rms | a028816d9741540c6184091b4ae3c4e42b104f90fe3b17a55d0e4aa4c4c43824

Analysis

max time kernel
150s
max time network
153s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
09-01-2024 22:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

8.3MB
MD5

73f351beae5c881fafe36f42cde9a47c
SHA1

dc1425cfd5569bd59f5d56432df875b59da9300b
SHA256

a028816d9741540c6184091b4ae3c4e42b104f90fe3b17a55d0e4aa4c4c43824
SHA512

f484b1260e73b3717603cfcfd62e820502480d8be57a7570e6c38612c9ea86b9335c6a42742fbdb369a37fcd5ec4c2b06f426a075582c39639128ad7be92da66
SSDEEP

196608:PdQ5Lq4eAGPJgBDpKLtW0tzHlYd3cvF8m9k/RRZpAp2FG0c+imhtO:P2VqyC8mQ0vxN79kpR40cUO

Score

10^/10

rms discovery rat trojan

Malware Config

Signatures

RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms

Executes dropped EXE 8 IoCs

pid	Process
2688	installer.exe
1776	rutserv.exe
2276	rutserv.exe
3004	rutserv.exe
1936	rutserv.exe
2388	rfusclient.exe
916	rfusclient.exe
2444	rfusclient.exe

Loads dropped DLL 4 IoCs

pid	Process
2304	tmp.exe
2960	MsiExec.exe
1936	rutserv.exe
1936	rutserv.exe

Blocklisted process makes network request 5 IoCs

flow	pid	Process
3	2728	msiexec.exe
5	2728	msiexec.exe
7	2728	msiexec.exe
9	2728	msiexec.exe
11	2728	msiexec.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe

Drops file in Program Files directory 53 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Remote Manipulator System - Host\RIPCServer.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unidrv_rms.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unires_vpd.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\English.lg	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rmsui2.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\vp8decoder.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\srvinst_x64.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\unidrv_rms.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\stdnames_vpd.gpd	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rms_s.lng	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rms.lng	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\EULA.rtf	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\setupdrv.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\install.cmd	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\unires_vpd.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\install.cmd	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\webmvorbisencoder.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\fwproc.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\unidrvui_rms.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\setupdrv.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rmspm.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\VPDAgent.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\VPDAgent_x64.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\progress.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rms.gpd	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\ntprint.inf	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\stdnames_vpd.gpd	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unidrvui_rms.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\ntprint.inf	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\uninstall.cmd	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\webmvorbisdecoder.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\webmmux.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rmspm.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\progress.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rmsui2.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rms_s.lng	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rmsui.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\unidrv_rms.hlp	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\vp8encoder.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\uninstall.cmd	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rms.ini	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\RWLN.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\SampleClient.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\srvinst.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unidrv_rms.hlp	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rms.gpd	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\fwproc.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rms.lng	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rmsui.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Russian.lg	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rms.ini	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	msiexec.exe

Drops file in Windows directory 18 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSI91CE.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI971C.tmp	msiexec.exe
File created	C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\ARPPRODUCTICON.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\server_config_C8E9A92497A149D695F92E4E3AE550F0.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\f765e87.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\f765e84.msi	msiexec.exe
File created	C:\Windows\Installer\f765e87.ipi	msiexec.exe
File created	C:\Windows\Installer\f765e89.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\ARPPRODUCTICON.exe	msiexec.exe
File created	C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\server_config_C8E9A92497A149D695F92E4E3AE550F0.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\server_start_C00864331B9D4391A8A26292A601EBE2.exe	msiexec.exe
File created	C:\Windows\Installer\f765e84.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\UNINST_Uninstall_R_3B1E3C8B7D0945898DA82CEEED02F0C7.exe	msiexec.exe
File created	C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\server_stop_27D7873393984316BEA10FB36BB4D2F9.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\server_stop_27D7873393984316BEA10FB36BB4D2F9.exe	msiexec.exe
File created	C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\server_start_C00864331B9D4391A8A26292A601EBE2.exe	msiexec.exe
File created	C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\UNINST_Uninstall_R_3B1E3C8B7D0945898DA82CEEED02F0C7.exe	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E	msiexec.exe

