rms | a028816d9741540c6184091b4ae3c4e42b104f90fe3b17a55d0e4aa4c4c43824

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
01-03-2024 07:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

8.3MB
MD5

73f351beae5c881fafe36f42cde9a47c
SHA1

dc1425cfd5569bd59f5d56432df875b59da9300b
SHA256

a028816d9741540c6184091b4ae3c4e42b104f90fe3b17a55d0e4aa4c4c43824
SHA512

f484b1260e73b3717603cfcfd62e820502480d8be57a7570e6c38612c9ea86b9335c6a42742fbdb369a37fcd5ec4c2b06f426a075582c39639128ad7be92da66
SSDEEP

196608:PdQ5Lq4eAGPJgBDpKLtW0tzHlYd3cvF8m9k/RRZpAp2FG0c+imhtO:P2VqyC8mQ0vxN79kpR40cUO

Score

10^/10

rms discovery rat trojan

Malware Config

Signatures

RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms

Executes dropped EXE 8 IoCs

pid	Process
3012	installer.exe
2724	rutserv.exe
2336	rutserv.exe
1236	rutserv.exe
560	rutserv.exe
2060	rfusclient.exe
2928	rfusclient.exe
608	rfusclient.exe

Loads dropped DLL 4 IoCs

pid	Process
2152	tmp.exe
284	MsiExec.exe
560	rutserv.exe
560	rutserv.exe

Blocklisted process makes network request 4 IoCs

flow	pid	Process
3	2472	msiexec.exe
5	2472	msiexec.exe
7	2472	msiexec.exe
9	2472	msiexec.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe

Drops file in Program Files directory 53 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Remote Manipulator System - Host\vp8decoder.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\uninstall.cmd	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\ntprint.inf	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rms.lng	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\English.lg	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rmsui2.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\unidrv_rms.hlp	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\vp8encoder.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\uninstall.cmd	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\webmmux.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\stdnames_vpd.gpd	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rms.gpd	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\fwproc.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\VPDAgent.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rms.gpd	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\webmvorbisencoder.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unidrv_rms.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\setupdrv.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\webmvorbisdecoder.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rms_s.lng	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\fwproc.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\install.cmd	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rms.ini	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\SampleClient.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rms.ini	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\setupdrv.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rmsui.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\RWLN.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rms.lng	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unidrv_rms.hlp	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\EULA.rtf	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Russian.lg	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\progress.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rmspm.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\RIPCServer.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\srvinst_x64.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\stdnames_vpd.gpd	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\srvinst.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rmspm.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\unidrvui_rms.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\unires_vpd.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unidrvui_rms.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unires_vpd.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\ntprint.inf	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rmsui2.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\VPDAgent_x64.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\progress.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rmsui.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\unidrv_rms.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\install.cmd	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rms_s.lng	msiexec.exe

Drops file in Windows directory 18 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSI22E6.tmp	msiexec.exe
File created	C:\Windows\Installer\f761def.ipi	msiexec.exe
File created	C:\Windows\Installer\f761df1.msi	msiexec.exe
File created	C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\UNINST_Uninstall_R_3B1E3C8B7D0945898DA82CEEED02F0C7.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\server_stop_27D7873393984316BEA10FB36BB4D2F9.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\server_config_C8E9A92497A149D695F92E4E3AE550F0.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\server_start_C00864331B9D4391A8A26292A601EBE2.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\f761dec.msi	msiexec.exe
File created	C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\ARPPRODUCTICON.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\ARPPRODUCTICON.exe	msiexec.exe
File created	C:\Windows\Installer\f761dec.msi	msiexec.exe
File created	C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\server_stop_27D7873393984316BEA10FB36BB4D2F9.exe	msiexec.exe
File created	C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\server_config_C8E9A92497A149D695F92E4E3AE550F0.exe	msiexec.exe
File created	C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\server_start_C00864331B9D4391A8A26292A601EBE2.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\f761def.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI245D.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\UNINST_Uninstall_R_3B1E3C8B7D0945898DA82CEEED02F0C7.exe	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E	msiexec.exe

