b7a72c3f23c3e265caa74c60acbef350b268745c1e451a27e915011c720155f8

Resubmissions

13-10-2024 11:52

241013-n15qrsvdrc 5

13-10-2024 11:50

241013-nzlaqszcqk 5

Analysis

max time kernel
144s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
13-10-2024 11:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

BDCAMSETUP_ENG_4_1_2_1385.exe
Size

17.1MB
MD5

f16613c3a3b77319538c9d5aaa2901b8
SHA1

64c2e645d00f5cabee070dec31527e021ba2edc3
SHA256

b7a72c3f23c3e265caa74c60acbef350b268745c1e451a27e915011c720155f8
SHA512

34593fcb6738acbd3fb455c03a018648d2650c7c589de000d3fdfa6bc4b29364eeffd962f106870e5868af8dd941a858ee6b8e27d9759e79bccaa222a1fffaa1
SSDEEP

393216:xHtmmkxvpntFfcAeBhgUDnuUS+qjkS5LsTQAqy0hPusNfznm4h4:jmmkxx0D7uU+hAqy0jNr/h4

Score

5^/10

discovery persistence privilege_escalation

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	bdcam.exe

Drops file in System32 directory 10 IoCs

description	ioc	Process
File created	C:\Windows\system32\D3DCompiler_47.dll	BDCAMSETUP_ENG_4_1_2_1385.exe
File created	C:\Windows\SysWOW64\bdmjpeg.dll	BDMPEG1SETUP.EXE
File created	C:\Windows\SysWOW64\bdmpega.acm	BDMPEG1SETUP.EXE
File created	C:\Windows\system32\bdmjpeg64.dll	BDMPEG1SETUP.EXE
File created	C:\Windows\system32\bdmpegv64.dll	BDMPEG1SETUP.EXE
File created	C:\Windows\system32\bdmpega64.acm	BDMPEG1SETUP.EXE
File created	C:\Windows\system32\vcomp140.dll	BDCAMSETUP_ENG_4_1_2_1385.exe
File created	C:\Windows\SysWOW64\bdmpegv.dll	BDMPEG1SETUP.EXE
File created	C:\Windows\SysWOW64\vcomp140.dll	BDCAMSETUP_ENG_4_1_2_1385.exe
File created	C:\Windows\SysWOW64\D3DCompiler_47.dll	BDCAMSETUP_ENG_4_1_2_1385.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

pid	Process
3508	bdcam.exe
1052	bdcam.exe
3628	bdcam.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Bandicam\lang\Spanish.ini	BDCAMSETUP_ENG_4_1_2_1385.exe
File created	C:\Program Files (x86)\Bandicam\lang\Swedish.ini	BDCAMSETUP_ENG_4_1_2_1385.exe
File created	C:\Program Files (x86)\Bandicam\lang\Urdu.ini	BDCAMSETUP_ENG_4_1_2_1385.exe
File created	C:\Program Files (x86)\Bandicam\lang\Serbian.ini	BDCAMSETUP_ENG_4_1_2_1385.exe
File created	C:\Program Files (x86)\Bandicam\lang\Simplified_Chinese.ini	BDCAMSETUP_ENG_4_1_2_1385.exe
File created	C:\Program Files (x86)\Bandicam\RegVulkanLayer.bat	BDCAMSETUP_ENG_4_1_2_1385.exe
File created	C:\Program Files (x86)\Bandicam\lang\Armenian.ini	BDCAMSETUP_ENG_4_1_2_1385.exe
File created	C:\Program Files (x86)\Bandicam\lang\Kurdish.ini	BDCAMSETUP_ENG_4_1_2_1385.exe
File created	C:\Program Files (x86)\Bandicam\lang\Farsi.ini	BDCAMSETUP_ENG_4_1_2_1385.exe
File created	C:\Program Files (x86)\Bandicam\lang\khmer.ini	BDCAMSETUP_ENG_4_1_2_1385.exe
File created	C:\Program Files (x86)\Bandicam\bdcam64.dll	BDCAMSETUP_ENG_4_1_2_1385.exe
File created	C:\Program Files (x86)\Bandicam\lang\Czech.ini	BDCAMSETUP_ENG_4_1_2_1385.exe
File created	C:\Program Files (x86)\Bandicam\lang\Dutch.ini	BDCAMSETUP_ENG_4_1_2_1385.exe
File created	C:\Program Files (x86)\Bandicam\amf-core-windesktop32.dll	BDCAMSETUP_ENG_4_1_2_1385.exe
File created	C:\Program Files (x86)\Bandicam\lang\Portuguese.ini	BDCAMSETUP_ENG_4_1_2_1385.exe
File created	C:\Program Files (x86)\BandiMPEG1\bdfilters.dll	BDMPEG1SETUP.EXE
File created	C:\Program Files (x86)\Bandicam\bdfix.exe	BDCAMSETUP_ENG_4_1_2_1385.exe
File created	C:\Program Files (x86)\Bandicam\bandicam.ini	BDCAMSETUP_ENG_4_1_2_1385.exe
File created	C:\Program Files (x86)\Bandicam\lang\Slovak.ini	BDCAMSETUP_ENG_4_1_2_1385.exe
File created	C:\Program Files (x86)\Bandicam\lang\Thai.ini	BDCAMSETUP_ENG_4_1_2_1385.exe
File created	C:\Program Files (x86)\Bandicam\lang\Uzbek.ini	BDCAMSETUP_ENG_4_1_2_1385.exe
File created	C:\Program Files (x86)\Bandicam\lang\Hebrew.ini	BDCAMSETUP_ENG_4_1_2_1385.exe
File created	C:\Program Files (x86)\Bandicam\lang\Indonesian.ini	BDCAMSETUP_ENG_4_1_2_1385.exe
File created	C:\Program Files (x86)\Bandicam\lang\Serbian(Cyrillic).ini	BDCAMSETUP_ENG_4_1_2_1385.exe
File created	C:\Program Files (x86)\Bandicam\lang\Arabic.ini	BDCAMSETUP_ENG_4_1_2_1385.exe
File created	C:\Program Files (x86)\Bandicam\lang\Croatian.ini	BDCAMSETUP_ENG_4_1_2_1385.exe
File created	C:\Program Files (x86)\Bandicam\lang\German.ini	BDCAMSETUP_ENG_4_1_2_1385.exe
File created	C:\Program Files (x86)\Bandicam\lang\Portuguese(BR).ini	BDCAMSETUP_ENG_4_1_2_1385.exe
File created	C:\Program Files (x86)\Bandicam\data\stop.wav	BDCAMSETUP_ENG_4_1_2_1385.exe
File created	C:\Program Files (x86)\BandiMPEG1\uninstall.exe	BDMPEG1SETUP.EXE
File created	C:\Program Files (x86)\Bandicam\bdcam64.bin	BDCAMSETUP_ENG_4_1_2_1385.exe
File created	C:\Program Files (x86)\Bandicam\translators.txt	BDCAMSETUP_ENG_4_1_2_1385.exe
File created	C:\Program Files (x86)\Bandicam\data\skin.dat	BDCAMSETUP_ENG_4_1_2_1385.exe
File created	C:\Program Files (x86)\Bandicam\lang\Belarusian.ini	BDCAMSETUP_ENG_4_1_2_1385.exe
File created	C:\Program Files (x86)\Bandicam\lang\Bosnian.ini	BDCAMSETUP_ENG_4_1_2_1385.exe
File created	C:\Program Files (x86)\Bandicam\lang\Greek.ini	BDCAMSETUP_ENG_4_1_2_1385.exe
File created	C:\Program Files (x86)\Bandicam\lang\Latvian.ini	BDCAMSETUP_ENG_4_1_2_1385.exe
File created	C:\Program Files (x86)\Bandicam\data\sample.png	BDCAMSETUP_ENG_4_1_2_1385.exe
File created	C:\Program Files (x86)\Bandicam\bdcam.exe	BDCAMSETUP_ENG_4_1_2_1385.exe
File created	C:\Program Files (x86)\Bandicam\bdcap32.dll	BDCAMSETUP_ENG_4_1_2_1385.exe
File created	C:\Program Files (x86)\Bandicam\bdcamvk32.dll	BDCAMSETUP_ENG_4_1_2_1385.exe
File created	C:\Program Files (x86)\Bandicam\data\lclick.wav	BDCAMSETUP_ENG_4_1_2_1385.exe
File created	C:\Program Files (x86)\Bandicam\lang\Vietnamese.ini	BDCAMSETUP_ENG_4_1_2_1385.exe
File created	C:\Program Files (x86)\Bandicam\lang\English.ini	BDCAMSETUP_ENG_4_1_2_1385.exe
File created	C:\Program Files (x86)\Bandicam\lang\Italian.ini	BDCAMSETUP_ENG_4_1_2_1385.exe
File created	C:\Program Files (x86)\Bandicam\lang\Turkish.ini	BDCAMSETUP_ENG_4_1_2_1385.exe
File created	C:\Program Files (x86)\Bandicam\lang\Ukrainian.ini	BDCAMSETUP_ENG_4_1_2_1385.exe
File created	C:\Program Files (x86)\Bandicam\data\effects.dat	BDCAMSETUP_ENG_4_1_2_1385.exe
File created	C:\Program Files (x86)\Bandicam\uninstall.exe	BDCAMSETUP_ENG_4_1_2_1385.exe
File created	C:\Program Files (x86)\Bandicam\lang\Danish.ini	BDCAMSETUP_ENG_4_1_2_1385.exe
File created	C:\Program Files (x86)\Bandicam\lang\Georgian.ini	BDCAMSETUP_ENG_4_1_2_1385.exe
File created	C:\Program Files (x86)\Bandicam\lang\Russian.ini	BDCAMSETUP_ENG_4_1_2_1385.exe
File created	C:\Program Files (x86)\Bandicam\lang\Norwegian.ini	BDCAMSETUP_ENG_4_1_2_1385.exe
File created	C:\Program Files (x86)\Bandicam\lang\Polish.ini	BDCAMSETUP_ENG_4_1_2_1385.exe
File created	C:\Program Files (x86)\BandiMPEG1\bdfilters64.dll	BDMPEG1SETUP.EXE
File created	C:\Program Files (x86)\Bandicam\bdcamvk64.dll	BDCAMSETUP_ENG_4_1_2_1385.exe
File created	C:\Program Files (x86)\Bandicam\lang\Lithuanian.ini	BDCAMSETUP_ENG_4_1_2_1385.exe
File created	C:\Program Files (x86)\Bandicam\lang\Romanian.ini	BDCAMSETUP_ENG_4_1_2_1385.exe
File created	C:\Program Files (x86)\Bandicam\data\language.dat	BDCAMSETUP_ENG_4_1_2_1385.exe
File created	C:\Program Files (x86)\Bandicam\data\start.wav	BDCAMSETUP_ENG_4_1_2_1385.exe
File created	C:\Program Files (x86)\Bandicam\lang\Azerbaijani.ini	BDCAMSETUP_ENG_4_1_2_1385.exe
File created	C:\Program Files (x86)\Bandicam\lang\Bulgarian.ini	BDCAMSETUP_ENG_4_1_2_1385.exe
File created	C:\Program Files (x86)\Bandicam\lang\Burmese.ini	BDCAMSETUP_ENG_4_1_2_1385.exe
File created	C:\Program Files (x86)\Bandicam\bdcamih.dll	BDCAMSETUP_ENG_4_1_2_1385.exe

