b7a72c3f23c3e265caa74c60acbef350b268745c1e451a27e915011c720155f8

Resubmissions

13-10-2024 11:52

241013-n15qrsvdrc 5

13-10-2024 11:50

241013-nzlaqszcqk 5

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
13-10-2024 11:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

BDCAMSETUP_ENG_4_1_2_1385.exe
Size

17.1MB
MD5

f16613c3a3b77319538c9d5aaa2901b8
SHA1

64c2e645d00f5cabee070dec31527e021ba2edc3
SHA256

b7a72c3f23c3e265caa74c60acbef350b268745c1e451a27e915011c720155f8
SHA512

34593fcb6738acbd3fb455c03a018648d2650c7c589de000d3fdfa6bc4b29364eeffd962f106870e5868af8dd941a858ee6b8e27d9759e79bccaa222a1fffaa1
SSDEEP

393216:xHtmmkxvpntFfcAeBhgUDnuUS+qjkS5LsTQAqy0hPusNfznm4h4:jmmkxx0D7uU+hAqy0jNr/h4

Score

5^/10

discovery persistence privilege_escalation

Malware Config

Signatures

Drops file in System32 directory 10 IoCs

description	ioc	Process
File created	C:\Windows\system32\bdmpegv64.dll	BDMPEG1SETUP.EXE
File created	C:\Windows\system32\bdmpega64.acm	BDMPEG1SETUP.EXE
File created	C:\Windows\SysWOW64\vcomp140.dll	BDCAMSETUP_ENG_4_1_2_1385.exe
File created	C:\Windows\SysWOW64\D3DCompiler_47.dll	BDCAMSETUP_ENG_4_1_2_1385.exe
File created	C:\Windows\system32\vcomp140.dll	BDCAMSETUP_ENG_4_1_2_1385.exe
File created	C:\Windows\SysWOW64\bdmpegv.dll	BDMPEG1SETUP.EXE
File created	C:\Windows\SysWOW64\bdmpega.acm	BDMPEG1SETUP.EXE
File created	C:\Windows\system32\bdmjpeg64.dll	BDMPEG1SETUP.EXE
File created	C:\Windows\system32\D3DCompiler_47.dll	BDCAMSETUP_ENG_4_1_2_1385.exe
File created	C:\Windows\SysWOW64\bdmjpeg.dll	BDMPEG1SETUP.EXE

