - Host"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\Language = "1049"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\ProductIcon = "C:\\Windows\\Installer\\{D9E14363-FD66-419D-9DC9-C62471755C9F}\\ARPPRODUCTICON.exe"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\SourceList\Media\DiskPrompt = "[1]"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\7ZipSfx.000\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\36341E9D66DFD914D99C6C421757C5F9\RMS	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9	msiexec.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

Processes:

installer.exemsiexec.exerutserv.exerutserv.exerutserv.exerutserv.exerfusclient.exe

pid	Process
3016	installer.exe
3016	installer.exe
3016	installer.exe
3016	installer.exe
3016	installer.exe
3016	installer.exe
3016	installer.exe
3016	installer.exe
3016	installer.exe
3016	installer.exe
2640	msiexec.exe
2640	msiexec.exe
2604	rutserv.exe
2604	rutserv.exe
2604	rutserv.exe
2604	rutserv.exe
2604	rutserv.exe
2604	rutserv.exe
1488	rutserv.exe
1488	rutserv.exe
4932	rutserv.exe
4932	rutserv.exe
4716	rutserv.exe
4716	rutserv.exe
4716	rutserv.exe
4716	rutserv.exe
4716	rutserv.exe
4716	rutserv.exe
4076	rfusclient.exe
4076	rfusclient.exe

Suspicious behavior: SetClipboardViewer 1 IoCs

Processes:

rfusclient.exe

pid	Process
4948	rfusclient.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exemsiexec.exe

description	pid	Process
Token: SeShutdownPrivilege	680	msiexec.exe
Token: SeIncreaseQuotaPrivilege	680	msiexec.exe
Token: SeSecurityPrivilege	2640	msiexec.exe
Token: SeCreateTokenPrivilege	680	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	680	msiexec.exe
Token: SeLockMemoryPrivilege	680	msiexec.exe
Token: SeIncreaseQuotaPrivilege	680	msiexec.exe
Token: SeMachineAccountPrivilege	680	msiexec.exe
Token: SeTcbPrivilege	680	msiexec.exe
Token: SeSecurityPrivilege	680	msiexec.exe
Token: SeTakeOwnershipPrivilege	680	msiexec.exe
Token: SeLoadDriverPrivilege	680	msiexec.exe
Token: SeSystemProfilePrivilege	680	msiexec.exe
Token: SeSystemtimePrivilege	680	msiexec.exe
Token: SeProfSingleProcessPrivilege	680	msiexec.exe
Token: SeIncBasePriorityPrivilege	680	msiexec.exe
Token: SeCreatePagefilePrivilege	680	msiexec.exe
Token: SeCreatePermanentPrivilege	680	msiexec.exe
Token: SeBackupPrivilege	680	msiexec.exe
Token: SeRestorePrivilege	680	msiexec.exe
Token: SeShutdownPrivilege	680	msiexec.exe
Token: SeDebugPrivilege	680	msiexec.exe
Token: SeAuditPrivilege	680	msiexec.exe
Token: SeSystemEnvironmentPrivilege	680	msiexec.exe
Token: SeChangeNotifyPrivilege	680	msiexec.exe
Token: SeRemoteShutdownPrivilege	680	msiexec.exe
Token: SeUndockPrivilege	680	msiexec.exe
Token: SeSyncAgentPrivilege	680	msiexec.exe
Token: SeEnableDelegationPrivilege	680	msiexec.exe
Token: SeManageVolumePrivilege	680	msiexec.exe
Token: SeImpersonatePrivilege	680	msiexec.exe
Token: SeCreateGlobalPrivilege	680	msiexec.exe
Token: SeRestorePrivilege	2640	msiexec.exe
Token: SeTakeOwnershipPrivilege	2640	msiexec.exe
Token: SeRestorePrivilege	2640	msiexec.exe
Token: SeTakeOwnershipPrivilege	2640	msiexec.exe
Token: SeRestorePrivilege	2640	msiexec.exe
Token: SeTakeOwnershipPrivilege	2640	msiexec.exe
Token: SeRestorePrivilege	2640	msiexec.exe
Token: SeTakeOwnershipPrivilege	2640	msiexec.exe
Token: SeRestorePrivilege	2640	msiexec.exe
Token: SeTakeOwnershipPrivilege	2640	msiexec.exe
Token: SeRestorePrivilege	2640	msiexec.exe
Token: SeTakeOwnershipPrivilege	2640	msiexec.exe
Token: SeRestorePrivilege	2640	msiexec.exe
Token: SeTakeOwnershipPrivilege	2640	msiexec.exe
Token: SeRestorePrivilege	2640	msiexec.exe
Token: SeTakeOwnershipPrivilege	2640	msiexec.exe
Token: SeRestorePrivilege	2640	msiexec.exe
Token: SeTakeOwnershipPrivilege	2640	msiexec.exe
Token: SeRestorePrivilege	2640	msiexec.exe
Token: SeTakeOwnershipPrivilege	2640	msiexec.exe
Token: SeRestorePrivilege	2640	msiexec.exe
Token: SeTakeOwnershipPrivilege	2640	msiexec.exe
Token: SeRestorePrivilege	2640	msiexec.exe
Token: SeTakeOwnershipPrivilege	2640	msiexec.exe
Token: SeRestorePrivilege	2640	msiexec.exe
Token: SeTakeOwnershipPrivilege	2640	msiexec.exe
Token: SeRestorePrivilege	2640	msiexec.exe
Token: SeTakeOwnershipPrivilege	2640	msiexec.exe
Token: SeRestorePrivilege	2640	msiexec.exe
Token: SeTakeOwnershipPrivilege	2640	msiexec.exe
Token: SeRestorePrivilege	2640	msiexec.exe
Token: SeTakeOwnershipPrivilege	2640	msiexec.exe

Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

installer.exerutserv.exerutserv.exerutserv.exerutserv.exe

pid	Process
3016	installer.exe
2604	rutserv.exe
1488	rutserv.exe
4932	rutserv.exe
4716	rutserv.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

tmp.exeinstaller.exemsiexec.exerutserv.exerfusclient.exe

description	pid	Process	procid_target
PID 2516 wrote to memory of 3016	2516	tmp.exe	91
PID 2516 wrote to memory of 3016	2516	tmp.exe	91
PID 2516 wrote to memory of 3016	2516	tmp.exe	91
PID 3016 wrote to memory of 680	3016	installer.exe	92
PID 3016 wrote to memory of 680	3016	installer.exe	92
PID 3016 wrote to memory of 680	3016	installer.exe	92
PID 2640 wrote to memory of 2964	2640	msiexec.exe	97
PID 2640 wrote to memory of 2964	2640	msiexec.exe	97
PID 2640 wrote to memory of 2964	2640	msiexec.exe	97
PID 2640 wrote to memory of 2604	2640	msiexec.exe	100
PID 2640 wrote to memory of 2604	2640	msiexec.exe	100
PID 2640 wrote to memory of 2604	2640	msiexec.exe	100
PID 2640 wrote to memory of 1488	2640	msiexec.exe	101
PID 2640 wrote to memory of 1488	2640	msiexec.exe	101
PID 2640 wrote to memory of 1488	2640	msiexec.exe	101
PID 2640 wrote to memory of 4932	2640	msiexec.exe	102
PID 2640 wrote to memory of 4932	2640	msiexec.exe	102
PID 2640 wrote to memory of 4932	2640	msiexec.exe	102
PID 3016 wrote to memory of 4840	3016	installer.exe	104
PID 3016 wrote to memory of 4840	3016	installer.exe	104
PID 3016 wrote to memory of 4840	3016	installer.exe	104
PID 4716 wrote to memory of 5096	4716	rutserv.exe	106
PID 4716 wrote to memory of 5096	4716	rutserv.exe	106
PID 4716 wrote to memory of 5096	4716	rutserv.exe	106
PID 4716 wrote to memory of 4076	4716	rutserv.exe	107
PID 4716 wrote to memory of 4076	4716	rutserv.exe	107
PID 4716 wrote to memory of 4076	4716	rutserv.exe	107
PID 4076 wrote to memory of 4948	4076	rfusclient.exe	108
PID 4076 wrote to memory of 4948	4076	rfusclient.exe	108
PID 4076 wrote to memory of 4948	4076	rfusclient.exe	108

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2516
- C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer.exe
  "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer.exe" /rsetup
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3016
- - C:\Windows\SysWOW64\msiexec.exe
    "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rms.host6.3.4ru_mod_mod.msi" /qn
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:680
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\killself.bat
    3⤵
    PID:4840

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2640
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 4070BB8967BE8416F45818B3BCD6CD8C
  2⤵
  - Loads dropped DLL
  PID:2964
- C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
  "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" /silentinstall
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2604
- C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
  "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" /firewall
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1488
- C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
  "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" /start
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:4932