Executes dropped EXE 6 IoCs

pid	Process
3188	BDMPEG1SETUP.EXE
3508	bdcam.exe
1052	bdcam.exe
892	bdcam64.bin
3628	bdcam.exe
4944	bdcam64.bin

Loads dropped DLL 32 IoCs

pid	Process
4052	BDCAMSETUP_ENG_4_1_2_1385.exe
4052	BDCAMSETUP_ENG_4_1_2_1385.exe
4052	BDCAMSETUP_ENG_4_1_2_1385.exe
4052	BDCAMSETUP_ENG_4_1_2_1385.exe
4052	BDCAMSETUP_ENG_4_1_2_1385.exe
4052	BDCAMSETUP_ENG_4_1_2_1385.exe
4052	BDCAMSETUP_ENG_4_1_2_1385.exe
4052	BDCAMSETUP_ENG_4_1_2_1385.exe
4052	BDCAMSETUP_ENG_4_1_2_1385.exe
4052	BDCAMSETUP_ENG_4_1_2_1385.exe
3188	BDMPEG1SETUP.EXE
5068	regsvr32.exe
1980	regsvr32.exe
3188	BDMPEG1SETUP.EXE
1216	rundll32.exe
3916	rundll32.exe
3508	bdcam.exe
4052	BDCAMSETUP_ENG_4_1_2_1385.exe
4052	BDCAMSETUP_ENG_4_1_2_1385.exe
1052	bdcam.exe
1052	bdcam.exe
892	bdcam64.bin
2652	msedge.exe
1052	bdcam.exe
3344	WerFault.exe
2868	identity_helper.exe
3628	bdcam.exe
3628	bdcam.exe
4944	bdcam64.bin
3512	Process not Found
3628	bdcam.exe
3368	WerFault.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3344	1052	WerFault.exe	99
3368	3628	WerFault.exe	131

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BDCAMSETUP_ENG_4_1_2_1385.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BDMPEG1SETUP.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bdcam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bdcam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bdcam.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_SCRIPTURL_MITIGATION	BDCAMSETUP_ENG_4_1_2_1385.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SCRIPTURL_MITIGATION\bdcam.exe = "1"	BDCAMSETUP_ENG_4_1_2_1385.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION	BDCAMSETUP_ENG_4_1_2_1385.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\bdcam.exe = "11000"	BDCAMSETUP_ENG_4_1_2_1385.exe

