2e788cb99c13ae5c4af88902d86042d38b520ae446b87bc673c0665a70d855ff

Analysis

max time kernel
128s
max time network
128s
platform
windows10_x64
resource
win10v20201028
submitted
05-11-2020 06:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

setup-watch_9082033929.bin.exe
Size

12.6MB
MD5

866851d5c7a0536411545db4c89aaf00
SHA1

c6dcf8511d874a347f83ca324e2a6b36b69a8cc5
SHA256

aee2348118b903e5f5bcd90493f4de2eed7f2575edf2bccad25fb15391f1e7ee
SHA512

6a484075adb926209849ad39407402d10840fc1bff909c1fff4142ba1dadb00a0e0236fa2444a730fbdbe4b184898f8c67a6d024a7a4b0f13df5a3f372e8d725

Score

9^/10

discovery

Malware Config

Signatures

ServiceHost packer 35 IoCs

Detects ServiceHost packer used for .NET malware

Processes:

resource	yara_rule
behavioral2/memory/2192-19-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2192-18-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2192-20-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2192-22-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2192-21-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2192-24-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2192-25-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2192-27-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2192-26-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2192-31-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2192-32-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2192-33-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2192-34-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2192-35-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2192-37-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2192-38-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2192-39-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2192-40-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2192-42-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2192-43-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2192-45-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2192-44-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2192-46-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2192-48-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2192-49-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2192-50-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2192-51-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2192-52-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2192-53-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2192-55-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2192-57-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2192-56-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2192-58-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2192-130-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2192-131-0x0000000000000000-mapping.dmp	servicehost

Executes dropped EXE 3 IoCs

Processes:

setup-watch_9082033929.bin.tmpwmfdist.exeVideoConverter.exe

pid process

3888 setup-watch_9082033929.bin.tmp
676 wmfdist.exe
2192 VideoConverter.exe
Loads dropped DLL 3 IoCs

Processes:

setup-watch_9082033929.bin.tmpregsvr32.exeVideoConverter.exe

pid process

3888 setup-watch_9082033929.bin.tmp
2980 regsvr32.exe
2192 VideoConverter.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 5 IoCs

Processes:

setup-watch_9082033929.bin.tmp

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\xvidcore.dll	setup-watch_9082033929.bin.tmp
File opened for modification	C:\Windows\SysWOW64\xvidvfw.dll	setup-watch_9082033929.bin.tmp
File created	C:\Windows\SysWOW64\is-N35EH.tmp	setup-watch_9082033929.bin.tmp
File created	C:\Windows\SysWOW64\is-9QAF4.tmp	setup-watch_9082033929.bin.tmp
File created	C:\Windows\SysWOW64\is-VEKKA.tmp	setup-watch_9082033929.bin.tmp

Drops file in Program Files directory 49 IoCs

Processes:

setup-watch_9082033929.bin.tmp

description	ioc	process
File created	C:\Program Files (x86)\Wisoft Free Video Converter\is-Q303O.tmp	setup-watch_9082033929.bin.tmp
File created	C:\Program Files (x86)\Wisoft Free Video Converter\is-R1A8U.tmp	setup-watch_9082033929.bin.tmp
File created	C:\Program Files (x86)\Wisoft Free Video Converter\is-70G43.tmp	setup-watch_9082033929.bin.tmp
File created	C:\Program Files (x86)\Wisoft Free Video Converter\is-8TMNF.tmp	setup-watch_9082033929.bin.tmp
File created	C:\Program Files (x86)\Wisoft Free Video Converter\is-R14PH.tmp	setup-watch_9082033929.bin.tmp
File opened for modification	C:\Program Files (x86)\Wisoft Free Video Converter\unins000.dat	setup-watch_9082033929.bin.tmp
File opened for modification	C:\Program Files (x86)\Wisoft Free Video Converter\sqlite3.dll	setup-watch_9082033929.bin.tmp
File created	C:\Program Files (x86)\Wisoft Free Video Converter\is-9OR0M.tmp	setup-watch_9082033929.bin.tmp
File opened for modification	C:\Program Files (x86)\Wisoft Free Video Converter\xvidcore.dll	setup-watch_9082033929.bin.tmp
File created	C:\Program Files (x86)\Wisoft Free Video Converter\is-RGAPK.tmp	setup-watch_9082033929.bin.tmp
File created	C:\Program Files (x86)\Wisoft Free Video Converter\is-QU4V7.tmp	setup-watch_9082033929.bin.tmp
File created	C:\Program Files (x86)\Wisoft Free Video Converter\is-MRK95.tmp	setup-watch_9082033929.bin.tmp
File created	C:\Program Files (x86)\Wisoft Free Video Converter\is-FBKI3.tmp	setup-watch_9082033929.bin.tmp
File created	C:\Program Files (x86)\Wisoft Free Video Converter\is-QKJML.tmp	setup-watch_9082033929.bin.tmp
File opened for modification	C:\Program Files (x86)\Wisoft Free Video Converter\avdevice-52.dll	setup-watch_9082033929.bin.tmp
File opened for modification	C:\Program Files (x86)\Wisoft Free Video Converter\libffmpeg.dll	setup-watch_9082033929.bin.tmp
File created	C:\Program Files (x86)\Wisoft Free Video Converter\is-6PMAU.tmp	setup-watch_9082033929.bin.tmp
File created	C:\Program Files (x86)\Wisoft Free Video Converter\is-K4EB2.tmp	setup-watch_9082033929.bin.tmp
File created	C:\Program Files (x86)\Wisoft Free Video Converter\is-N6O0C.tmp	setup-watch_9082033929.bin.tmp
File opened for modification	C:\Program Files (x86)\Wisoft Free Video Converter\SkinMagicU.dll	setup-watch_9082033929.bin.tmp
File created	C:\Program Files (x86)\Wisoft Free Video Converter\unins000.dat	setup-watch_9082033929.bin.tmp
File opened for modification	C:\Program Files (x86)\Wisoft Free Video Converter\wmfdist.exe	setup-watch_9082033929.bin.tmp
File created	C:\Program Files (x86)\Wisoft Free Video Converter\is-3L24E.tmp	setup-watch_9082033929.bin.tmp
File created	C:\Program Files (x86)\Wisoft Free Video Converter\is-A4D02.tmp	setup-watch_9082033929.bin.tmp
File opened for modification	C:\Program Files (x86)\Wisoft Free Video Converter\libffplay.dll	setup-watch_9082033929.bin.tmp
File opened for modification	C:\Program Files (x86)\Wisoft Free Video Converter\MediaAssist.dll	setup-watch_9082033929.bin.tmp
File opened for modification	C:\Program Files (x86)\Wisoft Free Video Converter\SkinScroll.dll	setup-watch_9082033929.bin.tmp
File created	C:\Program Files (x86)\Wisoft Free Video Converter\is-QR4FT.tmp	setup-watch_9082033929.bin.tmp
File created	C:\Program Files (x86)\Wisoft Free Video Converter\is-44Q5J.tmp	setup-watch_9082033929.bin.tmp
File created	C:\Program Files (x86)\Wisoft Free Video Converter\is-00FKG.tmp	setup-watch_9082033929.bin.tmp
File opened for modification	C:\Program Files (x86)\Wisoft Free Video Converter\Common.dll	setup-watch_9082033929.bin.tmp
File opened for modification	C:\Program Files (x86)\Wisoft Free Video Converter\SDL.dll	setup-watch_9082033929.bin.tmp
File opened for modification	C:\Program Files (x86)\Wisoft Free Video Converter\VideoConverter.exe	setup-watch_9082033929.bin.tmp
File opened for modification	C:\Program Files (x86)\Wisoft Free Video Converter\avformat-52.dll	setup-watch_9082033929.bin.tmp
File created	C:\Program Files (x86)\Wisoft Free Video Converter\is-0JQO9.tmp	setup-watch_9082033929.bin.tmp
File created	C:\Program Files (x86)\Wisoft Free Video Converter\is-DRR9J.tmp	setup-watch_9082033929.bin.tmp
File opened for modification	C:\Program Files (x86)\Wisoft Free Video Converter\avutil-49.dll	setup-watch_9082033929.bin.tmp
File opened for modification	C:\Program Files (x86)\Wisoft Free Video Converter\CrashReport.dll	setup-watch_9082033929.bin.tmp
File opened for modification	C:\Program Files (x86)\Wisoft Free Video Converter\update.EXE	setup-watch_9082033929.bin.tmp
File created	C:\Program Files (x86)\Wisoft Free Video Converter\is-FAI15.tmp	setup-watch_9082033929.bin.tmp
File created	C:\Program Files (x86)\Wisoft Free Video Converter\is-P638E.tmp	setup-watch_9082033929.bin.tmp
File created	C:\Program Files (x86)\Wisoft Free Video Converter\is-EHGBP.tmp	setup-watch_9082033929.bin.tmp
File created	C:\Program Files (x86)\Wisoft Free Video Converter\is-13B5H.tmp	setup-watch_9082033929.bin.tmp
File created	C:\Program Files (x86)\Wisoft Free Video Converter\is-MLI0E.tmp	setup-watch_9082033929.bin.tmp
File opened for modification	C:\Program Files (x86)\Wisoft Free Video Converter\avfilter-0.dll	setup-watch_9082033929.bin.tmp
File opened for modification	C:\Program Files (x86)\Wisoft Free Video Converter\Log.dll	setup-watch_9082033929.bin.tmp
File created	C:\Program Files (x86)\Wisoft Free Video Converter\is-2NN7N.tmp	setup-watch_9082033929.bin.tmp
File opened for modification	C:\Program Files (x86)\Wisoft Free Video Converter\ImageEx.dll	setup-watch_9082033929.bin.tmp
File opened for modification	C:\Program Files (x86)\Wisoft Free Video Converter\swscale-0.dll	setup-watch_9082033929.bin.tmp

