rms | a081a0418491a5c5ef0d8a5cde2fc0617ffc0c4a62b88d18e2f2557b50e1fbab

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
26-01-2024 11:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bb4b88da25e06b8daf7cd814f772849f0e28a1c8eba92b67477a31bce5636309.exe
Size

21.0MB
MD5

4747b6f3d7f498abdc341e2fa7441685
SHA1

c7eeafa51d7834a1a18ebeb552693b6f9e6a1340
SHA256

a081a0418491a5c5ef0d8a5cde2fc0617ffc0c4a62b88d18e2f2557b50e1fbab
SHA512

352635157ac33b93438aeda53a38ec290533e3d4515a6a122d8b79f2213c6afed1421710379627261f8ab8d22f08517267e8abed0829b890176b27320ceb7214
SSDEEP

393216:1FHWNZQ7v3RvjnbdV8l5DdkM9lUXFLMVp:1FZZvjnRODYVmp

Score

10^/10

rms rat trojan

Malware Config

Signatures

RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

bb4b88da25e06b8daf7cd814f772849f0e28a1c8eba92b67477a31bce5636309.exerfusclient.exerutserv.exerfusclient.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	bb4b88da25e06b8daf7cd814f772849f0e28a1c8eba92b67477a31bce5636309.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	rfusclient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	rutserv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	rfusclient.exe

Executes dropped EXE 4 IoCs

Processes:

rfusclient.exerutserv.exerutserv.exerfusclient.exe

pid	Process
2928	rfusclient.exe
2684	rutserv.exe
3960	rutserv.exe
4804	rfusclient.exe

Loads dropped DLL 4 IoCs

Processes:

rutserv.exerutserv.exe

pid	Process
2684	rutserv.exe
2684	rutserv.exe
3960	rutserv.exe
3960	rutserv.exe

Drops file in System32 directory 8 IoCs

Processes:

rutserv.exe

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content	rutserv.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8890A77645B73478F5B1DED18ACBF795_C090A8C88B266C6FF99A97210E92B44D	rutserv.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DA3B6E45325D5FFF28CF6BAD6065C907_09E960F015FF4A8F16C13B5E9BAAA43F	rutserv.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\DA3B6E45325D5FFF28CF6BAD6065C907_09E960F015FF4A8F16C13B5E9BAAA43F	rutserv.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft	rutserv.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache	rutserv.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData	rutserv.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8890A77645B73478F5B1DED18ACBF795_C090A8C88B266C6FF99A97210E92B44D	rutserv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 45 IoCs

Processes:

rutserv.exe

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	rutserv.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\NetworkExplorer.dll,-1 = "Network"	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	rutserv.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\ieframe.dll,-5723 = "The Internet"	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	rutserv.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\prnfldr.dll,-8036 = "Printers"	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	rutserv.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\windows.storage.dll,-9216 = "This PC"	rutserv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	rutserv.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

rutserv.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	rutserv.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	rutserv.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 5c000000010000000400000000080000190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc36200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8040000000100000010000000d474de575c39b2d39c8583c5c065498a2000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	rutserv.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

rfusclient.exerutserv.exerutserv.exerfusclient.exe

pid	Process
2928	rfusclient.exe
2928	rfusclient.exe
2684	rutserv.exe
2684	rutserv.exe
2684	rutserv.exe
2684	rutserv.exe
2684	rutserv.exe
2684	rutserv.exe
2684	rutserv.exe
2684	rutserv.exe
3960	rutserv.exe
3960	rutserv.exe
3960	rutserv.exe
3960	rutserv.exe
3960	rutserv.exe
3960	rutserv.exe
3960	rutserv.exe
3960	rutserv.exe
4804	rfusclient.exe
4804	rfusclient.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

rutserv.exerutserv.exe

description	pid	Process
Token: SeDebugPrivilege	2684	rutserv.exe
Token: SeTakeOwnershipPrivilege	3960	rutserv.exe
Token: SeTcbPrivilege	3960	rutserv.exe
Token: SeTcbPrivilege	3960	rutserv.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

