Analysis

  • max time kernel
    1799s
  • max time network
    1704s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240709-en
  • resource tags
    arch:x64, arch:x86, image:win11-20240709-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    26/07/2024, 17:24

General

  • Target

    bdcamsetup.exe

  • Size

    31.5MB

  • MD5

    cbb2dc1b64c5a21da53d79f0ad2e1bdb

  • SHA1

    b2e411fcbccedef4d3a64133aff5d5502291b24f

  • SHA256

    5aa1234eb23bef8628cdc9189879d629b418cd1d176c99c024a15c3bfe5e413a

  • SHA512

    73391f29a027f1184d2ed673667b86bd96eaf97df94e4fc13c03ec8913c9ff36f3a549b7a4f79f67755cdd8f61fe906e61de1559dd884f2623add72413b4841c

  • SSDEEP

    786432:fmDBQyG/qdx5SFTFI/Xoa74EJCvBLRUH0PYNr/h4vW:+D0qd/SFTFIcGyIpr/v

Malware Config

Signatures

  • Drops file in System32 directory (14 IoCs)
  • Event Triggered Execution: Component Object Model Hijacking (1 TTPs)

    Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

  • Suspicious use of NtSetInformationThreadHideFromDebugger (4 IoCs)
  • Checks installed software on the system (1 TTPs)

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in Program Files directory (64 IoCs)
  • Executes dropped EXE (3 IoCs)
  • Loads dropped DLL (18 IoCs)
  • Browser Information Discovery (1 TTPs)

    Enumerates browser information.

  • Enumerates physical storage devices (1 TTPs)

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Enumerates system info in registry (2 TTPs, 3 IoCs)
  • Modifies Internet Explorer settings (1 TTPs, 4 IoCs)
  • Modifies registry class (64 IoCs)
  • Suspicious behavior: EnumeratesProcesses (18 IoCs)
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (8 IoCs)
  • Suspicious use of AdjustPrivilegeToken (4 IoCs)
  • Suspicious use of FindShellTrayWindow (26 IoCs)
  • Suspicious use of SendNotifyMessage (13 IoCs)
  • Suspicious use of SetWindowsHookEx (5 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)
  • Uses Task Scheduler COM API (1 TTPs)

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\bdcamsetup.exe
    "C:\Users\Admin\AppData\Local\Temp\bdcamsetup.exe"
    1⤵
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Modifies Internet Explorer settings
    • Suspicious use of WriteProcessMemory
    PID:1112
    • C:\Users\Admin\AppData\Local\Temp\BDMPEG1SETUP.EXE
      "C:\Users\Admin\AppData\Local\Temp\BDMPEG1SETUP.EXE" /S
      2⤵
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:5008
      • C:\Windows\SysWOW64\regsvr32.exe
        "regsvr32" /s "C:\Program Files (x86)\BandiMPEG1\bdfilters64.dll"
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4848
        • C:\Windows\system32\regsvr32.exe
          /s "C:\Program Files (x86)\BandiMPEG1\bdfilters64.dll"
          4⤵
          • Loads dropped DLL
          • Modifies registry class
          PID:4436
    • C:\Program Files\Bandicam\bdcam.exe
      "C:\Program Files\Bandicam\bdcam.exe" /install
      2⤵
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Executes dropped EXE
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4224
      • C:\Windows\system32\rundll32.exe
        "C:\Windows\system32\rundll32.exe" "C:\Program Files\Bandicam\bdcamvk64.dll",RegDll
        3⤵
        • Loads dropped DLL
        PID:4984
      • C:\Windows\SysWOW64\rundll32.exe
        "C:\Windows\SysWOW64\rundll32.exe" "C:\Program Files\Bandicam\bdcamvk32.dll",RegDll
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        PID:4552
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.bandicam.com/f.php?id=eng_app_complete_install&v=2&lang=en
      2⤵
      • Enumerates system info in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:1636
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8196f3cb8,0x7ff8196f3cc8,0x7ff8196f3cd8
        3⤵
        PID:3620
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1920,8604453744555043982,9839554389749866790,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1948 /prefetch:2
        3⤵
        PID:4644
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1920,8604453744555043982,9839554389749866790,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2356 /prefetch:3
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:2028
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1920,8604453744555043982,9839554389749866790,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2788 /prefetch:8
        3⤵
        PID:1124
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,8604453744555043982,9839554389749866790,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
        3⤵
        PID:5008
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,8604453744555043982,9839554389749866790,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
        3⤵
        PID:2924
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,8604453744555043982,9839554389749866790,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4780 /prefetch:1
        3⤵
        PID:2308
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,8604453744555043982,9839554389749866790,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5348 /prefetch:1
        3⤵
        PID:720
      • C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1920,8604453744555043982,9839554389749866790,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5584 /prefetch:8
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:1828
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,8604453744555043982,9839554389749866790,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5572 /prefetch:1
        3⤵
        PID:880
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,8604453744555043982,9839554389749866790,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5628 /prefetch:1
        3⤵
        PID:448
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1920,8604453744555043982,9839554389749866790,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6060 /prefetch:8
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:3168
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,8604453744555043982,9839554389749866790,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5792 /prefetch:1
        3⤵
        PID:1844
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,8604453744555043982,9839554389749866790,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5428 /prefetch:1
        3⤵
        PID:3036
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1920,8604453744555043982,9839554389749866790,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4740 /prefetch:2
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:752
  • C:\Program Files\Bandicam\bdcam.exe
    "C:\Program Files\Bandicam\bdcam.exe" 0x0001A5D3
    1⤵
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Executes dropped EXE
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    PID:1276
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:1672
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:3952
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x00000000000004F4 0x00000000000004C8
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:4992

