e5736a3647f36c366a1515c19d1ebc6b9d5d9a053f5cd467c7a80b13d83143f7

Analysis

max time kernel
119s
max time network
146s
platform
windows10_x64
resource
win10v20201028
submitted
17-11-2020 12:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

512dcdde20ea7d71a0fcb599b0ba603d.exe
Size

12.5MB
MD5

67424ac60a8cebcee28124b353bb49cb
SHA1

67eec0b4efdb102f12a57f3347876f8db91271a8
SHA256

e5736a3647f36c366a1515c19d1ebc6b9d5d9a053f5cd467c7a80b13d83143f7
SHA512

ce3ee51d762f1de4916274940ff4d60b075a29279e04d688bf39b2f07200c2107568f449a3640ed8fa15682b30817ad6e2b2d116882c88b6aaed2fe12fe31c10

Score

9^/10

discovery

Malware Config

Signatures

ServiceHost packer 114 IoCs

Detects ServiceHost packer used for .NET malware

Processes:

resource	yara_rule
behavioral2/memory/184-18-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/184-20-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/184-19-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/184-21-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/184-23-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/184-24-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/184-25-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/184-27-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/184-29-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/184-28-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/184-30-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/184-32-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/184-33-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/184-34-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/184-36-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/184-37-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/184-38-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/184-39-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/184-41-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/184-42-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/184-43-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/184-45-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/184-47-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/184-48-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/184-46-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/184-50-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/184-52-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/184-51-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/184-55-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/184-56-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/184-57-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/184-58-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/184-60-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/184-61-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/184-62-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/184-64-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/184-65-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/184-66-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/184-67-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/184-68-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/184-71-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/184-72-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/184-73-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/184-70-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/184-74-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/184-78-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/184-77-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/184-79-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/184-80-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/184-76-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/184-82-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/184-83-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/184-84-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/184-85-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/184-87-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/184-88-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/184-89-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/184-90-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/184-91-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/184-93-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/184-94-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/184-96-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/184-95-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/184-98-0x0000000000000000-mapping.dmp	servicehost

Executes dropped EXE 3 IoCs

Processes:

512dcdde20ea7d71a0fcb599b0ba603d.tmpwmfdist.exeVideoConverter.exe

pid process

1332 512dcdde20ea7d71a0fcb599b0ba603d.tmp
2556 wmfdist.exe
184 VideoConverter.exe
Loads dropped DLL 3 IoCs

Processes:

512dcdde20ea7d71a0fcb599b0ba603d.tmpregsvr32.exeVideoConverter.exe

pid process

1332 512dcdde20ea7d71a0fcb599b0ba603d.tmp
2584 regsvr32.exe
184 VideoConverter.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 5 IoCs

Processes:

512dcdde20ea7d71a0fcb599b0ba603d.tmp

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\xvidvfw.dll	512dcdde20ea7d71a0fcb599b0ba603d.tmp
File opened for modification	C:\Windows\SysWOW64\xvidcore.dll	512dcdde20ea7d71a0fcb599b0ba603d.tmp
File created	C:\Windows\SysWOW64\is-FJ352.tmp	512dcdde20ea7d71a0fcb599b0ba603d.tmp
File created	C:\Windows\SysWOW64\is-VOR7E.tmp	512dcdde20ea7d71a0fcb599b0ba603d.tmp
File created	C:\Windows\SysWOW64\is-MHDKM.tmp	512dcdde20ea7d71a0fcb599b0ba603d.tmp

Drops file in Program Files directory 49 IoCs

Processes:

