Analysis
-
max time kernel
117s -
max time network
126s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
25-05-2024 15:42
Static task
static1
Behavioral task
behavioral1
Sample
Bandicam v7.1/Bandicam_v7.1.1.2158.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
Bandicam v7.1/Bandicam_v7.1.1.2158.exe
Resource
win10v2004-20240426-en
General
-
Target
Bandicam v7.1/Bandicam_v7.1.1.2158.exe
-
Size
32.7MB
-
MD5
4984e0c775ab5231a365b1a1c202a426
-
SHA1
738e02162caf70a354c6ae9a4509464e04c7359c
-
SHA256
0af3e262f17ec535175470767fa2133232bfe5c6cdb4decdae442282b68aa086
-
SHA512
c78d51f81968e4112a3ad2e6a14d37f4331504cedb156cdcc9610de13ada1405f326fdae850c75981ea22d33605d38619c9d23942a7f2b5b3f7e8609428fafcd
-
SSDEEP
786432:s205KPk4uyH7/DQKcGF5snXw2QYSpxrDtG6j+P7ZqsAPcF5:sbSbvQ0F5T2QYIr5vj+vAPG
Malware Config
Extracted
redline
YT-16.05.2024
45.140.147.183:12245
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 3 IoCs
Processes:
resource yara_rule behavioral1/memory/1620-973-0x00000000000D0000-0x0000000000122000-memory.dmp family_redline behavioral1/memory/1620-974-0x00000000000D0000-0x0000000000122000-memory.dmp family_redline behavioral1/memory/1620-975-0x00000000000D0000-0x0000000000122000-memory.dmp family_redline -
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
Processes:
Caused.pifdescription pid process target process PID 1520 created 1200 1520 Caused.pif Explorer.EXE -
Drops file in Drivers directory 2 IoCs
Processes:
Loader.tmpBandicam_v7.1.1.2158.tmpdescription ioc process File opened for modification C:\Windows\System32\drivers\etc\hosts Loader.tmp File opened for modification C:\Windows\System32\drivers\etc\hosts Bandicam_v7.1.1.2158.tmp -
Modifies Windows Firewall 2 TTPs 2 IoCs
Processes:
netsh.exenetsh.exepid process 1052 netsh.exe 2672 netsh.exe -
Executes dropped EXE 12 IoCs
Processes:
Bandicam_v7.1.1.2158.tmpBandicam_v7.1.1.2158.exeDistinguishedListings.exeBandicam_v7.1.1.2158.tmpCaused.pifbdcam.exebdreg.exeLoader.exeLoader.tmpbdreg.exebdcam.exeRegAsm.exepid process 2968 Bandicam_v7.1.1.2158.tmp 2728 Bandicam_v7.1.1.2158.exe 2676 DistinguishedListings.exe 2512 Bandicam_v7.1.1.2158.tmp 1520 Caused.pif 1276 bdcam.exe 372 bdreg.exe 2032 Loader.exe 2024 Loader.tmp 2852 bdreg.exe 2404 bdcam.exe 1620 RegAsm.exe -
Loads dropped DLL 36 IoCs
Processes:
Bandicam_v7.1.1.2158.exeBandicam_v7.1.1.2158.tmpBandicam_v7.1.1.2158.exeBandicam_v7.1.1.2158.tmpcmd.exebdcam.exerundll32.exerundll32.exeregsvr32.exeregsvr32.exeLoader.exeLoader.tmpbdcam.exeExplorer.EXECaused.pifRegAsm.exepid process 2772 Bandicam_v7.1.1.2158.exe 2968 Bandicam_v7.1.1.2158.tmp 2968 Bandicam_v7.1.1.2158.tmp 2728 Bandicam_v7.1.1.2158.exe 2512 Bandicam_v7.1.1.2158.tmp 2512 Bandicam_v7.1.1.2158.tmp 2512 Bandicam_v7.1.1.2158.tmp 2512 Bandicam_v7.1.1.2158.tmp 2512 Bandicam_v7.1.1.2158.tmp 2476 cmd.exe 2512 Bandicam_v7.1.1.2158.tmp 2512 Bandicam_v7.1.1.2158.tmp 2512 Bandicam_v7.1.1.2158.tmp 1276 bdcam.exe 3044 rundll32.exe 3044 rundll32.exe 3044 rundll32.exe 3044 rundll32.exe 3056 rundll32.exe 3056 rundll32.exe 3056 rundll32.exe 3056 rundll32.exe 324 regsvr32.exe 2812 regsvr32.exe 2512 Bandicam_v7.1.1.2158.tmp 2512 Bandicam_v7.1.1.2158.tmp 2032 Loader.exe 2024 Loader.tmp 2024 Loader.tmp 2024 Loader.tmp 2024 Loader.tmp 2024 Loader.tmp 2404 bdcam.exe 1200 Explorer.EXE 1520 Caused.pif 1620 RegAsm.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Registers COM server for autorun 1 TTPs 12 IoCs
Processes:
regsvr32.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}\InprocServer32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}\InprocServer32\ = "C:\\Program Files (x86)\\Bandicam\\bdfilters64.dll" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A1C6833E-A3EC-4397-9FA9-151792F3408F}\InprocServer32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A1C6833E-A3EC-4397-9FA9-151792F3408F}\InprocServer32\ = "C:\\Program Files (x86)\\Bandicam\\bdfilters64.dll" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E2E7539A-CECF-4A6A-B187-939943ECEF05}\InprocServer32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E2E7539A-CECF-4A6A-B187-939943ECEF05}\InprocServer32\ThreadingModel = "Both" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F4F5C9E9-CFCC-4C65-A8BD-0423A338F188}\InprocServer32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F4F5C9E9-CFCC-4C65-A8BD-0423A338F188}\InprocServer32\ = "C:\\Program Files (x86)\\Bandicam\\bdfilters64.dll" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}\InprocServer32\ThreadingModel = "Both" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A1C6833E-A3EC-4397-9FA9-151792F3408F}\InprocServer32\ThreadingModel = "Both" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E2E7539A-CECF-4A6A-B187-939943ECEF05}\InprocServer32\ = "C:\\Program Files (x86)\\Bandicam\\bdfilters64.dll" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F4F5C9E9-CFCC-4C65-A8BD-0423A338F188}\InprocServer32\ThreadingModel = "Both" regsvr32.exe -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in System32 directory 13 IoCs
Processes:
Bandicam_v7.1.1.2158.tmpdescription ioc process File created C:\Windows\system32\bdmpegv64.dll Bandicam_v7.1.1.2158.tmp File created C:\Windows\system32\vcomp140.dll Bandicam_v7.1.1.2158.tmp File created C:\Windows\SysWOW64\vcomp140.dll Bandicam_v7.1.1.2158.tmp File created C:\Windows\system32\bdmjpeg64.dll Bandicam_v7.1.1.2158.tmp File created C:\Windows\system32\bdmpega64.acm Bandicam_v7.1.1.2158.tmp File created C:\Windows\system32\D3DCompiler_47.dll Bandicam_v7.1.1.2158.tmp File created C:\Windows\SysWOW64\bdmjpeg.dll Bandicam_v7.1.1.2158.tmp File created C:\Windows\SysWOW64\bdmpega.acm Bandicam_v7.1.1.2158.tmp File created C:\Windows\SysWOW64\D3DCompiler_47.dll Bandicam_v7.1.1.2158.tmp File created C:\Windows\SysWOW64\d3dx11_43.dll Bandicam_v7.1.1.2158.tmp File opened for modification C:\Windows\system32\bdmjpeg64.dll Bandicam_v7.1.1.2158.tmp File created C:\Windows\system32\d3dx11_43.dll Bandicam_v7.1.1.2158.tmp File created C:\Windows\SysWOW64\bdmpegv.dll Bandicam_v7.1.1.2158.tmp -
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
Processes:
bdcam.exebdcam.exepid process 1276 bdcam.exe 1276 bdcam.exe 2404 bdcam.exe 2404 bdcam.exe -
Drops file in Program Files directory 64 IoCs
Processes:
Bandicam_v7.1.1.2158.tmpBandicam_v7.1.1.2158.tmpLoader.tmpdescription ioc process File created C:\Program Files (x86)\Bandicam\data\is-K90TA.tmp Bandicam_v7.1.1.2158.tmp File opened for modification C:\Program Files (x86)\Bandicam\Loader.exe Bandicam_v7.1.1.2158.tmp File opened for modification C:\Program Files (x86)\Bandicam\bdcam.exe Bandicam_v7.1.1.2158.tmp File created C:\Program Files (x86)\Bandicam\is-96EAC.tmp Bandicam_v7.1.1.2158.tmp File created C:\Program Files (x86)\Bandicam\lang\is-R999R.tmp Bandicam_v7.1.1.2158.tmp File opened for modification C:\Program Files (x86)\Bandicam\bdcam64.dll Bandicam_v7.1.1.2158.tmp File opened for modification C:\Program Files (x86)\Bandicam\msimg32.dll Bandicam_v7.1.1.2158.tmp File opened for modification C:\Program Files (x86)\Bandicam\bdcap32.dll Bandicam_v7.1.1.2158.tmp File created C:\Program Files (x86)\Bandicam\is-0AUG3.tmp Bandicam_v7.1.1.2158.tmp File created C:\Program Files (x86)\Bandicam\is-VCETN.tmp Bandicam_v7.1.1.2158.tmp File created C:\Program Files (x86)\Bandicam\is-E908R.tmp Bandicam_v7.1.1.2158.tmp File created C:\Program Files (x86)\Bandicam\data\is-R6JBO.tmp Bandicam_v7.1.1.2158.tmp File created C:\Program Files (x86)\Bandicam\data\effects\is-FU820.tmp Bandicam_v7.1.1.2158.tmp File opened for modification C:\Program Files (x86)\StrLocalGate\Bandicam_v7.1.1.2158.exe Bandicam_v7.1.1.2158.tmp File created C:\Program Files (x86)\Bandicam\lang\is-8EKE9.tmp Bandicam_v7.1.1.2158.tmp File created C:\Program Files (x86)\Bandicam\is-8M2IS.tmp Bandicam_v7.1.1.2158.tmp File created C:\Program Files (x86)\Bandicam\data\effects\is-BTEM4.tmp Bandicam_v7.1.1.2158.tmp File opened for modification C:\Program Files (x86)\Bandicam\Loader.ini Loader.tmp File opened for modification C:\Program Files (x86)\Bandicam\bdcamih.dll Bandicam_v7.1.1.2158.tmp File opened for modification C:\Program