Program crash 4 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
3944	2192	WerFault.exe	VideoConverter.exe
2284	2192	WerFault.exe	VideoConverter.exe
1980	2192	WerFault.exe	VideoConverter.exe
2260	2192	WerFault.exe	VideoConverter.exe

Modifies registry class 14 IoCs

Processes:

regsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000001-4FEF-40D3-B3FA-E0531B897F98}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{64697678-0000-0010-8000-00AA00389B71}\ = "Xvid MPEG-4 Video Decoder"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{64697678-0000-0010-8000-00AA00389B71}\InprocServer32\ = "C:\\Windows\\SysWow64\\xvid.ax"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{64697678-0000-0010-8000-00AA00389B71}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{64697678-0000-0010-8000-00AA00389B71}\CLSID = "{64697678-0000-0010-8000-00AA00389B71}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{64697678-0000-0010-8000-00AA00389B71}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000001-4FEF-40D3-B3FA-E0531B897F98}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000001-4FEF-40D3-B3FA-E0531B897F98}\InprocServer32\ = "C:\\Windows\\SysWow64\\xvid.ax"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000001-4FEF-40D3-B3FA-E0531B897F98}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{64697678-0000-0010-8000-00AA00389B71}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000001-4FEF-40D3-B3FA-E0531B897F98}\ = "Xvid MPEG-4 Video DecoderAbout"	regsvr32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{64697678-0000-0010-8000-00AA00389B71}\FilterData = 020000000000800002000000000000003070693300000000000000000800000000000000000000003074793300000000d0000000e00000003174793300000000d0000000f00000003274793300000000d0000000000100003374793300000000d0000000100100003474793300000000d0000000200100003574793300000000d0000000300100003674793300000000d0000000400100003774793300000000d0000000500100003170693308000000000000000100000000000000000000003074793300000000d0000000600100007669647300001000800000aa00389b717876696400001000800000aa00389b715856494400001000800000aa00389b716469767800001000800000aa00389b714449565800001000800000aa00389b716478353000001000800000aa00389b714458353000001000800000aa00389b716d70347600001000800000aa00389b714d50345600001000800000aa00389b7100000000000000000000000000000000	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{64697678-0000-0010-8000-00AA00389B71}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{64697678-0000-0010-8000-00AA00389B71}\FriendlyName = "Xvid MPEG-4 Video Decoder"	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 60 IoCs