512dcdde20ea7d71a0fcb599b0ba603d.tmp

description	ioc	process
File opened for modification	C:\Program Files (x86)\Isoft Free Video Converter\libffplay.dll	512dcdde20ea7d71a0fcb599b0ba603d.tmp
File opened for modification	C:\Program Files (x86)\Isoft Free Video Converter\Log.dll	512dcdde20ea7d71a0fcb599b0ba603d.tmp
File created	C:\Program Files (x86)\Isoft Free Video Converter\is-S1H7L.tmp	512dcdde20ea7d71a0fcb599b0ba603d.tmp
File created	C:\Program Files (x86)\Isoft Free Video Converter\is-VPELV.tmp	512dcdde20ea7d71a0fcb599b0ba603d.tmp
File created	C:\Program Files (x86)\Isoft Free Video Converter\is-IDMU9.tmp	512dcdde20ea7d71a0fcb599b0ba603d.tmp
File opened for modification	C:\Program Files (x86)\Isoft Free Video Converter\MediaAssist.dll	512dcdde20ea7d71a0fcb599b0ba603d.tmp
File opened for modification	C:\Program Files (x86)\Isoft Free Video Converter\libffmpeg.dll	512dcdde20ea7d71a0fcb599b0ba603d.tmp
File opened for modification	C:\Program Files (x86)\Isoft Free Video Converter\avformat-52.dll	512dcdde20ea7d71a0fcb599b0ba603d.tmp
File created	C:\Program Files (x86)\Isoft Free Video Converter\is-2G7T4.tmp	512dcdde20ea7d71a0fcb599b0ba603d.tmp
File created	C:\Program Files (x86)\Isoft Free Video Converter\is-OQD4K.tmp	512dcdde20ea7d71a0fcb599b0ba603d.tmp
File created	C:\Program Files (x86)\Isoft Free Video Converter\is-DA0JM.tmp	512dcdde20ea7d71a0fcb599b0ba603d.tmp
File opened for modification	C:\Program Files (x86)\Isoft Free Video Converter\unins000.dat	512dcdde20ea7d71a0fcb599b0ba603d.tmp
File opened for modification	C:\Program Files (x86)\Isoft Free Video Converter\avdevice-52.dll	512dcdde20ea7d71a0fcb599b0ba603d.tmp
File created	C:\Program Files (x86)\Isoft Free Video Converter\is-51J20.tmp	512dcdde20ea7d71a0fcb599b0ba603d.tmp
File created	C:\Program Files (x86)\Isoft Free Video Converter\is-10E6T.tmp	512dcdde20ea7d71a0fcb599b0ba603d.tmp
File created	C:\Program Files (x86)\Isoft Free Video Converter\is-OM4FU.tmp	512dcdde20ea7d71a0fcb599b0ba603d.tmp
File created	C:\Program Files (x86)\Isoft Free Video Converter\is-LJB7B.tmp	512dcdde20ea7d71a0fcb599b0ba603d.tmp
File created	C:\Program Files (x86)\Isoft Free Video Converter\is-L0JT6.tmp	512dcdde20ea7d71a0fcb599b0ba603d.tmp
File created	C:\Program Files (x86)\Isoft Free Video Converter\is-BIF0S.tmp	512dcdde20ea7d71a0fcb599b0ba603d.tmp
File created	C:\Program Files (x86)\Isoft Free Video Converter\is-4BK52.tmp	512dcdde20ea7d71a0fcb599b0ba603d.tmp
File opened for modification	C:\Program Files (x86)\Isoft Free Video Converter\ImageEx.dll	512dcdde20ea7d71a0fcb599b0ba603d.tmp
File opened for modification	C:\Program Files (x86)\Isoft Free Video Converter\SDL.dll	512dcdde20ea7d71a0fcb599b0ba603d.tmp
File opened for modification	C:\Program Files (x86)\Isoft Free Video Converter\SkinMagicU.dll	512dcdde20ea7d71a0fcb599b0ba603d.tmp
File created	C:\Program Files (x86)\Isoft Free Video Converter\is-O0QP0.tmp	512dcdde20ea7d71a0fcb599b0ba603d.tmp
File created	C:\Program Files (x86)\Isoft Free Video Converter\is-O2PJ3.tmp	512dcdde20ea7d71a0fcb599b0ba603d.tmp
File created	C:\Program Files (x86)\Isoft Free Video Converter\is-G7OHV.tmp	512dcdde20ea7d71a0fcb599b0ba603d.tmp
File opened for modification	C:\Program Files (x86)\Isoft Free Video Converter\avfilter-0.dll	512dcdde20ea7d71a0fcb599b0ba603d.tmp
File created	C:\Program Files (x86)\Isoft Free Video Converter\is-GT6DG.tmp	512dcdde20ea7d71a0fcb599b0ba603d.tmp
File created	C:\Program Files (x86)\Isoft Free Video Converter\is-CN9K0.tmp	512dcdde20ea7d71a0fcb599b0ba603d.tmp
File opened for modification	C:\Program Files (x86)\Isoft Free Video Converter\update.EXE	512dcdde20ea7d71a0fcb599b0ba603d.tmp
File created	C:\Program Files (x86)\Isoft Free Video Converter\is-H5MQL.tmp	512dcdde20ea7d71a0fcb599b0ba603d.tmp
File created	C:\Program Files (x86)\Isoft Free Video Converter\is-511LU.tmp	512dcdde20ea7d71a0fcb599b0ba603d.tmp
File opened for modification	C:\Program Files (x86)\Isoft Free Video Converter\avutil-49.dll	512dcdde20ea7d71a0fcb599b0ba603d.tmp
File opened for modification	C:\Program Files (x86)\Isoft Free Video Converter\SkinScroll.dll	512dcdde20ea7d71a0fcb599b0ba603d.tmp
File opened for modification	C:\Program Files (x86)\Isoft Free Video Converter\wmfdist.exe	512dcdde20ea7d71a0fcb599b0ba603d.tmp
File created	C:\Program Files (x86)\Isoft Free Video Converter\is-E7R6P.tmp	512dcdde20ea7d71a0fcb599b0ba603d.tmp
File created	C:\Program Files (x86)\Isoft Free Video Converter\is-CCQUG.tmp	512dcdde20ea7d71a0fcb599b0ba603d.tmp
File created	C:\Program Files (x86)\Isoft Free Video Converter\is-SDF32.tmp	512dcdde20ea7d71a0fcb599b0ba603d.tmp
File created	C:\Program Files (x86)\Isoft Free Video Converter\is-KQMST.tmp	512dcdde20ea7d71a0fcb599b0ba603d.tmp
File opened for modification	C:\Program Files (x86)\Isoft Free Video Converter\sqlite3.dll	512dcdde20ea7d71a0fcb599b0ba603d.tmp
File created	C:\Program Files (x86)\Isoft Free Video Converter\is-0CT1T.tmp	512dcdde20ea7d71a0fcb599b0ba603d.tmp
File opened for modification	C:\Program Files (x86)\Isoft Free Video Converter\Common.dll	512dcdde20ea7d71a0fcb599b0ba603d.tmp
File opened for modification	C:\Program Files (x86)\Isoft Free Video Converter\VideoConverter.exe	512dcdde20ea7d71a0fcb599b0ba603d.tmp
File opened for modification	C:\Program Files (x86)\Isoft Free Video Converter\CrashReport.dll	512dcdde20ea7d71a0fcb599b0ba603d.tmp
File created	C:\Program Files (x86)\Isoft Free Video Converter\is-Q3D9I.tmp	512dcdde20ea7d71a0fcb599b0ba603d.tmp
File created	C:\Program Files (x86)\Isoft Free Video Converter\is-QCR51.tmp	512dcdde20ea7d71a0fcb599b0ba603d.tmp
File opened for modification	C:\Program Files (x86)\Isoft Free Video Converter\swscale-0.dll	512dcdde20ea7d71a0fcb599b0ba603d.tmp
File opened for modification	C:\Program Files (x86)\Isoft Free Video Converter\xvidcore.dll	512dcdde20ea7d71a0fcb599b0ba603d.tmp
File created	C:\Program Files (x86)\Isoft Free Video Converter\unins000.dat	512dcdde20ea7d71a0fcb599b0ba603d.tmp

