b7a72c3f23c3e265caa74c60acbef350b268745c1e451a27e915011c720155f8

Resubmissions

13/10/2024, 11:52

241013-n15qrsvdrc 5

13/10/2024, 11:50

241013-nzlaqszcqk 5

Analysis

max time kernel
146s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
13/10/2024, 11:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

BDCAMSETUP_ENG_4_1_2_1385.exe
Size

17.1MB
MD5

f16613c3a3b77319538c9d5aaa2901b8
SHA1

64c2e645d00f5cabee070dec31527e021ba2edc3
SHA256

b7a72c3f23c3e265caa74c60acbef350b268745c1e451a27e915011c720155f8
SHA512

34593fcb6738acbd3fb455c03a018648d2650c7c589de000d3fdfa6bc4b29364eeffd962f106870e5868af8dd941a858ee6b8e27d9759e79bccaa222a1fffaa1
SSDEEP

393216:xHtmmkxvpntFfcAeBhgUDnuUS+qjkS5LsTQAqy0hPusNfznm4h4:jmmkxx0D7uU+hAqy0jNr/h4

Score

5^/10

discovery persistence privilege_escalation

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	bdcam.exe

Drops file in System32 directory 10 IoCs

description	ioc	Process
File created	C:\Windows\system32\bdmjpeg64.dll	BDMPEG1SETUP.EXE
File created	C:\Windows\SysWOW64\D3DCompiler_47.dll	BDCAMSETUP_ENG_4_1_2_1385.exe
File created	C:\Windows\system32\vcomp140.dll	BDCAMSETUP_ENG_4_1_2_1385.exe
File created	C:\Windows\SysWOW64\vcomp140.dll	BDCAMSETUP_ENG_4_1_2_1385.exe
File created	C:\Windows\system32\D3DCompiler_47.dll	BDCAMSETUP_ENG_4_1_2_1385.exe
File created	C:\Windows\SysWOW64\bdmjpeg.dll	BDMPEG1SETUP.EXE
File created	C:\Windows\SysWOW64\bdmpegv.dll	BDMPEG1SETUP.EXE
File created	C:\Windows\SysWOW64\bdmpega.acm	BDMPEG1SETUP.EXE
File created	C:\Windows\system32\bdmpegv64.dll	BDMPEG1SETUP.EXE
File created	C:\Windows\system32\bdmpega64.acm	BDMPEG1SETUP.EXE

