rms | cd072d072df3c9feb5cf7365b1c88ec1b94cc1dfb5ef29c8eb5e37f6ca20037f

Analysis

max time kernel
147s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
27-02-2024 17:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a9bc726ed086972998ec04883f82c0cd.exe
Size

7.3MB
MD5

a9bc726ed086972998ec04883f82c0cd
SHA1

8e479f378d7e20a0eb39d82044a3a5f528aab5c6
SHA256

cd072d072df3c9feb5cf7365b1c88ec1b94cc1dfb5ef29c8eb5e37f6ca20037f
SHA512

6431178a072106cc34d7e9641f31213c543b7084deba00a731368890ddc9c041961d0c06a4d933656072a686e15beec1d62877926f7cbf1d653ecb7e051eb8ef
SSDEEP

196608:fJs8lp9+5ckLl4M4FluxtBB8p5ATnxZya:fLp9Xm5/xF8pqd

Score

10^/10

rms rat trojan

Malware Config

Signatures

RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation	a9bc726ed086972998ec04883f82c0cd.exe

Executes dropped EXE 7 IoCs

pid	Process
4856	rutserv.exe
3568	rutserv.exe
1856	rutserv.exe
1424	rutserv.exe
444	rfusclient.exe
2144	rfusclient.exe
4468	rfusclient.exe

Loads dropped DLL 8 IoCs

pid	Process
384	MsiExec.exe
4856	rutserv.exe
3568	rutserv.exe
1856	rutserv.exe
1424	rutserv.exe
444	rfusclient.exe
2144	rfusclient.exe
4468	rfusclient.exe

Blocklisted process makes network request 2 IoCs

flow	pid	Process
28	3540	msiexec.exe
30	3540	msiexec.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe

Drops file in Program Files directory 58 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Internet Explorer\winmm.dll	cmd.exe
File created	C:\Program Files (x86)\Internet Explorer\RIPCServer.dll	msiexec.exe
File created	C:\Program Files (x86)\Internet Explorer\Printer\x86\rms.gpd	msiexec.exe
File created	C:\Program Files (x86)\Internet Explorer\rfusclient.exe	msiexec.exe
File created	C:\Program Files (x86)\Internet Explorer\Russian.lg	msiexec.exe
File created	C:\Program Files (x86)\Internet Explorer\Printer\x64\rms.ini	msiexec.exe
File created	C:\Program Files (x86)\Internet Explorer\Printer\x64\srvinst_x64.exe	msiexec.exe
File created	C:\Program Files (x86)\Internet Explorer\Printer\x86\fwproc.exe	msiexec.exe
File created	C:\Program Files (x86)\Internet Explorer\Printer\x86\install.cmd	msiexec.exe
File created	C:\Program Files (x86)\Internet Explorer\vp8decoder.dll	msiexec.exe
File created	C:\Program Files (x86)\Internet Explorer\Printer\x64\unidrv_rms.hlp	msiexec.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\winmm.dll	cmd.exe
File created	C:\Program Files (x86)\Internet Explorer\EULA.rtf	msiexec.exe
File created	C:\Program Files (x86)\Internet Explorer\Printer\x86\progress.exe	msiexec.exe
File created	C:\Program Files (x86)\Internet Explorer\Printer\x64\setupdrv.exe	msiexec.exe
File created	C:\Program Files (x86)\Internet Explorer\Printer\x64\unidrvui_rms.dll	msiexec.exe
File created	C:\Program Files (x86)\Internet Explorer\Printer\x64\rms.gpd	msiexec.exe
File created	C:\Program Files (x86)\Internet Explorer\Printer\x86\unires_vpd.dll	msiexec.exe
File created	C:\Program Files (x86)\Internet Explorer\Printer\x64\unidrv_rms.dll	msiexec.exe
File created	C:\Program Files (x86)\Internet Explorer\Printer\x86\unidrv_rms.dll	msiexec.exe
File created	C:\Program Files (x86)\Internet Explorer\Printer\x64\rmsui2.exe	msiexec.exe
File created	C:\Program Files (x86)\Internet Explorer\Printer\x64\install.cmd	msiexec.exe
File created	C:\Program Files (x86)\Internet Explorer\dsfVorbisEncoder.dll	msiexec.exe
File created	C:\Program Files (x86)\Internet Explorer\Printer\x64\uninstall.cmd	msiexec.exe
File created	C:\Program Files (x86)\Internet Explorer\Printer\x86\unidrvui_rms.dll	msiexec.exe
File created	C:\Program Files (x86)\Internet Explorer\Printer\x86\stdnames_vpd.gpd	msiexec.exe
File created	C:\Program Files (x86)\Internet Explorer\vp8encoder.dll	msiexec.exe
File created	C:\Program Files (x86)\Internet Explorer\Printer\x64\rms.lng	msiexec.exe
File created	C:\Program Files (x86)\Internet Explorer\Printer\x86\srvinst.exe	msiexec.exe
File created	C:\Program Files (x86)\Internet Explorer\Microsoft.VC90.CRT.manifest	msiexec.exe
File created	C:\Program Files (x86)\Internet Explorer\dsfVorbisDecoder.dll	msiexec.exe
File created	C:\Program Files (x86)\Internet Explorer\rutserv.exe	msiexec.exe
File created	C:\Program Files (x86)\Internet Explorer\English.lg	msiexec.exe
File created	C:\Program Files (x86)\Internet Explorer\Printer\x86\setupdrv.exe	msiexec.exe
File created	C:\Program Files (x86)\Internet Explorer\Printer\x86\rms.lng	msiexec.exe
File created	C:\Program Files (x86)\Internet Explorer\Printer\x86\rms_s.lng	msiexec.exe
File created	C:\Program Files (x86)\Internet Explorer\Printer\x86\rms.ini	msiexec.exe
File created	C:\Program Files (x86)\Internet Explorer\Printer\x86\SampleClient.exe	msiexec.exe
File created	C:\Program Files (x86)\Internet Explorer\Printer\x86\VPDAgent.exe	msiexec.exe
File created	C:\Program Files (x86)\Internet Explorer\Printer\x86\rmsui.dll	msiexec.exe
File created	C:\Program Files (x86)\Internet Explorer\gdiplus.dll	msiexec.exe
File created	C:\Program Files (x86)\Internet Explorer\msvcr90.dll	msiexec.exe
File created	C:\Program Files (x86)\Internet Explorer\Printer\x64\VPDAgent_x64.exe	msiexec.exe
File created	C:\Program Files (x86)\Internet Explorer\Printer\x64\rmspm.dll	msiexec.exe
File created	C:\Program Files (x86)\Internet Explorer\RWLN.dll	msiexec.exe
File created	C:\Program Files (x86)\Internet Explorer\Printer\x86\ntprint.inf	msiexec.exe
File created	C:\Program Files (x86)\Internet Explorer\Printer\x86\uninstall.cmd	msiexec.exe
File created	C:\Program Files (x86)\Internet Explorer\Printer\x64\unires_vpd.dll	msiexec.exe
File created	C:\Program Files (x86)\Internet Explorer\Printer\x64\ntprint.inf	msiexec.exe
File created	C:\Program Files (x86)\Internet Explorer\Printer\x64\stdnames_vpd.gpd	msiexec.exe
File created	C:\Program Files (x86)\Internet Explorer\Printer\x86\rmspm.dll	msiexec.exe
File created	C:\Program Files (x86)\Internet Explorer\Printer\x86\unidrv_rms.hlp	msiexec.exe
File created	C:\Program Files (x86)\Internet Explorer\msvcp90.dll	msiexec.exe
File created	C:\Program Files (x86)\Internet Explorer\Printer\x64\fwproc.exe	msiexec.exe
File created	C:\Program Files (x86)\Internet Explorer\Printer\x64\progress.exe	msiexec.exe
File created	C:\Program Files (x86)\Internet Explorer\Printer\x64\rmsui.dll	msiexec.exe
File created	C:\Program Files (x86)\Internet Explorer\Printer\x64\rms_s.lng	msiexec.exe
File created	C:\Program Files (x86)\Internet Explorer\Printer\x86\rmsui2.exe	msiexec.exe

