hxxps://mega[.]nz/file/46ZGQCKB#zHMV6WUwjsY1dFiGsyrxVbkJKkyYf_PFEsdAaKlvL1M

Resubmissions

25/10/2022, 11:52

221025-n176wscfa9 8

25/10/2022, 11:49

221025-ny5b8acehl 1

Analysis

max time kernel
150s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
25/10/2022, 11:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://mega.nz/file/46ZGQCKB#zHMV6WUwjsY1dFiGsyrxVbkJKkyYf_PFEsdAaKlvL1M

Score

8^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
8896	bdcamsetup.exe
9056	BDMPEG1SETUP.EXE
9156	bdcam.exe
5688	bdcam.exe

Registers COM server for autorun 1 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A1C6833E-A3EC-4397-9FA9-151792F3408F}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E2E7539A-CECF-4A6A-B187-939943ECEF05}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A1C6833E-A3EC-4397-9FA9-151792F3408F}\InprocServer32\ = "C:\\Program Files (x86)\\BandiMPEG1\\bdfilters64.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E2E7539A-CECF-4A6A-B187-939943ECEF05}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E2E7539A-CECF-4A6A-B187-939943ECEF05}\InprocServer32\ = "C:\\Program Files (x86)\\BandiMPEG1\\bdfilters64.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F4F5C9E9-CFCC-4C65-A8BD-0423A338F188}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F4F5C9E9-CFCC-4C65-A8BD-0423A338F188}\InprocServer32\ = "C:\\Program Files (x86)\\BandiMPEG1\\bdfilters64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}\InprocServer32\ = "C:\\Program Files (x86)\\BandiMPEG1\\bdfilters64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A1C6833E-A3EC-4397-9FA9-151792F3408F}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F4F5C9E9-CFCC-4C65-A8BD-0423A338F188}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	bdcam.exe

Loads dropped DLL 18 IoCs

pid	Process
8896	bdcamsetup.exe
8896	bdcamsetup.exe
8896	bdcamsetup.exe
8896	bdcamsetup.exe
8896	bdcamsetup.exe
8896	bdcamsetup.exe
8896	bdcamsetup.exe
8896	bdcamsetup.exe
8896	bdcamsetup.exe
9056	BDMPEG1SETUP.EXE
9096	regsvr32.exe
9120	regsvr32.exe
9056	BDMPEG1SETUP.EXE
5936	rundll32.exe
6016	rundll32.exe
8896	bdcamsetup.exe
8896	bdcamsetup.exe
8896	bdcamsetup.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 14 IoCs

description	ioc	Process
File created	C:\Windows\system32\bdmjpeg64.dll	BDMPEG1SETUP.EXE
File created	C:\Windows\SysWOW64\vcomp140.dll	bdcamsetup.exe
File created	C:\Windows\SysWOW64\D3DCompiler_47.dll	bdcamsetup.exe
File created	C:\Windows\system32\D3DCompiler_47.dll	bdcamsetup.exe
File created	C:\Windows\system32\msvcr110.dll	bdcamsetup.exe
File created	C:\Windows\system32\bdmpegv64.dll	BDMPEG1SETUP.EXE
File created	C:\Windows\SysWOW64\msvcr110.dll	bdcamsetup.exe
File created	C:\Windows\SysWOW64\msvcp110.dll	bdcamsetup.exe
File created	C:\Windows\system32\vcomp140.dll	bdcamsetup.exe
File created	C:\Windows\SysWOW64\bdmjpeg.dll	BDMPEG1SETUP.EXE
File created	C:\Windows\SysWOW64\bdmpega.acm	BDMPEG1SETUP.EXE
File created	C:\Windows\system32\msvcp110.dll	bdcamsetup.exe
File created	C:\Windows\SysWOW64\bdmpegv.dll	BDMPEG1SETUP.EXE
File created	C:\Windows\system32\bdmpega64.acm	BDMPEG1SETUP.EXE