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
3036	bdcam.exe
700	bdcam.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Bandicam\lang\Serbian(Cyrillic).ini	BDCAMSETUP_ENG_4_1_2_1385.exe
File created	C:\Program Files (x86)\Bandicam\lang\Slovenian.ini	BDCAMSETUP_ENG_4_1_2_1385.exe
File created	C:\Program Files (x86)\Bandicam\lang\Turkish.ini	BDCAMSETUP_ENG_4_1_2_1385.exe
File created	C:\Program Files (x86)\Bandicam\lang\Urdu.ini	BDCAMSETUP_ENG_4_1_2_1385.exe
File created	C:\Program Files (x86)\Bandicam\data\sample.png	BDCAMSETUP_ENG_4_1_2_1385.exe
File created	C:\Program Files (x86)\Bandicam\bdfix.exe	BDCAMSETUP_ENG_4_1_2_1385.exe
File created	C:\Program Files (x86)\Bandicam\bandicam.ini	BDCAMSETUP_ENG_4_1_2_1385.exe
File created	C:\Program Files (x86)\Bandicam\bdcam.dll	BDCAMSETUP_ENG_4_1_2_1385.exe
File created	C:\Program Files (x86)\Bandicam\lang\Armenian.ini	BDCAMSETUP_ENG_4_1_2_1385.exe
File created	C:\Program Files (x86)\Bandicam\lang\Indonesian.ini	BDCAMSETUP_ENG_4_1_2_1385.exe
File created	C:\Program Files (x86)\Bandicam\data\skin.dat	BDCAMSETUP_ENG_4_1_2_1385.exe
File created	C:\Program Files (x86)\Bandicam\lang\Arabic.ini	BDCAMSETUP_ENG_4_1_2_1385.exe
File created	C:\Program Files (x86)\Bandicam\lang\Croatian.ini	BDCAMSETUP_ENG_4_1_2_1385.exe
File created	C:\Program Files (x86)\Bandicam\lang\Kurdish.ini	BDCAMSETUP_ENG_4_1_2_1385.exe
File created	C:\Program Files (x86)\Bandicam\lang\Russian.ini	BDCAMSETUP_ENG_4_1_2_1385.exe
File created	C:\Program Files (x86)\Bandicam\lang\Swedish.ini	BDCAMSETUP_ENG_4_1_2_1385.exe
File created	C:\Program Files (x86)\Bandicam\data\camera.wav	BDCAMSETUP_ENG_4_1_2_1385.exe
File created	C:\Program Files (x86)\Bandicam\bdcam.exe	BDCAMSETUP_ENG_4_1_2_1385.exe
File created	C:\Program Files (x86)\Bandicam\bdcap64.dll	BDCAMSETUP_ENG_4_1_2_1385.exe
File created	C:\Program Files (x86)\Bandicam\lang\Dutch.ini	BDCAMSETUP_ENG_4_1_2_1385.exe
File created	C:\Program Files (x86)\Bandicam\lang\Hebrew.ini	BDCAMSETUP_ENG_4_1_2_1385.exe
File created	C:\Program Files (x86)\Bandicam\lang\Hungarian.ini	BDCAMSETUP_ENG_4_1_2_1385.exe
File created	C:\Program Files (x86)\Bandicam\lang\Lithuanian.ini	BDCAMSETUP_ENG_4_1_2_1385.exe
File created	C:\Program Files (x86)\Bandicam\lang\German.ini	BDCAMSETUP_ENG_4_1_2_1385.exe
File created	C:\Program Files (x86)\Bandicam\lang\Portuguese(BR).ini	BDCAMSETUP_ENG_4_1_2_1385.exe
File created	C:\Program Files (x86)\Bandicam\lang\Simplified_Chinese.ini	BDCAMSETUP_ENG_4_1_2_1385.exe
File created	C:\Program Files (x86)\Bandicam\data\language.dat	BDCAMSETUP_ENG_4_1_2_1385.exe
File created	C:\Program Files (x86)\Bandicam\data\stop.wav	BDCAMSETUP_ENG_4_1_2_1385.exe
File created	C:\Program Files (x86)\Bandicam\bdcam64.bin	BDCAMSETUP_ENG_4_1_2_1385.exe
File created	C:\Program Files (x86)\Bandicam\bdcamvk32.dll	BDCAMSETUP_ENG_4_1_2_1385.exe
File created	C:\Program Files (x86)\Bandicam\lang\Italian.ini	BDCAMSETUP_ENG_4_1_2_1385.exe
File created	C:\Program Files (x86)\Bandicam\lang\Portuguese.ini	BDCAMSETUP_ENG_4_1_2_1385.exe
File created	C:\Program Files (x86)\Bandicam\lang\Vietnamese.ini	BDCAMSETUP_ENG_4_1_2_1385.exe
File created	C:\Program Files (x86)\Bandicam\data\effects.dat	BDCAMSETUP_ENG_4_1_2_1385.exe
File created	C:\Program Files (x86)\Bandicam\lang\Farsi.ini	BDCAMSETUP_ENG_4_1_2_1385.exe
File created	C:\Program Files (x86)\Bandicam\lang\Thai.ini	BDCAMSETUP_ENG_4_1_2_1385.exe
File created	C:\Program Files (x86)\Bandicam\bdcam_nonadmin.exe	BDCAMSETUP_ENG_4_1_2_1385.exe
File created	C:\Program Files (x86)\Bandicam\bdcamvk64.json	BDCAMSETUP_ENG_4_1_2_1385.exe
File created	C:\Program Files (x86)\Bandicam\lang\Belarusian.ini	BDCAMSETUP_ENG_4_1_2_1385.exe
File created	C:\Program Files (x86)\Bandicam\lang\Malay.ini	BDCAMSETUP_ENG_4_1_2_1385.exe
File created	C:\Program Files (x86)\Bandicam\lang\Norwegian.ini	BDCAMSETUP_ENG_4_1_2_1385.exe
File created	C:\Program Files (x86)\Bandicam\lang\Slovak.ini	BDCAMSETUP_ENG_4_1_2_1385.exe
File created	C:\Program Files (x86)\Bandicam\uninstall.exe	BDCAMSETUP_ENG_4_1_2_1385.exe
File created	C:\Program Files (x86)\Bandicam\bdcap32.dll	BDCAMSETUP_ENG_4_1_2_1385.exe
File created	C:\Program Files (x86)\Bandicam\lang\Burmese.ini	BDCAMSETUP_ENG_4_1_2_1385.exe
File created	C:\Program Files (x86)\Bandicam\lang\Uzbek.ini	BDCAMSETUP_ENG_4_1_2_1385.exe
File created	C:\Program Files (x86)\Bandicam\bdcamvk32.json	BDCAMSETUP_ENG_4_1_2_1385.exe
File created	C:\Program Files (x86)\Bandicam\lang\khmer.ini	BDCAMSETUP_ENG_4_1_2_1385.exe
File created	C:\Program Files (x86)\Bandicam\lang\Ukrainian.ini	BDCAMSETUP_ENG_4_1_2_1385.exe
File created	C:\Program Files (x86)\Bandicam\lang\Serbian.ini	BDCAMSETUP_ENG_4_1_2_1385.exe
File created	C:\Program Files (x86)\Bandicam\amf-core-windesktop32.dll	BDCAMSETUP_ENG_4_1_2_1385.exe
File created	C:\Program Files (x86)\Bandicam\lang\Danish.ini	BDCAMSETUP_ENG_4_1_2_1385.exe
File created	C:\Program Files (x86)\Bandicam\lang\English.ini	BDCAMSETUP_ENG_4_1_2_1385.exe
File created	C:\Program Files (x86)\Bandicam\lang\Finnish.ini	BDCAMSETUP_ENG_4_1_2_1385.exe
File created	C:\Program Files (x86)\Bandicam\lang\French.ini	BDCAMSETUP_ENG_4_1_2_1385.exe
File created	C:\Program Files (x86)\Bandicam\lang\Polish.ini	BDCAMSETUP_ENG_4_1_2_1385.exe
File created	C:\Program Files (x86)\Bandicam\lang\Romanian.ini	BDCAMSETUP_ENG_4_1_2_1385.exe
File created	C:\Program Files (x86)\Bandicam\data\start.wav	BDCAMSETUP_ENG_4_1_2_1385.exe
File created	C:\Program Files (x86)\BandiMPEG1\bdfilters.dll	BDMPEG1SETUP.EXE
File created	C:\Program Files (x86)\BandiMPEG1\bdfilters64.dll	BDMPEG1SETUP.EXE
File created	C:\Program Files (x86)\Bandicam\bdcam64.dll	BDCAMSETUP_ENG_4_1_2_1385.exe
File created	C:\Program Files (x86)\Bandicam\amf-component-vce-windesktop64.dll	BDCAMSETUP_ENG_4_1_2_1385.exe
File created	C:\Program Files (x86)\Bandicam\RegVulkanLayer.bat	BDCAMSETUP_ENG_4_1_2_1385.exe
File created	C:\Program Files (x86)\Bandicam\translators.txt	BDCAMSETUP_ENG_4_1_2_1385.exe

Executes dropped EXE 4 IoCs

pid	Process
4276	BDMPEG1SETUP.EXE
3036	bdcam.exe
700	bdcam.exe
4180	bdcam64.bin

Loads dropped DLL 27 IoCs

pid	Process
2340	BDCAMSETUP_ENG_4_1_2_1385.exe
2340	BDCAMSETUP_ENG_4_1_2_1385.exe
2340	BDCAMSETUP_ENG_4_1_2_1385.exe
2340	BDCAMSETUP_ENG_4_1_2_1385.exe
2340	BDCAMSETUP_ENG_4_1_2_1385.exe
2340	BDCAMSETUP_ENG_4_1_2_1385.exe
2340	BDCAMSETUP_ENG_4_1_2_1385.exe
2340	BDCAMSETUP_ENG_4_1_2_1385.exe
2340	BDCAMSETUP_ENG_4_1_2_1385.exe
2340	BDCAMSETUP_ENG_4_1_2_1385.exe
4276	BDMPEG1SETUP.EXE
3472	regsvr32.exe
436	regsvr32.exe
4276	BDMPEG1SETUP.EXE
2248	rundll32.exe
3036	bdcam.exe
3924	rundll32.exe
2340	BDCAMSETUP_ENG_4_1_2_1385.exe
2340	BDCAMSETUP_ENG_4_1_2_1385.exe
700	bdcam.exe
700	bdcam.exe
4180	bdcam64.bin
700	bdcam.exe
3356	msedge.exe
448	WerFault.exe
3488	Process not Found
5116	identity_helper.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
448	700	WerFault.exe	96