Files (x86)\Bandicam\bdcamvk64.dll Bandicam_v7.1.1.2158.tmp File created C:\Program Files (x86)\Bandicam\unins000.dat Bandicam_v7.1.1.2158.tmp File created C:\Program Files (x86)\Bandicam\is-OOI9Q.tmp Bandicam_v7.1.1.2158.tmp File created C:\Program Files (x86)\Bandicam\is-L9BHB.tmp Bandicam_v7.1.1.2158.tmp File opened for modification C:\Program Files (x86)\Bandicam\bandicam.ini Bandicam_v7.1.1.2158.tmp File opened for modification C:\Program Files (x86)\Bandicam\bdcam32.dll Bandicam_v7.1.1.2158.tmp File created C:\Program Files (x86)\Bandicam\is-HCT3R.tmp Bandicam_v7.1.1.2158.tmp File created C:\Program Files (x86)\Bandicam\data\is-PAIRF.tmp Bandicam_v7.1.1.2158.tmp File opened for modification C:\Program Files (x86)\Bandicam\bdcamvk32.dll Bandicam_v7.1.1.2158.tmp File created C:\Program Files (x86)\Bandicam\data\is-7STJU.tmp Bandicam_v7.1.1.2158.tmp File created C:\Program Files (x86)\Bandicam\is-NB9A4.tmp Bandicam_v7.1.1.2158.tmp File created C:\Program Files (x86)\Bandicam\is-RQO1K.tmp Bandicam_v7.1.1.2158.tmp File created C:\Program Files (x86)\Bandicam\is-UM6E8.tmp Bandicam_v7.1.1.2158.tmp File opened for modification C:\Program Files (x86)\Bandicam\uninstall.dat Bandicam_v7.1.1.2158.tmp File opened for modification C:\Program Files (x86)\Bandicam\bdfilters64.dll Bandicam_v7.1.1.2158.tmp File created C:\Program Files (x86)\Bandicam\is-0ES0H.tmp Bandicam_v7.1.1.2158.tmp File created C:\Program Files (x86)\Bandicam\data\effects\is-37S8R.tmp Bandicam_v7.1.1.2158.tmp File created C:\Program Files (x86)\Bandicam\data\effects\is-8L7AC.tmp Bandicam_v7.1.1.2158.tmp File opened for modification C:\Program Files (x86)\Bandicam\bdcap64.dll Bandicam_v7.1.1.2158.tmp File opened for modification C:\Program Files (x86)\Bandicam\bdfilters.dll Bandicam_v7.1.1.2158.tmp File opened for modification C:\Program Files (x86)\Bandicam\bdfix.exe Bandicam_v7.1.1.2158.tmp File created C:\Program Files (x86)\Bandicam\data\is-HTGA5.tmp Bandicam_v7.1.1.2158.tmp File created C:\Program Files (x86)\Bandicam\data\is-3BGUT.tmp Bandicam_v7.1.1.2158.tmp File created C:\Program Files (x86)\Bandicam\data\effects\is-UTPHM.tmp Bandicam_v7.1.1.2158.tmp File created C:\Program Files (x86)\Bandicam\lang\is-MJRT3.tmp Bandicam_v7.1.1.2158.tmp File created C:\Program Files (x86)\StrLocalGate\is-RH9ID.tmp Bandicam_v7.1.1.2158.tmp File created C:\Program Files (x86)\Bandicam\is-CAME2.tmp Bandicam_v7.1.1.2158.tmp File created C:\Program Files (x86)\Bandicam\is-1BNIT.tmp Bandicam_v7.1.1.2158.tmp File created C:\Program Files (x86)\Bandicam\is-2JOCF.tmp Bandicam_v7.1.1.2158.tmp File created C:\Program Files (x86)\Bandicam\is-NKHH7.tmp Bandicam_v7.1.1.2158.tmp File created C:\Program Files (x86)\Bandicam\data\effects\is-KCK0J.tmp Bandicam_v7.1.1.2158.tmp File created C:\Program Files (x86)\Bandicam\data\effects\is-AUARD.tmp Bandicam_v7.1.1.2158.tmp File created C:\Program Files (x86)\Bandicam\lang\is-C1I5V.tmp Bandicam_v7.1.1.2158.tmp File created C:\Program Files (x86)\Bandicam\lang\is-JK9DP.tmp Bandicam_v7.1.1.2158.tmp File opened for modification C:\Program Files (x86)\Bandicam\encap64.dll Bandicam_v7.1.1.2158.tmp File created C:\Program Files (x86)\Bandicam\is-PCSFO.tmp Bandicam_v7.1.1.2158.tmp File created C:\Program Files (x86)\Bandicam\is-41E6H.tmp Bandicam_v7.1.1.2158.tmp File created C:\Program Files (x86)\Bandicam\is-VCVGH.tmp Bandicam_v7.1.1.2158.tmp File created C:\Program Files (x86)\Bandicam\is-RJR3K.tmp Bandicam_v7.1.1.2158.tmp File created C:\Program Files (x86)\Bandicam\data\is-TQOU6.tmp Bandicam_v7.1.1.2158.tmp File created C:\Program Files (x86)\Bandicam\data\effects\is-0HLJM.tmp Bandicam_v7.1.1.2158.tmp File created C:\Program Files (x86)\Bandicam\bdcam_safemode.lnk Bandicam_v7.1.1.2158.tmp File created C:\Program Files (x86)\Bandicam\is-I0J5A.tmp Bandicam_v7.1.1.2158.tmp File created C:\Program Files (x86)\Bandicam\data\is-R7DHU.tmp Bandicam_v7.1.1.2158.tmp File opened for modification C:\Program Files (x86)\Bandicam\unins000.dat Bandicam_v7.1.1.2158.tmp -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Enumerates processes with tasklist 1 TTPs 2 IoCs