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
1224	bdcam.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Bandicam\bdcam.dll	BDCAMSETUP_ENG_4_1_2_1385.exe
File created	C:\Program Files (x86)\Bandicam\lang\Azerbaijani.ini	BDCAMSETUP_ENG_4_1_2_1385.exe
File created	C:\Program Files (x86)\Bandicam\lang\Slovak.ini	BDCAMSETUP_ENG_4_1_2_1385.exe
File created	C:\Program Files (x86)\Bandicam\lang\Greek.ini	BDCAMSETUP_ENG_4_1_2_1385.exe
File created	C:\Program Files (x86)\Bandicam\lang\Kurdish.ini	BDCAMSETUP_ENG_4_1_2_1385.exe
File created	C:\Program Files (x86)\Bandicam\bandicam.ini	BDCAMSETUP_ENG_4_1_2_1385.exe
File created	C:\Program Files (x86)\Bandicam\bdcam64.dll	BDCAMSETUP_ENG_4_1_2_1385.exe
File created	C:\Program Files (x86)\Bandicam\amf-component-vce-windesktop32.dll	BDCAMSETUP_ENG_4_1_2_1385.exe
File created	C:\Program Files (x86)\Bandicam\bdcamvk32.dll	BDCAMSETUP_ENG_4_1_2_1385.exe
File created	C:\Program Files (x86)\Bandicam\lang\Bulgarian.ini	BDCAMSETUP_ENG_4_1_2_1385.exe
File created	C:\Program Files (x86)\Bandicam\lang\Czech.ini	BDCAMSETUP_ENG_4_1_2_1385.exe
File created	C:\Program Files (x86)\Bandicam\lang\Latvian.ini	BDCAMSETUP_ENG_4_1_2_1385.exe
File created	C:\Program Files (x86)\Bandicam\data\effects.dat	BDCAMSETUP_ENG_4_1_2_1385.exe
File created	C:\Program Files (x86)\Bandicam\bdcam_safemode.lnk	BDCAMSETUP_ENG_4_1_2_1385.exe
File created	C:\Program Files (x86)\Bandicam\bdcamvk64.json	BDCAMSETUP_ENG_4_1_2_1385.exe
File created	C:\Program Files (x86)\Bandicam\lang\Portuguese(BR).ini	BDCAMSETUP_ENG_4_1_2_1385.exe
File created	C:\Program Files (x86)\Bandicam\lang\Uzbek.ini	BDCAMSETUP_ENG_4_1_2_1385.exe
File created	C:\Program Files (x86)\BandiMPEG1\bdfilters64.dll	BDMPEG1SETUP.EXE
File created	C:\Program Files (x86)\Bandicam\bdcamih.dll	BDCAMSETUP_ENG_4_1_2_1385.exe
File created	C:\Program Files (x86)\Bandicam\lang\Farsi.ini	BDCAMSETUP_ENG_4_1_2_1385.exe
File created	C:\Program Files (x86)\Bandicam\lang\Portuguese.ini	BDCAMSETUP_ENG_4_1_2_1385.exe
File created	C:\Program Files (x86)\Bandicam\lang\Serbian.ini	BDCAMSETUP_ENG_4_1_2_1385.exe
File created	C:\Program Files (x86)\Bandicam\lang\Simplified_Chinese.ini	BDCAMSETUP_ENG_4_1_2_1385.exe
File created	C:\Program Files (x86)\BandiMPEG1\uninstall.exe	BDMPEG1SETUP.EXE
File created	C:\Program Files (x86)\Bandicam\lang\German.ini	BDCAMSETUP_ENG_4_1_2_1385.exe
File created	C:\Program Files (x86)\Bandicam\lang\Romanian.ini	BDCAMSETUP_ENG_4_1_2_1385.exe
File created	C:\Program Files (x86)\Bandicam\lang\Armenian.ini	BDCAMSETUP_ENG_4_1_2_1385.exe
File created	C:\Program Files (x86)\Bandicam\lang\Russian.ini	BDCAMSETUP_ENG_4_1_2_1385.exe
File created	C:\Program Files (x86)\Bandicam\lang\Traditional_Chinese.ini	BDCAMSETUP_ENG_4_1_2_1385.exe
File created	C:\Program Files (x86)\Bandicam\lang\Ukrainian.ini	BDCAMSETUP_ENG_4_1_2_1385.exe
File created	C:\Program Files (x86)\Bandicam\lang\Lithuanian.ini	BDCAMSETUP_ENG_4_1_2_1385.exe
File created	C:\Program Files (x86)\Bandicam\lang\Malay.ini	BDCAMSETUP_ENG_4_1_2_1385.exe
File created	C:\Program Files (x86)\Bandicam\amf-core-windesktop64.dll	BDCAMSETUP_ENG_4_1_2_1385.exe
File created	C:\Program Files (x86)\Bandicam\RegVulkanLayer.bat	BDCAMSETUP_ENG_4_1_2_1385.exe
File created	C:\Program Files (x86)\Bandicam\translators.txt	BDCAMSETUP_ENG_4_1_2_1385.exe
File created	C:\Program Files (x86)\Bandicam\lang\Belarusian.ini	BDCAMSETUP_ENG_4_1_2_1385.exe
File created	C:\Program Files (x86)\Bandicam\lang\Bosnian.ini	BDCAMSETUP_ENG_4_1_2_1385.exe
File created	C:\Program Files (x86)\Bandicam\lang\Finnish.ini	BDCAMSETUP_ENG_4_1_2_1385.exe
File created	C:\Program Files (x86)\Bandicam\lang\Thai.ini	BDCAMSETUP_ENG_4_1_2_1385.exe
File created	C:\Program Files (x86)\Bandicam\data\camera.wav	BDCAMSETUP_ENG_4_1_2_1385.exe
File created	C:\Program Files (x86)\Bandicam\data\start.wav	BDCAMSETUP_ENG_4_1_2_1385.exe
File created	C:\Program Files (x86)\Bandicam\lang\French.ini	BDCAMSETUP_ENG_4_1_2_1385.exe
File created	C:\Program Files (x86)\Bandicam\lang\Japanese.ini	BDCAMSETUP_ENG_4_1_2_1385.exe
File created	C:\Program Files (x86)\Bandicam\data\lclick.wav	BDCAMSETUP_ENG_4_1_2_1385.exe
File created	C:\Program Files (x86)\Bandicam\data\stop.wav	BDCAMSETUP_ENG_4_1_2_1385.exe
File created	C:\Program Files (x86)\Bandicam\bdcam64.bin	BDCAMSETUP_ENG_4_1_2_1385.exe
File created	C:\Program Files (x86)\Bandicam\bdcap32.dll	BDCAMSETUP_ENG_4_1_2_1385.exe
File created	C:\Program Files (x86)\Bandicam\lang\Hebrew.ini	BDCAMSETUP_ENG_4_1_2_1385.exe
File created	C:\Program Files (x86)\Bandicam\lang\Polish.ini	BDCAMSETUP_ENG_4_1_2_1385.exe
File created	C:\Program Files (x86)\Bandicam\lang\Urdu.ini	BDCAMSETUP_ENG_4_1_2_1385.exe
File created	C:\Program Files (x86)\Bandicam\data\sample.png	BDCAMSETUP_ENG_4_1_2_1385.exe
File created	C:\Program Files (x86)\Bandicam\lang\Swedish.ini	BDCAMSETUP_ENG_4_1_2_1385.exe
File created	C:\Program Files (x86)\Bandicam\lang\Vietnamese.ini	BDCAMSETUP_ENG_4_1_2_1385.exe
File created	C:\Program Files (x86)\Bandicam\bdcam.exe	BDCAMSETUP_ENG_4_1_2_1385.exe
File created	C:\Program Files (x86)\Bandicam\bdfix.exe	BDCAMSETUP_ENG_4_1_2_1385.exe
File created	C:\Program Files (x86)\Bandicam\bdcamvk64.dll	BDCAMSETUP_ENG_4_1_2_1385.exe
File created	C:\Program Files (x86)\Bandicam\lang\Burmese.ini	BDCAMSETUP_ENG_4_1_2_1385.exe
File created	C:\Program Files (x86)\Bandicam\lang\Croatian.ini	BDCAMSETUP_ENG_4_1_2_1385.exe
File created	C:\Program Files (x86)\Bandicam\lang\Slovenian.ini	BDCAMSETUP_ENG_4_1_2_1385.exe
File created	C:\Program Files (x86)\Bandicam\data\language.dat	BDCAMSETUP_ENG_4_1_2_1385.exe
File created	C:\Program Files (x86)\Bandicam\data\skin.dat	BDCAMSETUP_ENG_4_1_2_1385.exe
File created	C:\Program Files (x86)\Bandicam\UnregVulkanLayer.bat	BDCAMSETUP_ENG_4_1_2_1385.exe
File created	C:\Program Files (x86)\Bandicam\lang\Danish.ini	BDCAMSETUP_ENG_4_1_2_1385.exe
File created	C:\Program Files (x86)\Bandicam\lang\Georgian.ini	BDCAMSETUP_ENG_4_1_2_1385.exe

