Analysis
-
max time kernel
147s -
max time network
189s -
platform
windows7_x64 -
resource
win7-20221111-en -
resource tags
arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system -
submitted
30-11-2022 18:34
Static task
static1
Behavioral task
behavioral1
Sample
e055c80c80b7462e02dc357dfb0c336f60987611d24f29dc867d8788ca9eff6b.exe
Resource
win7-20221111-en
General
-
Target
e055c80c80b7462e02dc357dfb0c336f60987611d24f29dc867d8788ca9eff6b.exe
-
Size
4.2MB
-
MD5
183f0ac56267fcfa87570e3533b17dcb
-
SHA1
0bcb4f0d472ed346ea41f652bc89f770b78d97a2
-
SHA256
e055c80c80b7462e02dc357dfb0c336f60987611d24f29dc867d8788ca9eff6b
-
SHA512
dda8c4a0c3869112085c7d9de249e0de2978e7e3a6bd11e798ece22fd3ea233f72f028b93ca08facd100966fed56092eecafd019ce66859f9e54857e2832111b
-
SSDEEP
98304:3jJ1gKpqp+z0DKOyZhjt4UpQohV6oby9pr1adb8l:91Rp02Oy7e9oSkSmA
Malware Config
Signatures
-
ACProtect 1.3x - 1.4x DLL software 2 IoCs
Detects file using ACProtect software.
Processes:
resource yara_rule \??\c:\vp8decoder.dll acprotect \??\c:\vp8encoder.dll acprotect -
Processes:
resource yara_rule \??\c:\rutserv.exe aspack_v212_v242 C:\rutserv.exe aspack_v212_v242 C:\rutserv.exe aspack_v212_v242 C:\rutserv.exe aspack_v212_v242 C:\rutserv.exe aspack_v212_v242 C:\rutserv.exe aspack_v212_v242 C:\rutserv.exe aspack_v212_v242 \??\c:\rfusclient.exe aspack_v212_v242 C:\rutserv.exe aspack_v212_v242 C:\rfusclient.exe aspack_v212_v242 C:\rfusclient.exe aspack_v212_v242 C:\rfusclient.exe aspack_v212_v242 -
Executes dropped EXE 11 IoCs
Processes:
admi.exerutserv.exerutserv.exerutserv.exerutserv.exerutserv.exerutserv.exerfusclient.exerutserv.exerfusclient.exerfusclient.exepid process 1064 admi.exe 912 rutserv.exe 1220 rutserv.exe 1660 rutserv.exe 1256 rutserv.exe 1500 rutserv.exe 1548 rutserv.exe 1748 rfusclient.exe 1840 rutserv.exe 1744 rfusclient.exe 1216 rfusclient.exe -
Processes:
resource yara_rule \??\c:\vp8decoder.dll upx \??\c:\vp8encoder.dll upx -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Delays execution with timeout.exe 2 IoCs
Processes:
timeout.exetimeout.exepid process 1740 timeout.exe 1264 timeout.exe -
Kills process with taskkill 4 IoCs
Processes:
taskkill.exetaskkill.exetaskkill.exetaskkill.exepid process 1548 taskkill.exe 1716 taskkill.exe 632 taskkill.exe 1748 taskkill.exe -
Runs .reg file with regedit 2 IoCs
Processes:
regedit.exeregedit.exepid process 552 regedit.exe 2032 regedit.exe -
Suspicious behavior: EnumeratesProcesses 21 IoCs
Processes:
rutserv.exerutserv.exerutserv.exerutserv.exerutserv.exerutserv.exerutserv.exerfusclient.exepid process 912 rutserv.exe 912 rutserv.exe 1220 rutserv.exe 1220 rutserv.exe 1220 rutserv.exe 912 rutserv.exe 1220 rutserv.exe 912 rutserv.exe 1660 rutserv.exe 1660 rutserv.exe 1256 rutserv.exe 1256 rutserv.exe 1500 rutserv.exe 1500 rutserv.exe 1500 rutserv.exe 1500 rutserv.exe 1548 rutserv.exe 1548 rutserv.exe 1840 rutserv.exe 1840 rutserv.exe 1748 rfusclient.exe -
Suspicious behavior: SetClipboardViewer 1 IoCs
Processes:
rfusclient.exepid process 1216 rfusclient.exe -
Suspicious use of AdjustPrivilegeToken 11 IoCs
Processes:
taskkill.exetaskkill.exetaskkill.exetaskkill.exerutserv.exerutserv.exerutserv.exerutserv.exerutserv.exedescription pid process Token: SeDebugPrivilege 1548 taskkill.exe Token: SeDebugPrivilege 1716 taskkill.exe Token: SeDebugPrivilege 632 taskkill.exe Token: SeDebugPrivilege 1748 taskkill.exe Token: SeDebugPrivilege 1220 rutserv.exe Token: SeDebugPrivilege 912 rutserv.exe Token: SeDebugPrivilege 1256 rutserv.exe Token: SeTakeOwnershipPrivilege 1500 rutserv.exe Token: SeTcbPrivilege 1500 rutserv.exe Token: SeTcbPrivilege 1500 rutserv.exe Token: SeDebugPrivilege 1840 rutserv.exe -
Suspicious use of SetWindowsHookEx 7 IoCs
Processes:
rutserv.exerutserv.exerutserv.exerutserv.exerutserv.exerutserv.exerutserv.exepid process 912 rutserv.exe 1220 rutserv.exe 1660 rutserv.exe 1256 rutserv.exe 1500 rutserv.exe 1548 rutserv.exe 1840 rutserv.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
e055c80c80b7462e02dc357dfb0c336f60987611d24f29dc867d8788ca9eff6b.execmd.exeadmi.execmd.exeWScript.execmd.exedescription pid process target process PID 848 wrote to memory of 1712 848 e055c80c80b7462e02dc357dfb0c336f60987611d24f29dc867d8788ca9eff6b.exe cmd.exe PID 848 wrote to memory of 1712 848 e055c80c80b7462e02dc357dfb0c336f60987611d24f29dc867d8788ca9eff6b.exe cmd.exe PID 848 wrote to memory of 1712 848 e055c80c80b7462e02dc357dfb0c336f60987611d24f29dc867d8788ca9eff6b.exe cmd.exe PID 848 wrote to memory of 1712 848 e055c80c80b7462e02dc357dfb0c336f60987611d24f29dc867d8788ca9eff6b.exe cmd.exe PID 848 wrote to memory of 1712 848 e055c80c80b7462e02dc357dfb0c336f60987611d24f29dc867d8788ca9eff6b.exe cmd.exe PID 848 wrote to memory of 1712 848 e055c80c80b7462e02dc357dfb0c336f60987611d24f29dc867d8788ca9eff6b.exe cmd.exe PID 848 wrote to memory of 1712 848 e055c80c80b7462e02dc357dfb0c336f60987611d24f29dc867d8788ca9eff6b.exe cmd.exe PID 1712 wrote to memory of 1064 1712 cmd.exe admi.exe PID 1712 wrote to memory of 1064 1712 cmd.exe admi.exe PID 1712 wrote to memory of 1064 1712 cmd.exe admi.exe PID 1712 wrote to memory of 1064 1712 cmd.exe admi.exe PID 1712 wrote to memory of 1064 1712 cmd.exe admi.exe PID 1712 wrote to memory of 1064 1712 cmd.exe admi.exe PID 1712 wrote to memory of 1064 1712 cmd.exe admi.exe PID 1064 wrote to memory of 588 1064 admi.exe WScript.exe PID 1064 wrote to memory of 588 1064 admi.exe WScript.exe PID 1064 wrote to memory of 588 1064 admi.exe WScript.exe PID 1064 wrote to memory of 588 1064 admi.exe WScript.exe PID 1064 wrote to memory of 588 1064 admi.exe WScript.exe PID 1064 wrote to memory of 588 1064 admi.exe WScript.exe PID 1064 wrote to memory of 588 1064 admi.exe WScript.exe PID 1064 wrote to memory of 584 1064 admi.exe cmd.exe PID 1064 wrote to memory of 584 1064 admi.exe cmd.exe PID 1064 wrote to memory of 584 1064 admi.exe cmd.exe PID 1064 wrote to memory of 584 1064 admi.exe cmd.exe PID 1064 wrote to memory of 584 1064 admi.exe cmd.exe PID 1064 wrote to memory of 584 1064 admi.exe cmd.exe PID 1064 wrote to memory of 584 1064 admi.exe cmd.exe PID 584 wrote to memory of 1548 584 cmd.exe taskkill.exe PID 584 wrote to memory of 1548 584 cmd.exe taskkill.exe PID 584 wrote to memory of 1548 584 cmd.exe taskkill.exe PID 584 wrote to memory of 1548 584 cmd.exe