rms | 10165e27e0db0a6708f346ddea657ab0409499f93eb8426a80864a966f0f401e

Analysis

max time kernel
148s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
01-03-2024 07:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

8.3MB
MD5

cb2ffac2a251378cda3f91cd613f453d
SHA1

3a028761638f5aa93b0719c5650c83a138e8abc9
SHA256

10165e27e0db0a6708f346ddea657ab0409499f93eb8426a80864a966f0f401e
SHA512

1d203540fde5074f0d57e1ecbd9af2ee862b940f8fb58c3e55ad9db5ba029aff82a4468eee24c760b5e55cc96e61244af0fd6f3c46db857824e13e45ec1e802f
SSDEEP

196608:P4Z1cDw8TWMpWRGAk7R85du3dWbpkPbVAp2FG0c+imht+:PE1CE3k7R5NWqu0cU+

Score

10^/10

rms discovery rat trojan

Malware Config

Signatures

RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	tmp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	installer.exe

Executes dropped EXE 8 IoCs

pid	Process
1664	installer.exe
3940	rutserv.exe
5032	rutserv.exe
2380	rutserv.exe
3932	rutserv.exe
2820	rfusclient.exe
3864	rfusclient.exe
2176	rfusclient.exe

Loads dropped DLL 1 IoCs

pid	Process
1828	MsiExec.exe

Blocklisted process makes network request 3 IoCs

flow	pid	Process
30	3132	msiexec.exe
32	3132	msiexec.exe
34	3132	msiexec.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe

Drops file in Program Files directory 53 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\VPDAgent.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\fwproc.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\srvinst_x64.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\ntprint.inf	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unidrvui_rms.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rms.lng	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\ntprint.inf	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\uninstall.cmd	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\RIPCServer.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\progress.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\unidrvui_rms.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rmsui2.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\webmmux.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\install.cmd	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unires_vpd.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rmspm.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\install.cmd	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\unidrv_rms.hlp	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rmsui2.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\stdnames_vpd.gpd	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\srvinst.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rmsui.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\vp8decoder.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rms.ini	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rms_s.lng	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rmsui.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\uninstall.cmd	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rms.gpd	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\setupdrv.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\SampleClient.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\stdnames_vpd.gpd	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rms.gpd	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rms.ini	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\unidrv_rms.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\webmvorbisdecoder.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\RWLN.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\EULA.rtf	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\fwproc.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\webmvorbisencoder.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\progress.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rms_s.lng	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unidrv_rms.hlp	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\English.lg	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rmspm.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rms.lng	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\vp8encoder.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\VPDAgent_x64.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unidrv_rms.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Russian.lg	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\setupdrv.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\unires_vpd.dll	msiexec.exe

Drops file in Windows directory 19 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\ARPPRODUCTICON.exe	msiexec.exe
File created	C:\Windows\Installer\e580e43.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\e580e47.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI16FE.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\server_config_C8E9A92497A149D695F92E4E3AE550F0.exe	msiexec.exe
File created	C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\server_start_C00864331B9D4391A8A26292A601EBE2.exe	msiexec.exe
File created	C:\Windows\Installer\SourceHash{D9E14363-FD66-419D-9DC9-C62471755C9F}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI19ED.tmp	msiexec.exe
File created	C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\ARPPRODUCTICON.exe	msiexec.exe
File created	C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\server_stop_27D7873393984316BEA10FB36BB4D2F9.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\server_config_C8E9A92497A149D695F92E4E3AE550F0.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\server_start_C00864331B9D4391A8A26292A601EBE2.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\e580e43.msi	msiexec.exe
File created	C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\UNINST_Uninstall_R_3B1E3C8B7D0945898DA82CEEED02F0C7.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\UNINST_Uninstall_R_3B1E3C8B7D0945898DA82CEEED02F0C7.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\server_stop_27D7873393984316BEA10FB36BB4D2F9.exe	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\23	msiexec.exe