rfusclient.exe

pid	Process
4804	rfusclient.exe
4804	rfusclient.exe
4804	rfusclient.exe

Suspicious use of SendNotifyMessage 3 IoCs

Processes:

rfusclient.exe

pid	Process
4804	rfusclient.exe
4804	rfusclient.exe
4804	rfusclient.exe

Suspicious use of SetWindowsHookEx 9 IoCs

Processes:

rutserv.exerutserv.exe

pid	Process
2684	rutserv.exe
2684	rutserv.exe
2684	rutserv.exe
2684	rutserv.exe
3960	rutserv.exe
3960	rutserv.exe
3960	rutserv.exe
3960	rutserv.exe
3960	rutserv.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

bb4b88da25e06b8daf7cd814f772849f0e28a1c8eba92b67477a31bce5636309.exerfusclient.exerutserv.exe

description	pid	Process	procid_target
PID 3508 wrote to memory of 2928	3508	bb4b88da25e06b8daf7cd814f772849f0e28a1c8eba92b67477a31bce5636309.exe	88
PID 3508 wrote to memory of 2928	3508	bb4b88da25e06b8daf7cd814f772849f0e28a1c8eba92b67477a31bce5636309.exe	88
PID 3508 wrote to memory of 2928	3508	bb4b88da25e06b8daf7cd814f772849f0e28a1c8eba92b67477a31bce5636309.exe	88
PID 2928 wrote to memory of 2684	2928	rfusclient.exe	89
PID 2928 wrote to memory of 2684	2928	rfusclient.exe	89
PID 2928 wrote to memory of 2684	2928	rfusclient.exe	89
PID 3960 wrote to memory of 4804	3960	rutserv.exe	97
PID 3960 wrote to memory of 4804	3960	rutserv.exe	97
PID 3960 wrote to memory of 4804	3960	rutserv.exe	97

C:\Users\Admin\AppData\Local\Temp\bb4b88da25e06b8daf7cd814f772849f0e28a1c8eba92b67477a31bce5636309.exe
"C:\Users\Admin\AppData\Local\Temp\bb4b88da25e06b8daf7cd814f772849f0e28a1c8eba92b67477a31bce5636309.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3508
- C:\Users\Admin\AppData\Roaming\Remote Utilities Agent\70120\D668F227D0\rfusclient.exe
  "C:\Users\Admin\AppData\Roaming\Remote Utilities Agent\70120\D668F227D0\rfusclient.exe" -run_agent
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2928
- - C:\Users\Admin\AppData\Roaming\Remote Utilities Agent\70120\D668F227D0\rutserv.exe
    "C:\Users\Admin\AppData\Roaming\Remote Utilities Agent\70120\D668F227D0\rutserv.exe" -run_agent
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2684
  - - C:\Users\Admin\AppData\Roaming\Remote Utilities Agent\70120\D668F227D0\rutserv.exe
      "C:\Users\Admin\AppData\Roaming\Remote Utilities Agent\70120\D668F227D0\rutserv.exe" -run_agent -second
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies data under HKEY_USERS
      Modifies system certificate store
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3960
    - - C:\Users\Admin\AppData\Roaming\Remote Utilities Agent\70120\D668F227D0\rfusclient.exe
        
        "C:\Users\Admin\AppData\Roaming\Remote Utilities Agent\70120\D668F227D0\rfusclient.exe" /tray /user
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Remote Utilities Agent\70120\D668F227D0\EULA.rtf

Filesize
69KB

MD5
e6b99144ea133a583f2964fdaa0c514a

SHA1
a9ab6b4ad60bd60c798e9909be801dad725497de

SHA256
b137e38facdd1cdfc9730856675f4b531366d7af54b605209cb2158a58deb1ef

SHA512
a4f6e9663163e7a85251e129983251698b2c98070d2044f6402804d92779d77e477cb63c703b72a6ea20e19fc0d443a2a4f7fcf9d181a1e0ef0c0276297bf072

Download Submit
C:\Users\Admin\AppData\Roaming\Remote Utilities Agent\70120\D668F227D0\branding.ini