Modifies registry class 24 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\ProductIcon = "C:\\Windows\\Installer\\{D9E14363-FD66-419D-9DC9-C62471755C9F}\\ARPPRODUCTICON.exe"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\InstanceType = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\509B38EF4554FFD4794F292971C81B17\36341E9D66DFD914D99C6C421757C5F9	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\SourceList\Net	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\ProductName = "Remote Manipulator System - Host"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\AdvertiseFlags = "388"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\DeploymentFlags = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\7ZipSfx.000\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\SourceList\PackageName = "rms.host6.3ru_mod.msi"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\SourceList\Media\DiskPrompt = "[1]"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\SourceList\Media\1 = "DISK1;1"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\36341E9D66DFD914D99C6C421757C5F9	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\Version = "115998720"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\SourceList	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\Language = "1049"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\AuthorizedLUAApp = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\509B38EF4554FFD4794F292971C81B17	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\7ZipSfx.000\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\36341E9D66DFD914D99C6C421757C5F9\RMS	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\PackageCode = "EE22CCA5812A64F4CB23B29D2A4A798E"	msiexec.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

pid	Process
3012	installer.exe
3012	installer.exe
3012	installer.exe
3012	installer.exe
3012	installer.exe
3012	installer.exe
2472	msiexec.exe
2472	msiexec.exe
2724	rutserv.exe
2724	rutserv.exe
2724	rutserv.exe
2724	rutserv.exe
2336	rutserv.exe
2336	rutserv.exe
1236	rutserv.exe
1236	rutserv.exe
560	rutserv.exe
560	rutserv.exe
560	rutserv.exe
560	rutserv.exe
2928	rfusclient.exe

Suspicious behavior: SetClipboardViewer 1 IoCs

pid	Process
608	rfusclient.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2572	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2572	msiexec.exe
Token: SeRestorePrivilege	2472	msiexec.exe
Token: SeTakeOwnershipPrivilege	2472	msiexec.exe
Token: SeSecurityPrivilege	2472	msiexec.exe
Token: SeCreateTokenPrivilege	2572	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2572	msiexec.exe
Token: SeLockMemoryPrivilege	2572	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2572	msiexec.exe
Token: SeMachineAccountPrivilege	2572	msiexec.exe
Token: SeTcbPrivilege	2572	msiexec.exe
Token: SeSecurityPrivilege	2572	msiexec.exe
Token: SeTakeOwnershipPrivilege	2572	msiexec.exe
Token: SeLoadDriverPrivilege	2572	msiexec.exe
Token: SeSystemProfilePrivilege	2572	msiexec.exe
Token: SeSystemtimePrivilege	2572	msiexec.exe
Token: SeProfSingleProcessPrivilege	2572	msiexec.exe
Token: SeIncBasePriorityPrivilege	2572	msiexec.exe
Token: SeCreatePagefilePrivilege	2572	msiexec.exe
Token: SeCreatePermanentPrivilege	2572	msiexec.exe
Token: SeBackupPrivilege	2572	msiexec.exe
Token: SeRestorePrivilege	2572	msiexec.exe
Token: SeShutdownPrivilege	2572	msiexec.exe
Token: SeDebugPrivilege	2572	msiexec.exe
Token: SeAuditPrivilege	2572	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2572	msiexec.exe
Token: SeChangeNotifyPrivilege	2572	msiexec.exe
Token: SeRemoteShutdownPrivilege	2572	msiexec.exe
Token: SeUndockPrivilege	2572	msiexec.exe
Token: SeSyncAgentPrivilege	2572	msiexec.exe
Token: SeEnableDelegationPrivilege	2572	msiexec.exe
Token: SeManageVolumePrivilege	2572	msiexec.exe
Token: SeImpersonatePrivilege	2572	msiexec.exe
Token: SeCreateGlobalPrivilege	2572	msiexec.exe
Token: SeRestorePrivilege	2472	msiexec.exe
Token: SeTakeOwnershipPrivilege	2472	msiexec.exe
Token: SeRestorePrivilege	2472	msiexec.exe
Token: SeTakeOwnershipPrivilege	2472	msiexec.exe
Token: SeRestorePrivilege	2472	msiexec.exe
Token: SeTakeOwnershipPrivilege	2472	msiexec.exe
Token: SeRestorePrivilege	2472	msiexec.exe
Token: SeTakeOwnershipPrivilege	2472	msiexec.exe
Token: SeRestorePrivilege	2472	msiexec.exe
Token: SeTakeOwnershipPrivilege	2472	msiexec.exe
Token: SeRestorePrivilege	2472	msiexec.exe
Token: SeTakeOwnershipPrivilege	2472	msiexec.exe
Token: SeRestorePrivilege	2472	msiexec.exe
Token: SeTakeOwnershipPrivilege	2472	msiexec.exe
Token: SeRestorePrivilege	2472	msiexec.exe
Token: SeTakeOwnershipPrivilege	2472	msiexec.exe
Token: SeRestorePrivilege	2472	msiexec.exe
Token: SeTakeOwnershipPrivilege	2472	msiexec.exe
Token: SeRestorePrivilege	2472	msiexec.exe
Token: SeTakeOwnershipPrivilege	2472	msiexec.exe
Token: SeRestorePrivilege	2472	msiexec.exe
Token: SeTakeOwnershipPrivilege	2472	msiexec.exe
Token: SeRestorePrivilege	2472	msiexec.exe
Token: SeTakeOwnershipPrivilege	2472	msiexec.exe
Token: SeRestorePrivilege	2472	msiexec.exe
Token: SeTakeOwnershipPrivilege	2472	msiexec.exe
Token: SeRestorePrivilege	2472	msiexec.exe
Token: SeTakeOwnershipPrivilege	2472	msiexec.exe
Token: SeRestorePrivilege	2472	msiexec.exe
Token: SeTakeOwnershipPrivilege	2472	msiexec.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
3012	installer.exe
2724	rutserv.exe
2336	rutserv.exe
1236	rutserv.exe
560	rutserv.exe