Modifies registry class 56 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A1C6833E-A3EC-4397-9FA9-151792F3408F}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{E2E7539A-CECF-4A6A-B187-939943ECEF05}	BDMPEG1SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{E2E7539A-CECF-4A6A-B187-939943ECEF05}\CLSID = "{E2E7539A-CECF-4A6A-B187-939943ECEF05}"	BDMPEG1SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E2E7539A-CECF-4A6A-B187-939943ECEF05}\InprocServer32\ = "C:\\Program Files (x86)\\BandiMPEG1\\bdfilters64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{E2E7539A-CECF-4A6A-B187-939943ECEF05}\CLSID = "{E2E7539A-CECF-4A6A-B187-939943ECEF05}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}\InprocServer32	BDMPEG1SETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A1C6833E-A3EC-4397-9FA9-151792F3408F}\InprocServer32	BDMPEG1SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}\CLSID = "{89C4B786-A490-4A3E-AA70-E6A8C61D3689}"	BDMPEG1SETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E2E7539A-CECF-4A6A-B187-939943ECEF05}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F4F5C9E9-CFCC-4C65-A8BD-0423A338F188}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{E2E7539A-CECF-4A6A-B187-939943ECEF05}\FriendlyName = "Bandicam MPEG-1 Audio Decoder"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E2E7539A-CECF-4A6A-B187-939943ECEF05}	BDMPEG1SETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E2E7539A-CECF-4A6A-B187-939943ECEF05}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E2E7539A-CECF-4A6A-B187-939943ECEF05}\ = "Bandicam MPEG-1 Audio Decoder"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E2E7539A-CECF-4A6A-B187-939943ECEF05}\InprocServer32\ThreadingModel = "Both"	BDMPEG1SETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A1C6833E-A3EC-4397-9FA9-151792F3408F}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{E2E7539A-CECF-4A6A-B187-939943ECEF05}\FilterData = 02000000010080ff020000000000000030706933000000000000000001000000000000000000000030747933000000006000000070000000317069330800000000000000010000000000000000000000307479330000000060000000800000006175647300001000800000aa00389b715000000000001000800000aa00389b710100000000001000800000aa00389b71	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}	BDMPEG1SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E2E7539A-CECF-4A6A-B187-939943ECEF05}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F4F5C9E9-CFCC-4C65-A8BD-0423A338F188}\InprocServer32\ = "C:\\Program Files (x86)\\BandiMPEG1\\bdfilters64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}\ = "Bandicam MPEG-1 Video Decoder"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A1C6833E-A3EC-4397-9FA9-151792F3408F}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F4F5C9E9-CFCC-4C65-A8BD-0423A338F188}\ = "Bandicam MPEG-1 Audio Property"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}\FriendlyName = "Bandicam MPEG-1 Video Decoder"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}\InprocServer32\ThreadingModel = "Both"	BDMPEG1SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A1C6833E-A3EC-4397-9FA9-151792F3408F}\InprocServer32\ThreadingModel = "Both"	BDMPEG1SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{E2E7539A-CECF-4A6A-B187-939943ECEF05}\FriendlyName = "Bandicam MPEG-1 Audio Decoder"	BDMPEG1SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}\InprocServer32\ = "C:\\Program Files (x86)\\BandiMPEG1\\bdfilters.dll"	BDMPEG1SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A1C6833E-A3EC-4397-9FA9-151792F3408F}\ = "Bandicam MPEG-1 Video Property"	BDMPEG1SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E2E7539A-CECF-4A6A-B187-939943ECEF05}\ = "Bandicam MPEG-1 Audio Decoder"	BDMPEG1SETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A1C6833E-A3EC-4397-9FA9-151792F3408F}\ = "Bandicam MPEG-1 Video Property"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E2E7539A-CECF-4A6A-B187-939943ECEF05}\InprocServer32	BDMPEG1SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F4F5C9E9-CFCC-4C65-A8BD-0423A338F188}\InprocServer32\ = "C:\\Program Files (x86)\\BandiMPEG1\\bdfilters.dll"	BDMPEG1SETUP.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{E2E7539A-CECF-4A6A-B187-939943ECEF05}\FilterData = 02000000010080ff020000000000000030706933000000000000000001000000000000000000000030747933000000006000000070000000317069330800000000000000010000000000000000000000307479330000000060000000800000006175647300001000800000aa00389b715000000000001000800000aa00389b710100000000001000800000aa00389b71	BDMPEG1SETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F4F5C9E9-CFCC-4C65-A8BD-0423A338F188}	BDMPEG1SETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}	BDMPEG1SETUP.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}\FilterData = 02000000010080ff02000000000000003070693300000000000000000200000000000000000000003074793300000000700000008000000031747933000000007000000090000000317069330800000000000000010000000000000000000000307479330000000070000000a00000007669647300001000800000aa00389b714d50454700001000800000aa00389b714d50473100001000800000aa00389b7100000000000000000000000000000000	BDMPEG1SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}\InprocServer32\ = "C:\\Program Files (x86)\\BandiMPEG1\\bdfilters64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A1C6833E-A3EC-4397-9FA9-151792F3408F}\InprocServer32\ = "C:\\Program Files (x86)\\BandiMPEG1\\bdfilters.dll"	BDMPEG1SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F4F5C9E9-CFCC-4C65-A8BD-0423A338F188}\ = "Bandicam MPEG-1 Audio Property"	BDMPEG1SETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F4F5C9E9-CFCC-4C65-A8BD-0423A338F188}\InprocServer32	BDMPEG1SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A1C6833E-A3EC-4397-9FA9-151792F3408F}\InprocServer32\ = "C:\\Program Files (x86)\\BandiMPEG1\\bdfilters64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}\ = "Bandicam MPEG-1 Video Decoder"	BDMPEG1SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E2E7539A-CECF-4A6A-B187-939943ECEF05}\InprocServer32\ = "C:\\Program Files (x86)\\BandiMPEG1\\bdfilters.dll"	BDMPEG1SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F4F5C9E9-CFCC-4C65-A8BD-0423A338F188}\InprocServer32\ThreadingModel = "Both"	BDMPEG1SETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{E2E7539A-CECF-4A6A-B187-939943ECEF05}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F4F5C9E9-CFCC-4C65-A8BD-0423A338F188}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F4F5C9E9-CFCC-4C65-A8BD-0423A338F188}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}\CLSID = "{89C4B786-A490-4A3E-AA70-E6A8C61D3689}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A1C6833E-A3EC-4397-9FA9-151792F3408F}	BDMPEG1SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}\FriendlyName = "Bandicam MPEG-1 Video Decoder"	BDMPEG1SETUP.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}\FilterData = 02000000010080ff02000000000000003070693300000000000000000200000000000000000000003074793300000000700000008000000031747933000000007000000090000000317069330800000000000000010000000000000000000000307479330000000070000000a00000007669647300001000800000aa00389b714d50454700001000800000aa00389b714d50473100001000800000aa00389b7100000000000000000000000000000000	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
4524	msedge.exe
4524	msedge.exe
2652	msedge.exe
2652	msedge.exe
1052	bdcam.exe
1052	bdcam.exe
1052	bdcam.exe
1052	bdcam.exe
892	bdcam64.bin
892	bdcam64.bin
2868	identity_helper.exe
2868	identity_helper.exe
3628	bdcam.exe
3628	bdcam.exe
3628	bdcam.exe
3628	bdcam.exe
4944	bdcam64.bin
4944	bdcam64.bin

