rms | 10165e27e0db0a6708f346ddea657ab0409499f93eb8426a80864a966f0f401e

Analysis

max time kernel
149s
max time network
145s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
01-03-2024 07:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

8.3MB
MD5

cb2ffac2a251378cda3f91cd613f453d
SHA1

3a028761638f5aa93b0719c5650c83a138e8abc9
SHA256

10165e27e0db0a6708f346ddea657ab0409499f93eb8426a80864a966f0f401e
SHA512

1d203540fde5074f0d57e1ecbd9af2ee862b940f8fb58c3e55ad9db5ba029aff82a4468eee24c760b5e55cc96e61244af0fd6f3c46db857824e13e45ec1e802f
SSDEEP

196608:P4Z1cDw8TWMpWRGAk7R85du3dWbpkPbVAp2FG0c+imht+:PE1CE3k7R5NWqu0cU+

Score

10^/10

rms discovery rat trojan

Malware Config

Signatures

RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms

Executes dropped EXE 8 IoCs

pid	Process
2500	installer.exe
1936	rutserv.exe
1600	rutserv.exe
1916	rutserv.exe
2984	rutserv.exe
1084	rfusclient.exe
1864	rfusclient.exe
1752	rfusclient.exe

Loads dropped DLL 4 IoCs

pid	Process
2744	tmp.exe
580	MsiExec.exe
2984	rutserv.exe
2984	rutserv.exe

Blocklisted process makes network request 4 IoCs

flow	pid	Process
3	2628	msiexec.exe
5	2628	msiexec.exe
7	2628	msiexec.exe
9	2628	msiexec.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe

Drops file in Program Files directory 53 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rmsui2.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\uninstall.cmd	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rms.lng	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\install.cmd	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\webmvorbisencoder.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\install.cmd	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\RIPCServer.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rmsui2.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\VPDAgent.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unidrv_rms.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rmsui.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rms.gpd	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\unidrv_rms.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rms.lng	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\vp8decoder.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rmsui.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unires_vpd.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Russian.lg	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\SampleClient.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\setupdrv.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\ntprint.inf	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\RWLN.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\srvinst.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rmspm.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\EULA.rtf	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unidrv_rms.hlp	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\fwproc.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unidrvui_rms.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\English.lg	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\progress.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rms_s.lng	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\webmmux.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rms.gpd	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\unidrv_rms.hlp	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\srvinst_x64.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\ntprint.inf	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\fwproc.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\vp8encoder.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rms_s.lng	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rmspm.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\stdnames_vpd.gpd	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\webmvorbisdecoder.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\setupdrv.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\progress.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rms.ini	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\unires_vpd.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\uninstall.cmd	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rms.ini	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\VPDAgent_x64.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\unidrvui_rms.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\stdnames_vpd.gpd	msiexec.exe

Drops file in Windows directory 18 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\server_config_C8E9A92497A149D695F92E4E3AE550F0.exe	msiexec.exe
File created	C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\server_start_C00864331B9D4391A8A26292A601EBE2.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\server_start_C00864331B9D4391A8A26292A601EBE2.exe	msiexec.exe
File created	C:\Windows\Installer\f767f2e.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f767f2e.msi	msiexec.exe
File created	C:\Windows\Installer\f767f33.msi	msiexec.exe
File created	C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\server_stop_27D7873393984316BEA10FB36BB4D2F9.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\f767f31.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8A60.tmp	msiexec.exe
File created	C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\ARPPRODUCTICON.exe	msiexec.exe
File created	C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\UNINST_Uninstall_R_3B1E3C8B7D0945898DA82CEEED02F0C7.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\UNINST_Uninstall_R_3B1E3C8B7D0945898DA82CEEED02F0C7.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI856F.tmp	msiexec.exe
File created	C:\Windows\Installer\f767f31.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\ARPPRODUCTICON.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\server_stop_27D7873393984316BEA10FB36BB4D2F9.exe	msiexec.exe
File created	C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\server_config_C8E9A92497A149D695F92E4E3AE550F0.exe	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2E	msiexec.exe