Suspicious use of WriteProcessMemory 49 IoCs

description	pid	Process	procid_target
PID 2152 wrote to memory of 3012	2152	tmp.exe	28
PID 2152 wrote to memory of 3012	2152	tmp.exe	28
PID 2152 wrote to memory of 3012	2152	tmp.exe	28
PID 2152 wrote to memory of 3012	2152	tmp.exe	28
PID 2152 wrote to memory of 3012	2152	tmp.exe	28
PID 2152 wrote to memory of 3012	2152	tmp.exe	28
PID 2152 wrote to memory of 3012	2152	tmp.exe	28
PID 3012 wrote to memory of 2572	3012	installer.exe	29
PID 3012 wrote to memory of 2572	3012	installer.exe	29
PID 3012 wrote to memory of 2572	3012	installer.exe	29
PID 3012 wrote to memory of 2572	3012	installer.exe	29
PID 3012 wrote to memory of 2572	3012	installer.exe	29
PID 3012 wrote to memory of 2572	3012	installer.exe	29
PID 3012 wrote to memory of 2572	3012	installer.exe	29
PID 2472 wrote to memory of 284	2472	msiexec.exe	31
PID 2472 wrote to memory of 284	2472	msiexec.exe	31
PID 2472 wrote to memory of 284	2472	msiexec.exe	31
PID 2472 wrote to memory of 284	2472	msiexec.exe	31
PID 2472 wrote to memory of 284	2472	msiexec.exe	31
PID 2472 wrote to memory of 284	2472	msiexec.exe	31
PID 2472 wrote to memory of 284	2472	msiexec.exe	31
PID 2472 wrote to memory of 2724	2472	msiexec.exe	32
PID 2472 wrote to memory of 2724	2472	msiexec.exe	32
PID 2472 wrote to memory of 2724	2472	msiexec.exe	32
PID 2472 wrote to memory of 2724	2472	msiexec.exe	32
PID 2472 wrote to memory of 2336	2472	msiexec.exe	33
PID 2472 wrote to memory of 2336	2472	msiexec.exe	33
PID 2472 wrote to memory of 2336	2472	msiexec.exe	33
PID 2472 wrote to memory of 2336	2472	msiexec.exe	33
PID 2472 wrote to memory of 1236	2472	msiexec.exe	34
PID 2472 wrote to memory of 1236	2472	msiexec.exe	34
PID 2472 wrote to memory of 1236	2472	msiexec.exe	34
PID 2472 wrote to memory of 1236	2472	msiexec.exe	34
PID 3012 wrote to memory of 2332	3012	installer.exe	35
PID 3012 wrote to memory of 2332	3012	installer.exe	35
PID 3012 wrote to memory of 2332	3012	installer.exe	35
PID 3012 wrote to memory of 2332	3012	installer.exe	35
PID 560 wrote to memory of 2060	560	rutserv.exe	39
PID 560 wrote to memory of 2060	560	rutserv.exe	39
PID 560 wrote to memory of 2060	560	rutserv.exe	39
PID 560 wrote to memory of 2060	560	rutserv.exe	39
PID 560 wrote to memory of 2928	560	rutserv.exe	38
PID 560 wrote to memory of 2928	560	rutserv.exe	38
PID 560 wrote to memory of 2928	560	rutserv.exe	38
PID 560 wrote to memory of 2928	560	rutserv.exe	38
PID 2928 wrote to memory of 608	2928	rfusclient.exe	40
PID 2928 wrote to memory of 608	2928	rfusclient.exe	40
PID 2928 wrote to memory of 608	2928	rfusclient.exe	40
PID 2928 wrote to memory of 608	2928	rfusclient.exe	40