C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
"C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4716
- C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe
  "C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe" /tray
  2⤵
  - Executes dropped EXE
  PID:5096
- C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe
  "C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4076
- - C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe
    "C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe" /tray
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: SetClipboardViewer
    PID:4948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e57b430.rbs

Filesize
19KB

MD5
6fde619523d78ae884e71fcbb82bde67

SHA1
d618a4cfb41311902291ccaca6734083eaddc82f

SHA256
7383f725be8706355cf4ea285019f67fc2c3e22bf451b7293a6d5062ac042b03

SHA512
b6808d7e66891e730722e05185e30ea8c3efd933cea221ecb06c20640cf390e3a497422aee5cfbed8003f24b430d519db313a31a575ab44e0fdcf60eebeba960

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\English.lg

Filesize
43KB

MD5
bc25377ade68750b834c81fa71c233b8

SHA1
84dbb465dd2125f47668e2508e18af9bd6db2fd8

SHA256
9a48a7ea7ba2c2f33280d1e1722ebbc59bf81bc6c5a1f97edca53ea641ffd8e3

SHA512
205ab195339d7108adbe6dfabd48e4e21c5956ded587d7213a44618f0d34a43f7b8abaa7765b9d31695efacfc44beeb69fbaa3cb27c141b6a653713fdf5ebce5

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\RIPCServer.dll

Filesize
144KB

MD5
2ddfa39f5c2fd3f00681ef2970617e4b

SHA1
8152aa18afbacf398b92168995ec8696d3fe3659

SHA256
f938bdc741ef1d2738b532aef001a160e3a3627ed8a27158b7017ee49fc65791

SHA512
f89f0f02cda650c138e4ebaef198f0762dfd571ef7d46a6b3710cd93d76bc52a79055c55afca46128a9a84a795a5cb946ca93c492e07cfb503c9b27d96211e20

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\RWLN.dll

Filesize
258KB

MD5
62e6babff654217f3a58938a9a97fc8b

SHA1
ccc7f593c25d51f7938a5fd58414f4f74359cb25

SHA256
5cad830ca778143ec9367bf6de822aebb6572d5ddbcb9d69fb988280e2b94f73

SHA512
605ebc7b8c974a2d6f297bcb44ae7493dbe594e4eaff76d7e6819c3c42a96818f23f4ebd28a0df5a82706eca2d5054add499a8e4e29e99b67736f601e9885906

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\Russian.lg

Filesize
48KB

MD5
e44e34bc285b709f08f967325d9c8be1

SHA1
e73f05c6a980ec9d006930c5343955f89579b409

SHA256
1d99a7b5f7b3daa61fa773972b1e335aa09b92411484f6ddc99d2b2894455a5b

SHA512
576b292b6e9cf022822443e050994462a6cbd9a3c60063bae9f54c78a84e75e17bb5eddf7e259a22a9d93f757cb6536c503762e2a30e75091e40c2756cde8727

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe

Filesize
117KB

MD5
1aecdaf48e2bbf4c63ead11606f5f6fc

SHA1
8f17430648c4569f0e0f7ed60188097f810afc28

SHA256
15a981ac6d9f4c7d72b15901d2f1060e4bd0e7f52257f797f4de90fb2bcb91f6

SHA512
edbecc396e885223a3e35847b42acaa4553ddb00810e87afbe76ba4546cc3d292c1023cb5c40c683bd9ef6d1247793f5216d4fe3bf062e8caef67194b3b20241

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe

Filesize
74KB

MD5
774df5a60f16662a34636a07de840a88

SHA1
b0a4766f42b97cc676a173ee36615af14d0023fe

SHA256
a3a8e2aa6d20bfa47431c5a1137fee4e408f99c5144baaa7a4b2b8b04c3619b8

SHA512
67922887c56ef7a65bb1a9f8557965842ed9158dc5c9ddc161e95183a66a72fac4927ea56a4b6fc8cde35df8c71554d95ca7ead93bb33bf597c83ae1a3d29dcb

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe

Filesize
123KB

MD5
4158f715b50d79618ed8863aec0eb83e

SHA1
ac28a18e51bb86ea496be01eacbb64c092c2a25a

SHA256
0f089b1c4ae0045238683b037065430901f107539e4aef64fc26cbe5d55be05a

SHA512
7b1f30e6fb66ea960c7e435322cf762a8b02335c8c3fc83492073fac5caba6ced7bc2ed9c0419537d14760cb47ce847a4decf0aaa48721cabdbfdccbbf7ac958