Program crash 13 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
3644	184	WerFault.exe	VideoConverter.exe
8	184	WerFault.exe	VideoConverter.exe
2052	184	WerFault.exe	VideoConverter.exe
2796	184	WerFault.exe	VideoConverter.exe
3184	184	WerFault.exe	VideoConverter.exe
1352	184	WerFault.exe	VideoConverter.exe
2220	184	WerFault.exe	VideoConverter.exe
2516	184	WerFault.exe	VideoConverter.exe
1260	184	WerFault.exe	VideoConverter.exe
2108	184	WerFault.exe	VideoConverter.exe
2608	184	WerFault.exe	VideoConverter.exe
856	184	WerFault.exe	VideoConverter.exe
1900	184	WerFault.exe	VideoConverter.exe

Modifies registry class 14 IoCs

Processes:

regsvr32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{64697678-0000-0010-8000-00AA00389B71}\FriendlyName = "Xvid MPEG-4 Video Decoder"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000001-4FEF-40D3-B3FA-E0531B897F98}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{64697678-0000-0010-8000-00AA00389B71}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000001-4FEF-40D3-B3FA-E0531B897F98}\ = "Xvid MPEG-4 Video DecoderAbout"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000001-4FEF-40D3-B3FA-E0531B897F98}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000001-4FEF-40D3-B3FA-E0531B897F98}\InprocServer32\ = "C:\\Windows\\SysWow64\\xvid.ax"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000001-4FEF-40D3-B3FA-E0531B897F98}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{64697678-0000-0010-8000-00AA00389B71}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{64697678-0000-0010-8000-00AA00389B71}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{64697678-0000-0010-8000-00AA00389B71}\CLSID = "{64697678-0000-0010-8000-00AA00389B71}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{64697678-0000-0010-8000-00AA00389B71}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{64697678-0000-0010-8000-00AA00389B71}\InprocServer32\ = "C:\\Windows\\SysWow64\\xvid.ax"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{64697678-0000-0010-8000-00AA00389B71}\ = "Xvid MPEG-4 Video Decoder"	regsvr32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{64697678-0000-0010-8000-00AA00389B71}\FilterData = 020000000000800002000000000000003070693300000000000000000800000000000000000000003074793300000000d0000000e00000003174793300000000d0000000f00000003274793300000000d0000000000100003374793300000000d0000000100100003474793300000000d0000000200100003574793300000000d0000000300100003674793300000000d0000000400100003774793300000000d0000000500100003170693308000000000000000100000000000000000000003074793300000000d0000000600100007669647300001000800000aa00389b717876696400001000800000aa00389b715856494400001000800000aa00389b716469767800001000800000aa00389b714449565800001000800000aa00389b716478353000001000800000aa00389b714458353000001000800000aa00389b716d70347600001000800000aa00389b714d50345600001000800000aa00389b7100000000000000000000000000000000	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 198 IoCs

Processes:

512dcdde20ea7d71a0fcb599b0ba603d.tmpVideoConverter.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	process
1332	512dcdde20ea7d71a0fcb599b0ba603d.tmp
1332	512dcdde20ea7d71a0fcb599b0ba603d.tmp
184	VideoConverter.exe
184	VideoConverter.exe
3644	WerFault.exe
3644	WerFault.exe
3644	WerFault.exe
3644	WerFault.exe
3644	WerFault.exe
3644	WerFault.exe
3644	WerFault.exe
3644	WerFault.exe
3644	WerFault.exe
3644	WerFault.exe
3644	WerFault.exe
3644	WerFault.exe
3644	WerFault.exe
3644	WerFault.exe
3644	WerFault.exe
8	WerFault.exe
8	WerFault.exe
8	WerFault.exe
8	WerFault.exe
8	WerFault.exe
8	WerFault.exe
8	WerFault.exe
8	WerFault.exe
8	WerFault.exe
8	WerFault.exe
8	WerFault.exe
8	WerFault.exe
8	WerFault.exe
8	WerFault.exe
8	WerFault.exe
2052	WerFault.exe
2052	WerFault.exe
2052	WerFault.exe
2052	WerFault.exe
2052	WerFault.exe
2052	WerFault.exe
2052	WerFault.exe
2052	WerFault.exe
2052	WerFault.exe
2052	WerFault.exe
2052	WerFault.exe
2052	WerFault.exe
2052	WerFault.exe
2052	WerFault.exe
2052	WerFault.exe
2796	WerFault.exe
2796	WerFault.exe
2796	WerFault.exe
2796	WerFault.exe
2796	WerFault.exe
2796	WerFault.exe
2796	WerFault.exe
2796	WerFault.exe
2796	WerFault.exe
2796	WerFault.exe
2796	WerFault.exe
2796	WerFault.exe
2796	WerFault.exe
2796	WerFault.exe
2796	WerFault.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

description	pid	process
Token: SeRestorePrivilege	3644	WerFault.exe
Token: SeBackupPrivilege	3644	WerFault.exe
Token: SeDebugPrivilege	3644	WerFault.exe
Token: SeDebugPrivilege	8	WerFault.exe
Token: SeDebugPrivilege	2052	WerFault.exe
Token: SeDebugPrivilege	2796	WerFault.exe
Token: SeDebugPrivilege	3184	WerFault.exe
Token: SeDebugPrivilege	1352	WerFault.exe
Token: SeDebugPrivilege	2220	WerFault.exe
Token: SeDebugPrivilege	2516	WerFault.exe
Token: SeDebugPrivilege	1260	WerFault.exe
Token: SeDebugPrivilege	2108	WerFault.exe
Token: SeDebugPrivilege	2608	WerFault.exe
Token: SeDebugPrivilege	856	WerFault.exe
Token: SeDebugPrivilege	1900	WerFault.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

512dcdde20ea7d71a0fcb599b0ba603d.tmp

pid process

1332 512dcdde20ea7d71a0fcb599b0ba603d.tmp

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

512dcdde20ea7d71a0fcb599b0ba603d.exe512dcdde20ea7d71a0fcb599b0ba603d.tmp

description	pid	process	target process
PID 3980 wrote to memory of 1332	3980	512dcdde20ea7d71a0fcb599b0ba603d.exe	512dcdde20ea7d71a0fcb599b0ba603d.tmp
PID 3980 wrote to memory of 1332	3980	512dcdde20ea7d71a0fcb599b0ba603d.exe	512dcdde20ea7d71a0fcb599b0ba603d.tmp
PID 3980 wrote to memory of 1332	3980	512dcdde20ea7d71a0fcb599b0ba603d.exe	512dcdde20ea7d71a0fcb599b0ba603d.tmp
PID 1332 wrote to memory of 2584	1332	512dcdde20ea7d71a0fcb599b0ba603d.tmp	regsvr32.exe
PID 1332 wrote to memory of 2584	1332	512dcdde20ea7d71a0fcb599b0ba603d.tmp	regsvr32.exe
PID 1332 wrote to memory of 2584	1332	512dcdde20ea7d71a0fcb599b0ba603d.tmp	regsvr32.exe
PID 1332 wrote to memory of 2556	1332	512dcdde20ea7d71a0fcb599b0ba603d.tmp	wmfdist.exe
PID 1332 wrote to memory of 2556	1332	512dcdde20ea7d71a0fcb599b0ba603d.tmp	wmfdist.exe
PID 1332 wrote to memory of 2556	1332	512dcdde20ea7d71a0fcb599b0ba603d.tmp	wmfdist.exe
PID 1332 wrote to memory of 184	1332	512dcdde20ea7d71a0fcb599b0ba603d.tmp	VideoConverter.exe
PID 1332 wrote to memory of 184	1332	512dcdde20ea7d71a0fcb599b0ba603d.tmp	VideoConverter.exe
PID 1332 wrote to memory of 184	1332	512dcdde20ea7d71a0fcb599b0ba603d.tmp	VideoConverter.exe

C:\Users\Admin\AppData\Local\Temp\512dcdde20ea7d71a0fcb599b0ba603d.exe
"C:\Users\Admin\AppData\Local\Temp\512dcdde20ea7d71a0fcb599b0ba603d.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3980