Filesize
310B

MD5
01f121599ac79e08ce8da08e215ba9b4

SHA1
85041d2f778b2aaaab706d48a09cf158dcc58b43

SHA256
32e3de52524fff138e6734b61b12c018808a903dfd8f02d4983aab4396fea338

SHA512
4896c22866b206cc3aaee5d80f1eb628e20d6990727c7aedc56ca89cf970dc524ad64f8fd1936eed3c0ba512472fc4c960c3138a9230c633cc9863b8935bf4a4

Download Submit
C:\Users\Admin\AppData\Roaming\Remote Utilities Agent\70120\D668F227D0\eventmsg.dll

Filesize
51KB

MD5
ca8a4346b37cdd0220792885c5937b30

SHA1
eef05f4b7fb5f8aabfb93d10a6451cc77b489864

SHA256
ccd5b9e5947f956e880bd2285a6091dc9f1ee9b0eb8df627ec4e72b451a1c745

SHA512
c286b0fa9d24a85fe63d3a3d801f135d12409736742c4fc16ba1dc15529df136577dc8975736146437dd56467576fdedb4ac50cf05ab054547504f3dc5ca0c35

Download Submit
C:\Users\Admin\AppData\Roaming\Remote Utilities Agent\70120\D668F227D0\libeay32.dll

Filesize
1.2MB

MD5
2d39e1656213b721b347552189570ed2

SHA1
c57ba54feb3dbd191e475a3d04a5778ec83884c0

SHA256
0c8aa14dd22b6d6e4a53c428d8b054de79855aa061c4edb10854f02a56276f7a

SHA512
ccf8b95b4e4e21d3da442f42939c77e8e083eab48338212a218f94aba04eff5b425d7a864c0d74cf211c8f692540f6f1673c316f0263188c0345d45459a173c6

Download Submit
C:\Users\Admin\AppData\Roaming\Remote Utilities Agent\70120\D668F227D0\libeay32.dll

Filesize
302KB

MD5
fe6931f6c977a6c93a17dcdc335bbc0f

SHA1
3ba3c724a9be37a92e729f3c653b2c9c5b78b9a7

SHA256
757187d37fa3afeef7df948984303819f01e4b151ae05ca86778829e41a6ad67

SHA512
e31ef70b08c85e194140cfd96276c718314cc87242508fdd30296f8b0d45da12522294d80054906dc8506a3b0d341a9af3e5f94cb4dcb78fe8d7a13cf9b6136d

Download Submit
C:\Users\Admin\AppData\Roaming\Remote Utilities Agent\70120\D668F227D0\libeay32.dll

Filesize
459KB

MD5
b79fd2f2e27b618038ba0fba61147824

SHA1
e4f51e0f3e5ac5ff0e2a7da37db6eca2a0a67eb3

SHA256
84ab82473f65f4fb37ef0b79f04563a20fab8a245db6eee57d70266d29e6cea4

SHA512
636b7e9ba71944abc741c29cd7f2dba4076869b0020d73a493149be9f17e314b97d1c747cf07751621d9e6b96f443c71389f323c792ca23fb7fb4cf70e63e865

Download Submit
C:\Users\Admin\AppData\Roaming\Remote Utilities Agent\70120\D668F227D0\libeay32.dll

Filesize
331KB

MD5
2f93f1aa2b66568d0bb2dea135c98e37

SHA1
f8a0633011dfc97e28a1b5d675bb30d59d68698e

SHA256
84c9ec93d411eaaec564a5eea5683cc2baec91f3d46f9b506501dfb3bd0d69df

SHA512
ee441a543236eefe4201558e533b302468165a712c899569f144410bdb5bbf8f520b89387d3bc2f01ff82df2fcb939d617ab2045df36416d5b49aaedf85be80e

Download Submit
C:\Users\Admin\AppData\Roaming\Remote Utilities Agent\70120\D668F227D0\logo.png

Filesize
47KB

MD5
df43633ed3537fdf83fa263b6980fc77

SHA1
5d0e4d8eee36ca602831486b8e7183df62f25a5c

SHA256
3623af4b5bbf5dbec85c40d628899ae3270342a7eb2b5303f001f0fb6dd291fa

SHA512
4ed8870f04c142042ad933a7cb3c1f004d72b09aa1e7aba189fef40415b82a652de87718b198ff0f58c3b4a013a5551deac23c164f37058324940598b1fc5131

