1815488eaf4f43b667859b509e09cf1049b801fe8d46e3a190f2c40271b5b37d

Resubmissions

05-02-2023 21:06

230205-zx85kaah38 7

Analysis

max time kernel
146s
max time network
152s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
05-02-2023 21:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bdcamsetup.exe
Size

21.3MB
MD5

ff33a6101796fe31cfadbe2fc3e3a822
SHA1

3476419775cfa638711d340eab1a12397eaf14a7
SHA256

1815488eaf4f43b667859b509e09cf1049b801fe8d46e3a190f2c40271b5b37d
SHA512

f919bcd718ffce33147e834e1c089587d1cb037ba03073be1858df0afd02b17e5e07102dbe830c517a45892c9443766e64097c4cea5c519ee38452a4aedbe82b
SSDEEP

393216:ptmgrOepJCO8Vk5PATwZJ2Zi53woEYxJEspG3JhPuXHvtWNfznm4h4vv:nmg1Dx8GBAyci53wDmehJ0PYNr/h4vv

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
268	BDMPEG1SETUP.EXE
1204	bdcam.exe
1324	bdcam.exe

Loads dropped DLL 35 IoCs

pid	Process
1252	bdcamsetup.exe
1252	bdcamsetup.exe
1252	bdcamsetup.exe
1252	bdcamsetup.exe
1252	bdcamsetup.exe
1252	bdcamsetup.exe
1252	bdcamsetup.exe
1252	bdcamsetup.exe
268	BDMPEG1SETUP.EXE
268	BDMPEG1SETUP.EXE
268	BDMPEG1SETUP.EXE
268	BDMPEG1SETUP.EXE
268	BDMPEG1SETUP.EXE
268	BDMPEG1SETUP.EXE
1368	regsvr32.exe
764	regsvr32.exe
268	BDMPEG1SETUP.EXE
1252	bdcamsetup.exe
1252	bdcamsetup.exe
1072	rundll32.exe
1072	rundll32.exe
1072	rundll32.exe
1072	rundll32.exe
1204	bdcam.exe
1252	bdcamsetup.exe
1252	bdcamsetup.exe
1252	bdcamsetup.exe
1252	bdcamsetup.exe
1252	bdcamsetup.exe
820	rundll32.exe
820	rundll32.exe
820	rundll32.exe
820	rundll32.exe
1252	bdcamsetup.exe
1324	bdcam.exe

