263d6b2245bb27595fc36a4f9d06817219bcc59c782fb9f551de7fbb0ac013d8

Analysis

max time kernel
99s
max time network
137s
platform
windows10_x64
resource
win10v20201028
submitted
17-11-2020 12:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9e1f84cf304b5797d62d52f8dcc7c415.exe
Size

11.4MB
MD5

80110d66d054e0874e345ab990460189
SHA1

04d91a89a9c8fea438d46e25a38d3a54664d718a
SHA256

263d6b2245bb27595fc36a4f9d06817219bcc59c782fb9f551de7fbb0ac013d8
SHA512

c384f9202446dd4e7d77aa3b96e6c26dd7104436f75c9e745733a048e57495dc53dd077fd54a3f8594470ee4fd61df2235d7fe15c302cec4d282c744ed26b951

Score

9^/10

discovery

Malware Config

Signatures

ServiceHost packer 112 IoCs

Detects ServiceHost packer used for .NET malware

Processes:

resource	yara_rule
behavioral2/memory/2624-19-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2624-18-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2624-20-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2624-21-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2624-22-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2624-24-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2624-25-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2624-26-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2624-27-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2624-29-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2624-30-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2624-31-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2624-32-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2624-33-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2624-34-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2624-36-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2624-37-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2624-38-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2624-39-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2624-40-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2624-42-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2624-43-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2624-44-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2624-45-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2624-46-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2624-47-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2624-50-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2624-49-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2624-51-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2624-52-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2624-53-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2624-56-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2624-57-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2624-58-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2624-55-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2624-59-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2624-60-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2624-62-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2624-63-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2624-64-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2624-65-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2624-66-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2624-67-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2624-69-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2624-70-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2624-72-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2624-73-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2624-71-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2624-74-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2624-75-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2624-76-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2624-78-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2624-79-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2624-80-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2624-81-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2624-83-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2624-84-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2624-82-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2624-86-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2624-87-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2624-88-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2624-89-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2624-90-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/2624-91-0x0000000000000000-mapping.dmp	servicehost

Executes dropped EXE 3 IoCs

Processes:

9e1f84cf304b5797d62d52f8dcc7c415.tmpwmfdist.exeAVSVideoBurner.exe

pid process

3548 9e1f84cf304b5797d62d52f8dcc7c415.tmp
2892 wmfdist.exe
2624 AVSVideoBurner.exe

Loads dropped DLL 4 IoCs

Processes:

9e1f84cf304b5797d62d52f8dcc7c415.tmpAVSVideoBurner.exe

pid	process
3548	9e1f84cf304b5797d62d52f8dcc7c415.tmp
3548	9e1f84cf304b5797d62d52f8dcc7c415.tmp
3548	9e1f84cf304b5797d62d52f8dcc7c415.tmp
2624	AVSVideoBurner.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 11 IoCs

Processes:

9e1f84cf304b5797d62d52f8dcc7c415.tmp

description	ioc	process
File created	C:\Program Files (x86)\Common Files\AVSMedia\BurnerService\is-J0COL.tmp	9e1f84cf304b5797d62d52f8dcc7c415.tmp
File created	C:\Program Files (x86)\Common Files\AVSMedia\BurnerService\is-6HQ15.tmp	9e1f84cf304b5797d62d52f8dcc7c415.tmp
File created	C:\Program Files (x86)\Common Files\AVSMedia\BurnerService\is-7E9C1.tmp	9e1f84cf304b5797d62d52f8dcc7c415.tmp
File created	C:\Program Files (x86)\Common Files\AVSMedia\BurnerService\is-GT3NP.tmp	9e1f84cf304b5797d62d52f8dcc7c415.tmp
File created	C:\Program Files (x86)\Common Files\AVSMedia\BurnerService\is-P7AA2.tmp	9e1f84cf304b5797d62d52f8dcc7c415.tmp
File opened for modification	C:\Program Files (x86)\Common Files\AVSMedia\BurnerService\sqlite3.dll	9e1f84cf304b5797d62d52f8dcc7c415.tmp
File created	C:\Program Files (x86)\Common Files\AVSMedia\BurnerService\unins000.dat	9e1f84cf304b5797d62d52f8dcc7c415.tmp
File created	C:\Program Files (x86)\Common Files\AVSMedia\BurnerService\is-LCLQP.tmp	9e1f84cf304b5797d62d52f8dcc7c415.tmp
File opened for modification	C:\Program Files (x86)\Common Files\AVSMedia\BurnerService\unins000.dat	9e1f84cf304b5797d62d52f8dcc7c415.tmp
File opened for modification	C:\Program Files (x86)\Common Files\AVSMedia\BurnerService\AVSVideoBurner.exe	9e1f84cf304b5797d62d52f8dcc7c415.tmp
File opened for modification	C:\Program Files (x86)\Common Files\AVSMedia\BurnerService\wmfdist.exe	9e1f84cf304b5797d62d52f8dcc7c415.tmp