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2152
- C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer.exe
  "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer.exe" /rsetup
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3012
- - C:\Windows\SysWOW64\msiexec.exe
    "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rms.host6.3ru_mod.msi" /qn
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2572
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\killself.bat
    3⤵
    PID:2332

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2472
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 57D046BB2E2215DB27A7E976DBD99647
  2⤵
  - Loads dropped DLL
  PID:284
- C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
  "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" /silentinstall
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2724
- C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
  "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" /firewall
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2336
- C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
  "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" /start
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1236

C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
"C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:560
- C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe
  "C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2928
- - C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe
    "C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe" /tray
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: SetClipboardViewer
    PID:608
- C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe
  "C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe" /tray
  2⤵
  - Executes dropped EXE
  PID:2060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f761df0.rbs

Filesize
19KB

MD5
29e1241ca76626ae006c75c8b32dda1f

SHA1
8089dfde0c3c0648032e2d3b4255db6fda2ea2ca

SHA256
2c55e18cec56364f45cc68aff136cd9f96e96f644ece126958a64b1bec84bb8d

SHA512
5f52b471638ffd466f01002085bc9c4c85b5ec97c8628487b5a2029d66c438deb91310d564f0a21453b13849f85ab8361b254a1425b3aba6b833ab02584571ea

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\English.lg

Filesize
43KB

MD5
bc25377ade68750b834c81fa71c233b8

SHA1
84dbb465dd2125f47668e2508e18af9bd6db2fd8

SHA256
9a48a7ea7ba2c2f33280d1e1722ebbc59bf81bc6c5a1f97edca53ea641ffd8e3

SHA512
205ab195339d7108adbe6dfabd48e4e21c5956ded587d7213a44618f0d34a43f7b8abaa7765b9d31695efacfc44beeb69fbaa3cb27c141b6a653713fdf5ebce5

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\RIPCServer.dll

Filesize
144KB

MD5
2ddfa39f5c2fd3f00681ef2970617e4b

SHA1
8152aa18afbacf398b92168995ec8696d3fe3659

SHA256
f938bdc741ef1d2738b532aef001a160e3a3627ed8a27158b7017ee49fc65791

SHA512
f89f0f02cda650c138e4ebaef198f0762dfd571ef7d46a6b3710cd93d76bc52a79055c55afca46128a9a84a795a5cb946ca93c492e07cfb503c9b27d96211e20

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\RWLN.dll

Filesize
975KB

MD5
3d0b27b3f8aa22575aa0faf0b2d67216

SHA1
39fc787538849692ed7352418616f467b7a86a1d

SHA256
d7782488ef29bf0fd7e8faf0bd24414a6540bf7366434692a5a485d5ae2d7d44

SHA512
19f0785d3cecce0dbbb7da1be640bffebe4daedc65a513d1db0b5e533eb96aaa0588831de74c88e5013c00405e03ca4188c4b633e39e6c49ab5c1d1b42191ca8