taskkill.exe PID 584 wrote to memory of 1548 584 cmd.exe taskkill.exe PID 584 wrote to memory of 1548 584 cmd.exe taskkill.exe PID 584 wrote to memory of 1548 584 cmd.exe taskkill.exe PID 588 wrote to memory of 832 588 WScript.exe cmd.exe PID 588 wrote to memory of 832 588 WScript.exe cmd.exe PID 588 wrote to memory of 832 588 WScript.exe cmd.exe PID 588 wrote to memory of 832 588 WScript.exe cmd.exe PID 588 wrote to memory of 832 588 WScript.exe cmd.exe PID 588 wrote to memory of 832 588 WScript.exe cmd.exe PID 588 wrote to memory of 832 588 WScript.exe cmd.exe PID 832 wrote to memory of 1716 832 cmd.exe taskkill.exe PID 832 wrote to memory of 1716 832 cmd.exe taskkill.exe PID 832 wrote to memory of 1716 832 cmd.exe taskkill.exe PID 832 wrote to memory of 1716 832 cmd.exe taskkill.exe PID 832 wrote to memory of 1716 832 cmd.exe taskkill.exe PID 832 wrote to memory of 1716 832 cmd.exe taskkill.exe PID 832 wrote to memory of 1716 832 cmd.exe taskkill.exe PID 584 wrote to memory of 632 584 cmd.exe taskkill.exe PID 584 wrote to memory of 632 584 cmd.exe taskkill.exe PID 584 wrote to memory of 632 584 cmd.exe taskkill.exe PID 584 wrote to memory of 632 584 cmd.exe taskkill.exe PID 584 wrote to memory of 632 584 cmd.exe taskkill.exe PID 584 wrote to memory of 632 584 cmd.exe taskkill.exe PID 584 wrote to memory of 632 584 cmd.exe taskkill.exe PID 832 wrote to memory of 1748 832 cmd.exe taskkill.exe PID 832 wrote to memory of 1748 832 cmd.exe taskkill.exe PID 832 wrote to memory of 1748 832 cmd.exe taskkill.exe PID 832 wrote to memory of 1748 832 cmd.exe taskkill.exe PID 832 wrote to memory of 1748 832 cmd.exe taskkill.exe PID 832 wrote to memory of 1748 832 cmd.exe taskkill.exe PID 832 wrote to memory of 1748 832 cmd.exe taskkill.exe PID 584 wrote to memory of 1304 584 cmd.exe reg.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\e055c80c80b7462e02dc357dfb0c336f60987611d24f29dc867d8788ca9eff6b.exe"C:\Users\Admin\AppData\Local\Temp\e055c80c80b7462e02dc357dfb0c336f60987611d24f29dc867d8788ca9eff6b.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\tests.bat" "2⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\admi.exeadmi.exe -p12345 -dc:\3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\install.vbs"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\install.bat" "5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im rutserv.exe6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im rfusclient.exe6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\reg.exereg delete "HKLM\SYSTEM\Remote Manipulator System" /f6⤵
-
C:\Windows\SysWOW64\regedit.exeregedit /s "regedit.reg"6⤵
- Runs .reg file with regedit
-
C:\Windows\SysWOW64\timeout.exetimeout 26⤵
- Delays execution with timeout.exe
-
\??\c:\rutserv.exerutserv.exe /silentinstall6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
\??\c:\rutserv.exerutserv.exe /firewall6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
\??\c:\rutserv.exerutserv.exe /start6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\install.bat" "4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im rutserv.exe5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im rfusclient.exe5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\reg.exereg delete "HKLM\SYSTEM\Remote Manipulator System" /f5⤵