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
9156	bdcam.exe
9156	bdcam.exe
5688	bdcam.exe
5688	bdcam.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Bandicam\bdcam_admin.lnk	bdcamsetup.exe
File created	C:\Program Files\Bandicam\lang\Bulgarian.ini	bdcamsetup.exe
File created	C:\Program Files\Bandicam\lang\Greek.ini	bdcamsetup.exe
File created	C:\Program Files\Bandicam\lang\Portuguese(BR).ini	bdcamsetup.exe
File created	C:\Program Files (x86)\BandiMPEG1\uninstall.exe	BDMPEG1SETUP.EXE
File created	C:\Program Files\Bandicam\bandicam.ini	bdcamsetup.exe
File created	C:\Program Files\Bandicam\lang\Norwegian.ini	bdcamsetup.exe
File created	C:\Program Files\Bandicam\lang\Serbian.ini	bdcamsetup.exe
File created	C:\Program Files\Bandicam\data\effects\effects30.dat	bdcamsetup.exe
File created	C:\Program Files\Bandicam\bdcam32.bin	bdcamsetup.exe
File created	C:\Program Files\Bandicam\bdcamvk64.dll	bdcamsetup.exe
File created	C:\Program Files\Bandicam\lang\Arabic.ini	bdcamsetup.exe
File created	C:\Program Files\Bandicam\lang\Indonesian.ini	bdcamsetup.exe
File created	C:\Program Files\Bandicam\lang\Simplified_Chinese.ini	bdcamsetup.exe
File created	C:\Program Files\Bandicam\lang\Traditional_Chinese.ini	bdcamsetup.exe
File created	C:\Program Files\Bandicam\data\lclick.wav	bdcamsetup.exe
File created	C:\Program Files\Bandicam\bdcam.exe	bdcamsetup.exe
File created	C:\Program Files\Bandicam\lang\Uzbek.ini	bdcamsetup.exe
File created	C:\Program Files\Bandicam\data\sample.png	bdcamsetup.exe
File created	C:\Program Files\Bandicam\data\camera.wav	bdcamsetup.exe
File created	C:\Program Files\Bandicam\bdcam32.dll	bdcamsetup.exe
File created	C:\Program Files\Bandicam\lang\Lithuanian.ini	bdcamsetup.exe
File created	C:\Program Files\Bandicam\data\language_bdfix.dat	bdcamsetup.exe
File created	C:\Program Files\Bandicam\lang\Czech.ini	bdcamsetup.exe
File created	C:\Program Files\Bandicam\lang\Hebrew.ini	bdcamsetup.exe
File created	C:\Program Files\Bandicam\lang\Italian.ini	bdcamsetup.exe
File created	C:\Program Files\Bandicam\lang\Portuguese.ini	bdcamsetup.exe
File created	C:\Program Files\Bandicam\lang\Romanian.ini	bdcamsetup.exe
File created	C:\Program Files\Bandicam\data\effects\highlight30.dat	bdcamsetup.exe
File created	C:\Program Files\Bandicam\uninstall.exe	bdcamsetup.exe
File created	C:\Program Files\Bandicam\lang\Bosnian.ini	bdcamsetup.exe
File created	C:\Program Files\Bandicam\bdcamih.dll	bdcamsetup.exe
File created	C:\Program Files\Bandicam\bdcamvk32.json	bdcamsetup.exe
File created	C:\Program Files\Bandicam\translators.txt	bdcamsetup.exe
File created	C:\Program Files\Bandicam\lang\Belarusian.ini	bdcamsetup.exe
File created	C:\Program Files\Bandicam\lang\Georgian.ini	bdcamsetup.exe
File created	C:\Program Files\Bandicam\lang\Slovak.ini	bdcamsetup.exe
File created	C:\Program Files\Bandicam\lang\Swedish.ini	bdcamsetup.exe
File created	C:\Program Files (x86)\BandiMPEG1\bdfilters64.dll	BDMPEG1SETUP.EXE
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20221025135501.pma	setup.exe
File created	C:\Program Files\Bandicam\lang\Russian.ini	bdcamsetup.exe
File created	C:\Program Files\Bandicam\lang\Turkish.ini	bdcamsetup.exe
File created	C:\Program Files\Bandicam\data\language.dat	bdcamsetup.exe
File created	C:\Program Files\Bandicam\lang\French.ini	bdcamsetup.exe
File created	C:\Program Files\Bandicam\bdcap64.dll	bdcamsetup.exe
File created	C:\Program Files\Bandicam\UnregVulkanLayer.bat	bdcamsetup.exe
File created	C:\Program Files\Bandicam\lang\Azerbaijani.ini	bdcamsetup.exe
File created	C:\Program Files\Bandicam\lang\Burmese.ini	bdcamsetup.exe
File created	C:\Program Files\Bandicam\lang\Danish.ini	bdcamsetup.exe
File created	C:\Program Files\Bandicam\lang\Malay.ini	bdcamsetup.exe
File created	C:\Program Files\Bandicam\data\effects\highlight10.dat	bdcamsetup.exe
File created	C:\Program Files\Bandicam\bdfix.exe	bdcamsetup.exe
File created	C:\Program Files\Bandicam\data\effects\highlight20.dat	bdcamsetup.exe
File created	C:\Program Files\Bandicam\lang\German.ini	bdcamsetup.exe
File created	C:\Program Files\Bandicam\lang\Hungarian.ini	bdcamsetup.exe
File created	C:\Program Files\Bandicam\lang\Luxembourgish.ini	bdcamsetup.exe
File created	C:\Program Files\Bandicam\lang\Polish.ini	bdcamsetup.exe
File created	C:\Program Files\Bandicam\lang\Vietnamese.ini	bdcamsetup.exe
File opened for modification	C:\Program Files\Bandicam\data\language.dat	bdcamsetup.exe
File created	C:\Program Files\Bandicam\lang\Finnish.ini	bdcamsetup.exe
File created	C:\Program Files\Bandicam\bdcamvk32.dll	bdcamsetup.exe
File created	C:\Program Files\Bandicam\lang\Armenian.ini	bdcamsetup.exe
File created	C:\Program Files\Bandicam\lang\Dutch.ini	bdcamsetup.exe
File created	C:\Program Files\Bandicam\lang\Farsi.ini	bdcamsetup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\bdcam.exe = "11000"	bdcamsetup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_SCRIPTURL_MITIGATION	bdcamsetup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SCRIPTURL_MITIGATION\bdcam.exe = "1"	bdcamsetup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION	bdcamsetup.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F4F5C9E9-CFCC-4C65-A8BD-0423A338F188}\InprocServer32\ = "C:\\Program Files (x86)\\BandiMPEG1\\bdfilters.dll"	BDMPEG1SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F4F5C9E9-CFCC-4C65-A8BD-0423A338F188}\InprocServer32\ = "C:\\Program Files (x86)\\BandiMPEG1\\bdfilters64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}\InprocServer32\ = "C:\\Program Files (x86)\\BandiMPEG1\\bdfilters.dll"	BDMPEG1SETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A1C6833E-A3EC-4397-9FA9-151792F3408F}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}\CLSID = "{89C4B786-A490-4A3E-AA70-E6A8C61D3689}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}	BDMPEG1SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A1C6833E-A3EC-4397-9FA9-151792F3408F}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F4F5C9E9-CFCC-4C65-A8BD-0423A338F188}\InprocServer32	regsvr32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}\FilterData = 02000000010080ff02000000000000003070693300000000000000000200000000000000000000003074793300000000700000008000000031747933000000007000000090000000317069330800000000000000010000000000000000000000307479330000000070000000a00000007669647300001000800000aa00389b714d50454700001000800000aa00389b714d50473100001000800000aa00389b7100000000000000000000000000000000	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{E2E7539A-CECF-4A6A-B187-939943ECEF05}	BDMPEG1SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F4F5C9E9-CFCC-4C65-A8BD-0423A338F188}\ = "Bandicam MPEG-1 Audio Property"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{E2E7539A-CECF-4A6A-B187-939943ECEF05}\CLSID = "{E2E7539A-CECF-4A6A-B187-939943ECEF05}"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\BANDICAM.bfix\Shell\Open\Command	bdcam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E2E7539A-CECF-4A6A-B187-939943ECEF05}	BDMPEG1SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E2E7539A-CECF-4A6A-B187-939943ECEF05}\ = "Bandicam MPEG-1 Audio Decoder"	BDMPEG1SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}\ = "Bandicam MPEG-1 Video Decoder"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{E2E7539A-CECF-4A6A-B187-939943ECEF05}\FriendlyName = "Bandicam MPEG-1 Audio Decoder"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F4F5C9E9-CFCC-4C65-A8BD-0423A338F188}	BDMPEG1SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F4F5C9E9-CFCC-4C65-A8BD-0423A338F188}\ = "Bandicam MPEG-1 Audio Property"	BDMPEG1SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A1C6833E-A3EC-4397-9FA9-151792F3408F}\ = "Bandicam MPEG-1 Video Property"	regsvr32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}\FilterData = 02000000010080ff02000000000000003070693300000000000000000200000000000000000000003074793300000000700000008000000031747933000000007000000090000000317069330800000000000000010000000000000000000000307479330000000070000000a00000007669647300001000800000aa00389b714d50454700001000800000aa00389b714d50473100001000800000aa00389b7100000000000000000000000000000000	BDMPEG1SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{E2E7539A-CECF-4A6A-B187-939943ECEF05}\FriendlyName = "Bandicam MPEG-1 Audio Decoder"	BDMPEG1SETUP.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\BANDICAM.bfix	bdcam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\BANDICAM.bfix\ = "BandiFix Recovery File"	bdcam.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\BANDICAM.bfix\Shell	bdcam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F4F5C9E9-CFCC-4C65-A8BD-0423A338F188}\InprocServer32\ThreadingModel = "Both"	BDMPEG1SETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A1C6833E-A3EC-4397-9FA9-151792F3408F}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F4F5C9E9-CFCC-4C65-A8BD-0423A338F188}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\BANDICAM.bfix\Shell\Open	bdcam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}\InprocServer32	BDMPEG1SETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E2E7539A-CECF-4A6A-B187-939943ECEF05}\InprocServer32	BDMPEG1SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E2E7539A-CECF-4A6A-B187-939943ECEF05}\InprocServer32\ThreadingModel = "Both"	BDMPEG1SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A1C6833E-A3EC-4397-9FA9-151792F3408F}\InprocServer32\ = "C:\\Program Files (x86)\\BandiMPEG1\\bdfilters64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E2E7539A-CECF-4A6A-B187-939943ECEF05}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F4F5C9E9-CFCC-4C65-A8BD-0423A338F188}\InprocServer32	BDMPEG1SETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E2E7539A-CECF-4A6A-B187-939943ECEF05}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E2E7539A-CECF-4A6A-B187-939943ECEF05}\InprocServer32\ = "C:\\Program Files (x86)\\BandiMPEG1\\bdfilters64.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A1C6833E-A3EC-4397-9FA9-151792F3408F}\InprocServer32\ = "C:\\Program Files (x86)\\BandiMPEG1\\bdfilters.dll"	BDMPEG1SETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E2E7539A-CECF-4A6A-B187-939943ECEF05}\InprocServer32	regsvr32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{E2E7539A-CECF-4A6A-B187-939943ECEF05}\FilterData = 02000000010080ff020000000000000030706933000000000000000001000000000000000000000030747933000000006000000070000000317069330800000000000000010000000000000000000000307479330000000060000000800000006175647300001000800000aa00389b715000000000001000800000aa00389b710100000000001000800000aa00389b71	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\.bfix	bdcam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\BANDICAM.bfix\DefaultIcon\ = "C:\\Program Files\\Bandicam\\bdfix.exe"	bdcam.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	firefox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}\ = "Bandicam MPEG-1 Video Decoder"	BDMPEG1SETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A1C6833E-A3EC-4397-9FA9-151792F3408F}	BDMPEG1SETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A1C6833E-A3EC-4397-9FA9-151792F3408F}\InprocServer32	BDMPEG1SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}\FriendlyName = "Bandicam MPEG-1 Video Decoder"	BDMPEG1SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}\FriendlyName = "Bandicam MPEG-1 Video Decoder"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{E2E7539A-CECF-4A6A-B187-939943ECEF05}	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\BANDICAM.bfix\DefaultIcon	bdcam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}	BDMPEG1SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}\InprocServer32\ThreadingModel = "Both"	BDMPEG1SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E2E7539A-CECF-4A6A-B187-939943ECEF05}\ = "Bandicam MPEG-1 Audio Decoder"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F4F5C9E9-CFCC-4C65-A8BD-0423A338F188}	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\.bfix\ = "BANDICAM.bfix"	bdcam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A1C6833E-A3EC-4397-9FA9-151792F3408F}\ = "Bandicam MPEG-1 Video Property"	BDMPEG1SETUP.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{E2E7539A-CECF-4A6A-B187-939943ECEF05}\FilterData = 02000000010080ff020000000000000030706933000000000000000001000000000000000000000030747933000000006000000070000000317069330800000000000000010000000000000000000000307479330000000060000000800000006175647300001000800000aa00389b715000000000001000800000aa00389b710100000000001000800000aa00389b71	BDMPEG1SETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A1C6833E-A3EC-4397-9FA9-151792F3408F}\InprocServer32\ThreadingModel = "Both"	BDMPEG1SETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\BANDICAM.bfix\Shell\Open\Command\ = "\"C:\\Program Files\\Bandicam\\bdfix.exe\"\"%1\""	bdcam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E2E7539A-CECF-4A6A-B187-939943ECEF05}\InprocServer32\ = "C:\\Program Files (x86)\\BandiMPEG1\\bdfilters.dll"	BDMPEG1SETUP.EXE

