rms | a028816d9741540c6184091b4ae3c4e42b104f90fe3b17a55d0e4aa4c4c43824

Analysis

max time kernel
152s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
01-03-2024 07:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

8.3MB
MD5

73f351beae5c881fafe36f42cde9a47c
SHA1

dc1425cfd5569bd59f5d56432df875b59da9300b
SHA256

a028816d9741540c6184091b4ae3c4e42b104f90fe3b17a55d0e4aa4c4c43824
SHA512

f484b1260e73b3717603cfcfd62e820502480d8be57a7570e6c38612c9ea86b9335c6a42742fbdb369a37fcd5ec4c2b06f426a075582c39639128ad7be92da66
SSDEEP

196608:PdQ5Lq4eAGPJgBDpKLtW0tzHlYd3cvF8m9k/RRZpAp2FG0c+imhtO:P2VqyC8mQ0vxN79kpR40cUO

Score

10^/10

rms discovery rat trojan

Malware Config

Signatures

RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	tmp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	installer.exe

Executes dropped EXE 8 IoCs

pid	Process
5048	installer.exe
4480	rutserv.exe
1720	rutserv.exe
3968	rutserv.exe
1196	rutserv.exe
5044	rfusclient.exe
4760	rfusclient.exe
3100	rfusclient.exe

Loads dropped DLL 1 IoCs

pid	Process
3652	MsiExec.exe

Blocklisted process makes network request 4 IoCs

flow	pid	Process
14	4056	msiexec.exe
16	4056	msiexec.exe
19	4056	msiexec.exe
21	4056	msiexec.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe

Drops file in Program Files directory 53 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\setupdrv.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rmspm.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\vp8encoder.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\webmmux.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unidrvui_rms.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\srvinst.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rmsui.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\ntprint.inf	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rms.lng	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rmsui2.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unires_vpd.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rmsui2.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\unidrvui_rms.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\unires_vpd.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\uninstall.cmd	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rms.gpd	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\RIPCServer.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\fwproc.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\progress.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\SampleClient.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\EULA.rtf	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rms.ini	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rms.gpd	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rmsui.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\ntprint.inf	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rms_s.lng	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\unidrv_rms.hlp	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rms.lng	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\VPDAgent.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rms_s.lng	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\webmvorbisdecoder.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\setupdrv.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\stdnames_vpd.gpd	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\RWLN.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rms.ini	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\stdnames_vpd.gpd	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\install.cmd	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\unidrv_rms.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\vp8decoder.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\progress.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\srvinst_x64.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\English.lg	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\install.cmd	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unidrv_rms.hlp	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\fwproc.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unidrv_rms.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\uninstall.cmd	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Russian.lg	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\webmvorbisencoder.dll	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\VPDAgent_x64.exe	msiexec.exe
File created	C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rmspm.dll	msiexec.exe

Drops file in Windows directory 19 IoCs

description	ioc	Process
File created	C:\Windows\Installer\e58125a.msi	msiexec.exe
File created	C:\Windows\Installer\e58125e.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\UNINST_Uninstall_R_3B1E3C8B7D0945898DA82CEEED02F0C7.exe	msiexec.exe
File created	C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\server_stop_27D7873393984316BEA10FB36BB4D2F9.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\server_stop_27D7873393984316BEA10FB36BB4D2F9.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI23A0.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2A58.tmp	msiexec.exe
File created	C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\UNINST_Uninstall_R_3B1E3C8B7D0945898DA82CEEED02F0C7.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\ARPPRODUCTICON.exe	msiexec.exe
File created	C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\server_start_C00864331B9D4391A8A26292A601EBE2.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\server_start_C00864331B9D4391A8A26292A601EBE2.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\e58125a.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\Installer\SourceHash{D9E14363-FD66-419D-9DC9-C62471755C9F}	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\ARPPRODUCTICON.exe	msiexec.exe
File created	C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\server_config_C8E9A92497A149D695F92E4E3AE550F0.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\server_config_C8E9A92497A149D695F92E4E3AE550F0.exe	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\23	msiexec.exe