Registers COM server for autorun 1 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A1C6833E-A3EC-4397-9FA9-151792F3408F}\InprocServer32\ = "C:\\Program Files (x86)\\BandiMPEG1\\bdfilters64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A1C6833E-A3EC-4397-9FA9-151792F3408F}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E2E7539A-CECF-4A6A-B187-939943ECEF05}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E2E7539A-CECF-4A6A-B187-939943ECEF05}\InprocServer32\ = "C:\\Program Files (x86)\\BandiMPEG1\\bdfilters64.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}\InprocServer32\ = "C:\\Program Files (x86)\\BandiMPEG1\\bdfilters64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A1C6833E-A3EC-4397-9FA9-151792F3408F}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F4F5C9E9-CFCC-4C65-A8BD-0423A338F188}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F4F5C9E9-CFCC-4C65-A8BD-0423A338F188}\InprocServer32\ = "C:\\Program Files (x86)\\BandiMPEG1\\bdfilters64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F4F5C9E9-CFCC-4C65-A8BD-0423A338F188}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E2E7539A-CECF-4A6A-B187-939943ECEF05}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 14 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\msvcr110.dll	bdcamsetup.exe
File created	C:\Windows\SysWOW64\bdmpegv.dll	BDMPEG1SETUP.EXE
File created	C:\Windows\SysWOW64\bdmpega.acm	BDMPEG1SETUP.EXE
File created	C:\Windows\system32\bdmpegv64.dll	BDMPEG1SETUP.EXE
File created	C:\Windows\system32\bdmpega64.acm	BDMPEG1SETUP.EXE
File created	C:\Windows\SysWOW64\vcomp140.dll	bdcamsetup.exe
File created	C:\Windows\SysWOW64\D3DCompiler_47.dll	bdcamsetup.exe
File created	C:\Windows\system32\bdmjpeg64.dll	BDMPEG1SETUP.EXE
File created	C:\Windows\system32\D3DCompiler_47.dll	bdcamsetup.exe
File created	C:\Windows\system32\msvcr110.dll	bdcamsetup.exe
File created	C:\Windows\system32\msvcp110.dll	bdcamsetup.exe
File created	C:\Windows\SysWOW64\bdmjpeg.dll	BDMPEG1SETUP.EXE
File created	C:\Windows\SysWOW64\msvcp110.dll	bdcamsetup.exe
File created	C:\Windows\system32\vcomp140.dll	bdcamsetup.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
1204	bdcam.exe
1324	bdcam.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Bandicam\lang\Arabic.ini	bdcamsetup.exe
File created	C:\Program Files (x86)\Bandicam\lang\Latvian.ini	bdcamsetup.exe
File created	C:\Program Files (x86)\Bandicam\lang\Polish.ini	bdcamsetup.exe
File created	C:\Program Files (x86)\Bandicam\lang\Serbian(Cyrillic).ini	bdcamsetup.exe
File created	C:\Program Files (x86)\Bandicam\data\effects\effects15.dat	bdcamsetup.exe
File created	C:\Program Files (x86)\Bandicam\uninstall.exe	bdcamsetup.exe
File created	C:\Program Files (x86)\Bandicam\bdcamvk64.json	bdcamsetup.exe
File created	C:\Program Files (x86)\Bandicam\lang\Croatian.ini	bdcamsetup.exe
File created	C:\Program Files (x86)\Bandicam\lang\Indonesian.ini	bdcamsetup.exe
File created	C:\Program Files (x86)\Bandicam\lang\Russian.ini	bdcamsetup.exe
File created	C:\Program Files (x86)\Bandicam\lang\Slovenian.ini	bdcamsetup.exe
File created	C:\Program Files (x86)\Bandicam\data\sample.png	bdcamsetup.exe
File created	C:\Program Files (x86)\Bandicam\data\lclick.wav	bdcamsetup.exe
File created	C:\Program Files (x86)\Bandicam\bdcam.dll	bdcamsetup.exe
File created	C:\Program Files (x86)\Bandicam\lang\English.ini	bdcamsetup.exe
File created	C:\Program Files (x86)\Bandicam\lang\Finnish.ini	bdcamsetup.exe
File created	C:\Program Files (x86)\Bandicam\lang\Norwegian.ini	bdcamsetup.exe
File created	C:\Program Files (x86)\Bandicam\lang\Romanian.ini	bdcamsetup.exe
File created	C:\Program Files (x86)\Bandicam\lang\Ukrainian.ini	bdcamsetup.exe
File created	C:\Program Files (x86)\Bandicam\lang\Danish.ini	bdcamsetup.exe
File created	C:\Program Files (x86)\Bandicam\lang\Portuguese(BR).ini	bdcamsetup.exe
File created	C:\Program Files (x86)\Bandicam\lang\Swedish.ini	bdcamsetup.exe
File created	C:\Program Files (x86)\Bandicam\data\effects\highlight15.dat	bdcamsetup.exe
File created	C:\Program Files (x86)\Bandicam\lang\Portuguese.ini	bdcamsetup.exe
File created	C:\Program Files (x86)\Bandicam\data\effects\highlight20.dat	bdcamsetup.exe
File created	C:\Program Files (x86)\BandiMPEG1\uninstall.exe	BDMPEG1SETUP.EXE
File created	C:\Program Files (x86)\Bandicam\bdfix.exe	bdcamsetup.exe
File created	C:\Program Files (x86)\Bandicam\bdcamih.dll	bdcamsetup.exe
File created	C:\Program Files (x86)\Bandicam\bdcap32.dll	bdcamsetup.exe
File created	C:\Program Files (x86)\Bandicam\lang\Czech.ini	bdcamsetup.exe
File created	C:\Program Files (x86)\Bandicam\lang\Georgian.ini	bdcamsetup.exe
File created	C:\Program Files (x86)\Bandicam\lang\Greek.ini	bdcamsetup.exe
File created	C:\Program Files (x86)\Bandicam\data\rclick.wav	bdcamsetup.exe
File created	C:\Program Files (x86)\Bandicam\data\start.wav	bdcamsetup.exe
File created	C:\Program Files (x86)\Bandicam\UnregVulkanLayer.bat	bdcamsetup.exe
File created	C:\Program Files (x86)\Bandicam\data\stop.wav	bdcamsetup.exe
File created	C:\Program Files (x86)\Bandicam\data\effects\highlight10.dat	bdcamsetup.exe
File created	C:\Program Files (x86)\Bandicam\bdcam_nonadmin.exe	bdcamsetup.exe
File created	C:\Program Files (x86)\Bandicam\lang\Armenian.ini	bdcamsetup.exe
File created	C:\Program Files (x86)\Bandicam\lang\Burmese.ini	bdcamsetup.exe
File created	C:\Program Files (x86)\Bandicam\lang\khmer.ini	bdcamsetup.exe
File created	C:\Program Files (x86)\Bandicam\lang\Urdu.ini	bdcamsetup.exe
File created	C:\Program Files (x86)\Bandicam\lang\Uzbek.ini	bdcamsetup.exe
File created	C:\Program Files (x86)\Bandicam\lang\Italian.ini	bdcamsetup.exe
File created	C:\Program Files (x86)\Bandicam\lang\Serbian.ini	bdcamsetup.exe
File created	C:\Program Files (x86)\Bandicam\data\effects\effects20.dat	bdcamsetup.exe
File created	C:\Program Files (x86)\Bandicam\data\effects\effects30.dat	bdcamsetup.exe
File created	C:\Program Files (x86)\Bandicam\lang\Hebrew.ini	bdcamsetup.exe
File created	C:\Program Files (x86)\Bandicam\lang\Malay.ini	bdcamsetup.exe
File created	C:\Program Files (x86)\BandiMPEG1\bdfilters64.dll	BDMPEG1SETUP.EXE
File created	C:\Program Files (x86)\Bandicam\RegVulkanLayer.bat	bdcamsetup.exe
File created	C:\Program Files (x86)\Bandicam\translators.txt	bdcamsetup.exe
File created	C:\Program Files (x86)\Bandicam\lang\Azerbaijani.ini	bdcamsetup.exe
File created	C:\Program Files (x86)\Bandicam\lang\Dutch.ini	bdcamsetup.exe
File created	C:\Program Files (x86)\Bandicam\lang\German.ini	bdcamsetup.exe
File created	C:\Program Files (x86)\Bandicam\lang\Traditional_Chinese.ini	bdcamsetup.exe
File created	C:\Program Files (x86)\Bandicam\data\skin.dat	bdcamsetup.exe
File created	C:\Program Files (x86)\Bandicam\lang\Lithuanian.ini	bdcamsetup.exe
File opened for modification	C:\Program Files (x86)\Bandicam\data\language.dat	bdcamsetup.exe
File created	C:\Program Files (x86)\Bandicam\bdcam.exe	bdcamsetup.exe
File created	C:\Program Files (x86)\Bandicam\lang\Kazakh.ini	bdcamsetup.exe
File created	C:\Program Files (x86)\Bandicam\lang\Kurdish.ini	bdcamsetup.exe
File created	C:\Program Files (x86)\Bandicam\lang\Sinhala.ini	bdcamsetup.exe
File created	C:\Program Files (x86)\Bandicam\lang\Slovak.ini	bdcamsetup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 30 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main	bdcam.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION\bdcam.exe = "11000"	bdcamsetup.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_SCRIPTURL_MITIGATION\bdcam.exe = "1"	bdcamsetup.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{91829021-A5A1-11ED-BF99-4ED4A804E0FC} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION	bdcamsetup.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_SCRIPTURL_MITIGATION	bdcamsetup.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A1C6833E-A3EC-4397-9FA9-151792F3408F}\ = "Bandicam MPEG-1 Video Property"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}\CLSID = "{89C4B786-A490-4A3E-AA70-E6A8C61D3689}"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\BANDICAM.bfix\Shell\Open\Command	bdcam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E2E7539A-CECF-4A6A-B187-939943ECEF05}\ = "Bandicam MPEG-1 Audio Decoder"	BDMPEG1SETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E2E7539A-CECF-4A6A-B187-939943ECEF05}\InprocServer32	BDMPEG1SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E2E7539A-CECF-4A6A-B187-939943ECEF05}\InprocServer32\ThreadingModel = "Both"	BDMPEG1SETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}	BDMPEG1SETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F4F5C9E9-CFCC-4C65-A8BD-0423A338F188}	BDMPEG1SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}\ = "Bandicam MPEG-1 Video Decoder"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E2E7539A-CECF-4A6A-B187-939943ECEF05}\ = "Bandicam MPEG-1 Audio Decoder"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A1C6833E-A3EC-4397-9FA9-151792F3408F}	BDMPEG1SETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E2E7539A-CECF-4A6A-B187-939943ECEF05}	BDMPEG1SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E2E7539A-CECF-4A6A-B187-939943ECEF05}\InprocServer32\ = "C:\\Program Files (x86)\\BandiMPEG1\\bdfilters.dll"	BDMPEG1SETUP.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\.bfix\ = "BANDICAM.bfix"	bdcam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\BANDICAM.bfix\DefaultIcon\ = "C:\\Program Files (x86)\\Bandicam\\bdfix.exe"	bdcam.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\BANDICAM.bfix\Shell\Open	bdcam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A1C6833E-A3EC-4397-9FA9-151792F3408F}\InprocServer32	BDMPEG1SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F4F5C9E9-CFCC-4C65-A8BD-0423A338F188}\ = "Bandicam MPEG-1 Audio Property"	BDMPEG1SETUP.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\BANDICAM.bfix\Shell\Open\Command\ = "\"C:\\Program Files (x86)\\Bandicam\\bdfix.exe\"\"%1\""	bdcam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}\ = "Bandicam MPEG-1 Video Decoder"	BDMPEG1SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A1C6833E-A3EC-4397-9FA9-151792F3408F}\InprocServer32\ = "C:\\Program Files (x86)\\BandiMPEG1\\bdfilters.dll"	BDMPEG1SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F4F5C9E9-CFCC-4C65-A8BD-0423A338F188}\InprocServer32\ThreadingModel = "Both"	BDMPEG1SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}\CLSID = "{89C4B786-A490-4A3E-AA70-E6A8C61D3689}"	BDMPEG1SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}\FriendlyName = "Bandicam MPEG-1 Video Decoder"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}\InprocServer32\ = "C:\\Program Files (x86)\\BandiMPEG1\\bdfilters.dll"	BDMPEG1SETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}	BDMPEG1SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A1C6833E-A3EC-4397-9FA9-151792F3408F}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E2E7539A-CECF-4A6A-B187-939943ECEF05}\InprocServer32\ = "C:\\Program Files (x86)\\BandiMPEG1\\bdfilters64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}\InprocServer32\ = "C:\\Program Files (x86)\\BandiMPEG1\\bdfilters64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E2E7539A-CECF-4A6A-B187-939943ECEF05}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}\InprocServer32\ThreadingModel = "Both"	BDMPEG1SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F4F5C9E9-CFCC-4C65-A8BD-0423A338F188}\InprocServer32\ = "C:\\Program Files (x86)\\BandiMPEG1\\bdfilters.dll"	BDMPEG1SETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A1C6833E-A3EC-4397-9FA9-151792F3408F}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{E2E7539A-CECF-4A6A-B187-939943ECEF05}	BDMPEG1SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F4F5C9E9-CFCC-4C65-A8BD-0423A338F188}\InprocServer32\ = "C:\\Program Files (x86)\\BandiMPEG1\\bdfilters64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\BANDICAM.bfix\ = "BandiFix Recovery File"	bdcam.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\BANDICAM.bfix	bdcam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}\InprocServer32	BDMPEG1SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{E2E7539A-CECF-4A6A-B187-939943ECEF05}\CLSID = "{E2E7539A-CECF-4A6A-B187-939943ECEF05}"	BDMPEG1SETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A1C6833E-A3EC-4397-9FA9-151792F3408F}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E2E7539A-CECF-4A6A-B187-939943ECEF05}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F4F5C9E9-CFCC-4C65-A8BD-0423A338F188}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{E2E7539A-CECF-4A6A-B187-939943ECEF05}\CLSID = "{E2E7539A-CECF-4A6A-B187-939943ECEF05}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A1C6833E-A3EC-4397-9FA9-151792F3408F}\InprocServer32\ = "C:\\Program Files (x86)\\BandiMPEG1\\bdfilters64.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{E2E7539A-CECF-4A6A-B187-939943ECEF05}	regsvr32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{E2E7539A-CECF-4A6A-B187-939943ECEF05}\FilterData = 02000000010080ff020000000000000030706933000000000000000001000000000000000000000030747933000000006000000070000000317069330800000000000000010000000000000000000000307479330000000060000000800000006175647300001000800000aa00389b715000000000001000800000aa00389b710100000000001000800000aa00389b71	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\.bfix	bdcam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A1C6833E-A3EC-4397-9FA9-151792F3408F}\InprocServer32\ThreadingModel = "Both"	BDMPEG1SETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F4F5C9E9-CFCC-4C65-A8BD-0423A338F188}\InprocServer32	BDMPEG1SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}\FriendlyName = "Bandicam MPEG-1 Video Decoder"	BDMPEG1SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F4F5C9E9-CFCC-4C65-A8BD-0423A338F188}\ = "Bandicam MPEG-1 Audio Property"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\BANDICAM.bfix\DefaultIcon	bdcam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A1C6833E-A3EC-4397-9FA9-151792F3408F}\ = "Bandicam MPEG-1 Video Property"	BDMPEG1SETUP.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}\FilterData = 02000000010080ff02000000000000003070693300000000000000000200000000000000000000003074793300000000700000008000000031747933000000007000000090000000317069330800000000000000010000000000000000000000307479330000000070000000a00000007669647300001000800000aa00389b714d50454700001000800000aa00389b714d50473100001000800000aa00389b7100000000000000000000000000000000	BDMPEG1SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{E2E7539A-CECF-4A6A-B187-939943ECEF05}\FriendlyName = "Bandicam MPEG-1 Audio Decoder"	BDMPEG1SETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F4F5C9E9-CFCC-4C65-A8BD-0423A338F188}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{E2E7539A-CECF-4A6A-B187-939943ECEF05}\FriendlyName = "Bandicam MPEG-1 Audio Decoder"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F4F5C9E9-CFCC-4C65-A8BD-0423A338F188}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\BANDICAM.bfix\Shell	bdcam.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{E2E7539A-CECF-4A6A-B187-939943ECEF05}\FilterData = 02000000010080ff020000000000000030706933000000000000000001000000000000000000000030747933000000006000000070000000317069330800000000000000010000000000000000000000307479330000000060000000800000006175647300001000800000aa00389b715000000000001000800000aa00389b710100000000001000800000aa00389b71	BDMPEG1SETUP.EXE