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe

Suspicious use of FindShellTrayWindow 27 IoCs

pid	Process
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
1052	bdcam.exe
3628	bdcam.exe

Suspicious use of SendNotifyMessage 26 IoCs

pid	Process
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
1052	bdcam.exe
3628	bdcam.exe

Suspicious use of SetWindowsHookEx 43 IoCs

pid	Process
3508	bdcam.exe
1052	bdcam.exe
1052	bdcam.exe
892	bdcam64.bin
892	bdcam64.bin
892	bdcam64.bin
892	bdcam64.bin
892	bdcam64.bin
1052	bdcam.exe
1052	bdcam.exe
892	bdcam64.bin
892	bdcam64.bin
892	bdcam64.bin
892	bdcam64.bin
1052	bdcam.exe
1052	bdcam.exe
1052	bdcam.exe
1052	bdcam.exe
1052	bdcam.exe
1052	bdcam.exe
1052	bdcam.exe
3628	bdcam.exe
3628	bdcam.exe
3628	bdcam.exe
4944	bdcam64.bin
4944	bdcam64.bin
4944	bdcam64.bin
3628	bdcam.exe
3628	bdcam.exe
4944	bdcam64.bin
4944	bdcam64.bin
4944	bdcam64.bin
4944	bdcam64.bin
4944	bdcam64.bin
4944	bdcam64.bin
4944	bdcam64.bin
3628	bdcam.exe
3628	bdcam.exe
3628	bdcam.exe
3628	bdcam.exe
3628	bdcam.exe
3628	bdcam.exe
3628	bdcam.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4052 wrote to memory of 3188	4052	BDCAMSETUP_ENG_4_1_2_1385.exe	88
PID 4052 wrote to memory of 3188	4052	BDCAMSETUP_ENG_4_1_2_1385.exe	88
PID 4052 wrote to memory of 3188	4052	BDCAMSETUP_ENG_4_1_2_1385.exe	88
PID 3188 wrote to memory of 5068	3188	BDMPEG1SETUP.EXE	89
PID 3188 wrote to memory of 5068	3188	BDMPEG1SETUP.EXE	89
PID 3188 wrote to memory of 5068	3188	BDMPEG1SETUP.EXE	89
PID 5068 wrote to memory of 1980	5068	regsvr32.exe	90
PID 5068 wrote to memory of 1980	5068	regsvr32.exe	90
PID 4052 wrote to memory of 3508	4052	BDCAMSETUP_ENG_4_1_2_1385.exe	91
PID 4052 wrote to memory of 3508	4052	BDCAMSETUP_ENG_4_1_2_1385.exe	91
PID 4052 wrote to memory of 3508	4052	BDCAMSETUP_ENG_4_1_2_1385.exe	91
PID 3508 wrote to memory of 1216	3508	bdcam.exe	94
PID 3508 wrote to memory of 1216	3508	bdcam.exe	94
PID 3508 wrote to memory of 3916	3508	bdcam.exe	95
PID 3508 wrote to memory of 3916	3508	bdcam.exe	95
PID 3508 wrote to memory of 3916	3508	bdcam.exe	95
PID 4052 wrote to memory of 1052	4052	BDCAMSETUP_ENG_4_1_2_1385.exe	99
PID 4052 wrote to memory of 1052	4052	BDCAMSETUP_ENG_4_1_2_1385.exe	99
PID 4052 wrote to memory of 1052	4052	BDCAMSETUP_ENG_4_1_2_1385.exe	99
PID 4052 wrote to memory of 2652	4052	BDCAMSETUP_ENG_4_1_2_1385.exe	100
PID 4052 wrote to memory of 2652	4052	BDCAMSETUP_ENG_4_1_2_1385.exe	100
PID 2652 wrote to memory of 3128	2652	msedge.exe	101
PID 2652 wrote to memory of 3128	2652	msedge.exe	101
PID 2652 wrote to memory of 2092	2652	msedge.exe	102
PID 2652 wrote to memory of 2092	2652	msedge.exe	102
PID 2652 wrote to memory of 2092	2652	msedge.exe	102
PID 2652 wrote to memory of 2092	2652	msedge.exe	102
PID 2652 wrote to memory of 2092	2652	msedge.exe	102
PID 2652 wrote to memory of 2092	2652	msedge.exe	102
PID 2652 wrote to memory of 2092	2652	msedge.exe	102
PID 2652 wrote to memory of 2092	2652	msedge.exe	102
PID 2652 wrote to memory of 2092	2652	msedge.exe	102
PID 2652 wrote to memory of 2092	2652	msedge.exe	102
PID 2652 wrote to memory of 2092	2652	msedge.exe	102
PID 2652 wrote to memory of 2092	2652	msedge.exe	102
PID 2652 wrote to memory of 2092	2652	msedge.exe	102
PID 2652 wrote to memory of 2092	2652	msedge.exe	102
PID 2652 wrote to memory of 2092	2652	msedge.exe	102
PID 2652 wrote to memory of 2092	2652	msedge.exe	102
PID 2652 wrote to memory of 2092	2652	msedge.exe	102
PID 2652 wrote to memory of 2092	2652	msedge.exe	102
PID 2652 wrote to memory of 2092	2652	msedge.exe	102
PID 2652 wrote to memory of 2092	2652	msedge.exe	102
PID 2652 wrote to memory of 2092	2652	msedge.exe	102
PID 2652 wrote to memory of 2092	2652	msedge.exe	102
PID 2652 wrote to memory of 2092	2652	msedge.exe	102
PID 2652 wrote to memory of 2092	2652	msedge.exe	102
PID 2652 wrote to memory of 2092	2652	msedge.exe	102
PID 2652 wrote to memory of 2092	2652	msedge.exe	102
PID 2652 wrote to memory of 2092	2652	msedge.exe	102
PID 2652 wrote to memory of 2092	2652	msedge.exe	102
PID 2652 wrote to memory of 2092	2652	msedge.exe	102
PID 2652 wrote to memory of 2092	2652	msedge.exe	102
PID 2652 wrote to memory of 2092	2652	msedge.exe	102
PID 2652 wrote to memory of 2092	2652	msedge.exe	102
PID 2652 wrote to memory of 2092	2652	msedge.exe	102
PID 2652 wrote to memory of 2092	2652	msedge.exe	102
PID 2652 wrote to memory of 2092	2652	msedge.exe	102
PID 2652 wrote to memory of 2092	2652	msedge.exe	102
PID 2652 wrote to memory of 2092	2652	msedge.exe	102
PID 2652 wrote to memory of 2092	2652	msedge.exe	102
PID 2652 wrote to memory of 2092	2652	msedge.exe	102
PID 2652 wrote to memory of 2092	2652	msedge.exe	102
PID 2652 wrote to memory of 4524	2652	msedge.exe	103

