Analysis

  • max time kernel
    1686s
  • max time network
    1693s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    26-07-2024 17:24

General

  • Target

    bdcamsetup.exe

  • Size

    31.5MB

  • MD5

    cbb2dc1b64c5a21da53d79f0ad2e1bdb

  • SHA1

    b2e411fcbccedef4d3a64133aff5d5502291b24f

  • SHA256

    5aa1234eb23bef8628cdc9189879d629b418cd1d176c99c024a15c3bfe5e413a

  • SHA512

    73391f29a027f1184d2ed673667b86bd96eaf97df94e4fc13c03ec8913c9ff36f3a549b7a4f79f67755cdd8f61fe906e61de1559dd884f2623add72413b4841c

  • SSDEEP

    786432:fmDBQyG/qdx5SFTFI/Xoa74EJCvBLRUH0PYNr/h4vW:+D0qd/SFTFIcGyIpr/v

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely a geofencing check.

  • Drops file in System32 directory 14 IoCs
  • Event Triggered Execution: Component Object Model Hijacking 1 TTPs

    Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in Program Files directory 64 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 18 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies Internet Explorer settings 1 TTPs 4 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 26 IoCs
  • Suspicious use of SendNotifyMessage 25 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\bdcamsetup.exe
    "C:\Users\Admin\AppData\Local\Temp\bdcamsetup.exe"
    1⤵
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Modifies Internet Explorer settings
    • Suspicious use of WriteProcessMemory
    PID:956
    • C:\Users\Admin\AppData\Local\Temp\BDMPEG1SETUP.EXE
      "C:\Users\Admin\AppData\Local\Temp\BDMPEG1SETUP.EXE" /S
      2⤵
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:3016
      • C:\Windows\SysWOW64\regsvr32.exe
        "regsvr32" /s "C:\Program Files (x86)\BandiMPEG1\bdfilters64.dll"
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:868
        • C:\Windows\system32\regsvr32.exe
          /s "C:\Program Files (x86)\BandiMPEG1\bdfilters64.dll"
          4⤵
          • Loads dropped DLL
          • Modifies registry class
          PID:4552
    • C:\Program Files\Bandicam\bdcam.exe
      "C:\Program Files\Bandicam\bdcam.exe" /install
      2⤵
      • Checks computer location settings
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Executes dropped EXE
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3952
      • C:\Windows\system32\rundll32.exe
        "C:\Windows\system32\rundll32.exe" "C:\Program Files\Bandicam\bdcamvk64.dll",RegDll
        3⤵
        • Loads dropped DLL
        PID:4300
      • C:\Windows\SysWOW64\rundll32.exe
        "C:\Windows\SysWOW64\rundll32.exe" "C:\Program Files\Bandicam\bdcamvk32.dll",RegDll
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        PID:3544
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.bandicam.com/f.php?id=eng_app_complete_install&v=2&lang=en
      2⤵
      • Enumerates system info in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:4200
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xe0,0x108,0x7ffdecda46f8,0x7ffdecda4708,0x7ffdecda4718
        3⤵
        PID:1396
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2164,11280190242327863523,13483539868710576969,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2176 /prefetch:2
        3⤵
        PID:2236
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2164,11280190242327863523,13483539868710576969,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2232 /prefetch:3
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:1128
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2164,11280190242327863523,13483539868710576969,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2676 /prefetch:8
        3⤵
        PID:2112
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,11280190242327863523,13483539868710576969,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
        3⤵
        PID:5116
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,11280190242327863523,13483539868710576969,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
        3⤵
        PID:2900
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,11280190242327863523,13483539868710576969,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5008 /prefetch:1
        3⤵
        PID:1712
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,11280190242327863523,13483539868710576969,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5212 /prefetch:1
        3⤵
        PID:4328
      • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2164,11280190242327863523,13483539868710576969,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5592 /prefetch:8
        3⤵
        PID:4844
      • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2164,11280190242327863523,13483539868710576969,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5592 /prefetch:8
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:3052
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,11280190242327863523,13483539868710576969,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4744 /prefetch:1
        3⤵
        PID:4148
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,11280190242327863523,13483539868710576969,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4732 /prefetch:1
        3⤵
        PID:116
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,11280190242327863523,13483539868710576969,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5884 /prefetch:1
        3⤵
        PID:4452
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,11280190242327863523,13483539868710576969,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5604 /prefetch:1
        3⤵
        PID:3812
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2164,11280190242327863523,13483539868710576969,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4900 /prefetch:2
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:864
  • C:\Program Files\Bandicam\bdcam.exe
    "C:\Program Files\Bandicam\bdcam.exe" 0x0001A5D3
    1⤵
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Executes dropped EXE
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    PID:1048
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x4fc 0x520
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2880
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:1720
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:2636