Modifies registry class 24 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\InstanceType = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\AuthorizedLUAApp = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\DeploymentFlags = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\SourceList\PackageName = "rms.host6.3.4ru_mod_mod.msi"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\ProductIcon = "C:\\Windows\\Installer\\{D9E14363-FD66-419D-9DC9-C62471755C9F}\\ARPPRODUCTICON.exe"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\509B38EF4554FFD4794F292971C81B17	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\SourceList	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\SourceList\Net	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\36341E9D66DFD914D99C6C421757C5F9	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\PackageCode = "EE22CCA5812A64F4CB23B29D2A4A798E"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\Version = "115998720"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\AdvertiseFlags = "388"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\7ZipSfx.000\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\SourceList\Media\DiskPrompt = "[1]"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\7ZipSfx.000\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\SourceList\Media\1 = "DISK1;1"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\ProductName = "Remote Manipulator System - Host"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\Language = "1049"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\Assignment = "1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\36341E9D66DFD914D99C6C421757C5F9\RMS	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\509B38EF4554FFD4794F292971C81B17\36341E9D66DFD914D99C6C421757C5F9	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\SourceList\Media	msiexec.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

pid	Process
1664	installer.exe
1664	installer.exe
1664	installer.exe
1664	installer.exe
1664	installer.exe
1664	installer.exe
1664	installer.exe
1664	installer.exe
1664	installer.exe
1664	installer.exe
3132	msiexec.exe
3132	msiexec.exe
3940	rutserv.exe
3940	rutserv.exe
3940	rutserv.exe
3940	rutserv.exe
3940	rutserv.exe
3940	rutserv.exe
5032	rutserv.exe
5032	rutserv.exe
2380	rutserv.exe
2380	rutserv.exe
3932	rutserv.exe
3932	rutserv.exe
3932	rutserv.exe
3932	rutserv.exe
3932	rutserv.exe
3932	rutserv.exe
2820	rfusclient.exe
2820	rfusclient.exe