Executes dropped EXE 2 IoCs

pid	Process
3024	BDMPEG1SETUP.EXE
1224	bdcam.exe

Loads dropped DLL 33 IoCs

pid	Process
2292	BDCAMSETUP_ENG_4_1_2_1385.exe
2292	BDCAMSETUP_ENG_4_1_2_1385.exe
2292	BDCAMSETUP_ENG_4_1_2_1385.exe
2292	BDCAMSETUP_ENG_4_1_2_1385.exe
2292	BDCAMSETUP_ENG_4_1_2_1385.exe
2292	BDCAMSETUP_ENG_4_1_2_1385.exe
2292	BDCAMSETUP_ENG_4_1_2_1385.exe
2292	BDCAMSETUP_ENG_4_1_2_1385.exe
3024	BDMPEG1SETUP.EXE
3024	BDMPEG1SETUP.EXE
3024	BDMPEG1SETUP.EXE
3024	BDMPEG1SETUP.EXE
3024	BDMPEG1SETUP.EXE
3024	BDMPEG1SETUP.EXE
1276	regsvr32.exe
2740	regsvr32.exe
3024	BDMPEG1SETUP.EXE
2292	BDCAMSETUP_ENG_4_1_2_1385.exe
2292	BDCAMSETUP_ENG_4_1_2_1385.exe
1224	bdcam.exe
692	rundll32.exe
692	rundll32.exe
692	rundll32.exe
692	rundll32.exe
560	rundll32.exe
560	rundll32.exe
560	rundll32.exe
560	rundll32.exe
2292	BDCAMSETUP_ENG_4_1_2_1385.exe
2292	BDCAMSETUP_ENG_4_1_2_1385.exe
2292	BDCAMSETUP_ENG_4_1_2_1385.exe
2292	BDCAMSETUP_ENG_4_1_2_1385.exe
2292	BDCAMSETUP_ENG_4_1_2_1385.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BDCAMSETUP_ENG_4_1_2_1385.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BDMPEG1SETUP.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bdcam.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION	BDCAMSETUP_ENG_4_1_2_1385.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION\bdcam.exe = "11000"	BDCAMSETUP_ENG_4_1_2_1385.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_SCRIPTURL_MITIGATION	BDCAMSETUP_ENG_4_1_2_1385.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_SCRIPTURL_MITIGATION\bdcam.exe = "1"	BDCAMSETUP_ENG_4_1_2_1385.exe

