Malware Analysis Report

2025-08-10 12:06

Sample ID 240222-zmxzjsfa61
Target bandicam-1-6-en.exe
SHA256 e2bda9dd998cbfc495ad3c077b0340447ea325de375953fe7400b3044147730f
Tags discovery persistence
Score 7/10

Table of Contents

Analysis Overview

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1 (Detonation Overview, Signatures)

Behavioral analyses, each with Detonation Overview, Command Line, Signatures, Processes, Network and Files: behavioral7, behavioral15, behavioral23, behavioral25, behavioral3, behavioral10, behavioral12, behavioral19, behavioral20, behavioral24, behavioral1, behavioral5, behavioral6, behavioral8, behavioral14, behavioral16, behavioral17, behavioral2, behavioral4, behavioral9, behavioral11, behavioral13, behavioral18, behavioral21, behavioral22

Analysis Overview

Score 7/10

SHA256 e2bda9dd998cbfc495ad3c077b0340447ea325de375953fe7400b3044147730f

Threat Level: Shows suspicious behavior

The file bandicam-1-6-en.exe was found to show suspicious behavior.

Malicious Activity Summary

discovery persistence

Executes dropped EXE

Loads dropped DLL

Registers COM server for autorun

Checks installed software on the system

Drops file in System32 directory

Drops file in Program Files directory

Unsigned PE

Program crash

Enumerates physical storage devices

NSIS installer

Suspicious use of SetWindowsHookEx

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

Modifies system certificate store

Modifies registry class

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SendNotifyMessage

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: AddClipboardFormatListener

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-22 20:50

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A (21 identical rows; no indicator details recorded)

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-02-22 20:50

Reported

2024-02-22 20:53

Platform

win7-20240221-es

Max time kernel

118s

Max time network

119s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2228 -s 224

Network

N/A

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2024-02-22 20:50

Reported

2024-02-22 20:53

Platform

win7-20240221-es

Max time kernel

117s

Max time network

118s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\$TEMP\bdfilters.dll

Signatures

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$TEMP\\bdfilters.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E2E7539A-CECF-4A6A-B187-939943ECEF05}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E2E7539A-CECF-4A6A-B187-939943ECEF05}\InprocServer32\ThreadingModel = "Both" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F4F5C9E9-CFCC-4C65-A8BD-0423A338F188}\ = "Bandisoft MPEG-1 Audio Property" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}\FilterData = 02000000010080ff02000000000000003070693300000000000000000200000000000000000000003074793300000000700000008000000031747933000000007000000090000000317069330800000000000000010000000000000000000000307479330000000070000000a00000007669647300001000800000aa00389b714d50454700001000800000aa00389b714d50473100001000800000aa00389b7100000000000000000000000000000000 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{89C4B786-A490-4A3E-AA70-E6A8C61D3689} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A1C6833E-A3EC-4397-9FA9-151792F3408F}\InprocServer32\ThreadingModel = "Both" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E2E7539A-CECF-4A6A-B187-939943ECEF05} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{E2E7539A-CECF-4A6A-B187-939943ECEF05}\FilterData = 02000000010080ff020000000000000030706933000000000000000001000000000000000000000030747933000000006000000070000000317069330800000000000000010000000000000000000000307479330000000060000000800000006175647300001000800000aa00389b715000000000001000800000aa00389b710100000000001000800000aa00389b71 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}\ = "Bandisoft MPEG-1 Video Decoder" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A1C6833E-A3EC-4397-9FA9-151792F3408F} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A1C6833E-A3EC-4397-9FA9-151792F3408F}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F4F5C9E9-CFCC-4C65-A8BD-0423A338F188}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}\FriendlyName = "Bandisoft MPEG-1 Video Decoder" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}\InprocServer32\ThreadingModel = "Both" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E2E7539A-CECF-4A6A-B187-939943ECEF05}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$TEMP\\bdfilters.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{89C4B786-A490-4A3E-AA70-E6A8C61D3689} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A1C6833E-A3EC-4397-9FA9-151792F3408F}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$TEMP\\bdfilters.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F4F5C9E9-CFCC-4C65-A8BD-0423A338F188}\InprocServer32\ThreadingModel = "Both" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{E2E7539A-CECF-4A6A-B187-939943ECEF05}\FriendlyName = "Bandisoft MPEG-1 Audio Decoder" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{E2E7539A-CECF-4A6A-B187-939943ECEF05}\CLSID = "{E2E7539A-CECF-4A6A-B187-939943ECEF05}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F4F5C9E9-CFCC-4C65-A8BD-0423A338F188}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$TEMP\\bdfilters.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A1C6833E-A3EC-4397-9FA9-151792F3408F}\ = "Bandisoft MPEG-1 Video Property" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E2E7539A-CECF-4A6A-B187-939943ECEF05}\ = "Bandisoft MPEG-1 Audio Decoder" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F4F5C9E9-CFCC-4C65-A8BD-0423A338F188} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}\CLSID = "{89C4B786-A490-4A3E-AA70-E6A8C61D3689}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{E2E7539A-CECF-4A6A-B187-939943ECEF05} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1988 wrote to memory of 1772 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1988 wrote to memory of 1772 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1988 wrote to memory of 1772 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1988 wrote to memory of 1772 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1988 wrote to memory of 1772 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1988 wrote to memory of 1772 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1988 wrote to memory of 1772 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\$TEMP\bdfilters.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\$TEMP\bdfilters.dll

Network

N/A

Files

N/A

Analysis: behavioral23

Detonation Overview

Submitted

2024-02-22 20:50

Reported

2024-02-22 20:53

Platform

win7-20240221-es

Max time kernel

117s

Max time network

128s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\bdcap32.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2976 wrote to memory of 2136 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2976 wrote to memory of 2136 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2976 wrote to memory of 2136 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2976 wrote to memory of 2136 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2976 wrote to memory of 2136 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2976 wrote to memory of 2136 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2976 wrote to memory of 2136 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\bdcap32.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\bdcap32.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral25

Detonation Overview

Submitted

2024-02-22 20:50

Reported

2024-02-22 20:53

Platform

win7-20240221-es

Max time kernel

122s

Max time network

129s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bdfix.exe"

Signatures

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\bdfix.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\bdfix.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bdfix.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\bdfix.exe

"C:\Users\Admin\AppData\Local\Temp\bdfix.exe"

Network

N/A

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-02-22 20:50

Reported

2024-02-22 20:53

Platform

win7-20240221-es

Max time kernel

122s

Max time network

133s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\LangDLL.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\LangDLL.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\LangDLL.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2252 -s 228

Network

N/A

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-02-22 20:50

Reported

2024-02-22 20:53

Platform

win7-20240221-es

Max time kernel

120s

Max time network

126s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\bdmjpeg64.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\bdmjpeg64.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-02-22 20:50

Reported

2024-02-22 20:53

Platform

win7-20240221-es

Max time kernel

119s

Max time network

127s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\bdmpega64.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\bdmpega64.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral19

Detonation Overview

Submitted

2024-02-22 20:50

Reported

2024-02-22 20:53

Platform

win7-20240221-es

Max time kernel

122s

Max time network

128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bdcam.exe"

Signatures

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\bdcam.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\bdcam.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\bdcam.exe

"C:\Users\Admin\AppData\Local\Temp\bdcam.exe"

C:\Users\Admin\AppData\Local\Temp\bdcam64.bin

"C:\Users\Admin\AppData\Local\Temp\bdcam64.bin"

Network

N/A

Files

N/A

Analysis: behavioral20

Detonation Overview

Submitted

2024-02-22 20:50

Reported

2024-02-22 20:53

Platform

win7-20240221-es

Max time kernel

118s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bdcam64.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\bdcam64.exe

"C:\Users\Admin\AppData\Local\Temp\bdcam64.exe"

Network

N/A

Files

N/A

Analysis: behavioral24

Detonation Overview

Submitted

2024-02-22 20:50

Reported

2024-02-22 20:53

Platform

win7-20240221-es

Max time kernel

117s

Max time network

127s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\bdcap64.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\bdcap64.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-22 20:50

Reported

2024-02-22 20:53

Platform

win7-20240220-es

Max time kernel

144s

Max time network

132s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bandicam-1-6-en.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\bandicam-1-6-en.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bandicam-1-6-en.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bandicam-1-6-en.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bandicam-1-6-en.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bandicam-1-6-en.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BDMPEG1SETUP.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BDMPEG1SETUP.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BDMPEG1SETUP.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BDMPEG1SETUP.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BDMPEG1SETUP.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BDMPEG1SETUP.EXE N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BDMPEG1SETUP.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bandicam-1-6-en.exe N/A
N/A N/A C:\Program Files (x86)\Bandicam\bdcam.exe N/A
N/A N/A C:\Program Files (x86)\Bandicam\bdcam.exe N/A
N/A N/A C:\Program Files (x86)\Bandicam\bdcam.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bandicam-1-6-en.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bandicam-1-6-en.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bandicam-1-6-en.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bandicam-1-6-en.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bandicam-1-6-en.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bandicam-1-6-en.exe N/A
N/A N/A C:\Program Files (x86)\Bandicam\bdcam.exe N/A
N/A N/A C:\Program Files (x86)\Bandicam\bdcam.exe N/A
N/A N/A C:\Program Files (x86)\Bandicam\bdcam.exe N/A
N/A N/A C:\Program Files (x86)\Bandicam\bdcam64.bin N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Program Files (x86)\Bandicam\bdcam.exe N/A
N/A N/A C:\Program Files (x86)\Bandicam\bdcam.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A N/A N/A

Registers COM server for autorun

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A1C6833E-A3EC-4397-9FA9-151792F3408F}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A1C6833E-A3EC-4397-9FA9-151792F3408F}\InprocServer32\ = "C:\\Program Files (x86)\\BandiMPEG1\\bdfilters64.dll" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A1C6833E-A3EC-4397-9FA9-151792F3408F}\InprocServer32\ThreadingModel = "Both" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F4F5C9E9-CFCC-4C65-A8BD-0423A338F188}\InprocServer32\ = "C:\\Program Files (x86)\\BandiMPEG1\\bdfilters64.dll" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F4F5C9E9-CFCC-4C65-A8BD-0423A338F188}\InprocServer32\ThreadingModel = "Both" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}\InprocServer32\ = "C:\\Program Files (x86)\\BandiMPEG1\\bdfilters64.dll" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}\InprocServer32\ThreadingModel = "Both" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E2E7539A-CECF-4A6A-B187-939943ECEF05}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E2E7539A-CECF-4A6A-B187-939943ECEF05}\InprocServer32\ = "C:\\Program Files (x86)\\BandiMPEG1\\bdfilters64.dll" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E2E7539A-CECF-4A6A-B187-939943ECEF05}\InprocServer32\ThreadingModel = "Both" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F4F5C9E9-CFCC-4C65-A8BD-0423A338F188}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A

Checks installed software on the system

discovery

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\bdmjpeg64.dll C:\Users\Admin\AppData\Local\Temp\BDMPEG1SETUP.EXE N/A
File created C:\Windows\system32\bdmpegv64.dll C:\Users\Admin\AppData\Local\Temp\BDMPEG1SETUP.EXE N/A
File created C:\Windows\system32\bdmpega64.acm C:\Users\Admin\AppData\Local\Temp\BDMPEG1SETUP.EXE N/A
File created C:\Windows\SysWOW64\bdmjpeg.dll C:\Users\Admin\AppData\Local\Temp\BDMPEG1SETUP.EXE N/A
File created C:\Windows\SysWOW64\bdmpegv.dll C:\Users\Admin\AppData\Local\Temp\BDMPEG1SETUP.EXE N/A
File created C:\Windows\SysWOW64\bdmpega.acm C:\Users\Admin\AppData\Local\Temp\BDMPEG1SETUP.EXE N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Bandicam\skin\btn_black.png C:\Users\Admin\AppData\Local\Temp\bandicam-1-6-en.exe N/A
File created C:\Program Files (x86)\BandiMPEG1\uninstall.exe C:\Users\Admin\AppData\Local\Temp\BDMPEG1SETUP.EXE N/A
File created C:\Program Files (x86)\Bandicam\bdfix.exe C:\Users\Admin\AppData\Local\Temp\bandicam-1-6-en.exe N/A
File created C:\Program Files (x86)\Bandicam\lang\Simplified_Chinese.ini C:\Users\Admin\AppData\Local\Temp\bandicam-1-6-en.exe N/A
File created C:\Program Files (x86)\Bandicam\skin\btn_fullscreen.png C:\Users\Admin\AppData\Local\Temp\bandicam-1-6-en.exe N/A
File created C:\Program Files (x86)\Bandicam\bdcam.exe C:\Users\Admin\AppData\Local\Temp\bandicam-1-6-en.exe N/A
File created C:\Program Files (x86)\Bandicam\bdcamih.dll C:\Users\Admin\AppData\Local\Temp\bandicam-1-6-en.exe N/A
File created C:\Program Files (x86)\Bandicam\skin\target.xml C:\Users\Admin\AppData\Local\Temp\bandicam-1-6-en.exe N/A
File created C:\Program Files (x86)\Bandicam\bdcam64.bin C:\Users\Admin\AppData\Local\Temp\bandicam-1-6-en.exe N/A
File created C:\Program Files (x86)\Bandicam\skin\btn_rec_start.png C:\Users\Admin\AppData\Local\Temp\bandicam-1-6-en.exe N/A
File created C:\Program Files (x86)\Bandicam\skin\btn_rec_stop.png C:\Users\Admin\AppData\Local\Temp\bandicam-1-6-en.exe N/A
File created C:\Program Files (x86)\Bandicam\sample.png C:\Users\Admin\AppData\Local\Temp\bandicam-1-6-en.exe N/A
File created C:\Program Files (x86)\BandiMPEG1\bdfilters.dll C:\Users\Admin\AppData\Local\Temp\BDMPEG1SETUP.EXE N/A
File created C:\Program Files (x86)\BandiMPEG1\bdfilters64.dll C:\Users\Admin\AppData\Local\Temp\BDMPEG1SETUP.EXE N/A
File created C:\Program Files (x86)\Bandicam\language.dat C:\Users\Admin\AppData\Local\Temp\bandicam-1-6-en.exe N/A
File created C:\Program Files (x86)\Bandicam\uninstall.exe C:\Users\Admin\AppData\Local\Temp\bandicam-1-6-en.exe N/A
File created C:\Program Files (x86)\Bandicam\bdcap32.dll C:\Users\Admin\AppData\Local\Temp\bandicam-1-6-en.exe N/A
File created C:\Program Files (x86)\Bandicam\bandicam.ini C:\Users\Admin\AppData\Local\Temp\bandicam-1-6-en.exe N/A
File created C:\Program Files (x86)\Bandicam\bdcam.dll C:\Users\Admin\AppData\Local\Temp\bandicam-1-6-en.exe N/A
File created C:\Program Files (x86)\Bandicam\skin\btn_img_start.png C:\Users\Admin\AppData\Local\Temp\bandicam-1-6-en.exe N/A
File created C:\Program Files (x86)\Bandicam\bdcap64.dll C:\Users\Admin\AppData\Local\Temp\bandicam-1-6-en.exe N/A
File created C:\Program Files (x86)\Bandicam\bdcam64.dll C:\Users\Admin\AppData\Local\Temp\bandicam-1-6-en.exe N/A
File created C:\Program Files (x86)\Bandicam\skin\btn_default.png C:\Users\Admin\AppData\Local\Temp\bandicam-1-6-en.exe N/A
File created C:\Program Files (x86)\Bandicam\skin\btn_rec_paused.png C:\Users\Admin\AppData\Local\Temp\bandicam-1-6-en.exe N/A
File created C:\Program Files (x86)\Bandicam\skin\btn_restore.png C:\Users\Admin\AppData\Local\Temp\bandicam-1-6-en.exe N/A
File created C:\Program Files (x86)\Bandicam\lang\English.ini C:\Users\Admin\AppData\Local\Temp\bandicam-1-6-en.exe N/A
File created C:\Program Files (x86)\Bandicam\skin\btn_img_stop.png C:\Users\Admin\AppData\Local\Temp\bandicam-1-6-en.exe N/A
File created C:\Program Files (x86)\Bandicam\skin\btn_rec_pause.png C:\Users\Admin\AppData\Local\Temp\bandicam-1-6-en.exe N/A

Enumerates physical storage devices

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E2E7539A-CECF-4A6A-B187-939943ECEF05}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\BDMPEG1SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F4F5C9E9-CFCC-4C65-A8BD-0423A338F188}\InprocServer32\ = "C:\\Program Files (x86)\\BandiMPEG1\\bdfilters.dll" C:\Users\Admin\AppData\Local\Temp\BDMPEG1SETUP.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{E2E7539A-CECF-4A6A-B187-939943ECEF05} C:\Users\Admin\AppData\Local\Temp\BDMPEG1SETUP.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A1C6833E-A3EC-4397-9FA9-151792F3408F}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F4F5C9E9-CFCC-4C65-A8BD-0423A338F188}\ = "Bandisoft MPEG-1 Audio Property" C:\Windows\system32\regsvr32.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}\FilterData = 02000000010080ff02000000000000003070693300000000000000000200000000000000000000003074793300000000700000008000000031747933000000007000000090000000317069330800000000000000010000000000000000000000307479330000000070000000a00000007669647300001000800000aa00389b714d50454700001000800000aa00389b714d50473100001000800000aa00389b7100000000000000000000000000000000 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}\ = "Bandisoft MPEG-1 Video Decoder" C:\Users\Admin\AppData\Local\Temp\BDMPEG1SETUP.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A1C6833E-A3EC-4397-9FA9-151792F3408F} C:\Users\Admin\AppData\Local\Temp\BDMPEG1SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E2E7539A-CECF-4A6A-B187-939943ECEF05}\InprocServer32\ThreadingModel = "Both" C:\Users\Admin\AppData\Local\Temp\BDMPEG1SETUP.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{E2E7539A-CECF-4A6A-B187-939943ECEF05}\FilterData = 02000000010080ff020000000000000030706933000000000000000001000000000000000000000030747933000000006000000070000000317069330800000000000000010000000000000000000000307479330000000060000000800000006175647300001000800000aa00389b715000000000001000800000aa00389b710100000000001000800000aa00389b71 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A1C6833E-A3EC-4397-9FA9-151792F3408F}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\BDMPEG1SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A1C6833E-A3EC-4397-9FA9-151792F3408F}\InprocServer32\ = "C:\\Program Files (x86)\\BandiMPEG1\\bdfilters.dll" C:\Users\Admin\AppData\Local\Temp\BDMPEG1SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A1C6833E-A3EC-4397-9FA9-151792F3408F}\InprocServer32\ = "C:\\Program Files (x86)\\BandiMPEG1\\bdfilters64.dll" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F4F5C9E9-CFCC-4C65-A8BD-0423A338F188}\InprocServer32\ = "C:\\Program Files (x86)\\BandiMPEG1\\bdfilters64.dll" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}\InprocServer32\ = "C:\\Program Files (x86)\\BandiMPEG1\\bdfilters.dll" C:\Users\Admin\AppData\Local\Temp\BDMPEG1SETUP.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{89C4B786-A490-4A3E-AA70-E6A8C61D3689} C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E2E7539A-CECF-4A6A-B187-939943ECEF05}\ = "Bandisoft MPEG-1 Audio Decoder" C:\Users\Admin\AppData\Local\Temp\BDMPEG1SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F4F5C9E9-CFCC-4C65-A8BD-0423A338F188}\InprocServer32\ThreadingModel = "Both" C:\Users\Admin\AppData\Local\Temp\BDMPEG1SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{E2E7539A-CECF-4A6A-B187-939943ECEF05}\FriendlyName = "Bandisoft MPEG-1 Audio Decoder" C:\Users\Admin\AppData\Local\Temp\BDMPEG1SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{E2E7539A-CECF-4A6A-B187-939943ECEF05}\CLSID = "{E2E7539A-CECF-4A6A-B187-939943ECEF05}" C:\Users\Admin\AppData\Local\Temp\BDMPEG1SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E2E7539A-CECF-4A6A-B187-939943ECEF05}\InprocServer32\ThreadingModel = "Both" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{89C4B786-A490-4A3E-AA70-E6A8C61D3689} C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}\InprocServer32\ThreadingModel = "Both" C:\Users\Admin\AppData\Local\Temp\BDMPEG1SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A1C6833E-A3EC-4397-9FA9-151792F3408F}\InprocServer32\ThreadingModel = "Both" C:\Users\Admin\AppData\Local\Temp\BDMPEG1SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}\CLSID = "{89C4B786-A490-4A3E-AA70-E6A8C61D3689}" C:\Users\Admin\AppData\Local\Temp\BDMPEG1SETUP.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A1C6833E-A3EC-4397-9FA9-151792F3408F} C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E2E7539A-CECF-4A6A-B187-939943ECEF05} C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E2E7539A-CECF-4A6A-B187-939943ECEF05}\InprocServer32\ = "C:\\Program Files (x86)\\BandiMPEG1\\bdfilters64.dll" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{E2E7539A-CECF-4A6A-B187-939943ECEF05} C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F4F5C9E9-CFCC-4C65-A8BD-0423A338F188}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\BDMPEG1SETUP.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E2E7539A-CECF-4A6A-B187-939943ECEF05} C:\Users\Admin\AppData\Local\Temp\BDMPEG1SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}\InprocServer32\ = "C:\\Program Files (x86)\\BandiMPEG1\\bdfilters64.dll" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}\InprocServer32\ThreadingModel = "Both" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\BDMPEG1SETUP.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{89C4B786-A490-4A3E-AA70-E6A8C61D3689} C:\Users\Admin\AppData\Local\Temp\BDMPEG1SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}\FriendlyName = "Bandisoft MPEG-1 Video Decoder" C:\Users\Admin\AppData\Local\Temp\BDMPEG1SETUP.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}\FilterData = 02000000010080ff02000000000000003070693300000000000000000200000000000000000000003074793300000000700000008000000031747933000000007000000090000000317069330800000000000000010000000000000000000000307479330000000070000000a00000007669647300001000800000aa00389b714d50454700001000800000aa00389b714d50473100001000800000aa00389b7100000000000000000000000000000000 C:\Users\Admin\AppData\Local\Temp\BDMPEG1SETUP.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F4F5C9E9-CFCC-4C65-A8BD-0423A338F188} C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}\FriendlyName = "Bandisoft MPEG-1 Video Decoder" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F4F5C9E9-CFCC-4C65-A8BD-0423A338F188}\ = "Bandisoft MPEG-1 Audio Property" C:\Users\Admin\AppData\Local\Temp\BDMPEG1SETUP.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{E2E7539A-CECF-4A6A-B187-939943ECEF05}\FilterData = 02000000010080ff020000000000000030706933000000000000000001000000000000000000000030747933000000006000000070000000317069330800000000000000010000000000000000000000307479330000000060000000800000006175647300001000800000aa00389b715000000000001000800000aa00389b710100000000001000800000aa00389b71 C:\Users\Admin\AppData\Local\Temp\BDMPEG1SETUP.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{89C4B786-A490-4A3E-AA70-E6A8C61D3689} C:\Users\Admin\AppData\Local\Temp\BDMPEG1SETUP.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F4F5C9E9-CFCC-4C65-A8BD-0423A338F188} C:\Users\Admin\AppData\Local\Temp\BDMPEG1SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A1C6833E-A3EC-4397-9FA9-151792F3408F}\ = "Bandisoft MPEG-1 Video Property" C:\Users\Admin\AppData\Local\Temp\BDMPEG1SETUP.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E2E7539A-CECF-4A6A-B187-939943ECEF05}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F4F5C9E9-CFCC-4C65-A8BD-0423A338F188}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F4F5C9E9-CFCC-4C65-A8BD-0423A338F188}\InprocServer32\ThreadingModel = "Both" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E2E7539A-CECF-4A6A-B187-939943ECEF05}\InprocServer32\ = "C:\\Program Files (x86)\\BandiMPEG1\\bdfilters.dll" C:\Users\Admin\AppData\Local\Temp\BDMPEG1SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}\ = "Bandisoft MPEG-1 Video Decoder" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A1C6833E-A3EC-4397-9FA9-151792F3408F}\ = "Bandisoft MPEG-1 Video Property" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A1C6833E-A3EC-4397-9FA9-151792F3408F}\InprocServer32\ThreadingModel = "Both" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E2E7539A-CECF-4A6A-B187-939943ECEF05}\ = "Bandisoft MPEG-1 Audio Decoder" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}\CLSID = "{89C4B786-A490-4A3E-AA70-E6A8C61D3689}" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{E2E7539A-CECF-4A6A-B187-939943ECEF05}\FriendlyName = "Bandisoft MPEG-1 Audio Decoder" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{E2E7539A-CECF-4A6A-B187-939943ECEF05}\CLSID = "{E2E7539A-CECF-4A6A-B187-939943ECEF05}" C:\Windows\system32\regsvr32.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Program Files (x86)\Bandicam\bdcam.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301
d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e C:\Program Files (x86)\Bandicam\bdcam.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Bandicam\bdcam.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\BDMPEG1SETUP.EXE N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\BDMPEG1SETUP.EXE N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\bandicam-1-6-en.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bandicam-1-6-en.exe N/A
Token: 33 N/A C:\Program Files (x86)\Bandicam\bdcam.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Program Files (x86)\Bandicam\bdcam.exe N/A
Token: 33 N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Bandicam\bdcam.exe N/A
N/A N/A C:\Program Files (x86)\Bandicam\bdcam.exe N/A
N/A N/A C:\Program Files (x86)\Bandicam\bdcam.exe N/A
N/A N/A C:\Program Files (x86)\Bandicam\bdcam.exe N/A
N/A N/A C:\Program Files (x86)\Bandicam\bdcam.exe N/A
N/A N/A C:\Program Files (x86)\Bandicam\bdcam.exe N/A
N/A N/A C:\Program Files (x86)\Bandicam\bdcam.exe N/A
N/A N/A C:\Program Files (x86)\Bandicam\bdcam.exe N/A
N/A N/A C:\Program Files (x86)\Bandicam\bdcam.exe N/A
N/A N/A C:\Program Files (x86)\Bandicam\bdcam.exe N/A
N/A N/A C:\Program Files (x86)\Bandicam\bdcam.exe N/A
N/A N/A C:\Program Files (x86)\Bandicam\bdcam.exe N/A
N/A N/A C:\Program Files (x86)\Bandicam\bdcam.exe N/A
N/A N/A C:\Program Files (x86)\Bandicam\bdcam.exe N/A
N/A N/A C:\Program Files (x86)\Bandicam\bdcam.exe N/A
N/A N/A C:\Program Files (x86)\Bandicam\bdcam.exe N/A
N/A N/A C:\Program Files (x86)\Bandicam\bdcam.exe N/A
N/A N/A C:\Program Files (x86)\Bandicam\bdcam.exe N/A
N/A N/A C:\Program Files (x86)\Bandicam\bdcam.exe N/A
N/A N/A C:\Program Files (x86)\Bandicam\bdcam.exe N/A
N/A N/A C:\Program Files (x86)\Bandicam\bdcam.exe N/A
N/A N/A C:\Program Files (x86)\Bandicam\bdcam.exe N/A
N/A N/A C:\Program Files (x86)\Bandicam\bdcam.exe N/A
N/A N/A C:\Program Files (x86)\Bandicam\bdcam.exe N/A
N/A N/A C:\Program Files (x86)\Bandicam\bdcam.exe N/A
N/A N/A C:\Program Files (x86)\Bandicam\bdcam.exe N/A
N/A N/A C:\Program Files (x86)\Bandicam\bdcam.exe N/A
N/A N/A C:\Program Files (x86)\Bandicam\bdcam.exe N/A
N/A N/A C:\Program Files (x86)\Bandicam\bdcam.exe N/A
N/A N/A C:\Program Files (x86)\Bandicam\bdcam.exe N/A
N/A N/A C:\Program Files (x86)\Bandicam\bdcam.exe N/A
N/A N/A C:\Program Files (x86)\Bandicam\bdcam.exe N/A
N/A N/A C:\Program Files (x86)\Bandicam\bdcam.exe N/A
N/A N/A C:\Program Files (x86)\Bandicam\bdcam.exe N/A
N/A N/A C:\Program Files (x86)\Bandicam\bdcam.exe N/A
N/A N/A C:\Program Files (x86)\Bandicam\bdcam.exe N/A
N/A N/A C:\Program Files (x86)\Bandicam\bdcam.exe N/A
N/A N/A C:\Program Files (x86)\Bandicam\bdcam.exe N/A
N/A N/A C:\Program Files (x86)\Bandicam\bdcam.exe N/A
N/A N/A C:\Program Files (x86)\Bandicam\bdcam.exe N/A
N/A N/A C:\Program Files (x86)\Bandicam\bdcam.exe N/A
N/A N/A C:\Program Files (x86)\Bandicam\bdcam.exe N/A
N/A N/A C:\Program Files (x86)\Bandicam\bdcam.exe N/A
N/A N/A C:\Program Files (x86)\Bandicam\bdcam.exe N/A
N/A N/A C:\Program Files (x86)\Bandicam\bdcam.exe N/A
N/A N/A C:\Program Files (x86)\Bandicam\bdcam.exe N/A
N/A N/A C:\Program Files (x86)\Bandicam\bdcam.exe N/A
N/A N/A C:\Program Files (x86)\Bandicam\bdcam.exe N/A
N/A N/A C:\Program Files (x86)\Bandicam\bdcam.exe N/A
N/A N/A C:\Program Files (x86)\Bandicam\bdcam.exe N/A
N/A N/A C:\Program Files (x86)\Bandicam\bdcam.exe N/A
N/A N/A C:\Program Files (x86)\Bandicam\bdcam.exe N/A
N/A N/A C:\Program Files (x86)\Bandicam\bdcam.exe N/A
N/A N/A C:\Program Files (x86)\Bandicam\bdcam.exe N/A
N/A N/A C:\Program Files (x86)\Bandicam\bdcam.exe N/A
N/A N/A C:\Program Files (x86)\Bandicam\bdcam.exe N/A
N/A N/A C:\Program Files (x86)\Bandicam\bdcam.exe N/A
N/A N/A C:\Program Files (x86)\Bandicam\bdcam.exe N/A
N/A N/A C:\Program Files (x86)\Bandicam\bdcam.exe N/A
N/A N/A C:\Program Files (x86)\Bandicam\bdcam.exe N/A
N/A N/A C:\Program Files (x86)\Bandicam\bdcam.exe N/A
N/A N/A C:\Program Files (x86)\Bandicam\bdcam.exe N/A
N/A N/A C:\Program Files (x86)\Bandicam\bdcam.exe N/A
N/A N/A C:\Program Files (x86)\Bandicam\bdcam.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Bandicam\bdcam.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files (x86)\Bandicam\bdcam.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2808 wrote to memory of 1764 N/A C:\Users\Admin\AppData\Local\Temp\bandicam-1-6-en.exe C:\Users\Admin\AppData\Local\Temp\BDMPEG1SETUP.EXE
PID 2808 wrote to memory of 1764 N/A C:\Users\Admin\AppData\Local\Temp\bandicam-1-6-en.exe C:\Users\Admin\AppData\Local\Temp\BDMPEG1SETUP.EXE
PID 2808 wrote to memory of 1764 N/A C:\Users\Admin\AppData\Local\Temp\bandicam-1-6-en.exe C:\Users\Admin\AppData\Local\Temp\BDMPEG1SETUP.EXE
PID 2808 wrote to memory of 1764 N/A C:\Users\Admin\AppData\Local\Temp\bandicam-1-6-en.exe C:\Users\Admin\AppData\Local\Temp\BDMPEG1SETUP.EXE
PID 2808 wrote to memory of 1764 N/A C:\Users\Admin\AppData\Local\Temp\bandicam-1-6-en.exe C:\Users\Admin\AppData\Local\Temp\BDMPEG1SETUP.EXE
PID 2808 wrote to memory of 1764 N/A C:\Users\Admin\AppData\Local\Temp\bandicam-1-6-en.exe C:\Users\Admin\AppData\Local\Temp\BDMPEG1SETUP.EXE
PID 2808 wrote to memory of 1764 N/A C:\Users\Admin\AppData\Local\Temp\bandicam-1-6-en.exe C:\Users\Admin\AppData\Local\Temp\BDMPEG1SETUP.EXE
PID 1764 wrote to memory of 816 N/A C:\Users\Admin\AppData\Local\Temp\BDMPEG1SETUP.EXE C:\Windows\SysWOW64\regsvr32.exe
PID 1764 wrote to memory of 816 N/A C:\Users\Admin\AppData\Local\Temp\BDMPEG1SETUP.EXE C:\Windows\SysWOW64\regsvr32.exe
PID 1764 wrote to memory of 816 N/A C:\Users\Admin\AppData\Local\Temp\BDMPEG1SETUP.EXE C:\Windows\SysWOW64\regsvr32.exe
PID 1764 wrote to memory of 816 N/A C:\Users\Admin\AppData\Local\Temp\BDMPEG1SETUP.EXE C:\Windows\SysWOW64\regsvr32.exe
PID 1764 wrote to memory of 816 N/A C:\Users\Admin\AppData\Local\Temp\BDMPEG1SETUP.EXE C:\Windows\SysWOW64\regsvr32.exe
PID 1764 wrote to memory of 816 N/A C:\Users\Admin\AppData\Local\Temp\BDMPEG1SETUP.EXE C:\Windows\SysWOW64\regsvr32.exe
PID 1764 wrote to memory of 816 N/A C:\Users\Admin\AppData\Local\Temp\BDMPEG1SETUP.EXE C:\Windows\SysWOW64\regsvr32.exe
PID 816 wrote to memory of 344 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 816 wrote to memory of 344 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 816 wrote to memory of 344 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 816 wrote to memory of 344 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 816 wrote to memory of 344 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 816 wrote to memory of 344 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 816 wrote to memory of 344 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 2808 wrote to memory of 1828 N/A C:\Users\Admin\AppData\Local\Temp\bandicam-1-6-en.exe C:\Program Files (x86)\Bandicam\bdcam.exe
PID 2808 wrote to memory of 1828 N/A C:\Users\Admin\AppData\Local\Temp\bandicam-1-6-en.exe C:\Program Files (x86)\Bandicam\bdcam.exe
PID 2808 wrote to memory of 1828 N/A C:\Users\Admin\AppData\Local\Temp\bandicam-1-6-en.exe C:\Program Files (x86)\Bandicam\bdcam.exe
PID 2808 wrote to memory of 1828 N/A C:\Users\Admin\AppData\Local\Temp\bandicam-1-6-en.exe C:\Program Files (x86)\Bandicam\bdcam.exe
PID 2808 wrote to memory of 1828 N/A C:\Users\Admin\AppData\Local\Temp\bandicam-1-6-en.exe C:\Program Files (x86)\Bandicam\bdcam.exe
PID 2808 wrote to memory of 1828 N/A C:\Users\Admin\AppData\Local\Temp\bandicam-1-6-en.exe C:\Program Files (x86)\Bandicam\bdcam.exe
PID 2808 wrote to memory of 1828 N/A C:\Users\Admin\AppData\Local\Temp\bandicam-1-6-en.exe C:\Program Files (x86)\Bandicam\bdcam.exe
PID 2808 wrote to memory of 272 N/A C:\Users\Admin\AppData\Local\Temp\bandicam-1-6-en.exe C:\Program Files (x86)\Bandicam\bdcam.exe
PID 2808 wrote to memory of 272 N/A C:\Users\Admin\AppData\Local\Temp\bandicam-1-6-en.exe C:\Program Files (x86)\Bandicam\bdcam.exe
PID 2808 wrote to memory of 272 N/A C:\Users\Admin\AppData\Local\Temp\bandicam-1-6-en.exe C:\Program Files (x86)\Bandicam\bdcam.exe
PID 2808 wrote to memory of 272 N/A C:\Users\Admin\AppData\Local\Temp\bandicam-1-6-en.exe C:\Program Files (x86)\Bandicam\bdcam.exe
PID 2808 wrote to memory of 272 N/A C:\Users\Admin\AppData\Local\Temp\bandicam-1-6-en.exe C:\Program Files (x86)\Bandicam\bdcam.exe
PID 2808 wrote to memory of 272 N/A C:\Users\Admin\AppData\Local\Temp\bandicam-1-6-en.exe C:\Program Files (x86)\Bandicam\bdcam.exe
PID 2808 wrote to memory of 272 N/A C:\Users\Admin\AppData\Local\Temp\bandicam-1-6-en.exe C:\Program Files (x86)\Bandicam\bdcam.exe
PID 272 wrote to memory of 1980 N/A C:\Program Files (x86)\Bandicam\bdcam.exe C:\Program Files (x86)\Bandicam\bdcam64.bin
PID 272 wrote to memory of 1980 N/A C:\Program Files (x86)\Bandicam\bdcam.exe C:\Program Files (x86)\Bandicam\bdcam64.bin
PID 272 wrote to memory of 1980 N/A C:\Program Files (x86)\Bandicam\bdcam.exe C:\Program Files (x86)\Bandicam\bdcam64.bin
PID 272 wrote to memory of 1980 N/A C:\Program Files (x86)\Bandicam\bdcam.exe C:\Program Files (x86)\Bandicam\bdcam64.bin

Processes

C:\Users\Admin\AppData\Local\Temp\bandicam-1-6-en.exe

"C:\Users\Admin\AppData\Local\Temp\bandicam-1-6-en.exe"

C:\Users\Admin\AppData\Local\Temp\BDMPEG1SETUP.EXE

C:\Users\Admin\AppData\Local\Temp\BDMPEG1SETUP.EXE /S

C:\Windows\SysWOW64\regsvr32.exe

"regsvr32" /s "C:\Program Files (x86)\BandiMPEG1\bdfilters64.dll"

C:\Windows\system32\regsvr32.exe

/s "C:\Program Files (x86)\BandiMPEG1\bdfilters64.dll"

C:\Program Files (x86)\Bandicam\bdcam.exe

"C:\Program Files (x86)\Bandicam\bdcam.exe" /install

C:\Program Files (x86)\Bandicam\bdcam.exe

"C:\Program Files (x86)\Bandicam\bdcam.exe"

C:\Program Files (x86)\Bandicam\bdcam64.bin

"C:\Program Files (x86)\Bandicam\bdcam64.bin"

C:\Program Files (x86)\Bandicam\bdcam.exe

"C:\Program Files (x86)\Bandicam\bdcam.exe"

C:\Windows\explorer.exe

"C:\Windows\explorer.exe"

C:\Program Files\VideoLAN\VLC\vlc.exe

"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Documents\Bandicam\bdcam 2024-02-22 20-51-58-407.avi"

C:\Program Files\VideoLAN\VLC\vlc.exe

"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Documents\Bandicam\bdcam 2024-02-22 20-51-58-407.avi"

C:\Program Files\VideoLAN\VLC\vlc.exe

"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Documents\Bandicam\bdcam 2024-02-22 20-51-58-407.avi"

C:\Program Files\VideoLAN\VLC\vlc.exe

"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Documents\Bandicam\bdcam 2024-02-22 20-52-09-141.avi"

C:\Program Files\VideoLAN\VLC\vlc.exe

"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Documents\Bandicam\bdcam 2024-02-22 20-52-09-141.avi"

C:\Program Files\VideoLAN\VLC\vlc.exe

"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Documents\Bandicam\bdcam 2024-02-22 20-52-09-141.avi"

C:\Program Files\VideoLAN\VLC\vlc.exe

"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Documents\Bandicam\bdcam 2024-02-22 20-52-09-141.avi"

C:\Program Files\VideoLAN\VLC\vlc.exe

"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Documents\Bandicam\bdcam 2024-02-22 20-52-09-141.avi"

Network

Country Destination Domain Proto
US 8.8.8.8:53 ssl.bandisoft.com udp
KR 52.79.86.85:443 ssl.bandisoft.com tcp
US 8.8.8.8:53 www.bandicam.com udp
US 151.101.2.132:80 www.bandicam.com tcp
US 151.101.2.132:443 www.bandicam.com tcp
US 151.101.2.132:80 www.bandicam.com tcp
US 151.101.2.132:80 www.bandicam.com tcp
US 151.101.2.132:443 www.bandicam.com tcp
US 151.101.2.132:443 www.bandicam.com tcp

Files

\Users\Admin\AppData\Local\Temp\nsoDE7.tmp\LangDLL.dll

MD5 8e806ea2e205dc508a2fb5adda3419db
SHA1 21beab4e309b139fdcca7dd708df8dbbfd2dd5a3
SHA256 86a55734b8802051bbbd0e8c9c506d0ca985bc5c99113e99b309469046133937
SHA512 6b362bdadd6801ceb6106485015a4ae6d227dc04c1397a730ac8fd44b00649876ee7cbd0d7690b41dcaa8451c94e9f5838daa9fbc21f7306740de89667468cc1

\Users\Admin\AppData\Local\Temp\nsoDE7.tmp\UserInfo.dll

MD5 351b802508ee5462cbf7f35454a9dca6
SHA1 7b9a1bc758e10af02124143680f636853b421da1
SHA256 39275ee1767aac3ae0929a3e67a84a921610b45d5cfff3db1641893504d5c78d
SHA512 6b0a4a500597fefaceb5eab79737d4f8dd253bb6bf8c263699314deda417763857b4407457d877b28f7a9c1f40a241d378ccae80c68541ff3f102eac8a6ff8d2

C:\Users\Admin\AppData\Local\Temp\nsoDE7.tmp\ioSpecial.ini

MD5 7fe7cf7235beb5f6a68871062c168d2b
SHA1 27518a1a4fc6004393c66eade8780e6baa293973
SHA256 fdd43e9492775de2a4a5e74980f6ba39131df3f3005ef95bbcc49b9fc1ee1f5e
SHA512 768b907dc8af11d2a645a32647c15a99256ee5cfc471f2eed88db6914e8ba904ba83c9a5ca8f29d7fa7b562de340078802c027719ed193ad83ee2adf2eeec432

\Users\Admin\AppData\Local\Temp\nsoDE7.tmp\InstallOptions.dll

MD5 6e663f1a0de94bc05d64d020da5d6f36
SHA1 c5abb0033776d6ab1f07e5b3568f7d64f90e5b04
SHA256 458b70e1745dc6e768d2338ccf3e6e86436488954ca3763472d8ffec4e7177e4
SHA512 2a037c39f3a08d4a80494227990f36c4fef2f73c4a6ad74dcc334317a1372234c25d08d8b80d79e126881a49fa4b3f2fffe3604c959d9ceceb47acc7192cc6a5

\Users\Admin\AppData\Local\Temp\BDMPEG1SETUP.EXE

MD5 0589ff5a72fe0c792e804734792694f9
SHA1 e27158e3e714625f2adcc27afd83b182e83b037b
SHA256 2705379fddf8dd2841cfd384f48fda20d7012d1524ddc529efcd0631f68db70f
SHA512 ea385c072de2d01a6e5b46dfcb7b7c12011d6138e837fab8fc147bbd0869e251452e645239a4b88cb675e525eb4abff76386d16ec4cb21ffeac6c5e5cdbea7a3

\Users\Admin\AppData\Local\Temp\bdfilters.dll

MD5 ce7771d46984248bdda017f5c6f608f7
SHA1 1dc0f86c9b4752463b59d5070f59f99f63cc5ee5
SHA256 a8e95fede4a8df0bb8881d19f2d81fd87f37118c8e93004e0857cebb996f44a3
SHA512 b1e267f91c05544b4a02e57601e021934ba884eebfc51277cefa917383a1c1ec85ddeb3b5f927885967e46a0cb97adceae81443a6423fbbc2a598e717d279fb3

C:\Program Files (x86)\BandiMPEG1\bdfilters64.dll

MD5 79dd4a67830c508079eccdd8c1332cc4
SHA1 f8a4fba282d40b8c1a9bf7339cec1e3d947d321d
SHA256 87c92d2e700f9a3bc62630be3a92e2df01d8d497afcf30d466d65f926a65f230
SHA512 2605d00cb14957384e1016a1f0e587e8c38a303814374ffeaf74504b8cd92d432c875b72d44b7a8565fa9c209d3d899560c4d47f7bf568a141b7100bd2525545

\Users\Admin\AppData\Local\Temp\nso7226.tmp\System.dll

MD5 c17103ae9072a06da581dec998343fc1
SHA1 b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d
SHA256 dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f
SHA512 d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

\Program Files (x86)\Bandicam\bdcam.exe

MD5 907a27105e6792d926220de1d69f9a90
SHA1 d512f68501ace290604e4ab6f45bfd4361045301
SHA256 c6700c69f3430da3fe9548d116e18b312ede6746eedf24dfd20aa42b6f70e249
SHA512 779d5a0f41ded1cc3b6ab9d8c04d7ce4c2f5bf4207aa56ebf1ae530ac828fd6d953c9d623e815fdaddfba00c7a9da7678cfdaebe3e23e9e8d4538cae7c276a1b

C:\Program Files (x86)\Bandicam\bdcam.dll

MD5 65e41d4d1b4026f613327bc8afa459ea
SHA1 bbb158ecfc93d345e3c64cd9ea7b5f1f0e875f20
SHA256 2ea45b8f233b61fc60058368eac9cec9f4f46f8cebc1f5ca4799a84a82e3e838
SHA512 aeb1177843aba73e7dc0f4672ee51c99d193aade7f88bab89adca12b2833f4420c01cb13424cda2061912df3afca4a1571e9090d44c9ec6ee5460156af558cdd

\Program Files (x86)\Bandicam\uninstall.exe

MD5 40c88c648a1be28d1492a61aef691b89
SHA1 50c001c2cf5b45e10f000ccdaff1b8e830aec41f
SHA256 0f23050433a14ef76b155a35b6bfda26b3c0b2ca58f5668455bad884de7ad7ce
SHA512 fd009303d4c684186ce3d5ae4e34c9507137e6cafaedf5c46797c0265d4225bb715b6cfbef5229bb8774f299ef3ac0c78b67451e59258190f17cee7fa6cb8aaa

\Program Files (x86)\Bandicam\bdfix.exe

MD5 eeed3bd6972c1be2ed04886688db3e60
SHA1 3cb808d109349d5e6612012746a66e259880d0ce
SHA256 95e172c0359f8471d4f538053fe48a54a33cb7f5e64355692ed41e04d21cdeaa
SHA512 c6e1c147ea7e4e3e6fe3e8225342e3a392841eca1a1262e128c1502e75111c6124b7811f8c66aca046bdd8354cb47c536948668ef7b4aee2d2fc21bb52a86bd5

C:\Users\Admin\AppData\Local\Temp\nsoDE7.tmp\ioSpecial.ini

MD5 d37776c31a8b93d2265ac0034845367d
SHA1 84499d98ee6474d901fd19de5d9a8632856f5ee6
SHA256 fc70bdaa453ef99c83577f7510f700d7c53d1a5229aacfb590d6aa3dc7705800
SHA512 effc1c7c0c60b3b6ef0c5c0dfdc01e6ec1136a9c2967d6f0af757f50bea1a3004ff086dfeca50d7f75423e69f0b665725e1e5854e4d357911655945a1309d759

\Program Files (x86)\Bandicam\bdcam64.bin

MD5 2fc6fd53536961b070df7ba5caebf10b
SHA1 224a957cbcc956d2243691a2fca06b233e01b5e4
SHA256 58f7639fc9cfdb8266e48b743cd574c0a371e4286d75f50f8338305824f3dc84
SHA512 6e5cde246eb8a6e86fac139fdbd9d8f58a7d000d60027cf214149bf1544324a0ba56fd822ba0c5a652b095c046d0582f4a71429e20877a8f0325fbb3d05edf62

C:\Program Files (x86)\Bandicam\lang\English.ini

MD5 e85add0df008c9d0c8558d5f3025226b

Analysis: behavioral5

Detonation Overview

Submitted

2024-02-22 20:50

Reported

2024-02-22 20:53

Platform

win7-20240221-es

Max time kernel

119s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$TEMP\BDMPEG1SETUP.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\$TEMP\BDMPEG1SETUP.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$TEMP\BDMPEG1SETUP.exe N/A

Enumerates physical storage devices

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\$TEMP\BDMPEG1SETUP.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\$TEMP\BDMPEG1SETUP.exe

"C:\Users\Admin\AppData\Local\Temp\$TEMP\BDMPEG1SETUP.exe"

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\nsy18D0.tmp\UserInfo.dll

MD5 7579ade7ae1747a31960a228ce02e666
SHA1 8ec8571a296737e819dcf86353a43fcf8ec63351
SHA256 564c80dec62d76c53497c40094db360ff8a36e0dc1bda8383d0f9583138997f5
SHA512 a88bc56e938374c333b0e33cb72951635b5d5a98b9cb2d6785073cbcad23bf4c0f9f69d3b7e87b46c76eb03ced9bb786844ce87656a9e3df4ca24acf43d7a05b

Analysis: behavioral6

Detonation Overview

Submitted

2024-02-22 20:50

Reported

2024-02-22 20:53

Platform

win7-20240221-es

Max time kernel

121s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2364 -s 244

Network

N/A

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-02-22 20:50

Reported

2024-02-22 20:53

Platform

win7-20240220-es

Max time kernel

119s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2720 -s 224

Network

N/A

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-02-22 20:50

Reported

2024-02-22 20:53

Platform

win7-20240220-es

Max time kernel

120s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\bdmpegv64.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\bdmpegv64.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2024-02-22 20:50

Reported

2024-02-22 20:53

Platform

win7-20240221-es

Max time kernel

118s

Max time network

120s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\bdfilters.dll

Signatures

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bdfilters.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A1C6833E-A3EC-4397-9FA9-151792F3408F}\InprocServer32\ThreadingModel = "Both" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E2E7539A-CECF-4A6A-B187-939943ECEF05}\InprocServer32\ThreadingModel = "Both" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}\ = "Bandisoft MPEG-1 Video Decoder" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A1C6833E-A3EC-4397-9FA9-151792F3408F}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bdfilters.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F4F5C9E9-CFCC-4C65-A8BD-0423A338F188}\InprocServer32\ThreadingModel = "Both" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{E2E7539A-CECF-4A6A-B187-939943ECEF05}\FilterData = 02000000010080ff020000000000000030706933000000000000000001000000000000000000000030747933000000006000000070000000317069330800000000000000010000000000000000000000307479330000000060000000800000006175647300001000800000aa00389b715000000000001000800000aa00389b710100000000001000800000aa00389b71 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{89C4B786-A490-4A3E-AA70-E6A8C61D3689} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A1C6833E-A3EC-4397-9FA9-151792F3408F}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E2E7539A-CECF-4A6A-B187-939943ECEF05} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F4F5C9E9-CFCC-4C65-A8BD-0423A338F188}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{89C4B786-A490-4A3E-AA70-E6A8C61D3689} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E2E7539A-CECF-4A6A-B187-939943ECEF05}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}\CLSID = "{89C4B786-A490-4A3E-AA70-E6A8C61D3689}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}\FilterData = 02000000010080ff02000000000000003070693300000000000000000200000000000000000000003074793300000000700000008000000031747933000000007000000090000000317069330800000000000000010000000000000000000000307479330000000070000000a00000007669647300001000800000aa00389b714d50454700001000800000aa00389b714d50473100001000800000aa00389b7100000000000000000000000000000000 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E2E7539A-CECF-4A6A-B187-939943ECEF05}\ = "Bandisoft MPEG-1 Audio Decoder" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A1C6833E-A3EC-4397-9FA9-151792F3408F} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}\InprocServer32\ThreadingModel = "Both" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}\FriendlyName = "Bandisoft MPEG-1 Video Decoder" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{E2E7539A-CECF-4A6A-B187-939943ECEF05} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{E2E7539A-CECF-4A6A-B187-939943ECEF05}\CLSID = "{E2E7539A-CECF-4A6A-B187-939943ECEF05}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F4F5C9E9-CFCC-4C65-A8BD-0423A338F188} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E2E7539A-CECF-4A6A-B187-939943ECEF05}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bdfilters.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F4F5C9E9-CFCC-4C65-A8BD-0423A338F188}\ = "Bandisoft MPEG-1 Audio Property" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F4F5C9E9-CFCC-4C65-A8BD-0423A338F188}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bdfilters.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{E2E7539A-CECF-4A6A-B187-939943ECEF05}\FriendlyName = "Bandisoft MPEG-1 Audio Decoder" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A1C6833E-A3EC-4397-9FA9-151792F3408F}\ = "Bandisoft MPEG-1 Video Property" C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1752 wrote to memory of 2840 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1752 wrote to memory of 2840 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1752 wrote to memory of 2840 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1752 wrote to memory of 2840 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1752 wrote to memory of 2840 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1752 wrote to memory of 2840 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1752 wrote to memory of 2840 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\bdfilters.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\bdfilters.dll

Network

N/A

Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted

2024-02-22 20:50

Reported

2024-02-22 20:53

Platform

win7-20240215-es

Max time kernel

122s

Max time network

124s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\bdfilters64.dll

Signatures

Registers COM server for autorun

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A1C6833E-A3EC-4397-9FA9-151792F3408F}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E2E7539A-CECF-4A6A-B187-939943ECEF05}\InprocServer32\ThreadingModel = "Both" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F4F5C9E9-CFCC-4C65-A8BD-0423A338F188}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F4F5C9E9-CFCC-4C65-A8BD-0423A338F188}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bdfilters64.dll" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F4F5C9E9-CFCC-4C65-A8BD-0423A338F188}\InprocServer32\ThreadingModel = "Both" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bdfilters64.dll" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}\InprocServer32\ThreadingModel = "Both" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A1C6833E-A3EC-4397-9FA9-151792F3408F}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bdfilters64.dll" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A1C6833E-A3EC-4397-9FA9-151792F3408F}\InprocServer32\ThreadingModel = "Both" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E2E7539A-CECF-4A6A-B187-939943ECEF05}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E2E7539A-CECF-4A6A-B187-939943ECEF05}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bdfilters64.dll" C:\Windows\system32\regsvr32.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{E2E7539A-CECF-4A6A-B187-939943ECEF05}\FriendlyName = "Bandisoft MPEG-1 Audio Decoder" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E2E7539A-CECF-4A6A-B187-939943ECEF05} C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F4F5C9E9-CFCC-4C65-A8BD-0423A338F188}\InprocServer32\ThreadingModel = "Both" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}\CLSID = "{89C4B786-A490-4A3E-AA70-E6A8C61D3689}" C:\Windows\system32\regsvr32.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{E2E7539A-CECF-4A6A-B187-939943ECEF05}\FilterData = 02000000010080ff020000000000000030706933000000000000000001000000000000000000000030747933000000006000000070000000317069330800000000000000010000000000000000000000307479330000000060000000800000006175647300001000800000aa00389b715000000000001000800000aa00389b710100000000001000800000aa00389b71 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}\InprocServer32\ThreadingModel = "Both" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E2E7539A-CECF-4A6A-B187-939943ECEF05}\ = "Bandisoft MPEG-1 Audio Decoder" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F4F5C9E9-CFCC-4C65-A8BD-0423A338F188}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bdfilters64.dll" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E2E7539A-CECF-4A6A-B187-939943ECEF05}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F4F5C9E9-CFCC-4C65-A8BD-0423A338F188}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{89C4B786-A490-4A3E-AA70-E6A8C61D3689} C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}\ = "Bandisoft MPEG-1 Video Decoder" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A1C6833E-A3EC-4397-9FA9-151792F3408F}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bdfilters64.dll" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{E2E7539A-CECF-4A6A-B187-939943ECEF05} C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bdfilters64.dll" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A1C6833E-A3EC-4397-9FA9-151792F3408F}\InprocServer32\ThreadingModel = "Both" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F4F5C9E9-CFCC-4C65-A8BD-0423A338F188}\ = "Bandisoft MPEG-1 Audio Property" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A1C6833E-A3EC-4397-9FA9-151792F3408F}\ = "Bandisoft MPEG-1 Video Property" C:\Windows\system32\regsvr32.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}\FilterData = 02000000010080ff02000000000000003070693300000000000000000200000000000000000000003074793300000000700000008000000031747933000000007000000090000000317069330800000000000000010000000000000000000000307479330000000070000000a00000007669647300001000800000aa00389b714d50454700001000800000aa00389b714d50473100001000800000aa00389b7100000000000000000000000000000000 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{E2E7539A-CECF-4A6A-B187-939943ECEF05}\CLSID = "{E2E7539A-CECF-4A6A-B187-939943ECEF05}" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E2E7539A-CECF-4A6A-B187-939943ECEF05}\InprocServer32\ThreadingModel = "Both" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{89C4B786-A490-4A3E-AA70-E6A8C61D3689} C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}\FriendlyName = "Bandisoft MPEG-1 Video Decoder" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A1C6833E-A3EC-4397-9FA9-151792F3408F} C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E2E7539A-CECF-4A6A-B187-939943ECEF05}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bdfilters64.dll" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A1C6833E-A3EC-4397-9FA9-151792F3408F}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F4F5C9E9-CFCC-4C65-A8BD-0423A338F188} C:\Windows\system32\regsvr32.exe N/A

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\bdfilters64.dll

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-22 20:50

Reported

2024-02-22 20:53

Platform

win7-20240221-es

Max time kernel

122s

Max time network

131s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2340 -s 248

Network

N/A

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-02-22 20:50

Reported

2024-02-22 20:53

Platform

win7-20240215-es

Max time kernel

121s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1808 -s 224

Network

N/A

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-02-22 20:50

Reported

2024-02-22 20:53

Platform

win7-20240221-es

Max time kernel

121s

Max time network

129s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\bdmjpeg.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2268 wrote to memory of 2080 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2268 wrote to memory of 2080 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2268 wrote to memory of 2080 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2268 wrote to memory of 2080 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2268 wrote to memory of 2080 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2268 wrote to memory of 2080 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2268 wrote to memory of 2080 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\bdmjpeg.dll,#1

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\bdmjpeg.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-02-22 20:50

Reported

2024-02-22 20:53

Platform

win7-20240221-es

Max time kernel

122s

Max time network

129s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\bdmpega.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1336 wrote to memory of 2148 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 1336 wrote to memory of 2148 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 1336 wrote to memory of 2148 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 1336 wrote to memory of 2148 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 1336 wrote to memory of 2148 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 1336 wrote to memory of 2148 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 1336 wrote to memory of 2148 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\bdmpega.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\bdmpega.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-02-22 20:50

Reported

2024-02-22 20:53

Platform

win7-20240221-es

Max time kernel

122s

Max time network

134s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\bdmpegv.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2268 wrote to memory of 2456 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2268 wrote to memory of 2456 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2268 wrote to memory of 2456 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2268 wrote to memory of 2456 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2268 wrote to memory of 2456 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2268 wrote to memory of 2456 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2268 wrote to memory of 2456 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\bdmpegv.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$SYSDIR\bdmpegv.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral18

Detonation Overview

Submitted

2024-02-22 20:50

Reported

2024-02-22 20:53

Platform

win7-20240221-es

Max time kernel

118s

Max time network

119s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\bdcam.dll,#1

Signatures

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2260 wrote to memory of 2540 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2260 wrote to memory of 2540 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2260 wrote to memory of 2540 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2260 wrote to memory of 2540 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2260 wrote to memory of 2540 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2260 wrote to memory of 2540 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 2260 wrote to memory of 2540 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\bdcam.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\bdcam.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral21

Detonation Overview

Submitted

2024-02-22 20:50

Reported

2024-02-22 20:53

Platform

win7-20240221-es

Max time kernel

119s

Max time network

128s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\bdcam64.dll,#1

Signatures

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\bdcam64.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral22

Detonation Overview

Submitted

2024-02-22 20:50

Reported

2024-02-22 20:53

Platform

win7-20240221-es

Max time kernel

121s

Max time network

128s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\bdcamih.dll,#1

Signatures

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1324 wrote to memory of 2236 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 1324 wrote to memory of 2236 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 1324 wrote to memory of 2236 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 1324 wrote to memory of 2236 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 1324 wrote to memory of 2236 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 1324 wrote to memory of 2236 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 1324 wrote to memory of 2236 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\bdcamih.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\bdcamih.dll,#1

Network

N/A

Files

N/A
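Triage note on the "Suspicious use of WriteProcessMemory" signature that appears in analyses behavioral9, 11, 13, 18 and 22 above. In every case the writer is C:\Windows\system32\rundll32.exe (64-bit) and the target is C:\Windows\SysWOW64\rundll32.exe (32-bit), and the Processes list shows both with the same command line. That is the pattern a 64-bit rundll32.exe produces when it is handed a 32-bit DLL: it starts the SysWOW64 copy with the same arguments, and the sandbox records the parent setting up its freshly created child as writes into that child's memory. The script below is an added example, not part of the sandbox report or of the Bandicam installer, that parses rows in the report's flattened format, collapses the repeated lines, and separates this expected relaunch from a write into an unrelated process. The rows and process list are copied from analysis behavioral22; the final explorer.exe row is constructed purely to show the contrasting verdict and does not occur in the report. The SetWindowsHookEx rows carry no indicator or target detail, so nothing is parsed from them.

```python
"""Triage helper for "Suspicious use of WriteProcessMemory" rows.

Added example, not part of the sandbox report. Parses rows in the
report's own "PID X wrote to memory of Y <indicator> <process> <target>"
layout, collapses duplicates, and labels the expected 64-bit -> 32-bit
rundll32 relaunch separately from writes into an unrelated process.
"""
import re
from collections import Counter
from pathlib import PureWindowsPath

# Assumption: image paths contain no spaces (true for every row on this
# page); paths with spaces would need a delimiter-aware parser.
ROW_RE = re.compile(
    r"^PID (?P<pid>\d+) wrote to memory of (?P<target_pid>\d+) "
    r"(?P<indicator>\S+) (?P<process>\S+) (?P<target>\S+)$"
)

# Seven identical rows copied from analysis behavioral22, plus one
# constructed row (not from the report) that writes into explorer.exe.
SAMPLE_ROWS = (
    ["PID 1324 wrote to memory of 2236 N/A "
     "C:\\Windows\\system32\\rundll32.exe C:\\Windows\\SysWOW64\\rundll32.exe"] * 7
    + ["PID 2236 wrote to memory of 1700 N/A "
       "C:\\Windows\\SysWOW64\\rundll32.exe C:\\Windows\\explorer.exe"]
)

# Processes list from behavioral22: image path -> command line.
SAMPLE_PROCESSES = {
    "C:\\Windows\\system32\\rundll32.exe":
        "rundll32.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\bdcamih.dll,#1",
    "C:\\Windows\\SysWOW64\\rundll32.exe":
        "rundll32.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\bdcamih.dll,#1",
}


def parse_row(row):
    """Split one signature row into its fields; raise on unknown layouts."""
    m = ROW_RE.match(row.strip())
    if not m:
        raise ValueError(f"unrecognised row: {row!r}")
    ev = m.groupdict()
    ev["pid"] = int(ev["pid"])
    ev["target_pid"] = int(ev["target_pid"])
    return ev


def _is_rundll32(path, subdir):
    p = PureWindowsPath(path)
    return p.name.lower() == "rundll32.exe" and p.parent.name.lower() == subdir


def classify(event, processes):
    """Verdict for one parsed event, using the Processes list for context."""
    proc, tgt = event["process"], event["target"]
    same_cmdline = (processes.get(proc) is not None
                    and processes.get(proc) == processes.get(tgt))
    if _is_rundll32(proc, "system32") and _is_rundll32(tgt, "syswow64") and same_cmdline:
        # 64-bit rundll32 given a 32-bit DLL starts the SysWOW64 copy with the
        # same arguments; the writes are the parent setting up its own child.
        return "wow64-relaunch (expected)"
    if PureWindowsPath(proc).name.lower() == PureWindowsPath(tgt).name.lower():
        return "self-spawn, command lines differ (review)"
    return "write into unrelated process (review)"


def triage(rows, processes):
    """Collapse repeated rows and attach a verdict to each distinct event."""
    results = []
    for row, count in Counter(rows).items():   # keeps first-seen order
        ev = parse_row(row)
        results.append({"pid": ev["pid"], "target_pid": ev["target_pid"],
                        "count": count, "verdict": classify(ev, processes)})
    return results


if __name__ == "__main__":
    for r in triage(SAMPLE_ROWS, SAMPLE_PROCESSES):
        print(f"{r['pid']} -> {r['target_pid']} x{r['count']}: {r['verdict']}")
```

The command-line comparison is what turns the verdict from a guess into evidence: a genuine injection that happened to pick the other rundll32.exe as a host would not normally share the parent's exact arguments, and a target that is not rundll32.exe at all falls straight through to manual review.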