Network

MITRE ATT&CK Enterprise v15

Downloads

                            • C:\Program Files (x86)\BandiMPEG1\bdfilters.dll

                              Filesize

                              4.1MB

                              MD5

                              ed730387fdcd684b756601b863c47417

                              SHA1

                              c49ed6d0d46facf4ceaeb21f5d6bfdf9e3587fde

                              SHA256

                              9cbc29696ad2d582e251bf9c4be5cce618753fa43551d2474e1ae5cc5e1245e5

                              SHA512

                              e32df727799d33922c6e92f94a7bdb0bc2772d6a6636d15e285d94d3ae4661062e5bc89ec3546b76ec853398f88d972f461327ef687f89093acf1096560d5c3f

                            • C:\Program Files (x86)\BandiMPEG1\bdfilters64.dll

                              Filesize

                              4.6MB

                              MD5

                              13f7a29baa1e04f74151737cb71bd0e5

                              SHA1

                              0bc8682c6c96923a729aa6239aa53d95221b13ab

                              SHA256

                              008fababd36e8fbfd5f610a2c62d47963e78ec91e54ad69a1e20807445c3528d

                              SHA512

                              4cea11e88e8861c4094b227d85295c0d67452af703b0ec9dfe475797b87d03b40bc1f6b58dcc00996672c1c05d99b82dcc067bc429a1465ae90f4ec966f2bca8

                            • C:\Program Files\Bandicam\bandicam.ini

                              Filesize

                              27B

                              MD5

                              d025f448d8dde9678a0bf6dac26a61fa

                              SHA1

                              c457f5ceffb60e233e131187bb7d11e20ce831f2

                              SHA256

                              cac812c36cbbe7821ac92669643572fd33002815976a43d1820d47205f264f6b

                              SHA512

                              e5ed08fe970d0f2293792982a52616efc69fc0cf3e3b3a2e96f083ed72fe06e4bfa6ae23d7c04d6a0483eb402d43c37cd1e4bf73334a116368cc097ce4c81adf

                            • C:\Program Files\Bandicam\bdcam.exe

                              Filesize

                              13.4MB

                              MD5

                              995a92cc9018419ee100c0f19f40fc7f

                              SHA1

                              6a6347ac627a9fd035945c4a22b30a6d089a070a

                              SHA256

                              a8c3439c80e27c0a9eea4c13dd0fc263476a9d39ac7b0d3278be62e6e14f9ec0

                              SHA512

                              47ecd16b5d7fa1fdaedaebc075d5f12a6fed150e5309139a2d3c0559a04ced202788d24f252e7b0a775682adf90444cb1ad8be643f145dc91ab47ede55c00935