Suspicious behavior: SetClipboardViewer 1 IoCs

pid	Process
2176	rfusclient.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3652	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3652	msiexec.exe
Token: SeSecurityPrivilege	3132	msiexec.exe
Token: SeCreateTokenPrivilege	3652	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3652	msiexec.exe
Token: SeLockMemoryPrivilege	3652	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3652	msiexec.exe
Token: SeMachineAccountPrivilege	3652	msiexec.exe
Token: SeTcbPrivilege	3652	msiexec.exe
Token: SeSecurityPrivilege	3652	msiexec.exe
Token: SeTakeOwnershipPrivilege	3652	msiexec.exe
Token: SeLoadDriverPrivilege	3652	msiexec.exe
Token: SeSystemProfilePrivilege	3652	msiexec.exe
Token: SeSystemtimePrivilege	3652	msiexec.exe
Token: SeProfSingleProcessPrivilege	3652	msiexec.exe
Token: SeIncBasePriorityPrivilege	3652	msiexec.exe
Token: SeCreatePagefilePrivilege	3652	msiexec.exe
Token: SeCreatePermanentPrivilege	3652	msiexec.exe
Token: SeBackupPrivilege	3652	msiexec.exe
Token: SeRestorePrivilege	3652	msiexec.exe
Token: SeShutdownPrivilege	3652	msiexec.exe
Token: SeDebugPrivilege	3652	msiexec.exe
Token: SeAuditPrivilege	3652	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3652	msiexec.exe
Token: SeChangeNotifyPrivilege	3652	msiexec.exe
Token: SeRemoteShutdownPrivilege	3652	msiexec.exe
Token: SeUndockPrivilege	3652	msiexec.exe
Token: SeSyncAgentPrivilege	3652	msiexec.exe
Token: SeEnableDelegationPrivilege	3652	msiexec.exe
Token: SeManageVolumePrivilege	3652	msiexec.exe
Token: SeImpersonatePrivilege	3652	msiexec.exe
Token: SeCreateGlobalPrivilege	3652	msiexec.exe
Token: SeRestorePrivilege	3132	msiexec.exe
Token: SeTakeOwnershipPrivilege	3132	msiexec.exe
Token: SeRestorePrivilege	3132	msiexec.exe
Token: SeTakeOwnershipPrivilege	3132	msiexec.exe
Token: SeRestorePrivilege	3132	msiexec.exe
Token: SeTakeOwnershipPrivilege	3132	msiexec.exe
Token: SeRestorePrivilege	3132	msiexec.exe
Token: SeTakeOwnershipPrivilege	3132	msiexec.exe
Token: SeRestorePrivilege	3132	msiexec.exe
Token: SeTakeOwnershipPrivilege	3132	msiexec.exe
Token: SeRestorePrivilege	3132	msiexec.exe
Token: SeTakeOwnershipPrivilege	3132	msiexec.exe
Token: SeRestorePrivilege	3132	msiexec.exe
Token: SeTakeOwnershipPrivilege	3132	msiexec.exe
Token: SeRestorePrivilege	3132	msiexec.exe
Token: SeTakeOwnershipPrivilege	3132	msiexec.exe
Token: SeRestorePrivilege	3132	msiexec.exe
Token: SeTakeOwnershipPrivilege	3132	msiexec.exe
Token: SeRestorePrivilege	3132	msiexec.exe
Token: SeTakeOwnershipPrivilege	3132	msiexec.exe
Token: SeRestorePrivilege	3132	msiexec.exe
Token: SeTakeOwnershipPrivilege	3132	msiexec.exe
Token: SeRestorePrivilege	3132	msiexec.exe
Token: SeTakeOwnershipPrivilege	3132	msiexec.exe
Token: SeRestorePrivilege	3132	msiexec.exe
Token: SeTakeOwnershipPrivilege	3132	msiexec.exe
Token: SeRestorePrivilege	3132	msiexec.exe
Token: SeTakeOwnershipPrivilege	3132	msiexec.exe
Token: SeRestorePrivilege	3132	msiexec.exe
Token: SeTakeOwnershipPrivilege	3132	msiexec.exe
Token: SeRestorePrivilege	3132	msiexec.exe
Token: SeTakeOwnershipPrivilege	3132	msiexec.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
1664	installer.exe
3940	rutserv.exe
5032	rutserv.exe
2380	rutserv.exe
3932	rutserv.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 4580 wrote to memory of 1664	4580	tmp.exe	99
PID 4580 wrote to memory of 1664	4580	tmp.exe	99
PID 4580 wrote to memory of 1664	4580	tmp.exe	99
PID 1664 wrote to memory of 3652	1664	installer.exe	100
PID 1664 wrote to memory of 3652	1664	installer.exe	100
PID 1664 wrote to memory of 3652	1664	installer.exe	100
PID 3132 wrote to memory of 1828	3132	msiexec.exe	103
PID 3132 wrote to memory of 1828	3132	msiexec.exe	103
PID 3132 wrote to memory of 1828	3132	msiexec.exe	103
PID 3132 wrote to memory of 3940	3132	msiexec.exe	104
PID 3132 wrote to memory of 3940	3132	msiexec.exe	104
PID 3132 wrote to memory of 3940	3132	msiexec.exe	104
PID 3132 wrote to memory of 5032	3132	msiexec.exe	105
PID 3132 wrote to memory of 5032	3132	msiexec.exe	105
PID 3132 wrote to memory of 5032	3132	msiexec.exe	105
PID 3132 wrote to memory of 2380	3132	msiexec.exe	106
PID 3132 wrote to memory of 2380	3132	msiexec.exe	106
PID 3132 wrote to memory of 2380	3132	msiexec.exe	106
PID 1664 wrote to memory of 4508	1664	installer.exe	108
PID 1664 wrote to memory of 4508	1664	installer.exe	108
PID 1664 wrote to memory of 4508	1664	installer.exe	108
PID 3932 wrote to memory of 2820	3932	rutserv.exe	110
PID 3932 wrote to memory of 2820	3932	rutserv.exe	110
PID 3932 wrote to memory of 2820	3932	rutserv.exe	110
PID 3932 wrote to memory of 3864	3932	rutserv.exe	111
PID 3932 wrote to memory of 3864	3932	rutserv.exe	111
PID 3932 wrote to memory of 3864	3932	rutserv.exe	111
PID 2820 wrote to memory of 2176	2820	rfusclient.exe	112
PID 2820 wrote to memory of 2176	2820	rfusclient.exe	112
PID 2820 wrote to memory of 2176	2820	rfusclient.exe	112

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4580
- C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer.exe
  "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer.exe" /rsetup
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1664
- - C:\Windows\SysWOW64\msiexec.exe
    "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rms.host6.3.4ru_mod_mod.msi" /qn
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3652
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\killself.bat
    3⤵
    PID:4508