Program crash 8 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
2972	2624	WerFault.exe	AVSVideoBurner.exe
1492	2624	WerFault.exe	AVSVideoBurner.exe
3864	2624	WerFault.exe	AVSVideoBurner.exe
3672	2624	WerFault.exe	AVSVideoBurner.exe
632	2624	WerFault.exe	AVSVideoBurner.exe
736	2624	WerFault.exe	AVSVideoBurner.exe
3912	2624	WerFault.exe	AVSVideoBurner.exe
3592	2624	WerFault.exe	AVSVideoBurner.exe

Suspicious behavior: EnumeratesProcesses 118 IoCs

Processes:

9e1f84cf304b5797d62d52f8dcc7c415.tmpAVSVideoBurner.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	process
3548	9e1f84cf304b5797d62d52f8dcc7c415.tmp
3548	9e1f84cf304b5797d62d52f8dcc7c415.tmp
2624	AVSVideoBurner.exe
2624	AVSVideoBurner.exe
2972	WerFault.exe
2972	WerFault.exe
2972	WerFault.exe
2972	WerFault.exe
2972	WerFault.exe
2972	WerFault.exe
2972	WerFault.exe
2972	WerFault.exe
2972	WerFault.exe
2972	WerFault.exe
2972	WerFault.exe
2972	WerFault.exe
2972	WerFault.exe
2972	WerFault.exe
1492	WerFault.exe
1492	WerFault.exe
1492	WerFault.exe
1492	WerFault.exe
1492	WerFault.exe
1492	WerFault.exe
1492	WerFault.exe
1492	WerFault.exe
1492	WerFault.exe
1492	WerFault.exe
1492	WerFault.exe
1492	WerFault.exe
1492	WerFault.exe
1492	WerFault.exe
3864	WerFault.exe
3864	WerFault.exe
3864	WerFault.exe
3864	WerFault.exe
3864	WerFault.exe
3864	WerFault.exe
3864	WerFault.exe
3864	WerFault.exe
3864	WerFault.exe
3864	WerFault.exe
3864	WerFault.exe
3864	WerFault.exe
3864	WerFault.exe
3864	WerFault.exe
3672	WerFault.exe
3672	WerFault.exe
3672	WerFault.exe
3672	WerFault.exe
3672	WerFault.exe
3672	WerFault.exe
3672	WerFault.exe
3672	WerFault.exe
3672	WerFault.exe
3672	WerFault.exe
3672	WerFault.exe
3672	WerFault.exe
3672	WerFault.exe
3672	WerFault.exe
632	WerFault.exe
632	WerFault.exe
632	WerFault.exe
632	WerFault.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

description	pid	process
Token: SeRestorePrivilege	2972	WerFault.exe
Token: SeBackupPrivilege	2972	WerFault.exe
Token: SeDebugPrivilege	2972	WerFault.exe
Token: SeDebugPrivilege	1492	WerFault.exe
Token: SeDebugPrivilege	3864	WerFault.exe
Token: SeDebugPrivilege	3672	WerFault.exe
Token: SeDebugPrivilege	632	WerFault.exe
Token: SeDebugPrivilege	736	WerFault.exe
Token: SeDebugPrivilege	3912	WerFault.exe
Token: SeDebugPrivilege	3592	WerFault.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