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	bdcam.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	bdcam.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1760	vlc.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1324	bdcam.exe
1324	bdcam.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1760	vlc.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeRestorePrivilege	268	BDMPEG1SETUP.EXE
Token: SeBackupPrivilege	268	BDMPEG1SETUP.EXE
Token: 33	1228	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1228	AUDIODG.EXE
Token: 33	1228	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1228	AUDIODG.EXE
Token: 33	1324	bdcam.exe
Token: SeIncBasePriorityPrivilege	1324	bdcam.exe
Token: 33	1760	vlc.exe
Token: SeIncBasePriorityPrivilege	1760	vlc.exe

Suspicious use of FindShellTrayWindow 38 IoCs

pid	Process
1384	iexplore.exe
1324	bdcam.exe
1324	bdcam.exe
1324	bdcam.exe
1324	bdcam.exe
1324	bdcam.exe
1324	bdcam.exe
1324	bdcam.exe
1760	vlc.exe
1760	vlc.exe
1760	vlc.exe
1760	vlc.exe
1760	vlc.exe
1760	vlc.exe
1760	vlc.exe
1760	vlc.exe
1760	vlc.exe
1760	vlc.exe
1760	vlc.exe
1760	vlc.exe
1760	vlc.exe
1760	vlc.exe
1760	vlc.exe
1760	vlc.exe
1760	vlc.exe
1760	vlc.exe
1760	vlc.exe
1760	vlc.exe
1760	vlc.exe
1760	vlc.exe
1760	vlc.exe
1760	vlc.exe
1760	vlc.exe
1760	vlc.exe
1760	vlc.exe
1760	vlc.exe
1760	vlc.exe
1760	vlc.exe

Suspicious use of SendNotifyMessage 21 IoCs

pid	Process
1324	bdcam.exe
1324	bdcam.exe
1324	bdcam.exe
1324	bdcam.exe
1324	bdcam.exe
1324	bdcam.exe
1760	vlc.exe
1760	vlc.exe
1760	vlc.exe
1760	vlc.exe
1760	vlc.exe
1760	vlc.exe
1760	vlc.exe
1760	vlc.exe
1760	vlc.exe
1760	vlc.exe
1760	vlc.exe
1760	vlc.exe
1760	vlc.exe
1760	vlc.exe
1760	vlc.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
1204	bdcam.exe
1384	iexplore.exe
1384	iexplore.exe
1600	IEXPLORE.EXE
1600	IEXPLORE.EXE
1324	bdcam.exe
1324	bdcam.exe
1324	bdcam.exe
1324	bdcam.exe
1760	vlc.exe