Modifies registry class 56 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{E2E7539A-CECF-4A6A-B187-939943ECEF05}\FilterData = 02000000010080ff020000000000000030706933000000000000000001000000000000000000000030747933000000006000000070000000317069330800000000000000010000000000000000000000307479330000000060000000800000006175647300001000800000aa00389b715000000000001000800000aa00389b710100000000001000800000aa00389b71	BDMPEG1SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E2E7539A-CECF-4A6A-B187-939943ECEF05}\ = "Bandicam MPEG-1 Audio Decoder"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F4F5C9E9-CFCC-4C65-A8BD-0423A338F188}\ = "Bandicam MPEG-1 Audio Property"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F4F5C9E9-CFCC-4C65-A8BD-0423A338F188}\InprocServer32	regsvr32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{E2E7539A-CECF-4A6A-B187-939943ECEF05}\FilterData = 02000000010080ff020000000000000030706933000000000000000001000000000000000000000030747933000000006000000070000000317069330800000000000000010000000000000000000000307479330000000060000000800000006175647300001000800000aa00389b715000000000001000800000aa00389b710100000000001000800000aa00389b71	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F4F5C9E9-CFCC-4C65-A8BD-0423A338F188}	BDMPEG1SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}\CLSID = "{89C4B786-A490-4A3E-AA70-E6A8C61D3689}"	BDMPEG1SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A1C6833E-A3EC-4397-9FA9-151792F3408F}\InprocServer32\ThreadingModel = "Both"	BDMPEG1SETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E2E7539A-CECF-4A6A-B187-939943ECEF05}	BDMPEG1SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{E2E7539A-CECF-4A6A-B187-939943ECEF05}\FriendlyName = "Bandicam MPEG-1 Audio Decoder"	BDMPEG1SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F4F5C9E9-CFCC-4C65-A8BD-0423A338F188}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}\FriendlyName = "Bandicam MPEG-1 Video Decoder"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}\CLSID = "{89C4B786-A490-4A3E-AA70-E6A8C61D3689}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{E2E7539A-CECF-4A6A-B187-939943ECEF05}\FriendlyName = "Bandicam MPEG-1 Audio Decoder"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}\InprocServer32\ThreadingModel = "Both"	BDMPEG1SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A1C6833E-A3EC-4397-9FA9-151792F3408F}\ = "Bandicam MPEG-1 Video Property"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{E2E7539A-CECF-4A6A-B187-939943ECEF05}	BDMPEG1SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F4F5C9E9-CFCC-4C65-A8BD-0423A338F188}\ = "Bandicam MPEG-1 Audio Property"	BDMPEG1SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}\InprocServer32\ = "C:\\Program Files (x86)\\BandiMPEG1\\bdfilters64.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E2E7539A-CECF-4A6A-B187-939943ECEF05}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}\InprocServer32\ = "C:\\Program Files (x86)\\BandiMPEG1\\bdfilters.dll"	BDMPEG1SETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E2E7539A-CECF-4A6A-B187-939943ECEF05}\InprocServer32	BDMPEG1SETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A1C6833E-A3EC-4397-9FA9-151792F3408F}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}\InprocServer32	BDMPEG1SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A1C6833E-A3EC-4397-9FA9-151792F3408F}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A1C6833E-A3EC-4397-9FA9-151792F3408F}\InprocServer32\ = "C:\\Program Files (x86)\\BandiMPEG1\\bdfilters64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{E2E7539A-CECF-4A6A-B187-939943ECEF05}\CLSID = "{E2E7539A-CECF-4A6A-B187-939943ECEF05}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}	BDMPEG1SETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F4F5C9E9-CFCC-4C65-A8BD-0423A338F188}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}	BDMPEG1SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F4F5C9E9-CFCC-4C65-A8BD-0423A338F188}\InprocServer32\ThreadingModel = "Both"	BDMPEG1SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}\ = "Bandicam MPEG-1 Video Decoder"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E2E7539A-CECF-4A6A-B187-939943ECEF05}\InprocServer32\ = "C:\\Program Files (x86)\\BandiMPEG1\\bdfilters64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F4F5C9E9-CFCC-4C65-A8BD-0423A338F188}\InprocServer32\ = "C:\\Program Files (x86)\\BandiMPEG1\\bdfilters64.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{E2E7539A-CECF-4A6A-B187-939943ECEF05}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E2E7539A-CECF-4A6A-B187-939943ECEF05}\InprocServer32\ThreadingModel = "Both"	BDMPEG1SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E2E7539A-CECF-4A6A-B187-939943ECEF05}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A1C6833E-A3EC-4397-9FA9-151792F3408F}\InprocServer32\ = "C:\\Program Files (x86)\\BandiMPEG1\\bdfilters.dll"	BDMPEG1SETUP.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}\FilterData = 02000000010080ff02000000000000003070693300000000000000000200000000000000000000003074793300000000700000008000000031747933000000007000000090000000317069330800000000000000010000000000000000000000307479330000000070000000a00000007669647300001000800000aa00389b714d50454700001000800000aa00389b714d50473100001000800000aa00389b7100000000000000000000000000000000	BDMPEG1SETUP.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}\FilterData = 02000000010080ff02000000000000003070693300000000000000000200000000000000000000003074793300000000700000008000000031747933000000007000000090000000317069330800000000000000010000000000000000000000307479330000000070000000a00000007669647300001000800000aa00389b714d50454700001000800000aa00389b714d50473100001000800000aa00389b7100000000000000000000000000000000	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E2E7539A-CECF-4A6A-B187-939943ECEF05}\InprocServer32\ = "C:\\Program Files (x86)\\BandiMPEG1\\bdfilters.dll"	BDMPEG1SETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A1C6833E-A3EC-4397-9FA9-151792F3408F}\InprocServer32	BDMPEG1SETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E2E7539A-CECF-4A6A-B187-939943ECEF05}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A1C6833E-A3EC-4397-9FA9-151792F3408F}\ = "Bandicam MPEG-1 Video Property"	BDMPEG1SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E2E7539A-CECF-4A6A-B187-939943ECEF05}\ = "Bandicam MPEG-1 Audio Decoder"	BDMPEG1SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F4F5C9E9-CFCC-4C65-A8BD-0423A338F188}\InprocServer32\ = "C:\\Program Files (x86)\\BandiMPEG1\\bdfilters.dll"	BDMPEG1SETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}\ = "Bandicam MPEG-1 Video Decoder"	BDMPEG1SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{E2E7539A-CECF-4A6A-B187-939943ECEF05}\CLSID = "{E2E7539A-CECF-4A6A-B187-939943ECEF05}"	BDMPEG1SETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F4F5C9E9-CFCC-4C65-A8BD-0423A338F188}\InprocServer32	BDMPEG1SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}\FriendlyName = "Bandicam MPEG-1 Video Decoder"	BDMPEG1SETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A1C6833E-A3EC-4397-9FA9-151792F3408F}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A1C6833E-A3EC-4397-9FA9-151792F3408F}	BDMPEG1SETUP.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2292	BDCAMSETUP_ENG_4_1_2_1385.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeRestorePrivilege	3024	BDMPEG1SETUP.EXE
Token: SeBackupPrivilege	3024	BDMPEG1SETUP.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1224	bdcam.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2292 wrote to memory of 3024	2292	BDCAMSETUP_ENG_4_1_2_1385.exe	31
PID 2292 wrote to memory of 3024	2292	BDCAMSETUP_ENG_4_1_2_1385.exe	31
PID 2292 wrote to memory of 3024	2292	BDCAMSETUP_ENG_4_1_2_1385.exe	31
PID 2292 wrote to memory of 3024	2292	BDCAMSETUP_ENG_4_1_2_1385.exe	31
PID 2292 wrote to memory of 3024	2292	BDCAMSETUP_ENG_4_1_2_1385.exe	31
PID 2292 wrote to memory of 3024	2292	BDCAMSETUP_ENG_4_1_2_1385.exe	31
PID 2292 wrote to memory of 3024	2292	BDCAMSETUP_ENG_4_1_2_1385.exe	31
PID 3024 wrote to memory of 1276	3024	BDMPEG1SETUP.EXE	32
PID 3024 wrote to memory of 1276	3024	BDMPEG1SETUP.EXE	32
PID 3024 wrote to memory of 1276	3024	BDMPEG1SETUP.EXE	32
PID 3024 wrote to memory of 1276	3024	BDMPEG1SETUP.EXE	32
PID 3024 wrote to memory of 1276	3024	BDMPEG1SETUP.EXE	32
PID 3024 wrote to memory of 1276	3024	BDMPEG1SETUP.EXE	32
PID 3024 wrote to memory of 1276	3024	BDMPEG1SETUP.EXE	32
PID 1276 wrote to memory of 2740	1276	regsvr32.exe	33
PID 1276 wrote to memory of 2740	1276	regsvr32.exe	33
PID 1276 wrote to memory of 2740	1276	regsvr32.exe	33
PID 1276 wrote to memory of 2740	1276	regsvr32.exe	33
PID 1276 wrote to memory of 2740	1276	regsvr32.exe	33
PID 1276 wrote to memory of 2740	1276	regsvr32.exe	33
PID 1276 wrote to memory of 2740	1276	regsvr32.exe	33
PID 2292 wrote to memory of 1224	2292	BDCAMSETUP_ENG_4_1_2_1385.exe	34
PID 2292 wrote to memory of 1224	2292	BDCAMSETUP_ENG_4_1_2_1385.exe	34
PID 2292 wrote to memory of 1224	2292	BDCAMSETUP_ENG_4_1_2_1385.exe	34
PID 2292 wrote to memory of 1224	2292	BDCAMSETUP_ENG_4_1_2_1385.exe	34
PID 1224 wrote to memory of 560	1224	bdcam.exe	35
PID 1224 wrote to memory of 560	1224	bdcam.exe	35
PID 1224 wrote to memory of 560	1224	bdcam.exe	35
PID 1224 wrote to memory of 560	1224	bdcam.exe	35
PID 1224 wrote to memory of 692	1224	bdcam.exe	36
PID 1224 wrote to memory of 692	1224	bdcam.exe	36
PID 1224 wrote to memory of 692	1224	bdcam.exe	36
PID 1224 wrote to memory of 692	1224	bdcam.exe	36
PID 1224 wrote to memory of 692	1224	bdcam.exe	36
PID 1224 wrote to memory of 692	1224	bdcam.exe	36
PID 1224 wrote to memory of 692	1224	bdcam.exe	36