9e1f84cf304b5797d62d52f8dcc7c415.tmp

pid process

3548 9e1f84cf304b5797d62d52f8dcc7c415.tmp

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

9e1f84cf304b5797d62d52f8dcc7c415.exe9e1f84cf304b5797d62d52f8dcc7c415.tmp

description	pid	process	target process
PID 728 wrote to memory of 3548	728	9e1f84cf304b5797d62d52f8dcc7c415.exe	9e1f84cf304b5797d62d52f8dcc7c415.tmp
PID 728 wrote to memory of 3548	728	9e1f84cf304b5797d62d52f8dcc7c415.exe	9e1f84cf304b5797d62d52f8dcc7c415.tmp
PID 728 wrote to memory of 3548	728	9e1f84cf304b5797d62d52f8dcc7c415.exe	9e1f84cf304b5797d62d52f8dcc7c415.tmp
PID 3548 wrote to memory of 2892	3548	9e1f84cf304b5797d62d52f8dcc7c415.tmp	wmfdist.exe
PID 3548 wrote to memory of 2892	3548	9e1f84cf304b5797d62d52f8dcc7c415.tmp	wmfdist.exe
PID 3548 wrote to memory of 2892	3548	9e1f84cf304b5797d62d52f8dcc7c415.tmp	wmfdist.exe
PID 3548 wrote to memory of 2624	3548	9e1f84cf304b5797d62d52f8dcc7c415.tmp	AVSVideoBurner.exe
PID 3548 wrote to memory of 2624	3548	9e1f84cf304b5797d62d52f8dcc7c415.tmp	AVSVideoBurner.exe
PID 3548 wrote to memory of 2624	3548	9e1f84cf304b5797d62d52f8dcc7c415.tmp	AVSVideoBurner.exe

C:\Users\Admin\AppData\Local\Temp\9e1f84cf304b5797d62d52f8dcc7c415.exe
"C:\Users\Admin\AppData\Local\Temp\9e1f84cf304b5797d62d52f8dcc7c415.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:728

C:\Users\Admin\AppData\Local\Temp\is-D2ECT.tmp\9e1f84cf304b5797d62d52f8dcc7c415.tmp
"C:\Users\Admin\AppData\Local\Temp\is-D2ECT.tmp\9e1f84cf304b5797d62d52f8dcc7c415.tmp" /SL5="$6005E,11206721,1061376,C:\Users\Admin\AppData\Local\Temp\9e1f84cf304b5797d62d52f8dcc7c415.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3548

C:\Program Files (x86)\Common Files\AVSMedia\BurnerService\wmfdist.exe
"C:\Program Files (x86)\Common Files\AVSMedia\BurnerService\wmfdist.exe" /Q:A /R:N
3⤵
- Executes dropped EXE
PID:2892

C:\Program Files (x86)\Common Files\AVSMedia\BurnerService\AVSVideoBurner.exe
"C:\Program Files (x86)\Common Files\AVSMedia\BurnerService\AVSVideoBurner.exe" 9e1f84cf304b5797d62d52f8dcc7c415.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2624 -s 844
4⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2624 -s 824
4⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2624 -s 848
4⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2624 -s 860
4⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2624 -s 868
4⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2624 -s 768
4⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2624 -s 892
4⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:3912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2624 -s 880
4⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:3592

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\AVSMedia\BurnerService\AVSVideoBurner.exe
MD5
3459ed26c46c1beb98cc6f0b551b5e96

SHA1
019c4316755d04bd75ec058b7c1c94de56eecfc0

SHA256
ef8a0a3eb0fdd2134b3095e89af7f3dc4165394d6c652b14518dc4442f3ac6d0

SHA512
a2f0d3e445e739c05d33ad4240daf5ab4d63e8d54f71588ec2d60d11cdbe26dd99d3709b045f8cbc6bfbfb6f45cb98c46757d31c588e9e3c1bd1c425e1a896fe

Download Submit
C:\Program Files (x86)\Common Files\AVSMedia\BurnerService\AVSVideoBurner.exe
MD5
3459ed26c46c1beb98cc6f0b551b5e96