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe

Filesize
113KB

MD5
5e6c28992fec06985046c900e0a8e009

SHA1
1df9292dcfc18e6fbf763b91666b856127f7a495

SHA256
b86130f11da1d19d2a39bd6f650c5a3fdfc198d82b874d70d45752a5ff3b1e95

SHA512
b4d8aedfe629524a9b1bd9013e6df0b4fc1c8a7843d3776269947ff42d67f299abc49cf4656a031038751501ca9ce08f353028c527cad1fef6e70e78539bb353

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe

Filesize
109KB

MD5
536769f9e6e173ca0577e7355c362197

SHA1
554505548e1c701083ff32fea1d563b3ce592cd1

SHA256
24db4c86a64be99b2418df960afd704e59f18f18b7042167bd100598867fab3b

SHA512
cb65f4e86d6d535b32f0880e692fcc8b6eb4ec72c7372d0f6f3bcc2638faa98747cb5a51d1c646cbdf7969cbeace0275d19a21ca5f129d39b25e4b6e5ff8a511

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe

Filesize
91KB

MD5
1339481565e32a9a9f8e83eb22f50dfb

SHA1
b49aba71f00406bdaaa42a0bcab259252c075413

SHA256
24b153b2f6a60b98bfb7aa1640bdb4a2a8523dcc9070ab0ec50e93434f71150a

SHA512
a275801d4476fddc5689f7e051e0e89e1bee8b6cec66438418c07effbf38c017cb392be6936a3366a5ecd310ec147326410d48c6547428d946f42a132b7f0524

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe

Filesize
248KB

MD5
356cc795d2a850d8e26629b2b0e84d6f

SHA1
056e4f03ec28b60a2e9799c26f644fb42f2b40b4

SHA256
2131eab598112b67384da984c44c462db6059ae456e4c90208a912671566afe1

SHA512
03bc8d6e7e1b67bf1c17a8ee74e883f97e9a4c9011595857a568d4702fdfa6d6d0b82ce30d716b954a61b24ab63ef4bb9a70c5f351f01bf6204bd9b11a20263a

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe

Filesize
225KB

MD5
9c6caa42164b484494ff941f589290b3

SHA1
7132bf4b3bfef10fdc979125e353661729c96bfa

SHA256
1caa92699b95c9193e479c446a9420b2b7ecca7fe79eeb712363cb66ea14a991

SHA512
abe4781bd0a61921364238eb9c30550ecfaa84857685d16e2adb509a1663bb8417ef5dda49a78865b93cf7d77c49e96c7d3aa3082ef9e2628b9d41d3bab41d7e

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe

Filesize
132KB

MD5
ecb8de7b8f4fe8b95f752c8578bfd8e4

SHA1
bfa453ca7b996f2928b1c25bd010a3c89798a86d

SHA256
dc970f7dca925e550bad8c363c10b86c39cf34cc63bc4e8afb23f75c6b1d16c2

SHA512
24a601642aaa7b29b581bdadb9cc0660f49a123ec3cda9408f75262fccdd42a89d882cba7437277bbe092e175d81590ff030987d8f188af38f45bc479574a476

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\vp8decoder.dll

Filesize
89KB

MD5
6d421e40e6b592d84ea972927fd451eb

SHA1
83dcb2df3b43709fedc0c1ac986bc6e35e2b549c

SHA256
1ec1b98eb88e679cb333f4a7bd06afea6a4db4f0d28c38e2f671d6e9947bde14

SHA512
777d0dcf76a1c8269a7ce4abf00d4bedcaee5b897a2d795aeb480c45f552acba862a87942324421270fc6a082d5df5378298f9fd8f464b39c93c3589d6b83090

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\vp8encoder.dll

Filesize
194KB

MD5
3e3edbb325fe099a6935fa0f2e025b33

SHA1
122bd56892f2788309b547d93295809197ea635f

SHA256
8fe4118f92d20b5486fda14ef39ecdaabcabc91f2d3e162f40129d45b31ae8df

SHA512
7cd434461e3aaa3594e2bb0e341bf15e1c676bc80d6579207a445cf0d7da3d358ac0395ffdc471926d61f18b70e816d0b53e8443475e8790aae5452bc8a8bdac