Modifies registry class 24 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\509B38EF4554FFD4794F292971C81B17	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\SourceList\Net	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\36341E9D66DFD914D99C6C421757C5F9	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\36341E9D66DFD914D99C6C421757C5F9\RMS	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\ProductIcon = "C:\\Windows\\Installer\\{D9E14363-FD66-419D-9DC9-C62471755C9F}\\ARPPRODUCTICON.exe"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\InstanceType = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\AuthorizedLUAApp = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\7ZipSfx.000\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\SourceList\Media\DiskPrompt = "[1]"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\Clients = 3a0000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\SourceList\Media\1 = "DISK1;1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\7ZipSfx.000\\"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\Language = "1049"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\Version = "115998720"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\Assignment = "1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\509B38EF4554FFD4794F292971C81B17\36341E9D66DFD914D99C6C421757C5F9	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\SourceList\PackageName = "rms.host6.3ru_mod.msi"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\ProductName = "Remote Manipulator System - Host"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\PackageCode = "EE22CCA5812A64F4CB23B29D2A4A798E"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\AdvertiseFlags = "388"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\SourceList	msiexec.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

pid	Process
2688	installer.exe
2688	installer.exe
2688	installer.exe
2688	installer.exe
2688	installer.exe
2688	installer.exe
2728	msiexec.exe
2728	msiexec.exe
1776	rutserv.exe
1776	rutserv.exe
1776	rutserv.exe
1776	rutserv.exe
2276	rutserv.exe
2276	rutserv.exe
3004	rutserv.exe
3004	rutserv.exe
1936	rutserv.exe
1936	rutserv.exe
1936	rutserv.exe
1936	rutserv.exe
2388	rfusclient.exe

Suspicious behavior: SetClipboardViewer 1 IoCs

pid	Process
2444	rfusclient.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2904	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2904	msiexec.exe
Token: SeRestorePrivilege	2728	msiexec.exe
Token: SeTakeOwnershipPrivilege	2728	msiexec.exe
Token: SeSecurityPrivilege	2728	msiexec.exe
Token: SeCreateTokenPrivilege	2904	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2904	msiexec.exe
Token: SeLockMemoryPrivilege	2904	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2904	msiexec.exe
Token: SeMachineAccountPrivilege	2904	msiexec.exe
Token: SeTcbPrivilege	2904	msiexec.exe
Token: SeSecurityPrivilege	2904	msiexec.exe
Token: SeTakeOwnershipPrivilege	2904	msiexec.exe
Token: SeLoadDriverPrivilege	2904	msiexec.exe
Token: SeSystemProfilePrivilege	2904	msiexec.exe
Token: SeSystemtimePrivilege	2904	msiexec.exe
Token: SeProfSingleProcessPrivilege	2904	msiexec.exe
Token: SeIncBasePriorityPrivilege	2904	msiexec.exe
Token: SeCreatePagefilePrivilege	2904	msiexec.exe
Token: SeCreatePermanentPrivilege	2904	msiexec.exe
Token: SeBackupPrivilege	2904	msiexec.exe
Token: SeRestorePrivilege	2904	msiexec.exe
Token: SeShutdownPrivilege	2904	msiexec.exe
Token: SeDebugPrivilege	2904	msiexec.exe
Token: SeAuditPrivilege	2904	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2904	msiexec.exe
Token: SeChangeNotifyPrivilege	2904	msiexec.exe
Token: SeRemoteShutdownPrivilege	2904	msiexec.exe
Token: SeUndockPrivilege	2904	msiexec.exe
Token: SeSyncAgentPrivilege	2904	msiexec.exe
Token: SeEnableDelegationPrivilege	2904	msiexec.exe
Token: SeManageVolumePrivilege	2904	msiexec.exe
Token: SeImpersonatePrivilege	2904	msiexec.exe
Token: SeCreateGlobalPrivilege	2904	msiexec.exe
Token: SeRestorePrivilege	2728	msiexec.exe
Token: SeTakeOwnershipPrivilege	2728	msiexec.exe
Token: SeRestorePrivilege	2728	msiexec.exe
Token: SeTakeOwnershipPrivilege	2728	msiexec.exe
Token: SeRestorePrivilege	2728	msiexec.exe
Token: SeTakeOwnershipPrivilege	2728	msiexec.exe
Token: SeRestorePrivilege	2728	msiexec.exe
Token: SeTakeOwnershipPrivilege	2728	msiexec.exe
Token: SeRestorePrivilege	2728	msiexec.exe
Token: SeTakeOwnershipPrivilege	2728	msiexec.exe
Token: SeRestorePrivilege	2728	msiexec.exe
Token: SeTakeOwnershipPrivilege	2728	msiexec.exe
Token: SeRestorePrivilege	2728	msiexec.exe
Token: SeTakeOwnershipPrivilege	2728	msiexec.exe
Token: SeRestorePrivilege	2728	msiexec.exe
Token: SeTakeOwnershipPrivilege	2728	msiexec.exe
Token: SeRestorePrivilege	2728	msiexec.exe
Token: SeTakeOwnershipPrivilege	2728	msiexec.exe
Token: SeRestorePrivilege	2728	msiexec.exe
Token: SeTakeOwnershipPrivilege	2728	msiexec.exe
Token: SeRestorePrivilege	2728	msiexec.exe
Token: SeTakeOwnershipPrivilege	2728	msiexec.exe
Token: SeRestorePrivilege	2728	msiexec.exe
Token: SeTakeOwnershipPrivilege	2728	msiexec.exe
Token: SeRestorePrivilege	2728	msiexec.exe
Token: SeTakeOwnershipPrivilege	2728	msiexec.exe
Token: SeRestorePrivilege	2728	msiexec.exe
Token: SeTakeOwnershipPrivilege	2728	msiexec.exe
Token: SeRestorePrivilege	2728	msiexec.exe
Token: SeTakeOwnershipPrivilege	2728	msiexec.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2688	installer.exe
1776	rutserv.exe
2276	rutserv.exe
3004	rutserv.exe
1936	rutserv.exe