SHA1
019c4316755d04bd75ec058b7c1c94de56eecfc0

SHA256
ef8a0a3eb0fdd2134b3095e89af7f3dc4165394d6c652b14518dc4442f3ac6d0

SHA512
a2f0d3e445e739c05d33ad4240daf5ab4d63e8d54f71588ec2d60d11cdbe26dd99d3709b045f8cbc6bfbfb6f45cb98c46757d31c588e9e3c1bd1c425e1a896fe

Download Submit
C:\Program Files (x86)\Common Files\AVSMedia\BurnerService\sqlite3.dll
MD5
e477a96c8f2b18d6b5c27bde49c990bf

SHA1
e980c9bf41330d1e5bd04556db4646a0210f7409

SHA256
16574f51785b0e2fc29c2c61477eb47bb39f714829999511dc8952b43ab17660

SHA512
335a86268e7c0e568b1c30981ec644e6cd332e66f96d2551b58a82515316693c1859d87b4f4b7310cf1ac386cee671580fdd999c3bcb23acf2c2282c01c8798c

Download Submit
C:\Program Files (x86)\Common Files\AVSMedia\BurnerService\wmfdist.exe
MD5
f59090e9a8070d7fbbdcc8895d2169a3

SHA1
370e62290cac6a6c7aa13442741caf6671437a54

SHA256
a6b53074cb4a3f9885f6e7d52c9e893b44cf4965000d899b2bf21508ac320023

SHA512
45b9d9bd43b67c39b35a0f4007a2800847e65da8f818bef4b2f5858d95235fca34708ab9b774324bc7e1eb9519ce5d2f4634034f7987c17e788d017f2fdf7d5a

Download Submit
C:\Program Files (x86)\Common Files\AVSMedia\BurnerService\wmfdist.exe
MD5
f59090e9a8070d7fbbdcc8895d2169a3

SHA1
370e62290cac6a6c7aa13442741caf6671437a54

SHA256
a6b53074cb4a3f9885f6e7d52c9e893b44cf4965000d899b2bf21508ac320023

SHA512
45b9d9bd43b67c39b35a0f4007a2800847e65da8f818bef4b2f5858d95235fca34708ab9b774324bc7e1eb9519ce5d2f4634034f7987c17e788d017f2fdf7d5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-D2ECT.tmp\9e1f84cf304b5797d62d52f8dcc7c415.tmp
MD5
24ab457083d41b6fe33984e472849f80

SHA1
6018bb3406f75d31c8624cba1d41931d583f7f7f

SHA256
4f36947eb15991ea817310e90277ec972dd46fa9fe17b8bfe8a6c7173beaf71f

SHA512
94a54565347b20f74683e8b165ded24011faca9d34f576daefd7dded5d026619729f7ad0a6edb51c738f11c81bfbcc72f63b84f13cacab981298c873277507ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-D2ECT.tmp\9e1f84cf304b5797d62d52f8dcc7c415.tmp
MD5
24ab457083d41b6fe33984e472849f80

SHA1
6018bb3406f75d31c8624cba1d41931d583f7f7f

SHA256
4f36947eb15991ea817310e90277ec972dd46fa9fe17b8bfe8a6c7173beaf71f

SHA512
94a54565347b20f74683e8b165ded24011faca9d34f576daefd7dded5d026619729f7ad0a6edb51c738f11c81bfbcc72f63b84f13cacab981298c873277507ac

Download Submit
\Program Files (x86)\Common Files\AVSMedia\BurnerService\sqlite3.dll
MD5
e477a96c8f2b18d6b5c27bde49c990bf

SHA1
e980c9bf41330d1e5bd04556db4646a0210f7409

SHA256
16574f51785b0e2fc29c2c61477eb47bb39f714829999511dc8952b43ab17660

SHA512
335a86268e7c0e568b1c30981ec644e6cd332e66f96d2551b58a82515316693c1859d87b4f4b7310cf1ac386cee671580fdd999c3bcb23acf2c2282c01c8798c

Download Submit
\Users\Admin\AppData\Local\Temp\is-RD7KV.tmp\_isetup\_iscrypt.dll
MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
\Users\Admin\AppData\Local\Temp\is-RD7KV.tmp\_isetup\_isdecmp.dll
MD5
77d6d961f71a8c558513bed6fd0ad6f1