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BDMPEG1SETUP.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bdcam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bdcam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BDCAMSETUP_ENG_4_1_2_1385.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_SCRIPTURL_MITIGATION	BDCAMSETUP_ENG_4_1_2_1385.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SCRIPTURL_MITIGATION\bdcam.exe = "1"	BDCAMSETUP_ENG_4_1_2_1385.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION	BDCAMSETUP_ENG_4_1_2_1385.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\bdcam.exe = "11000"	BDCAMSETUP_ENG_4_1_2_1385.exe

Modifies registry class 56 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}\InprocServer32	BDMPEG1SETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F4F5C9E9-CFCC-4C65-A8BD-0423A338F188}\InprocServer32	BDMPEG1SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F4F5C9E9-CFCC-4C65-A8BD-0423A338F188}\InprocServer32\ = "C:\\Program Files (x86)\\BandiMPEG1\\bdfilters.dll"	BDMPEG1SETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A1C6833E-A3EC-4397-9FA9-151792F3408F}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E2E7539A-CECF-4A6A-B187-939943ECEF05}\InprocServer32	BDMPEG1SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}\ = "Bandicam MPEG-1 Video Decoder"	BDMPEG1SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F4F5C9E9-CFCC-4C65-A8BD-0423A338F188}\ = "Bandicam MPEG-1 Audio Property"	BDMPEG1SETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E2E7539A-CECF-4A6A-B187-939943ECEF05}	BDMPEG1SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E2E7539A-CECF-4A6A-B187-939943ECEF05}\ = "Bandicam MPEG-1 Audio Decoder"	BDMPEG1SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E2E7539A-CECF-4A6A-B187-939943ECEF05}\InprocServer32\ThreadingModel = "Both"	BDMPEG1SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}\FriendlyName = "Bandicam MPEG-1 Video Decoder"	BDMPEG1SETUP.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}\FilterData = 02000000010080ff02000000000000003070693300000000000000000200000000000000000000003074793300000000700000008000000031747933000000007000000090000000317069330800000000000000010000000000000000000000307479330000000070000000a00000007669647300001000800000aa00389b714d50454700001000800000aa00389b714d50473100001000800000aa00389b7100000000000000000000000000000000	BDMPEG1SETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E2E7539A-CECF-4A6A-B187-939943ECEF05}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{E2E7539A-CECF-4A6A-B187-939943ECEF05}\CLSID = "{E2E7539A-CECF-4A6A-B187-939943ECEF05}"	regsvr32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{E2E7539A-CECF-4A6A-B187-939943ECEF05}\FilterData = 02000000010080ff020000000000000030706933000000000000000001000000000000000000000030747933000000006000000070000000317069330800000000000000010000000000000000000000307479330000000060000000800000006175647300001000800000aa00389b715000000000001000800000aa00389b710100000000001000800000aa00389b71	regsvr32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{E2E7539A-CECF-4A6A-B187-939943ECEF05}\FilterData = 02000000010080ff020000000000000030706933000000000000000001000000000000000000000030747933000000006000000070000000317069330800000000000000010000000000000000000000307479330000000060000000800000006175647300001000800000aa00389b715000000000001000800000aa00389b710100000000001000800000aa00389b71	BDMPEG1SETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F4F5C9E9-CFCC-4C65-A8BD-0423A338F188}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}	BDMPEG1SETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E2E7539A-CECF-4A6A-B187-939943ECEF05}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F4F5C9E9-CFCC-4C65-A8BD-0423A338F188}\InprocServer32\ = "C:\\Program Files (x86)\\BandiMPEG1\\bdfilters64.dll"	regsvr32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}\FilterData = 02000000010080ff02000000000000003070693300000000000000000200000000000000000000003074793300000000700000008000000031747933000000007000000090000000317069330800000000000000010000000000000000000000307479330000000070000000a00000007669647300001000800000aa00389b714d50454700001000800000aa00389b714d50473100001000800000aa00389b7100000000000000000000000000000000	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F4F5C9E9-CFCC-4C65-A8BD-0423A338F188}	BDMPEG1SETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{E2E7539A-CECF-4A6A-B187-939943ECEF05}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A1C6833E-A3EC-4397-9FA9-151792F3408F}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E2E7539A-CECF-4A6A-B187-939943ECEF05}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A1C6833E-A3EC-4397-9FA9-151792F3408F}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E2E7539A-CECF-4A6A-B187-939943ECEF05}\ = "Bandicam MPEG-1 Audio Decoder"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}\CLSID = "{89C4B786-A490-4A3E-AA70-E6A8C61D3689}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}\InprocServer32\ = "C:\\Program Files (x86)\\BandiMPEG1\\bdfilters.dll"	BDMPEG1SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A1C6833E-A3EC-4397-9FA9-151792F3408F}\ = "Bandicam MPEG-1 Video Property"	BDMPEG1SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A1C6833E-A3EC-4397-9FA9-151792F3408F}\InprocServer32\ = "C:\\Program Files (x86)\\BandiMPEG1\\bdfilters.dll"	BDMPEG1SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E2E7539A-CECF-4A6A-B187-939943ECEF05}\InprocServer32\ = "C:\\Program Files (x86)\\BandiMPEG1\\bdfilters.dll"	BDMPEG1SETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{E2E7539A-CECF-4A6A-B187-939943ECEF05}	BDMPEG1SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A1C6833E-A3EC-4397-9FA9-151792F3408F}\InprocServer32\ = "C:\\Program Files (x86)\\BandiMPEG1\\bdfilters64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E2E7539A-CECF-4A6A-B187-939943ECEF05}\InprocServer32\ = "C:\\Program Files (x86)\\BandiMPEG1\\bdfilters64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}\FriendlyName = "Bandicam MPEG-1 Video Decoder"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A1C6833E-A3EC-4397-9FA9-151792F3408F}\InprocServer32	BDMPEG1SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}\InprocServer32\ = "C:\\Program Files (x86)\\BandiMPEG1\\bdfilters64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A1C6833E-A3EC-4397-9FA9-151792F3408F}\ = "Bandicam MPEG-1 Video Property"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F4F5C9E9-CFCC-4C65-A8BD-0423A338F188}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A1C6833E-A3EC-4397-9FA9-151792F3408F}\InprocServer32\ThreadingModel = "Both"	BDMPEG1SETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}	BDMPEG1SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{E2E7539A-CECF-4A6A-B187-939943ECEF05}\CLSID = "{E2E7539A-CECF-4A6A-B187-939943ECEF05}"	BDMPEG1SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}\ = "Bandicam MPEG-1 Video Decoder"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F4F5C9E9-CFCC-4C65-A8BD-0423A338F188}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}\InprocServer32\ThreadingModel = "Both"	BDMPEG1SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F4F5C9E9-CFCC-4C65-A8BD-0423A338F188}\InprocServer32\ThreadingModel = "Both"	BDMPEG1SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{E2E7539A-CECF-4A6A-B187-939943ECEF05}\FriendlyName = "Bandicam MPEG-1 Audio Decoder"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}\CLSID = "{89C4B786-A490-4A3E-AA70-E6A8C61D3689}"	BDMPEG1SETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A1C6833E-A3EC-4397-9FA9-151792F3408F}	BDMPEG1SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{E2E7539A-CECF-4A6A-B187-939943ECEF05}\FriendlyName = "Bandicam MPEG-1 Audio Decoder"	BDMPEG1SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F4F5C9E9-CFCC-4C65-A8BD-0423A338F188}\ = "Bandicam MPEG-1 Audio Property"	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
536	msedge.exe
536	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
700	bdcam.exe
700	bdcam.exe
700	bdcam.exe
700	bdcam.exe
4180	bdcam64.bin
4180	bdcam64.bin
5116	identity_helper.exe
5116	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
700	bdcam.exe