Modifies registry class 24 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\SourceList\Media\1 = "DISK1;1"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\PackageCode = "EE22CCA5812A64F4CB23B29D2A4A798E"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\ProductIcon = "C:\\Windows\\Installer\\{D9E14363-FD66-419D-9DC9-C62471755C9F}\\ARPPRODUCTICON.exe"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\DeploymentFlags = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\SourceList\Media\DiskPrompt = "[1]"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\36341E9D66DFD914D99C6C421757C5F9\RMS	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\Version = "115998720"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\AdvertiseFlags = "388"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\InstanceType = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\509B38EF4554FFD4794F292971C81B17\36341E9D66DFD914D99C6C421757C5F9	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\SourceList\PackageName = "rms.host6.3ru_mod.msi"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\7ZipSfx.000\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\ProductName = "Remote Manipulator System - Host"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\Language = "1049"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\AuthorizedLUAApp = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\509B38EF4554FFD4794F292971C81B17	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\7ZipSfx.000\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\36341E9D66DFD914D99C6C421757C5F9	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\Assignment = "1"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\SourceList	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36341E9D66DFD914D99C6C421757C5F9\SourceList\Media	msiexec.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

pid	Process
5048	installer.exe
5048	installer.exe
5048	installer.exe
5048	installer.exe
5048	installer.exe
5048	installer.exe
5048	installer.exe
5048	installer.exe
5048	installer.exe
5048	installer.exe
4056	msiexec.exe
4056	msiexec.exe
4480	rutserv.exe
4480	rutserv.exe
4480	rutserv.exe
4480	rutserv.exe
4480	rutserv.exe
4480	rutserv.exe
1720	rutserv.exe
1720	rutserv.exe
3968	rutserv.exe
3968	rutserv.exe
1196	rutserv.exe
1196	rutserv.exe
1196	rutserv.exe
1196	rutserv.exe
1196	rutserv.exe
1196	rutserv.exe
4760	rfusclient.exe
4760	rfusclient.exe