                              Network

                              MITRE ATT&CK Enterprise v15

                              Downloads

                              • C:\Program Files (x86)\BandiMPEG1\bdfilters.dll

                                Filesize

                                4.1MB

                                MD5

                                ed730387fdcd684b756601b863c47417

                                SHA1

                                c49ed6d0d46facf4ceaeb21f5d6bfdf9e3587fde

                                SHA256

                                9cbc29696ad2d582e251bf9c4be5cce618753fa43551d2474e1ae5cc5e1245e5

                                SHA512

                                e32df727799d33922c6e92f94a7bdb0bc2772d6a6636d15e285d94d3ae4661062e5bc89ec3546b76ec853398f88d972f461327ef687f89093acf1096560d5c3f

                              • C:\Program Files (x86)\BandiMPEG1\bdfilters64.dll

                                Filesize

                                4.6MB

                                MD5

                                13f7a29baa1e04f74151737cb71bd0e5

                                SHA1

                                0bc8682c6c96923a729aa6239aa53d95221b13ab

                                SHA256

                                008fababd36e8fbfd5f610a2c62d47963e78ec91e54ad69a1e20807445c3528d

                                SHA512

                                4cea11e88e8861c4094b227d85295c0d67452af703b0ec9dfe475797b87d03b40bc1f6b58dcc00996672c1c05d99b82dcc067bc429a1465ae90f4ec966f2bca8

                              • C:\Program Files\Bandicam\bandicam.ini

                                Filesize

                                27B

                                MD5

                                d025f448d8dde9678a0bf6dac26a61fa

                                SHA1

                                c457f5ceffb60e233e131187bb7d11e20ce831f2

                                SHA256

                                cac812c36cbbe7821ac92669643572fd33002815976a43d1820d47205f264f6b

                                SHA512

                                e5ed08fe970d0f2293792982a52616efc69fc0cf3e3b3a2e96f083ed72fe06e4bfa6ae23d7c04d6a0483eb402d43c37cd1e4bf73334a116368cc097ce4c81adf

                              • C:\Program Files\Bandicam\bdcam.exe

                                Filesize

                                13.4MB

                                MD5

                                995a92cc9018419ee100c0f19f40fc7f

                                SHA1

                                6a6347ac627a9fd035945c4a22b30a6d089a070a

                                SHA256

                                a8c3439c80e27c0a9eea4c13dd0fc263476a9d39ac7b0d3278be62e6e14f9ec0

                                SHA512

                                47ecd16b5d7fa1fdaedaebc075d5f12a6fed150e5309139a2d3c0559a04ced202788d24f252e7b0a775682adf90444cb1ad8be643f145dc91ab47ede55c00935

                              • C:\Program Files\Bandicam\bdcamvk32.dll

                                Filesize

                                1.5MB

                                MD5

                                9051ce47609c3670afedce797b9cc1c3

                                SHA1

                                6e7929058c8e011b1ac24e72f5c32570fb17b2b6

                                SHA256

                                07cfb828516e8ab690933df6012c97375b2825fa8784965eab2a4198b9b290da

                                SHA512

                                8f6712cbc68bdfb1c2b33a6231e33c57d476f20fe05299a22e95e6f47c4115a86efb750a97970aaec5132f99ff073aaa358fba63835fc1e3ef2cbce0a5009922

                              • C:\Program Files\Bandicam\bdcamvk64.dll

                                Filesize

                                1.9MB

                                MD5

                                f488d01d37cdab9bbecf59632343f12f

                                SHA1

                                7d2914422378a17fa0551b71336a053e94d5a1c7

                                SHA256

                                7e3f8e9cb1c074af15384312568ff9b181cebcc452756d229adfd22fb163a1eb

                                SHA512

                                b605ba7aa17fe43a389061a77e21791845dccd55ca8a2e98cd38e0f730fe73560014de57f9069ae93906dd215c63b4f53b64b63849cdbdc13dce71052d7824b2