Processes:
tasklist.exetasklist.exepid process 660 tasklist.exe 2148 tasklist.exe -
Processes:
Bandicam_v7.1.1.2158.tmpdescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION Bandicam_v7.1.1.2158.tmp Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION\bdcam.exe = "11000" Bandicam_v7.1.1.2158.tmp Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_SCRIPTURL_MITIGATION Bandicam_v7.1.1.2158.tmp Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_SCRIPTURL_MITIGATION\bdcam.exe = "1" Bandicam_v7.1.1.2158.tmp -
Modifies registry class 64 IoCs
Processes:
regsvr32.exeregsvr32.exebdcam.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E2E7539A-CECF-4A6A-B187-939943ECEF05}\InprocServer32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}\FriendlyName = "Bandicam MPEG-1 Video Decoder" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E2E7539A-CECF-4A6A-B187-939943ECEF05}\InprocServer32\ = "C:\\Program Files (x86)\\Bandicam\\bdfilters.dll" regsvr32.exe Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\BANDICAM.bfix\ = "BandiFix Recovery File" bdcam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A1C6833E-A3EC-4397-9FA9-151792F3408F}\InprocServer32\ = "C:\\Program Files (x86)\\Bandicam\\bdfilters.dll" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A1C6833E-A3EC-4397-9FA9-151792F3408F}\InprocServer32\ThreadingModel = "Both" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E2E7539A-CECF-4A6A-B187-939943ECEF05}\InprocServer32\ThreadingModel = "Both" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F4F5C9E9-CFCC-4C65-A8BD-0423A338F188} regsvr32.exe Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\BANDICAM.bfix\DefaultIcon\ = "C:\\Program Files (x86)\\Bandicam\\bdfix.exe" bdcam.exe Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\BANDICAM.bfix\Shell\Open\Command\ = "\"C:\\Program Files (x86)\\Bandicam\\bdfix.exe\"\"%1\"" bdcam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{E2E7539A-CECF-4A6A-B187-939943ECEF05}\CLSID = "{E2E7539A-CECF-4A6A-B187-939943ECEF05}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{E2E7539A-CECF-4A6A-B187-939943ECEF05}\CLSID = "{E2E7539A-CECF-4A6A-B187-939943ECEF05}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}\InprocServer32\ThreadingModel = "Both" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F4F5C9E9-CFCC-4C65-A8BD-0423A338F188}\InprocServer32 regsvr32.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{E2E7539A-CECF-4A6A-B187-939943ECEF05}\FilterData = 02000000010080ff020000000000000030706933000000000000000001000000000000000000000030747933000000006000000070000000317069330800000000000000010000000000000000000000307479330000000060000000800000006175647300001000800000aa00389b715000000000001000800000aa00389b710100000000001000800000aa00389b71 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{89C4B786-A490-4A3E-AA70-E6A8C61D3689} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A1C6833E-A3EC-4397-9FA9-151792F3408F}\ = "Bandicam MPEG-1 Video Property" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E2E7539A-CECF-4A6A-B187-939943ECEF05} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}\CLSID = "{89C4B786-A490-4A3E-AA70-E6A8C61D3689}" regsvr32.exe Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\BANDICAM.bfix\DefaultIcon bdcam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F4F5C9E9-CFCC-4C65-A8BD-0423A338F188}\ = "Bandicam MPEG-1 Audio Property" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}\InprocServer32\ = "C:\\Program Files (x86)\\Bandicam\\bdfilters.dll" regsvr32.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{E2E7539A-CECF-4A6A-B187-939943ECEF05}\FilterData = 02000000010080ff020000000000000030706933000000000000000001000000000000000000000030747933000000006000000070000000317069330800000000000000010000000000000000000000307479330000000060000000800000006175647300001000800000aa00389b715000000000001000800000aa00389b710100000000001000800000aa00389b71 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}\ = "Bandicam MPEG-1 Video Decoder" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{E2E7539A-CECF-4A6A-B187-939943ECEF05} regsvr32.exe Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.bfix\ = "BANDICAM.bfix" bdcam.