Suspicious behavior: SetClipboardViewer 3 IoCs

pid	Process
4760	rfusclient.exe
5044	rfusclient.exe
3100	rfusclient.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2128	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2128	msiexec.exe
Token: SeSecurityPrivilege	4056	msiexec.exe
Token: SeCreateTokenPrivilege	2128	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2128	msiexec.exe
Token: SeLockMemoryPrivilege	2128	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2128	msiexec.exe
Token: SeMachineAccountPrivilege	2128	msiexec.exe
Token: SeTcbPrivilege	2128	msiexec.exe
Token: SeSecurityPrivilege	2128	msiexec.exe
Token: SeTakeOwnershipPrivilege	2128	msiexec.exe
Token: SeLoadDriverPrivilege	2128	msiexec.exe
Token: SeSystemProfilePrivilege	2128	msiexec.exe
Token: SeSystemtimePrivilege	2128	msiexec.exe
Token: SeProfSingleProcessPrivilege	2128	msiexec.exe
Token: SeIncBasePriorityPrivilege	2128	msiexec.exe
Token: SeCreatePagefilePrivilege	2128	msiexec.exe
Token: SeCreatePermanentPrivilege	2128	msiexec.exe
Token: SeBackupPrivilege	2128	msiexec.exe
Token: SeRestorePrivilege	2128	msiexec.exe
Token: SeShutdownPrivilege	2128	msiexec.exe
Token: SeDebugPrivilege	2128	msiexec.exe
Token: SeAuditPrivilege	2128	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2128	msiexec.exe
Token: SeChangeNotifyPrivilege	2128	msiexec.exe
Token: SeRemoteShutdownPrivilege	2128	msiexec.exe
Token: SeUndockPrivilege	2128	msiexec.exe
Token: SeSyncAgentPrivilege	2128	msiexec.exe
Token: SeEnableDelegationPrivilege	2128	msiexec.exe
Token: SeManageVolumePrivilege	2128	msiexec.exe
Token: SeImpersonatePrivilege	2128	msiexec.exe
Token: SeCreateGlobalPrivilege	2128	msiexec.exe
Token: SeRestorePrivilege	4056	msiexec.exe
Token: SeTakeOwnershipPrivilege	4056	msiexec.exe
Token: SeRestorePrivilege	4056	msiexec.exe
Token: SeTakeOwnershipPrivilege	4056	msiexec.exe
Token: SeRestorePrivilege	4056	msiexec.exe
Token: SeTakeOwnershipPrivilege	4056	msiexec.exe
Token: SeRestorePrivilege	4056	msiexec.exe
Token: SeTakeOwnershipPrivilege	4056	msiexec.exe
Token: SeRestorePrivilege	4056	msiexec.exe
Token: SeTakeOwnershipPrivilege	4056	msiexec.exe
Token: SeRestorePrivilege	4056	msiexec.exe
Token: SeTakeOwnershipPrivilege	4056	msiexec.exe
Token: SeRestorePrivilege	4056	msiexec.exe
Token: SeTakeOwnershipPrivilege	4056	msiexec.exe
Token: SeRestorePrivilege	4056	msiexec.exe
Token: SeTakeOwnershipPrivilege	4056	msiexec.exe
Token: SeRestorePrivilege	4056	msiexec.exe
Token: SeTakeOwnershipPrivilege	4056	msiexec.exe
Token: SeRestorePrivilege	4056	msiexec.exe
Token: SeTakeOwnershipPrivilege	4056	msiexec.exe
Token: SeRestorePrivilege	4056	msiexec.exe
Token: SeTakeOwnershipPrivilege	4056	msiexec.exe
Token: SeRestorePrivilege	4056	msiexec.exe
Token: SeTakeOwnershipPrivilege	4056	msiexec.exe
Token: SeRestorePrivilege	4056	msiexec.exe
Token: SeTakeOwnershipPrivilege	4056	msiexec.exe
Token: SeRestorePrivilege	4056	msiexec.exe
Token: SeTakeOwnershipPrivilege	4056	msiexec.exe
Token: SeRestorePrivilege	4056	msiexec.exe
Token: SeTakeOwnershipPrivilege	4056	msiexec.exe
Token: SeRestorePrivilege	4056	msiexec.exe
Token: SeTakeOwnershipPrivilege	4056	msiexec.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
5048	installer.exe
4480	rutserv.exe
1720	rutserv.exe
3968	rutserv.exe
1196	rutserv.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 948 wrote to memory of 5048	948	tmp.exe	96
PID 948 wrote to memory of 5048	948	tmp.exe	96
PID 948 wrote to memory of 5048	948	tmp.exe	96
PID 5048 wrote to memory of 2128	5048	installer.exe	97
PID 5048 wrote to memory of 2128	5048	installer.exe	97
PID 5048 wrote to memory of 2128	5048	installer.exe	97
PID 4056 wrote to memory of 3652	4056	msiexec.exe	100
PID 4056 wrote to memory of 3652	4056	msiexec.exe	100
PID 4056 wrote to memory of 3652	4056	msiexec.exe	100
PID 4056 wrote to memory of 4480	4056	msiexec.exe	101
PID 4056 wrote to memory of 4480	4056	msiexec.exe	101
PID 4056 wrote to memory of 4480	4056	msiexec.exe	101
PID 4056 wrote to memory of 1720	4056	msiexec.exe	102
PID 4056 wrote to memory of 1720	4056	msiexec.exe	102
PID 4056 wrote to memory of 1720	4056	msiexec.exe	102
PID 4056 wrote to memory of 3968	4056	msiexec.exe	104
PID 4056 wrote to memory of 3968	4056	msiexec.exe	104
PID 4056 wrote to memory of 3968	4056	msiexec.exe	104
PID 5048 wrote to memory of 2020	5048	installer.exe	107
PID 5048 wrote to memory of 2020	5048	installer.exe	107
PID 5048 wrote to memory of 2020	5048	installer.exe	107
PID 1196 wrote to memory of 5044	1196	rutserv.exe	110
PID 1196 wrote to memory of 5044	1196	rutserv.exe	110
PID 1196 wrote to memory of 5044	1196	rutserv.exe	110
PID 1196 wrote to memory of 4760	1196	rutserv.exe	109
PID 1196 wrote to memory of 4760	1196	rutserv.exe	109
PID 1196 wrote to memory of 4760	1196	rutserv.exe	109
PID 4760 wrote to memory of 3100	4760	rfusclient.exe	111
PID 4760 wrote to memory of 3100	4760	rfusclient.exe	111
PID 4760 wrote to memory of 3100	4760	rfusclient.exe	111

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:948
- C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer.exe
  "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer.exe" /rsetup
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:5048
- - C:\Windows\SysWOW64\msiexec.exe
    "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rms.host6.3ru_mod.msi" /qn
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2128
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\killself.bat
    3⤵
    PID:2020

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4056
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 8B8EC87EEF6777C47AF54CAF48DD3427
  2⤵
  - Loads dropped DLL
  PID:3652
- C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
  "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" /silentinstall
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:4480
- C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
  "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" /firewall
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1720
- C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
  "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" /start
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:3968