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\Bandicam 5.4.3.1923 (x64).zip:Zone.Identifier	firefox.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
9156	bdcam.exe
9156	bdcam.exe
5688	bdcam.exe
5688	bdcam.exe
5688	bdcam.exe
5688	bdcam.exe
6132	msedge.exe
6132	msedge.exe
5812	msedge.exe
5812	msedge.exe
8232	identity_helper.exe
8232	identity_helper.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
8796	7zFM.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
5812	msedge.exe
5812	msedge.exe
5812	msedge.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

description	pid	Process
Token: SeDebugPrivilege	4496	firefox.exe
Token: SeDebugPrivilege	4496	firefox.exe
Token: 33	1468	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1468	AUDIODG.EXE
Token: SeDebugPrivilege	4496	firefox.exe
Token: SeRestorePrivilege	5484	7zG.exe
Token: 35	5484	7zG.exe
Token: SeSecurityPrivilege	5484	7zG.exe
Token: SeSecurityPrivilege	5484	7zG.exe
Token: SeRestorePrivilege	8796	7zFM.exe
Token: 35	8796	7zFM.exe
Token: SeRestorePrivilege	8860	7zG.exe
Token: 35	8860	7zG.exe
Token: SeSecurityPrivilege	8860	7zG.exe
Token: SeSecurityPrivilege	8860	7zG.exe
Token: 33	5688	bdcam.exe
Token: SeIncBasePriorityPrivilege	5688	bdcam.exe
Token: SeDebugPrivilege	4496	firefox.exe
Token: SeDebugPrivilege	4496	firefox.exe

Suspicious use of FindShellTrayWindow 12 IoCs

pid	Process
4496	firefox.exe
4496	firefox.exe
4496	firefox.exe
4496	firefox.exe
5484	7zG.exe
8796	7zFM.exe
8860	7zG.exe
5688	bdcam.exe
5812	msedge.exe
5812	msedge.exe
5812	msedge.exe
5812	msedge.exe