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}\InprocServer32 regsvr32.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}\FilterData = 02000000010080ff02000000000000003070693300000000000000000200000000000000000000003074793300000000700000008000000031747933000000007000000090000000317069330800000000000000010000000000000000000000307479330000000070000000a00000007669647300001000800000aa00389b714d50454700001000800000aa00389b714d50473100001000800000aa00389b7100000000000000000000000000000000 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}\CLSID = "{89C4B786-A490-4A3E-AA70-E6A8C61D3689}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{E2E7539A-CECF-4A6A-B187-939943ECEF05}\FriendlyName = "Bandicam MPEG-1 Audio Decoder" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}\ = "Bandicam MPEG-1 Video Decoder" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F4F5C9E9-CFCC-4C65-A8BD-0423A338F188}\InprocServer32\ThreadingModel = "Both" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A1C6833E-A3EC-4397-9FA9-151792F3408F}\ = "Bandicam MPEG-1 Video Property" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F4F5C9E9-CFCC-4C65-A8BD-0423A338F188}\InprocServer32\ThreadingModel = "Both" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E2E7539A-CECF-4A6A-B187-939943ECEF05}\ = "Bandicam MPEG-1 Audio Decoder" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E2E7539A-CECF-4A6A-B187-939943ECEF05}\InprocServer32\ThreadingModel = "Both" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F4F5C9E9-CFCC-4C65-A8BD-0423A338F188}\ = "Bandicam MPEG-1 Audio Property" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{89C4B786-A490-4A3E-AA70-E6A8C61D3689} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}\FriendlyName = "Bandicam MPEG-1 Video Decoder" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A1C6833E-A3EC-4397-9FA9-151792F3408F}\InprocServer32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}\InprocServer32\ThreadingModel = "Both" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F4F5C9E9-CFCC-4C65-A8BD-0423A338F188}\InprocServer32\ = "C:\\Program Files (x86)\\Bandicam\\bdfilters64.dll" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{89C4B786-A490-4A3E-AA70-E6A8C61D3689} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A1C6833E-A3EC-4397-9FA9-151792F3408F} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A1C6833E-A3EC-4397-9FA9-151792F3408F}\InprocServer32\ThreadingModel = "Both" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E2E7539A-CECF-4A6A-B187-939943ECEF05} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F4F5C9E9-CFCC-4C65-A8BD-0423A338F188} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A1C6833E-A3EC-4397-9FA9-151792F3408F} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{E2E7539A-CECF-4A6A-B187-939943ECEF05}\FriendlyName = "Bandicam MPEG-1 Audio Decoder" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F4F5C9E9-CFCC-4C65-A8BD-0423A338F188}\InprocServer32\ = "C:\\Program Files (x86)\\Bandicam\\bdfilters.dll" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{E2E7539A-CECF-4A6A-B187-939943ECEF05} regsvr32.exe Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\BANDICAM.bfix\Shell\Open bdcam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}\InprocServer32\ = "C:\\Program Files (x86)\\Bandicam\\bdfilters64.dll" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}\InprocServer32 regsvr32.exe Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.bfix bdcam.exe Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\BANDICAM.bfix\Shell\Open\Command bdcam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E2E7539A-CECF-4A6A-B187-939943ECEF05}\InprocServer32\ = "C:\\Program Files (x86)\\Bandicam\\bdfilters64.dll" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E2E7539A-CECF-4A6A-B187-939943ECEF05}\InprocServer32 regsvr32.exe Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\BANDICAM.bfix bdcam.exe Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\BANDICAM.bfix\Shell bdcam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E2E7539A-CECF-4A6A-B187-939943ECEF05}\ = "Bandicam MPEG-1 Audio Decoder" regsvr32.