Modifies registry class 24 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\SourceList\Media\DiskPrompt = "[1]"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\Language = "1049"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\AdvertiseFlags = "388"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\InstanceType = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\509B38EF4554FFD4794F292971C81B17	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\SourceList	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\SourceList\Net	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\SourceList\Media	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\36341E9D66DFD914D99C6C421757C5F9	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\Assignment = "1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\ProductIcon = "C:\\Windows\\Installer\\{D9E14363-FD66-419D-9DC9-C62471755C9F}\\ARPPRODUCTICON.exe"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\DeploymentFlags = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\509B38EF4554FFD4794F292971C81B17\36341E9D66DFD914D99C6C421757C5F9	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\SourceList\PackageName = "rms.host6.3.4ru_mod_mod.msi"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\ProductName = "Remote Manipulator System - Host"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\PackageCode = "EE22CCA5812A64F4CB23B29D2A4A798E"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\SourceList\Media\1 = "DISK1;1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\7ZipSfx.000\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\36341E9D66DFD914D99C6C421757C5F9\RMS	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\Version = "115998720"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\AuthorizedLUAApp = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\7ZipSfx.000\\"	msiexec.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

pid	Process
2500	installer.exe
2500	installer.exe
2500	installer.exe
2500	installer.exe
2500	installer.exe
2500	installer.exe
2628	msiexec.exe
2628	msiexec.exe
1936	rutserv.exe
1936	rutserv.exe
1936	rutserv.exe
1936	rutserv.exe
1600	rutserv.exe
1600	rutserv.exe
1916	rutserv.exe
1916	rutserv.exe
2984	rutserv.exe
2984	rutserv.exe
2984	rutserv.exe
2984	rutserv.exe
1864	rfusclient.exe

Suspicious behavior: SetClipboardViewer 1 IoCs

pid	Process
1752	rfusclient.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2632	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2632	msiexec.exe
Token: SeRestorePrivilege	2628	msiexec.exe
Token: SeTakeOwnershipPrivilege	2628	msiexec.exe
Token: SeSecurityPrivilege	2628	msiexec.exe
Token: SeCreateTokenPrivilege	2632	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2632	msiexec.exe
Token: SeLockMemoryPrivilege	2632	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2632	msiexec.exe
Token: SeMachineAccountPrivilege	2632	msiexec.exe
Token: SeTcbPrivilege	2632	msiexec.exe
Token: SeSecurityPrivilege	2632	msiexec.exe
Token: SeTakeOwnershipPrivilege	2632	msiexec.exe
Token: SeLoadDriverPrivilege	2632	msiexec.exe
Token: SeSystemProfilePrivilege	2632	msiexec.exe
Token: SeSystemtimePrivilege	2632	msiexec.exe
Token: SeProfSingleProcessPrivilege	2632	msiexec.exe
Token: SeIncBasePriorityPrivilege	2632	msiexec.exe
Token: SeCreatePagefilePrivilege	2632	msiexec.exe
Token: SeCreatePermanentPrivilege	2632	msiexec.exe
Token: SeBackupPrivilege	2632	msiexec.exe
Token: SeRestorePrivilege	2632	msiexec.exe
Token: SeShutdownPrivilege	2632	msiexec.exe
Token: SeDebugPrivilege	2632	msiexec.exe
Token: SeAuditPrivilege	2632	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2632	msiexec.exe
Token: SeChangeNotifyPrivilege	2632	msiexec.exe
Token: SeRemoteShutdownPrivilege	2632	msiexec.exe
Token: SeUndockPrivilege	2632	msiexec.exe
Token: SeSyncAgentPrivilege	2632	msiexec.exe
Token: SeEnableDelegationPrivilege	2632	msiexec.exe
Token: SeManageVolumePrivilege	2632	msiexec.exe
Token: SeImpersonatePrivilege	2632	msiexec.exe
Token: SeCreateGlobalPrivilege	2632	msiexec.exe
Token: SeRestorePrivilege	2628	msiexec.exe
Token: SeTakeOwnershipPrivilege	2628	msiexec.exe
Token: SeRestorePrivilege	2628	msiexec.exe
Token: SeTakeOwnershipPrivilege	2628	msiexec.exe
Token: SeRestorePrivilege	2628	msiexec.exe
Token: SeTakeOwnershipPrivilege	2628	msiexec.exe
Token: SeRestorePrivilege	2628	msiexec.exe
Token: SeTakeOwnershipPrivilege	2628	msiexec.exe
Token: SeRestorePrivilege	2628	msiexec.exe
Token: SeTakeOwnershipPrivilege	2628	msiexec.exe
Token: SeRestorePrivilege	2628	msiexec.exe
Token: SeTakeOwnershipPrivilege	2628	msiexec.exe
Token: SeRestorePrivilege	2628	msiexec.exe
Token: SeTakeOwnershipPrivilege	2628	msiexec.exe
Token: SeRestorePrivilege	2628	msiexec.exe
Token: SeTakeOwnershipPrivilege	2628	msiexec.exe
Token: SeRestorePrivilege	2628	msiexec.exe
Token: SeTakeOwnershipPrivilege	2628	msiexec.exe
Token: SeRestorePrivilege	2628	msiexec.exe
Token: SeTakeOwnershipPrivilege	2628	msiexec.exe
Token: SeRestorePrivilege	2628	msiexec.exe
Token: SeTakeOwnershipPrivilege	2628	msiexec.exe
Token: SeRestorePrivilege	2628	msiexec.exe
Token: SeTakeOwnershipPrivilege	2628	msiexec.exe
Token: SeRestorePrivilege	2628	msiexec.exe
Token: SeTakeOwnershipPrivilege	2628	msiexec.exe
Token: SeRestorePrivilege	2628	msiexec.exe
Token: SeTakeOwnershipPrivilege	2628	msiexec.exe
Token: SeRestorePrivilege	2628	msiexec.exe
Token: SeTakeOwnershipPrivilege	2628	msiexec.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2500	installer.exe
1936	rutserv.exe
1600	rutserv.exe
1916	rutserv.exe
2984	rutserv.exe