Download Submit
C:\Users\Admin\AppData\Roaming\Remote Utilities Agent\70120\D668F227D0\rfusclient.exe

Filesize
153KB

MD5
bf14df51086d04d2d9cfec7d0b459c6f

SHA1
f12ca60532113e316feaeabeff2cf743bf56409a

SHA256
4db303068d9b69ff0c3b3fc6d1142f4355d2ffc9e4785bf7af00eab7691bd1d5

SHA512
3264648dc7279df2174d07813a0de0ef6c925f0e392dacebb0f4ab3a10ded35509a332096eb56a3c84aeb9b1488935ffe69ba85044d5f86cbac144c2ed7b94c3

Download Submit
C:\Users\Admin\AppData\Roaming\Remote Utilities Agent\70120\D668F227D0\rfusclient.exe

Filesize
600KB

MD5
567f572dfb269d357785e0ff23401b87

SHA1
506ffe8e406aa773fec451aa47142458126339ba

SHA256
beefc06cf0ad8db795067001b8a1241515066afa0537b7d4970c9a9b2bd4513d

SHA512
f2c531c4416d73c1b5d7160a8a19425b4be8aac152a318cee1595a3167e5bbf354a2c9870daf15a52b3311aed98a3fd27c6ce575b49c0666402dd5eda69dc572

Download Submit
C:\Users\Admin\AppData\Roaming\Remote Utilities Agent\70120\D668F227D0\rfusclient.exe

Filesize
320KB

MD5
91558404ddf8566fd83a12204d77a11c

SHA1
082534dd62a2585a8ae2de62ae0e6e9305e27604

SHA256
633ffdf03394211c7c597b179a85f6491e16bdfa7ed6db6471587fd6fbf894c9

SHA512
8c465a653dc80742704724f5924bf9b637ba459fb443cd8b7483701b6df04c506e0c5cf4ff2bb925f41e314cd408cb6de3ce78ad1c188199d44fa26dc8500fd1

Download Submit
C:\Users\Admin\AppData\Roaming\Remote Utilities Agent\70120\D668F227D0\rfusclient.exe

Filesize
195KB

MD5
8b45abab506c09eddea8261bc1097eed

SHA1
368a1ee84fe663202fe7bfcb49cb6da49de33f7e

SHA256
e78642c1aff19b1f8a94d4849876f65fb01fe8764073a76fb3c2b862964255e1

SHA512
f41ccde691c494d85c0848c869ab96cc087ebd955b64b47630f1e886d7a3a2db7195d84aa26651458453e34c5c4ef63e61cfaa42059d8465d2ef094822889f8e

Download Submit
C:\Users\Admin\AppData\Roaming\Remote Utilities Agent\70120\D668F227D0\rutserv.exe

Filesize
467KB

MD5
f68ad135a6fbe0e60696c95adce22e95

SHA1
8648e3b9618b87fd199fdf428331387cdd7b92bb

SHA256
b656e9b4563510469f646b6bf5800e0f4913b8ea59655fc892f302dc4d242b12

SHA512
59535db7fcf0299a13a1c000f0c35d82a41515d28e03ca70aef19c856b63cd9aaf3b2cdb6513d4d23a00ee1847241573e10d2b9725422bdce02294cda8613c75

Download Submit
C:\Users\Admin\AppData\Roaming\Remote Utilities Agent\70120\D668F227D0\rutserv.exe

Filesize
172KB

MD5
8743f456ac5098a5e4fc22bd8b115b76

SHA1
81b631cf8b771eae2913af0ea2da3afab76f808c

SHA256
a96e2376d9a8b17c2cad68a596c1bd39d029936cf378512dfc4f55fe1dd7a22b

SHA512
cfdbd38c4d1993b591e977cd1f0a674328bb187884e79e7a216c56b661645d48f4ccd559835b4104476ae9e895b1bbf0278292cbf4e3ef50a7a25ab2c3eaf461

Download Submit
C:\Users\Admin\AppData\Roaming\Remote Utilities Agent\70120\D668F227D0\rutserv.exe