-
C:\Windows\SysWOW64\regedit.exeregedit /s "regedit.reg"5⤵
- Runs .reg file with regedit
-
C:\Windows\SysWOW64\timeout.exetimeout 25⤵
- Delays execution with timeout.exe
-
\??\c:\rutserv.exerutserv.exe /silentinstall5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
\??\c:\rutserv.exerutserv.exe /firewall5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
\??\c:\rutserv.exerutserv.exe /start5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
\??\c:\rutserv.exec:\rutserv.exe1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
\??\c:\rfusclient.exec:\rfusclient.exe /tray2⤵
- Executes dropped EXE
-
\??\c:\rfusclient.exec:\rfusclient.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
\??\c:\rfusclient.exec:\rfusclient.exe /tray3⤵
- Executes dropped EXE
- Suspicious behavior: SetClipboardViewer
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\admi.exeFilesize
4.1MB
MD566c240a84a50ff544a5ca49d714c76d4
SHA199173116f3c04acadbd943a69a68a030d6513bf1
SHA256f4da4eb7c0b7e6bbb98162a7fdf558aac39aaf9caf52531cbe2fe41bb46fec2d
SHA512075a5afbe16ba014b339de380c9689514628c84bbcb8a89321a2a6b41eb9733d48db73b702f03d0cdf4f641c060f2ca7d8e39a059cd70ff382e6e85a58e17943
-
C:\install.batFilesize
289B
MD5a60d06edbd2b022c5009b0606c1e7481
SHA1300432e9ebf424dd8e97f405ea2d64c0388c8749
SHA256b7bdf067aca5eb9fd2b83b2b17195022fb4c684680bcdb278d158e9f77db10a2
SHA512ded38d51fc5dd90f38a76613646111eb6a44f7d7db01b3e17debff4c779d0f222d7b99820785af1b1d13fa2954557ded03e11a441277668d9dfe729fe824028d
-
C:\install.vbsFilesize
117B
MD565fc32766a238ff3e95984e325357dbb
SHA13ac16a2648410be8aa75f3e2817fbf69bb0e8922
SHA256a7b067e9e4d44efe579c7cdb1e847d61af2323d3d73c6fffb22e178ae476f420
SHA512621e81fc2d0f9dd92413481864638a140bee94c7dbd31f944826b21bd6ad6b8a59e63de9f7f0025cffc0efb7f9975dde77f523510ee23ada62c152a63a22f608
-
C:\rfusclient.exeFilesize
1.5MB
MD5b8667a1e84567fcf7821bcefb6a444af
SHA19c1f91fe77ad357c8f81205d65c9067a270d61f0
SHA256dc9d875e659421a51addd8e8a362c926369e84320ab0c5d8bbb1e4d12d372fc9
SHA512ec6af663a3b41719d684f04504746f91196105ef6f8baa013b4bd02df6684eca49049d5517691f8e3a4ba6351fe35545a27f728b1d29d949e950d574a012f852
-
C:\rfusclient.exeFilesize
1.5MB
MD5b8667a1e84567fcf7821bcefb6a444af
SHA19c1f91fe77ad357c8f81205d65c9067a270d61f0
SHA256dc9d875e659421a51addd8e8a362c926369e84320ab0c5d8bbb1e4d12d372fc9
SHA512ec6af663a3b41719d684f04504746f91196105ef6f8baa013b4bd02df6684eca49049d5517691f8e3a4ba6351fe35545a27f728b1d29d949e950d574a012f852
-
C:\rfusclient.exeFilesize
1.5MB
MD5b8667a1e84567fcf7821bcefb6a444af
SHA19c1f91fe77ad357c8f81205d65c9067a270d61f0
SHA256dc9d875e659421a51addd8e8a362c926369e84320ab0c5d8bbb1e4d12d372fc9
SHA512ec6af663a3b41719d684f04504746f91196105ef6f8baa013b4bd02df6684eca49049d5517691f8e3a4ba6351fe35545a27f728b1d29d949e950d574a012f852
-
C:\rutserv.exeFilesize
1.7MB
MD537a8802017a212bb7f5255abc7857969
SHA1cb10c0d343c54538d12db8ed664d0a1fa35b6109
SHA2561699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6
SHA5124e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0