Suspicious use of SendNotifyMessage 25 IoCs

pid	Process
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
700	bdcam.exe

Suspicious use of SetWindowsHookEx 21 IoCs

pid	Process
3036	bdcam.exe
700	bdcam.exe
700	bdcam.exe
4180	bdcam64.bin
4180	bdcam64.bin
4180	bdcam64.bin
4180	bdcam64.bin
4180	bdcam64.bin
700	bdcam.exe
700	bdcam.exe
4180	bdcam64.bin
4180	bdcam64.bin
4180	bdcam64.bin
4180	bdcam64.bin
700	bdcam.exe
700	bdcam.exe
700	bdcam.exe
700	bdcam.exe
700	bdcam.exe
700	bdcam.exe
700	bdcam.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2340 wrote to memory of 4276	2340	BDCAMSETUP_ENG_4_1_2_1385.exe	89
PID 2340 wrote to memory of 4276	2340	BDCAMSETUP_ENG_4_1_2_1385.exe	89
PID 2340 wrote to memory of 4276	2340	BDCAMSETUP_ENG_4_1_2_1385.exe	89
PID 4276 wrote to memory of 3472	4276	BDMPEG1SETUP.EXE	90
PID 4276 wrote to memory of 3472	4276	BDMPEG1SETUP.EXE	90
PID 4276 wrote to memory of 3472	4276	BDMPEG1SETUP.EXE	90
PID 3472 wrote to memory of 436	3472	regsvr32.exe	91
PID 3472 wrote to memory of 436	3472	regsvr32.exe	91
PID 2340 wrote to memory of 3036	2340	BDCAMSETUP_ENG_4_1_2_1385.exe	92
PID 2340 wrote to memory of 3036	2340	BDCAMSETUP_ENG_4_1_2_1385.exe	92
PID 2340 wrote to memory of 3036	2340	BDCAMSETUP_ENG_4_1_2_1385.exe	92
PID 3036 wrote to memory of 2248	3036	bdcam.exe	93
PID 3036 wrote to memory of 2248	3036	bdcam.exe	93
PID 3036 wrote to memory of 3924	3036	bdcam.exe	94
PID 3036 wrote to memory of 3924	3036	bdcam.exe	94
PID 3036 wrote to memory of 3924	3036	bdcam.exe	94
PID 2340 wrote to memory of 700	2340	BDCAMSETUP_ENG_4_1_2_1385.exe	96
PID 2340 wrote to memory of 700	2340	BDCAMSETUP_ENG_4_1_2_1385.exe	96
PID 2340 wrote to memory of 700	2340	BDCAMSETUP_ENG_4_1_2_1385.exe	96
PID 2340 wrote to memory of 3356	2340	BDCAMSETUP_ENG_4_1_2_1385.exe	97
PID 2340 wrote to memory of 3356	2340	BDCAMSETUP_ENG_4_1_2_1385.exe	97
PID 3356 wrote to memory of 2744	3356	msedge.exe	98
PID 3356 wrote to memory of 2744	3356	msedge.exe	98
PID 3356 wrote to memory of 2720	3356	msedge.exe	99
PID 3356 wrote to memory of 2720	3356	msedge.exe	99
PID 3356 wrote to memory of 2720	3356	msedge.exe	99
PID 3356 wrote to memory of 2720	3356	msedge.exe	99
PID 3356 wrote to memory of 2720	3356	msedge.exe	99
PID 3356 wrote to memory of 2720	3356	msedge.exe	99
PID 3356 wrote to memory of 2720	3356	msedge.exe	99
PID 3356 wrote to memory of 2720	3356	msedge.exe	99
PID 3356 wrote to memory of 2720	3356	msedge.exe	99
PID 3356 wrote to memory of 2720	3356	msedge.exe	99
PID 3356 wrote to memory of 2720	3356	msedge.exe	99
PID 3356 wrote to memory of 2720	3356	msedge.exe	99
PID 3356 wrote to memory of 2720	3356	msedge.exe	99
PID 3356 wrote to memory of 2720	3356	msedge.exe	99
PID 3356 wrote to memory of 2720	3356	msedge.exe	99
PID 3356 wrote to memory of 2720	3356	msedge.exe	99
PID 3356 wrote to memory of 2720	3356	msedge.exe	99
PID 3356 wrote to memory of 2720	3356	msedge.exe	99
PID 3356 wrote to memory of 2720	3356	msedge.exe	99
PID 3356 wrote to memory of 2720	3356	msedge.exe	99
PID 3356 wrote to memory of 2720	3356	msedge.exe	99
PID 3356 wrote to memory of 2720	3356	msedge.exe	99
PID 3356 wrote to memory of 2720	3356	msedge.exe	99
PID 3356 wrote to memory of 2720	3356	msedge.exe	99
PID 3356 wrote to memory of 2720	3356	msedge.exe	99
PID 3356 wrote to memory of 2720	3356	msedge.exe	99
PID 3356 wrote to memory of 2720	3356	msedge.exe	99
PID 3356 wrote to memory of 2720	3356	msedge.exe	99
PID 3356 wrote to memory of 2720	3356	msedge.exe	99
PID 3356 wrote to memory of 2720	3356	msedge.exe	99
PID 3356 wrote to memory of 2720	3356	msedge.exe	99
PID 3356 wrote to memory of 2720	3356	msedge.exe	99
PID 3356 wrote to memory of 2720	3356	msedge.exe	99
PID 3356 wrote to memory of 2720	3356	msedge.exe	99
PID 3356 wrote to memory of 2720	3356	msedge.exe	99
PID 3356 wrote to memory of 2720	3356	msedge.exe	99
PID 3356 wrote to memory of 2720	3356	msedge.exe	99
PID 3356 wrote to memory of 2720	3356	msedge.exe	99
PID 3356 wrote to memory of 2720	3356	msedge.exe	99
PID 3356 wrote to memory of 2720	3356	msedge.exe	99
PID 3356 wrote to memory of 536	3356	msedge.exe	100