Suspicious use of WriteProcessMemory 49 IoCs

description	pid	Process	procid_target
PID 2744 wrote to memory of 2500	2744	tmp.exe	28
PID 2744 wrote to memory of 2500	2744	tmp.exe	28
PID 2744 wrote to memory of 2500	2744	tmp.exe	28
PID 2744 wrote to memory of 2500	2744	tmp.exe	28
PID 2744 wrote to memory of 2500	2744	tmp.exe	28
PID 2744 wrote to memory of 2500	2744	tmp.exe	28
PID 2744 wrote to memory of 2500	2744	tmp.exe	28
PID 2500 wrote to memory of 2632	2500	installer.exe	29
PID 2500 wrote to memory of 2632	2500	installer.exe	29
PID 2500 wrote to memory of 2632	2500	installer.exe	29
PID 2500 wrote to memory of 2632	2500	installer.exe	29
PID 2500 wrote to memory of 2632	2500	installer.exe	29
PID 2500 wrote to memory of 2632	2500	installer.exe	29
PID 2500 wrote to memory of 2632	2500	installer.exe	29
PID 2628 wrote to memory of 580	2628	msiexec.exe	31
PID 2628 wrote to memory of 580	2628	msiexec.exe	31
PID 2628 wrote to memory of 580	2628	msiexec.exe	31
PID 2628 wrote to memory of 580	2628	msiexec.exe	31
PID 2628 wrote to memory of 580	2628	msiexec.exe	31
PID 2628 wrote to memory of 580	2628	msiexec.exe	31
PID 2628 wrote to memory of 580	2628	msiexec.exe	31
PID 2628 wrote to memory of 1936	2628	msiexec.exe	32
PID 2628 wrote to memory of 1936	2628	msiexec.exe	32
PID 2628 wrote to memory of 1936	2628	msiexec.exe	32
PID 2628 wrote to memory of 1936	2628	msiexec.exe	32
PID 2628 wrote to memory of 1600	2628	msiexec.exe	33
PID 2628 wrote to memory of 1600	2628	msiexec.exe	33
PID 2628 wrote to memory of 1600	2628	msiexec.exe	33
PID 2628 wrote to memory of 1600	2628	msiexec.exe	33
PID 2628 wrote to memory of 1916	2628	msiexec.exe	34
PID 2628 wrote to memory of 1916	2628	msiexec.exe	34
PID 2628 wrote to memory of 1916	2628	msiexec.exe	34
PID 2628 wrote to memory of 1916	2628	msiexec.exe	34
PID 2500 wrote to memory of 1496	2500	installer.exe	35
PID 2500 wrote to memory of 1496	2500	installer.exe	35
PID 2500 wrote to memory of 1496	2500	installer.exe	35
PID 2500 wrote to memory of 1496	2500	installer.exe	35
PID 2984 wrote to memory of 1084	2984	rutserv.exe	38
PID 2984 wrote to memory of 1084	2984	rutserv.exe	38
PID 2984 wrote to memory of 1084	2984	rutserv.exe	38
PID 2984 wrote to memory of 1084	2984	rutserv.exe	38
PID 2984 wrote to memory of 1864	2984	rutserv.exe	39
PID 2984 wrote to memory of 1864	2984	rutserv.exe	39
PID 2984 wrote to memory of 1864	2984	rutserv.exe	39
PID 2984 wrote to memory of 1864	2984	rutserv.exe	39
PID 1864 wrote to memory of 1752	1864	rfusclient.exe	40
PID 1864 wrote to memory of 1752	1864	rfusclient.exe	40
PID 1864 wrote to memory of 1752	1864	rfusclient.exe	40
PID 1864 wrote to memory of 1752	1864	rfusclient.exe	40