Suspicious use of WriteProcessMemory 52 IoCs

description	pid	Process	procid_target
PID 1252 wrote to memory of 268	1252	bdcamsetup.exe	28
PID 1252 wrote to memory of 268	1252	bdcamsetup.exe	28
PID 1252 wrote to memory of 268	1252	bdcamsetup.exe	28
PID 1252 wrote to memory of 268	1252	bdcamsetup.exe	28
PID 1252 wrote to memory of 268	1252	bdcamsetup.exe	28
PID 1252 wrote to memory of 268	1252	bdcamsetup.exe	28
PID 1252 wrote to memory of 268	1252	bdcamsetup.exe	28
PID 268 wrote to memory of 1368	268	BDMPEG1SETUP.EXE	29
PID 268 wrote to memory of 1368	268	BDMPEG1SETUP.EXE	29
PID 268 wrote to memory of 1368	268	BDMPEG1SETUP.EXE	29
PID 268 wrote to memory of 1368	268	BDMPEG1SETUP.EXE	29
PID 268 wrote to memory of 1368	268	BDMPEG1SETUP.EXE	29
PID 268 wrote to memory of 1368	268	BDMPEG1SETUP.EXE	29
PID 268 wrote to memory of 1368	268	BDMPEG1SETUP.EXE	29
PID 1368 wrote to memory of 764	1368	regsvr32.exe	30
PID 1368 wrote to memory of 764	1368	regsvr32.exe	30
PID 1368 wrote to memory of 764	1368	regsvr32.exe	30
PID 1368 wrote to memory of 764	1368	regsvr32.exe	30
PID 1368 wrote to memory of 764	1368	regsvr32.exe	30
PID 1368 wrote to memory of 764	1368	regsvr32.exe	30
PID 1368 wrote to memory of 764	1368	regsvr32.exe	30
PID 1252 wrote to memory of 1204	1252	bdcamsetup.exe	31
PID 1252 wrote to memory of 1204	1252	bdcamsetup.exe	31
PID 1252 wrote to memory of 1204	1252	bdcamsetup.exe	31
PID 1252 wrote to memory of 1204	1252	bdcamsetup.exe	31
PID 1204 wrote to memory of 1072	1204	bdcam.exe	32
PID 1204 wrote to memory of 1072	1204	bdcam.exe	32
PID 1204 wrote to memory of 1072	1204	bdcam.exe	32
PID 1204 wrote to memory of 1072	1204	bdcam.exe	32
PID 1204 wrote to memory of 820	1204	bdcam.exe	33
PID 1204 wrote to memory of 820	1204	bdcam.exe	33
PID 1204 wrote to memory of 820	1204	bdcam.exe	33
PID 1204 wrote to memory of 820	1204	bdcam.exe	33
PID 1204 wrote to memory of 820	1204	bdcam.exe	33
PID 1204 wrote to memory of 820	1204	bdcam.exe	33
PID 1204 wrote to memory of 820	1204	bdcam.exe	33
PID 1252 wrote to memory of 1324	1252	bdcamsetup.exe	35
PID 1252 wrote to memory of 1324	1252	bdcamsetup.exe	35
PID 1252 wrote to memory of 1324	1252	bdcamsetup.exe	35
PID 1252 wrote to memory of 1324	1252	bdcamsetup.exe	35
PID 1252 wrote to memory of 1384	1252	bdcamsetup.exe	36
PID 1252 wrote to memory of 1384	1252	bdcamsetup.exe	36
PID 1252 wrote to memory of 1384	1252	bdcamsetup.exe	36
PID 1252 wrote to memory of 1384	1252	bdcamsetup.exe	36
PID 1384 wrote to memory of 1600	1384	iexplore.exe	38
PID 1384 wrote to memory of 1600	1384	iexplore.exe	38
PID 1384 wrote to memory of 1600	1384	iexplore.exe	38
PID 1384 wrote to memory of 1600	1384	iexplore.exe	38
PID 1324 wrote to memory of 1760	1324	bdcam.exe	41
PID 1324 wrote to memory of 1760	1324	bdcam.exe	41
PID 1324 wrote to memory of 1760	1324	bdcam.exe	41
PID 1324 wrote to memory of 1760	1324	bdcam.exe	41

C:\Users\Admin\AppData\Local\Temp\bdcamsetup.exe
"C:\Users\Admin\AppData\Local\Temp\bdcamsetup.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:1252
- C:\Users\Admin\AppData\Local\Temp\BDMPEG1SETUP.EXE
  "C:\Users\Admin\AppData\Local\Temp\BDMPEG1SETUP.EXE" /S
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:268
- - C:\Windows\SysWOW64\regsvr32.exe
    "regsvr32" /s "C:\Program Files (x86)\BandiMPEG1\bdfilters64.dll"
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1368
  - - C:\Windows\system32\regsvr32.exe
      /s "C:\Program Files (x86)\BandiMPEG1\bdfilters64.dll"
      4⤵
      Loads dropped DLL
      Registers COM server for autorun
      Modifies registry class
      PID:764
- C:\Program Files (x86)\Bandicam\bdcam.exe
  "C:\Program Files (x86)\Bandicam\bdcam.exe" /install
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1204
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" "C:\Program Files (x86)\Bandicam\bdcamvk64.dll",RegDll
    3⤵
    - Loads dropped DLL
    PID:1072
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\SysWOW64\rundll32.exe" "C:\Program Files (x86)\Bandicam\bdcamvk32.dll",RegDll
    3⤵
    - Loads dropped DLL
    PID:820
- C:\Program Files (x86)\Bandicam\bdcam.exe
  "C:\Program Files (x86)\Bandicam\bdcam.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Modifies Internet Explorer settings
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1324
- - C:\Program Files\VideoLAN\VLC\vlc.exe
    "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Documents\Bandicam\bandicam 2023-02-05 22-09-07-153.avi"
    3⤵
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:1760
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" https://www.bandicam.com/f.php?id=eng_app_complete_install&v=2&lang=en
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1384
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1384 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1600

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x564
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1228

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\BandiMPEG1\bdfilters64.dll

Filesize
4.6MB

MD5
13f7a29baa1e04f74151737cb71bd0e5

SHA1
0bc8682c6c96923a729aa6239aa53d95221b13ab

SHA256
008fababd36e8fbfd5f610a2c62d47963e78ec91e54ad69a1e20807445c3528d

SHA512
4cea11e88e8861c4094b227d85295c0d67452af703b0ec9dfe475797b87d03b40bc1f6b58dcc00996672c1c05d99b82dcc067bc429a1465ae90f4ec966f2bca8

Download Submit
C:\Program Files (x86)\Bandicam\bandicam.ini

Filesize
25B

MD5
27040420efe98196ff3abd332cdc4458

SHA1
7d2e66c6d72ea6a514c217b6564daeb6b8fe7d5a

SHA256
7381638423ad67db8d63c778874de39c91b08797ee80707c7f2c5e096fbe1420

SHA512
919b9a718559a7bbadc50ab85a58c3971d09cd3f45a17a94319868a859997ac0e44cfe31dd14fe480f938b665e97a02bb93705666b35b7cae49edf76fbd0505f

Download Submit
C:\Program Files (x86)\Bandicam\bdcam.dll

Filesize
18.4MB

MD5
73f85513be1f1a05271e74b804f7f82f

SHA1
ff63590d5a4c23158de6a147f9bcb12b370dec02

SHA256
2b401cb041e5450c47b87e07d82defeda2761f0c945b268d30fc64fb4632ab41

SHA512
d51a5840dd322cffddd1707bdb67b268f21adec4790f88b6372a4bb468ab247127f890bd8aa7c3d03bdf756405654449d1c67cd306f580ecf7afda9c6204b110

Download Submit
C:\Program Files (x86)\Bandicam\bdcam.exe

Filesize
6.7MB

MD5
48c906ce763f5a3170a5f6819c619e6f

SHA1
afdae638675676ac10e8f864a6d96346c03b77b9

SHA256
8a6f0f84a3519d34a7a66c967bb926606399f4f8ab80ba036d5316ab2e5d6a34

SHA512
b2cb66005066befc0ed6043559c6801bc73f597be85d812185c2355df4b40c2fd8d018acce86147b01d8feb8d81d2a3be19204b5d3c0fdd103d40abe48373b77

Download Submit
C:\Program Files (x86)\Bandicam\bdcam.exe

Filesize
6.7MB

MD5
48c906ce763f5a3170a5f6819c619e6f

SHA1
afdae638675676ac10e8f864a6d96346c03b77b9

SHA256
8a6f0f84a3519d34a7a66c967bb926606399f4f8ab80ba036d5316ab2e5d6a34

SHA512
b2cb66005066befc0ed6043559c6801bc73f597be85d812185c2355df4b40c2fd8d018acce86147b01d8feb8d81d2a3be19204b5d3c0fdd103d40abe48373b77

Download Submit
C:\Program Files (x86)\Bandicam\bdcam.exe

Filesize
6.7MB

MD5
48c906ce763f5a3170a5f6819c619e6f

SHA1
afdae638675676ac10e8f864a6d96346c03b77b9

SHA256
8a6f0f84a3519d34a7a66c967bb926606399f4f8ab80ba036d5316ab2e5d6a34

SHA512
b2cb66005066befc0ed6043559c6801bc73f597be85d812185c2355df4b40c2fd8d018acce86147b01d8feb8d81d2a3be19204b5d3c0fdd103d40abe48373b77