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}\FilterData = 02000000010080ff02000000000000003070693300000000000000000200000000000000000000003074793300000000700000008000000031747933000000007000000090000000317069330800000000000000010000000000000000000000307479330000000070000000a00000007669647300001000800000aa00389b714d50454700001000800000aa00389b714d50473100001000800000aa00389b7100000000000000000000000000000000 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A1C6833E-A3EC-4397-9FA9-151792F3408F}\InprocServer32 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F4F5C9E9-CFCC-4C65-A8BD-0423A338F188}\InprocServer32 regsvr32.exe -
Processes:
RegAsm.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 RegAsm.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61 RegAsm.exe -
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 20 IoCs
Processes:
Bandicam_v7.1.1.2158.tmpCaused.pifBandicam_v7.1.1.2158.tmpbdcam.exeLoader.tmpbdcam.exeRegAsm.exepid process 2968 Bandicam_v7.1.1.2158.tmp 2968 Bandicam_v7.1.1.2158.tmp 1520 Caused.pif 1520 Caused.pif 1520 Caused.pif 2512 Bandicam_v7.1.1.2158.tmp 2512 Bandicam_v7.1.1.2158.tmp 2512 Bandicam_v7.1.1.2158.tmp 1276 bdcam.exe 2512 Bandicam_v7.1.1.2158.tmp 2512 Bandicam_v7.1.1.2158.tmp 2024 Loader.tmp 2024 Loader.tmp 2404 bdcam.exe 2404 bdcam.exe 1520 Caused.pif 1520 Caused.pif 1620 RegAsm.exe 1620 RegAsm.exe 1620 RegAsm.exe -
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes:
tasklist.exetasklist.exebdcam.exeRegAsm.exedescription pid process Token: SeDebugPrivilege 660 tasklist.exe Token: SeDebugPrivilege 2148 tasklist.exe Token: 33 2404 bdcam.exe Token: SeIncBasePriorityPrivilege 2404 bdcam.exe Token: SeDebugPrivilege 1620 RegAsm.exe -
Suspicious use of FindShellTrayWindow 6 IoCs
Processes:
Bandicam_v7.1.1.2158.tmpCaused.pifBandicam_v7.1.1.2158.tmpbdcam.exepid process 2968 Bandicam_v7.1.1.2158.tmp 1520 Caused.pif 1520 Caused.pif 1520 Caused.pif 2512 Bandicam_v7.1.1.2158.tmp 2404 bdcam.exe -
Suspicious use of SendNotifyMessage 4 IoCs
Processes:
Caused.pifbdcam.exepid process 1520 Caused.pif 1520 Caused.pif 1520 Caused.pif 2404 bdcam.exe -
Suspicious use of SetWindowsHookEx 5 IoCs
Processes:
bdcam.exebdcam.exepid process 1276 bdcam.exe 2404 bdcam.exe 2404 bdcam.exe 2404 bdcam.exe 2404 bdcam.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
Bandicam_v7.1.1.2158.exeBandicam_v7.1.1.2158.tmpBandicam_v7.1.1.2158.exeDistinguishedListings.execmd.exeBandicam_v7.1.1.2158.tmpdescription pid process target process PID 2772 wrote to memory of 2968 2772 Bandicam_v7.1.1.2158.exe Bandicam_v7.1.1.2158.tmp PID 2772 wrote to memory of 2968 2772 Bandicam_v7.1.1.2158.exe Bandicam_v7.1.1.2158.tmp PID 2772 wrote to memory of 2968 2772 Bandicam_v7.1.1.2158.exe Bandicam_v7.1.1.2158.tmp PID 2772 wrote to memory of 2968 2772 Bandicam_v7.1.1.2158.exe Bandicam_v7.1.1.2158.tmp PID 2772 wrote to memory of 2968 2772 Bandicam_v7.1.1.2158.exe Bandicam_v7.1.1.2158.tmp PID 2772 wrote to memory of 2968 2772 Bandicam_v7.1.1.2158.exe Bandicam_v7.1.1.2158.tmp PID 2772 wrote to memory of 2968 2772 Bandicam_v7.1.1.2158.exe Bandicam_v7.1.1.2158.tmp PID 2968 wrote to memory of 2728 2968 Bandicam_v7.1.1.2158.tmp Bandicam_v7.1.1.2158.exe PID 2968 wrote to memory of 2728 2968 Bandicam_v7.1.1.2158.tmp Bandicam_v7.1.1.2158.exe PID 2968 wrote to memory of 2728 2968 Bandicam_v7.1.1.2158.tmp Bandicam_v7.1.1.2158.exe PID 2968 wrote to memory of 2728 2968 Bandicam_v7.1.1.2158.tmp Bandicam_v7.1.1.2158.exe PID 2968 wrote to memory of 2676 2968 Bandicam_v7.1.1.2158.tmp DistinguishedListings.exe PID 2968 wrote to memory of 2676 2968 Bandicam_v7.1.1.2158.tmp DistinguishedListings.exe PID 2968 wrote to memory of 2676 2968 Bandicam_v7.1.1.2158.tmp DistinguishedListings.exe