                              • C:\Program Files\Bandicam\bdcap64.dll

                                Filesize

                                21.2MB

                                MD5

                                7214c7b4d2064db6827e2c3308a740de

                                SHA1

                                45bc92de40161252010dbde86a6637f34bcc46cb

                                SHA256

                                a7c59f782bc88f2fa39d7e7c8ec2fd2189325eb70c9e4b2dea1434cad1b768bc

                                SHA512

                                ef0ca3b5cdb5980586d886fa091efd67a51f031764628df01f3f7afb21c26484823bd86a6d29f2434b55fc766e101d80a1197d186404fe332fb1b4b0156700b6

                              • C:\Program Files\Bandicam\data\language.dat

                                Filesize

                                97KB

                                MD5

                                1a2907234b069c1e52ad296bceb630f0

                                SHA1

                                202f189aa148ab080225c6fb351b5e664847f8ea

                                SHA256

                                789704bfc14da7326bb4756b7339026d8915914905e821d57a69804b11a27bf0

                                SHA512

                                27a8b36ccf0353cb0fc41d1b41f0c66cfe7c41e95a79918498051c1c70b08d9a76ca0c9ca3f5361bf12a5f26be919766a84831ed4171690ab545f68c88612c85

                              • C:\Program Files\Bandicam\data\skin.dat

                                Filesize

                                886KB

                                MD5

                                2ebf0e7158b899a32ac072cc7d5f8d9b

                                SHA1

                                1b677c3e9fda3593f1fcbcc4b429800f06f3d5f7

                                SHA256

                                1814cfd6c5b79f65880fad7558a1cef35fd5f8f1f06f60e61945b58ab29f6ecd

                                SHA512

                                4b3fe1e6737296216e81b750ccac01a3ce77848fc7f6cb9344ea7ff6c352b988e8c8fe889ad7a850285e8b0fed90808aca12bfbcab206c4fdecb4b3b3f085e8d

                              • C:\Program Files\Bandicam\lang\English.ini

                                Filesize

                                135KB

                                MD5

                                4eaf9f783fe06f5ed362cdcf735687af

                                SHA1

                                28a76602a253fc165c83a8026037bbb8d4594242

                                SHA256

                                a6b5b9dbfb7a51aa91cea093e05699b28b55c92878b04887c72d7a23cfcb07b3

                                SHA512

                                286db775c95c171cbd4adde118b7af7616530ffeb4d337069b323f73ae966e2de9a75934a1af80c7f103c954c838e8e56acf020c21f65aa789a77bb9fb1ff0e5

                              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_49536AB5156BDD74EFF881D01C36A419

                                Filesize

                                471B

                                MD5

                                299868876d41f6e81bfdd0219ac691c7

                                SHA1

                                8348f369d6b61959f1246e46e6c8af2267904123

                                SHA256

                                865f91ecd933366ac960decb8e5e332d103f47c50eedf31101e63b6709462ce3

                                SHA512

                                3227aff461fccbdacfb9509a5319a0ab7da45c34ec2b1b3db2246a1da85df86df42137f86a6ff7925fdf63e36619d0b37d40b7a9b53afe75f6e57a0fb912b79d

                              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_49536AB5156BDD74EFF881D01C36A419

                                Filesize

                                412B

                                MD5

                                e550413634bf34295a08ab015f2d7fff

                                SHA1

                                0bd5d81b5fcdafa8ae1fc854148eda69d061d265

                                SHA256

                                7a86dd73e4ccbb5e75370f736dbf1d8c7fb7f7dcb17eb60abca74991f6bfe5aa

                                SHA512

                                694a9720b9d58fa573d0d6f350f713a1f15bb5517e90939965db347c5aceee7dc93adaa6b84d3ceaa1e0f0b7f0963eecc2931f4b90c8e4d555aca750950a8621