Drops file in Windows directory 19 IoCs

description	ioc	Process
File created	C:\Windows\Installer\e577426.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\{C2AD926E-45DC-4C5F-88A0-63AEE6A3262A}\ARPPRODUCTICON.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI79D3.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{C2AD926E-45DC-4C5F-88A0-63AEE6A3262A}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7C36.tmp	msiexec.exe
File created	C:\Windows\Installer\{C2AD926E-45DC-4C5F-88A0-63AEE6A3262A}\UNINST_Uninstall_R_3B1E3C8B7D0945898DA82CEEED02F0C7.exe	msiexec.exe
File created	C:\Windows\Installer\{C2AD926E-45DC-4C5F-88A0-63AEE6A3262A}\server_start_C00864331B9D4391A8A26292A601EBE2.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{C2AD926E-45DC-4C5F-88A0-63AEE6A3262A}\server_start_C00864331B9D4391A8A26292A601EBE2.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\e577426.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\Installer\e57742a.msi	msiexec.exe
File created	C:\Windows\Installer\{C2AD926E-45DC-4C5F-88A0-63AEE6A3262A}\server_stop_27D7873393984316BEA10FB36BB4D2F9.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{C2AD926E-45DC-4C5F-88A0-63AEE6A3262A}\server_config_C8E9A92497A149D695F92E4E3AE550F0.exe	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\{C2AD926E-45DC-4C5F-88A0-63AEE6A3262A}\ARPPRODUCTICON.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{C2AD926E-45DC-4C5F-88A0-63AEE6A3262A}\UNINST_Uninstall_R_3B1E3C8B7D0945898DA82CEEED02F0C7.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{C2AD926E-45DC-4C5F-88A0-63AEE6A3262A}\server_stop_27D7873393984316BEA10FB36BB4D2F9.exe	msiexec.exe
File created	C:\Windows\Installer\{C2AD926E-45DC-4C5F-88A0-63AEE6A3262A}\server_config_C8E9A92497A149D695F92E4E3AE550F0.exe	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\23	msiexec.exe