Suspicious use of WriteProcessMemory 49 IoCs

description	pid	Process	procid_target
PID 2304 wrote to memory of 2688	2304	tmp.exe	28
PID 2304 wrote to memory of 2688	2304	tmp.exe	28
PID 2304 wrote to memory of 2688	2304	tmp.exe	28
PID 2304 wrote to memory of 2688	2304	tmp.exe	28
PID 2304 wrote to memory of 2688	2304	tmp.exe	28
PID 2304 wrote to memory of 2688	2304	tmp.exe	28
PID 2304 wrote to memory of 2688	2304	tmp.exe	28
PID 2688 wrote to memory of 2904	2688	installer.exe	29
PID 2688 wrote to memory of 2904	2688	installer.exe	29
PID 2688 wrote to memory of 2904	2688	installer.exe	29
PID 2688 wrote to memory of 2904	2688	installer.exe	29
PID 2688 wrote to memory of 2904	2688	installer.exe	29
PID 2688 wrote to memory of 2904	2688	installer.exe	29
PID 2688 wrote to memory of 2904	2688	installer.exe	29
PID 2728 wrote to memory of 2960	2728	msiexec.exe	31
PID 2728 wrote to memory of 2960	2728	msiexec.exe	31
PID 2728 wrote to memory of 2960	2728	msiexec.exe	31
PID 2728 wrote to memory of 2960	2728	msiexec.exe	31
PID 2728 wrote to memory of 2960	2728	msiexec.exe	31
PID 2728 wrote to memory of 2960	2728	msiexec.exe	31
PID 2728 wrote to memory of 2960	2728	msiexec.exe	31
PID 2728 wrote to memory of 1776	2728	msiexec.exe	32
PID 2728 wrote to memory of 1776	2728	msiexec.exe	32
PID 2728 wrote to memory of 1776	2728	msiexec.exe	32
PID 2728 wrote to memory of 1776	2728	msiexec.exe	32
PID 2728 wrote to memory of 2276	2728	msiexec.exe	33
PID 2728 wrote to memory of 2276	2728	msiexec.exe	33
PID 2728 wrote to memory of 2276	2728	msiexec.exe	33
PID 2728 wrote to memory of 2276	2728	msiexec.exe	33
PID 2728 wrote to memory of 3004	2728	msiexec.exe	39
PID 2728 wrote to memory of 3004	2728	msiexec.exe	39
PID 2728 wrote to memory of 3004	2728	msiexec.exe	39
PID 2728 wrote to memory of 3004	2728	msiexec.exe	39
PID 2688 wrote to memory of 2244	2688	installer.exe	35
PID 2688 wrote to memory of 2244	2688	installer.exe	35
PID 2688 wrote to memory of 2244	2688	installer.exe	35
PID 2688 wrote to memory of 2244	2688	installer.exe	35
PID 1936 wrote to memory of 2388	1936	rutserv.exe	37
PID 1936 wrote to memory of 916	1936	rutserv.exe	36
PID 1936 wrote to memory of 916	1936	rutserv.exe	36
PID 1936 wrote to memory of 2388	1936	rutserv.exe	37
PID 1936 wrote to memory of 916	1936	rutserv.exe	36
PID 1936 wrote to memory of 2388	1936	rutserv.exe	37
PID 1936 wrote to memory of 916	1936	rutserv.exe	36
PID 1936 wrote to memory of 2388	1936	rutserv.exe	37
PID 2388 wrote to memory of 2444	2388	rfusclient.exe	40
PID 2388 wrote to memory of 2444	2388	rfusclient.exe	40
PID 2388 wrote to memory of 2444	2388	rfusclient.exe	40
PID 2388 wrote to memory of 2444	2388	rfusclient.exe	40