Processes:

setup-watch_9082033929.bin.tmpVideoConverter.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	process
3888	setup-watch_9082033929.bin.tmp
3888	setup-watch_9082033929.bin.tmp
2192	VideoConverter.exe
2192	VideoConverter.exe
3944	WerFault.exe
3944	WerFault.exe
3944	WerFault.exe
3944	WerFault.exe
3944	WerFault.exe
3944	WerFault.exe
3944	WerFault.exe
3944	WerFault.exe
3944	WerFault.exe
3944	WerFault.exe
3944	WerFault.exe
3944	WerFault.exe
3944	WerFault.exe
3944	WerFault.exe
2284	WerFault.exe
2284	WerFault.exe
2284	WerFault.exe
2284	WerFault.exe
2284	WerFault.exe
2284	WerFault.exe
2284	WerFault.exe
2284	WerFault.exe
2284	WerFault.exe
2284	WerFault.exe
2284	WerFault.exe
2284	WerFault.exe
2284	WerFault.exe
2284	WerFault.exe
1980	WerFault.exe
1980	WerFault.exe
1980	WerFault.exe
1980	WerFault.exe
1980	WerFault.exe
1980	WerFault.exe
1980	WerFault.exe
1980	WerFault.exe
1980	WerFault.exe
1980	WerFault.exe
1980	WerFault.exe
1980	WerFault.exe
1980	WerFault.exe
1980	WerFault.exe
2260	WerFault.exe
2260	WerFault.exe
2260	WerFault.exe
2260	WerFault.exe
2260	WerFault.exe
2260	WerFault.exe
2260	WerFault.exe
2260	WerFault.exe
2260	WerFault.exe
2260	WerFault.exe
2260	WerFault.exe
2260	WerFault.exe
2260	WerFault.exe
2260	WerFault.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exe

description	pid	process
Token: SeRestorePrivilege	3944	WerFault.exe
Token: SeBackupPrivilege	3944	WerFault.exe
Token: SeDebugPrivilege	3944	WerFault.exe
Token: SeDebugPrivilege	2284	WerFault.exe
Token: SeDebugPrivilege	1980	WerFault.exe
Token: SeDebugPrivilege	2260	WerFault.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

setup-watch_9082033929.bin.tmp

pid process

3888 setup-watch_9082033929.bin.tmp

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

setup-watch_9082033929.bin.exesetup-watch_9082033929.bin.tmp

description	pid	process	target process
PID 3304 wrote to memory of 3888	3304	setup-watch_9082033929.bin.exe	setup-watch_9082033929.bin.tmp
PID 3304 wrote to memory of 3888	3304	setup-watch_9082033929.bin.exe	setup-watch_9082033929.bin.tmp
PID 3304 wrote to memory of 3888	3304	setup-watch_9082033929.bin.exe	setup-watch_9082033929.bin.tmp
PID 3888 wrote to memory of 2980	3888	setup-watch_9082033929.bin.tmp	regsvr32.exe
PID 3888 wrote to memory of 2980	3888	setup-watch_9082033929.bin.tmp	regsvr32.exe
PID 3888 wrote to memory of 2980	3888	setup-watch_9082033929.bin.tmp	regsvr32.exe
PID 3888 wrote to memory of 676	3888	setup-watch_9082033929.bin.tmp	wmfdist.exe
PID 3888 wrote to memory of 676	3888	setup-watch_9082033929.bin.tmp	wmfdist.exe
PID 3888 wrote to memory of 676	3888	setup-watch_9082033929.bin.tmp	wmfdist.exe
PID 3888 wrote to memory of 2192	3888	setup-watch_9082033929.bin.tmp	VideoConverter.exe
PID 3888 wrote to memory of 2192	3888	setup-watch_9082033929.bin.tmp	VideoConverter.exe
PID 3888 wrote to memory of 2192	3888	setup-watch_9082033929.bin.tmp	VideoConverter.exe