SHA1
122bb9ed6704b72250e4e31b5d5fc2f0476c4b6a

SHA256
5da7c8d33d3b7db46277012d92875c0b850c8abf1eb3c8c9c5b9532089a0bcf0

SHA512
b0921e2442b4cdec8cc479ba3751a01c0646a4804e2f4a5d5632fa2dbf54cc45d4cccffa4d5b522d42afc2f6a622e07882ed7e663c8462333b082e82503f335a

Download Submit
\Users\Admin\AppData\Local\Temp\is-RD7KV.tmp\_isetup\_isdecmp.dll
MD5
77d6d961f71a8c558513bed6fd0ad6f1

SHA1
122bb9ed6704b72250e4e31b5d5fc2f0476c4b6a

SHA256
5da7c8d33d3b7db46277012d92875c0b850c8abf1eb3c8c9c5b9532089a0bcf0

SHA512
b0921e2442b4cdec8cc479ba3751a01c0646a4804e2f4a5d5632fa2dbf54cc45d4cccffa4d5b522d42afc2f6a622e07882ed7e663c8462333b082e82503f335a

Download Submit
memory/632-77-0x0000000005480000-0x0000000005481000-memory.dmp

Filesize
4KB

Download
memory/632-68-0x0000000004B00000-0x0000000004B01000-memory.dmp

Filesize
4KB

Download
memory/736-94-0x00000000053E0000-0x00000000053E1000-memory.dmp

Filesize
4KB

Download
memory/736-85-0x0000000004960000-0x0000000004961000-memory.dmp

Filesize
4KB

Download
memory/1492-28-0x00000000040E0000-0x00000000040E1000-memory.dmp

Filesize
4KB

Download
memory/1492-35-0x0000000004C60000-0x0000000004C61000-memory.dmp

Filesize
4KB

Download
memory/1820-154-0x00000000050E0000-0x00000000050E1000-memory.dmp

Filesize
4KB

Download
memory/1820-146-0x00000000044A0000-0x00000000044A1000-memory.dmp

Filesize
4KB

Download
memory/2624-78-0x0000000000000000-mapping.dmp

Download
memory/2624-88-0x0000000000000000-mapping.dmp

Download
memory/2624-21-0x0000000000000000-mapping.dmp

Download
memory/2624-22-0x0000000000000000-mapping.dmp

Download
memory/2624-156-0x0000000000000000-mapping.dmp

Download
memory/2624-24-0x0000000000000000-mapping.dmp

Download
memory/2624-25-0x0000000000000000-mapping.dmp

Download
memory/2624-26-0x0000000000000000-mapping.dmp

Download
memory/2624-27-0x0000000000000000-mapping.dmp

Download
memory/2624-18-0x0000000000000000-mapping.dmp

Download
memory/2624-29-0x0000000000000000-mapping.dmp

Download
memory/2624-30-0x0000000000000000-mapping.dmp

Download
memory/2624-31-0x0000000000000000-mapping.dmp

Download
memory/2624-32-0x0000000000000000-mapping.dmp

Download
memory/2624-33-0x0000000000000000-mapping.dmp

Download
memory/2624-34-0x0000000000000000-mapping.dmp

Download
memory/2624-19-0x0000000000000000-mapping.dmp

Download
memory/2624-36-0x0000000000000000-mapping.dmp

Download
memory/2624-37-0x0000000000000000-mapping.dmp

Download
memory/2624-38-0x0000000000000000-mapping.dmp

Download
memory/2624-39-0x0000000000000000-mapping.dmp

Download
memory/2624-40-0x0000000000000000-mapping.dmp

Download
memory/2624-158-0x0000000000000000-mapping.dmp

Download
memory/2624-42-0x0000000000000000-mapping.dmp

Download
memory/2624-43-0x0000000000000000-mapping.dmp

Download
memory/2624-44-0x0000000000000000-mapping.dmp

Download
memory/2624-45-0x0000000000000000-mapping.dmp

Download
memory/2624-46-0x0000000000000000-mapping.dmp

Download
memory/2624-47-0x0000000000000000-mapping.dmp

Download
memory/2624-157-0x0000000000000000-mapping.dmp

Download
memory/2624-50-0x0000000000000000-mapping.dmp

Download
memory/2624-49-0x0000000000000000-mapping.dmp

Download
memory/2624-51-0x0000000000000000-mapping.dmp

Download