C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
"C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1196
- C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe
  "C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: SetClipboardViewer
  - Suspicious use of WriteProcessMemory
  PID:4760
- - C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe
    "C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe" /tray
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: SetClipboardViewer
    PID:3100
- C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe
  "C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe" /tray
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: SetClipboardViewer
  PID:5044

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1792 --field-trial-handle=2284,i,15722001240173834669,15048020084704567542,262144 --variations-seed-version /prefetch:8
1⤵
PID:2572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e58125d.rbs

Filesize
19KB

MD5
ae5aa0d809975c085dee3d8e996f6092

SHA1
1b026aeb336626376c7aed6e2deb68e460bb6310

SHA256
b0c9e847f237ed90a01f027f65561d0d540c73366dda39807305fb17825df820

SHA512
4ab65f223751cacac100c5b1375334422b0ee8a85a4927d7d5602e6d6395ba418591698f5f15dbdcc64fe845283508d7d476a6ade365daba0f27750bf0a72d20

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\English.lg

Filesize
43KB

MD5
bc25377ade68750b834c81fa71c233b8

SHA1
84dbb465dd2125f47668e2508e18af9bd6db2fd8

SHA256
9a48a7ea7ba2c2f33280d1e1722ebbc59bf81bc6c5a1f97edca53ea641ffd8e3

SHA512
205ab195339d7108adbe6dfabd48e4e21c5956ded587d7213a44618f0d34a43f7b8abaa7765b9d31695efacfc44beeb69fbaa3cb27c141b6a653713fdf5ebce5

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\RIPCServer.dll

Filesize
144KB

MD5
2ddfa39f5c2fd3f00681ef2970617e4b

SHA1
8152aa18afbacf398b92168995ec8696d3fe3659

SHA256
f938bdc741ef1d2738b532aef001a160e3a3627ed8a27158b7017ee49fc65791

SHA512
f89f0f02cda650c138e4ebaef198f0762dfd571ef7d46a6b3710cd93d76bc52a79055c55afca46128a9a84a795a5cb946ca93c492e07cfb503c9b27d96211e20

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\RWLN.dll

Filesize
592KB

MD5
b39dff16387f9f646c0f75b9b5e8f179

SHA1
9da1bffc4a09b8361634571471dbd649b68375f5

SHA256
835f5209242d9ca1c091d169aba841a84a9659c0ab45af8b93d922c9b1bf060c

SHA512
c5e083206df2c39234fe75baf7f4a1348955b5aa2465c9d937d68d41ea74e9a092c71c84557cbe908d33ea7420d0f30051be489f1acec3445da9a90a3fc6fcbc

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\Russian.lg

Filesize
48KB

MD5
e44e34bc285b709f08f967325d9c8be1

SHA1
e73f05c6a980ec9d006930c5343955f89579b409

SHA256
1d99a7b5f7b3daa61fa773972b1e335aa09b92411484f6ddc99d2b2894455a5b

SHA512
576b292b6e9cf022822443e050994462a6cbd9a3c60063bae9f54c78a84e75e17bb5eddf7e259a22a9d93f757cb6536c503762e2a30e75091e40c2756cde8727

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe

Filesize
711KB

MD5
0a5e10ff14ba33f1eee9e8ac3d59531b

SHA1
9c25f9ccbe8067704c3f34f81802da105223aeff

SHA256
c19c924bc78d5e50e1599e44dd38d48ec4dc4f6a4ebbb1cd0ea5189c04c58997

SHA512
637c550c61121e15cc7ff00287bb79e754d61fa224405030642181bead4e7df987169462cc209ff409ca778fad31307f4e770ec4cbe65c6690fc6b0837334147

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe

Filesize
200KB

MD5
3bb7250610663a252ffc1b55afbcbb3d

SHA1
ac29b885bd65c2d7cfde85c322732777f798c3bd

SHA256
77fdd063a9ca36f40d42c4e807aebc4f0c0099ed441a7d50d0aa6e1e59bb6d6d

SHA512
1fe0ffd178394f82f866f295d82f076e1ce0b536e2d6208d05a249df587a070fdb3dbaa46bb0efd5404f62fff83845c5ea65751ad1425236e6fc4ce4debb4987