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\webmmux.dll

Filesize
113KB

MD5
c98ea2dec75baaaed31e39a5c78769b2

SHA1
9857c9a72dae512c0916417701bde9757657dc41

SHA256
847f4abd50c5dff06e489c341dd59c43608d8ff3a65b02476460b47a0439b486

SHA512
401b9375ff2a407397ac3f81baa010c8ea6fea3dd321c0cbc6876e404d482f0499534e7553bc146dfb66271eef5446fcf35bc6327834d97dcff2375a91f88e31

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\webmvorbisdecoder.dll

Filesize
82KB

MD5
c930f55bbdb003625b2d8b7cfadc1c5b

SHA1
4846dab3ae170d98d2f389cece3ac18e2fe576fc

SHA256
081517aeeef295f9493391215afd65d711572123ce580b90065dc59a10a63709

SHA512
201a290ccd177f503538a699dff95717e824a1e440409480f54d0cb9e4c90d77993f8125eefa16e5f5318d52e0dd70dc801a34081e37140c6261569d42c35127

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\webmvorbisencoder.dll

Filesize
175KB

MD5
7cce91848a56a6f5620b482d2b2ff0b6

SHA1
d0c1a3494b924f5a4cac7b48d4721aa6a69e897d

SHA256
efdd93624c04e16160b4f80e919fd015baf945423d953dc4e19aca23376206d0

SHA512
9a963ff39b571dc211873e2586d4d95a282500e9cb957de56c37beb07ba9fa8e264fa34e2f4cdcea989ed7e21a80b69f23c2b33445232de0eb0e0996e8d75567

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer.exe

Filesize
383KB

MD5
eafbe737e565c8cc4d90326772f347b6

SHA1
536adbc9755950c4fe5b36013e1aa71da0358a69

SHA256
01ff9d6bbb697470373ddae7e921b6d3a5e3c5318e616630a8954d5b094deb7e

SHA512
d5ba85bb499cb283eeba6bb790772e0aba33cf76eecce24b9fc9d1e5016d0a1d8d23e42e1c084f1980547b0b772ea3d1a92db23784881a87db7555cce9830b3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer.exe

Filesize
365KB

MD5
940d8f384aff3809112533ea04254ce9

SHA1
39abd3ae1e6ea49a11ba114ff12dd28418788e72

SHA256
ea21da4b7aee4c8f49eeea06ff7e57278e866c56c228697396ec7eb498c8f544

SHA512
47901083d4e11c9655a9186fc16dd7369f465475a08ffc1df4444ef2e470cddb3b03103a26cc8d6ddc11422fde48e92f603834c3202c2f03eadf74b6a8e383b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer.exe

Filesize
1.8MB

MD5
66a551fec545775923207a364f69b544

SHA1
b8d94c698a33767ec99839afe238827678a5bd42

SHA256
c9714b64de90c40ec894d6f825816a02347dea7c22d7b62f3bb046b7df020a10

SHA512
98f08677968853da46192df9335a63f0d30800e147be778df670397efc22ab15368b557e82cf4d3bbff71e31d4255f68afe016c5f6a51b4af5a9874d8d250fcb

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rms.host6.3.4ru_mod_mod.msi

Filesize
340KB

MD5
3ebd63302029813cd5b1152945cdad66

SHA1
52657c25670905c5c6a001581589dda12d3d7362

SHA256
6e5985f6aba907c6f197ba8716a852994cbefae97e05ad285f9f1c67c15c82e4

SHA512
d046dc9d7e3e843efd6b5e57e865adc81ee497e7cfb734573e58abc0007631883f7cc873ddd2d2f6d812a059e294a67645a78d44016bab2938ec4a360309aa16

Download Submit
C:\Users\Admin\AppData\Local\Temp\killself.bat

Filesize
417B

MD5
2fe7ba7d9103012d8593f220508eaf6a

SHA1
fce4c84da7d0d97b46d494b15acbcd992b04f06a

SHA256
874044e21f5b7c8a7a2286f1a5c61693515153e73c019451f32a0df1bb910708

SHA512
9fb05799d464f26097c84d4b6dbb18de6de360f62a4373849fc6c7bc7348dc0738f702bcd3dbfa3bde4e1cb9275898ee33eb03706d419d2029a4a8fd3f983678

Download Submit
C:\Windows\Installer\MSID7E1.tmp

Filesize
35KB

MD5
e5ffc79d9567e62682886e84f3c2858d

SHA1
8aa3ee2e507ef482786a915a5cf66af9e8377571

SHA256
6b67ed500c992a1d82d5c136ccbe55891727ca1abee28e525ac04e2ce7630c94

SHA512
cff33682417c936bf045a6ed541fe0d3a8ad5d09d487c06eec0f80c5a5ddcb97d3d003adad32ba4be619c00060963a386bd53bf04c3adf4791abecc8d93424b9