C:\Users\Admin\AppData\Local\Temp\setup-watch_9082033929.bin.exe
"C:\Users\Admin\AppData\Local\Temp\setup-watch_9082033929.bin.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3304

C:\Users\Admin\AppData\Local\Temp\is-F3N99.tmp\setup-watch_9082033929.bin.tmp
"C:\Users\Admin\AppData\Local\Temp\is-F3N99.tmp\setup-watch_9082033929.bin.tmp" /SL5="$6005E,12470195,777216,C:\Users\Admin\AppData\Local\Temp\setup-watch_9082033929.bin.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3888

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s "C:\Windows\system32\xvid.ax"
3⤵
- Loads dropped DLL
- Modifies registry class
PID:2980

C:\Program Files (x86)\Wisoft Free Video Converter\wmfdist.exe
"C:\Program Files (x86)\Wisoft Free Video Converter\wmfdist.exe" /Q:A /R:N
3⤵
- Executes dropped EXE
PID:676

C:\Program Files (x86)\Wisoft Free Video Converter\VideoConverter.exe
"C:\Program Files (x86)\Wisoft Free Video Converter\VideoConverter.exe" setup-watch_9082033929.bin.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2192 -s 812
4⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2192 -s 784
4⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2192 -s 848
4⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2192 -s 904
4⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2260

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Wisoft Free Video Converter\VideoConverter.exe
MD5
d0c59b8b26c470aba063081b7f0131c0

SHA1
593d34f4e376534c079f48cb5ce64b43371082e2

SHA256
bb9c8ff96f41e58d770a77f7d858f7935b3f79b1f5067070a4ee2215bc9862b7

SHA512
abae72b5f43e171ee3bf7d2dd0d1941be2fcef956db6d65a4ff5b2259bc9fca0d6645b88813593ea1ce00c430f761bdb357bebd279a808395e3ca2fb6722f6fb

Download Submit
C:\Program Files (x86)\Wisoft Free Video Converter\VideoConverter.exe
MD5
d0c59b8b26c470aba063081b7f0131c0

SHA1
593d34f4e376534c079f48cb5ce64b43371082e2

SHA256
bb9c8ff96f41e58d770a77f7d858f7935b3f79b1f5067070a4ee2215bc9862b7

SHA512
abae72b5f43e171ee3bf7d2dd0d1941be2fcef956db6d65a4ff5b2259bc9fca0d6645b88813593ea1ce00c430f761bdb357bebd279a808395e3ca2fb6722f6fb

Download Submit
C:\Program Files (x86)\Wisoft Free Video Converter\sqlite3.dll
MD5
e477a96c8f2b18d6b5c27bde49c990bf

SHA1
e980c9bf41330d1e5bd04556db4646a0210f7409

SHA256
16574f51785b0e2fc29c2c61477eb47bb39f714829999511dc8952b43ab17660

SHA512
335a86268e7c0e568b1c30981ec644e6cd332e66f96d2551b58a82515316693c1859d87b4f4b7310cf1ac386cee671580fdd999c3bcb23acf2c2282c01c8798c

Download Submit
C:\Program Files (x86)\Wisoft Free Video Converter\wmfdist.exe
MD5
f59090e9a8070d7fbbdcc8895d2169a3