Filesize
20KB

MD5
82d5b9bc87d4948d2cc7507b5dd0bd8e

SHA1
4cc6c3d411bdb9d7d92a4a7fd31fb7c331c19f90

SHA256
d02d3e57a0a7e13eed4a330df730b00a79bcb30bc1725309d859a1fed379d718

SHA512
b7fa0e1c8f7f830cf73ff783886f05bcd36ed710dbe308431e948e7ab248e84d9e15e492857045902740b315065d91af03330e6578c761e6ebf335e754e75d39

Download Submit
C:\Users\Admin\AppData\Roaming\Remote Utilities Agent\70120\D668F227D0\rutserv.exe

Filesize
290KB

MD5
9c4e109d619f2c1a11399bc6df7f07a8

SHA1
e5a29fdbd09d03d0976d2d1dc7ce77d782e192df

SHA256
c5a6c37e5610a63a4e23e2e260773eccc3bd7856777f550767a8e24aca1cf055

SHA512
12806fa6dfe7b6e235cf0408ffd081479ca297cd138dd6cbcb6ea69377228caf6755bf131eec78d96d90f304c7e225f2ca77c89ca45b37d34db68c17d7cb100b

Download Submit
C:\Users\Admin\AppData\Roaming\Remote Utilities Agent\70120\D668F227D0\settings.dat

Filesize
8KB

MD5
fe1c1ff76ed834197a354d2f68ddf764

SHA1
b591c8317da01bf5b6a678547b16f8d841e0c1e7

SHA256
bd9c4090bccb808e8946c91af6fa17409583f3aad543a5adc4ef5c1939e17aeb

SHA512
4f3ae76d72c29fdf0a2e229b0a5b814d2389d89c7a38e436fdb2495c7a90e73b8bc1f0d52fe85a73e4a6ee54210d29036767c1418e7ca988d2ede162c2670931

Download Submit
C:\Users\Admin\AppData\Roaming\Remote Utilities Agent\70120\D668F227D0\ssleay32.dll

Filesize
337KB

MD5
fe6d8feaeae983513e0a9a223604041b

SHA1
efa54892735d331a24b707068040e5a697455cee

SHA256
af029ac96a935594de92f771ef86c3e92fe22d08cb78ebf815cbfd4ef0cb94b0

SHA512
a78b1643c9ea02004aabefc9c72d418ee3292edb63a90002608ac02ad4e1a92d86b0fc95e66d6d4b49404c1fc75845d0e6262821b6052ab037b4542fcaf2047d

Download Submit
C:\Users\Admin\AppData\Roaming\Remote Utilities Agent\70120\D668F227D0\ssleay32.dll

Filesize
191KB

MD5
6e244c52f4cd6cb5d63c05262ec5e508

SHA1
9a07f59d041ccabc37599cbd2aec31f5cd74611b

SHA256
74b24feaabe3273ce36de06f218e391b4a57388cd5d8c0182f3530bbcb0c016e

SHA512
0bf44f21f11eaf1893ef8102f209fdef7cb0958f6aaa0348b8351978f1a936fbdd22d88b0e12b07b19a4e605574e552a710025fdd1b749f75dd3eab4143e704b

Download Submit
C:\Users\Admin\AppData\Roaming\Remote Utilities Agent\70120\D668F227D0\vp8decoder.dll

Filesize
380KB

MD5
41acd8b6d9d80a61f2f686850e3d676a

SHA1
38428a08915cf72dd2eca25b3d87613d9aa027dd

SHA256
36993fc3312ce757c8adeca3e5969e1fcc11d5b51b12c458ba8d54d73b64d4e7

SHA512
d174638965ec781cbcb2927ceafb295c3176dc78da8938467faca3e512a42fe71a9dc1070f23e1c95f0b7c157fff3b00a8b572c39e4670713564f1310360ed23

Download Submit
C:\Users\Admin\AppData\Roaming\Remote Utilities Agent\70120\D668F227D0\vp8decoder.dll