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2744
- C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer.exe
  "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer.exe" /rsetup
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2500
- - C:\Windows\SysWOW64\msiexec.exe
    "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rms.host6.3.4ru_mod_mod.msi" /qn
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2632
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\killself.bat
    3⤵
    PID:1496

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2628
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding B60351DEA4D0B1960353DCDC8105C6C1
  2⤵
  - Loads dropped DLL
  PID:580
- C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
  "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" /silentinstall
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1936
- C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
  "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" /firewall
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1600
- C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
  "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" /start
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1916

C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
"C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2984
- C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe
  "C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe" /tray
  2⤵
  - Executes dropped EXE
  PID:1084
- C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe
  "C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1864
- - C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe
    "C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe" /tray
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: SetClipboardViewer
    PID:1752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f767f32.rbs

Filesize
19KB

MD5
bc644b2edb899f2189e622f573e8d342

SHA1
01543166d5b33d2005c9174168b1b92fc91412c9

SHA256
542ddb427ce48af7907beea48acd1d78f926a396cd55ff225956dc5345410e6c

SHA512
23d5e7165c8384281918d4912b2a2477761f62883c812bca5e1015e20766f677d89058e0c67e8f7b15b4d01b09ef8e50486b9fd23c898a0a3e00f3fe6c5c487a

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\English.lg

Filesize
43KB

MD5
bc25377ade68750b834c81fa71c233b8

SHA1
84dbb465dd2125f47668e2508e18af9bd6db2fd8

SHA256
9a48a7ea7ba2c2f33280d1e1722ebbc59bf81bc6c5a1f97edca53ea641ffd8e3

SHA512
205ab195339d7108adbe6dfabd48e4e21c5956ded587d7213a44618f0d34a43f7b8abaa7765b9d31695efacfc44beeb69fbaa3cb27c141b6a653713fdf5ebce5

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\RIPCServer.dll

Filesize
144KB

MD5
2ddfa39f5c2fd3f00681ef2970617e4b

SHA1
8152aa18afbacf398b92168995ec8696d3fe3659

SHA256
f938bdc741ef1d2738b532aef001a160e3a3627ed8a27158b7017ee49fc65791

SHA512
f89f0f02cda650c138e4ebaef198f0762dfd571ef7d46a6b3710cd93d76bc52a79055c55afca46128a9a84a795a5cb946ca93c492e07cfb503c9b27d96211e20

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\RWLN.dll

Filesize
192KB

MD5
d20aa506da915153d3f973b049343d75

SHA1
af2b4f15a6b67cdee6510324746d56adf8b6a180

SHA256
fc987471357098da07b13362bd6d1aaf1571b3c98e777d3cc711dee94f4cfced

SHA512
c4686d49ee08cce8256506a295220c61c01f0e08dfab4c8e0f0deb149e936db7ad60ad22f08b2d7c1d92436901b9ce06710154ac618ef2a4ec32776037d89a16