Download Submit
C:\Program Files (x86)\Bandicam\bdcamvk32.dll

Filesize
1.5MB

MD5
7c790924f093ee3f05efc7e054bf848f

SHA1
6579535137b389d8b9c70879e2b2c66a9753643b

SHA256
7d43059abc6d8caadd1201e4ed22fe955a4b5aa36f22214cba6eb6c2a12f5662

SHA512
f2c6068184632e23efc9db407c89592b18fb9f348e7c0fa0847e4a27b1d994d48192ea89c3f52253c264474546a2d555997cd51a1e37730d8f9abded912d81c7

Download Submit
C:\Program Files (x86)\Bandicam\bdcamvk64.dll

Filesize
1.9MB

MD5
93b822cd5bcf89bbf319789d00960cd4

SHA1
6722785ee4c306fd2906251e1af39b451a1776f5

SHA256
5c9a6b23151109adaf881b68e02102ec08aaf04396e0449e17246dc03993da8c

SHA512
20d41244cb997827e5de134c387344e3c1c8a693bf1575b53538b22bb870a9ff9ee1063a67a56c980de029192499fdfd0e0c8a910d5fb6b378f7057ded1e2d77

Download Submit
C:\Program Files (x86)\Bandicam\bdcap32.dll

Filesize
11.0MB

MD5
f4f24338b748f9b35c1704ce3537c312

SHA1
059e4656ab987e84fe950db13b2b339e6c9c94cd

SHA256
f71f1aaba8a41830feb16927f8e6a40469beb6a6e996548367c3786f3459145a

SHA512
a838c10f7669c48e62d416f087d4a5f084eaa092abb8db7a648d84765489af47490e1c6bb8003527ddeb12617409209f61e5610932d12ee9ad8db50d41acca2e

Download Submit
C:\Program Files (x86)\Bandicam\bdcap64.dll

Filesize
15.6MB

MD5
2ad27be6464160e1ceb5a02d665d4b85

SHA1
e56f5f9e2665d2513db59f72bbde51f70dc9628e

SHA256
6b9ab4c92a9b0ccfe1afbb0c9ef5320bc2a9a10829fd370ee3f47fc1628f30af

SHA512
0a1c6bf909e4b25d9e790c95cccdd047e333b76057b024b69c5731cfe966874addc46a24962dd6bd667509e8eb58d0ef8aacae6958492acc1824bd00df025429

Download Submit
C:\Program Files (x86)\Bandicam\data\effects\effects10.dat

Filesize
58KB

MD5
fe3d7459d1e60f1a3a9f4de092e46ba7

SHA1
c8545c0873e896d9549c9a66f099b67f36ba461e

SHA256
184bd469a52b67c553fb934bf4122334449f6b6bff86c07ba193eab2ee617427

SHA512
77eba3abacf6db565dbe8dd6f9107cabcb390c40512aca9c09d7d1d590f522cbfa97940d4f06cec71022053af4b13176183997fa14c7a10531cc5511709c8d86

Download Submit
C:\Program Files (x86)\Bandicam\data\effects\highlight10.dat

Filesize
3KB

MD5
e734e8f933a0f60adcc30c465bbe1c4c

SHA1
d7722aafbf6a2aacec2c1740e99a23af7d01b966

SHA256
a2b6a948b305d71bb8cf7bde3a79a3194ee29562e5c447a46b7efac831aee5c7

SHA512
802c993816d3e6aa868f67c384f3702af636415560f10de8336eb226639b180da4b2211b922bcfbb0d4accb3111a450603f20437f46436a067f05356f0752d2a

Download Submit
C:\Program Files (x86)\Bandicam\data\language.dat

Filesize
74KB

MD5
3086a9603248ca63af3fc75816c381d6

SHA1
6b32a9673a8feffc985ef15b5a65a4a7a4dfbc31

SHA256
f074c2ed73dc4853afec8a6289b167b179148c7c069d618b27d474c842dc3fd5

SHA512
da62cdb5d4fa730cee2dfbce687754011b07ad705edb4c2946f834ea370b33b992286505052d06065820b52746c227d55f3a7c6c3c9ec08d164eb7e6469941dc

Download Submit
C:\Program Files (x86)\Bandicam\data\skin.dat

Filesize
616KB

MD5
4bab7d2dea98555798921832a76029d6

SHA1
8529990d7913907cadbc5261431c9ce14d12f8d2

SHA256
d96739906ff2eb34382dbf92809c69adadc959f46c1206e670d8464d20792466

SHA512
7cbdd243799769eaa08822c4c2441ef92e36abc3acdc15a00a3496ed5c02e0388fca8e5aefdd9f27bbef12ebce3dc7322794fb8ce3ff0c950cc6ad07eeb8f978

Download Submit
C:\Program Files (x86)\Bandicam\lang\English.ini

Filesize
110KB

MD5
b7c822379925806136a091c6dfcd3fe2

SHA1
887bea16885863807430a1953ac2625c71c00f54

SHA256
0a04f09e4d2bd95d4b23c1ad1798b7778b470635de04628fef4fa9596e5dcb00

SHA512
bf6310037bfb0c7f3e7a0413b886dac65333b29b6d75ce540e96408d76ba6606f53cecde68e0198604e05da6f63c01c6547f47cd2342e5c2d2747f8b140e604f

Download Submit
C:\Users\Admin\AppData\Local\Temp\BDMPEG1SETUP.EXE

Filesize
1.4MB

MD5
461d135a4fccd51bbae38f742e123fd3

SHA1
c12a442fbcd4a9c44102f0a560ba03d59bc501ed

SHA256
4c441e7d744a2a273f780103bcf5bcb1e32c2d9c6a32b62f9044b32107544079

SHA512
41eb816bf0cc0ca12b5c6c07517cd718b8701255ea81e94ffc937f2538b8cdf5db24751cdbc22fefd6496b767fc0d631fea76216b0363f4b625557097b3caaee

Download Submit
C:\Users\Admin\AppData\Local\Temp\BDMPEG1SETUP.EXE

Filesize
1.4MB

MD5
461d135a4fccd51bbae38f742e123fd3

SHA1
c12a442fbcd4a9c44102f0a560ba03d59bc501ed

SHA256
4c441e7d744a2a273f780103bcf5bcb1e32c2d9c6a32b62f9044b32107544079

SHA512
41eb816bf0cc0ca12b5c6c07517cd718b8701255ea81e94ffc937f2538b8cdf5db24751cdbc22fefd6496b767fc0d631fea76216b0363f4b625557097b3caaee

Download Submit
C:\Users\Admin\Documents\Bandicam\bandicam 2023-02-05 22-09-07-153.avi

Filesize
166KB

MD5
97efde78e57c9d3ac1e2a968b28d6c7a

SHA1
4f4bbf98477ab85fc2921af2d1420e64edcf3886

SHA256
fc5655c1c3ce4492802fe0aeb57753ba47351559d6ffd0b277bf8f846024f9f0

SHA512
b68f643a894a071ecdfaf53d9565c42fdab36a0a2d866c1f903c5108b9fcfadc83323365fc32fc0da39fb83e6d5513edfc15b5fda155371fc723147ff1bf64d0

Download Submit
\Program Files (x86)\BandiMPEG1\bdfilters.dll

Filesize
4.1MB

MD5
ed730387fdcd684b756601b863c47417

SHA1
c49ed6d0d46facf4ceaeb21f5d6bfdf9e3587fde

SHA256
9cbc29696ad2d582e251bf9c4be5cce618753fa43551d2474e1ae5cc5e1245e5

SHA512
e32df727799d33922c6e92f94a7bdb0bc2772d6a6636d15e285d94d3ae4661062e5bc89ec3546b76ec853398f88d972f461327ef687f89093acf1096560d5c3f