PID 2968 wrote to memory of 2676 2968 Bandicam_v7.1.1.2158.tmp DistinguishedListings.exe PID 2728 wrote to memory of 2512 2728 Bandicam_v7.1.1.2158.exe Bandicam_v7.1.1.2158.tmp PID 2728 wrote to memory of 2512 2728 Bandicam_v7.1.1.2158.exe Bandicam_v7.1.1.2158.tmp PID 2728 wrote to memory of 2512 2728 Bandicam_v7.1.1.2158.exe Bandicam_v7.1.1.2158.tmp PID 2728 wrote to memory of 2512 2728 Bandicam_v7.1.1.2158.exe Bandicam_v7.1.1.2158.tmp PID 2728 wrote to memory of 2512 2728 Bandicam_v7.1.1.2158.exe Bandicam_v7.1.1.2158.tmp PID 2728 wrote to memory of 2512 2728 Bandicam_v7.1.1.2158.exe Bandicam_v7.1.1.2158.tmp PID 2728 wrote to memory of 2512 2728 Bandicam_v7.1.1.2158.exe Bandicam_v7.1.1.2158.tmp PID 2676 wrote to memory of 2476 2676 DistinguishedListings.exe cmd.exe PID 2676 wrote to memory of 2476 2676 DistinguishedListings.exe cmd.exe PID 2676 wrote to memory of 2476 2676 DistinguishedListings.exe cmd.exe PID 2676 wrote to memory of 2476 2676 DistinguishedListings.exe cmd.exe PID 2476 wrote to memory of 660 2476 cmd.exe tasklist.exe PID 2476 wrote to memory of 660 2476 cmd.exe tasklist.exe PID 2476 wrote to memory of 660 2476 cmd.exe tasklist.exe PID 2476 wrote to memory of 660 2476 cmd.exe tasklist.exe PID 2476 wrote to memory of 528 2476 cmd.exe findstr.exe PID 2476 wrote to memory of 528 2476 cmd.exe findstr.exe PID 2476 wrote to memory of 528 2476 cmd.exe findstr.exe PID 2476 wrote to memory of 528 2476 cmd.exe findstr.exe PID 2476 wrote to memory of 2148 2476 cmd.exe tasklist.exe PID 2476 wrote to memory of 2148 2476 cmd.exe tasklist.exe PID 2476 wrote to memory of 2148 2476 cmd.exe tasklist.exe PID 2476 wrote to memory of 2148 2476 cmd.exe tasklist.exe PID 2476 wrote to memory of 944 2476 cmd.exe findstr.exe PID 2476 wrote to memory of 944 2476 cmd.exe findstr.exe PID 2476 wrote to memory of 944 2476 cmd.exe findstr.exe PID 2476 wrote to memory of 944 2476 cmd.exe findstr.exe PID 2476 wrote to memory of 1192 2476 cmd.exe cmd.exe PID 2476 wrote to memory of 1192 2476 cmd.exe cmd.exe PID 2476 wrote to memory of 1192 2476 cmd.exe cmd.exe PID 2476 wrote to memory of 1192 2476 cmd.exe cmd.exe PID 2476 wrote to memory of 1352 2476 cmd.exe findstr.exe PID 2476 wrote to memory of 1352 2476 cmd.exe findstr.exe PID 2476 wrote to memory of 1352 2476 cmd.exe findstr.exe PID 2476 wrote to memory of 1352 2476 cmd.exe findstr.exe PID 2476 wrote to memory of 1816 2476 cmd.exe cmd.exe PID 2476 wrote to memory of 1816 2476 cmd.exe cmd.exe PID 2476 wrote to memory of 1816 2476 cmd.exe cmd.exe PID 2476 wrote to memory of 1816 2476 cmd.exe cmd.exe PID 2476 wrote to memory of 1520 2476 cmd.exe Caused.pif PID 2476 wrote to memory of 1520 2476 cmd.exe Caused.pif PID 2476 wrote to memory of 1520 2476 cmd.exe Caused.pif PID 2476 wrote to memory of 1520 2476 cmd.exe Caused.pif PID 2476 wrote to memory of 2108 2476 cmd.exe PING.EXE PID 2476 wrote to memory of 2108 2476 cmd.exe PING.EXE PID 2476 wrote to memory of 2108 2476 cmd.exe PING.EXE PID 2476 wrote to memory of 2108 2476 cmd.exe PING.EXE PID 2512 wrote to memory of 1276 2512 Bandicam_v7.1.1.2158.tmp bdcam.exe PID 2512 wrote to memory of 1276 2512 Bandicam_v7.1.1.2158.tmp bdcam.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\Bandicam v7.1\Bandicam_v7.1.1.2158.exe"C:\Users\Admin\AppData\Local\Temp\Bandicam v7.1\Bandicam_v7.1.1.2158.exe"2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\is-FA1OP.tmp\Bandicam_v7.1.1.2158.tmp"C:\Users\Admin\AppData\Local\Temp\is-FA1OP.tmp\Bandicam_v7.1.1.2158.tmp" /SL5="$7011E,33493152,807424,C:\Users\Admin\AppData\Local\Temp\Bandicam v7.1\Bandicam_v7.1.1.2158.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\StrLocalGate\Bandicam_v7.1.1.2158.exe"C:\Program Files (x86)\StrLocalGate\Bandicam_v7.1.1.2158.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\is-JAJLA.tmp\Bandicam_v7.1.1.2158.tmp"C:\Users\Admin\AppData\Local\Temp\is-JAJLA.tmp\Bandicam_v7.1.1.2158.tmp" /SL5="$401C4,31228973,185344,C:\Program Files (x86)\StrLocalGate\Bandicam_v7.1.1.2158.exe"5⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Bandicam\bdcam.exe"C:\Program Files (x86)\Bandicam\bdcam.exe" /install6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" "C:\Program Files (x86)\Bandicam\bdcamvk64.dll",RegDll7⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\SysWOW64\rundll32.exe" "C:\Program Files (x86)\Bandicam\bdcamvk32.dll",RegDll7⤵