C:\Users\Admin\AppData\Local\Temp\is-CSUBD.tmp\512dcdde20ea7d71a0fcb599b0ba603d.tmp
"C:\Users\Admin\AppData\Local\Temp\is-CSUBD.tmp\512dcdde20ea7d71a0fcb599b0ba603d.tmp" /SL5="$70062,12352160,776192,C:\Users\Admin\AppData\Local\Temp\512dcdde20ea7d71a0fcb599b0ba603d.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1332

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s "C:\Windows\system32\xvid.ax"
3⤵
- Loads dropped DLL
- Modifies registry class
PID:2584

C:\Program Files (x86)\Isoft Free Video Converter\wmfdist.exe
"C:\Program Files (x86)\Isoft Free Video Converter\wmfdist.exe" /Q:A /R:N
3⤵
- Executes dropped EXE
PID:2556

C:\Program Files (x86)\Isoft Free Video Converter\VideoConverter.exe
"C:\Program Files (x86)\Isoft Free Video Converter\VideoConverter.exe" 512dcdde20ea7d71a0fcb599b0ba603d.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 184 -s 804
4⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 184 -s 840
4⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:8

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 184 -s 844
4⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 184 -s 876
4⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 184 -s 796
4⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:3184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 184 -s 848
4⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:1352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 184 -s 876
4⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:2220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 184 -s 836
4⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:2516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 184 -s 868
4⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:1260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 184 -s 840
4⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:2108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 184 -s 764
4⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:2608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 184 -s 892
4⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 184 -s 820
4⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:1900

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Isoft Free Video Converter\VideoConverter.exe
MD5
a0f772011c6d3d25790bae20747f9236

SHA1
a9ca396ac93c5c852d349fb19e00fe96184d877d

SHA256
c7f2fea3c643b5223d67a0a56ea43177b5f8a16d606dc14927c0324f96eb545d

SHA512
4fac2558abbbe29bc50e35415383af00d7c2cbb0f326c304b7f27414695dc398e203f9212c1919919a1c7089bf1517dea0077e785d67fdd099c0806b580a2c0c

Download Submit
C:\Program Files (x86)\Isoft Free Video Converter\VideoConverter.exe
MD5
a0f772011c6d3d25790bae20747f9236

SHA1
a9ca396ac93c5c852d349fb19e00fe96184d877d

SHA256
c7f2fea3c643b5223d67a0a56ea43177b5f8a16d606dc14927c0324f96eb545d

SHA512
4fac2558abbbe29bc50e35415383af00d7c2cbb0f326c304b7f27414695dc398e203f9212c1919919a1c7089bf1517dea0077e785d67fdd099c0806b580a2c0c

Download Submit
C:\Program Files (x86)\Isoft Free Video Converter\sqlite3.dll
MD5
e477a96c8f2b18d6b5c27bde49c990bf

SHA1
e980c9bf41330d1e5bd04556db4646a0210f7409

SHA256
16574f51785b0e2fc29c2c61477eb47bb39f714829999511dc8952b43ab17660

SHA512
335a86268e7c0e568b1c30981ec644e6cd332e66f96d2551b58a82515316693c1859d87b4f4b7310cf1ac386cee671580fdd999c3bcb23acf2c2282c01c8798c

Download Submit
C:\Program Files (x86)\Isoft Free Video Converter\wmfdist.exe
MD5
f59090e9a8070d7fbbdcc8895d2169a3

SHA1
370e62290cac6a6c7aa13442741caf6671437a54

SHA256
a6b53074cb4a3f9885f6e7d52c9e893b44cf4965000d899b2bf21508ac320023

SHA512
45b9d9bd43b67c39b35a0f4007a2800847e65da8f818bef4b2f5858d95235fca34708ab9b774324bc7e1eb9519ce5d2f4634034f7987c17e788d017f2fdf7d5a

Download Submit
C:\Program Files (x86)\Isoft Free Video Converter\wmfdist.exe
MD5
f59090e9a8070d7fbbdcc8895d2169a3

SHA1
370e62290cac6a6c7aa13442741caf6671437a54

SHA256
a6b53074cb4a3f9885f6e7d52c9e893b44cf4965000d899b2bf21508ac320023

SHA512
45b9d9bd43b67c39b35a0f4007a2800847e65da8f818bef4b2f5858d95235fca34708ab9b774324bc7e1eb9519ce5d2f4634034f7987c17e788d017f2fdf7d5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-CSUBD.tmp\512dcdde20ea7d71a0fcb599b0ba603d.tmp
MD5
4376b4cecb5244d11c5a7d8c465ca6ae

SHA1
8e56aba0def557e49a018766baa329f7cf71f225

SHA256
021bf86aac9942dffa5040f33324d240f655e11321d92e73ebc4177858ff9689

SHA512
d4f1338c2f7cff4731f7dd1ae7f4a717763cc82cd727f4caad82e37733842bd4afd446d94a465a3b41ebfeb1d96abd3a308fa7891a1a20eff89752f56851a2e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-CSUBD.tmp\512dcdde20ea7d71a0fcb599b0ba603d.tmp
MD5
4376b4cecb5244d11c5a7d8c465ca6ae