Modifies registry class 24 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E629DA2CCD54F5C4880A36EA6E3A62A2\SourceList\Media\1 = "DISK1;1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E629DA2CCD54F5C4880A36EA6E3A62A2\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\7ZipSfx.000\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E629DA2CCD54F5C4880A36EA6E3A62A2\ProductName = "Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40.219"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E629DA2CCD54F5C4880A36EA6E3A62A2\AuthorizedLUAApp = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E629DA2CCD54F5C4880A36EA6E3A62A2\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\509B38EF4554FFD4794F292971C81B17	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\E629DA2CCD54F5C4880A36EA6E3A62A2	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E629DA2CCD54F5C4880A36EA6E3A62A2	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E629DA2CCD54F5C4880A36EA6E3A62A2\Assignment = "1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E629DA2CCD54F5C4880A36EA6E3A62A2\SourceList\Media\DiskPrompt = "[1]"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E629DA2CCD54F5C4880A36EA6E3A62A2\InstanceType = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E629DA2CCD54F5C4880A36EA6E3A62A2\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E629DA2CCD54F5C4880A36EA6E3A62A2\SourceList\PackageName = "system32.msi"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E629DA2CCD54F5C4880A36EA6E3A62A2\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\7ZipSfx.000\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\E629DA2CCD54F5C4880A36EA6E3A62A2\RMS	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E629DA2CCD54F5C4880A36EA6E3A62A2\Version = "100603060"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E629DA2CCD54F5C4880A36EA6E3A62A2\AdvertiseFlags = "388"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E629DA2CCD54F5C4880A36EA6E3A62A2\ProductIcon = "C:\\Windows\\Installer\\{C2AD926E-45DC-4C5F-88A0-63AEE6A3262A}\\ARPPRODUCTICON.exe"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E629DA2CCD54F5C4880A36EA6E3A62A2\SourceList\Media	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E629DA2CCD54F5C4880A36EA6E3A62A2\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E629DA2CCD54F5C4880A36EA6E3A62A2\PackageCode = "CA621BAB2625C4F47B0824566FC192D8"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E629DA2CCD54F5C4880A36EA6E3A62A2\Language = "1049"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\509B38EF4554FFD4794F292971C81B17\E629DA2CCD54F5C4880A36EA6E3A62A2	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E629DA2CCD54F5C4880A36EA6E3A62A2\SourceList\Net	msiexec.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4560	PING.EXE

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
3540	msiexec.exe
3540	msiexec.exe
4856	rutserv.exe
4856	rutserv.exe
4856	rutserv.exe
4856	rutserv.exe
4856	rutserv.exe
4856	rutserv.exe
3568	rutserv.exe
3568	rutserv.exe
1856	rutserv.exe
1856	rutserv.exe
1424	rutserv.exe
1424	rutserv.exe
1424	rutserv.exe
1424	rutserv.exe
1424	rutserv.exe
1424	rutserv.exe
444	rfusclient.exe
444	rfusclient.exe

Suspicious behavior: SetClipboardViewer 1 IoCs

pid	Process
4468	rfusclient.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2304	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2304	msiexec.exe
Token: SeSecurityPrivilege	3540	msiexec.exe
Token: SeCreateTokenPrivilege	2304	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2304	msiexec.exe
Token: SeLockMemoryPrivilege	2304	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2304	msiexec.exe
Token: SeMachineAccountPrivilege	2304	msiexec.exe
Token: SeTcbPrivilege	2304	msiexec.exe
Token: SeSecurityPrivilege	2304	msiexec.exe
Token: SeTakeOwnershipPrivilege	2304	msiexec.exe
Token: SeLoadDriverPrivilege	2304	msiexec.exe
Token: SeSystemProfilePrivilege	2304	msiexec.exe
Token: SeSystemtimePrivilege	2304	msiexec.exe
Token: SeProfSingleProcessPrivilege	2304	msiexec.exe
Token: SeIncBasePriorityPrivilege	2304	msiexec.exe
Token: SeCreatePagefilePrivilege	2304	msiexec.exe
Token: SeCreatePermanentPrivilege	2304	msiexec.exe
Token: SeBackupPrivilege	2304	msiexec.exe
Token: SeRestorePrivilege	2304	msiexec.exe
Token: SeShutdownPrivilege	2304	msiexec.exe
Token: SeDebugPrivilege	2304	msiexec.exe
Token: SeAuditPrivilege	2304	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2304	msiexec.exe
Token: SeChangeNotifyPrivilege	2304	msiexec.exe
Token: SeRemoteShutdownPrivilege	2304	msiexec.exe
Token: SeUndockPrivilege	2304	msiexec.exe
Token: SeSyncAgentPrivilege	2304	msiexec.exe
Token: SeEnableDelegationPrivilege	2304	msiexec.exe
Token: SeManageVolumePrivilege	2304	msiexec.exe
Token: SeImpersonatePrivilege	2304	msiexec.exe
Token: SeCreateGlobalPrivilege	2304	msiexec.exe
Token: SeShutdownPrivilege	3120	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3120	msiexec.exe
Token: SeCreateTokenPrivilege	3120	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3120	msiexec.exe
Token: SeLockMemoryPrivilege	3120	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3120	msiexec.exe
Token: SeMachineAccountPrivilege	3120	msiexec.exe
Token: SeTcbPrivilege	3120	msiexec.exe
Token: SeSecurityPrivilege	3120	msiexec.exe
Token: SeTakeOwnershipPrivilege	3120	msiexec.exe
Token: SeLoadDriverPrivilege	3120	msiexec.exe
Token: SeSystemProfilePrivilege	3120	msiexec.exe
Token: SeSystemtimePrivilege	3120	msiexec.exe
Token: SeProfSingleProcessPrivilege	3120	msiexec.exe
Token: SeIncBasePriorityPrivilege	3120	msiexec.exe
Token: SeCreatePagefilePrivilege	3120	msiexec.exe
Token: SeCreatePermanentPrivilege	3120	msiexec.exe
Token: SeBackupPrivilege	3120	msiexec.exe
Token: SeRestorePrivilege	3120	msiexec.exe
Token: SeShutdownPrivilege	3120	msiexec.exe
Token: SeDebugPrivilege	3120	msiexec.exe
Token: SeAuditPrivilege	3120	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3120	msiexec.exe
Token: SeChangeNotifyPrivilege	3120	msiexec.exe
Token: SeRemoteShutdownPrivilege	3120	msiexec.exe
Token: SeUndockPrivilege	3120	msiexec.exe
Token: SeSyncAgentPrivilege	3120	msiexec.exe
Token: SeEnableDelegationPrivilege	3120	msiexec.exe
Token: SeManageVolumePrivilege	3120	msiexec.exe
Token: SeImpersonatePrivilege	3120	msiexec.exe
Token: SeCreateGlobalPrivilege	3120	msiexec.exe
Token: SeShutdownPrivilege	4084	msiexec.exe