Suspicious use of SendNotifyMessage 4 IoCs

pid	Process
4496	firefox.exe
4496	firefox.exe
4496	firefox.exe
5688	bdcam.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
4496	firefox.exe
4496	firefox.exe
4496	firefox.exe
4496	firefox.exe
8896	bdcamsetup.exe
9056	BDMPEG1SETUP.EXE
9156	bdcam.exe
9156	bdcam.exe
5688	bdcam.exe
5688	bdcam.exe
5688	bdcam.exe
5688	bdcam.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4912 wrote to memory of 4496	4912	firefox.exe	82
PID 4912 wrote to memory of 4496	4912	firefox.exe	82
PID 4912 wrote to memory of 4496	4912	firefox.exe	82
PID 4912 wrote to memory of 4496	4912	firefox.exe	82
PID 4912 wrote to memory of 4496	4912	firefox.exe	82
PID 4912 wrote to memory of 4496	4912	firefox.exe	82
PID 4912 wrote to memory of 4496	4912	firefox.exe	82
PID 4912 wrote to memory of 4496	4912	firefox.exe	82
PID 4912 wrote to memory of 4496	4912	firefox.exe	82
PID 4496 wrote to memory of 3320	4496	firefox.exe	83
PID 4496 wrote to memory of 3320	4496	firefox.exe	83
PID 4496 wrote to memory of 1288	4496	firefox.exe	86
PID 4496 wrote to memory of 1288	4496	firefox.exe	86
PID 4496 wrote to memory of 1288	4496	firefox.exe	86
PID 4496 wrote to memory of 1288	4496	firefox.exe	86
PID 4496 wrote to memory of 1288	4496	firefox.exe	86
PID 4496 wrote to memory of 1288	4496	firefox.exe	86
PID 4496 wrote to memory of 1288	4496	firefox.exe	86
PID 4496 wrote to memory of 1288	4496	firefox.exe	86
PID 4496 wrote to memory of 1288	4496	firefox.exe	86
PID 4496 wrote to memory of 1288	4496	firefox.exe	86
PID 4496 wrote to memory of 1288	4496	firefox.exe	86
PID 4496 wrote to memory of 1288	4496	firefox.exe	86
PID 4496 wrote to memory of 1288	4496	firefox.exe	86
PID 4496 wrote to memory of 1288	4496	firefox.exe	86
PID 4496 wrote to memory of 1288	4496	firefox.exe	86
PID 4496 wrote to memory of 1288	4496	firefox.exe	86
PID 4496 wrote to memory of 1288	4496	firefox.exe	86
PID 4496 wrote to memory of 1288	4496	firefox.exe	86
PID 4496 wrote to memory of 1288	4496	firefox.exe	86
PID 4496 wrote to memory of 1288	4496	firefox.exe	86
PID 4496 wrote to memory of 1288	4496	firefox.exe	86
PID 4496 wrote to memory of 1288	4496	firefox.exe	86
PID 4496 wrote to memory of 1288	4496	firefox.exe	86
PID 4496 wrote to memory of 1288	4496	firefox.exe	86
PID 4496 wrote to memory of 1288	4496	firefox.exe	86
PID 4496 wrote to memory of 1288	4496	firefox.exe	86
PID 4496 wrote to memory of 1288	4496	firefox.exe	86
PID 4496 wrote to memory of 1288	4496	firefox.exe	86
PID 4496 wrote to memory of 1288	4496	firefox.exe	86
PID 4496 wrote to memory of 1288	4496	firefox.exe	86
PID 4496 wrote to memory of 1288	4496	firefox.exe	86
PID 4496 wrote to memory of 1288	4496	firefox.exe	86
PID 4496 wrote to memory of 1288	4496	firefox.exe	86
PID 4496 wrote to memory of 1288	4496	firefox.exe	86
PID 4496 wrote to memory of 1288	4496	firefox.exe	86
PID 4496 wrote to memory of 1288	4496	firefox.exe	86
PID 4496 wrote to memory of 1288	4496	firefox.exe	86
PID 4496 wrote to memory of 1288	4496	firefox.exe	86
PID 4496 wrote to memory of 1288	4496	firefox.exe	86
PID 4496 wrote to memory of 1288	4496	firefox.exe	86
PID 4496 wrote to memory of 1288	4496	firefox.exe	86
PID 4496 wrote to memory of 1288	4496	firefox.exe	86
PID 4496 wrote to memory of 1288	4496	firefox.exe	86
PID 4496 wrote to memory of 356	4496	firefox.exe	87
PID 4496 wrote to memory of 356	4496	firefox.exe	87
PID 4496 wrote to memory of 356	4496	firefox.exe	87
PID 4496 wrote to memory of 356	4496	firefox.exe	87
PID 4496 wrote to memory of 356	4496	firefox.exe	87
PID 4496 wrote to memory of 356	4496	firefox.exe	87
PID 4496 wrote to memory of 356	4496	firefox.exe	87
PID 4496 wrote to memory of 356	4496	firefox.exe	87
PID 4496 wrote to memory of 356	4496	firefox.exe	87
PID 4496 wrote to memory of 356	4496	firefox.exe	87

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" https://mega.nz/file/46ZGQCKB#zHMV6WUwjsY1dFiGsyrxVbkJKkyYf_PFEsdAaKlvL1M
1⤵
- Suspicious use of WriteProcessMemory
PID:4912
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" https://mega.nz/file/46ZGQCKB#zHMV6WUwjsY1dFiGsyrxVbkJKkyYf_PFEsdAaKlvL1M
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4496
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4496.0.1424619747\1154729010" -parentBuildID 20200403170909 -prefsHandle 1700 -prefMapHandle 1692 -prefsLen 1 -prefMapSize 220117 -appdir "C:\Program Files\Mozilla Firefox\browser" - 4496 "\\.\pipe\gecko-crash-server-pipe.4496" 1800 gpu
    3⤵
    PID:3320
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4496.3.1983051813\1472374868" -childID 1 -isForBrowser -prefsHandle 2364 -prefMapHandle 2440 -prefsLen 112 -prefMapSize 220117 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 4496 "\\.\pipe\gecko-crash-server-pipe.4496" 2468 tab
    3⤵
    PID:1288
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4496.13.1868780568\730227167" -childID 2 -isForBrowser -prefsHandle 3688 -prefMapHandle 3684 -prefsLen 6894 -prefMapSize 220117 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 4496 "\\.\pipe\gecko-crash-server-pipe.4496" 3664 tab
    3⤵
    PID:356

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x510 0x500
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1468

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5356

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Bandicam 5.4.3.1923 (x64)\" -spe -an -ai#7zMap24561:112:7zEvent13124
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5484

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\Bandicam 5.4.3.1923 (x64)\Bandicam 5.4.3.1923 (x64) Multilingual\Activation.zip"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:8796

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Bandicam 5.4.3.1923 (x64)\Bandicam 5.4.3.1923 (x64) Multilingual\" -an -ai#7zMap845:212:7zEvent29640
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:8860