memory/2624-52-0x0000000000000000-mapping.dmp

Download
memory/2624-53-0x0000000000000000-mapping.dmp

Download
memory/2624-155-0x0000000000000000-mapping.dmp

Download
memory/2624-56-0x0000000000000000-mapping.dmp

Download
memory/2624-57-0x0000000000000000-mapping.dmp

Download
memory/2624-58-0x0000000000000000-mapping.dmp

Download
memory/2624-55-0x0000000000000000-mapping.dmp

Download
memory/2624-59-0x0000000000000000-mapping.dmp

Download
memory/2624-60-0x0000000000000000-mapping.dmp

Download
memory/2624-148-0x0000000000000000-mapping.dmp

Download
memory/2624-62-0x0000000000000000-mapping.dmp

Download
memory/2624-63-0x0000000000000000-mapping.dmp

Download
memory/2624-64-0x0000000000000000-mapping.dmp

Download
memory/2624-65-0x0000000000000000-mapping.dmp

Download
memory/2624-66-0x0000000000000000-mapping.dmp

Download
memory/2624-67-0x0000000000000000-mapping.dmp

Download
memory/2624-153-0x0000000000000000-mapping.dmp

Download
memory/2624-69-0x0000000000000000-mapping.dmp

Download
memory/2624-70-0x0000000000000000-mapping.dmp

Download
memory/2624-72-0x0000000000000000-mapping.dmp

Download
memory/2624-73-0x0000000000000000-mapping.dmp

Download
memory/2624-71-0x0000000000000000-mapping.dmp

Download
memory/2624-74-0x0000000000000000-mapping.dmp

Download
memory/2624-75-0x0000000000000000-mapping.dmp

Download
memory/2624-76-0x0000000000000000-mapping.dmp

Download
memory/2624-152-0x0000000000000000-mapping.dmp

Download
memory/2624-151-0x0000000000000000-mapping.dmp

Download
memory/2624-79-0x0000000000000000-mapping.dmp

Download
memory/2624-80-0x0000000000000000-mapping.dmp

Download
memory/2624-81-0x0000000000000000-mapping.dmp

Download
memory/2624-83-0x0000000000000000-mapping.dmp

Download
memory/2624-84-0x0000000000000000-mapping.dmp

Download
memory/2624-82-0x0000000000000000-mapping.dmp

Download
memory/2624-13-0x0000000004760000-0x0000000004761000-memory.dmp

Filesize
4KB

Download
memory/2624-86-0x0000000000000000-mapping.dmp

Download
memory/2624-87-0x0000000000000000-mapping.dmp

Download
memory/2624-20-0x0000000000000000-mapping.dmp

Download
memory/2624-89-0x0000000000000000-mapping.dmp

Download
memory/2624-90-0x0000000000000000-mapping.dmp

Download
memory/2624-91-0x0000000000000000-mapping.dmp

Download
memory/2624-92-0x0000000000000000-mapping.dmp

Download
memory/2624-93-0x0000000000000000-mapping.dmp

Download
memory/2624-14-0x0000000004F60000-0x0000000004F61000-memory.dmp

Filesize
4KB

Download
memory/2624-95-0x0000000000000000-mapping.dmp

Download
memory/2624-96-0x0000000000000000-mapping.dmp

Download
memory/2624-97-0x0000000000000000-mapping.dmp

Download
memory/2624-98-0x0000000000000000-mapping.dmp

Download
memory/2624-99-0x0000000000000000-mapping.dmp

Download
memory/2624-100-0x0000000000000000-mapping.dmp

Download
memory/2624-101-0x0000000000000000-mapping.dmp

Download
memory/2624-150-0x0000000000000000-mapping.dmp

Download
memory/2624-104-0x0000000000000000-mapping.dmp

Download
memory/2624-105-0x0000000000000000-mapping.dmp

Download
memory/2624-106-0x0000000000000000-mapping.dmp

Download
memory/2624-107-0x0000000000000000-mapping.dmp

Download
memory/2624-108-0x0000000000000000-mapping.dmp

Download