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3132
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 55DB5F0AD32CF11C8928597932C5A609
  2⤵
  - Loads dropped DLL
  PID:1828
- C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
  "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" /silentinstall
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:3940
- C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
  "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" /firewall
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:5032
- C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
  "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" /start
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2380

C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
"C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3932
- C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe
  "C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2820
- - C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe
    "C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe" /tray
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: SetClipboardViewer
    PID:2176
- C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe
  "C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe" /tray
  2⤵
  - Executes dropped EXE
  PID:3864

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1412 --field-trial-handle=2744,i,16362475727591565961,3676688664819797550,262144 --variations-seed-version /prefetch:8
1⤵
PID:420

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e580e46.rbs

Filesize
19KB

MD5
2ab97472914a5488a4aa2ab8a1b64f3e

SHA1
e1ff3e781a77207f17628de3b09018d4b1265c4e

SHA256
1ca2bc57561c58454ede8d224062470fd220cb21a6cc717497b43b66cc3a100a

SHA512
4d271ce8dceba08cb8f562e30dff103b5b90feed4875f85d89154e95282468fe44489af01e22dd79d14e8aa0aff40b49668e9b252632c71a9866bab18d0e59d4

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\English.lg

Filesize
43KB

MD5
bc25377ade68750b834c81fa71c233b8

SHA1
84dbb465dd2125f47668e2508e18af9bd6db2fd8

SHA256
9a48a7ea7ba2c2f33280d1e1722ebbc59bf81bc6c5a1f97edca53ea641ffd8e3

SHA512
205ab195339d7108adbe6dfabd48e4e21c5956ded587d7213a44618f0d34a43f7b8abaa7765b9d31695efacfc44beeb69fbaa3cb27c141b6a653713fdf5ebce5

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\RIPCServer.dll

Filesize
144KB

MD5
2ddfa39f5c2fd3f00681ef2970617e4b

SHA1
8152aa18afbacf398b92168995ec8696d3fe3659

SHA256
f938bdc741ef1d2738b532aef001a160e3a3627ed8a27158b7017ee49fc65791

SHA512
f89f0f02cda650c138e4ebaef198f0762dfd571ef7d46a6b3710cd93d76bc52a79055c55afca46128a9a84a795a5cb946ca93c492e07cfb503c9b27d96211e20

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\RWLN.dll

Filesize
975KB

MD5
3d0b27b3f8aa22575aa0faf0b2d67216

SHA1
39fc787538849692ed7352418616f467b7a86a1d

SHA256
d7782488ef29bf0fd7e8faf0bd24414a6540bf7366434692a5a485d5ae2d7d44

SHA512
19f0785d3cecce0dbbb7da1be640bffebe4daedc65a513d1db0b5e533eb96aaa0588831de74c88e5013c00405e03ca4188c4b633e39e6c49ab5c1d1b42191ca8

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\Russian.lg

Filesize
48KB

MD5
e44e34bc285b709f08f967325d9c8be1

SHA1
e73f05c6a980ec9d006930c5343955f89579b409

SHA256
1d99a7b5f7b3daa61fa773972b1e335aa09b92411484f6ddc99d2b2894455a5b

SHA512
576b292b6e9cf022822443e050994462a6cbd9a3c60063bae9f54c78a84e75e17bb5eddf7e259a22a9d93f757cb6536c503762e2a30e75091e40c2756cde8727

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe

Filesize
1.1MB

MD5
8de38f8a45139bd89868e6c1e82c7641

SHA1
16885be0f7e66bfa627822749a10a229d48f232f

SHA256
8df5d517a19ef5c6750f273fba6703928c3ec6a9c17056cdba70dcfb33b5dec4

SHA512
864000d5288bbd7a9a2a1ec4294eeaddbc7e14f5bde877f4446e817bf1b847aeb15f659cbb829a933365480a98d8d7d0b583aab0163d4dc068b87cf07f848790

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe

Filesize
645KB

MD5
a551e8bb87123e93ac1dc05ade00bd84

SHA1
5b7ff070bbb36ca57a0efb0d38378eeef997371d

SHA256
870aa851b2ef7ccfedd849058693e51b3859c8d7fb62d835e445b07e52d0b2e7

SHA512
d918473dfe2fe63ac0ae932bfc1a8ae0204df1779a834e25a2c7b8c618aad8803246fa5d370ca8c4b8097f7544cd2837cc1939f5198288bae88e72b81221cc77