Download Submit
\Program Files (x86)\BandiMPEG1\bdfilters64.dll

Filesize
4.6MB

MD5
13f7a29baa1e04f74151737cb71bd0e5

SHA1
0bc8682c6c96923a729aa6239aa53d95221b13ab

SHA256
008fababd36e8fbfd5f610a2c62d47963e78ec91e54ad69a1e20807445c3528d

SHA512
4cea11e88e8861c4094b227d85295c0d67452af703b0ec9dfe475797b87d03b40bc1f6b58dcc00996672c1c05d99b82dcc067bc429a1465ae90f4ec966f2bca8

Download Submit
\Program Files (x86)\BandiMPEG1\bdfilters64.dll

Filesize
4.6MB

MD5
13f7a29baa1e04f74151737cb71bd0e5

SHA1
0bc8682c6c96923a729aa6239aa53d95221b13ab

SHA256
008fababd36e8fbfd5f610a2c62d47963e78ec91e54ad69a1e20807445c3528d

SHA512
4cea11e88e8861c4094b227d85295c0d67452af703b0ec9dfe475797b87d03b40bc1f6b58dcc00996672c1c05d99b82dcc067bc429a1465ae90f4ec966f2bca8

Download Submit
\Program Files (x86)\Bandicam\bdcam.dll

Filesize
18.4MB

MD5
73f85513be1f1a05271e74b804f7f82f

SHA1
ff63590d5a4c23158de6a147f9bcb12b370dec02

SHA256
2b401cb041e5450c47b87e07d82defeda2761f0c945b268d30fc64fb4632ab41

SHA512
d51a5840dd322cffddd1707bdb67b268f21adec4790f88b6372a4bb468ab247127f890bd8aa7c3d03bdf756405654449d1c67cd306f580ecf7afda9c6204b110

Download Submit
\Program Files (x86)\Bandicam\bdcam.exe

Filesize
6.7MB

MD5
48c906ce763f5a3170a5f6819c619e6f

SHA1
afdae638675676ac10e8f864a6d96346c03b77b9

SHA256
8a6f0f84a3519d34a7a66c967bb926606399f4f8ab80ba036d5316ab2e5d6a34

SHA512
b2cb66005066befc0ed6043559c6801bc73f597be85d812185c2355df4b40c2fd8d018acce86147b01d8feb8d81d2a3be19204b5d3c0fdd103d40abe48373b77

Download Submit
\Program Files (x86)\Bandicam\bdcam.exe

Filesize
6.7MB

MD5
48c906ce763f5a3170a5f6819c619e6f

SHA1
afdae638675676ac10e8f864a6d96346c03b77b9

SHA256
8a6f0f84a3519d34a7a66c967bb926606399f4f8ab80ba036d5316ab2e5d6a34

SHA512
b2cb66005066befc0ed6043559c6801bc73f597be85d812185c2355df4b40c2fd8d018acce86147b01d8feb8d81d2a3be19204b5d3c0fdd103d40abe48373b77

Download Submit
\Program Files (x86)\Bandicam\bdcam.exe

Filesize
6.7MB

MD5
48c906ce763f5a3170a5f6819c619e6f

SHA1
afdae638675676ac10e8f864a6d96346c03b77b9

SHA256
8a6f0f84a3519d34a7a66c967bb926606399f4f8ab80ba036d5316ab2e5d6a34

SHA512
b2cb66005066befc0ed6043559c6801bc73f597be85d812185c2355df4b40c2fd8d018acce86147b01d8feb8d81d2a3be19204b5d3c0fdd103d40abe48373b77

Download Submit
\Program Files (x86)\Bandicam\bdcam.exe

Filesize
6.7MB

MD5
48c906ce763f5a3170a5f6819c619e6f

SHA1
afdae638675676ac10e8f864a6d96346c03b77b9

SHA256
8a6f0f84a3519d34a7a66c967bb926606399f4f8ab80ba036d5316ab2e5d6a34

SHA512
b2cb66005066befc0ed6043559c6801bc73f597be85d812185c2355df4b40c2fd8d018acce86147b01d8feb8d81d2a3be19204b5d3c0fdd103d40abe48373b77

Download Submit
\Program Files (x86)\Bandicam\bdcam_nonadmin.exe

Filesize
156KB

MD5
aa6f3a6e63e0634f74c0882a771050b8

SHA1
8161fc6214ac0ce307985cdcd006929a62335a09

SHA256
68acc1f23c0685d84bc83f1fa9dc9970c0d0defd902906b64f58f9d0b56b135b

SHA512
52fd53729f38516be00e44033c2050885508dd1da38f92e9ccfedc7359487f8dca5c048e0d2787543cb79460e0925996bf4b64e42f213db55bf120826598f3c8

Download Submit
\Program Files (x86)\Bandicam\bdcamvk32.dll

Filesize
1.5MB

MD5
7c790924f093ee3f05efc7e054bf848f

SHA1
6579535137b389d8b9c70879e2b2c66a9753643b

SHA256
7d43059abc6d8caadd1201e4ed22fe955a4b5aa36f22214cba6eb6c2a12f5662

SHA512
f2c6068184632e23efc9db407c89592b18fb9f348e7c0fa0847e4a27b1d994d48192ea89c3f52253c264474546a2d555997cd51a1e37730d8f9abded912d81c7

Download Submit
\Program Files (x86)\Bandicam\bdcamvk32.dll

Filesize
1.5MB

MD5
7c790924f093ee3f05efc7e054bf848f

SHA1
6579535137b389d8b9c70879e2b2c66a9753643b

SHA256
7d43059abc6d8caadd1201e4ed22fe955a4b5aa36f22214cba6eb6c2a12f5662

SHA512
f2c6068184632e23efc9db407c89592b18fb9f348e7c0fa0847e4a27b1d994d48192ea89c3f52253c264474546a2d555997cd51a1e37730d8f9abded912d81c7

Download Submit
\Program Files (x86)\Bandicam\bdcamvk32.dll

Filesize
1.5MB

MD5
7c790924f093ee3f05efc7e054bf848f

SHA1
6579535137b389d8b9c70879e2b2c66a9753643b

SHA256
7d43059abc6d8caadd1201e4ed22fe955a4b5aa36f22214cba6eb6c2a12f5662

SHA512
f2c6068184632e23efc9db407c89592b18fb9f348e7c0fa0847e4a27b1d994d48192ea89c3f52253c264474546a2d555997cd51a1e37730d8f9abded912d81c7

Download Submit
\Program Files (x86)\Bandicam\bdcamvk32.dll

Filesize
1.5MB

MD5
7c790924f093ee3f05efc7e054bf848f

SHA1
6579535137b389d8b9c70879e2b2c66a9753643b

SHA256
7d43059abc6d8caadd1201e4ed22fe955a4b5aa36f22214cba6eb6c2a12f5662

SHA512
f2c6068184632e23efc9db407c89592b18fb9f348e7c0fa0847e4a27b1d994d48192ea89c3f52253c264474546a2d555997cd51a1e37730d8f9abded912d81c7

Download Submit
\Program Files (x86)\Bandicam\bdcamvk64.dll

Filesize
1.9MB

MD5
93b822cd5bcf89bbf319789d00960cd4

SHA1
6722785ee4c306fd2906251e1af39b451a1776f5

SHA256
5c9a6b23151109adaf881b68e02102ec08aaf04396e0449e17246dc03993da8c

SHA512
20d41244cb997827e5de134c387344e3c1c8a693bf1575b53538b22bb870a9ff9ee1063a67a56c980de029192499fdfd0e0c8a910d5fb6b378f7057ded1e2d77

Download Submit
\Program Files (x86)\Bandicam\bdcamvk64.dll

Filesize
1.9MB

MD5
93b822cd5bcf89bbf319789d00960cd4

SHA1
6722785ee4c306fd2906251e1af39b451a1776f5

SHA256
5c9a6b23151109adaf881b68e02102ec08aaf04396e0449e17246dc03993da8c

SHA512
20d41244cb997827e5de134c387344e3c1c8a693bf1575b53538b22bb870a9ff9ee1063a67a56c980de029192499fdfd0e0c8a910d5fb6b378f7057ded1e2d77