C:\Users\Admin\AppData\Local\Temp\BDCAMSETUP_ENG_4_1_2_1385.exe
"C:\Users\Admin\AppData\Local\Temp\BDCAMSETUP_ENG_4_1_2_1385.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2292
- C:\Users\Admin\AppData\Local\Temp\BDMPEG1SETUP.EXE
  C:\Users\Admin\AppData\Local\Temp\BDMPEG1SETUP.EXE /S
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3024
- - C:\Windows\SysWOW64\regsvr32.exe
    "regsvr32" /s "C:\Program Files (x86)\BandiMPEG1\bdfilters64.dll"
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1276
  - - C:\Windows\system32\regsvr32.exe
      /s "C:\Program Files (x86)\BandiMPEG1\bdfilters64.dll"
      4⤵
      Loads dropped DLL
      Modifies registry class
      PID:2740
- C:\Program Files (x86)\Bandicam\bdcam.exe
  "C:\Program Files (x86)\Bandicam\bdcam.exe" /install
  2⤵
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1224
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" "C:\Program Files (x86)\Bandicam\bdcamvk64.dll",RegDll
    3⤵
    - Loads dropped DLL
    PID:560
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\SysWOW64\rundll32.exe" "C:\Program Files (x86)\Bandicam\bdcamvk32.dll",RegDll
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\BandiMPEG1\bdfilters64.dll