-
C:\rutserv.exeFilesize
1.7MB
MD537a8802017a212bb7f5255abc7857969
SHA1cb10c0d343c54538d12db8ed664d0a1fa35b6109
SHA2561699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6
SHA5124e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0
-
C:\rutserv.exeFilesize
1.7MB
MD537a8802017a212bb7f5255abc7857969
SHA1cb10c0d343c54538d12db8ed664d0a1fa35b6109
SHA2561699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6
SHA5124e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0
-
C:\rutserv.exeFilesize
1.7MB
MD537a8802017a212bb7f5255abc7857969
SHA1cb10c0d343c54538d12db8ed664d0a1fa35b6109
SHA2561699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6
SHA5124e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0
-
C:\rutserv.exeFilesize
1.7MB
MD537a8802017a212bb7f5255abc7857969
SHA1cb10c0d343c54538d12db8ed664d0a1fa35b6109
SHA2561699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6
SHA5124e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0
-
C:\rutserv.exeFilesize
1.7MB
MD537a8802017a212bb7f5255abc7857969
SHA1cb10c0d343c54538d12db8ed664d0a1fa35b6109
SHA2561699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6
SHA5124e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0
-
C:\rutserv.exeFilesize
1.7MB
MD537a8802017a212bb7f5255abc7857969
SHA1cb10c0d343c54538d12db8ed664d0a1fa35b6109
SHA2561699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6
SHA5124e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0
-
C:\tests.batFilesize
22B
MD5d4b0e840fe4def0621f001fde561e5b9
SHA1ddb72ac6c5a5eb438ba1c978e48922f9ea30d50f
SHA256afa70763c180373e6a669f3e5ad09141f5baa03e3d1a40e65e8ba36694c82d66
SHA5124a1c440735af0db34eabe8698a3e28ab8658d62ecced39aeee2dfeee4a75653221ef91c0362311eb92d9752efe1d24aaf49d0fd191289eb75758ed201bd3f3b6
-
\??\c:\admi.exeFilesize
4.1MB
MD566c240a84a50ff544a5ca49d714c76d4
SHA199173116f3c04acadbd943a69a68a030d6513bf1
SHA256f4da4eb7c0b7e6bbb98162a7fdf558aac39aaf9caf52531cbe2fe41bb46fec2d
SHA512075a5afbe16ba014b339de380c9689514628c84bbcb8a89321a2a6b41eb9733d48db73b702f03d0cdf4f641c060f2ca7d8e39a059cd70ff382e6e85a58e17943
-
\??\c:\regedit.regFilesize
11KB
MD554b11bea17cfd51834a5e6cc265f1637
SHA11aa9823410a37e8e9a11b81b9b33f9e03f310ad7
SHA25612af76d157ec14db12588aa0e97d2b0e69f822e2e83ba5909fdfd201f90c6378
SHA5128b534df7d61c8ba1a55d2b51c4aae9074278a22a82a732ce199e08871fc0ff2b50c0db352ab52b3e1abcf9c5efc473ab33180a2df01423ec28203aa561fcbaf2
-
\??\c:\rfusclient.exeFilesize
1.5MB
MD5b8667a1e84567fcf7821bcefb6a444af
SHA19c1f91fe77ad357c8f81205d65c9067a270d61f0
SHA256dc9d875e659421a51addd8e8a362c926369e84320ab0c5d8bbb1e4d12d372fc9
SHA512ec6af663a3b41719d684f04504746f91196105ef6f8baa013b4bd02df6684eca49049d5517691f8e3a4ba6351fe35545a27f728b1d29d949e950d574a012f852
-
\??\c:\rutserv.exeFilesize
1.7MB
MD537a8802017a212bb7f5255abc7857969
SHA1cb10c0d343c54538d12db8ed664d0a1fa35b6109
SHA2561699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6
SHA5124e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0
-
\??\c:\vp8decoder.dllFilesize
155KB
MD588318158527985702f61d169434a4940
SHA13cc751ba256b5727eb0713aad6f554ff1e7bca57
SHA2564c04d7968a9fe9d9258968d3a722263334bbf5f8af972f206a71f17fa293aa74