C:\Users\Admin\AppData\Local\Temp\BDCAMSETUP_ENG_4_1_2_1385.exe
"C:\Users\Admin\AppData\Local\Temp\BDCAMSETUP_ENG_4_1_2_1385.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:4052
- C:\Users\Admin\AppData\Local\Temp\BDMPEG1SETUP.EXE
  C:\Users\Admin\AppData\Local\Temp\BDMPEG1SETUP.EXE /S
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3188
- - C:\Windows\SysWOW64\regsvr32.exe
    "regsvr32" /s "C:\Program Files (x86)\BandiMPEG1\bdfilters64.dll"
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:5068
  - - C:\Windows\system32\regsvr32.exe
      /s "C:\Program Files (x86)\BandiMPEG1\bdfilters64.dll"
      4⤵
      Loads dropped DLL
      Modifies registry class
      PID:1980
- C:\Program Files (x86)\Bandicam\bdcam.exe
  "C:\Program Files (x86)\Bandicam\bdcam.exe" /install
  2⤵
  - Checks computer location settings
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3508
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" "C:\Program Files (x86)\Bandicam\bdcamvk64.dll",RegDll
    3⤵
    - Loads dropped DLL
    PID:1216
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\SysWOW64\rundll32.exe" "C:\Program Files (x86)\Bandicam\bdcamvk32.dll",RegDll
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:3916
- C:\Program Files (x86)\Bandicam\bdcam.exe
  "C:\Program Files (x86)\Bandicam\bdcam.exe"
  2⤵
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:1052
- - C:\Program Files (x86)\Bandicam\bdcam64.bin
    "C:\Program Files (x86)\Bandicam\bdcam64.bin" 1052
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:892
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1052 -s 2656
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:3344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.bandicam.com/f.php?id=eng_app_complete_install&v=2
  2⤵
  - Loads dropped DLL
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2652
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe035946f8,0x7ffe03594708,0x7ffe03594718
    3⤵
    PID:3128
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,2730090632569040086,18142174952222246920,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:2
    3⤵
    PID:2092
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,2730090632569040086,18142174952222246920,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4524
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2108,2730090632569040086,18142174952222246920,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2880 /prefetch:8
    3⤵
    PID:232
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,2730090632569040086,18142174952222246920,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
    3⤵
    PID:2684
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,2730090632569040086,18142174952222246920,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
    3⤵
    PID:2640
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,2730090632569040086,18142174952222246920,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5040 /prefetch:1
    3⤵
    PID:4088
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,2730090632569040086,18142174952222246920,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4632 /prefetch:1
    3⤵
    PID:3944
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,2730090632569040086,18142174952222246920,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5472 /prefetch:8
    3⤵
    PID:3220
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,2730090632569040086,18142174952222246920,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5472 /prefetch:8
    3⤵
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    PID:2868
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,2730090632569040086,18142174952222246920,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5532 /prefetch:1
    3⤵
    PID:3212
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,2730090632569040086,18142174952222246920,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5548 /prefetch:1
    3⤵
    PID:2324
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,2730090632569040086,18142174952222246920,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5956 /prefetch:1
    3⤵
    PID:1332
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,2730090632569040086,18142174952222246920,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5204 /prefetch:1
    3⤵
    PID:1612

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4268

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1052 -ip 1052
1⤵
PID:452

C:\Program Files (x86)\Bandicam\bdcam.exe
"C:\Program Files (x86)\Bandicam\bdcam.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3628
- C:\Program Files (x86)\Bandicam\bdcam64.bin
  "C:\Program Files (x86)\Bandicam\bdcam64.bin" 3628
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:4944
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3628 -s 2516
  2⤵
  - Loads dropped DLL
  - Program crash
  PID:3368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3628 -ip 3628
1⤵
PID:1228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\BandiMPEG1\bdfilters.dll

Filesize
4.1MB

MD5
ed730387fdcd684b756601b863c47417

SHA1
c49ed6d0d46facf4ceaeb21f5d6bfdf9e3587fde

SHA256
9cbc29696ad2d582e251bf9c4be5cce618753fa43551d2474e1ae5cc5e1245e5

SHA512
e32df727799d33922c6e92f94a7bdb0bc2772d6a6636d15e285d94d3ae4661062e5bc89ec3546b76ec853398f88d972f461327ef687f89093acf1096560d5c3f

Download Submit
C:\Program Files (x86)\BandiMPEG1\bdfilters64.dll

Filesize
4.6MB

MD5
13f7a29baa1e04f74151737cb71bd0e5

SHA1
0bc8682c6c96923a729aa6239aa53d95221b13ab

SHA256
008fababd36e8fbfd5f610a2c62d47963e78ec91e54ad69a1e20807445c3528d

SHA512
4cea11e88e8861c4094b227d85295c0d67452af703b0ec9dfe475797b87d03b40bc1f6b58dcc00996672c1c05d99b82dcc067bc429a1465ae90f4ec966f2bca8

Download Submit
C:\Program Files (x86)\Bandicam\amf-component-vce-windesktop32.dll

Filesize
198KB

MD5
6ef74574e1b3b95d4a76a7496531180b

SHA1
00bbdf84eef8e5c3763801cba3bc9e75677ed2b5

SHA256
ca1e172624ac5ec0255c98acbe10d3b046c55d34df1f346189ada3701f32cb28

SHA512
d2feae0282480e7dcd016009171c5ff0feef61302be32f04fe0a12b8cae242f4cbf7893f8942ccf82d5767c21ce0a1185b89ff341ca2d833cb12d4902957fe83

Download Submit
C:\Program Files (x86)\Bandicam\amf-core-windesktop32.dll

Filesize
610KB

MD5
3042c4a93c54c99e77278dcd73a10814

SHA1
ebea3f630a2ff94699a6c6ac420f7076519a9a18

SHA256
72da60e16b8530cebe0db160409ccecfc0adbc8778ffa13e08ec48eb028c457a

SHA512
6f8accf66ccf56c396ef4028bdde10ca7c2a2bc0a3e77250c22a06f27aecaaef23238c3ffcaa212b99d05b5da10b2ed6fdaa97d81b756121e0836c49812ec18e

Download Submit
C:\Program Files (x86)\Bandicam\bandicam.ini

Filesize
25B

MD5
6eec14bac1ea1289156f202fa3239df0

SHA1
1785063fb758b84b0d7f393d45283afaba04e2f3

SHA256
6488b7fe5bee8f80efd4b92154a4c27b109d57e0624fa286695d7fc05fdcdedd

SHA512
30ee0d463cfc79326681fa3ae78ea155f79edf1117d3f5e40e079cbff2fc459bbe7efe246573a7947dc0e6de05db65209240ea5d31f991cdbf446454cd737c46

Download Submit
C:\Program Files (x86)\Bandicam\bdcam.dll

Filesize
865KB

MD5
82fdf4dc9379cd57397d219db198e452

SHA1
ad97eb3b40d79f896a9a5938123dac5caa810d91

SHA256
c2e252da1d1bec27259d40cf7f4feff04e9c9646208f2255fd00a9f434c3c089

SHA512
977803334bbc9a1e9ea96a44cc804a8af0dfb70c86716a7288c833a2e615ae640d18a8005b0c6563a99cfaee7ff3af9cdcd41a4f4098174cd54b0a55df1e7688