memory/2624-109-0x0000000000000000-mapping.dmp

Download
memory/2624-103-0x0000000000000000-mapping.dmp

Download
memory/2624-149-0x0000000000000000-mapping.dmp

Download
memory/2624-112-0x0000000000000000-mapping.dmp

Download
memory/2624-113-0x0000000000000000-mapping.dmp

Download
memory/2624-114-0x0000000000000000-mapping.dmp

Download
memory/2624-115-0x0000000000000000-mapping.dmp

Download
memory/2624-116-0x0000000000000000-mapping.dmp

Download
memory/2624-111-0x0000000000000000-mapping.dmp

Download
memory/2624-147-0x0000000000000000-mapping.dmp

Download
memory/2624-118-0x0000000000000000-mapping.dmp

Download
memory/2624-119-0x0000000000000000-mapping.dmp

Download
memory/2624-120-0x0000000000000000-mapping.dmp

Download
memory/2624-121-0x0000000000000000-mapping.dmp

Download
memory/2624-122-0x0000000000000000-mapping.dmp

Download
memory/2624-123-0x0000000000000000-mapping.dmp

Download
memory/2624-9-0x0000000000000000-mapping.dmp

Download
memory/2624-125-0x0000000000000000-mapping.dmp

Download
memory/2624-126-0x0000000000000000-mapping.dmp

Download
memory/2624-127-0x0000000000000000-mapping.dmp

Download
memory/2624-128-0x0000000000000000-mapping.dmp

Download
memory/2624-129-0x0000000000000000-mapping.dmp

Download
memory/2624-130-0x0000000000000000-mapping.dmp

Download
memory/2624-132-0x0000000000000000-mapping.dmp

Download
memory/2624-133-0x0000000000000000-mapping.dmp

Download
memory/2624-134-0x0000000000000000-mapping.dmp

Download
memory/2624-135-0x0000000000000000-mapping.dmp

Download
memory/2624-136-0x0000000000000000-mapping.dmp

Download
memory/2624-137-0x0000000000000000-mapping.dmp

Download
memory/2624-138-0x0000000000000000-mapping.dmp

Download
memory/2624-140-0x0000000000000000-mapping.dmp

Download
memory/2624-141-0x0000000000000000-mapping.dmp

Download
memory/2624-142-0x0000000000000000-mapping.dmp

Download
memory/2624-143-0x0000000000000000-mapping.dmp

Download
memory/2624-144-0x0000000000000000-mapping.dmp

Download
memory/2624-145-0x0000000000000000-mapping.dmp

Download
memory/2892-6-0x0000000000000000-mapping.dmp

Download
memory/2972-23-0x0000000004F70000-0x0000000004F71000-memory.dmp

Filesize
4KB

Download
memory/2972-16-0x00000000042F0000-0x00000000042F1000-memory.dmp

Filesize
4KB

Download
memory/2972-15-0x00000000042F0000-0x00000000042F1000-memory.dmp

Filesize
4KB

Download
memory/3548-0-0x0000000000000000-mapping.dmp

Download
memory/3592-117-0x0000000004940000-0x0000000004941000-memory.dmp

Filesize
4KB

Download
memory/3592-124-0x00000000054C0000-0x00000000054C1000-memory.dmp

Filesize
4KB

Download
memory/3672-54-0x00000000050A0000-0x00000000050A1000-memory.dmp

Filesize
4KB

Download
memory/3672-61-0x0000000005A30000-0x0000000005A31000-memory.dmp

Filesize
4KB

Download
memory/3864-48-0x0000000004E70000-0x0000000004E71000-memory.dmp

Filesize
4KB

Download
memory/3864-41-0x00000000043F0000-0x00000000043F1000-memory.dmp

Filesize
4KB

Download
memory/3912-102-0x0000000004270000-0x0000000004271000-memory.dmp

Filesize
4KB

Download
memory/3912-110-0x0000000004CF0000-0x0000000004CF1000-memory.dmp

Filesize
4KB

Download

pid	process
3548	9e1f84cf304b5797d62d52f8dcc7c415.tmp
2892	wmfdist.exe
2624	AVSVideoBurner.exe