Filesize
4.6MB

MD5
13f7a29baa1e04f74151737cb71bd0e5

SHA1
0bc8682c6c96923a729aa6239aa53d95221b13ab

SHA256
008fababd36e8fbfd5f610a2c62d47963e78ec91e54ad69a1e20807445c3528d

SHA512
4cea11e88e8861c4094b227d85295c0d67452af703b0ec9dfe475797b87d03b40bc1f6b58dcc00996672c1c05d99b82dcc067bc429a1465ae90f4ec966f2bca8

Download Submit
C:\Program Files (x86)\Bandicam\bdcam.dll

Filesize
865KB

MD5
82fdf4dc9379cd57397d219db198e452

SHA1
ad97eb3b40d79f896a9a5938123dac5caa810d91

SHA256
c2e252da1d1bec27259d40cf7f4feff04e9c9646208f2255fd00a9f434c3c089

SHA512
977803334bbc9a1e9ea96a44cc804a8af0dfb70c86716a7288c833a2e615ae640d18a8005b0c6563a99cfaee7ff3af9cdcd41a4f4098174cd54b0a55df1e7688

Download Submit
C:\Program Files (x86)\Bandicam\bdcamvk32.dll

Filesize
123KB

MD5
68f13d7e357a25bc18843a950bb8fb0b

SHA1
405910b130871ad2fecf35bf0afa6c9f43db84b9

SHA256
4111741fea81ed8b1ec29187a4e04afa0e5f19db438d1b67e360a074facbee8d

SHA512
da8f8f861e8c0f91048922e274dc6f7d1425ee3fa850b380360c8e67ce58fabc7145ea3620765051888491f07c44b63180ecdc6cfbc607bd68fba0ebd0d8ca39

Download Submit
C:\Program Files (x86)\Bandicam\bdcap32.dll

Filesize
11.7MB

MD5
96c68a89a3141293884294d2a8940231

SHA1
3b40d1ae530659dcf211cef5b7e5c7078d5630e2

SHA256
58db20c5c6b81b55bdea5fa9761b16007ace964b69fe26e69dbbbbfc88989fd7

SHA512
1de178b9a27affb73c8483cab5bc7ab05a94f09b811722d9d62479f938a0c2704584a3df7e71fca510a172c10ce52bd049585da394d241e57ac0da961bbbd9a8

Download Submit
C:\Program Files (x86)\Bandicam\bdcap64.dll

Filesize
14.0MB

MD5
5776d02703df7878442b12d08af01a87

SHA1
40ad6ce94f05193e70f5189640e7816a7e65f6db

SHA256
4e4929e1f5399594654e407091b14f94faeb9d446c75df4890b4f2ef7a86f6a3

SHA512
6cd21cacaf9735cfe6efc22f8666aa978b3e367b2eee7b1da8f894d0f32679cba85ad6acb1619b9284b05b6edf741178b99a5e82dacaf7966ac5be47a0a37f2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsjD644.tmp\ioSpecial.ini