Download Submit
C:\Program Files (x86)\Bandicam\bdcam.exe

Filesize
3.3MB

MD5
ea4dc53939edb03e0e0178fa01312dc7

SHA1
eaa6dd933ebd48254aaa16087b88191b8bcb2319

SHA256
ef13c9316861cb8f03ce4b3c65a22eb97128a2da42400f86ade6dc90ef36de3a

SHA512
8ebfc2f23d96336756c89fcc612c223e35a534fdf362a932ef1c08816d5668932137c15fddee4961c73c7895beeafe682aafa95466574e6a14632dd8b2a58987

Download Submit
C:\Program Files (x86)\Bandicam\bdcam64.bin

Filesize
2.9MB

MD5
59ce17c72b23238b6c7a8bdc93dc3fce

SHA1
54fb55b07f2fb1b1acae2befcac2c8d8b17e73ad

SHA256
a213faac438ddbf330c3f81d6fb7ad5af81578011045fb60b7f66773f51092fb

SHA512
9ec761ecf2617483bf258c47dca046ca2a1cbb1e92f1ac11038136fea1dcb77bc93b68a82b2a5957e97ab8a979e95dfd3483f3c246ba517016605f6daaf48cd9

Download Submit
C:\Program Files (x86)\Bandicam\bdcam64.dll

Filesize
1.0MB

MD5
99b6a1cc8d325a60c545e59c8bdee580

SHA1
e1587949ab54573ff1edfe7ff56b4f3237f55bed

SHA256
88b087f69c972ea7e64f8dd406852aa4b8f7badf09c3f5c55988e7f62cc5020a

SHA512
751eb9bc936b34f3c5e918d98c01b34830fbec1f7f5c702d5ca2c38d4de0f49ce90486512d2b600b932af0086700460426610f1641cabfaa0c904757b726849d

Download Submit
C:\Program Files (x86)\Bandicam\bdcamvk32.dll

Filesize
123KB

MD5
68f13d7e357a25bc18843a950bb8fb0b

SHA1
405910b130871ad2fecf35bf0afa6c9f43db84b9

SHA256
4111741fea81ed8b1ec29187a4e04afa0e5f19db438d1b67e360a074facbee8d

SHA512
da8f8f861e8c0f91048922e274dc6f7d1425ee3fa850b380360c8e67ce58fabc7145ea3620765051888491f07c44b63180ecdc6cfbc607bd68fba0ebd0d8ca39

Download Submit
C:\Program Files (x86)\Bandicam\bdcamvk64.dll

Filesize
147KB

MD5
38888a6fad9af55a90ebed93644ae843

SHA1
a0bb3971afbab9382df7eb98fcf3904333952e5f

SHA256
98e355aa821547d1d690031aa4b839c16cc8ad02a9a855a92ee3e5a628a5d56f

SHA512
d522e3059dcd460e2dfa80f06a947f140b8bcec43014e12f48cc79f8cb9689e3918752182b18a6edfeef65c9f7b353ef1f157a0f81d593c24706d78d4d6b3540

Download Submit
C:\Program Files (x86)\Bandicam\bdcap32.dll

Filesize
11.7MB

MD5
96c68a89a3141293884294d2a8940231

SHA1
3b40d1ae530659dcf211cef5b7e5c7078d5630e2

SHA256
58db20c5c6b81b55bdea5fa9761b16007ace964b69fe26e69dbbbbfc88989fd7

SHA512
1de178b9a27affb73c8483cab5bc7ab05a94f09b811722d9d62479f938a0c2704584a3df7e71fca510a172c10ce52bd049585da394d241e57ac0da961bbbd9a8

Download Submit
C:\Program Files (x86)\Bandicam\bdcap64.dll

Filesize
14.0MB

MD5
5776d02703df7878442b12d08af01a87

SHA1
40ad6ce94f05193e70f5189640e7816a7e65f6db

SHA256
4e4929e1f5399594654e407091b14f94faeb9d446c75df4890b4f2ef7a86f6a3

SHA512
6cd21cacaf9735cfe6efc22f8666aa978b3e367b2eee7b1da8f894d0f32679cba85ad6acb1619b9284b05b6edf741178b99a5e82dacaf7966ac5be47a0a37f2e

Download Submit
C:\Program Files (x86)\Bandicam\data\language.dat

Filesize
64KB

MD5
cec94d3ed63681111c2d2a8e9d0c487c

SHA1
c98cb7a51c3ed6d51c47a6f98882b6f97aef71b3

SHA256
4e11c23a803fe1e5e3d623f2a7f5d6aedc3a19b19912c94f741ba851fbe6c6be

SHA512
a6225408974f9cb12e2049bf36e98e5a0523e315f8a212a84d138a922b131b40eae4b2e29a3cc1a336b21c2468ec702ddae24623f608eb71e28d350cac95c0ce

Download Submit
C:\Program Files (x86)\Bandicam\data\skin.dat

Filesize
536KB

MD5
2660d51ce7bdbed95456dee0f6b8135f

SHA1
ef88c0e6fc986867e5f280aca704ee1932d04278

SHA256
dec938673f210fd04db8ef41f1bc93f2d475c7f3f2c5ed3e3e952bc5e60acf2f

SHA512
3940a7bb1d298c5943493bdb5e26c6ddb695a8ae26ea714fd29611056ef6c0141b7a09ab6b48290b7ec267b509fe9087641a734213b94c15a83e0faae0b55e3a

Download Submit
C:\Program Files (x86)\Bandicam\lang\English.ini

Filesize
88KB

MD5
68dbe5adddc8e5984692de8321fb52bd

SHA1
dd8dbf495e30dbb53b916d6470932ac95d5d54d0

SHA256
de38587db603a9ef6aa470934815a7a9eeae0838087b062732aa0da250c51693

SHA512
97b3a28af1f2ea40e80e5ec5934e8058c683ccac4815a4bf1663ab099abc4ee1d1c18790626af3e045ac9b3fd2a06ef5572a5dcad9a26d6767de978e3d584fd9

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\e9cd951dd8114293\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

Filesize
64KB

MD5
86984758dc5afeac7e103265abd9cd26

SHA1
13e33067d212dd1fcc97e93a25709b71428af4e3

SHA256
b43fb328c705c67157c08b250049bf28f88949fc5659aa765be419f211e87d4d

SHA512
dfcb04efc16e2723293c8c954835e27cac397bd262a7ec37d33f02d6e5c9f5a7079e039471701fe6571e40955c32d87f58cdad0b661a572587e12e6ae7a04792

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\e9cd951dd8114293\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
443a627d539ca4eab732bad0cbe7332b

SHA1
86b18b906a1acd2a22f4b2c78ac3564c394a9569

SHA256
1e1ad9dce141f5f17ea07c7e9c2a65e707c9943f172b9134b0daf9eef25f0dc9

SHA512
923b86d75a565c91250110162ce13dd3ef3f6bdde1a83f7af235ed302d4a96b8c9ed722e2152781e699dfcb26bb98afc73f5adb298f8fd673f14c9f28b5f764d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
99afa4934d1e3c56bbce114b356e8a99

SHA1
3f0e7a1a28d9d9c06b6663df5d83a65c84d52581

SHA256
08e098bb97fd91d815469cdfd5568607a3feca61f18b6b5b9c11b531fde206c8

SHA512
76686f30ed68144cf943b80ac10b52c74eee84f197cee3c24ef7845ef44bdb5586b6e530824543deeed59417205ac0e2559808bcb46450504106ac8f4c95b9da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
384B