                            • C:\Program Files\Bandicam\bdcamvk32.dll

                              Filesize

                              1.5MB

                              MD5

                              9051ce47609c3670afedce797b9cc1c3

                              SHA1

                              6e7929058c8e011b1ac24e72f5c32570fb17b2b6

                              SHA256

                              07cfb828516e8ab690933df6012c97375b2825fa8784965eab2a4198b9b290da

                              SHA512

                              8f6712cbc68bdfb1c2b33a6231e33c57d476f20fe05299a22e95e6f47c4115a86efb750a97970aaec5132f99ff073aaa358fba63835fc1e3ef2cbce0a5009922

                            • C:\Program Files\Bandicam\bdcamvk64.dll

                              Filesize

                              1.9MB

                              MD5

                              f488d01d37cdab9bbecf59632343f12f

                              SHA1

                              7d2914422378a17fa0551b71336a053e94d5a1c7

                              SHA256

                              7e3f8e9cb1c074af15384312568ff9b181cebcc452756d229adfd22fb163a1eb

                              SHA512

                              b605ba7aa17fe43a389061a77e21791845dccd55ca8a2e98cd38e0f730fe73560014de57f9069ae93906dd215c63b4f53b64b63849cdbdc13dce71052d7824b2

                            • C:\Program Files\Bandicam\bdcap64.dll

                              Filesize

                              21.2MB

                              MD5

                              7214c7b4d2064db6827e2c3308a740de

                              SHA1

                              45bc92de40161252010dbde86a6637f34bcc46cb

                              SHA256

                              a7c59f782bc88f2fa39d7e7c8ec2fd2189325eb70c9e4b2dea1434cad1b768bc

                              SHA512

                              ef0ca3b5cdb5980586d886fa091efd67a51f031764628df01f3f7afb21c26484823bd86a6d29f2434b55fc766e101d80a1197d186404fe332fb1b4b0156700b6

                            • C:\Program Files\Bandicam\data\language.dat

                              Filesize

                              97KB

                              MD5

                              1a2907234b069c1e52ad296bceb630f0

                              SHA1

                              202f189aa148ab080225c6fb351b5e664847f8ea

                              SHA256

                              789704bfc14da7326bb4756b7339026d8915914905e821d57a69804b11a27bf0

                              SHA512

                              27a8b36ccf0353cb0fc41d1b41f0c66cfe7c41e95a79918498051c1c70b08d9a76ca0c9ca3f5361bf12a5f26be919766a84831ed4171690ab545f68c88612c85

                            • C:\Program Files\Bandicam\data\skin.dat

                              Filesize

                              886KB

                              MD5

                              2ebf0e7158b899a32ac072cc7d5f8d9b

                              SHA1

                              1b677c3e9fda3593f1fcbcc4b429800f06f3d5f7

                              SHA256

                              1814cfd6c5b79f65880fad7558a1cef35fd5f8f1f06f60e61945b58ab29f6ecd

                              SHA512

                              4b3fe1e6737296216e81b750ccac01a3ce77848fc7f6cb9344ea7ff6c352b988e8c8fe889ad7a850285e8b0fed90808aca12bfbcab206c4fdecb4b3b3f085e8d

                            • C:\Program Files\Bandicam\lang\English.ini

                              Filesize

                              135KB

                              MD5

                              4eaf9f783fe06f5ed362cdcf735687af

                              SHA1

                              28a76602a253fc165c83a8026037bbb8d4594242

                              SHA256

                              a6b5b9dbfb7a51aa91cea093e05699b28b55c92878b04887c72d7a23cfcb07b3

                              SHA512

                              286db775c95c171cbd4adde118b7af7616530ffeb4d337069b323f73ae966e2de9a75934a1af80c7f103c954c838e8e56acf020c21f65aa789a77bb9fb1ff0e5

                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_49536AB5156BDD74EFF881D01C36A419

                              Filesize

                              471B

                              MD5

                              299868876d41f6e81bfdd0219ac691c7

                              SHA1

                              8348f369d6b61959f1246e46e6c8af2267904123

                              SHA256

                              865f91ecd933366ac960decb8e5e332d103f47c50eedf31101e63b6709462ce3

                              SHA512

                              3227aff461fccbdacfb9509a5319a0ab7da45c34ec2b1b3db2246a1da85df86df42137f86a6ff7925fdf63e36619d0b37d40b7a9b53afe75f6e57a0fb912b79d