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2304
- C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer.exe
  "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer.exe" /rsetup
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2688
- - C:\Windows\SysWOW64\msiexec.exe
    "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rms.host6.3ru_mod.msi" /qn
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2904
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\killself.bat
    3⤵
    PID:2244

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2728
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 995324DFFC47B62796AD1B76F4A17C27
  2⤵
  - Loads dropped DLL
  PID:2960
- C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
  "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" /silentinstall
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1776
- C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
  "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" /firewall
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2276
- C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
  "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" /start
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:3004

C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe
"C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe" /tray
1⤵
- Executes dropped EXE
PID:916

C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe
"C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2388
- C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe
  "C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe" /tray
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: SetClipboardViewer
  PID:2444

C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
"C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f765e88.rbs

Filesize
19KB

MD5
424a3933d609cc83ff47ea610d4c396f

SHA1
e0d335d29262d6bb610736bf22a6b625a98d1e44

SHA256
ec8642c5540583d48fc2aff26dfa8542de01034894fe827f7b2aa1d9b27be710

SHA512
0a5d2b9a3481bc2feb831934cc71c892321035d9d8162a9ad11637b20fc4a008d0666b75b55534e3961e14bc599dd72eeffd43c758184f17a3bf60c820038d14

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\English.lg

Filesize
43KB

MD5
bc25377ade68750b834c81fa71c233b8

SHA1
84dbb465dd2125f47668e2508e18af9bd6db2fd8

SHA256
9a48a7ea7ba2c2f33280d1e1722ebbc59bf81bc6c5a1f97edca53ea641ffd8e3

SHA512
205ab195339d7108adbe6dfabd48e4e21c5956ded587d7213a44618f0d34a43f7b8abaa7765b9d31695efacfc44beeb69fbaa3cb27c141b6a653713fdf5ebce5

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\RIPCServer.dll

Filesize
144KB

MD5
2ddfa39f5c2fd3f00681ef2970617e4b

SHA1
8152aa18afbacf398b92168995ec8696d3fe3659

SHA256
f938bdc741ef1d2738b532aef001a160e3a3627ed8a27158b7017ee49fc65791

SHA512
f89f0f02cda650c138e4ebaef198f0762dfd571ef7d46a6b3710cd93d76bc52a79055c55afca46128a9a84a795a5cb946ca93c492e07cfb503c9b27d96211e20

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\RWLN.dll

Filesize
975KB

MD5
3d0b27b3f8aa22575aa0faf0b2d67216

SHA1
39fc787538849692ed7352418616f467b7a86a1d

SHA256
d7782488ef29bf0fd7e8faf0bd24414a6540bf7366434692a5a485d5ae2d7d44

SHA512
19f0785d3cecce0dbbb7da1be640bffebe4daedc65a513d1db0b5e533eb96aaa0588831de74c88e5013c00405e03ca4188c4b633e39e6c49ab5c1d1b42191ca8

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\Russian.lg

Filesize
48KB

MD5
e44e34bc285b709f08f967325d9c8be1

SHA1
e73f05c6a980ec9d006930c5343955f89579b409

SHA256
1d99a7b5f7b3daa61fa773972b1e335aa09b92411484f6ddc99d2b2894455a5b

SHA512
576b292b6e9cf022822443e050994462a6cbd9a3c60063bae9f54c78a84e75e17bb5eddf7e259a22a9d93f757cb6536c503762e2a30e75091e40c2756cde8727