SHA5125d88562b6c6d2a5b14390512712819238cd838914f7c48a27f017827cb9b825c24ff05a30333427acec93cd836e8f04158b86d17e6ac3dd62c55b2e2ff4e2aff
-
\??\c:\vp8encoder.dllFilesize
593KB
MD56298c0af3d1d563834a218a9cc9f54bd
SHA10185cd591e454ed072e5a5077b25c612f6849dc9
SHA25681af82019d9f45a697a8ca1788f2c5c0205af9892efd94879dedf4bc06db4172
SHA512389d89053689537cdb582c0e8a7951a84549f0c36484db4346c31bdbe7cb93141f6a354069eb13e550297dc8ec35cd6899746e0c16abc876a0fe542cc450fffe
-
memory/552-82-0x0000000000000000-mapping.dmp
-
memory/584-64-0x0000000000000000-mapping.dmp
-
memory/584-163-0x0000000002120000-0x00000000027D9000-memory.dmpFilesize
6.7MB
-
memory/584-172-0x0000000002120000-0x00000000027D9000-memory.dmpFilesize
6.7MB
-
memory/584-109-0x0000000002120000-0x00000000027D9000-memory.dmpFilesize
6.7MB
-
memory/588-62-0x0000000000000000-mapping.dmp
-
memory/632-74-0x0000000000000000-mapping.dmp
-
memory/832-70-0x0000000000000000-mapping.dmp
-
memory/832-121-0x0000000002330000-0x00000000029E9000-memory.dmpFilesize
6.7MB
-
memory/832-108-0x0000000002330000-0x00000000029E9000-memory.dmpFilesize
6.7MB
-
memory/848-54-0x00000000766F1000-0x00000000766F3000-memory.dmpFilesize
8KB
-
memory/912-104-0x0000000000400000-0x0000000000AB9000-memory.dmpFilesize
6.7MB
-
memory/912-101-0x0000000000400000-0x0000000000AB9000-memory.dmpFilesize
6.7MB
-
memory/912-106-0x0000000000400000-0x0000000000AB9000-memory.dmpFilesize
6.7MB
-
memory/912-107-0x0000000000400000-0x0000000000AB9000-memory.dmpFilesize
6.7MB
-
memory/912-99-0x0000000000400000-0x0000000000AB9000-memory.dmpFilesize
6.7MB
-
memory/912-93-0x0000000000000000-mapping.dmp
-
memory/912-110-0x0000000000400000-0x0000000000AB9000-memory.dmpFilesize
6.7MB
-
memory/912-112-0x0000000000400000-0x0000000000AB9000-memory.dmpFilesize
6.7MB
-
memory/1064-59-0x0000000000000000-mapping.dmp
-
memory/1216-185-0x0000000000000000-mapping.dmp
-
memory/1216-193-0x0000000000400000-0x00000000009B6000-memory.dmpFilesize
5.7MB
-
memory/1220-102-0x0000000000400000-0x0000000000AB9000-memory.dmpFilesize
6.7MB
-
memory/1220-111-0x0000000000400000-0x0000000000AB9000-memory.dmpFilesize
6.7MB
-
memory/1220-105-0x0000000000400000-0x0000000000AB9000-memory.dmpFilesize
6.7MB
-
memory/1220-98-0x0000000000400000-0x0000000000AB9000-memory.dmpFilesize
6.7MB
-
memory/1220-141-0x0000000000400000-0x0000000000AB9000-memory.dmpFilesize
6.7MB
-
memory/1220-103-0x0000000000400000-0x0000000000AB9000-memory.dmpFilesize
6.7MB
-
memory/1220-100-0x0000000000400000-0x0000000000AB9000-memory.dmpFilesize
6.7MB
-
memory/1220-92-0x0000000000000000-mapping.dmp
-
memory/1256-124-0x0000000000000000-mapping.dmp
-
memory/1256-131-0x0000000000400000-0x0000000000AB9000-memory.dmpFilesize
6.7MB
-
memory/1256-169-0x0000000000400000-0x0000000000AB9000-memory.dmpFilesize
6.7MB
-
memory/1256-132-0x0000000000400000-0x0000000000AB9000-memory.dmpFilesize
6.7MB
-
memory/1256-128-0x0000000000400000-0x0000000000AB9000-memory.dmpFilesize
6.7MB
-
memory/1256-127-0x0000000000400000-0x0000000000AB9000-memory.dmpFilesize
6.7MB
-
memory/1256-129-0x0000000000400000-0x0000000000AB9000-memory.dmpFilesize
6.7MB
-
memory/1264-87-0x0000000000000000-mapping.dmp