                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_49536AB5156BDD74EFF881D01C36A419

                              Filesize

                              412B

                              MD5

                              1d1c869d85ae11559e4398e89f9dfc37

                              SHA1

                              55a5fe9e9fc086a0ab1eada0f20d7eb8d50c9f56

                              SHA256

                              c2be584720d733967489560e6e39268114df5b04f549716cea162da72a5b50a9

                              SHA512

                              91e28acbb91eb8e7966f016d96d57575009b135fbaa7aab5483e49b31c6b0ffbfec18ad533a08ac147557eddb917582743d3da3dc7ff478b83c380474daec0ff

                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                              Filesize

                              152B

                              MD5

                              f53eb880cad5acef8c91684b1a94eed6

                              SHA1

                              afab2b1015fecbc986c1f4a8a6d27adff6f6fde9

                              SHA256

                              5cb8554e763313f3d46766ab868f9d481e3644bfc037f7b8fe43d75d87405a27

                              SHA512

                              d53f3965428f73c0dfed1d941a9ff06eb70b254732410b815bc759b8c7904e11292ad7e9624c12cccaed6763e7bea68208bc0b67fc70b7616d25bda143833794

                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                              Filesize

                              152B

                              MD5

                              b0499f1feacbab5a863b23b1440161a5

                              SHA1

                              37a982ece8255b9e0baadb9c596112395caf9c12

                              SHA256

                              41799b5bbdb95da6a57ae553b90de65b80264ca65406f11eea46bcb87a5882a7

                              SHA512

                              4cf9a8547a1527b1df13905c2a206a6e24e706e0bc174550caeefabfc8c1c8a40030e8958680cd7d34e815873a7a173abe40c03780b1c4c2564382f1ceed9260

                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

                              Filesize

                              384B

                              MD5

                              8a416e4e7407956dc38ef2d8649af474

                              SHA1

                              4b7890b6c7f800615d0ae3473331d3a3871ceafb

                              SHA256

                              5fe6b45f72ec98753eccf894cbd3d20b8241c0831391e0af0c55499170beb40f

                              SHA512

                              ea183e8cc7d10c805cd6df728bf16956e5129faf1c998007e138b5b118ae21c1b1a3d4007d7da506276fe8b2d8ecc3cb56b5a32dc3715478d5b837ac7132ad1f

                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

                              Filesize

                              1KB

                              MD5

                              6ff995b2299b4a8c41119e6c1535bb09

                              SHA1

                              f196ffb5c443e17327a37825fa28fc6897a99cb4

                              SHA256

                              0daea310e307973f9f5fb533a9af46946ffd65f962441f225823cae8dd6787f0

                              SHA512

                              b210f5beabe534e7c7a4a89c0f834fec7b835e024b3679bb32683a65e6f992c43a24b6b590e6efe539c15643599246214476a6313092f89b436015bf71780b62

                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                              Filesize

                              5KB

                              MD5

                              50125b51ae62ddd1ee43bd61c79732bf

                              SHA1

                              8b4726579398801ef0f65171796476461e736bbc

                              SHA256

                              775f7b1bffc66148a71691e9e0a81629bc7d42348693de02a59f86e004787d64

                              SHA512

                              f014196d50b900f7912c4b39d97791e9f962cdeb7d7fc1f34debff2bc7ed9cc69d63259a83119fa2375dfc71adcad5358f4d4691858c7f81b62e14eff36cff8c

                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                              Filesize

                              6KB

                              MD5

                              8b125aa06bc8e09081a3275b966ebea2

                              SHA1

                              b4987d4a63a5c2714d411355577d6d4e0a82a23a

                              SHA256

                              85ea78f26f73bea84cb80f125bce57895f2d4050534aee471ad5dcbe15f00c1e

                              SHA512

                              3e4e03faf920bc5fe28df99aac906bf933eeff380fe29564f5871ae0492711533654a1e3b3a15f1aa6a19ea04ce751d8ff0d7a15682509366330af74d3632146

                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

                              Filesize

                              16B

                              MD5

                              46295cac801e5d4857d09837238a6394

                              SHA1

                              44e0fa1b517dbf802b18faf0785eeea6ac51594b

                              SHA256

                              0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

                              SHA512

                              8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

                              Filesize

                              16B

                              MD5

                              206702161f94c5cd39fadd03f4014d98

                              SHA1

                              bd8bfc144fb5326d21bd1531523d9fb50e1b600a

                              SHA256

                              1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

                              SHA512

                              0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                              Filesize