Filesize
158KB

MD5
4c86e8583369447f55419b6b27e5b924

SHA1
7a3bdd861ccb77075e0c3cccc21bd3cc93e42153

SHA256
1b4ff660b82cc71168812b42e3efb4d3154867b50bf179a449ae8d2a229b8f98

SHA512
d6c10344a1ed0a5d931170346bfe6df5fb8e68a7afb5e3b2dc0e5af49e194446eb840285829d222dfc8245db52f75f1bdbb34c851877f3017db5bbb299f8f2fb

Download Submit
C:\Users\Admin\AppData\Roaming\Remote Utilities Agent\70120\D668F227D0\vp8encoder.dll

Filesize
152KB

MD5
e846e080225cb56a25a280272dc38fa8

SHA1
6b00b5006695eba1fc429219a7ee235aeef91297

SHA256
f6e48bdcae7a29667db39cbdace3bda85cc74b76ca40e6e5485598fd9e7e83c3

SHA512
cffc68b5c000e66606162d4bf9da709aa58131f707309a3dfbd84e5e5e84c2a8e465d1136f9bbd344ea5b9f78f747926b63c0451429a300f7e67762ffbce71e3

Download Submit
C:\Users\Admin\AppData\Roaming\Remote Utilities Agent\70120\D668F227D0\vp8encoder.dll

Filesize
481KB

MD5
f080fb642de9901faf1a486e9d67620a

SHA1
7b6569da62ec5bc805d4f76ac4eff79018b281ec

SHA256
b5a3919e867bcf54f1d27da5d9bc6f4b6804f3fa79819aa8cb7b6ecd6801fec8

SHA512
e7fc6592154de4096632b1771fad9641c776dc1eb7e1a6a9714f1989ae6ef9cc02a34f0af9b5f30805eebe3de5aea1999e9bbea1a55f3b68018f4c2c6f642e90

Download Submit
C:\Users\Admin\AppData\Roaming\Remote Utilities Agent\70120\D668F227D0\webmmux.dll

Filesize
249KB

MD5
b52ebdf9f2a417b5bd7d4b03578a44cc

SHA1
54ddc2dfc283b56e65cb3e35de16926a61accf27

SHA256
f246bc19d5207d982a2db791bcdb1189caf514cb2ba5f6e2746cb98f5e1513f2

SHA512
ffb582d2ad22326e5b0ee2670777130001d201d350783a23ed831244bac1a0320153bdc08ab51a989e547ad7305a52c0b338f88679d4cd1b939b008fc548bec8

Download Submit
C:\Users\Admin\AppData\Roaming\Remote Utilities Agent\70120\D668F227D0\webmmux.dll

Filesize
260KB

MD5
8a683f90a78778fba037565588a6f752

SHA1
011939c1fa7b73272db340c32386a13e140adc6a

SHA256
bd520007864b44e0bda7a466384d12c3c3f328326cf3549ba1853a58ccdbc99d

SHA512
9280fbb121f8b94f57560d1be3bcfe5e7c308d54dac278f13ea6c00256444fb9f17f543dd0d32c9844460818c1a50d83b26ce51c79698e9ca7a304652a3f5ea9

Download Submit
C:\Users\Admin\AppData\Roaming\Remote Utilities Agent\70120\D668F227D0\webmvorbisdecoder.dll

Filesize
90KB

MD5
00518d4930cd313d010463ab349a5923

SHA1
3088e12998ba07d6f16a92ad176d7420ff446608

SHA256
8deb51f8f2e02f16d6cad92a4c7a165015bef4fc58d2ca88f12b66b85c081716

SHA512
3be8d29ba3d32dae60458557e93e7ffcc110ebee97a22d5aeeac26a6247d3dba6e8025367494cf3aa6ae36886acce738d8727a0f6e6a75a01210e70a03fadf35

Download Submit
C:\Users\Admin\AppData\Roaming\Remote Utilities Agent\70120\D668F227D0\webmvorbisdecoder.dll

Filesize
365KB

MD5
c9d412c1d30abb9d61151a10371f4140

SHA1
87120faa6b859f5e23f7344f9547b2fc228af15b

SHA256
f3465ce8a23db5e8228eed5a60a6f7a096d1a9adf3012c39bc6d81d4e57e8e9e

SHA512
1c020afa89cdae55f4dcb80a455dc1b352f40455142f3947ed29c3e3d51fbd465b6e0ea16cd103186c252783a3f2a7f7c417e4df5727d9b2db511b650308face