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe

Filesize
832KB

MD5
4014f52499a1cc7862bdb6a8ceb2e343

SHA1
643dfa0099ea3ae7dd6c4c2274974a2684de1ae2

SHA256
f9895f611e984c30f55e23d0a5a0ea2571f1ec221d6b55a7c28cc28254262830

SHA512
591c7a247e9fae5b7308c2ef887321e3a2cba7d7a132e2918fd4b656f453ca9f072502393abd1ccd51d2da7a34ade5d1f778d6225665eb7107af79489ebfa3df

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe

Filesize
2.3MB

MD5
8e095a5e7502731732a9daa47d6d4dfd

SHA1
e8ae9b37b24836ff127e570c8caf5f07b6e283e1

SHA256
c44daf0e52d2b97801c2f7d70fc395ebe89d4b185f3c8613f415fde8cc011b0b

SHA512
28cdca06df22a694804a2c773a75391e56e8009cbf45212cdd26399e1ff27d1d51c0963293ad1f5a2ccc247ab63afdf672310b35f44935737ec5a4653d445335

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe

Filesize
116KB

MD5
b84f8f4db2bfccd78858f3c935bee270

SHA1
bf9e623f7f749200e38c5c60034afd31681cfc6e

SHA256
766ce973526d9c0543f1c2ff233f5de85a82cb2cd6ab73f87a0624d37ab59f54

SHA512
fe7e61856d6d054138aca9f9afb43465cae9cfc592c7d17fe862fbc31d9db38dfe9024b42b14e7fcd5b30cc046122d7467ac5d0f9a2c0c49826f552a21169d01

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe

Filesize
96KB

MD5
7620849e1afafb33081c626b72e70c37

SHA1
88c63c52aada23688686246c727ef6a696263067

SHA256
d9adbe64c04a861824974054c23992f750adbefb97f20e20803ca434f2498743

SHA512
eac76b1b2cf64bbcab4917e7b77e6ca91e359d5235934a1eacb8ece49c4204da293eee0529164257feb1690d5b75ff4bc75d5ffd831802bc2c293357460d7f2d

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe

Filesize
2.1MB

MD5
92081986a6e37389b975b71433333ab6

SHA1
f7a826e0ea6a60dfe2dee1d24cac4617d197e45e

SHA256
c589d7363d913aadef1f534a522c428d2a30a3ad641ec30bfb4c3095a5a0b37c

SHA512
8a059c890fa88aa584e9295a025d78f74d29f5ce93dd1d4bbe36d17e7d68642b3ef204c106eb40b476617a8f2307421d43fdf86cecbffef662f98168ce24ea8b

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe

Filesize
113KB

MD5
695192cdb19b857dbdb4559257e001c3

SHA1
260164851070b4f95072b8735fdfba786d184718

SHA256
c985945234f198981d6e02d9ddc72e24f36b9c9feb5276f209c1422d85f03a42

SHA512
1e4342eef4172da212b763c876391f1825cde87e7097a50cf96c44e3048f4df587b04275c8daf188fd2991aa937d81a69fedc21888cb9c0f1df1536396514286

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe

Filesize
1.6MB

MD5
e06f180d4f3221ac23bf6bea8db5b4de

SHA1
1d45a7f5ae3ba23de817226e24d07ea54ff27fa7

SHA256
bb3b1c8311387b574f9e8d72dc166a652c34e047113633964c901a66aa3c6fe5

SHA512
272063a6be91103bd8b231c1292ff610b28c4b87a1a26899e6dcfefb54d9200bb38697127d531dd4ba6a149faed392f47595cc71ec627fea8929f2dec261d1da

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\vp8decoder.dll

Filesize
378KB

MD5
292a1748850d1fdc91d4ec23b02d6902

SHA1
8f15f1c24e11c0b45b19c82a78f7b79b1e7f932d

SHA256
acf354ad6ed94e876b29a60c5870dd91e7b3f76cc82c1a862c92024a12404a9f

SHA512
cf7579f1169ec21d9bf3c666d416d3fe2a4f9953d4d328b182452e40043f91055d301fd4b4a21454b847dbdb0af6a61c52657caded7d6fd7e88812aceeacf704