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 1148 wrote to memory of 1868	1148	a9bc726ed086972998ec04883f82c0cd.exe	89
PID 1148 wrote to memory of 1868	1148	a9bc726ed086972998ec04883f82c0cd.exe	89
PID 1148 wrote to memory of 1868	1148	a9bc726ed086972998ec04883f82c0cd.exe	89
PID 1868 wrote to memory of 2816	1868	cmd.exe	91
PID 1868 wrote to memory of 2816	1868	cmd.exe	91
PID 1868 wrote to memory of 2816	1868	cmd.exe	91
PID 1868 wrote to memory of 2304	1868	cmd.exe	92
PID 1868 wrote to memory of 2304	1868	cmd.exe	92
PID 1868 wrote to memory of 2304	1868	cmd.exe	92
PID 1868 wrote to memory of 3120	1868	cmd.exe	94
PID 1868 wrote to memory of 3120	1868	cmd.exe	94
PID 1868 wrote to memory of 3120	1868	cmd.exe	94
PID 1868 wrote to memory of 4560	1868	cmd.exe	95
PID 1868 wrote to memory of 4560	1868	cmd.exe	95
PID 1868 wrote to memory of 4560	1868	cmd.exe	95
PID 1868 wrote to memory of 4084	1868	cmd.exe	98
PID 1868 wrote to memory of 4084	1868	cmd.exe	98
PID 1868 wrote to memory of 4084	1868	cmd.exe	98
PID 3540 wrote to memory of 384	3540	msiexec.exe	100
PID 3540 wrote to memory of 384	3540	msiexec.exe	100
PID 3540 wrote to memory of 384	3540	msiexec.exe	100
PID 3540 wrote to memory of 4856	3540	msiexec.exe	101
PID 3540 wrote to memory of 4856	3540	msiexec.exe	101
PID 3540 wrote to memory of 4856	3540	msiexec.exe	101
PID 3540 wrote to memory of 3568	3540	msiexec.exe	102
PID 3540 wrote to memory of 3568	3540	msiexec.exe	102
PID 3540 wrote to memory of 3568	3540	msiexec.exe	102
PID 3540 wrote to memory of 1856	3540	msiexec.exe	103
PID 3540 wrote to memory of 1856	3540	msiexec.exe	103
PID 3540 wrote to memory of 1856	3540	msiexec.exe	103
PID 1424 wrote to memory of 444	1424	rutserv.exe	105
PID 1424 wrote to memory of 444	1424	rutserv.exe	105
PID 1424 wrote to memory of 444	1424	rutserv.exe	105
PID 1424 wrote to memory of 2144	1424	rutserv.exe	106
PID 1424 wrote to memory of 2144	1424	rutserv.exe	106
PID 1424 wrote to memory of 2144	1424	rutserv.exe	106
PID 444 wrote to memory of 4468	444	rfusclient.exe	107
PID 444 wrote to memory of 4468	444	rfusclient.exe	107
PID 444 wrote to memory of 4468	444	rfusclient.exe	107

C:\Users\Admin\AppData\Local\Temp\a9bc726ed086972998ec04883f82c0cd.exe
"C:\Users\Admin\AppData\Local\Temp\a9bc726ed086972998ec04883f82c0cd.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1148
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\install.cmd" "
  2⤵
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:1868
- - C:\Windows\SysWOW64\chcp.com
    chcp 1251
    3⤵
    PID:2816
- - C:\Windows\SysWOW64\msiexec.exe
    MsiExec /x {61FFA475-24D5-44FB-A51F-39B699E3D82C} /qn REBOOT=ReallySuppress
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2304
- - C:\Windows\SysWOW64\msiexec.exe
    MsiExec /x {54067864-C0E7-47DB-A0C1-D6C874CE6BD8} /qn REBOOT=ReallySuppress
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3120
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:4560
- - C:\Windows\SysWOW64\msiexec.exe
    MsiExec /I "system32.msi" /qn
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4084