SHA1
370e62290cac6a6c7aa13442741caf6671437a54

SHA256
a6b53074cb4a3f9885f6e7d52c9e893b44cf4965000d899b2bf21508ac320023

SHA512
45b9d9bd43b67c39b35a0f4007a2800847e65da8f818bef4b2f5858d95235fca34708ab9b774324bc7e1eb9519ce5d2f4634034f7987c17e788d017f2fdf7d5a

Download Submit
C:\Program Files (x86)\Wisoft Free Video Converter\wmfdist.exe
MD5
f59090e9a8070d7fbbdcc8895d2169a3

SHA1
370e62290cac6a6c7aa13442741caf6671437a54

SHA256
a6b53074cb4a3f9885f6e7d52c9e893b44cf4965000d899b2bf21508ac320023

SHA512
45b9d9bd43b67c39b35a0f4007a2800847e65da8f818bef4b2f5858d95235fca34708ab9b774324bc7e1eb9519ce5d2f4634034f7987c17e788d017f2fdf7d5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-F3N99.tmp\setup-watch_9082033929.bin.tmp
MD5
67b502b6730f1e4c337f733c17d491b1

SHA1
dc7f8a86903583c3ad3031098869c44a75246aba

SHA256
5065225ea82e1f4d851fe503bd7469a72229e7ef98b1e079904a2483af0d4dea

SHA512
896dd8166619140ce66c0075a5bdfe12090840e364623da7558ddb4d7206e9aaa46f6ee472f9336bb8681808b1c863328ddb193a125bd741754de5051eefff59

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-F3N99.tmp\setup-watch_9082033929.bin.tmp
MD5
67b502b6730f1e4c337f733c17d491b1

SHA1
dc7f8a86903583c3ad3031098869c44a75246aba

SHA256
5065225ea82e1f4d851fe503bd7469a72229e7ef98b1e079904a2483af0d4dea

SHA512
896dd8166619140ce66c0075a5bdfe12090840e364623da7558ddb4d7206e9aaa46f6ee472f9336bb8681808b1c863328ddb193a125bd741754de5051eefff59

Download Submit
C:\Windows\SysWOW64\xvid.ax
MD5
1dfc887cb243a525675ce04787dedf8b

SHA1
69163fbf6a40a34ae9f27e652b01b4cc8fb2cc5f

SHA256
0969d1f5501ad4be6f969ce45f44a739b2d61a50237f75ae7b77626d6a0aff11

SHA512
160a6df0774c359a3959088fe478d237b4fa597eaa0cf1b084b77ba8fcdb08137387fa3ce91bd40e3af6d2992be048e583368644fe6fa627918e8900833adde4

Download Submit
\Program Files (x86)\Wisoft Free Video Converter\sqlite3.dll
MD5
e477a96c8f2b18d6b5c27bde49c990bf

SHA1
e980c9bf41330d1e5bd04556db4646a0210f7409

SHA256
16574f51785b0e2fc29c2c61477eb47bb39f714829999511dc8952b43ab17660

SHA512
335a86268e7c0e568b1c30981ec644e6cd332e66f96d2551b58a82515316693c1859d87b4f4b7310cf1ac386cee671580fdd999c3bcb23acf2c2282c01c8798c

Download Submit
\Users\Admin\AppData\Local\Temp\is-76NR1.tmp\_isetup\_iscrypt.dll
MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
\Windows\SysWOW64\xvid.ax
MD5
1dfc887cb243a525675ce04787dedf8b

SHA1
69163fbf6a40a34ae9f27e652b01b4cc8fb2cc5f

SHA256
0969d1f5501ad4be6f969ce45f44a739b2d61a50237f75ae7b77626d6a0aff11

SHA512
160a6df0774c359a3959088fe478d237b4fa597eaa0cf1b084b77ba8fcdb08137387fa3ce91bd40e3af6d2992be048e583368644fe6fa627918e8900833adde4