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe

Filesize
1.9MB

MD5
589cd3e008afa1048322e7e9cadd68b5

SHA1
5fc46032775dc9fb242cf70336b0d1c4eba617f2

SHA256
cb8a50ff9c94fbe1eb3d80d0f75649cea13e22ef04456351ee8841b6745a755b

SHA512
accd0365c65500469470c7529ea610c2780102fe5b483092a9ec52c0adc786790ce6336c9a30d174d19f4daccd21c1f0ca86fcb0ad46faf4d6669b0aae801012

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe

Filesize
3.1MB

MD5
84da4c9a0438bbe4ad4091a74af91c6b

SHA1
2907ddf2d161a2c967ec738309118e11f282ca9e

SHA256
2ab817e01c8082ab8422a8225c040ea3b4d59b7a72e7913192e04a42fee28d84

SHA512
73d8740b772739eaa1dfc8579461b4cd6fae8d4c6922210def257d5b7bdb8b3e886fc4accc3d4a102e1c94a8a4bba74145950f4d964fa1e0846d760ef9b31d88

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe

Filesize
3.4MB

MD5
6b51d080c312a3fc79e43aefe9597c2b

SHA1
389131582e4058f5b4187d344b6f143a16ffb2bf

SHA256
6b2ed5b33c3f2526e85bdb54c69e684a65f5d886fe19a7e6e6df647eb91b1d48

SHA512
ce55f182c02b5af9966e30927bb930188dc158307b9a0a283da5fc79a14d313b0dec24282a6b558d1b282b2e555a29364d7cc33d7354529b2519eb894ecaa8f6

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe

Filesize
4.9MB

MD5
e471fc90e83368a410477a5d1cfa5d88

SHA1
be3977b0ff5d90bddbb32e5a20914afdaa5f9da6

SHA256
883150ca1ecb71563509535d071a2859abdc0608aae05638e3a6e895562a37ad

SHA512
04dabf53cbd7aa8e092dc691eaf6bbb8370315e9db7d0552917cf4329ebd8b56be00517168885b7f6eece593de63b0a1f42345c3c01b219d0b8e7f95d35d2e7f

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe

Filesize
4.9MB

MD5
2e0ab45d152cd420af1a88a078fa6029

SHA1
96789cb8742a0179f9ddfe72b7ddfd6ac143765a

SHA256
90bc1379a3ac83d0d9eaf83a64cc36a10aedffc63cd4a67e9f52b3220144bc58

SHA512
8894897269881b4f20e158da73321106387ebfc748bfb167d2558add7b7ed3b685a77ff9aa38b8dac2a9f1e11f5d97c6b1efcbee4f9543bc5c69e52c110a4daa

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe

Filesize
4.5MB

MD5
e78e641ffcdd96ad4479e922d553a5fa

SHA1
9c11cab83ccf45b12f414b9940eb1e2e13a88947

SHA256
1236e5598b9f9ab7de96394f41b8e734290936fad0391b75b442378519345c64

SHA512
3facde19fade2f21c9d21f80e825fb0c3fc414c05a9183a3849cd2a6d9619b0b090cecad2d6564948908055e42563091cc29b273d6474ba984e0f1c939a061bb

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe

Filesize
4.4MB

MD5
52a6c83e0c42bce83244e33f869e5afa

SHA1
0356c282cdbdfd3474ed7a777e9a52df88254e13

SHA256
d555eb563adc72ba723f894393d67022726e521bbbfcafe908c8cab2e6eb43d0

SHA512
18993525a166f0bb586e1f97c31f26e5c6a14813113b4bfa97e442da60a0ab7aff0939ca805abebf72184229bf8625838259d29023a820a8691f77b491cbee41

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\vp8decoder.dll

Filesize
378KB

MD5
292a1748850d1fdc91d4ec23b02d6902

SHA1
8f15f1c24e11c0b45b19c82a78f7b79b1e7f932d

SHA256
acf354ad6ed94e876b29a60c5870dd91e7b3f76cc82c1a862c92024a12404a9f

SHA512
cf7579f1169ec21d9bf3c666d416d3fe2a4f9953d4d328b182452e40043f91055d301fd4b4a21454b847dbdb0af6a61c52657caded7d6fd7e88812aceeacf704