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe

Filesize
125KB

MD5
4afa1d77fd7b306187214d643ed5fe5b

SHA1
3740b4049910875ed72eb949994d897bcfa6efe2

SHA256
37e005b923dbe556fa89affa38fd1c71d0ac96d18dc7c9f03767ef10645760b8

SHA512
5cfdc0ddc0d825c174e1c78bf342ab55cd0bc291d132a3c5cff5179fb9ed30e23936789d2db943a7f35f6856000ca8ab8440a71ba934251066a7a62276435be1

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe

Filesize
5.1MB

MD5
76ebe5fd077a62161d0ab560208b9f94

SHA1
614c218d35ba531f0bad791d52e5dcf57df5c742

SHA256
f0a653463850ce111457513e9ad3ec4443ed88c69fdf33d76e05c33ce8e1722b

SHA512
baba7b03042c4bfbf6efa9c2219ed72e393e193ee743a32501e1a5df56293b3bdf2270b92843c9333049dcfcfe52007d6e9a7bfaa0548ef268d2511cf590efde

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe

Filesize
2.2MB

MD5
9f0222125fece61f176a9908b0e679a7

SHA1
1ffb2c781316d51bbbfb0cc5786b1f066d8cfe7c

SHA256
c1631f5f8ff899efd11830ef9b75f99eb4e3904b8d57abc6f3ecb8e666530900

SHA512
78aa40c83b82cb4899c4b2bedb9680f1e51159b8ed1ce257f0467e798f1592bb06c280cc2210356f834e8364482875cc954512825991f445631a8b3939f226bd

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe

Filesize
1.8MB

MD5
d06856506509a54217d84bc77344f8d6

SHA1
977aa7dceaf4d5681dcce407ad5a7750d1b594dd

SHA256
c5a427fff5f7d62f603a37c5e058f045762f5eef71c40722a8d96fb94eee1d24

SHA512
3474c7dcaec58d6be299849415774addab4238c07ef23f54ef89b039a9b968c078d066341b6f91a9aaf0abd7802b2dc790a28de911bc88c35bf46c13d279cf59

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe

Filesize
190KB

MD5
9574053ff0825026d9e36fbaac636a9a

SHA1
9c2ed128c2aa4b37e805a9dcdb03d201149103a4

SHA256
bab50a48080b6fcd6dc0e8baad3d7f8c7b6e6d73b12aa86d71f29acf086d681a

SHA512
70d2525f95ff007c6ef9b9222b6ca9c2f470768e0f609e9196055cbf6c8bffc4e02dd17c1205594f1d558369f527ce4b6393f5e7c2a3625f41a48c49d1e326df

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe

Filesize
1.9MB

MD5
9b2ab5e1dade320ad991181c19937aea

SHA1
ba19901a4a78f89daab4c3558e2f1670613caba8

SHA256
b3aea6ec723f6178108e6f51e6480f251a9ff830b41882a281520c79ab1953a8

SHA512
b6a26c2723ffb46a6474d3e94bf83679044391a19dc9ddcd21f025d72bf7a630ad4ca2a95c5b9d6051d2d9a4ab4fabda24790d1e3434a6fa1e1c14cc31234026

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe

Filesize
1.5MB

MD5
47ff80fc5e0ca521d1f0e44b8a6a014e

SHA1
ab73c7ace30eb448e2726852fbb82ea602605248

SHA256
2e446af05fcb2018f1893e9693bb285ec1980d8753d6858d669439a839163ebb

SHA512
4b4d6c59f222bde9d75be5f52133bd4047a1804570b4d9322f2188cd75f981d9c8cc938b268861b8438b1059902f38e9f2b7ef41784c0e3a6d0de7b7dc2c7e0c

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\vp8decoder.dll

Filesize
378KB

MD5
292a1748850d1fdc91d4ec23b02d6902

SHA1
8f15f1c24e11c0b45b19c82a78f7b79b1e7f932d

SHA256
acf354ad6ed94e876b29a60c5870dd91e7b3f76cc82c1a862c92024a12404a9f

SHA512
cf7579f1169ec21d9bf3c666d416d3fe2a4f9953d4d328b182452e40043f91055d301fd4b4a21454b847dbdb0af6a61c52657caded7d6fd7e88812aceeacf704

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\vp8encoder.dll

Filesize
652KB

MD5
3970668e0f35a72e5320f0d7e3beb69f

SHA1
bae971b14861c5dd0c3bdcb02bfa64234f9b0e5a

SHA256
aa941101d81a470c81cd3689b02f6fbf84426e46ba71922340a85a2a50188655

SHA512
f747fe7e43687d971736299e8900cedac73307ef3a030b8f1846347483b49a2f72ff4ff13fc8d9a3c40165272160019ebd8cae56119c12c3183ce2d7dabc3e94