Download Submit
memory/676-7-0x0000000000000000-mapping.dmp

Download
memory/1980-41-0x0000000004E10000-0x0000000004E11000-memory.dmp

Filesize
4KB

Download
memory/1980-47-0x00000000059D0000-0x00000000059D1000-memory.dmp

Filesize
4KB

Download
memory/2192-32-0x0000000000000000-mapping.dmp

Download
memory/2192-38-0x0000000000000000-mapping.dmp

Download
memory/2192-131-0x0000000000000000-mapping.dmp

Download
memory/2192-15-0x0000000004F80000-0x0000000004F81000-memory.dmp

Filesize
4KB

Download
memory/2192-19-0x0000000000000000-mapping.dmp

Download
memory/2192-18-0x0000000000000000-mapping.dmp

Download
memory/2192-20-0x0000000000000000-mapping.dmp

Download
memory/2192-22-0x0000000000000000-mapping.dmp

Download
memory/2192-21-0x0000000000000000-mapping.dmp

Download
memory/2192-130-0x0000000000000000-mapping.dmp

Download
memory/2192-24-0x0000000000000000-mapping.dmp

Download
memory/2192-25-0x0000000000000000-mapping.dmp

Download
memory/2192-27-0x0000000000000000-mapping.dmp

Download
memory/2192-26-0x0000000000000000-mapping.dmp

Download
memory/2192-58-0x0000000000000000-mapping.dmp

Download
memory/2192-56-0x0000000000000000-mapping.dmp

Download
memory/2192-31-0x0000000000000000-mapping.dmp

Download
memory/2192-57-0x0000000000000000-mapping.dmp

Download
memory/2192-33-0x0000000000000000-mapping.dmp

Download
memory/2192-34-0x0000000000000000-mapping.dmp

Download
memory/2192-35-0x0000000000000000-mapping.dmp

Download
memory/2192-55-0x0000000000000000-mapping.dmp

Download
memory/2192-37-0x0000000000000000-mapping.dmp

Download
memory/2192-14-0x0000000004780000-0x0000000004781000-memory.dmp

Filesize
4KB

Download
memory/2192-39-0x0000000000000000-mapping.dmp

Download
memory/2192-40-0x0000000000000000-mapping.dmp

Download
memory/2192-10-0x0000000000000000-mapping.dmp

Download
memory/2192-42-0x0000000000000000-mapping.dmp

Download
memory/2192-43-0x0000000000000000-mapping.dmp

Download
memory/2192-45-0x0000000000000000-mapping.dmp

Download
memory/2192-44-0x0000000000000000-mapping.dmp

Download
memory/2192-46-0x0000000000000000-mapping.dmp

Download
memory/2192-53-0x0000000000000000-mapping.dmp

Download
memory/2192-48-0x0000000000000000-mapping.dmp

Download
memory/2192-49-0x0000000000000000-mapping.dmp

Download
memory/2192-50-0x0000000000000000-mapping.dmp

Download
memory/2192-51-0x0000000000000000-mapping.dmp

Download
memory/2192-52-0x0000000000000000-mapping.dmp

Download
memory/2260-54-0x0000000004A80000-0x0000000004A81000-memory.dmp

Filesize
4KB

Download
memory/2260-60-0x0000000005640000-0x0000000005641000-memory.dmp

Filesize
4KB

Download
memory/2284-36-0x0000000004CD0000-0x0000000004CD1000-memory.dmp

Filesize
4KB

Download
memory/2284-29-0x00000000045A0000-0x00000000045A1000-memory.dmp

Filesize
4KB

Download
memory/2284-28-0x00000000045A0000-0x00000000045A1000-memory.dmp

Filesize
4KB

Download
memory/2980-4-0x0000000000000000-mapping.dmp

Download
memory/3888-0-0x0000000000000000-mapping.dmp

Download
memory/3944-23-0x0000000005B10000-0x0000000005B11000-memory.dmp

Filesize
4KB

Download
memory/3944-16-0x0000000005050000-0x0000000005051000-memory.dmp

Filesize
4KB

Download

pid	process
3888	setup-watch_9082033929.bin.tmp
2980	regsvr32.exe
2192	VideoConverter.exe