SHA1
8e56aba0def557e49a018766baa329f7cf71f225

SHA256
021bf86aac9942dffa5040f33324d240f655e11321d92e73ebc4177858ff9689

SHA512
d4f1338c2f7cff4731f7dd1ae7f4a717763cc82cd727f4caad82e37733842bd4afd446d94a465a3b41ebfeb1d96abd3a308fa7891a1a20eff89752f56851a2e6

Download Submit
C:\Windows\SysWOW64\xvid.ax
MD5
1dfc887cb243a525675ce04787dedf8b

SHA1
69163fbf6a40a34ae9f27e652b01b4cc8fb2cc5f

SHA256
0969d1f5501ad4be6f969ce45f44a739b2d61a50237f75ae7b77626d6a0aff11

SHA512
160a6df0774c359a3959088fe478d237b4fa597eaa0cf1b084b77ba8fcdb08137387fa3ce91bd40e3af6d2992be048e583368644fe6fa627918e8900833adde4

Download Submit
\Program Files (x86)\Isoft Free Video Converter\sqlite3.dll
MD5
e477a96c8f2b18d6b5c27bde49c990bf

SHA1
e980c9bf41330d1e5bd04556db4646a0210f7409

SHA256
16574f51785b0e2fc29c2c61477eb47bb39f714829999511dc8952b43ab17660

SHA512
335a86268e7c0e568b1c30981ec644e6cd332e66f96d2551b58a82515316693c1859d87b4f4b7310cf1ac386cee671580fdd999c3bcb23acf2c2282c01c8798c

Download Submit
\Users\Admin\AppData\Local\Temp\is-JB01V.tmp\_isetup\_iscrypt.dll
MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
\Windows\SysWOW64\xvid.ax
MD5
1dfc887cb243a525675ce04787dedf8b

SHA1
69163fbf6a40a34ae9f27e652b01b4cc8fb2cc5f

SHA256
0969d1f5501ad4be6f969ce45f44a739b2d61a50237f75ae7b77626d6a0aff11

SHA512
160a6df0774c359a3959088fe478d237b4fa597eaa0cf1b084b77ba8fcdb08137387fa3ce91bd40e3af6d2992be048e583368644fe6fa627918e8900833adde4