C:\Users\Admin\Downloads\Bandicam 5.4.3.1923 (x64)\Bandicam 5.4.3.1923 (x64) Multilingual\bdcamsetup.exe
"C:\Users\Admin\Downloads\Bandicam 5.4.3.1923 (x64)\Bandicam 5.4.3.1923 (x64) Multilingual\bdcamsetup.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:8896
- C:\Users\Admin\AppData\Local\Temp\BDMPEG1SETUP.EXE
  "C:\Users\Admin\AppData\Local\Temp\BDMPEG1SETUP.EXE" /S
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:9056
- - C:\Windows\SysWOW64\regsvr32.exe
    "regsvr32" /s "C:\Program Files (x86)\BandiMPEG1\bdfilters64.dll"
    3⤵
    - Loads dropped DLL
    PID:9096
  - - C:\Windows\system32\regsvr32.exe
      /s "C:\Program Files (x86)\BandiMPEG1\bdfilters64.dll"
      4⤵
      Registers COM server for autorun
      Loads dropped DLL
      Modifies registry class
      PID:9120
- C:\Program Files\Bandicam\bdcam.exe
  "C:\Program Files\Bandicam\bdcam.exe" /install
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:9156
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" "C:\Program Files\Bandicam\bdcamvk64.dll",RegDll
    3⤵
    - Loads dropped DLL
    PID:5936
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\SysWOW64\rundll32.exe" "C:\Program Files\Bandicam\bdcamvk32.dll",RegDll
    3⤵
    - Loads dropped DLL
    PID:6016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.bandicam.com/f.php?id=eng_app_complete_install&v=2&lang=en
  2⤵
  - Adds Run key to start application
  - Enumerates system info in registry
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  PID:5812
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffbff4d46f8,0x7ffbff4d4708,0x7ffbff4d4718
    3⤵
    PID:5848
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,738620013413122010,3492015309709843549,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2280 /prefetch:2
    3⤵
    PID:6344
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2116,738620013413122010,3492015309709843549,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2328 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:6132
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2116,738620013413122010,3492015309709843549,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2764 /prefetch:8
    3⤵
    PID:5280
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,738620013413122010,3492015309709843549,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3752 /prefetch:1
    3⤵
    PID:2432
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,738620013413122010,3492015309709843549,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3788 /prefetch:1
    3⤵
    PID:2004
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2116,738620013413122010,3492015309709843549,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5384 /prefetch:8
    3⤵
    PID:4672
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,738620013413122010,3492015309709843549,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4704 /prefetch:1
    3⤵
    PID:7804
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2116,738620013413122010,3492015309709843549,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5680 /prefetch:8
    3⤵
    PID:7876
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,738620013413122010,3492015309709843549,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5960 /prefetch:8
    3⤵
    PID:6756
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
    3⤵
    - Drops file in Program Files directory
    PID:7012
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff7ab195460,0x7ff7ab195470,0x7ff7ab195480
      4⤵
      PID:6120
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,738620013413122010,3492015309709843549,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5960 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:8232

C:\Program Files\Bandicam\bdcam.exe
"C:\Program Files\Bandicam\bdcam.exe" 0x00019AAA
1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:5688

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3756

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Bandicam 5.4.3.1923 (x64)\Bandicam 5.4.3.1923 (x64) Multilingual\Readme.txt
1⤵
PID:6592

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\BandiMPEG1\bdfilters.dll

Filesize
4.1MB

MD5
ed730387fdcd684b756601b863c47417

SHA1
c49ed6d0d46facf4ceaeb21f5d6bfdf9e3587fde

SHA256
9cbc29696ad2d582e251bf9c4be5cce618753fa43551d2474e1ae5cc5e1245e5

SHA512
e32df727799d33922c6e92f94a7bdb0bc2772d6a6636d15e285d94d3ae4661062e5bc89ec3546b76ec853398f88d972f461327ef687f89093acf1096560d5c3f

Download Submit
C:\Program Files (x86)\BandiMPEG1\bdfilters64.dll

Filesize
4.6MB

MD5
13f7a29baa1e04f74151737cb71bd0e5

SHA1
0bc8682c6c96923a729aa6239aa53d95221b13ab

SHA256
008fababd36e8fbfd5f610a2c62d47963e78ec91e54ad69a1e20807445c3528d

SHA512
4cea11e88e8861c4094b227d85295c0d67452af703b0ec9dfe475797b87d03b40bc1f6b58dcc00996672c1c05d99b82dcc067bc429a1465ae90f4ec966f2bca8

Download Submit
C:\Program Files (x86)\BandiMPEG1\bdfilters64.dll

Filesize
4.6MB

MD5
13f7a29baa1e04f74151737cb71bd0e5

SHA1
0bc8682c6c96923a729aa6239aa53d95221b13ab

SHA256
008fababd36e8fbfd5f610a2c62d47963e78ec91e54ad69a1e20807445c3528d

SHA512
4cea11e88e8861c4094b227d85295c0d67452af703b0ec9dfe475797b87d03b40bc1f6b58dcc00996672c1c05d99b82dcc067bc429a1465ae90f4ec966f2bca8

Download Submit
C:\Program Files (x86)\BandiMPEG1\bdfilters64.dll

Filesize
4.6MB

MD5
13f7a29baa1e04f74151737cb71bd0e5

SHA1
0bc8682c6c96923a729aa6239aa53d95221b13ab

SHA256
008fababd36e8fbfd5f610a2c62d47963e78ec91e54ad69a1e20807445c3528d

SHA512
4cea11e88e8861c4094b227d85295c0d67452af703b0ec9dfe475797b87d03b40bc1f6b58dcc00996672c1c05d99b82dcc067bc429a1465ae90f4ec966f2bca8

Download Submit
C:\Program Files\Bandicam\bandicam.ini

Filesize
25B

MD5
6676fadc1fa1cbc89f584e5e14be325b

SHA1
b453bd962a08a001b57f875f598ca82bffc8a335

SHA256
37e7118f51f4268a76948e66b2fb5aad7e8ae2224a2e624d1329679222f4a988

SHA512
94c18c86ee0c9d4e310108fe4545ac99ac941d33b45ccd88bbeade78695e3236631fadde3509123b246859d0353b188d8d3cfaacb79b7fbb1c344287d89222b7

Download Submit
C:\Program Files\Bandicam\bdcam.exe

Filesize
12.8MB

MD5
7e2b7ca7248d26e0c54c9d9fdb7cf906

SHA1
1b30523c9efe2adb741dd7ff6bcedc91bb435a7e

SHA256
1c2a53c6bbf0ecdc42a34a7aafbfe06a16bcf3012ac649bab4c4aa3fe777689e

SHA512
c8051ea6fed9d75c8317630f9e92119c18a575bb0b31f8d8e716ad1aab1ef560969aaf6d332a8a83e65060f55d0fdd09feb35387a617f5f04102a251d60efa39

Download Submit
C:\Program Files\Bandicam\bdcam.exe

Filesize
12.8MB

MD5
7e2b7ca7248d26e0c54c9d9fdb7cf906

SHA1
1b30523c9efe2adb741dd7ff6bcedc91bb435a7e

SHA256
1c2a53c6bbf0ecdc42a34a7aafbfe06a16bcf3012ac649bab4c4aa3fe777689e

SHA512
c8051ea6fed9d75c8317630f9e92119c18a575bb0b31f8d8e716ad1aab1ef560969aaf6d332a8a83e65060f55d0fdd09feb35387a617f5f04102a251d60efa39

Download Submit
C:\Program Files\Bandicam\bdcam.exe

Filesize
12.8MB

MD5
7e2b7ca7248d26e0c54c9d9fdb7cf906

SHA1
1b30523c9efe2adb741dd7ff6bcedc91bb435a7e

SHA256
1c2a53c6bbf0ecdc42a34a7aafbfe06a16bcf3012ac649bab4c4aa3fe777689e

SHA512
c8051ea6fed9d75c8317630f9e92119c18a575bb0b31f8d8e716ad1aab1ef560969aaf6d332a8a83e65060f55d0fdd09feb35387a617f5f04102a251d60efa39

Download Submit
C:\Program Files\Bandicam\bdcamvk32.dll

Filesize
1.5MB

MD5
f137e192539efe8eaaff0d62f27e3307

SHA1
b1e34de4f409164bed877f40f32bbe5df565cfcb

SHA256
5a4038aa825caf75c00d12df3f3c01751c1513f53b2597b5518e562fcd8e0eb5

SHA512
12140265dfad47972544c45190fc6e6bad5580741cdc3fe66c8caa6aec687b160a21c132e62e383341d42f2d6d7203be3390ef315f60ba7a482427c757a9e7f1