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\vp8encoder.dll

Filesize
994KB

MD5
8b9a0b65ee11feb417756e8947cdc73d

SHA1
22b153992c2754205264c2e88e73c51b84299c30

SHA256
c1f321be60dcecdb0f1fd7aefdf6c1fa340f8d6095de9cf39265e7a8c28926b6

SHA512
4dd91bda6cc97d6b580fffddebb39b1422ad1bb8bda23c7e9a828311f56cec36c2d9df919f7a5fb7754e28f772ceeaa60cea2033f1b7d1d5922421815d7ff1f5

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\webmmux.dll

Filesize
258KB

MD5
038bf9f3a58560ad1130eeb85cdc1a87

SHA1
3571eb7293a2a3a5bf6eb21e1569cd151d995d1a

SHA256
d247afa3bd1ccc18e11eb099280802a61d3792a2018c476d95debf2091e9707d

SHA512
8ffa52b358841600b9122974079d22d4e11bc4214316cd85ac4d4af0e369112b6827029f74a9a9d3918db00c7fed3a9a1985e0b43da39783a748d78752ae2385

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\webmvorbisdecoder.dll

Filesize
363KB

MD5
eeb2c52abbc7eb1c029b7fec45a7f22e

SHA1
8bfeb412614e3db0a2bf0122f4d68cc27b8c3a61

SHA256
c0f0b84d587066af8f80f41a7be63b4c01547af3f1e011602ac1b6ee0ac54a2c

SHA512
0b5b83335c6f602b8397a3c2ae6d1e661d744eb27114463d53e344bf18774ccb38853d314ebe05536d4c28c29fe3fdaba041a6a46983789f064ca70881cfcb85

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\webmvorbisencoder.dll

Filesize
858KB

MD5
e38372f576d927f525ef8e1a34b54664

SHA1
26af9d1db0a3f91d7fe13147e55f06c302d59389

SHA256
4046bd0b93909a41d0fd96f0405a864c79a47f493165546569251c1f73db6b0b

SHA512
78b7477b000407990304ec37624b873514d4ed9daa1b42fd988707b7374ffab442ba28fe19884724867f3f0f7a5f12f7fc8c228c050115c902d1569e4a3b13c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer.exe

Filesize
6.0MB

MD5
c9704931d887685d96ce92d637d84045

SHA1
0875a71e9118ded121d92f3f46a3af1ec8380f8b

SHA256
0448c45cb43585409002e01ef53442cb9f6ad58f211f5deb3ad2ca8b8d535826

SHA512
3b739394f69ec9f26ef607a0d481f1ad3d107462220c2281cbc300f16886ab3d857bee9af59b8857c7e7ae5b04e6a849eaa5e304d6935957a0a15e462375c260

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer.exe

Filesize
3.2MB

MD5
1eef002c5fdbac6516045dd9be57e36b

SHA1
55b2c5358c92cfc6bf14616139b1d89c50fe3b09

SHA256
b241f8002e7cc4d947601f58e74b0d8e49705a6a880472b31235940723ce90e4

SHA512
61dbea2aa773908513b002fb07e6386816a16f0575d2a74860300395ebeeae07b234b8bf7b7959cc970dfb48a19ae826a30846f73cfcccfcfa1388062b56b077

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rms.host6.3.4ru_mod_mod.msi

Filesize
7.3MB

MD5
998f9b9eefeddbfc898356139220bab3

SHA1
324bb9170598a73ce7f1359da7a35a6065f22f8e

SHA256
0230d36dc995c5fa25b6dd3f33c670fdf5f06c014a0b2d1012c064d733e9d81c

SHA512
efea0f628fca55733a29cd6c05aab11b8b4e49153d9ae94340daa00e5cb47f1ce4c2c2a3d9fea6108205fcb3a13ca13a4d533f47c561e8785f529d58c95f08e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\killself.bat