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\Russian.lg

Filesize
48KB

MD5
e44e34bc285b709f08f967325d9c8be1

SHA1
e73f05c6a980ec9d006930c5343955f89579b409

SHA256
1d99a7b5f7b3daa61fa773972b1e335aa09b92411484f6ddc99d2b2894455a5b

SHA512
576b292b6e9cf022822443e050994462a6cbd9a3c60063bae9f54c78a84e75e17bb5eddf7e259a22a9d93f757cb6536c503762e2a30e75091e40c2756cde8727

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe

Filesize
960KB

MD5
8fa1e87544d6e4f6561f529a1eb3f7b4

SHA1
ae9b79b6393914eead0cbca2fadbff313858a6a5

SHA256
7d49101af647f3cbdedc4731d4d9ff55d88e7ef5f503047fa05b44f2c0fcbbbe

SHA512
84b46239ca7f8dfba8f0b2f1f07bcd40385077af369c41f346e8ce2a6aa771959468ab06a6ccb76b1ec00ae2293c2c6988c3c217bb946d333e77da4f50841481

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe

Filesize
576KB

MD5
5ce8cf454fc7705236eb347ff215b9b0

SHA1
655c0614584e8f612c82e5a9efb10ee509cb8889

SHA256
8338f9f5a2efe19608418929f516592969d7d8c964f8b95ef2106e4c7a490a7d

SHA512
76d25e71dc8d943a71abaf505b91cf52ff8c79c72c4ed305d74f8135a2abf1a42f70b698aab667acb019c7a4a8c601716475cec0a0366395c8ff95c04b80dc64

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe

Filesize
5.1MB

MD5
76ebe5fd077a62161d0ab560208b9f94

SHA1
614c218d35ba531f0bad791d52e5dcf57df5c742

SHA256
f0a653463850ce111457513e9ad3ec4443ed88c69fdf33d76e05c33ce8e1722b

SHA512
baba7b03042c4bfbf6efa9c2219ed72e393e193ee743a32501e1a5df56293b3bdf2270b92843c9333049dcfcfe52007d6e9a7bfaa0548ef268d2511cf590efde

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe

Filesize
5.4MB

MD5
bf773f9c4bf450b37e4edb2c5c70f39f

SHA1
ca7ed1a1df9b7a6ca41ae440399cb26871f70071

SHA256
cba1e9105079d7376f0a795ea9a3e5983c1db15ac2ad9d152fdba8179ce23423

SHA512
4102de45155c9ff8e3e98e6de03e93adf8272d2c5ab4c978cd174b67eaf1caf28578aad9c90b061a71b35f2c3c2bfcab90aa5e7d15dc7e0ba0889e5adfc832b1

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe

Filesize
3.9MB

MD5
2d7c00c632cbf8a261a5c4bb4432b970

SHA1
89b31642a0c33dd78fbf3a26cd5738b3463a1ade

SHA256
4c55f321812646b3d1e7502db4aabca07b4c09dd2b2a926a86d8ba9ddcffaa33

SHA512
a255edc220e6ea8de15d23b71e2e6a1e87a49a5f50b53e66b8a775cf8cec8e32f88d7299ccc66ab9a881b2339cc7be239bfc3cdef6adacf0e1862e2e7acc40f2

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe

Filesize
2.8MB

MD5
63f9382a48621880ca304517c8f175c8

SHA1
829c9bf29257128721d0f05136e41eb3b9e68f3c

SHA256
70a325073fd3451428f8470de837c20e1702f5be7627d5715f0f4f59d029f062

SHA512
a71a2890375e579584bf279a7b4f2bd59f439639993d0a4413785680364a19fd251eda0a0298d1e0b45d642355ffee2c6d911fa2fa074d8e7ff3d8187986792d

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe

Filesize
1.2MB

MD5
59a8fba525299fd769da6b6fd08f2553

SHA1
62d4c0959176cff6c97e6ede41982189d869cbc9

SHA256
54a0791b8e3e0aa76a5d0100b033655c1c1f358bf7b13622b159b1e2f7390b6a

SHA512
09d65e0224b09facfabe5a8ba05c35b47ca44be2d946fc1059d6a0e08d37dea09f3d9f990f1ce94214fa3115a8e69ac79afa9cac8dc68b5ce67e00b22ff2486a