Download Submit
C:\Program Files\Bandicam\bdcamvk32.dll

Filesize
1.5MB

MD5
f137e192539efe8eaaff0d62f27e3307

SHA1
b1e34de4f409164bed877f40f32bbe5df565cfcb

SHA256
5a4038aa825caf75c00d12df3f3c01751c1513f53b2597b5518e562fcd8e0eb5

SHA512
12140265dfad47972544c45190fc6e6bad5580741cdc3fe66c8caa6aec687b160a21c132e62e383341d42f2d6d7203be3390ef315f60ba7a482427c757a9e7f1

Download Submit
C:\Program Files\Bandicam\bdcamvk64.dll

Filesize
1.9MB

MD5
1a8f20cc84e2702c31faf78add988488

SHA1
bc670af7cc1fb749cc0a9b78d37cfb3f6a99a347

SHA256
18fb083309a8962524d17006f7583b8f67d2b2e8d8a39bbaeb199de8e6784940

SHA512
b0d88e81ffb690893cc7bac85a80461d3eccdba0affbc396158922abb555133caf3750941d4a50f22af07c658c9b38ba16ff08599aceea7719e270713b3bd33b

Download Submit
C:\Program Files\Bandicam\bdcamvk64.dll

Filesize
1.9MB

MD5
1a8f20cc84e2702c31faf78add988488

SHA1
bc670af7cc1fb749cc0a9b78d37cfb3f6a99a347

SHA256
18fb083309a8962524d17006f7583b8f67d2b2e8d8a39bbaeb199de8e6784940

SHA512
b0d88e81ffb690893cc7bac85a80461d3eccdba0affbc396158922abb555133caf3750941d4a50f22af07c658c9b38ba16ff08599aceea7719e270713b3bd33b

Download Submit
C:\Program Files\Bandicam\bdcap64.dll

Filesize
20.7MB

MD5
f7a1998413f3370d71aed29436034895

SHA1
1be3ea601d350bcbd6ec9760c6f87c4ed25dabeb

SHA256
33e67a894a75437dd70d57e61efc3c4bf7922502a2fe1c56e07c06dbd660b7fc

SHA512
f66c1959d566d0f5683d7dc5b8de8cdc60db52cfb551fb8cbeedec92dc23fe2f25adb0be643058cab9f44c2fa60e9d55d3855c6813a7d8416c4440e76c5f9fd1

Download Submit
C:\Program Files\Bandicam\data\language.dat

Filesize
82KB

MD5
18e394966900ff1cadfdf34c6b936296

SHA1
49622980113b20e2664ef84a5aee6741d5c98076

SHA256
bde6f741c5371718aa5cb4ba83ad51b8911ed65c7a82097df29e7c743f554842

SHA512
cdb0da2b158febe9968aaca17ba6aad135eb6bac78da5518804e8b377887147c3e5a91b233f89946f1294cf0c11088692b836e21484a1bf3f7a267a908776c73

Download Submit
C:\Program Files\Bandicam\data\skin.dat

Filesize
694KB

MD5
430dd2a572989902e5f702265fd167e2

SHA1
1dec6989772862a81bced3ae47cca2b6c64826b4

SHA256
d44c8df500ccc4f3bd661fc8df788c27f6a1062bfef58a1ae930a69f16b718a3

SHA512
bc29f8f93d0e01ab943db631616d52693a3881cc95eda9d4ffbe0dfc1e763dc33c0a3f8d23d35f71ad1c49766b992cc3e6da7774b6d88450c38ec48cad2627ef

Download Submit
C:\Program Files\Bandicam\lang\English.ini

Filesize
122KB

MD5
121bcceff9b47e860b6ee51f7848629e

SHA1
6c402afc458ed55fa6e5d7acf9f5d71ce494418b

SHA256
47d1aacbacb3936af6be7135f1b2f32468aad41efce9a02b2051cdfcf37a0e08

SHA512
831b158735c9158a7750196877d06e8aa2622686cb3741277af6dbd02098ddc5f979904a270faf0f1ff91dff19df4e52c4c1c22742ab186467671fe9c49646b9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
969abded1a3dcfa2a7d77814e2cfe79c

SHA1
91f9899976b37267575ba5ac4be5fe8044a565ca

SHA256
cf94012210a19d9f1285a8261fb68b0aead3b4ac2face5ff4bba6d01f6d1b3d4

SHA512
34cc5ed1a7f1f99516ba1e5305abbd8ae257cab2699abafedfe512ce9a918542d1dbcf55ddf1183b1f4a89a09919c0c8056b4af74d8ec399d5156058a781b426

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

Filesize
471B

MD5
5363446b702e3c614326be3f10012d8e

SHA1
ffe96680da2bf6f332c18a2bc10443e76fbbbc14

SHA256
4bd0f847436ff140dfd6ed92ca38c358d66eb753d5fa048cac234fccbe1723d6

SHA512
2fcc7633ee56a301d67be334ac4600c5538f5557c284d6643d010241910999f915b4b90966747574b3157f4c255cd079fb6080dea4e04a0749de566b7b61fb8b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

Filesize
724B

MD5
f569e1d183b84e8078dc456192127536

SHA1
30c537463eed902925300dd07a87d820a713753f

SHA256
287bc80237497eb8681dbf136a56cc3870dd5bd12d48051525a280ae62aab413

SHA512
49553b65a8e3fc0bf98c1bc02bae5b22188618d8edf8e88e4e25932105796956ae8301c63c487e0afe368ea39a4a2af07935a808f5fb53287ef9287bc73e1012

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F07644E38ED7C9F37D11EEC6D4335E02_5D83FDF122B63B34F40B405089AC36F1

Filesize
472B

MD5
f1ae675435a8f16bc0b04ec012c41979

SHA1
182f87a81464c80b0b25fb524c59592cd40b0ef4

SHA256
9191ced121d8740b4ed3af75db3033e72c0c44c0b45004abd714583deaa749a4

SHA512
1f934b47be6dbc53b3a6eb2a4fbcd019d69fdf150110e02b185d24a4551433671efd883fcd131d41a62aa598b4485ccdcc7b22cd49491070e8df5968af87d365

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
239ca1e34cb104930d0ca1ca07da13c9

SHA1
2b8e2397f5308baebfb0bbc761e9239622faed3e

SHA256
10dab09419d1b9602d03df938d446a77948fdb92586f32237c458b0cbffb659e

SHA512
2173bad1b8d42579f2e03ebe99d6c7bd50f61db2b253b47681980d880e5dbf2f203a2bc818245299356a083f3292d8b0bab610910f35fb538143d02eebc9316f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