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\vp8encoder.dll

Filesize
1.6MB

MD5
4570f7a40357016c97afe0dd4faf749b

SHA1
ebc8a1660f1103c655559caab3a70ec23ca187f1

SHA256
a5f008bf852d4c73e001f840d6f8b233c7d9bc9570cee639d40c1c8723bf99f8

SHA512
6b16979d004adc04259f2ce043cde6f7b57f2ddf5f4cea7bb390fd6b9fb273d22355b837f1b5c2eae77ea7df792de8e6db43e31d7246f044935a8187dace493b

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\webmmux.dll

Filesize
258KB

MD5
038bf9f3a58560ad1130eeb85cdc1a87

SHA1
3571eb7293a2a3a5bf6eb21e1569cd151d995d1a

SHA256
d247afa3bd1ccc18e11eb099280802a61d3792a2018c476d95debf2091e9707d

SHA512
8ffa52b358841600b9122974079d22d4e11bc4214316cd85ac4d4af0e369112b6827029f74a9a9d3918db00c7fed3a9a1985e0b43da39783a748d78752ae2385

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\webmvorbisdecoder.dll

Filesize
363KB

MD5
eeb2c52abbc7eb1c029b7fec45a7f22e

SHA1
8bfeb412614e3db0a2bf0122f4d68cc27b8c3a61

SHA256
c0f0b84d587066af8f80f41a7be63b4c01547af3f1e011602ac1b6ee0ac54a2c

SHA512
0b5b83335c6f602b8397a3c2ae6d1e661d744eb27114463d53e344bf18774ccb38853d314ebe05536d4c28c29fe3fdaba041a6a46983789f064ca70881cfcb85

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\webmvorbisencoder.dll

Filesize
858KB

MD5
e38372f576d927f525ef8e1a34b54664

SHA1
26af9d1db0a3f91d7fe13147e55f06c302d59389

SHA256
4046bd0b93909a41d0fd96f0405a864c79a47f493165546569251c1f73db6b0b

SHA512
78b7477b000407990304ec37624b873514d4ed9daa1b42fd988707b7374ffab442ba28fe19884724867f3f0f7a5f12f7fc8c228c050115c902d1569e4a3b13c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer.exe

Filesize
6.0MB

MD5
c9704931d887685d96ce92d637d84045

SHA1
0875a71e9118ded121d92f3f46a3af1ec8380f8b

SHA256
0448c45cb43585409002e01ef53442cb9f6ad58f211f5deb3ad2ca8b8d535826

SHA512
3b739394f69ec9f26ef607a0d481f1ad3d107462220c2281cbc300f16886ab3d857bee9af59b8857c7e7ae5b04e6a849eaa5e304d6935957a0a15e462375c260

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rms.host6.3ru_mod.msi

Filesize
7.4MB

MD5
73e578a44265558d3ace212869d43cbb

SHA1
d2c15578def8996ed0ae4a44754055b774b095a7

SHA256
8a6945ead42d78d963d6f2e126eebb89c0e82b02c389d4badcaa837ff49bf7f4

SHA512
fe661e19899a6f749a180e5b312fcebb2963acc92720d1c6cabba22b0ffd250f1930c9dac62f789cd4b99aff86ef0f3944ae52a583e2c1be57c9fca391be9bf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab601C.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar603E.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\killself.bat

Filesize
411B

MD5
c2ac85b000427a4a00f19da237aaaf86

SHA1
459ecb5e64576348e6c654724e87825772c06ea8

SHA256
b5157eceaf9b5f6448d15dcfe7011af0b44a4288f7667c5d717f042c2fba1352

SHA512
e62f711445398b0654e698c4f7d4c75bb8693e901ae99f1cf543f45ccd9532daf27bba1ceb9d180d0379a41c9a62d6ee2df30cd25b9abb05532c551a0fad814b

Download Submit
C:\Windows\Installer\f765e84.msi

Filesize
4.4MB

MD5
94f142aba3377ffd89ddbdb65f12465c

SHA1
bc10b70bab4a594d17fb9073f18bf9295cbca0b5

SHA256
f394990674572eaf12b8724a79a10ffdc9dcd6bf46ae911dc1b416775df8a257

SHA512
8fb4c2689146bcbc08e87537194ec7479d332cbefda6d76c58d1ca443cbabd3b56175d1343ef25c38ed3c91cab1054d974e0e8b3057f1f81c7c847cc3684e751