MD5
6332d65b7f73f18112f5f179b3b60572

SHA1
a95b1d08c96d6ab2de9ff1af8af92f4dcfa4636a

SHA256
a3c4ad0d34f6be64dd7c49dd5384d854fb2344f8feb7e64edc8345949d642234

SHA512
13d52b28834ba22462c1ce4b457ba720d12d5c7fcc32168ec63b02ebe925bc1dbb9e13b6bb642c0092965f4e5125ab2f8fbea0be1de6cab6cfe7c821f1f93039

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
ee7d8634f93a67c8370851bec257136a

SHA1
18186bd2b7681de4ff28c8b9a22753bb62b8e960

SHA256
18ff0f5273016582ca0f2b1ee410db639fa41cdd7a29afa30e4c6e161ae019ff

SHA512
142abcc57b209b84c3bbb912333a3ef8cb7cbbac331d7435ccade7dd783043e935d4807c08fef697e9480edc494dce63c3bf67d4b6d82010e08d411593c14f3c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
76b7d033893f8ad16c13cfcd74e4d348

SHA1
e51c59ffe3633a250372c07e1769e1523c946f14

SHA256
ea1016eed0f450f40d6a6bd5d331742e2929798c9512c9014d0bccf8a6074524

SHA512
00912361527be6c854b89eb8cd0f268b7ebe55107662851106ba65309c491241123f796c721d2aacfcae3254d141520c943984af45c3c976e1963e670a8830f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
b96dc063f8f1576c215691e659fe74bc

SHA1
ad12d7602b502966b31cce75cff98545c6fa933a

SHA256
ef476abb76755decc11cd78e226bc14543e9aa43194d5f9292e6fe381eaaf99e

SHA512
d0d1ba2c9fcc8550f05df7b39690d8272e0cd88c8ad7b6fe509f10110e32fa8a997f8c0de7ac4a95875d642171c6ed1f6b5944f20a81121125535216dbce97f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
0168fafd03d4516309d37e8877f017dc

SHA1
fc1637b671dea0fdea65fe4864cf206485c78403

SHA256
cad0641617230d4c39d7c056093fe7950acec4ec8464b528ea18067a294e053e

SHA512
be57da4672c33e5abc97503833411af36e68ddcc17909a877dd70be9a0c18005d9728f2ca006675f35127c9d5b69e22da74794332ae073b56b07bdff3c75c875

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
7a188ad1abbcdbf1c5402007e4eb6659

SHA1
bb2370abee3ecfba81f5444252fb3cb8d62ad8b7

SHA256
d342402a496ee1a79fbc58b43f576958b85aa68012cb425a5caa583c91e26c03

SHA512
7332d218f9a9e5b4fa59755ccb4bf34f30a1fe0709aa9ede20b52229aa5cb787ff2fa0a5f02d9e10e081f1871875f0a778bac3900ab9d66d8aad67b7d00b8e2a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
9d80c81960c503af24e994a89b8afb39

SHA1
c93af2613abb766e3e62fc1d07047b481f8e1ac3

SHA256
dbfee9b5f05cbbfe768629752e7ebdab078a7e582ecde7eb7c08bc851ea230d6

SHA512
167eeeb3ca6ce0b1105e8ef18637205cdd0e5594e18f10c5ba8495a689b9904583228e4d2637cef32d94efa90fc001faa44ece37afc7f3e756fac24e0b3021ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\BDMPEG1SETUP.EXE

Filesize
1.4MB

MD5
461d135a4fccd51bbae38f742e123fd3

SHA1
c12a442fbcd4a9c44102f0a560ba03d59bc501ed

SHA256
4c441e7d744a2a273f780103bcf5bcb1e32c2d9c6a32b62f9044b32107544079

SHA512
41eb816bf0cc0ca12b5c6c07517cd718b8701255ea81e94ffc937f2538b8cdf5db24751cdbc22fefd6496b767fc0d631fea76216b0363f4b625557097b3caaee

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsf627.tmp\System.dll

Filesize
11KB

MD5
959ea64598b9a3e494c00e8fa793be7e

SHA1
40f284a3b92c2f04b1038def79579d4b3d066ee0

SHA256
03cd57ab00236c753e7ddeee8ee1c10839ace7c426769982365531042e1f6f8b

SHA512
5e765e090f712beffce40c5264674f430b08719940d66e3a4d4a516fd4ade859f7853f614d9d6bbb602780de54e11110d66dbb0f9ca20ef6096ede531f9f6d64

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsgA3A3.tmp\Dialer.dll

Filesize
3KB

MD5
6e7e197ffa13cea15434b221b96b3202

SHA1
5fc93dca4a33d79d8601e888daa21a1d0e02eab3

SHA256
cb94aead070194af4d3b01f80ef85f227a70b5cfcfa305d26c3b42b8853ac6b4

SHA512
4d294929ba55e145027107aeef135d918f2d6ec4a7e3b9fc8fc028924019d1987c12202cf37e9adf18a70a02fb321de7f060c4977de874687fc8a4d924cfb19e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsgA3A3.tmp\InstallOptions.dll

Filesize
15KB

MD5
720304c57dcfa17751ed455b3bb9c10a

SHA1
59a1c3a746de10b8875229ff29006f1fd36b1e41

SHA256
6486029d3939231bd9f10457fd9a5ab2e44f30315af443197a3347df4e18c4e9

SHA512
c64c161290f5c21d642ecf16cc6ad3ee4a31bf5bab41c65c74907a5c158eaca429ef99cd8d2b55dc2ecb8478bb0b85c1576402389a07568f36c871b2772ead04

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsgA3A3.tmp\LangDLL.dll

Filesize
5KB

MD5
f1e9eed02db3a822a7ddef0c724e5f1f

SHA1
65864992f5b6c79c5efbefb5b1354648a8a86709

SHA256
6dff504c6759c418c6635c9b25b8c91d0d9ef7787a3a93610d7670bb563c09df

SHA512
c22b64fff76b25cf53231b8636f07b361d95791c4646787ce7beac27ad6a0de88337dcceb25b5196f97c452dda72e2614647f51a8a18cb4d5228a82ed2e0780c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsgA3A3.tmp\System.dll

Filesize
11KB

MD5
17ed1c86bd67e78ade4712be48a7d2bd

SHA1
1cc9fe86d6d6030b4dae45ecddce5907991c01a0

SHA256
bd046e6497b304e4ea4ab102cab2b1f94ce09bde0eebba4c59942a732679e4eb

SHA512
0cbed521e7d6d1f85977b3f7d3ca7ac34e1b5495b69fd8c7bfa1a846baf53b0ecd06fe1ad02a3599082ffacaf8c71a3bb4e32dec05f8e24859d736b828092cd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsgA3A3.tmp\UserInfo.dll