Download Submit
\Program Files (x86)\Bandicam\bdcamvk64.dll

Filesize
1.9MB

MD5
93b822cd5bcf89bbf319789d00960cd4

SHA1
6722785ee4c306fd2906251e1af39b451a1776f5

SHA256
5c9a6b23151109adaf881b68e02102ec08aaf04396e0449e17246dc03993da8c

SHA512
20d41244cb997827e5de134c387344e3c1c8a693bf1575b53538b22bb870a9ff9ee1063a67a56c980de029192499fdfd0e0c8a910d5fb6b378f7057ded1e2d77

Download Submit
\Program Files (x86)\Bandicam\bdcamvk64.dll

Filesize
1.9MB

MD5
93b822cd5bcf89bbf319789d00960cd4

SHA1
6722785ee4c306fd2906251e1af39b451a1776f5

SHA256
5c9a6b23151109adaf881b68e02102ec08aaf04396e0449e17246dc03993da8c

SHA512
20d41244cb997827e5de134c387344e3c1c8a693bf1575b53538b22bb870a9ff9ee1063a67a56c980de029192499fdfd0e0c8a910d5fb6b378f7057ded1e2d77

Download Submit
\Program Files (x86)\Bandicam\bdcap32.dll

Filesize
11.0MB

MD5
f4f24338b748f9b35c1704ce3537c312

SHA1
059e4656ab987e84fe950db13b2b339e6c9c94cd

SHA256
f71f1aaba8a41830feb16927f8e6a40469beb6a6e996548367c3786f3459145a

SHA512
a838c10f7669c48e62d416f087d4a5f084eaa092abb8db7a648d84765489af47490e1c6bb8003527ddeb12617409209f61e5610932d12ee9ad8db50d41acca2e

Download Submit
\Program Files (x86)\Bandicam\bdfix.exe

Filesize
2.8MB

MD5
dddf65a71f12833e7de66d039e41110d

SHA1
8f6452fccfb8b03b2ab5d5d2be4a9d1648901884

SHA256
e1ce5d710944720cd4edfb2df9164a2d8f235effe518c873caff5fd23a78cf21

SHA512
9c7b2a1b06713f55bf0afbde8fce3b72f5caf48a4b8b77cd5511ce042515d8eae62cc0900a4a42c22a59e5708e527402ae21622cd75398112bd10f307f6ad584

Download Submit
\Program Files (x86)\Bandicam\uninstall.exe

Filesize
173KB

MD5
93e46ed00fdc8d8cd7e2006b8cb799ac

SHA1
5060fdf9d033e245bf3f0e535a957b07f2d1f2b7

SHA256
2178cc1b4d1e9f15f7628121cd29c19e534c057e09a0f81602a100dd1901697e

SHA512
e9cb9a2a92bd993eb059107e298f398e2101fd7721216cff9ad9d8b8f557927179f8ae8534e7d25f6dd9b61f4d3e435dd265df93788e5f25f887102828d7545d

Download Submit
\Users\Admin\AppData\Local\Temp\BDMPEG1SETUP.EXE

Filesize
1.4MB

MD5
461d135a4fccd51bbae38f742e123fd3

SHA1
c12a442fbcd4a9c44102f0a560ba03d59bc501ed

SHA256
4c441e7d744a2a273f780103bcf5bcb1e32c2d9c6a32b62f9044b32107544079

SHA512
41eb816bf0cc0ca12b5c6c07517cd718b8701255ea81e94ffc937f2538b8cdf5db24751cdbc22fefd6496b767fc0d631fea76216b0363f4b625557097b3caaee

Download Submit
\Users\Admin\AppData\Local\Temp\BDMPEG1SETUP.EXE

Filesize
1.4MB

MD5
461d135a4fccd51bbae38f742e123fd3

SHA1
c12a442fbcd4a9c44102f0a560ba03d59bc501ed

SHA256
4c441e7d744a2a273f780103bcf5bcb1e32c2d9c6a32b62f9044b32107544079

SHA512
41eb816bf0cc0ca12b5c6c07517cd718b8701255ea81e94ffc937f2538b8cdf5db24751cdbc22fefd6496b767fc0d631fea76216b0363f4b625557097b3caaee

Download Submit
\Users\Admin\AppData\Local\Temp\BDMPEG1SETUP.EXE

Filesize
1.4MB

MD5
461d135a4fccd51bbae38f742e123fd3

SHA1
c12a442fbcd4a9c44102f0a560ba03d59bc501ed

SHA256
4c441e7d744a2a273f780103bcf5bcb1e32c2d9c6a32b62f9044b32107544079

SHA512
41eb816bf0cc0ca12b5c6c07517cd718b8701255ea81e94ffc937f2538b8cdf5db24751cdbc22fefd6496b767fc0d631fea76216b0363f4b625557097b3caaee

Download Submit
\Users\Admin\AppData\Local\Temp\BDMPEG1SETUP.EXE

Filesize
1.4MB

MD5
461d135a4fccd51bbae38f742e123fd3

SHA1
c12a442fbcd4a9c44102f0a560ba03d59bc501ed

SHA256
4c441e7d744a2a273f780103bcf5bcb1e32c2d9c6a32b62f9044b32107544079

SHA512
41eb816bf0cc0ca12b5c6c07517cd718b8701255ea81e94ffc937f2538b8cdf5db24751cdbc22fefd6496b767fc0d631fea76216b0363f4b625557097b3caaee

Download Submit
\Users\Admin\AppData\Local\Temp\bdfilters.dll

Filesize
4.1MB

MD5
ed730387fdcd684b756601b863c47417

SHA1
c49ed6d0d46facf4ceaeb21f5d6bfdf9e3587fde

SHA256
9cbc29696ad2d582e251bf9c4be5cce618753fa43551d2474e1ae5cc5e1245e5

SHA512
e32df727799d33922c6e92f94a7bdb0bc2772d6a6636d15e285d94d3ae4661062e5bc89ec3546b76ec853398f88d972f461327ef687f89093acf1096560d5c3f

Download Submit
\Users\Admin\AppData\Local\Temp\bdfilters.dll

Filesize
4.1MB

MD5
ed730387fdcd684b756601b863c47417

SHA1
c49ed6d0d46facf4ceaeb21f5d6bfdf9e3587fde

SHA256
9cbc29696ad2d582e251bf9c4be5cce618753fa43551d2474e1ae5cc5e1245e5

SHA512
e32df727799d33922c6e92f94a7bdb0bc2772d6a6636d15e285d94d3ae4661062e5bc89ec3546b76ec853398f88d972f461327ef687f89093acf1096560d5c3f

Download Submit
\Users\Admin\AppData\Local\Temp\nsj6E7F.tmp\System.dll

Filesize
11KB

MD5
959ea64598b9a3e494c00e8fa793be7e

SHA1
40f284a3b92c2f04b1038def79579d4b3d066ee0

SHA256
03cd57ab00236c753e7ddeee8ee1c10839ace7c426769982365531042e1f6f8b

SHA512
5e765e090f712beffce40c5264674f430b08719940d66e3a4d4a516fd4ade859f7853f614d9d6bbb602780de54e11110d66dbb0f9ca20ef6096ede531f9f6d64

Download Submit
\Users\Admin\AppData\Local\Temp\nsy2B37.tmp\Dialer.dll

Filesize
3KB

MD5
6e7e197ffa13cea15434b221b96b3202

SHA1
5fc93dca4a33d79d8601e888daa21a1d0e02eab3

SHA256
cb94aead070194af4d3b01f80ef85f227a70b5cfcfa305d26c3b42b8853ac6b4

SHA512
4d294929ba55e145027107aeef135d918f2d6ec4a7e3b9fc8fc028924019d1987c12202cf37e9adf18a70a02fb321de7f060c4977de874687fc8a4d924cfb19e