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3540
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 374AB3415A1430EF60BA853150390DF5
  2⤵
  - Loads dropped DLL
  PID:384
- C:\Program Files (x86)\Internet Explorer\rutserv.exe
  "C:\Program Files (x86)\Internet Explorer\rutserv.exe" /silentinstall
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:4856
- C:\Program Files (x86)\Internet Explorer\rutserv.exe
  "C:\Program Files (x86)\Internet Explorer\rutserv.exe" /firewall
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:3568
- C:\Program Files (x86)\Internet Explorer\rutserv.exe
  "C:\Program Files (x86)\Internet Explorer\rutserv.exe" /start
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:1856

C:\Program Files (x86)\Internet Explorer\rutserv.exe
"C:\Program Files (x86)\Internet Explorer\rutserv.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1424
- C:\Program Files (x86)\Internet Explorer\rfusclient.exe
  "C:\Program Files (x86)\Internet Explorer\rfusclient.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:444
- - C:\Program Files (x86)\Internet Explorer\rfusclient.exe
    "C:\Program Files (x86)\Internet Explorer\rfusclient.exe" /tray
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: SetClipboardViewer
    PID:4468
- C:\Program Files (x86)\Internet Explorer\rfusclient.exe
  "C:\Program Files (x86)\Internet Explorer\rfusclient.exe" /tray
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2144

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e577429.rbs

Filesize
21KB

MD5
76823b166ae7cdd5304242096de293bb

SHA1
6deef8bbb96480ee20f5fe968fcf3c63ff42f304

SHA256
a955419e4f07c6ba9ef25b2206fefe657c619455feaaea1e9aa6b712b31be4b0

SHA512
e2a9cb2ee96d83c171608884d6082b8eef00d97d8ced96a0022bdd5daa235dfb8a79d19bf1dacced15d414944c9462d4dd41f809d6da7b9e156741aa1206aedb

Download Submit
C:\Program Files (x86)\Internet Explorer\English.lg

Filesize
43KB

MD5
90dea654be9ff2a477a874ede3b8919e

SHA1
53e2e671335c55e16dde8913e09509b4ecd9b39e

SHA256
3b6d4e43df68eadef9def8e7e8b4472114459385853cea859f2185a5ecfab24e

SHA512
297dbf1fb868e56fe5175e70d6c88c8f5932ddb838f415ea97835a994ca2958657ed58eb920abc33417aa7386a532a6412449b08989290d4749efe2270f62bd9

Download Submit
C:\Program Files (x86)\Internet Explorer\RIPCServer.dll

Filesize
144KB

MD5
941d1b63a94549cbe5224a4e722dd4d5

SHA1
bab121f4c3528af35456bac20fbd296112624260

SHA256
ce1cd24a782932e1c28c030da741a21729a3c5930d8358079b0f91747dd0d832

SHA512
b6bf11fa34ceab70e3f3ce48a8a6dcbe5cfa859db4a03ca18cc6309773a32aff9db111d2d2ab5bb1ce974322eaf71ea81cfaa3911d6b8085a82823a0aa1d30ee

Download Submit
C:\Program Files (x86)\Internet Explorer\RWLN.dll

Filesize
957KB

MD5
897266223a905afdc1225ff4e621c868

SHA1
6a5130154430284997dc76af8b145ab90b562110

SHA256
be991f825a2e6939f776ebc6d80d512a33cbbe60de2fcc32820c64f1d6b13c07

SHA512
1ad1386e71e036e66f3b6fdece5a376e7309ceb0f6eb73c3a8203b0825c45aa1f74e1f722b508cf3f73456e7d808853d37bcef79bfe8476fc16a4e6af2e9202b

Download Submit
C:\Program Files (x86)\Internet Explorer\Russian.lg

Filesize
48KB

MD5
3756211f2aa8ffe4b37afd42b6e3ecd3

SHA1
8fc79a50f97d0cfe3c877b13931353cade99e2f6

SHA256
e283bc3d094bc5ec94d922f3b5559c4ad8ca25c4a24e2ca31e74511ba31e29c1

SHA512
e83cd1d0fa8cc28d3154fb223ac938a5fd1b37a600f3a88a4ae7924a56b1a3684d210e273005fe436b03e07e8af76a19626c022bd6fc2eeefd1be8bd0d251edb

Download Submit
C:\Program Files (x86)\Internet Explorer\dsfVorbisDecoder.dll

Filesize
240KB

MD5
50bad879226bcbbf02d5cf2dcbcfbf61

SHA1
be262f40212bd5a227d19fdbbd4580c200c31e4b

SHA256
49295f414c5405a4f180b319cfed471871471776e4853baaf117a5185ec0d90d

SHA512
476df817a9c9e23423080afcac899b83fc8f532e4fe62bea2feeb988cba538f1f710e2fb61d81d6c283c428d772922c7a6ecb1684ac68ca8f267415105a60116

Download Submit
C:\Program Files (x86)\Internet Explorer\dsfVorbisEncoder.dll

Filesize
1.6MB

MD5
2721aa44e21659358e8a25c0f13ce02b

SHA1
91589226e6fd81675e013c5b7aad06e5f7903e61

SHA256
74ca24097bc69145af11dc6a0580665d4766aa78c7633f4084d16d7b4fecc5fb

SHA512
fb1f06e18b369e5df0dedf20bf5bcaae4f6d93bf8a4789db2d05b7c895fdeff2dc086089cca67fa7d352563b491606a547c37959db623b071e90a1c876d6cc2a