Filesize
4KB

MD5
1b446b36f5b4022d50ffdc0cf567b24a

SHA1
d9a0a99fe5ea3932cbd2774af285ddf35fcdd4f9

SHA256
2862c7bc7f11715cebdea003564a0d70bf42b73451e2b672110e1392ec392922

SHA512
04ab80568f6da5eef2bae47056391a5de4ba6aff15cf4a2d0a9cc807816bf565161731921c65fe5ff748d2b86d1661f6aa4311c65992350bd63a9f092019f1b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsgA3A3.tmp\ioSpecial.ini

Filesize
1KB

MD5
2bcc9ebae82f95e0ce21655f6b877aaf

SHA1
6831d38c4cf7476b1c06a643a92add0553c554e9

SHA256
1f696418dcfa3781d8f85a9bf0a4e8aaa82610198df5fc8c697b152353e421f2

SHA512
91720faeaa39fa1f09f5c7b0c891f804a7d97963c4359913c8b4e2b487be2066c9df90615db08bd7dbbbaebb882a1a7aa108146688ffb98624a028238c292edf

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsgA3A3.tmp\ioSpecial.ini

Filesize
1KB

MD5
15dc3d0e385889e7ed85f6c7e89071db

SHA1
9987c96210aedce447427cf71c0e64ac64a04198

SHA256
f3618a72d9d3580024314b714750a507189f01a2b0154ea548730ad0f949718e

SHA512
7f700d45f87fee148b43ab88a18b188bf196fc605c02ca983e167527a66e42ff6d2ee6c3376cd8d943c3af3bbc7e75ef0897e8fa310af8a51376c5774f799e0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsgA3A3.tmp\ioSpecial.ini

Filesize
1KB

MD5
ef002f8a2aef5bdd4ef1d5e15e481b7b

SHA1
3ecb7325a65c09397e843a594b144888b21222ad

SHA256
61a6a4ed24160227e2298b2d484bdc4cc647f6f8397e2baf48e0bb1608ed52be

SHA512
2729c74060f63accb2402018456f9a23ae46862df31359617a8a521e3a19368e189b10e56da8fb27dcd74118eac9661236e68be9a7744d2be4a97bebd92bdd6e

Download Submit
memory/892-519-0x0000027555240000-0x0000027555241000-memory.dmp

Filesize
4KB

Download
memory/892-516-0x0000027555240000-0x0000027555241000-memory.dmp

Filesize
4KB

Download
memory/892-517-0x0000027555240000-0x0000027555241000-memory.dmp

Filesize
4KB

Download
memory/892-518-0x0000027555240000-0x0000027555241000-memory.dmp

Filesize
4KB

Download
memory/892-512-0x0000027555240000-0x0000027555241000-memory.dmp

Filesize
4KB

Download
memory/892-520-0x0000027555240000-0x0000027555241000-memory.dmp

Filesize
4KB

Download
memory/892-511-0x0000027555240000-0x0000027555241000-memory.dmp

Filesize
4KB

Download
memory/892-510-0x0000027555240000-0x0000027555241000-memory.dmp

Filesize
4KB

Download
memory/892-521-0x0000027555240000-0x0000027555241000-memory.dmp

Filesize
4KB

Download
memory/892-522-0x0000027555240000-0x0000027555241000-memory.dmp

Filesize
4KB

Download
memory/1052-526-0x00000000049A0000-0x00000000049A1000-memory.dmp

Filesize
4KB

Download
memory/1052-533-0x00000000049A0000-0x00000000049A1000-memory.dmp

Filesize
4KB

Download
memory/1052-536-0x00000000049A0000-0x00000000049A1000-memory.dmp

Filesize
4KB

Download
memory/1052-537-0x00000000049A0000-0x00000000049A1000-memory.dmp

Filesize
4KB

Download
memory/1052-534-0x00000000049A0000-0x00000000049A1000-memory.dmp

Filesize
4KB

Download
memory/1052-570-0x00000000007F0000-0x00000000010BC000-memory.dmp

Filesize
8.8MB

Download
memory/1052-535-0x00000000049A0000-0x00000000049A1000-memory.dmp

Filesize
4KB

Download
memory/1052-419-0x00000000007F0000-0x00000000010BC000-memory.dmp

Filesize
8.8MB

Download
memory/1052-527-0x00000000049A0000-0x00000000049A1000-memory.dmp

Filesize
4KB

Download
memory/1052-528-0x00000000049A0000-0x00000000049A1000-memory.dmp

Filesize
4KB

Download
memory/1052-532-0x00000000049A0000-0x00000000049A1000-memory.dmp

Filesize
4KB

Download
memory/3508-225-0x00000000007F0000-0x00000000010BC000-memory.dmp

Filesize
8.8MB

Download
memory/3508-221-0x00000000007F0000-0x00000000010BC000-memory.dmp

Filesize
8.8MB

Download
memory/3508-235-0x00000000007F0000-0x00000000010BC000-memory.dmp

Filesize
8.8MB

Download
memory/3628-672-0x0000000004380000-0x0000000004381000-memory.dmp

Filesize
4KB

Download
memory/3628-675-0x0000000004380000-0x0000000004381000-memory.dmp

Filesize
4KB

Download
memory/3628-646-0x00000000007F0000-0x00000000010BC000-memory.dmp

Filesize
8.8MB

Download
memory/3628-679-0x00000000007F0000-0x00000000010BC000-memory.dmp

Filesize
8.8MB

Download
memory/3628-673-0x0000000004380000-0x0000000004381000-memory.dmp

Filesize
4KB

Download
memory/3628-671-0x0000000004380000-0x0000000004381000-memory.dmp

Filesize
4KB

Download
memory/3628-674-0x0000000004380000-0x0000000004381000-memory.dmp

Filesize
4KB

Download
memory/3628-676-0x0000000004380000-0x0000000004381000-memory.dmp

Filesize
4KB

Download
memory/3628-669-0x0000000004380000-0x0000000004381000-memory.dmp

Filesize
4KB

Download
memory/3628-668-0x0000000004380000-0x0000000004381000-memory.dmp

Filesize
4KB

Download
memory/3628-667-0x0000000004380000-0x0000000004381000-memory.dmp

Filesize
4KB

Download
memory/4944-656-0x000002A2FEE60000-0x000002A2FEE61000-memory.dmp

Filesize
4KB

Download
memory/4944-661-0x000002A2FEE60000-0x000002A2FEE61000-memory.dmp

Filesize
4KB

Download
memory/4944-654-0x000002A2FEE60000-0x000002A2FEE61000-memory.dmp

Filesize
4KB

Download
memory/4944-662-0x000002A2FEE60000-0x000002A2FEE61000-memory.dmp

Filesize
4KB

Download
memory/4944-663-0x000002A2FEE60000-0x000002A2FEE61000-memory.dmp

Filesize
4KB

Download
memory/4944-664-0x000002A2FEE60000-0x000002A2FEE61000-memory.dmp

Filesize
4KB

Download
memory/4944-665-0x000002A2FEE60000-0x000002A2FEE61000-memory.dmp

Filesize
4KB

Download
memory/4944-655-0x000002A2FEE60000-0x000002A2FEE61000-memory.dmp

Filesize
4KB

Download
memory/4944-660-0x000002A2FEE60000-0x000002A2FEE61000-memory.dmp

Filesize
4KB

Download