C:\Users\Admin\AppData\Local\Temp\BDCAMSETUP_ENG_4_1_2_1385.exe
"C:\Users\Admin\AppData\Local\Temp\BDCAMSETUP_ENG_4_1_2_1385.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:2340
- C:\Users\Admin\AppData\Local\Temp\BDMPEG1SETUP.EXE
  C:\Users\Admin\AppData\Local\Temp\BDMPEG1SETUP.EXE /S
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4276
- - C:\Windows\SysWOW64\regsvr32.exe
    "regsvr32" /s "C:\Program Files (x86)\BandiMPEG1\bdfilters64.dll"
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3472
  - - C:\Windows\system32\regsvr32.exe
      /s "C:\Program Files (x86)\BandiMPEG1\bdfilters64.dll"
      4⤵
      Loads dropped DLL
      Modifies registry class
      PID:436
- C:\Program Files (x86)\Bandicam\bdcam.exe
  "C:\Program Files (x86)\Bandicam\bdcam.exe" /install
  2⤵
  - Checks computer location settings
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3036
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" "C:\Program Files (x86)\Bandicam\bdcamvk64.dll",RegDll
    3⤵
    - Loads dropped DLL
    PID:2248
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\SysWOW64\rundll32.exe" "C:\Program Files (x86)\Bandicam\bdcamvk32.dll",RegDll
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:3924
- C:\Program Files (x86)\Bandicam\bdcam.exe
  "C:\Program Files (x86)\Bandicam\bdcam.exe"
  2⤵
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:700
- - C:\Program Files (x86)\Bandicam\bdcam64.bin
    "C:\Program Files (x86)\Bandicam\bdcam64.bin" 700
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:4180
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 700 -s 2648
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:448
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.bandicam.com/f.php?id=eng_app_complete_install&v=2
  2⤵
  - Loads dropped DLL
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:3356
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc3ea546f8,0x7ffc3ea54708,0x7ffc3ea54718
    3⤵
    PID:2744
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1988,16576977943363401547,2869187460558091981,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1992 /prefetch:2
    3⤵
    PID:2720
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1988,16576977943363401547,2869187460558091981,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2264 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:536
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1988,16576977943363401547,2869187460558091981,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2704 /prefetch:8
    3⤵
    PID:4928
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,16576977943363401547,2869187460558091981,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1
    3⤵
    PID:392
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,16576977943363401547,2869187460558091981,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
    3⤵
    PID:4992
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,16576977943363401547,2869187460558091981,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5048 /prefetch:1
    3⤵
    PID:4592
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,16576977943363401547,2869187460558091981,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5264 /prefetch:1
    3⤵
    PID:3360
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,16576977943363401547,2869187460558091981,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5216 /prefetch:1
    3⤵
    PID:2836
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,16576977943363401547,2869187460558091981,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5168 /prefetch:1
    3⤵
    PID:4856
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1988,16576977943363401547,2869187460558091981,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5276 /prefetch:8
    3⤵
    PID:4628
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1988,16576977943363401547,2869187460558091981,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5276 /prefetch:8
    3⤵
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    PID:5116
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,16576977943363401547,2869187460558091981,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5368 /prefetch:1
    3⤵
    PID:3740
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,16576977943363401547,2869187460558091981,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5308 /prefetch:1
    3⤵
    PID:3428

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3480

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 700 -ip 700
1⤵
PID:3648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\BandiMPEG1\bdfilters.dll

Filesize
4.1MB

MD5
ed730387fdcd684b756601b863c47417

SHA1
c49ed6d0d46facf4ceaeb21f5d6bfdf9e3587fde

SHA256
9cbc29696ad2d582e251bf9c4be5cce618753fa43551d2474e1ae5cc5e1245e5

SHA512
e32df727799d33922c6e92f94a7bdb0bc2772d6a6636d15e285d94d3ae4661062e5bc89ec3546b76ec853398f88d972f461327ef687f89093acf1096560d5c3f

Download Submit
C:\Program Files (x86)\BandiMPEG1\bdfilters64.dll

Filesize
4.6MB

MD5
13f7a29baa1e04f74151737cb71bd0e5

SHA1
0bc8682c6c96923a729aa6239aa53d95221b13ab

SHA256
008fababd36e8fbfd5f610a2c62d47963e78ec91e54ad69a1e20807445c3528d

SHA512
4cea11e88e8861c4094b227d85295c0d67452af703b0ec9dfe475797b87d03b40bc1f6b58dcc00996672c1c05d99b82dcc067bc429a1465ae90f4ec966f2bca8

Download Submit
C:\Program Files (x86)\Bandicam\amf-component-vce-windesktop32.dll

Filesize
198KB

MD5
6ef74574e1b3b95d4a76a7496531180b

SHA1
00bbdf84eef8e5c3763801cba3bc9e75677ed2b5

SHA256
ca1e172624ac5ec0255c98acbe10d3b046c55d34df1f346189ada3701f32cb28

SHA512
d2feae0282480e7dcd016009171c5ff0feef61302be32f04fe0a12b8cae242f4cbf7893f8942ccf82d5767c21ce0a1185b89ff341ca2d833cb12d4902957fe83

Download Submit
C:\Program Files (x86)\Bandicam\amf-core-windesktop32.dll

Filesize
610KB

MD5
3042c4a93c54c99e77278dcd73a10814

SHA1
ebea3f630a2ff94699a6c6ac420f7076519a9a18

SHA256
72da60e16b8530cebe0db160409ccecfc0adbc8778ffa13e08ec48eb028c457a

SHA512
6f8accf66ccf56c396ef4028bdde10ca7c2a2bc0a3e77250c22a06f27aecaaef23238c3ffcaa212b99d05b5da10b2ed6fdaa97d81b756121e0836c49812ec18e