-
memory/1304-78-0x0000000000000000-mapping.dmp
-
memory/1500-164-0x0000000002710000-0x0000000002CC6000-memory.dmpFilesize
5.7MB
-
memory/1500-135-0x0000000000400000-0x0000000000AB9000-memory.dmpFilesize
6.7MB
-
memory/1500-136-0x0000000000400000-0x0000000000AB9000-memory.dmpFilesize
6.7MB
-
memory/1500-137-0x0000000000400000-0x0000000000AB9000-memory.dmpFilesize
6.7MB
-
memory/1500-138-0x0000000000400000-0x0000000000AB9000-memory.dmpFilesize
6.7MB
-
memory/1500-139-0x0000000000400000-0x0000000000AB9000-memory.dmpFilesize
6.7MB
-
memory/1500-140-0x0000000000400000-0x0000000000AB9000-memory.dmpFilesize
6.7MB
-
memory/1548-151-0x0000000000400000-0x0000000000AB9000-memory.dmpFilesize
6.7MB
-
memory/1548-152-0x0000000000400000-0x0000000000AB9000-memory.dmpFilesize
6.7MB
-
memory/1548-142-0x0000000000000000-mapping.dmp
-
memory/1548-68-0x0000000000000000-mapping.dmp
-
memory/1548-153-0x0000000000400000-0x0000000000AB9000-memory.dmpFilesize
6.7MB
-
memory/1548-148-0x0000000000400000-0x0000000000AB9000-memory.dmpFilesize
6.7MB
-
memory/1548-149-0x0000000000400000-0x0000000000AB9000-memory.dmpFilesize
6.7MB
-
memory/1548-150-0x0000000000400000-0x0000000000AB9000-memory.dmpFilesize
6.7MB
-
memory/1660-113-0x0000000000000000-mapping.dmp
-
memory/1660-119-0x0000000000400000-0x0000000000AB9000-memory.dmpFilesize
6.7MB
-
memory/1660-118-0x0000000000400000-0x0000000000AB9000-memory.dmpFilesize
6.7MB
-
memory/1660-120-0x0000000000400000-0x0000000000AB9000-memory.dmpFilesize
6.7MB
-
memory/1660-122-0x0000000000400000-0x0000000000AB9000-memory.dmpFilesize
6.7MB
-
memory/1660-123-0x0000000000400000-0x0000000000AB9000-memory.dmpFilesize
6.7MB
-
memory/1660-117-0x0000000000400000-0x0000000000AB9000-memory.dmpFilesize
6.7MB
-
memory/1660-116-0x0000000000400000-0x0000000000AB9000-memory.dmpFilesize
6.7MB
-
memory/1712-55-0x0000000000000000-mapping.dmp
-
memory/1716-72-0x0000000000000000-mapping.dmp
-
memory/1740-88-0x0000000000000000-mapping.dmp
-
memory/1744-156-0x0000000000000000-mapping.dmp
-
memory/1744-175-0x0000000000400000-0x00000000009B6000-memory.dmpFilesize
5.7MB
-
memory/1744-177-0x0000000000400000-0x00000000009B6000-memory.dmpFilesize
5.7MB
-
memory/1748-154-0x0000000000000000-mapping.dmp
-
memory/1748-165-0x0000000000400000-0x00000000009B6000-memory.dmpFilesize
5.7MB
-
memory/1748-176-0x0000000000400000-0x00000000009B6000-memory.dmpFilesize
5.7MB
-
memory/1748-178-0x0000000000400000-0x00000000009B6000-memory.dmpFilesize
5.7MB
-
memory/1748-76-0x0000000000000000-mapping.dmp
-
memory/1840-167-0x0000000000400000-0x0000000000AB9000-memory.dmpFilesize
6.7MB
-
memory/1840-174-0x0000000000400000-0x0000000000AB9000-memory.dmpFilesize
6.7MB
-
memory/1840-173-0x0000000000400000-0x0000000000AB9000-memory.dmpFilesize
6.7MB
-
memory/1840-171-0x0000000000400000-0x0000000000AB9000-memory.dmpFilesize
6.7MB
-
memory/1840-170-0x0000000000400000-0x0000000000AB9000-memory.dmpFilesize
6.7MB
-
memory/1840-168-0x0000000000400000-0x0000000000AB9000-memory.dmpFilesize
6.7MB
-
memory/1840-158-0x0000000000000000-mapping.dmp
-
memory/1972-79-0x0000000000000000-mapping.dmp
-
memory/2032-83-0x0000000000000000-mapping.dmp