Download Submit
\Users\Admin\AppData\Local\Temp\nsy2B37.tmp\InstallOptions.dll

Filesize
15KB

MD5
720304c57dcfa17751ed455b3bb9c10a

SHA1
59a1c3a746de10b8875229ff29006f1fd36b1e41

SHA256
6486029d3939231bd9f10457fd9a5ab2e44f30315af443197a3347df4e18c4e9

SHA512
c64c161290f5c21d642ecf16cc6ad3ee4a31bf5bab41c65c74907a5c158eaca429ef99cd8d2b55dc2ecb8478bb0b85c1576402389a07568f36c871b2772ead04

Download Submit
\Users\Admin\AppData\Local\Temp\nsy2B37.tmp\InstallOptions.dll

Filesize
15KB

MD5
720304c57dcfa17751ed455b3bb9c10a

SHA1
59a1c3a746de10b8875229ff29006f1fd36b1e41

SHA256
6486029d3939231bd9f10457fd9a5ab2e44f30315af443197a3347df4e18c4e9

SHA512
c64c161290f5c21d642ecf16cc6ad3ee4a31bf5bab41c65c74907a5c158eaca429ef99cd8d2b55dc2ecb8478bb0b85c1576402389a07568f36c871b2772ead04

Download Submit
\Users\Admin\AppData\Local\Temp\nsy2B37.tmp\LangDLL.dll

Filesize
5KB

MD5
f1e9eed02db3a822a7ddef0c724e5f1f

SHA1
65864992f5b6c79c5efbefb5b1354648a8a86709

SHA256
6dff504c6759c418c6635c9b25b8c91d0d9ef7787a3a93610d7670bb563c09df

SHA512
c22b64fff76b25cf53231b8636f07b361d95791c4646787ce7beac27ad6a0de88337dcceb25b5196f97c452dda72e2614647f51a8a18cb4d5228a82ed2e0780c

Download Submit
\Users\Admin\AppData\Local\Temp\nsy2B37.tmp\System.dll

Filesize
11KB

MD5
17ed1c86bd67e78ade4712be48a7d2bd

SHA1
1cc9fe86d6d6030b4dae45ecddce5907991c01a0

SHA256
bd046e6497b304e4ea4ab102cab2b1f94ce09bde0eebba4c59942a732679e4eb

SHA512
0cbed521e7d6d1f85977b3f7d3ca7ac34e1b5495b69fd8c7bfa1a846baf53b0ecd06fe1ad02a3599082ffacaf8c71a3bb4e32dec05f8e24859d736b828092cd5

Download Submit
\Users\Admin\AppData\Local\Temp\nsy2B37.tmp\System.dll

Filesize
11KB

MD5
17ed1c86bd67e78ade4712be48a7d2bd

SHA1
1cc9fe86d6d6030b4dae45ecddce5907991c01a0

SHA256
bd046e6497b304e4ea4ab102cab2b1f94ce09bde0eebba4c59942a732679e4eb

SHA512
0cbed521e7d6d1f85977b3f7d3ca7ac34e1b5495b69fd8c7bfa1a846baf53b0ecd06fe1ad02a3599082ffacaf8c71a3bb4e32dec05f8e24859d736b828092cd5

Download Submit
\Users\Admin\AppData\Local\Temp\nsy2B37.tmp\UserInfo.dll

Filesize
4KB

MD5
1b446b36f5b4022d50ffdc0cf567b24a

SHA1
d9a0a99fe5ea3932cbd2774af285ddf35fcdd4f9

SHA256
2862c7bc7f11715cebdea003564a0d70bf42b73451e2b672110e1392ec392922

SHA512
04ab80568f6da5eef2bae47056391a5de4ba6aff15cf4a2d0a9cc807816bf565161731921c65fe5ff748d2b86d1661f6aa4311c65992350bd63a9f092019f1b8

Download Submit
\Users\Admin\AppData\Local\Temp\nsy2B37.tmp\UserInfo.dll

Filesize
4KB

MD5
1b446b36f5b4022d50ffdc0cf567b24a

SHA1
d9a0a99fe5ea3932cbd2774af285ddf35fcdd4f9

SHA256
2862c7bc7f11715cebdea003564a0d70bf42b73451e2b672110e1392ec392922

SHA512
04ab80568f6da5eef2bae47056391a5de4ba6aff15cf4a2d0a9cc807816bf565161731921c65fe5ff748d2b86d1661f6aa4311c65992350bd63a9f092019f1b8

Download Submit
memory/764-78-0x000007FEFB9C1000-0x000007FEFB9C3000-memory.dmp

Filesize
8KB

Download
memory/1204-90-0x0000000001370000-0x0000000001A21000-memory.dmp

Filesize
6.7MB

Download
memory/1204-103-0x0000000001370000-0x0000000001A21000-memory.dmp

Filesize
6.7MB

Download
memory/1204-88-0x0000000001370000-0x0000000001A21000-memory.dmp

Filesize
6.7MB

Download
memory/1252-54-0x0000000075091000-0x0000000075093000-memory.dmp

Filesize
8KB

Download
memory/1252-114-0x0000000001E90000-0x0000000001EA0000-memory.dmp

Filesize
64KB

Download
memory/1252-115-0x0000000001E90000-0x0000000001EA0000-memory.dmp

Filesize
64KB

Download
memory/1252-121-0x0000000001E90000-0x0000000001EA0000-memory.dmp

Filesize
64KB

Download
memory/1252-82-0x0000000001E90000-0x0000000001EA0000-memory.dmp

Filesize
64KB

Download
memory/1252-87-0x0000000003970000-0x0000000004021000-memory.dmp

Filesize
6.7MB

Download
memory/1324-131-0x0000000000210000-0x000000000021A000-memory.dmp

Filesize
40KB

Download
memory/1324-138-0x0000000000210000-0x000000000021A000-memory.dmp

Filesize
40KB

Download
memory/1324-129-0x0000000000210000-0x000000000021A000-memory.dmp

Filesize
40KB

Download
memory/1324-125-0x0000000000210000-0x000000000021A000-memory.dmp

Filesize
40KB

Download
memory/1324-130-0x0000000000210000-0x000000000021A000-memory.dmp

Filesize
40KB

Download
memory/1324-124-0x0000000000210000-0x000000000021A000-memory.dmp

Filesize
40KB

Download
memory/1324-123-0x0000000000210000-0x000000000021A000-memory.dmp

Filesize
40KB

Download
memory/1324-134-0x00000000013B0000-0x0000000001A61000-memory.dmp

Filesize
6.7MB

Download
memory/1324-135-0x0000000000210000-0x000000000021A000-memory.dmp

Filesize
40KB

Download
memory/1324-136-0x0000000000210000-0x000000000021A000-memory.dmp

Filesize
40KB

Download
memory/1324-137-0x0000000000210000-0x000000000021A000-memory.dmp

Filesize
40KB

Download
memory/1324-126-0x0000000000210000-0x000000000021A000-memory.dmp

Filesize
40KB

Download
memory/1324-139-0x0000000000210000-0x000000000021A000-memory.dmp

Filesize
40KB

Download
memory/1324-140-0x0000000000210000-0x000000000021A000-memory.dmp

Filesize
40KB

Download
memory/1324-141-0x0000000000210000-0x000000000021A000-memory.dmp

Filesize
40KB

Download
memory/1324-142-0x0000000000210000-0x000000000021A000-memory.dmp

Filesize
40KB

Download
memory/1324-122-0x00000000013B0000-0x0000000001A61000-memory.dmp

Filesize
6.7MB

Download
memory/1324-120-0x00000000013B0000-0x0000000001A61000-memory.dmp

Filesize
6.7MB

Download