Filesize
430B

MD5
d33695008f3416c594cf4ea08799e013

SHA1
b954a1c1b26759357952c4e89b464474b15211eb

SHA256
7d97f19beff29b25a4d9d980c095bd948e30cb1b81f3b6dacae7fa77a95eac60

SHA512
e400487f3dccca231ff91fb59757630c850022768cf6505894956efc363ea42c87f6d88762495a689cb4168e7b90f5dd0337100f3dfb1d8d3f2038c88153f54e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

Filesize
392B

MD5
c6ab78bae119b474fbe4363294d8a3b6

SHA1
13ba40efbf20e0b38d0c5972accce73d562d3809

SHA256
5dc9f6ed2fc5cb8415c564ee7e47034fdda3fc8a159c574f65e794a581d2e25e

SHA512
1c6d48f8ff2ce990dd2332485352e438195d0b19587aad9c9bb6732784c0e73a0d5f94d7fd5485b9632643334963b9cb4108cd3df899a191c2501b04084e3f2a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F07644E38ED7C9F37D11EEC6D4335E02_5D83FDF122B63B34F40B405089AC36F1

Filesize
402B

MD5
fc3ea83b9f9757165fb41b5edfdbdfee

SHA1
4375828d064c0eef435c3128098cf399f2496a86

SHA256
6c6de2f016800c90c66a54821ab264c5818695d7b35b3759f1a9511a7ff96d05

SHA512
8a80664a1709cb50ce650891e94a949c5814b4b78ea583e5d1d4e32eb0a624d631ae29b4bd0b07ad6a0b1b072555fa70dd2d5538a657e08eab4fabe55827849d

Download Submit
C:\Users\Admin\AppData\Local\Temp\BDMPEG1SETUP.EXE

Filesize
1.4MB

MD5
461d135a4fccd51bbae38f742e123fd3

SHA1
c12a442fbcd4a9c44102f0a560ba03d59bc501ed

SHA256
4c441e7d744a2a273f780103bcf5bcb1e32c2d9c6a32b62f9044b32107544079

SHA512
41eb816bf0cc0ca12b5c6c07517cd718b8701255ea81e94ffc937f2538b8cdf5db24751cdbc22fefd6496b767fc0d631fea76216b0363f4b625557097b3caaee

Download Submit
C:\Users\Admin\AppData\Local\Temp\BDMPEG1SETUP.EXE

Filesize
1.4MB

MD5
461d135a4fccd51bbae38f742e123fd3

SHA1
c12a442fbcd4a9c44102f0a560ba03d59bc501ed

SHA256
4c441e7d744a2a273f780103bcf5bcb1e32c2d9c6a32b62f9044b32107544079

SHA512
41eb816bf0cc0ca12b5c6c07517cd718b8701255ea81e94ffc937f2538b8cdf5db24751cdbc22fefd6496b767fc0d631fea76216b0363f4b625557097b3caaee

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsaC68D.tmp\Dialer.dll

Filesize
3KB

MD5
6e7e197ffa13cea15434b221b96b3202

SHA1
5fc93dca4a33d79d8601e888daa21a1d0e02eab3

SHA256
cb94aead070194af4d3b01f80ef85f227a70b5cfcfa305d26c3b42b8853ac6b4

SHA512
4d294929ba55e145027107aeef135d918f2d6ec4a7e3b9fc8fc028924019d1987c12202cf37e9adf18a70a02fb321de7f060c4977de874687fc8a4d924cfb19e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsaC68D.tmp\Dialer.dll

Filesize
3KB

MD5
6e7e197ffa13cea15434b221b96b3202

SHA1
5fc93dca4a33d79d8601e888daa21a1d0e02eab3

SHA256
cb94aead070194af4d3b01f80ef85f227a70b5cfcfa305d26c3b42b8853ac6b4

SHA512
4d294929ba55e145027107aeef135d918f2d6ec4a7e3b9fc8fc028924019d1987c12202cf37e9adf18a70a02fb321de7f060c4977de874687fc8a4d924cfb19e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsaC68D.tmp\InstallOptions.dll

Filesize
15KB

MD5
720304c57dcfa17751ed455b3bb9c10a

SHA1
59a1c3a746de10b8875229ff29006f1fd36b1e41

SHA256
6486029d3939231bd9f10457fd9a5ab2e44f30315af443197a3347df4e18c4e9

SHA512
c64c161290f5c21d642ecf16cc6ad3ee4a31bf5bab41c65c74907a5c158eaca429ef99cd8d2b55dc2ecb8478bb0b85c1576402389a07568f36c871b2772ead04

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsaC68D.tmp\InstallOptions.dll

Filesize
15KB

MD5
720304c57dcfa17751ed455b3bb9c10a

SHA1
59a1c3a746de10b8875229ff29006f1fd36b1e41

SHA256
6486029d3939231bd9f10457fd9a5ab2e44f30315af443197a3347df4e18c4e9

SHA512
c64c161290f5c21d642ecf16cc6ad3ee4a31bf5bab41c65c74907a5c158eaca429ef99cd8d2b55dc2ecb8478bb0b85c1576402389a07568f36c871b2772ead04

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsaC68D.tmp\InstallOptions.dll

Filesize
15KB

MD5
720304c57dcfa17751ed455b3bb9c10a

SHA1
59a1c3a746de10b8875229ff29006f1fd36b1e41

SHA256
6486029d3939231bd9f10457fd9a5ab2e44f30315af443197a3347df4e18c4e9

SHA512
c64c161290f5c21d642ecf16cc6ad3ee4a31bf5bab41c65c74907a5c158eaca429ef99cd8d2b55dc2ecb8478bb0b85c1576402389a07568f36c871b2772ead04

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsaC68D.tmp\LangDLL.dll

Filesize
5KB

MD5
f1e9eed02db3a822a7ddef0c724e5f1f

SHA1
65864992f5b6c79c5efbefb5b1354648a8a86709

SHA256
6dff504c6759c418c6635c9b25b8c91d0d9ef7787a3a93610d7670bb563c09df

SHA512
c22b64fff76b25cf53231b8636f07b361d95791c4646787ce7beac27ad6a0de88337dcceb25b5196f97c452dda72e2614647f51a8a18cb4d5228a82ed2e0780c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsaC68D.tmp\ShellExecAsUser.dll

Filesize
43KB

MD5
552cba3c6c9987e01be178e1ee22d36b

SHA1
4c0ab0127453b0b53aeb27e407859bccb229ea1b

SHA256
1f17e4d5ffe7b2c9a396ee9932ac5198f0c050241e5f9ccd3a56e576613d8a29

SHA512
9bcf47b62ca8ffa578751008cae523d279cdb1699fd916754491899c31ace99f18007ed0e2cbe9902abf132d516259b5fb283379d2fead37c76b19e2e835e95a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsaC68D.tmp\System.dll

Filesize
11KB

MD5
17ed1c86bd67e78ade4712be48a7d2bd

SHA1
1cc9fe86d6d6030b4dae45ecddce5907991c01a0

SHA256
bd046e6497b304e4ea4ab102cab2b1f94ce09bde0eebba4c59942a732679e4eb

SHA512
0cbed521e7d6d1f85977b3f7d3ca7ac34e1b5495b69fd8c7bfa1a846baf53b0ecd06fe1ad02a3599082ffacaf8c71a3bb4e32dec05f8e24859d736b828092cd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsaC68D.tmp\UserInfo.dll