Download Submit
C:\Program Files (x86)\Internet Explorer\gdiplus.dll

Filesize
1.6MB

MD5
7916c52814b561215c01795bb71bb884

SHA1
0b3341642559efc8233561f81ec80a3983b9fc2d

SHA256
7d3c4c52684afff597dc4c132c464b651cb94aad039458b674d69cf76c240e64

SHA512
fc0a1d717c636639be6835d93bdde8019799842e11a055bedeb468f57cfaabf5582a65e1770841486550e06b1b9ba020ff5fad14b7838fe70afefb37933f1a8f

Download Submit
C:\Program Files (x86)\Internet Explorer\msvcp90.dll

Filesize
556KB

MD5
99c5cb416cb1f25f24a83623ed6a6a09

SHA1
0dbf63dea76be72390c0397cb047a83914e0f7c8

SHA256
9f47416ca37a864a31d3dc997677f8739433f294e83d0621c48eb9093c2e4515

SHA512
8bd1b14a690aa15c07ead90edacbcc4e8e3f68e0bfd6191d42519b9542786df35a66ed37e7af9cf9ff14d55a5622c29a88fee2a5bde889740a3ce6160d5256ac

Download Submit
C:\Program Files (x86)\Internet Explorer\msvcr90.dll

Filesize
638KB

MD5
bfeac23ced1f4ac8254b5cd1a2bf4dda

SHA1
fd450e3bc758d984f68f0ae5963809d7d80645b6

SHA256
420d298de132941eacec6718039a5f42eaec498399c482e2e0ff4dad76a09608

SHA512
1f4afc2eb72f51b9e600fbbf0d4408728e29b0c6ca45801605801ead0a287873ebbfaaae10b027f1a287c82232d1e7a3a7e7435b7f6a39223c3f7b23d96ed272

Download Submit
C:\Program Files (x86)\Internet Explorer\rfusclient.exe

Filesize
4.8MB

MD5
1d6f0b1752b19af83f1acffac80d02a9

SHA1
e9c4bce6a1999e399a0fe69f6377c816d0241fdc

SHA256
a8f5fa708123f8471bcd790725a021a3e3edfec3371cdffcb7788b9eb20c1d22

SHA512
e04bbb7761236dd177a97bd68e191f6678a583bb5a6626eca7ec918356fb6cc37f9b41169bdce3060c6b0898dabe14b933df7771863762fcb91239ec45ed4731

Download Submit
C:\Program Files (x86)\Internet Explorer\rfusclient.exe

Filesize
4.3MB

MD5
16da93bcfb6134d4919e5e4a286371bd

SHA1
5b17c44d140b161738d2fe3f226c16093cda5940

SHA256
fc67f05172bd0f05e0fe5b285d4c80483349fe3a63d0ff3a9135e1ce1e64afba

SHA512
29e1867697e609bd31a6599c1fa374ad5fa005671af8860f5f9929e00555dc192d86ee8de85b6d95828d47109eab94f61c16c0f60587a3b1a81001c09a4fa2fd

Download Submit
C:\Program Files (x86)\Internet Explorer\rutserv.exe

Filesize
2.0MB

MD5
434a0b31831401666ba8623bb03e16ea

SHA1
cfaa27d072e4b74b023e85c58ad0058e291fd72b

SHA256
73f52aa876faee087136095ab775ec83f8183c411a68ec23b0607eafc5364796

SHA512
7992cfbd3ccbe6119042c9c84dec83c536a7af2dc9d0d53c22f2c9d22d5949b3a6834fe4f90b5f16fc22937819556881397cb1eb22a3d7851c6cf4ddc46b13cc

Download Submit
C:\Program Files (x86)\Internet Explorer\rutserv.exe

Filesize
4.9MB

MD5
0495a4a4bec03729b4d77417a9e4e62c

SHA1
0cc4e9d67b2c87bc95af64045db78806b253089b

SHA256
064c0d0f5c4e460a364e0342a7d95ab9fa54809d31a27e4a7cd17cd75c0a7cde

SHA512
22d9e3a063226489bc083f0af52e697917419173de37a011741a204af57d27f072fa4f3414a08110ab4f4b3b09eb7cc763981ec1d433dbd9a4bfc7b5afa31ca3

Download Submit
C:\Program Files (x86)\Internet Explorer\rutserv.exe

Filesize
1.7MB

MD5
e64c586224673e016388ccd98474df71

SHA1
ebcd562b8bfe623c0b3183cbb68b17110ecb252d

SHA256
5a362513c3378ea126aa6689ef9f79c1dc5cb8914551da2539e9d2c9e01b3a16

SHA512
1cac8273671289fb80a8f87214fb7cf97cb8f0d1dc81e41a369d93150c986ef266993026d85ef249a07d745afc20dc0a055f3a58710c010c936c06e031bd698d

Download Submit
C:\Program Files (x86)\Internet Explorer\rutserv.exe

Filesize
5.7MB

MD5
84abcb8cc5427479c3e4ebe66300c78a

SHA1
4227f7850eaebf08f18aa6a2769a600a05bfbf70

SHA256
a0487ebd599580d2364bafcd8990970436e40e4979021e02866d0652067d6dbd

SHA512
2f3c5dcba1ea204e7abe9dcc47c40097a2d3ddd52b979a8bdd773977e64195a3b71cb5bd2bdb196e5c55071a918326bed34dadc48f1927067b9011bb3633039a