Download Submit
memory/8-26-0x00000000048E0000-0x00000000048E1000-memory.dmp

Filesize
4KB

Download
memory/8-31-0x0000000005500000-0x0000000005501000-memory.dmp

Filesize
4KB

Download
memory/184-87-0x0000000000000000-mapping.dmp

Download
memory/184-135-0x0000000000000000-mapping.dmp

Download
memory/184-14-0x0000000004630000-0x0000000004631000-memory.dmp

Filesize
4KB

Download
memory/184-243-0x0000000000000000-mapping.dmp

Download
memory/184-10-0x0000000000000000-mapping.dmp

Download
memory/184-18-0x0000000000000000-mapping.dmp

Download
memory/184-20-0x0000000000000000-mapping.dmp

Download
memory/184-19-0x0000000000000000-mapping.dmp

Download
memory/184-21-0x0000000000000000-mapping.dmp

Download
memory/184-246-0x0000000000000000-mapping.dmp

Download
memory/184-23-0x0000000000000000-mapping.dmp

Download
memory/184-24-0x0000000000000000-mapping.dmp

Download
memory/184-25-0x0000000000000000-mapping.dmp

Download
memory/184-245-0x0000000000000000-mapping.dmp

Download
memory/184-27-0x0000000000000000-mapping.dmp

Download
memory/184-29-0x0000000000000000-mapping.dmp

Download
memory/184-28-0x0000000000000000-mapping.dmp

Download
memory/184-30-0x0000000000000000-mapping.dmp

Download
memory/184-244-0x0000000000000000-mapping.dmp

Download
memory/184-32-0x0000000000000000-mapping.dmp

Download
memory/184-33-0x0000000000000000-mapping.dmp

Download
memory/184-34-0x0000000000000000-mapping.dmp

Download
memory/184-93-0x0000000000000000-mapping.dmp

Download
memory/184-36-0x0000000000000000-mapping.dmp

Download
memory/184-37-0x0000000000000000-mapping.dmp

Download
memory/184-38-0x0000000000000000-mapping.dmp

Download
memory/184-39-0x0000000000000000-mapping.dmp

Download
memory/184-242-0x0000000000000000-mapping.dmp

Download
memory/184-41-0x0000000000000000-mapping.dmp

Download
memory/184-42-0x0000000000000000-mapping.dmp

Download
memory/184-43-0x0000000000000000-mapping.dmp

Download
memory/184-170-0x0000000000000000-mapping.dmp

Download
memory/184-45-0x0000000000000000-mapping.dmp

Download
memory/184-47-0x0000000000000000-mapping.dmp

Download
memory/184-48-0x0000000000000000-mapping.dmp

Download
memory/184-46-0x0000000000000000-mapping.dmp

Download
memory/184-169-0x0000000000000000-mapping.dmp

Download
memory/184-50-0x0000000000000000-mapping.dmp

Download
memory/184-168-0x0000000000000000-mapping.dmp

Download
memory/184-51-0x0000000000000000-mapping.dmp

Download
memory/184-167-0x0000000000000000-mapping.dmp

Download
memory/184-166-0x0000000000000000-mapping.dmp

Download
memory/184-55-0x0000000000000000-mapping.dmp

Download
memory/184-56-0x0000000000000000-mapping.dmp

Download
memory/184-57-0x0000000000000000-mapping.dmp

Download
memory/184-58-0x0000000000000000-mapping.dmp

Download
memory/184-165-0x0000000000000000-mapping.dmp

Download
memory/184-60-0x0000000000000000-mapping.dmp

Download
memory/184-61-0x0000000000000000-mapping.dmp

Download
memory/184-62-0x0000000000000000-mapping.dmp

Download
memory/184-161-0x0000000000000000-mapping.dmp

Download
memory/184-64-0x0000000000000000-mapping.dmp

Download
memory/184-65-0x0000000000000000-mapping.dmp

Download
memory/184-66-0x0000000000000000-mapping.dmp

Download
memory/184-67-0x0000000000000000-mapping.dmp

Download
memory/184-68-0x0000000000000000-mapping.dmp

Download
memory/184-163-0x0000000000000000-mapping.dmp

Download
memory/184-71-0x0000000000000000-mapping.dmp

Download
memory/184-72-0x0000000000000000-mapping.dmp

Download
memory/184-73-0x0000000000000000-mapping.dmp

Download
memory/184-70-0x0000000000000000-mapping.dmp

Download
memory/184-74-0x0000000000000000-mapping.dmp

Download
memory/184-162-0x0000000000000000-mapping.dmp

Download
memory/184-78-0x0000000000000000-mapping.dmp

Download
memory/184-77-0x0000000000000000-mapping.dmp

Download
memory/184-79-0x0000000000000000-mapping.dmp

Download
memory/184-80-0x0000000000000000-mapping.dmp

Download
memory/184-76-0x0000000000000000-mapping.dmp

Download
memory/184-160-0x0000000000000000-mapping.dmp

Download
memory/184-82-0x0000000000000000-mapping.dmp

Download
memory/184-83-0x0000000000000000-mapping.dmp

Download
memory/184-84-0x0000000000000000-mapping.dmp

Download
memory/184-85-0x0000000000000000-mapping.dmp

Download
memory/184-159-0x0000000000000000-mapping.dmp

Download
memory/184-155-0x0000000000000000-mapping.dmp

Download
memory/184-88-0x0000000000000000-mapping.dmp

Download
memory/184-89-0x0000000000000000-mapping.dmp

Download
memory/184-90-0x0000000000000000-mapping.dmp

Download
memory/184-100-0x0000000000000000-mapping.dmp

Download
memory/184-52-0x0000000000000000-mapping.dmp

Download
memory/184-157-0x0000000000000000-mapping.dmp

Download
memory/184-94-0x0000000000000000-mapping.dmp

Download
memory/184-96-0x0000000000000000-mapping.dmp

Download
memory/184-95-0x0000000000000000-mapping.dmp

Download
memory/184-156-0x0000000000000000-mapping.dmp

Download
memory/184-98-0x0000000000000000-mapping.dmp

Download
memory/184-99-0x0000000000000000-mapping.dmp

Download