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\Russian.lg

Filesize
48KB

MD5
e44e34bc285b709f08f967325d9c8be1

SHA1
e73f05c6a980ec9d006930c5343955f89579b409

SHA256
1d99a7b5f7b3daa61fa773972b1e335aa09b92411484f6ddc99d2b2894455a5b

SHA512
576b292b6e9cf022822443e050994462a6cbd9a3c60063bae9f54c78a84e75e17bb5eddf7e259a22a9d93f757cb6536c503762e2a30e75091e40c2756cde8727

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe

Filesize
333KB

MD5
760aa533e3a38a919efc5aa68bb21135

SHA1
d93942006b6742308026ebc1c23ee605dd749f53

SHA256
4c3979dee8e60e73a2be6fbce1acd374bd94a3101320cc572848f9c863fa2dc5

SHA512
8265564114705189baee7c9ff97ed58d9f59dbedad6d04b9c3967888158487195790513d7782deadf97f17da59e22583ea66ee63d0096486e85e604f4e8ec8af

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe

Filesize
832KB

MD5
ed77c345bd53d26de565c3ca4b2ed6ce

SHA1
29f5d7183ecb823a0b19678bd8c50d15f632940a

SHA256
ae7e58e1fef06983519f11277b170bf33a274111f15d193176ac4dde12ad25d6

SHA512
52360734db9ce5a7799bb9ebf69bf4db55e0753815027ac9ecd14952147d2e5740e392c8262eca2b6ea2367b86e04965a61a2c58225925305ce47fbc8090fded

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe

Filesize
576KB

MD5
d909d491341e98f7ce778218e4f54a42

SHA1
2bc2c5b2d05779c1de7f1fe4a459ab2389bcfd26

SHA256
d6f3261a1a7bbd6bde25d85e58756c9848141990c6aef671b498dd7437e83d77

SHA512
222134b1213328bfc404ae6be6083b6cf44b6f171def7140f9be63453f69d55bf37666397398e9d64910ea74173759234e7794994b8a6b4f2e1be94bd22a4d30

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe

Filesize
1.4MB

MD5
2b8d326820e7b6928c5f69f4c716b8d5

SHA1
6b0e906799126564bfb60f892d60a38347e5de1a

SHA256
21ba1108867901babcee7a0d87a5a32f52d2b61a6ed4edd6c1ffe1ce9b72674b

SHA512
e71a8ca0dc8060bd70a2c793fb8536a3f0d61d63fad1871a48efdfcfec695297ffc52616dbdecfe4ee85fe082ac7743b9dda4e1be824c9aeeaf5ed64b20206c6

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe

Filesize
811KB

MD5
f178d8bfe636992abec6f5e3bf364568

SHA1
892734f688c27666936e7dad90fae9ea782c112b

SHA256
c74b5dab9d3c4f78f0e0349c5001fdcdfbb50fbd41635b2b14bd3fcfe5df8e1d

SHA512
a59c0c876445cba5ad49b9850a1f8b785af879954ad27874d6de0c64a7cac1a4c4af2671c47bf893707ffaadeccb8b72f5e0b490eeff53207be8f8b469ccb481

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe

Filesize
1.4MB

MD5
92cc0f07c6d905a15d3f9bc5d73f8b74

SHA1
cf3b87a904c3b6c1568182bf69a3406fd0468f83

SHA256
3d649033bd3307eb9486cfb92d07e335919db13c1af8a493422f72dbf163c88b

SHA512
2a5212cffa9b916cc60c9f2dd12c416fb01f0cea9d05a64979cf8f0c7efbff8d362170a09d6eb21c343c8b18662af61a995461ac3cb861377393f9f40c8dfd95

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\vp8decoder.dll

Filesize
64KB

MD5
4be25328ec62936bce72b113b58b8339

SHA1
c4262e09c527df24169226d238711225e1927b4a

SHA256
2b9664b6f7f46b1b1b536aafdf62f137836b3147836d8bc0ae7cdb752421e530

SHA512
1217374711b13593a97ae0d2816c8b65ce4697627a2885b432329865117932de32a0bd8d96f6ab18571d53a01f28a877ef4ea39db86c6d36e5ce5a239e5a25cf