Download Submit
C:\Program Files (x86)\Bandicam\bandicam.ini

Filesize
25B

MD5
6eec14bac1ea1289156f202fa3239df0

SHA1
1785063fb758b84b0d7f393d45283afaba04e2f3

SHA256
6488b7fe5bee8f80efd4b92154a4c27b109d57e0624fa286695d7fc05fdcdedd

SHA512
30ee0d463cfc79326681fa3ae78ea155f79edf1117d3f5e40e079cbff2fc459bbe7efe246573a7947dc0e6de05db65209240ea5d31f991cdbf446454cd737c46

Download Submit
C:\Program Files (x86)\Bandicam\bdcam.dll

Filesize
865KB

MD5
82fdf4dc9379cd57397d219db198e452

SHA1
ad97eb3b40d79f896a9a5938123dac5caa810d91

SHA256
c2e252da1d1bec27259d40cf7f4feff04e9c9646208f2255fd00a9f434c3c089

SHA512
977803334bbc9a1e9ea96a44cc804a8af0dfb70c86716a7288c833a2e615ae640d18a8005b0c6563a99cfaee7ff3af9cdcd41a4f4098174cd54b0a55df1e7688

Download Submit
C:\Program Files (x86)\Bandicam\bdcam.exe

Filesize
3.3MB

MD5
ea4dc53939edb03e0e0178fa01312dc7

SHA1
eaa6dd933ebd48254aaa16087b88191b8bcb2319

SHA256
ef13c9316861cb8f03ce4b3c65a22eb97128a2da42400f86ade6dc90ef36de3a

SHA512
8ebfc2f23d96336756c89fcc612c223e35a534fdf362a932ef1c08816d5668932137c15fddee4961c73c7895beeafe682aafa95466574e6a14632dd8b2a58987

Download Submit
C:\Program Files (x86)\Bandicam\bdcam64.bin

Filesize
2.9MB

MD5
59ce17c72b23238b6c7a8bdc93dc3fce

SHA1
54fb55b07f2fb1b1acae2befcac2c8d8b17e73ad

SHA256
a213faac438ddbf330c3f81d6fb7ad5af81578011045fb60b7f66773f51092fb

SHA512
9ec761ecf2617483bf258c47dca046ca2a1cbb1e92f1ac11038136fea1dcb77bc93b68a82b2a5957e97ab8a979e95dfd3483f3c246ba517016605f6daaf48cd9

Download Submit
C:\Program Files (x86)\Bandicam\bdcam64.dll

Filesize
1.0MB

MD5
99b6a1cc8d325a60c545e59c8bdee580

SHA1
e1587949ab54573ff1edfe7ff56b4f3237f55bed

SHA256
88b087f69c972ea7e64f8dd406852aa4b8f7badf09c3f5c55988e7f62cc5020a

SHA512
751eb9bc936b34f3c5e918d98c01b34830fbec1f7f5c702d5ca2c38d4de0f49ce90486512d2b600b932af0086700460426610f1641cabfaa0c904757b726849d

Download Submit
C:\Program Files (x86)\Bandicam\bdcamvk32.dll

Filesize
123KB

MD5
68f13d7e357a25bc18843a950bb8fb0b

SHA1
405910b130871ad2fecf35bf0afa6c9f43db84b9

SHA256
4111741fea81ed8b1ec29187a4e04afa0e5f19db438d1b67e360a074facbee8d

SHA512
da8f8f861e8c0f91048922e274dc6f7d1425ee3fa850b380360c8e67ce58fabc7145ea3620765051888491f07c44b63180ecdc6cfbc607bd68fba0ebd0d8ca39

Download Submit
C:\Program Files (x86)\Bandicam\bdcamvk64.dll

Filesize
147KB

MD5
38888a6fad9af55a90ebed93644ae843

SHA1
a0bb3971afbab9382df7eb98fcf3904333952e5f

SHA256
98e355aa821547d1d690031aa4b839c16cc8ad02a9a855a92ee3e5a628a5d56f

SHA512
d522e3059dcd460e2dfa80f06a947f140b8bcec43014e12f48cc79f8cb9689e3918752182b18a6edfeef65c9f7b353ef1f157a0f81d593c24706d78d4d6b3540

Download Submit
C:\Program Files (x86)\Bandicam\bdcap32.dll

Filesize
11.7MB

MD5
96c68a89a3141293884294d2a8940231

SHA1
3b40d1ae530659dcf211cef5b7e5c7078d5630e2

SHA256
58db20c5c6b81b55bdea5fa9761b16007ace964b69fe26e69dbbbbfc88989fd7

SHA512
1de178b9a27affb73c8483cab5bc7ab05a94f09b811722d9d62479f938a0c2704584a3df7e71fca510a172c10ce52bd049585da394d241e57ac0da961bbbd9a8

Download Submit
C:\Program Files (x86)\Bandicam\bdcap64.dll

Filesize
14.0MB

MD5
5776d02703df7878442b12d08af01a87

SHA1
40ad6ce94f05193e70f5189640e7816a7e65f6db

SHA256
4e4929e1f5399594654e407091b14f94faeb9d446c75df4890b4f2ef7a86f6a3

SHA512
6cd21cacaf9735cfe6efc22f8666aa978b3e367b2eee7b1da8f894d0f32679cba85ad6acb1619b9284b05b6edf741178b99a5e82dacaf7966ac5be47a0a37f2e

Download Submit
C:\Program Files (x86)\Bandicam\data\language.dat

Filesize
64KB

MD5
cec94d3ed63681111c2d2a8e9d0c487c

SHA1
c98cb7a51c3ed6d51c47a6f98882b6f97aef71b3

SHA256
4e11c23a803fe1e5e3d623f2a7f5d6aedc3a19b19912c94f741ba851fbe6c6be

SHA512
a6225408974f9cb12e2049bf36e98e5a0523e315f8a212a84d138a922b131b40eae4b2e29a3cc1a336b21c2468ec702ddae24623f608eb71e28d350cac95c0ce

Download Submit
C:\Program Files (x86)\Bandicam\data\skin.dat

Filesize
536KB

MD5
2660d51ce7bdbed95456dee0f6b8135f

SHA1
ef88c0e6fc986867e5f280aca704ee1932d04278

SHA256
dec938673f210fd04db8ef41f1bc93f2d475c7f3f2c5ed3e3e952bc5e60acf2f

SHA512
3940a7bb1d298c5943493bdb5e26c6ddb695a8ae26ea714fd29611056ef6c0141b7a09ab6b48290b7ec267b509fe9087641a734213b94c15a83e0faae0b55e3a