memory/184-91-0x0000000000000000-mapping.dmp

Download
memory/184-101-0x0000000000000000-mapping.dmp

Download
memory/184-102-0x0000000000000000-mapping.dmp

Download
memory/184-103-0x0000000000000000-mapping.dmp

Download
memory/184-104-0x0000000000000000-mapping.dmp

Download
memory/184-106-0x0000000000000000-mapping.dmp

Download
memory/184-107-0x0000000000000000-mapping.dmp

Download
memory/184-108-0x0000000000000000-mapping.dmp

Download
memory/184-110-0x0000000000000000-mapping.dmp

Download
memory/184-111-0x0000000000000000-mapping.dmp

Download
memory/184-109-0x0000000000000000-mapping.dmp

Download
memory/184-113-0x0000000000000000-mapping.dmp

Download
memory/184-114-0x0000000000000000-mapping.dmp

Download
memory/184-115-0x0000000000000000-mapping.dmp

Download
memory/184-116-0x0000000000000000-mapping.dmp

Download
memory/184-118-0x0000000000000000-mapping.dmp

Download
memory/184-117-0x0000000000000000-mapping.dmp

Download
memory/184-120-0x0000000000000000-mapping.dmp

Download
memory/184-121-0x0000000000000000-mapping.dmp

Download
memory/184-122-0x0000000000000000-mapping.dmp

Download
memory/184-123-0x0000000000000000-mapping.dmp

Download
memory/184-124-0x0000000000000000-mapping.dmp

Download
memory/184-152-0x0000000000000000-mapping.dmp

Download
memory/184-127-0x0000000000000000-mapping.dmp

Download
memory/184-128-0x0000000000000000-mapping.dmp

Download
memory/184-129-0x0000000000000000-mapping.dmp

Download
memory/184-130-0x0000000000000000-mapping.dmp

Download
memory/184-131-0x0000000000000000-mapping.dmp

Download
memory/184-126-0x0000000000000000-mapping.dmp

Download
memory/184-133-0x0000000000000000-mapping.dmp

Download
memory/184-154-0x0000000000000000-mapping.dmp

Download
memory/184-134-0x0000000000000000-mapping.dmp

Download
memory/184-15-0x0000000004E30000-0x0000000004E31000-memory.dmp

Filesize
4KB

Download
memory/184-136-0x0000000000000000-mapping.dmp

Download
memory/184-137-0x0000000000000000-mapping.dmp

Download
memory/184-153-0x0000000000000000-mapping.dmp

Download
memory/184-139-0x0000000000000000-mapping.dmp

Download
memory/184-140-0x0000000000000000-mapping.dmp

Download
memory/184-141-0x0000000000000000-mapping.dmp

Download
memory/184-143-0x0000000000000000-mapping.dmp

Download
memory/184-144-0x0000000000000000-mapping.dmp

Download
memory/184-142-0x0000000000000000-mapping.dmp

Download
memory/184-146-0x0000000000000000-mapping.dmp

Download
memory/184-148-0x0000000000000000-mapping.dmp

Download
memory/184-147-0x0000000000000000-mapping.dmp

Download
memory/184-150-0x0000000000000000-mapping.dmp

Download
memory/184-149-0x0000000000000000-mapping.dmp

Download
memory/856-138-0x0000000004900000-0x0000000004901000-memory.dmp

Filesize
4KB

Download
memory/856-145-0x00000000052A0000-0x00000000052A1000-memory.dmp

Filesize
4KB

Download
memory/1260-97-0x0000000004FC0000-0x0000000004FC1000-memory.dmp

Filesize
4KB

Download
memory/1332-0-0x0000000000000000-mapping.dmp

Download
memory/1352-63-0x00000000045C0000-0x00000000045C1000-memory.dmp

Filesize
4KB

Download
memory/1352-69-0x0000000005160000-0x0000000005161000-memory.dmp

Filesize
4KB

Download
memory/1900-158-0x0000000004F80000-0x0000000004F81000-memory.dmp

Filesize
4KB

Download
memory/1900-151-0x00000000044E0000-0x00000000044E1000-memory.dmp

Filesize
4KB

Download
memory/2052-35-0x0000000004B50000-0x0000000004B51000-memory.dmp

Filesize
4KB

Download
memory/2052-40-0x00000000057F0000-0x00000000057F1000-memory.dmp

Filesize
4KB

Download
memory/2220-81-0x0000000005610000-0x0000000005611000-memory.dmp

Filesize
4KB

Download
memory/2220-75-0x0000000004B70000-0x0000000004B71000-memory.dmp

Filesize
4KB

Download
memory/2516-86-0x0000000004520000-0x0000000004521000-memory.dmp

Filesize
4KB

Download
memory/2516-92-0x00000000050C0000-0x00000000050C1000-memory.dmp

Filesize
4KB

Download
memory/2556-7-0x0000000000000000-mapping.dmp

Download
memory/2584-4-0x0000000000000000-mapping.dmp

Download
memory/2608-125-0x0000000004390000-0x0000000004391000-memory.dmp

Filesize
4KB

Download
memory/2608-132-0x0000000004FF0000-0x0000000004FF1000-memory.dmp

Filesize
4KB

Download
memory/2796-49-0x0000000004C20000-0x0000000004C21000-memory.dmp

Filesize
4KB

Download
memory/2796-44-0x0000000004180000-0x0000000004181000-memory.dmp

Filesize
4KB

Download
memory/3184-53-0x0000000004D90000-0x0000000004D91000-memory.dmp

Filesize
4KB

Download
memory/3184-54-0x0000000004D90000-0x0000000004D91000-memory.dmp

Filesize
4KB

Download
memory/3184-59-0x0000000005A40000-0x0000000005A41000-memory.dmp

Filesize
4KB

Download
memory/3528-172-0x0000000005720000-0x0000000005721000-memory.dmp

Filesize
4KB

Download
memory/3644-22-0x0000000005720000-0x0000000005721000-memory.dmp

Filesize
4KB

Download
memory/3644-16-0x0000000004B00000-0x0000000004B01000-memory.dmp

Filesize
4KB

Download

pid	process
1332	512dcdde20ea7d71a0fcb599b0ba603d.tmp
2556	wmfdist.exe
184	VideoConverter.exe

pid	process
1332	512dcdde20ea7d71a0fcb599b0ba603d.tmp
2584	regsvr32.exe
184	VideoConverter.exe