Download Submit
C:\Users\Admin\AppData\Roaming\Remote Utilities Agent\70120\D668F227D0\webmvorbisencoder.dll

Filesize
103KB

MD5
e2d54bcc5a30813dc7d19e774fe6e5fb

SHA1
325fec273b973d451c08e8ba3f537e08a77c5062

SHA256
007ea668bf2d45499ab5b1a438d8af011cec539d6a4bd7cdf6497aa6151a04be

SHA512
992f1568ed3293956a7877298e7e07e38e676e8059a3dc3caaaa3798b1c3935a23468f2629facac083bfb45b6377bc104cfb9139ad2572777db74e79937cc0d1

Download Submit
C:\Users\Admin\AppData\Roaming\Remote Utilities Agent\70120\D668F227D0\webmvorbisencoder.dll

Filesize
398KB

MD5
0c793a77e6f5f798f7ae1348866a485f

SHA1
19ff4a9879e1031813beaa9b508d4175ebe53df3

SHA256
635ea4f71b1a95d64325596428a7496e56e6eb94b68521919ae57e18e399e3b2

SHA512
d67ca66ca7ace92aeeabe1c6b58e8595c3d88af6e77d585a6eb7d56197b0a7d5a25725d8ea2fae9cffccf3e1d6d61a3bffd46f9f6a944fa9cb39c817e13a51ce