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\vp8decoder.dll

Filesize
378KB

MD5
292a1748850d1fdc91d4ec23b02d6902

SHA1
8f15f1c24e11c0b45b19c82a78f7b79b1e7f932d

SHA256
acf354ad6ed94e876b29a60c5870dd91e7b3f76cc82c1a862c92024a12404a9f

SHA512
cf7579f1169ec21d9bf3c666d416d3fe2a4f9953d4d328b182452e40043f91055d301fd4b4a21454b847dbdb0af6a61c52657caded7d6fd7e88812aceeacf704

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\vp8encoder.dll

Filesize
1.4MB

MD5
7ba40134adf921ccd29beda853b1e0de

SHA1
bc03eb0773cda6ec7caa3bc289f53362483ee644

SHA256
554190d59c5037d7793fe55512a5f90fe58467368a1bac9ed99a98ae88c3f4dc

SHA512
bd6fd2e50c52667ddf6f66f7137f9466e193f7dc0936dfe7df407f2ca661c0d15f437f280c7a246667017078fc6a761817f3f4cc37bc7fcb352fe9468adec3a2

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\webmmux.dll

Filesize
258KB

MD5
038bf9f3a58560ad1130eeb85cdc1a87

SHA1
3571eb7293a2a3a5bf6eb21e1569cd151d995d1a

SHA256
d247afa3bd1ccc18e11eb099280802a61d3792a2018c476d95debf2091e9707d

SHA512
8ffa52b358841600b9122974079d22d4e11bc4214316cd85ac4d4af0e369112b6827029f74a9a9d3918db00c7fed3a9a1985e0b43da39783a748d78752ae2385

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\webmvorbisdecoder.dll

Filesize
363KB

MD5
eeb2c52abbc7eb1c029b7fec45a7f22e

SHA1
8bfeb412614e3db0a2bf0122f4d68cc27b8c3a61

SHA256
c0f0b84d587066af8f80f41a7be63b4c01547af3f1e011602ac1b6ee0ac54a2c

SHA512
0b5b83335c6f602b8397a3c2ae6d1e661d744eb27114463d53e344bf18774ccb38853d314ebe05536d4c28c29fe3fdaba041a6a46983789f064ca70881cfcb85

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\webmvorbisencoder.dll

Filesize
858KB

MD5
e38372f576d927f525ef8e1a34b54664

SHA1
26af9d1db0a3f91d7fe13147e55f06c302d59389

SHA256
4046bd0b93909a41d0fd96f0405a864c79a47f493165546569251c1f73db6b0b

SHA512
78b7477b000407990304ec37624b873514d4ed9daa1b42fd988707b7374ffab442ba28fe19884724867f3f0f7a5f12f7fc8c228c050115c902d1569e4a3b13c7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
67KB

MD5
753df6889fd7410a2e9fe333da83a429

SHA1
3c425f16e8267186061dd48ac1c77c122962456e

SHA256
b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78

SHA512
9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rms.host6.3ru_mod.msi

Filesize
7.4MB

MD5
73e578a44265558d3ace212869d43cbb

SHA1
d2c15578def8996ed0ae4a44754055b774b095a7

SHA256
8a6945ead42d78d963d6f2e126eebb89c0e82b02c389d4badcaa837ff49bf7f4

SHA512
fe661e19899a6f749a180e5b312fcebb2963acc92720d1c6cabba22b0ffd250f1930c9dac62f789cd4b99aff86ef0f3944ae52a583e2c1be57c9fca391be9bf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar2006.tmp

Filesize
175KB

MD5
dd73cead4b93366cf3465c8cd32e2796

SHA1
74546226dfe9ceb8184651e920d1dbfb432b314e

SHA256
a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22

SHA512
ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

Download Submit
C:\Users\Admin\AppData\Local\Temp\killself.bat

Filesize
411B

MD5
c2ac85b000427a4a00f19da237aaaf86

SHA1
459ecb5e64576348e6c654724e87825772c06ea8

SHA256
b5157eceaf9b5f6448d15dcfe7011af0b44a4288f7667c5d717f042c2fba1352

SHA512
e62f711445398b0654e698c4f7d4c75bb8693e901ae99f1cf543f45ccd9532daf27bba1ceb9d180d0379a41c9a62d6ee2df30cd25b9abb05532c551a0fad814b