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\webmmux.dll

Filesize
258KB

MD5
038bf9f3a58560ad1130eeb85cdc1a87

SHA1
3571eb7293a2a3a5bf6eb21e1569cd151d995d1a

SHA256
d247afa3bd1ccc18e11eb099280802a61d3792a2018c476d95debf2091e9707d

SHA512
8ffa52b358841600b9122974079d22d4e11bc4214316cd85ac4d4af0e369112b6827029f74a9a9d3918db00c7fed3a9a1985e0b43da39783a748d78752ae2385

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\webmvorbisdecoder.dll

Filesize
363KB

MD5
eeb2c52abbc7eb1c029b7fec45a7f22e

SHA1
8bfeb412614e3db0a2bf0122f4d68cc27b8c3a61

SHA256
c0f0b84d587066af8f80f41a7be63b4c01547af3f1e011602ac1b6ee0ac54a2c

SHA512
0b5b83335c6f602b8397a3c2ae6d1e661d744eb27114463d53e344bf18774ccb38853d314ebe05536d4c28c29fe3fdaba041a6a46983789f064ca70881cfcb85

Download Submit
C:\Program Files (x86)\Remote Manipulator System - Host\webmvorbisencoder.dll

Filesize
599KB

MD5
a9a87bb4a73122926760c1c98644cdbf

SHA1
3e638394b80e1190438e20b0d89e6959544fe241

SHA256
01a477deeb196096b7eea35ebd0befed5d8d1da9e47f5413ba835f5386216766

SHA512
43d60a08796a39da6f9f4589ea742128d713afd74af288917bd3c129e465144e9544864a2f39bff6499def115dc831b9c79b2d49088ccbfa4e39bd197150aed0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer.exe

Filesize
4.6MB

MD5
5c2e9b897d5181f341d83b57ba94a260

SHA1
0b4db75e2f00aca9e39661902bfc9256e82a3f10

SHA256
14bf48a5661698551bdf6e48278566bf8f445fcd835f2b3f4b69b2fcb3a139ff

SHA512
d082a21d33f690c283bfb1333ea894f0078a57bee3a34b0678a5360c5188a636e3ac849e395ce6cd1e44c8a56f92eaf6b496bc6c3497c6f44890caeb6d1269bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer.exe

Filesize
4.2MB

MD5
ea4be5af2baf39e6c38f799f30a30cf7

SHA1
52d03ed797f6ad324d2e4ab509405ed7e40e561b

SHA256
6a55677b25cc4bee0b708a04abe66d78ca82617075de01afe4853ab9d6d524bd

SHA512
e2cb8f1a6f632a0e5cba9b86214368afa7b15bbc22725d0cba67fb3b7183b1095f07f94cbd06ea0dc6af7c82d20e57c88e8458ec1b7b835f06a29a10e4a35f98

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer.exe

Filesize
6.0MB

MD5
c9704931d887685d96ce92d637d84045

SHA1
0875a71e9118ded121d92f3f46a3af1ec8380f8b

SHA256
0448c45cb43585409002e01ef53442cb9f6ad58f211f5deb3ad2ca8b8d535826

SHA512
3b739394f69ec9f26ef607a0d481f1ad3d107462220c2281cbc300f16886ab3d857bee9af59b8857c7e7ae5b04e6a849eaa5e304d6935957a0a15e462375c260

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rms.host6.3ru_mod.msi

Filesize
7.4MB

MD5
73e578a44265558d3ace212869d43cbb

SHA1
d2c15578def8996ed0ae4a44754055b774b095a7

SHA256
8a6945ead42d78d963d6f2e126eebb89c0e82b02c389d4badcaa837ff49bf7f4

SHA512
fe661e19899a6f749a180e5b312fcebb2963acc92720d1c6cabba22b0ffd250f1930c9dac62f789cd4b99aff86ef0f3944ae52a583e2c1be57c9fca391be9bf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\killself.bat