Download Submit
C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\server_start_C00864331B9D4391A8A26292A601EBE2.exe

Filesize
96KB

MD5
9e2c097647125ee25068784acb01d7d3

SHA1
1a90c40c7f89eec18f47f0dae3f1d5cd3a3d49b5

SHA256
b4614281771ed482970fd0d091604b3a65c7e048f7d7fa8794abd0a0c638f5d2

SHA512
e2f334f31361ea1ffc206184808cb51002486fe583dc23b4f617bead0e3940fdc97b72cda2a971e2cf00462940b31e065228f643835d156e7166e8803e3181f1

Download Submit
\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe

Filesize
2.9MB

MD5
39dc2e29037bbd0146434bba7987092a

SHA1
35cfb90bf31741b173e9dbd2a662dc91f0bf0723

SHA256
b3d4ea7587f94957fc3c28ab1ad8744e63c92f45f5156c33e8c101cca456aafd

SHA512
f6d618a8fe656271eeae7ea0f048890fd8aa4c953974c7e4919a1be2dfe5fca00ed844fef8319d630cf0818d4398631ed25500eb8587cdfb82a9bf8d4f183983

Download Submit
\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe

Filesize
2.8MB

MD5
6078b1a8b9de48a3fa7e15e6f39d9f11

SHA1
b1008f79f8a4e5d634a0953b736474fa6e64286d

SHA256
4858174746e537b26f8fd5314bde537ca2f2c136ac7e6248f1b2efc99749b41d

SHA512
96aa63562603120a362f9457a29ed7f0ad9ea058675f0d53e0a2e43972124e85e5a4590067ad204685e78b6a908f8b0171a3dccddd419f3d6a8ec1860b8f0134

Download Submit
\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer.exe

Filesize
5.2MB

MD5
562590f3bb6090c18b189b2d874cf6f8

SHA1
c482461b5c939184f6c5b6b3044fbbe289c00811

SHA256
b96b3dff02d2f533c9fe528630af5e83b1ca053cf50b18d2b9441d6cce975edf

SHA512
c1767d717ee957dd647100812ea905cefc1843e00d7900f5a07472b39ea7cb6f552c784fc82129e7184ff974921231dee57a4b3a24ed45be31f10da74c0afce9

Download Submit
\Windows\Installer\MSI91CE.tmp

Filesize
125KB

MD5
b0bcc622f1fff0eec99e487fa1a4ddd9

SHA1
49aa392454bd5869fa23794196aedc38e8eea6f5

SHA256
b32687eaaad888410718875dcbff9f6a552e29c4d76af33e06e59859e1054081

SHA512
1572c1d07df2e9262d05a915d69ec4ebeb92eab50b89ce27dd290fb5a8e1de2c97d9320a3bb006834c98b3f6afcd7d2c29f039d9ca9afaa09c714406dedbc3c7

Download Submit
memory/916-206-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/916-203-0x0000000000400000-0x00000000009A8000-memory.dmp

Filesize
5.7MB

Download
memory/916-199-0x0000000000400000-0x00000000009A8000-memory.dmp

Filesize
5.7MB

Download
memory/916-209-0x0000000000400000-0x00000000009A8000-memory.dmp

Filesize
5.7MB

Download
memory/916-190-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/916-217-0x0000000000400000-0x00000000009A8000-memory.dmp

Filesize
5.7MB

Download
memory/916-224-0x0000000000400000-0x00000000009A8000-memory.dmp

Filesize
5.7MB

Download
memory/1776-146-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/1776-144-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/1936-200-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1936-207-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/1936-218-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/1936-243-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/1936-229-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/1936-215-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/1936-197-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/1936-222-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/1936-239-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/1936-172-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1936-236-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/2276-148-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2276-149-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/2388-189-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/2388-204-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/2388-198-0x0000000000400000-0x00000000009A8000-memory.dmp

Filesize
5.7MB

Download
memory/2444-196-0x0000000000400000-0x00000000009A8000-memory.dmp

Filesize
5.7MB

Download
memory/2444-195-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2688-170-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2688-9-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2688-54-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/2688-171-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/3004-159-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/3004-188-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download