Download Submit
C:\Windows\Installer\MSI22E6.tmp

Filesize
125KB

MD5
b0bcc622f1fff0eec99e487fa1a4ddd9

SHA1
49aa392454bd5869fa23794196aedc38e8eea6f5

SHA256
b32687eaaad888410718875dcbff9f6a552e29c4d76af33e06e59859e1054081

SHA512
1572c1d07df2e9262d05a915d69ec4ebeb92eab50b89ce27dd290fb5a8e1de2c97d9320a3bb006834c98b3f6afcd7d2c29f039d9ca9afaa09c714406dedbc3c7

Download Submit
C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\server_start_C00864331B9D4391A8A26292A601EBE2.exe

Filesize
96KB

MD5
9e2c097647125ee25068784acb01d7d3

SHA1
1a90c40c7f89eec18f47f0dae3f1d5cd3a3d49b5

SHA256
b4614281771ed482970fd0d091604b3a65c7e048f7d7fa8794abd0a0c638f5d2

SHA512
e2f334f31361ea1ffc206184808cb51002486fe583dc23b4f617bead0e3940fdc97b72cda2a971e2cf00462940b31e065228f643835d156e7166e8803e3181f1

Download Submit
\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe

Filesize
128KB

MD5
bd630f6cb36b00364b66a493a2ccb48b

SHA1
661f999ae102f6d31e9e7adbff54e0ab0542be01

SHA256
2af32bb04d6108f5e626676307be78b01fa7751297b02c9de4c305efac9d44e3

SHA512
3b5e1c1cf20aa96cfcd15de01fa339930d3884f3e7ae6b27f2662e5df71183a89d01ba062491de42efa004a2066acc1e061882b55f8eb2e71eba68a6e1e09c0f

Download Submit
\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe

Filesize
1.6MB

MD5
7a7dc3635b49345f29f103a95695d7e7

SHA1
dd74358b13f9b440e35ec9a98e53a590e16bf8be

SHA256
5ff67cfa0771d71e2d6b630a652c88175042c3aea23b1bdb08f4b2c5af2acd78

SHA512
b4bfb5b97febef17c79e23e423ecfe663594563a764f6d396eb74358c6ffb5c9d032486e578fdb59f7993ba6ba461eb6cac5080ad9ac778eeab3020a8306b737

Download Submit
\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer.exe

Filesize
6.0MB

MD5
c9704931d887685d96ce92d637d84045

SHA1
0875a71e9118ded121d92f3f46a3af1ec8380f8b

SHA256
0448c45cb43585409002e01ef53442cb9f6ad58f211f5deb3ad2ca8b8d535826

SHA512
3b739394f69ec9f26ef607a0d481f1ad3d107462220c2281cbc300f16886ab3d857bee9af59b8857c7e7ae5b04e6a849eaa5e304d6935957a0a15e462375c260

Download Submit
memory/560-227-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/560-223-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/560-241-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/560-237-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/560-174-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/560-230-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/560-208-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/560-201-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/560-198-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/560-219-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/560-212-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/608-196-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/608-197-0x0000000000400000-0x00000000009A8000-memory.dmp

Filesize
5.7MB

Download
memory/1236-189-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/1236-171-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/2060-214-0x0000000000400000-0x00000000009A8000-memory.dmp

Filesize
5.7MB

Download
memory/2060-225-0x0000000000400000-0x00000000009A8000-memory.dmp

Filesize
5.7MB

Download
memory/2060-205-0x0000000000400000-0x00000000009A8000-memory.dmp

Filesize
5.7MB

Download
memory/2060-207-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2060-210-0x0000000000400000-0x00000000009A8000-memory.dmp

Filesize
5.7MB

Download
memory/2060-191-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2060-200-0x0000000000400000-0x00000000009A8000-memory.dmp

Filesize
5.7MB

Download
memory/2336-151-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/2336-150-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2724-148-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/2724-146-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2928-190-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/2928-199-0x0000000000400000-0x00000000009A8000-memory.dmp

Filesize
5.7MB

Download
memory/2928-202-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/3012-9-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/3012-170-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download