Filesize
411B

MD5
c2ac85b000427a4a00f19da237aaaf86

SHA1
459ecb5e64576348e6c654724e87825772c06ea8

SHA256
b5157eceaf9b5f6448d15dcfe7011af0b44a4288f7667c5d717f042c2fba1352

SHA512
e62f711445398b0654e698c4f7d4c75bb8693e901ae99f1cf543f45ccd9532daf27bba1ceb9d180d0379a41c9a62d6ee2df30cd25b9abb05532c551a0fad814b

Download Submit
C:\Windows\Installer\MSI23A0.tmp

Filesize
125KB

MD5
b0bcc622f1fff0eec99e487fa1a4ddd9

SHA1
49aa392454bd5869fa23794196aedc38e8eea6f5

SHA256
b32687eaaad888410718875dcbff9f6a552e29c4d76af33e06e59859e1054081

SHA512
1572c1d07df2e9262d05a915d69ec4ebeb92eab50b89ce27dd290fb5a8e1de2c97d9320a3bb006834c98b3f6afcd7d2c29f039d9ca9afaa09c714406dedbc3c7

Download Submit
C:\Windows\Installer\e58125a.msi

Filesize
6.4MB

MD5
4505634f3e5588c85940427f4a3276d0

SHA1
bbc0ed98b7e548030653df7c7f28a4eee9e0076b

SHA256
9d00b8723e5427aefed1cdb68c14014cd46c0a11a8f63143926a3235cd937bf3

SHA512
c08c475db90765342417581690e8ee1e7356854663997aa386ccb924f722474c465d8d321be23d3fafbe495a8f3fdaf48b1ed9720e60a2b494be8bc5b630e12c

Download Submit
C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\server_start_C00864331B9D4391A8A26292A601EBE2.exe

Filesize
96KB

MD5
9e2c097647125ee25068784acb01d7d3

SHA1
1a90c40c7f89eec18f47f0dae3f1d5cd3a3d49b5

SHA256
b4614281771ed482970fd0d091604b3a65c7e048f7d7fa8794abd0a0c638f5d2

SHA512
e2f334f31361ea1ffc206184808cb51002486fe583dc23b4f617bead0e3940fdc97b72cda2a971e2cf00462940b31e065228f643835d156e7166e8803e3181f1

Download Submit
memory/1196-177-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/1196-184-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/1196-124-0x0000000000C20000-0x0000000000C21000-memory.dmp

Filesize
4KB

Download
memory/1196-173-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/1196-194-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/1196-159-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/1196-167-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/1196-154-0x0000000000C20000-0x0000000000C21000-memory.dmp

Filesize
4KB

Download
memory/1196-191-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/1196-149-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/1720-109-0x00000000028A0000-0x00000000028A1000-memory.dmp

Filesize
4KB

Download
memory/1720-110-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/3100-147-0x0000000000C90000-0x0000000000C91000-memory.dmp

Filesize
4KB

Download
memory/3100-148-0x0000000000400000-0x00000000009A8000-memory.dmp

Filesize
5.7MB

Download
memory/3968-115-0x0000000002760000-0x0000000002761000-memory.dmp

Filesize
4KB

Download
memory/3968-140-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/4480-106-0x0000000002850000-0x0000000002851000-memory.dmp

Filesize
4KB

Download
memory/4480-107-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/4760-142-0x0000000000B80000-0x0000000000B81000-memory.dmp

Filesize
4KB

Download
memory/4760-150-0x0000000000400000-0x00000000009A8000-memory.dmp

Filesize
5.7MB

Download
memory/4760-153-0x0000000000B80000-0x0000000000B81000-memory.dmp

Filesize
4KB

Download
memory/5044-151-0x0000000000400000-0x00000000009A8000-memory.dmp

Filesize
5.7MB

Download
memory/5044-161-0x0000000000400000-0x00000000009A8000-memory.dmp

Filesize
5.7MB

Download
memory/5044-169-0x0000000000400000-0x00000000009A8000-memory.dmp

Filesize
5.7MB

Download
memory/5044-158-0x0000000000C80000-0x0000000000C81000-memory.dmp

Filesize
4KB

Download
memory/5044-156-0x0000000000400000-0x00000000009A8000-memory.dmp

Filesize
5.7MB

Download
memory/5044-179-0x0000000000400000-0x00000000009A8000-memory.dmp

Filesize
5.7MB

Download
memory/5044-143-0x0000000000C80000-0x0000000000C81000-memory.dmp

Filesize
4KB

Download
memory/5048-137-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/5048-35-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/5048-14-0x0000000002880000-0x0000000002881000-memory.dmp

Filesize
4KB

Download