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                Filesize

                                152B

                                MD5

                                b28ef7d9f6d74f055cc49876767c886c

                                SHA1

                                d6b3267f36c340979f8fc3e012fdd02c468740bf

                                SHA256

                                fa6804456884789f4bdf9c3f5a4a8f29e0ededde149c4384072f3d8cc85bcc37

                                SHA512

                                491f893c8f765e5d629bce8dd5067cef4e2ebc558d43bfb05e358bca43e1a66ee1285519bc266fd0ff5b5e09769a56077b62ac55fa8797c1edf6205843356e75

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                Filesize

                                152B

                                MD5

                                584971c8ba88c824fd51a05dddb45a98

                                SHA1

                                b7c9489b4427652a9cdd754d1c1b6ac4034be421

                                SHA256

                                e2d8de6c2323bbb3863ec50843d9b58a22e911fd626d31430658b9ea942cd307

                                SHA512

                                5dbf1a4631a04d1149d8fab2b8e0e43ccd97b7212de43b961b9128a8bf03329164fdeb480154a8ffea5835f28417a7d2b115b8bf8d578d00b13c3682aa5ca726

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

                                Filesize

                                360B

                                MD5

                                b7b1f6d94ee837201f0db4917e2b24e8

                                SHA1

                                1c19ab18977b4b7f3b417175d0dafb2e449108a7

                                SHA256

                                3867cd4ecbd7de7f156112ce434241bec0285801b4c5f87ad90eb4f4769040df

                                SHA512

                                9d90ffd581da857d3dcd16b540f6894a4a3123ec0bf2209d1e39fe638ac9b21c5abf1b5dd80137a15c7b0d16366e5cfb67f128f50b1ced22d126edb0734e8570

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

                                Filesize

                                1KB

                                MD5

                                15c72c7209cf8933dccecc5f7f7e058e

                                SHA1

                                712697d59a21591261c30d9690ef9a8549b7115c

                                SHA256

                                1016470075cd6796cdceb00af27f8419b5d1f267229187c43fc790a89964c0d1

                                SHA512

                                77e8fb55e77d54edf4b76b47a2601f3d6bd7f791249f72bf474b9f7a196cce6f6b0d8cdebe0b5816b64168a9f36745e7a65e758ef13682aa1fc599210c9f2797

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                Filesize

                                5KB

                                MD5

                                4467439c9e50d080078d1c2b05003bda

                                SHA1

                                6902a3c4b7a8201d2dbbf3028d151be3892919e9

                                SHA256

                                5d7fdc29930f4399be49d9d4accfad2d11e88bf1b3eb65892ee05f5792ce747f

                                SHA512

                                f03ad4ba0cffb13eb04ec4b30abf40a8669d3ba677496fbb99a324b783e23be398cd820772978486cb95042a1d6771f0e31bb057fdfa1e8ef64c697d50d999ed

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                Filesize

                                7KB

                                MD5

                                8aa6f7b10a4fbc75eaf9f648c408c9af

                                SHA1

                                c7e7c7bcefc7828c52b205a110e3b361253bf94c

                                SHA256

                                c3c367d46d1a54734e24e24ce3d7d8419ebe154c2ba41d8c65938d8ea844fb52

                                SHA512

                                ca7f8a5cb055014c8b750cae9da5f0be125959f3abea359a9be82d62c473107338327c919216498f0a5c6ac3c129b38744110bbf9b82278ad752067c14885249

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

                                Filesize

                                16B

                                MD5

                                6752a1d65b201c13b62ea44016eb221f

                                SHA1

                                58ecf154d01a62233ed7fb494ace3c3d4ffce08b

                                SHA256

                                0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

                                SHA512

                                9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                Filesize

                                11KB

                                MD5

                                dd69001f2b4802c124ea40588b703876

• memory/1048-440-0x00007FF718250000-0x00007FF718FB9000-memory.dmp (Filesize 13.4MB)
• memory/1048-528-0x000001F655670000-0x000001F655B27000-memory.dmp (Filesize 4.7MB)
• memory/3952-236-0x00007FF718250000-0x00007FF718FB9000-memory.dmp (Filesize 13.4MB)
• memory/3952-235-0x00007FFE0C2B0000-0x00007FFE0C2B2000-memory.dmp (Filesize 8KB)