Download Submit
C:\Program Files (x86)\Bandicam\lang\English.ini

Filesize
88KB

MD5
68dbe5adddc8e5984692de8321fb52bd

SHA1
dd8dbf495e30dbb53b916d6470932ac95d5d54d0

SHA256
de38587db603a9ef6aa470934815a7a9eeae0838087b062732aa0da250c51693

SHA512
97b3a28af1f2ea40e80e5ec5934e8058c683ccac4815a4bf1663ab099abc4ee1d1c18790626af3e045ac9b3fd2a06ef5572a5dcad9a26d6767de978e3d584fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
37f660dd4b6ddf23bc37f5c823d1c33a

SHA1
1c35538aa307a3e09d15519df6ace99674ae428b

SHA256
4e2510a1d5a50a94fe4ce0f74932ab780758a8cbdc6d176a9ce8ab92309f26f8

SHA512
807b8b8dc9109b6f78fc63655450bf12b9a006ff63e8f29ade8899d45fdf4a6c068c5c46a3efbc4232b9e1e35d6494f00ded5cdb3e235c8a25023bfbd823992d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d7cb450b1315c63b1d5d89d98ba22da5

SHA1
694005cd9e1a4c54e0b83d0598a8a0c089df1556

SHA256
38355fd694faf1223518e40bac1996bdceaf44191214b0a23c4334d5fb07d031

SHA512
df04d4f4b77bae447a940b28aeac345b21b299d8d26e28ecbb3c1c9e9a0e07c551e412d545c7dbb147a92c12bad7ae49ac35af021c34b88e2c6c5f7a0b65f6a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
384B

MD5
9fb51120fd2b06e18bdaa475772ec800

SHA1
4a449f6d9d531cb841a3b4f26ff7d14821921d4a

SHA256
cd90b5f4960325e7a64265a82d3ba672bda01d0fbcdd83884aa02cd1a432790f

SHA512
cd0cd447e9febd389b833b12c71f374286b6e2e1a68fac4da1eba22d2aaedbb6a1f5b767603d9d544325df87461d2e176a30b74d2bec5ed90f1306ce3c0dc62e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
6b9470fa7394ab8a461229afd0555669

SHA1
a7ec359ca6966a81ad5faae0aeb9493f6f4052c8

SHA256
5c387b35685be6895ee2e96c9114653294813266fee74a8e972c44b895f84596

SHA512
dcc0aa99f80c6a2a4c9a2d5d24a4f79b6322e8e5020a573b34ec5a96686c9f7c05fb6dfb339c320a9ce8b404a2e6f254280825ddf5ee01d45e9182fb3bf37625

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
2d0102b4e4a2f2c2c834cffb42f17515

SHA1
db3f95c378a754aaf30343ca299c9903338a6c22

SHA256
b88a97d7f4b80409fae297f0ef00f734943ed23f0c0ca68331032ac1204bb09b

SHA512
ff0c621cbbc9f943ce3a6d461966740a557d51902c3246014c72f80e6e5c8ecdeb83091e2653f864fa94a9b55a2c1b15163e04b80a17c7ef052bed0d2bd5e36d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
49f6446e58873af6e2c6ed9445e6b5e8

SHA1
6daf96a1a7fdf2703973408deb246ee6720904da

SHA256
a0e38580cdc3d2bf0b64968307b227ee3eabb71d1a679cea1d7345c36165b7c6

SHA512
43d845ceabbb45e5d3119993b16795b97ec2916386913f4380c8eb83c10ae6d1beef0449693754f63bce52cd08ef494699c7d50772d6e93d81d7f9ea480b376d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
6e8f12f98380837ab4021724cd8d9071

SHA1
9b65647287131abe465eff521656181e89b72cbd

SHA256
a1f6cdba83c02c475b9835cd13e0421688c2a4614d22036246671c19dfec981e

SHA512
f264cad499aed1fefd47a9c2d63d2c28387eabeedd10f906cb7f02f0fb3ca09aa76d8aae22ee79783ca6abbabea7e0dbe6bbaf0e0dd35b1c0fd747f2d85ed783

Download Submit
C:\Users\Admin\AppData\Local\Temp\BDMPEG1SETUP.EXE

Filesize
1.4MB

MD5
461d135a4fccd51bbae38f742e123fd3

SHA1
c12a442fbcd4a9c44102f0a560ba03d59bc501ed

SHA256
4c441e7d744a2a273f780103bcf5bcb1e32c2d9c6a32b62f9044b32107544079

SHA512
41eb816bf0cc0ca12b5c6c07517cd718b8701255ea81e94ffc937f2538b8cdf5db24751cdbc22fefd6496b767fc0d631fea76216b0363f4b625557097b3caaee

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsaAE13.tmp\Dialer.dll

Filesize
3KB

MD5
6e7e197ffa13cea15434b221b96b3202

SHA1
5fc93dca4a33d79d8601e888daa21a1d0e02eab3

SHA256
cb94aead070194af4d3b01f80ef85f227a70b5cfcfa305d26c3b42b8853ac6b4

SHA512
4d294929ba55e145027107aeef135d918f2d6ec4a7e3b9fc8fc028924019d1987c12202cf37e9adf18a70a02fb321de7f060c4977de874687fc8a4d924cfb19e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsaAE13.tmp\InstallOptions.dll

Filesize
15KB

MD5
720304c57dcfa17751ed455b3bb9c10a

SHA1
59a1c3a746de10b8875229ff29006f1fd36b1e41

SHA256
6486029d3939231bd9f10457fd9a5ab2e44f30315af443197a3347df4e18c4e9

SHA512
c64c161290f5c21d642ecf16cc6ad3ee4a31bf5bab41c65c74907a5c158eaca429ef99cd8d2b55dc2ecb8478bb0b85c1576402389a07568f36c871b2772ead04

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsaAE13.tmp\LangDLL.dll

Filesize
5KB

MD5
f1e9eed02db3a822a7ddef0c724e5f1f

SHA1
65864992f5b6c79c5efbefb5b1354648a8a86709

SHA256
6dff504c6759c418c6635c9b25b8c91d0d9ef7787a3a93610d7670bb563c09df

SHA512
c22b64fff76b25cf53231b8636f07b361d95791c4646787ce7beac27ad6a0de88337dcceb25b5196f97c452dda72e2614647f51a8a18cb4d5228a82ed2e0780c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsaAE13.tmp\System.dll