Download Submit
C:\Program Files (x86)\Internet Explorer\vp8decoder.dll

Filesize
409KB

MD5
1525887bc6978c0b54fec544877319e6

SHA1
7820fcd66e6fbf717d78a2a4df5b0367923dc431

SHA256
a47431090c357c00b27a3327d9d591088bc84b60060751ea6454cb3f1ae23e69

SHA512
56cb35ef2d5a52ba5cf4769a6bad4a4bae292bceff1b8aff5125046d43aff7683282a14bc8b626d7dccc250e0ed57b1ae54dd105732573089359444f774d6153

Download Submit
C:\Program Files (x86)\Internet Explorer\vp8encoder.dll

Filesize
691KB

MD5
c8fd8c4bc131d59606b08920b2fda91c

SHA1
df777e7c6c1b3d84a8277e6a669e9a5f7c15896d

SHA256
6f5ddf4113e92bf798e9ecf0fc0350ee7cae7c5479ca495e3045bdb313efd240

SHA512
2fe25325a94cd0f8af30f96ef03c4e64b1a721f603f792d9da72dcd4a5c92081bb24d90da5394f47e54d9d23e9c7ee845cbf469ea8371c088bda787c54b9369d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\install.cmd

Filesize
484B

MD5
4ec53ed5a150ccfdfe03f62f75f7d81d

SHA1
63cb66d383d6f1c0fc825fd867fe08139d692eff

SHA256
c1385b5a160c47f04f7acf70f8ad560d431a9ebafd35b0d6bb1077abb829e283

SHA512
e820c24f6294f447f8aa9a60019364b411e22f0f58e7e43ffab8fdd4bc74b3b2c50e0266a0bdf6e27f10611aafa2a60a9a7e888e2d01ca112179c7ed2b31645e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\system32.msi

Filesize
7.9MB

MD5
659d7d79d5edcab1a4f0ec707be7ce62

SHA1
d3a245aaa60791a7801744b1aa66cc723a38ecb4

SHA256
ec3f75f2f29ce9d8ffb1a9b3a36dde03e50c98929c4c1a652f7265c804d47d52

SHA512
6a8492026b706421a58760120ebb28a9cbbbb94257bbe4ab7ddc2798cf8d3645aa96d1251cd8f0c1598e29dc5f98a7b0cefafe2b0313b3f09dbe12532a04ba9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\winmm.dll

Filesize
21KB

MD5
91b769ba7d48157f452bd26be72160ec

SHA1
b61e2369084235ebc0bc277c16d3a56ac20a95b9

SHA256
58e401bfbd9387d65571afda2ffc28d290d9d21843aa06a6ceca4f9457d357e9

SHA512
1c1a87690486d22007f6f0e5c101575a78f1a17255d4cf6a79df7f5c5b2b4c3e8ec01bf5df33515ea888df12d52a5cd959bd7df6dfb0acceb34b411e97f8f0c2

Download Submit
C:\Windows\Installer\MSI79D3.tmp

Filesize
125KB

MD5
b0bcc622f1fff0eec99e487fa1a4ddd9

SHA1
49aa392454bd5869fa23794196aedc38e8eea6f5

SHA256
b32687eaaad888410718875dcbff9f6a552e29c4d76af33e06e59859e1054081

SHA512
1572c1d07df2e9262d05a915d69ec4ebeb92eab50b89ce27dd290fb5a8e1de2c97d9320a3bb006834c98b3f6afcd7d2c29f039d9ca9afaa09c714406dedbc3c7

Download Submit
C:\Windows\Installer\{C2AD926E-45DC-4C5F-88A0-63AEE6A3262A}\server_start_C00864331B9D4391A8A26292A601EBE2.exe

Filesize
96KB

MD5
9e2c097647125ee25068784acb01d7d3

SHA1
1a90c40c7f89eec18f47f0dae3f1d5cd3a3d49b5

SHA256
b4614281771ed482970fd0d091604b3a65c7e048f7d7fa8794abd0a0c638f5d2

SHA512
e2f334f31361ea1ffc206184808cb51002486fe583dc23b4f617bead0e3940fdc97b72cda2a971e2cf00462940b31e065228f643835d156e7166e8803e3181f1