                              11KB

                              MD5

                              a3eeb0d2edd03f754367fe5457885635

                              SHA1

                              fbc2fa450ad16e3249d00a416e87b637331a158c

                              SHA256

                              951439aa5fc78efd1f29b563b66a52b8e13fda191494d1f50efad2d3aa0ba163

                              SHA512

                              82ee0f0fa3cfe021803e6c7e5c75ceb0582517abf8948df92fc4f240b682193a9b515efd71715063a1b2f4585d23c607c80b2dfd01e9ea652fceabd584f87410

                            • C:\Users\Admin\AppData\Local\Temp\BDMPEG1SETUP.EXE

                              Filesize

                              1.4MB

                              MD5

                              461d135a4fccd51bbae38f742e123fd3

                              SHA1

                              c12a442fbcd4a9c44102f0a560ba03d59bc501ed

                              SHA256

                              4c441e7d744a2a273f780103bcf5bcb1e32c2d9c6a32b62f9044b32107544079

                              SHA512

                              41eb816bf0cc0ca12b5c6c07517cd718b8701255ea81e94ffc937f2538b8cdf5db24751cdbc22fefd6496b767fc0d631fea76216b0363f4b625557097b3caaee

                            • C:\Users\Admin\AppData\Local\Temp\nsb7CF5.tmp\System.dll

                              Filesize

                              11KB

                              MD5

                              959ea64598b9a3e494c00e8fa793be7e

                              SHA1

                              40f284a3b92c2f04b1038def79579d4b3d066ee0

                              SHA256

                              03cd57ab00236c753e7ddeee8ee1c10839ace7c426769982365531042e1f6f8b

                              SHA512

                              5e765e090f712beffce40c5264674f430b08719940d66e3a4d4a516fd4ade859f7853f614d9d6bbb602780de54e11110d66dbb0f9ca20ef6096ede531f9f6d64

                            • C:\Users\Admin\AppData\Local\Temp\nsqE1D5.tmp\Dialer.dll
                              Filesize: 3KB
                              MD5: 6e7e197ffa13cea15434b221b96b3202
                              SHA1: 5fc93dca4a33d79d8601e888daa21a1d0e02eab3
                              SHA256: cb94aead070194af4d3b01f80ef85f227a70b5cfcfa305d26c3b42b8853ac6b4
                              SHA512: 4d294929ba55e145027107aeef135d918f2d6ec4a7e3b9fc8fc028924019d1987c12202cf37e9adf18a70a02fb321de7f060c4977de874687fc8a4d924cfb19e


                            • C:\Users\Admin\AppData\Local\Temp\nsqE1D5.tmp\InstallOptions.dll
                              Filesize: 15KB
                              MD5: 720304c57dcfa17751ed455b3bb9c10a
                              SHA1: 59a1c3a746de10b8875229ff29006f1fd36b1e41
                              SHA256: 6486029d3939231bd9f10457fd9a5ab2e44f30315af443197a3347df4e18c4e9
                              SHA512: c64c161290f5c21d642ecf16cc6ad3ee4a31bf5bab41c65c74907a5c158eaca429ef99cd8d2b55dc2ecb8478bb0b85c1576402389a07568f36c871b2772ead04


                            • C:\Users\Admin\AppData\Local\Temp\nsqE1D5.tmp\LangDLL.dll
                              Filesize: 5KB
                              MD5: f1e9eed02db3a822a7ddef0c724e5f1f
                              SHA1: 65864992f5b6c79c5efbefb5b1354648a8a86709
                              SHA256: 6dff504c6759c418c6635c9b25b8c91d0d9ef7787a3a93610d7670bb563c09df
                              SHA512: c22b64fff76b25cf53231b8636f07b361d95791c4646787ce7beac27ad6a0de88337dcceb25b5196f97c452dda72e2614647f51a8a18cb4d5228a82ed2e0780c