Filesize
1KB

MD5
8d9e55e15d3425e6a6c742c5a4a28638

SHA1
3fe1aaa4528ec3c0a3752c70820243c9c40c5edb

SHA256
ca955d735dff117ccc7232c8f6673daf43b05e4fd50568f54a593b3c2853b31d

SHA512
17827e164d464a8bf78b6fe0265c2a677e0683e32f7c180347eb2a1ee63eecb1426d69083914685924d3191d5a14ecd6cfa2f48f58fdb2389a6d263f7e16aa5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsjD644.tmp\ioSpecial.ini

Filesize
1KB

MD5
fa60d0f82c0201dd5a3a6f84da3f3184

SHA1
9091d2a7aa31c344b9eede23dd9e8f1953d2c12d

SHA256
cafd126daaf780e48fe0c5126f1cb76e7d0cfbd93ca15b87cbcd02b0b67bf1a3

SHA512
a12fe3ddb6520cd695ed2a34555626fc367178cfc9d606775cad5babffe2ce8cf5c8ff6374f89c7f645029d1d38a66fb761d3f5cda9556dc2572700d040bae2f

Download Submit
\Program Files (x86)\Bandicam\bdcam.exe

Filesize
3.3MB

MD5
ea4dc53939edb03e0e0178fa01312dc7

SHA1
eaa6dd933ebd48254aaa16087b88191b8bcb2319

SHA256
ef13c9316861cb8f03ce4b3c65a22eb97128a2da42400f86ade6dc90ef36de3a

SHA512
8ebfc2f23d96336756c89fcc612c223e35a534fdf362a932ef1c08816d5668932137c15fddee4961c73c7895beeafe682aafa95466574e6a14632dd8b2a58987

Download Submit
\Program Files (x86)\Bandicam\bdcam_nonadmin.exe

Filesize
150KB

MD5
cfd060be6ccb4859edf73a91db415cf3

SHA1
70049f6e03e16d394a0d5325e2ec5816ab5713b9

SHA256
262825b33825dc29076036e9111eabcaa5a981bfae4be0c0ad9f6760101f1a3a

SHA512
23e227137781c220d60d4bc595e25d6df7c7c325a896d3ef0eaffdc96549726dbacba345588de1f4230e98ece4377439a56b7e2f5a8c59a3399c284b48aa2d62

Download Submit
\Program Files (x86)\Bandicam\bdcamvk64.dll

Filesize
147KB

MD5
38888a6fad9af55a90ebed93644ae843

SHA1
a0bb3971afbab9382df7eb98fcf3904333952e5f

SHA256
98e355aa821547d1d690031aa4b839c16cc8ad02a9a855a92ee3e5a628a5d56f

SHA512
d522e3059dcd460e2dfa80f06a947f140b8bcec43014e12f48cc79f8cb9689e3918752182b18a6edfeef65c9f7b353ef1f157a0f81d593c24706d78d4d6b3540

Download Submit
\Program Files (x86)\Bandicam\bdfix.exe

Filesize
2.2MB

MD5
8004f292c1c1e2f0cdf59c9e28f99d27

SHA1
de954f78e571be589d07e57e87706f668265c53a

SHA256
512d11aa774cca841d916173bf0331035edf8ecad20f00a37c0f6553f381323b

SHA512
9a9c1ab6dfc0a8eff21551821a4f4c8ce7af2049c50cb915188b784bceba97c7a20ce7a06f1d737b5594f56451ee3a9525e908a9e1a66ab22bb5970600c88ecc

Download Submit
\Program Files (x86)\Bandicam\uninstall.exe

Filesize
176KB

MD5
5f009d9588de6f30d955633c0325e124

SHA1
5e72acbad1f6d8952c3f159cabb7689ccc73e42f

SHA256
48f1d8ff637df24b71517d362bd2525311358d8ab531cd11ad1824ba78ebce26

SHA512
8edc374f362b690675cb3c408afa6a6c05916c5cc615bfbcdaa0ffccf5ef83737117caba2b11a5b6ab6725b29a8065a21c104c2cab3b63ef19720af2815e1415

Download Submit
\Users\Admin\AppData\Local\Temp\BDMPEG1SETUP.EXE

Filesize
1.4MB

MD5
461d135a4fccd51bbae38f742e123fd3

SHA1
c12a442fbcd4a9c44102f0a560ba03d59bc501ed

SHA256
4c441e7d744a2a273f780103bcf5bcb1e32c2d9c6a32b62f9044b32107544079

SHA512
41eb816bf0cc0ca12b5c6c07517cd718b8701255ea81e94ffc937f2538b8cdf5db24751cdbc22fefd6496b767fc0d631fea76216b0363f4b625557097b3caaee