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\vp8encoder.dll

Filesize
92KB

MD5
e029e7d62e2dbca3c3b19743a0ad7805

SHA1
3c87c7c7179ef0af9c0379a8dd8e7a456cd8cb30

SHA256
6a9e9dc600a861b97c9fccec99d731263574485aa347765dcc012dc659cbee44

SHA512
249b08c04c45d6fe8bdada520814f15d822381c96a1be39d766948c4a629b0f2641c4bda16f0cd84eb28361c0b161a84963a5d5c2b8ab8665412ea9f9f69046f

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\webmmux.dll

Filesize
68KB

MD5
c20f417b50ed36960808cd47eaf17f33

SHA1
f0ff7f1f98600595e83ff4695218b538b0a9ed3b

SHA256
cac05bfd43e9c50d26d5137aa8dd59fbd32c5702e874360d3d7efe640bd38519

SHA512
b20fdd952522f9cca2d51c54e719b027081c98bee66d52bd23584224ee1b29fd702a7702af06e2247f56f025785d8e1dd943dc5673daefa0050426de092ad4bd

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\webmvorbisdecoder.dll

Filesize
8KB

MD5
036c31c2d71b37353b8497ca59037c34

SHA1
7da85ec4ba00bf5d1c07273a015d96909a7b7573

SHA256
f7ebcb0bd054314b9e58b399716cb8851d418b9580931fe45586166aef866011

SHA512
0b9f2db7b6078af3c5db9dbf24aece946962bdc7c39484c81da0e8387d9ab8c87ddc27576e354eafd44d8bab211fc47c5168881ca629df318ab61438e2bf3a9e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
67KB

MD5
753df6889fd7410a2e9fe333da83a429

SHA1
3c425f16e8267186061dd48ac1c77c122962456e

SHA256
b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78

SHA512
9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer.exe

Filesize
3.2MB

MD5
18f884ac8d15be8adcf2580c10e2be48

SHA1
843c51588ec90853ded16c31a1eb22657bb5f73b

SHA256
0c98c531ac3598264aeb33f2c4712800e70157fe022a2af988f5d6211fc9210d

SHA512
03934235803c222474a4dc60d574dce2c815d52db015f666c8a87ba5cd498de07739000e148779340ab56c20816c83ac1c487b77ccb8edae805018eb21d5674f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer.exe

Filesize
768KB

MD5
aba9fa8af95338311b9f220ef9737c2d

SHA1
c7feaa87de24db8499f19b05183a9fb96f51ab67

SHA256
c34e95e5bd7955f6a8a05375c26655242369296cad7446de90bede3c5e1f4a39

SHA512
78af9f326cb82cdd062ede2b5f02b01888c7bff7e5ca04bc8d2037ed4eb38dac5ddba94aa3f0722f60d8739cbe4dfa9b3c9afab2e70de11916d7777812f65a4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer.exe

Filesize
960KB

MD5
caaf318b5e18472de25ee2b380a0d4fe

SHA1
7bd7e830fc99852826e43d4ce129586bfb922b0b

SHA256
a7146abe377d7f324609bdd815b6ab3b1ed74dd4642d8911a25ec5c9965e58cf

SHA512
dc06dcc79970546e8849637acf8115df438571e08897b3a29f57538965ce867e6b0530bfc1279869dfb61ee967f06b3812996acbfd098d6124bec9906924f99f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rms.host6.3.4ru_mod_mod.msi

Filesize
2.2MB

MD5
2924b61c23496b7a99f270eae06b218d

SHA1
b5c4e21caa51f60072eff59ebfa9ed0646f9f4e5

SHA256
8059b011f6cb0ee8be09d923cf31cb1daebcf8bed9014eeafff4c7e23536b324

SHA512
103bdfa297612bd382158a6b3968abe0f8ed0893342ba257b771ecacb39ecfb79d21acf584f4cd2f8ac26f2efb5d67a7016bd4cabf0f6147d2ec3bbb1b7ad3f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar8196.tmp

Filesize
83KB

MD5
99b21caed110a826673e17a0e835e0f6

SHA1
6c3728713ab03cd9efce17ae4a92a07f1c58802a

SHA256
d4f113e4c74688bd9e64c8c857c5af84c517ead28265dd5a9e8ac5da786e2baf

SHA512
c561c7723f7d684bb0697acd57164ab9f2640a9f44ee57391a8fb37d100b310fe76cc29bf4ec7f69799ee8e22d034a94085a9ecd471f60c381bef5b7758c23c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\killself.bat