Filesize
4KB

MD5
1b446b36f5b4022d50ffdc0cf567b24a

SHA1
d9a0a99fe5ea3932cbd2774af285ddf35fcdd4f9

SHA256
2862c7bc7f11715cebdea003564a0d70bf42b73451e2b672110e1392ec392922

SHA512
04ab80568f6da5eef2bae47056391a5de4ba6aff15cf4a2d0a9cc807816bf565161731921c65fe5ff748d2b86d1661f6aa4311c65992350bd63a9f092019f1b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsaC68D.tmp\UserInfo.dll

Filesize
4KB

MD5
1b446b36f5b4022d50ffdc0cf567b24a

SHA1
d9a0a99fe5ea3932cbd2774af285ddf35fcdd4f9

SHA256
2862c7bc7f11715cebdea003564a0d70bf42b73451e2b672110e1392ec392922

SHA512
04ab80568f6da5eef2bae47056391a5de4ba6aff15cf4a2d0a9cc807816bf565161731921c65fe5ff748d2b86d1661f6aa4311c65992350bd63a9f092019f1b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsaC68D.tmp\UserInfo.dll

Filesize
4KB

MD5
1b446b36f5b4022d50ffdc0cf567b24a

SHA1
d9a0a99fe5ea3932cbd2774af285ddf35fcdd4f9

SHA256
2862c7bc7f11715cebdea003564a0d70bf42b73451e2b672110e1392ec392922

SHA512
04ab80568f6da5eef2bae47056391a5de4ba6aff15cf4a2d0a9cc807816bf565161731921c65fe5ff748d2b86d1661f6aa4311c65992350bd63a9f092019f1b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsaC68D.tmp\UserInfo.dll

Filesize
4KB

MD5
1b446b36f5b4022d50ffdc0cf567b24a

SHA1
d9a0a99fe5ea3932cbd2774af285ddf35fcdd4f9

SHA256
2862c7bc7f11715cebdea003564a0d70bf42b73451e2b672110e1392ec392922

SHA512
04ab80568f6da5eef2bae47056391a5de4ba6aff15cf4a2d0a9cc807816bf565161731921c65fe5ff748d2b86d1661f6aa4311c65992350bd63a9f092019f1b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsxF33B.tmp\System.dll

Filesize
11KB

MD5
959ea64598b9a3e494c00e8fa793be7e

SHA1
40f284a3b92c2f04b1038def79579d4b3d066ee0

SHA256
03cd57ab00236c753e7ddeee8ee1c10839ace7c426769982365531042e1f6f8b

SHA512
5e765e090f712beffce40c5264674f430b08719940d66e3a4d4a516fd4ade859f7853f614d9d6bbb602780de54e11110d66dbb0f9ca20ef6096ede531f9f6d64

Download Submit
C:\Users\Admin\Downloads\Bandicam 5.4.3.1923 (x64).zip

Filesize
30.5MB

MD5
fae72686400d4ae3636705ffa6e84a42

SHA1
44837e5f3227d33c1165612c2f6bc3085496cf40

SHA256
ed7b71655c7fc856052bba9d56d6e304ee835805475c64c537ee9cba2abdc83a

SHA512
e52542911a9dae8044c196f535799df90ee0724ed61c0b3fc970b1a9a089e4e6659d4743931bb0d06a4a2f35879d99fe25e9347c1ed706c45e273940891daca2

Download Submit
C:\Users\Admin\Downloads\Bandicam 5.4.3.1923 (x64)\Bandicam 5.4.3.1923 (x64) Multilingual\Activation.zip

Filesize
381KB

MD5
c9b6e92404ef004ce0bdcaf631628cfd

SHA1
0c20c2ff01089e135aedf572720b20b30f8f2c37

SHA256
48bb58b6807435e3ade5a106102c776d11c7689aa472c2f26afe4d511ee5b3fc

SHA512
15b6922fdfaf5258e8cb5385841093346ee1e01badfc8bee663adb4e1daa34d167a426af54218360568a3f5e777efa7618beddf090eee20b6d2c947da9627fc6

Download Submit
C:\Users\Admin\Downloads\Bandicam 5.4.3.1923 (x64)\Bandicam 5.4.3.1923 (x64) Multilingual\Readme.txt

Filesize
453B

MD5
f1a89bf9290845a2b5b7f8b9614f5f2c

SHA1
91e3c461aea87914cbade42411056813f6e3bc39

SHA256
d6612b93752d6bb2733c1317de2307ee1096f08fcad86fd540db6c1809256386

SHA512
2360f25e5ecf224cac651c35eb618531cec01dec1f780d0ba09cc76fdf35256da0213ef117a35bbada09f57ca6a83abc96f947ea8c9b8904bb3de6cddba595db

Download Submit
C:\Users\Admin\Downloads\Bandicam 5.4.3.1923 (x64)\Bandicam 5.4.3.1923 (x64) Multilingual\bdcamsetup.exe

Filesize
30.4MB

MD5
862d6d08d1a9057fab0c88558a9c799a

SHA1
fa88d2238d2c18dc0109428312e948395ad0ea4a

SHA256
3a8372f3bc05686bc1ccaf7c03bb8951c668408d1dc2bc89709a1bd47894b878

SHA512
83b4221a24d350cc84c54f57f3204954e79d605267df7ca20e6d28d69ed9f0daac3102b79299200b5ff2d839031a1e82f0a971e137fb5bfa8e34afc3a2f25759

Download Submit
C:\Users\Admin\Downloads\Bandicam 5.4.3.1923 (x64)\Bandicam 5.4.3.1923 (x64) Multilingual\bdcamsetup.exe

Filesize
30.4MB

MD5
862d6d08d1a9057fab0c88558a9c799a

SHA1
fa88d2238d2c18dc0109428312e948395ad0ea4a

SHA256
3a8372f3bc05686bc1ccaf7c03bb8951c668408d1dc2bc89709a1bd47894b878

SHA512
83b4221a24d350cc84c54f57f3204954e79d605267df7ca20e6d28d69ed9f0daac3102b79299200b5ff2d839031a1e82f0a971e137fb5bfa8e34afc3a2f25759

Download Submit
memory/5688-172-0x00007FF760990000-0x00007FF76165E000-memory.dmp

Filesize
12.8MB

Download
memory/5688-177-0x00007FF760990000-0x00007FF76165E000-memory.dmp

Filesize
12.8MB

Download
memory/5688-204-0x00007FF760990000-0x00007FF76165E000-memory.dmp

Filesize
12.8MB

Download
memory/8896-145-0x0000000002311000-0x0000000002313000-memory.dmp

Filesize
8KB

Download
memory/9156-159-0x00007FF760990000-0x00007FF76165E000-memory.dmp

Filesize
12.8MB

Download
memory/9156-167-0x00007FF760990000-0x00007FF76165E000-memory.dmp

Filesize
12.8MB

Download