                            • C:\Users\Admin\AppData\Local\Temp\nsqE1D5.tmp\ShellExecAsUser.dll
                              Filesize: 43KB
                              MD5: 552cba3c6c9987e01be178e1ee22d36b
                              SHA1: 4c0ab0127453b0b53aeb27e407859bccb229ea1b
                              SHA256: 1f17e4d5ffe7b2c9a396ee9932ac5198f0c050241e5f9ccd3a56e576613d8a29
                              SHA512: 9bcf47b62ca8ffa578751008cae523d279cdb1699fd916754491899c31ace99f18007ed0e2cbe9902abf132d516259b5fb283379d2fead37c76b19e2e835e95a


                            • C:\Users\Admin\AppData\Local\Temp\nsqE1D5.tmp\System.dll
                              Filesize: 11KB
                              MD5: 17ed1c86bd67e78ade4712be48a7d2bd
                              SHA1: 1cc9fe86d6d6030b4dae45ecddce5907991c01a0
                              SHA256: bd046e6497b304e4ea4ab102cab2b1f94ce09bde0eebba4c59942a732679e4eb
                              SHA512: 0cbed521e7d6d1f85977b3f7d3ca7ac34e1b5495b69fd8c7bfa1a846baf53b0ecd06fe1ad02a3599082ffacaf8c71a3bb4e32dec05f8e24859d736b828092cd5


                            • C:\Users\Admin\AppData\Local\Temp\nsqE1D5.tmp\UserInfo.dll
                              Filesize: 4KB
                              MD5: 1b446b36f5b4022d50ffdc0cf567b24a
                              SHA1: d9a0a99fe5ea3932cbd2774af285ddf35fcdd4f9
                              SHA256: 2862c7bc7f11715cebdea003564a0d70bf42b73451e2b672110e1392ec392922
                              SHA512: 04ab80568f6da5eef2bae47056391a5de4ba6aff15cf4a2d0a9cc807816bf565161731921c65fe5ff748d2b86d1661f6aa4311c65992350bd63a9f092019f1b8


                            • C:\Users\Admin\AppData\Local\Temp\nsqE1D5.tmp\ioSpecial.ini
                              Filesize: 1KB
                              MD5: e78ca9704d25f8c56df8369cc6c2a071
                              SHA1: cf286bf7a7134ea8e1704d54855d41e6f0e12beb
                              SHA256: dcb74a57f74f8eb1c3dedc18ab248309b60f1b551a8b8d3e1a9913a08ed3ba2a
                              SHA512: 0aab4d2a71cc0ef29cbd2dd1ea351feaa99db5231cac0163d2d826dd5b9b4784b78d593ff11d3b5d6dae4e140800af78415e450b3e30137dc9dc4e188e22bb4b


                            • C:\Users\Admin\AppData\Local\Temp\nsqE1D5.tmp\ioSpecial.ini
                              Filesize: 1KB
                              MD5: bfbd2151d94842168ecc6d2f5dca0358
                              SHA1: e57f8865401592d2758fdf276a4043e905267dcd
                              SHA256: 0a614f51564588b9c95893174cd618e936a1f8e56b6c7ae07fff28ba93efd84c
                              SHA512: 27790cc08ef482e14e3033f4c0d11cc53737f1122f90ba15ff0a766ef7869f4183b097d32d5756f68f9c8aa59469b57ab06aa8af4949e6f25cb6ac3f605861c5


                            • C:\Users\Admin\AppData\Local\Temp\nsqE1D5.tmp\ioSpecial.ini
                              Filesize: 1KB
                              MD5: 0475a65cfe471749c783a180bdd6fcb1
                              SHA1: c2cd16843314a6ace0dcfe0c1b817c21d2cbe206
                              SHA256: b9697c6224681ef586faa150066cb272327552f89ffa5c690805a98c185fab39
                              SHA512: 79b5a69d6aa503ce603bc6cf86290547ff91a3518c0b712118560af946fa8690119424748234ef534b6e02c6640353fcea980e012b12c24435c49795c36bccf0


                            • memory/1276-459-0x00007FF7863F0000-0x00007FF787159000-memory.dmp
                              Filesize: 13.4MB

                            • memory/4224-236-0x00007FF7863F0000-0x00007FF787159000-memory.dmp
                              Filesize: 13.4MB

                            • memory/4224-235-0x00007FF82D510000-0x00007FF82D512000-memory.dmp
                              Filesize: 8KB