Filesize
417B

MD5
2fe7ba7d9103012d8593f220508eaf6a

SHA1
fce4c84da7d0d97b46d494b15acbcd992b04f06a

SHA256
874044e21f5b7c8a7a2286f1a5c61693515153e73c019451f32a0df1bb910708

SHA512
9fb05799d464f26097c84d4b6dbb18de6de360f62a4373849fc6c7bc7348dc0738f702bcd3dbfa3bde4e1cb9275898ee33eb03706d419d2029a4a8fd3f983678

Download Submit
C:\Windows\Installer\f767f2e.msi

Filesize
1.9MB

MD5
19e97173890997740316179bf56c80b8

SHA1
2f28c5974ee35ca308f54a1ab2ddd714aa970c48

SHA256
4e849f8e35e5b74a819952d372859f35ca2bd8e01eb81575d7b933ff66570542

SHA512
5e44668b91f169bef0ff9bac5905fe4afef55d0b8023f7c9608e6909d44f8fa558cfd722c36879f1c51562d5897e3ad00c86101a24205802d3f4016dff513e7d

Download Submit
C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\server_start_C00864331B9D4391A8A26292A601EBE2.exe

Filesize
96KB

MD5
9e2c097647125ee25068784acb01d7d3

SHA1
1a90c40c7f89eec18f47f0dae3f1d5cd3a3d49b5

SHA256
b4614281771ed482970fd0d091604b3a65c7e048f7d7fa8794abd0a0c638f5d2

SHA512
e2f334f31361ea1ffc206184808cb51002486fe583dc23b4f617bead0e3940fdc97b72cda2a971e2cf00462940b31e065228f643835d156e7166e8803e3181f1

Download Submit
\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer.exe

Filesize
640KB

MD5
81e79676aa9bbc3d29989e2e5f992b50

SHA1
5197205cda72d3444031181ac7edc7738e964b79

SHA256
cc69fb6e13d6c3443660a9892b0775c8cb05121d947868d9e6374f66eded2ecc

SHA512
c71b95b04fe692209f438e5b632543c333d167016ae06c59a32538ddf0445309fad2d5a0b3c52947ae42a5959f742830585ab8eefe6c0e5508510e37c1510655

Download Submit
\Windows\Installer\MSI856F.tmp

Filesize
125KB

MD5
b0bcc622f1fff0eec99e487fa1a4ddd9

SHA1
49aa392454bd5869fa23794196aedc38e8eea6f5

SHA256
b32687eaaad888410718875dcbff9f6a552e29c4d76af33e06e59859e1054081

SHA512
1572c1d07df2e9262d05a915d69ec4ebeb92eab50b89ce27dd290fb5a8e1de2c97d9320a3bb006834c98b3f6afcd7d2c29f039d9ca9afaa09c714406dedbc3c7

Download Submit
memory/1084-199-0x0000000000400000-0x00000000009A8000-memory.dmp

Filesize
5.7MB

Download
memory/1084-224-0x0000000000400000-0x00000000009A8000-memory.dmp

Filesize
5.7MB

Download
memory/1084-216-0x0000000000400000-0x00000000009A8000-memory.dmp

Filesize
5.7MB

Download
memory/1084-209-0x0000000000400000-0x00000000009A8000-memory.dmp

Filesize
5.7MB

Download
memory/1084-205-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1084-190-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1084-203-0x0000000000400000-0x00000000009A8000-memory.dmp

Filesize
5.7MB

Download
memory/1600-151-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/1600-150-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1752-197-0x0000000000400000-0x00000000009A8000-memory.dmp

Filesize
5.7MB

Download
memory/1752-196-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1864-191-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1864-200-0x0000000000400000-0x00000000009A8000-memory.dmp

Filesize
5.7MB

Download
memory/1864-207-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1916-163-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1916-189-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/1936-146-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1936-148-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/2500-9-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/2500-171-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/2984-198-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/2984-208-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/2984-202-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/2984-211-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/2984-215-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/2984-201-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2984-219-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/2984-223-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/2984-174-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2984-230-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/2984-237-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/2984-244-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download