Download Submit
C:\Windows\Installer\MSID7E1.tmp

Filesize
57KB

MD5
b2753a462908cdb43e9c081d09bdea00

SHA1
d85e0f10b6caa1e5bebedc61f8056a0ff832ab5c

SHA256
53e2fcdc1fadcb4632e3ebf33272dd9a0cd3d685f3cf292cd5a8836d990ab8af

SHA512
8c537c6abe183cb779c1666174571e5919eb476ae93b384b1fb7d814c83e3839d9fe21f8740e07e7da1724bc46c42f90147a551916daf2469d4883aa42411a0c

Download Submit
C:\Windows\Installer\e57b42d.msi

Filesize
86KB

MD5
42d2dd21efa3caf838c3b54843526c44

SHA1
88c9a524e8fe4927c5f4be7d7bfeccdf84810365

SHA256
c598394526b702f8614a5ebc0274005f4e33db6ede4421a03e76f4178a683bb3

SHA512
af2085cc23e7ce94ac24775320bcfd699080e38390b15881f5d3315d22ec3867a4219dde03a0fc4469d0433bb2be3f4785beb5d030041a640e7992cbdc7981b5

Download Submit
C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\server_start_C00864331B9D4391A8A26292A601EBE2.exe

Filesize
78KB

MD5
56198d673011fb8833f5c64b5e00a312

SHA1
9b1dc6535d1574e97ec3c128baca9b29b663e452

SHA256
bb3143e53ab847c6f797e6e21170cdef52e82cb69f3d738160a109e2d76d4f0e

SHA512
3e79b13b0e10d06855ebe37eeff420c179ce37cdfd61d7feff4c4901adda4c1ecf2679b3086be8650466f54ada091b6ceb07d9b303ea8c4f27e9c5a5102d3306

Download Submit
memory/1488-107-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/1488-106-0x0000000000C50000-0x0000000000C51000-memory.dmp

Filesize
4KB

Download
memory/2604-104-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/2604-103-0x00000000029A0000-0x00000000029A1000-memory.dmp

Filesize
4KB

Download
memory/3016-134-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/3016-102-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/3016-14-0x00000000028A0000-0x00000000028A1000-memory.dmp

Filesize
4KB

Download
memory/4076-139-0x0000000002880000-0x0000000002881000-memory.dmp

Filesize
4KB

Download
memory/4076-155-0x0000000002880000-0x0000000002881000-memory.dmp

Filesize
4KB

Download
memory/4076-147-0x0000000000400000-0x00000000009A8000-memory.dmp

Filesize
5.7MB

Download
memory/4716-164-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/4716-174-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/4716-195-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/4716-188-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/4716-146-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/4716-184-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/4716-181-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/4716-119-0x00000000013F0000-0x00000000013F1000-memory.dmp

Filesize
4KB

Download
memory/4716-150-0x00000000013F0000-0x00000000013F1000-memory.dmp

Filesize
4KB

Download
memory/4716-159-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/4716-156-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/4932-117-0x0000000002890000-0x0000000002891000-memory.dmp

Filesize
4KB

Download
memory/4932-137-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/4948-145-0x0000000000400000-0x00000000009A8000-memory.dmp

Filesize
5.7MB

Download
memory/4948-144-0x0000000002620000-0x0000000002621000-memory.dmp

Filesize
4KB

Download
memory/5096-138-0x0000000002760000-0x0000000002761000-memory.dmp

Filesize
4KB

Download
memory/5096-158-0x0000000000400000-0x00000000009A8000-memory.dmp

Filesize
5.7MB

Download
memory/5096-153-0x0000000000400000-0x00000000009A8000-memory.dmp

Filesize
5.7MB

Download
memory/5096-166-0x0000000000400000-0x00000000009A8000-memory.dmp

Filesize
5.7MB

Download
memory/5096-149-0x0000000002760000-0x0000000002761000-memory.dmp

Filesize
4KB

Download
memory/5096-176-0x0000000000400000-0x00000000009A8000-memory.dmp

Filesize
5.7MB

Download
memory/5096-148-0x0000000000400000-0x00000000009A8000-memory.dmp

Filesize
5.7MB

Download