Download Submit
memory/2684-91-0x0000000006520000-0x0000000006521000-memory.dmp

Filesize
4KB

Download
memory/2684-94-0x0000000000400000-0x0000000001868000-memory.dmp

Filesize
20.4MB

Download
memory/2684-92-0x0000000006760000-0x0000000006761000-memory.dmp

Filesize
4KB

Download
memory/2684-86-0x0000000005120000-0x0000000005121000-memory.dmp

Filesize
4KB

Download
memory/2928-85-0x0000000000400000-0x0000000000EF8000-memory.dmp

Filesize
11.0MB

Download
memory/2928-82-0x00000000047B0000-0x00000000047B1000-memory.dmp

Filesize
4KB

Download
memory/3508-0-0x00000000020C0000-0x00000000020C1000-memory.dmp

Filesize
4KB

Download
memory/3508-80-0x0000000000400000-0x00000000019A5000-memory.dmp

Filesize
21.6MB

Download
memory/3960-114-0x0000000007690000-0x0000000007691000-memory.dmp

Filesize
4KB

Download
memory/3960-161-0x0000000000400000-0x0000000001868000-memory.dmp

Filesize
20.4MB

Download
memory/3960-106-0x0000000006B40000-0x0000000006B41000-memory.dmp

Filesize
4KB

Download
memory/3960-110-0x0000000006CC0000-0x0000000006CC1000-memory.dmp

Filesize
4KB

Download
memory/3960-181-0x0000000000400000-0x0000000001868000-memory.dmp

Filesize
20.4MB

Download
memory/3960-115-0x00000000075A0000-0x00000000075A1000-memory.dmp

Filesize
4KB

Download
memory/3960-107-0x00000000066A0000-0x00000000066A1000-memory.dmp

Filesize
4KB

Download
memory/3960-113-0x0000000007640000-0x0000000007641000-memory.dmp

Filesize
4KB

Download
memory/3960-119-0x0000000007FC0000-0x0000000007FC1000-memory.dmp

Filesize
4KB

Download
memory/3960-112-0x00000000075F0000-0x00000000075F1000-memory.dmp

Filesize
4KB

Download
memory/3960-111-0x0000000007820000-0x0000000007821000-memory.dmp

Filesize
4KB

Download
memory/3960-95-0x0000000001C30000-0x0000000001C31000-memory.dmp

Filesize
4KB

Download
memory/3960-121-0x0000000008020000-0x0000000008021000-memory.dmp

Filesize
4KB

Download
memory/3960-120-0x0000000007FD0000-0x0000000007FD1000-memory.dmp

Filesize
4KB

Download
memory/3960-178-0x0000000000400000-0x0000000001868000-memory.dmp

Filesize
20.4MB

Download
memory/3960-124-0x0000000009CF0000-0x0000000009CF1000-memory.dmp

Filesize
4KB

Download
memory/3960-175-0x0000000000400000-0x0000000001868000-memory.dmp

Filesize
20.4MB

Download
memory/3960-133-0x0000000001C30000-0x0000000001C31000-memory.dmp

Filesize
4KB

Download
memory/3960-171-0x0000000000400000-0x0000000001868000-memory.dmp

Filesize
20.4MB

Download
memory/3960-134-0x0000000000400000-0x0000000001868000-memory.dmp

Filesize
20.4MB

Download
memory/3960-167-0x0000000000400000-0x0000000001868000-memory.dmp

Filesize
20.4MB

Download
memory/3960-164-0x0000000000400000-0x0000000001868000-memory.dmp

Filesize
20.4MB

Download
memory/3960-139-0x0000000000400000-0x0000000001868000-memory.dmp

Filesize
20.4MB

Download
memory/3960-105-0x00000000069F0000-0x00000000069F1000-memory.dmp

Filesize
4KB

Download
memory/3960-142-0x0000000000400000-0x0000000001868000-memory.dmp

Filesize
20.4MB

Download
memory/3960-158-0x0000000000400000-0x0000000001868000-memory.dmp

Filesize
20.4MB

Download
memory/3960-145-0x0000000000400000-0x0000000001868000-memory.dmp

Filesize
20.4MB

Download
memory/3960-155-0x0000000000400000-0x0000000001868000-memory.dmp

Filesize
20.4MB

Download
memory/3960-149-0x0000000000400000-0x0000000001868000-memory.dmp

Filesize
20.4MB

Download
memory/4804-165-0x0000000000400000-0x0000000000EF8000-memory.dmp

Filesize
11.0MB

Download
memory/4804-182-0x0000000000400000-0x0000000000EF8000-memory.dmp

Filesize
11.0MB

Download
memory/4804-150-0x0000000000400000-0x0000000000EF8000-memory.dmp

Filesize
11.0MB

Download
memory/4804-143-0x0000000000400000-0x0000000000EF8000-memory.dmp

Filesize
11.0MB

Download
memory/4804-159-0x0000000000400000-0x0000000000EF8000-memory.dmp

Filesize
11.0MB

Download
memory/4804-140-0x0000000000400000-0x0000000000EF8000-memory.dmp

Filesize
11.0MB

Download
memory/4804-162-0x0000000000400000-0x0000000000EF8000-memory.dmp

Filesize
11.0MB

Download
memory/4804-138-0x0000000004670000-0x0000000004671000-memory.dmp

Filesize
4KB

Download
memory/4804-156-0x0000000000400000-0x0000000000EF8000-memory.dmp

Filesize
11.0MB

Download
memory/4804-147-0x0000000000400000-0x0000000000EF8000-memory.dmp

Filesize
11.0MB

Download
memory/4804-135-0x0000000000400000-0x0000000000EF8000-memory.dmp

Filesize
11.0MB

Download
memory/4804-168-0x0000000000400000-0x0000000000EF8000-memory.dmp

Filesize
11.0MB

Download
memory/4804-172-0x0000000000400000-0x0000000000EF8000-memory.dmp

Filesize
11.0MB

Download
memory/4804-123-0x0000000004910000-0x0000000004911000-memory.dmp

Filesize
4KB

Download
memory/4804-176-0x0000000000400000-0x0000000000EF8000-memory.dmp

Filesize
11.0MB

Download
memory/4804-125-0x0000000004A70000-0x0000000004A71000-memory.dmp

Filesize
4KB

Download
memory/4804-179-0x0000000000400000-0x0000000000EF8000-memory.dmp

Filesize
11.0MB

Download
memory/4804-116-0x0000000004670000-0x0000000004671000-memory.dmp

Filesize
4KB

Download
memory/4804-136-0x0000000006750000-0x0000000006751000-memory.dmp

Filesize
4KB

Download