Filesize
11KB

MD5
17ed1c86bd67e78ade4712be48a7d2bd

SHA1
1cc9fe86d6d6030b4dae45ecddce5907991c01a0

SHA256
bd046e6497b304e4ea4ab102cab2b1f94ce09bde0eebba4c59942a732679e4eb

SHA512
0cbed521e7d6d1f85977b3f7d3ca7ac34e1b5495b69fd8c7bfa1a846baf53b0ecd06fe1ad02a3599082ffacaf8c71a3bb4e32dec05f8e24859d736b828092cd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsaAE13.tmp\UserInfo.dll

Filesize
4KB

MD5
1b446b36f5b4022d50ffdc0cf567b24a

SHA1
d9a0a99fe5ea3932cbd2774af285ddf35fcdd4f9

SHA256
2862c7bc7f11715cebdea003564a0d70bf42b73451e2b672110e1392ec392922

SHA512
04ab80568f6da5eef2bae47056391a5de4ba6aff15cf4a2d0a9cc807816bf565161731921c65fe5ff748d2b86d1661f6aa4311c65992350bd63a9f092019f1b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsaAE13.tmp\ioSpecial.ini

Filesize
1KB

MD5
00d583cbf656590465b1a1cc447e2ff9

SHA1
353a0d0236b4375e7931e5a977d5984f90e51759

SHA256
2d21e3041af681acd63a18dec1d0219b3f8ae2d77ae020aaf6e8da33cb0025aa

SHA512
d0abfda7b0b15ecea7d928e2859f288800cac4f8446996c7d36de8d75340c897f0ce7c48803eaf6e4723cbefbb42f6793abfbdf194e17a12a86361a18549e18f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsaAE13.tmp\ioSpecial.ini

Filesize
774B

MD5
3470b20635bd542566987c678965255f

SHA1
dacea371aeee47b4a2f91d128e6d06b43b0ccd0f

SHA256
9904001e966037fcbef75fdb67677eb566d6fae899cfe4ee3b4008fc6945676f

SHA512
1d3702876442c6665f5bd6832203664b046f7c3bfa43640aaa161773880280c0daf1e218fb78932981394eccc06809d0ac5f3a05604d9dda911acb44edd8c924

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsaAE13.tmp\ioSpecial.ini

Filesize
1KB

MD5
910d272607c888260a3c10aef5e31bfe

SHA1
31bc34c3a2791f80a0fd064589b2eef80d03c093

SHA256
b7f6affde06c1c5cbb35132386cfb522f87e030ab65063addf283cba64ed5a55

SHA512
d4863f753feb0b3702b5830626adbee75b0a207b266e8b82633137f943a00712f4104b47b94bd6243635baeaa3984c5fd0ea9f29ebcadec93bcf81e52f4b669c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsaAE13.tmp\ioSpecial.ini

Filesize
1KB

MD5
dd149bfc9f3e4763fd8e9b1f4455a80c

SHA1
c23eb34a79535c82c0cb0b3fbdcb4d7cde7776a9

SHA256
1da40d40af57563d17a14f9c8b4b60ba3b3e710513ab09bb10764fd2d5548c1d

SHA512
fa7d2d1e9aafdd27597256947401d5f988876b19047117d3cb105c8a7e040c4600ce0310c6ba9e7f5ddfafff219d49c9801a04767c98451e0da7635edac76e39

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv2CE9.tmp\System.dll

Filesize
11KB

MD5
959ea64598b9a3e494c00e8fa793be7e

SHA1
40f284a3b92c2f04b1038def79579d4b3d066ee0

SHA256
03cd57ab00236c753e7ddeee8ee1c10839ace7c426769982365531042e1f6f8b

SHA512
5e765e090f712beffce40c5264674f430b08719940d66e3a4d4a516fd4ade859f7853f614d9d6bbb602780de54e11110d66dbb0f9ca20ef6096ede531f9f6d64

Download Submit
memory/700-535-0x00000000049F0000-0x00000000049F1000-memory.dmp

Filesize
4KB

Download
memory/700-534-0x00000000049F0000-0x00000000049F1000-memory.dmp

Filesize
4KB

Download
memory/700-419-0x0000000000E20000-0x00000000016EC000-memory.dmp

Filesize
8.8MB

Download
memory/700-569-0x0000000000E20000-0x00000000016EC000-memory.dmp

Filesize
8.8MB

Download
memory/700-531-0x00000000049F0000-0x00000000049F1000-memory.dmp

Filesize
4KB

Download
memory/700-532-0x00000000049F0000-0x00000000049F1000-memory.dmp

Filesize
4KB

Download
memory/700-525-0x00000000049F0000-0x00000000049F1000-memory.dmp

Filesize
4KB

Download
memory/700-527-0x00000000049F0000-0x00000000049F1000-memory.dmp

Filesize
4KB

Download
memory/700-526-0x00000000049F0000-0x00000000049F1000-memory.dmp

Filesize
4KB

Download
memory/700-536-0x00000000049F0000-0x00000000049F1000-memory.dmp

Filesize
4KB

Download
memory/700-533-0x00000000049F0000-0x00000000049F1000-memory.dmp

Filesize
4KB

Download
memory/3036-235-0x0000000000E20000-0x00000000016EC000-memory.dmp

Filesize
8.8MB

Download
memory/3036-223-0x0000000000E20000-0x00000000016EC000-memory.dmp

Filesize
8.8MB

Download
memory/3036-222-0x0000000000E20000-0x00000000016EC000-memory.dmp

Filesize
8.8MB

Download
memory/4180-511-0x000002152E340000-0x000002152E341000-memory.dmp

Filesize
4KB

Download
memory/4180-521-0x000002152E340000-0x000002152E341000-memory.dmp

Filesize
4KB

Download
memory/4180-522-0x000002152E340000-0x000002152E341000-memory.dmp

Filesize
4KB

Download
memory/4180-520-0x000002152E340000-0x000002152E341000-memory.dmp

Filesize
4KB

Download
memory/4180-512-0x000002152E340000-0x000002152E341000-memory.dmp

Filesize
4KB

Download
memory/4180-518-0x000002152E340000-0x000002152E341000-memory.dmp

Filesize
4KB

Download
memory/4180-510-0x000002152E340000-0x000002152E341000-memory.dmp

Filesize
4KB

Download
memory/4180-519-0x000002152E340000-0x000002152E341000-memory.dmp

Filesize
4KB

Download
memory/4180-517-0x000002152E340000-0x000002152E341000-memory.dmp

Filesize
4KB

Download
memory/4180-516-0x000002152E340000-0x000002152E341000-memory.dmp

Filesize
4KB

Download