Download Submit
memory/444-166-0x0000000000A10000-0x0000000000A11000-memory.dmp

Filesize
4KB

Download
memory/444-163-0x0000000002640000-0x0000000002641000-memory.dmp

Filesize
4KB

Download
memory/444-182-0x0000000002640000-0x0000000002641000-memory.dmp

Filesize
4KB

Download
memory/444-180-0x0000000000400000-0x0000000000951000-memory.dmp

Filesize
5.3MB

Download
memory/444-157-0x0000000000B00000-0x0000000000B01000-memory.dmp

Filesize
4KB

Download
memory/444-161-0x0000000000B10000-0x0000000000B11000-memory.dmp

Filesize
4KB

Download
memory/444-165-0x00000000009F0000-0x00000000009F1000-memory.dmp

Filesize
4KB

Download
memory/1424-137-0x0000000001370000-0x0000000001371000-memory.dmp

Filesize
4KB

Download
memory/1424-151-0x0000000000BF0000-0x0000000000BF1000-memory.dmp

Filesize
4KB

Download
memory/1424-138-0x0000000001510000-0x0000000001511000-memory.dmp

Filesize
4KB

Download
memory/1424-196-0x0000000000400000-0x0000000000A5B000-memory.dmp

Filesize
6.4MB

Download
memory/1424-191-0x0000000000400000-0x0000000000A5B000-memory.dmp

Filesize
6.4MB

Download
memory/1424-179-0x0000000000400000-0x0000000000A5B000-memory.dmp

Filesize
6.4MB

Download
memory/1424-134-0x0000000001360000-0x0000000001361000-memory.dmp

Filesize
4KB

Download
memory/1424-188-0x0000000000400000-0x0000000000A5B000-memory.dmp

Filesize
6.4MB

Download
memory/1424-136-0x00000000736A0000-0x00000000736A7000-memory.dmp

Filesize
28KB

Download
memory/1424-168-0x0000000001510000-0x0000000001511000-memory.dmp

Filesize
4KB

Download
memory/1856-160-0x00000000736A0000-0x00000000736A7000-memory.dmp

Filesize
28KB

Download
memory/1856-158-0x0000000000400000-0x0000000000A5B000-memory.dmp

Filesize
6.4MB

Download
memory/1856-135-0x0000000000BD0000-0x0000000000BD1000-memory.dmp

Filesize
4KB

Download
memory/1856-132-0x0000000002720000-0x0000000002721000-memory.dmp

Filesize
4KB

Download
memory/1856-129-0x00000000026A0000-0x00000000026A1000-memory.dmp

Filesize
4KB

Download
memory/1856-130-0x00000000026B0000-0x00000000026B1000-memory.dmp

Filesize
4KB

Download
memory/2144-190-0x0000000000400000-0x0000000000951000-memory.dmp

Filesize
5.3MB

Download
memory/2144-198-0x0000000000400000-0x0000000000951000-memory.dmp

Filesize
5.3MB

Download
memory/2144-170-0x0000000000AA0000-0x0000000000AA1000-memory.dmp

Filesize
4KB

Download
memory/2144-183-0x0000000000BB0000-0x0000000000BB1000-memory.dmp

Filesize
4KB

Download
memory/2144-159-0x0000000000AB0000-0x0000000000AB1000-memory.dmp

Filesize
4KB

Download
memory/2144-162-0x0000000000AC0000-0x0000000000AC1000-memory.dmp

Filesize
4KB

Download
memory/2144-156-0x00000000736A0000-0x00000000736A7000-memory.dmp

Filesize
28KB

Download
memory/2144-164-0x0000000000BB0000-0x0000000000BB1000-memory.dmp

Filesize
4KB

Download
memory/2144-186-0x0000000000400000-0x0000000000951000-memory.dmp

Filesize
5.3MB

Download
memory/2144-171-0x0000000000A80000-0x0000000000A81000-memory.dmp

Filesize
4KB

Download
memory/2144-181-0x0000000000400000-0x0000000000951000-memory.dmp

Filesize
5.3MB

Download
memory/3568-112-0x0000000000C10000-0x0000000000C11000-memory.dmp

Filesize
4KB

Download
memory/3568-110-0x00000000736A0000-0x00000000736A7000-memory.dmp

Filesize
28KB

Download
memory/3568-116-0x00000000736A0000-0x00000000736A7000-memory.dmp

Filesize
28KB

Download
memory/3568-115-0x0000000000400000-0x0000000000A5B000-memory.dmp

Filesize
6.4MB

Download
memory/3568-114-0x0000000000BC0000-0x0000000000BC1000-memory.dmp

Filesize
4KB

Download
memory/3568-113-0x0000000000C80000-0x0000000000C81000-memory.dmp

Filesize
4KB

Download
memory/3568-111-0x0000000000C00000-0x0000000000C01000-memory.dmp

Filesize
4KB

Download
memory/4468-177-0x0000000002AD0000-0x0000000002AD1000-memory.dmp

Filesize
4KB

Download
memory/4468-178-0x0000000000400000-0x0000000000951000-memory.dmp

Filesize
5.3MB

Download
memory/4468-176-0x0000000000A00000-0x0000000000A01000-memory.dmp

Filesize
4KB

Download
memory/4468-175-0x00000000009F0000-0x00000000009F1000-memory.dmp

Filesize
4KB

Download
memory/4468-174-0x00000000736A0000-0x00000000736A7000-memory.dmp

Filesize
28KB

Download
memory/4856-104-0x0000000000C50000-0x0000000000C51000-memory.dmp

Filesize
4KB

Download
memory/4856-105-0x00000000028C0000-0x00000000028C1000-memory.dmp

Filesize
4KB

Download
memory/4856-106-0x0000000000C10000-0x0000000000C11000-memory.dmp

Filesize
4KB

Download
memory/4856-107-0x0000000000400000-0x0000000000A5B000-memory.dmp

Filesize
6.4MB

Download
memory/4856-103-0x0000000000C40000-0x0000000000C41000-memory.dmp

Filesize
4KB

Download
memory/4856-102-0x0000000073B00000-0x0000000073B07000-memory.dmp

Filesize
28KB

Download