Download Submit
\Users\Admin\AppData\Local\Temp\bdfilters.dll

Filesize
4.1MB

MD5
ed730387fdcd684b756601b863c47417

SHA1
c49ed6d0d46facf4ceaeb21f5d6bfdf9e3587fde

SHA256
9cbc29696ad2d582e251bf9c4be5cce618753fa43551d2474e1ae5cc5e1245e5

SHA512
e32df727799d33922c6e92f94a7bdb0bc2772d6a6636d15e285d94d3ae4661062e5bc89ec3546b76ec853398f88d972f461327ef687f89093acf1096560d5c3f

Download Submit
\Users\Admin\AppData\Local\Temp\nsj4FD7.tmp\System.dll

Filesize
11KB

MD5
959ea64598b9a3e494c00e8fa793be7e

SHA1
40f284a3b92c2f04b1038def79579d4b3d066ee0

SHA256
03cd57ab00236c753e7ddeee8ee1c10839ace7c426769982365531042e1f6f8b

SHA512
5e765e090f712beffce40c5264674f430b08719940d66e3a4d4a516fd4ade859f7853f614d9d6bbb602780de54e11110d66dbb0f9ca20ef6096ede531f9f6d64

Download Submit
\Users\Admin\AppData\Local\Temp\nsjD644.tmp\InstallOptions.dll

Filesize
15KB

MD5
720304c57dcfa17751ed455b3bb9c10a

SHA1
59a1c3a746de10b8875229ff29006f1fd36b1e41

SHA256
6486029d3939231bd9f10457fd9a5ab2e44f30315af443197a3347df4e18c4e9

SHA512
c64c161290f5c21d642ecf16cc6ad3ee4a31bf5bab41c65c74907a5c158eaca429ef99cd8d2b55dc2ecb8478bb0b85c1576402389a07568f36c871b2772ead04

Download Submit
\Users\Admin\AppData\Local\Temp\nsjD644.tmp\LangDLL.dll

Filesize
5KB

MD5
f1e9eed02db3a822a7ddef0c724e5f1f

SHA1
65864992f5b6c79c5efbefb5b1354648a8a86709

SHA256
6dff504c6759c418c6635c9b25b8c91d0d9ef7787a3a93610d7670bb563c09df

SHA512
c22b64fff76b25cf53231b8636f07b361d95791c4646787ce7beac27ad6a0de88337dcceb25b5196f97c452dda72e2614647f51a8a18cb4d5228a82ed2e0780c

Download Submit
\Users\Admin\AppData\Local\Temp\nsjD644.tmp\System.dll

Filesize
11KB

MD5
17ed1c86bd67e78ade4712be48a7d2bd

SHA1
1cc9fe86d6d6030b4dae45ecddce5907991c01a0

SHA256
bd046e6497b304e4ea4ab102cab2b1f94ce09bde0eebba4c59942a732679e4eb

SHA512
0cbed521e7d6d1f85977b3f7d3ca7ac34e1b5495b69fd8c7bfa1a846baf53b0ecd06fe1ad02a3599082ffacaf8c71a3bb4e32dec05f8e24859d736b828092cd5

Download Submit
\Users\Admin\AppData\Local\Temp\nsjD644.tmp\UserInfo.dll

Filesize
4KB

MD5
1b446b36f5b4022d50ffdc0cf567b24a

SHA1
d9a0a99fe5ea3932cbd2774af285ddf35fcdd4f9

SHA256
2862c7bc7f11715cebdea003564a0d70bf42b73451e2b672110e1392ec392922

SHA512
04ab80568f6da5eef2bae47056391a5de4ba6aff15cf4a2d0a9cc807816bf565161731921c65fe5ff748d2b86d1661f6aa4311c65992350bd63a9f092019f1b8

Download Submit
memory/1224-233-0x0000000000D30000-0x00000000015FC000-memory.dmp

Filesize
8.8MB

Download
memory/1224-245-0x0000000000D30000-0x00000000015FC000-memory.dmp

Filesize
8.8MB

Download
memory/1224-235-0x0000000000D30000-0x00000000015FC000-memory.dmp

Filesize
8.8MB

Download
memory/2292-436-0x0000000004080000-0x000000000494C000-memory.dmp

Filesize
8.8MB

Download
memory/2292-330-0x00000000029B0000-0x00000000029C0000-memory.dmp

Filesize
64KB

Download
memory/2292-438-0x00000000029B0000-0x00000000029C0000-memory.dmp

Filesize
64KB

Download
memory/2292-435-0x00000000029B0000-0x00000000029C0000-memory.dmp

Filesize
64KB

Download
memory/2292-231-0x0000000004080000-0x000000000494C000-memory.dmp

Filesize
8.8MB

Download
memory/2292-437-0x00000000029B0000-0x00000000029C0000-memory.dmp

Filesize
64KB

Download
memory/2292-153-0x00000000029B0000-0x00000000029C0000-memory.dmp

Filesize
64KB

Download