Filesize
417B

MD5
2fe7ba7d9103012d8593f220508eaf6a

SHA1
fce4c84da7d0d97b46d494b15acbcd992b04f06a

SHA256
874044e21f5b7c8a7a2286f1a5c61693515153e73c019451f32a0df1bb910708

SHA512
9fb05799d464f26097c84d4b6dbb18de6de360f62a4373849fc6c7bc7348dc0738f702bcd3dbfa3bde4e1cb9275898ee33eb03706d419d2029a4a8fd3f983678

Download Submit
C:\Windows\Installer\MSI16FE.tmp

Filesize
125KB

MD5
b0bcc622f1fff0eec99e487fa1a4ddd9

SHA1
49aa392454bd5869fa23794196aedc38e8eea6f5

SHA256
b32687eaaad888410718875dcbff9f6a552e29c4d76af33e06e59859e1054081

SHA512
1572c1d07df2e9262d05a915d69ec4ebeb92eab50b89ce27dd290fb5a8e1de2c97d9320a3bb006834c98b3f6afcd7d2c29f039d9ca9afaa09c714406dedbc3c7

Download Submit
C:\Windows\Installer\e580e43.msi

Filesize
2.9MB

MD5
e64042c5ab639a36d3e1dd6d4d7ada5f

SHA1
7403755354e47cc9fd4804327c153f7edda419d3

SHA256
ea836510c132d5dd31bcd98ea401774f2b1a87a2011e963af273a5a1817cb935

SHA512
0937611f21a9394ac9241693e6e1ff86f6734b4c373dc3094aee6fed70525fc83e8b113015ab9100fffcc71866b3fbc5daa0ac060ea65f9438e9f435973d950b

Download Submit
C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\server_start_C00864331B9D4391A8A26292A601EBE2.exe

Filesize
96KB

MD5
9e2c097647125ee25068784acb01d7d3

SHA1
1a90c40c7f89eec18f47f0dae3f1d5cd3a3d49b5

SHA256
b4614281771ed482970fd0d091604b3a65c7e048f7d7fa8794abd0a0c638f5d2

SHA512
e2f334f31361ea1ffc206184808cb51002486fe583dc23b4f617bead0e3940fdc97b72cda2a971e2cf00462940b31e065228f643835d156e7166e8803e3181f1

Download Submit
memory/1664-123-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/1664-14-0x0000000002990000-0x0000000002991000-memory.dmp

Filesize
4KB

Download
memory/2176-145-0x0000000002620000-0x0000000002621000-memory.dmp

Filesize
4KB

Download
memory/2176-146-0x0000000000400000-0x00000000009A8000-memory.dmp

Filesize
5.7MB

Download
memory/2380-117-0x0000000002660000-0x0000000002661000-memory.dmp

Filesize
4KB

Download
memory/2380-138-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/2820-155-0x0000000002860000-0x0000000002861000-memory.dmp

Filesize
4KB

Download
memory/2820-148-0x0000000000400000-0x00000000009A8000-memory.dmp

Filesize
5.7MB

Download
memory/2820-140-0x0000000002860000-0x0000000002861000-memory.dmp

Filesize
4KB

Download
memory/3864-160-0x0000000000400000-0x00000000009A8000-memory.dmp

Filesize
5.7MB

Download
memory/3864-152-0x0000000000400000-0x00000000009A8000-memory.dmp

Filesize
5.7MB

Download
memory/3864-141-0x0000000000B60000-0x0000000000B61000-memory.dmp

Filesize
4KB

Download
memory/3864-177-0x0000000000400000-0x00000000009A8000-memory.dmp

Filesize
5.7MB

Download
memory/3864-167-0x0000000000400000-0x00000000009A8000-memory.dmp

Filesize
5.7MB

Download
memory/3864-156-0x0000000000B60000-0x0000000000B61000-memory.dmp

Filesize
4KB

Download
memory/3864-149-0x0000000000400000-0x00000000009A8000-memory.dmp

Filesize
5.7MB

Download
memory/3932-158-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/3932-189-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/3932-125-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/3932-154-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/3932-165-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/3932-147-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/3932-171-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/3932-175-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/3932-196-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/3932-182-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/3940-103-0x00000000028A0000-0x00000000028A1000-memory.dmp

Filesize
4KB

Download
memory/3940-104-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/5032-106-0x0000000002700000-0x0000000002701000-memory.dmp

Filesize
4KB

Download
memory/5032-107-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download