- Loads dropped DLL
-
C:\Windows\system32\regsvr32.exe"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Bandicam\bdfilters64.dll"6⤵
- Loads dropped DLL
- Registers COM server for autorun
- Modifies registry class
-
C:\Windows\SysWOW64\regsvr32.exe"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Bandicam\bdfilters.dll"6⤵
- Loads dropped DLL
- Modifies registry class
-
C:\Users\Admin\AppData\Local\Temp\is-M22VU.tmp\bdreg.exe"C:\Users\Admin\AppData\Local\Temp\is-M22VU.tmp\bdreg.exe"6⤵
- Executes dropped EXE
-
C:\Program Files (x86)\Bandicam\Loader.exe"C:\Program Files (x86)\Bandicam\Loader.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\is-46L4M.tmp\Loader.tmp"C:\Users\Admin\AppData\Local\Temp\is-46L4M.tmp\Loader.tmp" /SL5="$C015C,195428,185344,C:\Program Files (x86)\Bandicam\Loader.exe"7⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\is-HHBS5.tmp\bdreg.exe"C:\Users\Admin\AppData\Local\Temp\is-HHBS5.tmp\bdreg.exe"8⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\is-HHBS5.tmp\BlockFireWallRule.cmd" "8⤵
-
C:\Windows\SysWOW64\chcp.comchcp 12519⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="BlockLicenseCheckBandicamLoader" dir=out action=Block program="C:\Program Files (x86)\Bandicam\bdcam.exe" enable=yes9⤵
- Modifies Windows Firewall
-
C:\Program Files (x86)\Bandicam\bdcam.exe"C:\Program Files (x86)\Bandicam\bdcam.exe"8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\is-M22VU.tmp\BlockFireWallRule.cmd" "6⤵
-
C:\Windows\SysWOW64\chcp.comchcp 12517⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="BlockLicenseCheckBandicam" dir=out action=Block program="C:\Program Files (x86)\Bandicam\bdcam.exe" enable=yes7⤵
- Modifies Windows Firewall
-
C:\StrLocalGate\DistinguishedListings.exe"C:\StrLocalGate\DistinguishedListings.exe"4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k copy Usually Usually.cmd & Usually.cmd & exit5⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\tasklist.exetasklist6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\findstr.exefindstr /I "wrsa.exe opssvc.exe"6⤵
-
C:\Windows\SysWOW64\tasklist.exetasklist6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\findstr.exefindstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"6⤵
-
C:\Windows\SysWOW64\cmd.execmd /c md 563456⤵
-
C:\Windows\SysWOW64\findstr.exefindstr /V "trackinggardenczechquiz" Prague6⤵
-
C:\Windows\SysWOW64\cmd.execmd /c copy /b Monica + Cdna + Athletics + Campaign + Ethical 56345\z6⤵
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\56345\Caused.pif56345\Caused.pif 56345\z6⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\PING.EXEping -n 5 127.0.0.16⤵
- Runs ping.exe
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\56345\RegAsm.exe"C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\56345\RegAsm.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Privilege Escalation
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Impair Defenses
1Disable or Modify System Firewall
1Modify Registry
2Subvert Trust Controls
1Install Root Certificate
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files (x86)\Bandicam\Loader.iniFilesize
54B
MD590b9d2f9b849da3398c222928611cffd
SHA162d78678657417b8e543f0a93193136c07398505
SHA256ea307d27210233fdc6af9991bbddd24ef9a706c775985474372f3306df75a5cc
SHA51250ef275f54baa5294b4c51f16c5320914b249bbd1eb1ba2617c12dac20fc59b833ddf72bbed2b979a4d543eb1b37e1f2a416e8df16a62683a19841a3eb6713d5
-
C:\Program Files (x86)\Bandicam\bdcamvk64.dllFilesize
1.9MB
MD576345bbf3d96b7a6bd670d163400d0cc
SHA1e28a2e8b5be043831836b8d35ca43d07159d2741
SHA2560f2d19b39e41e25b211a22326d61b7fd1aba24b4c8d2914756a2be22fefd79f5
SHA512918213ec8300311ed5bd0bdc5e3ba34e4ede218770434cbc80da03eae8da740dbefbf6d8e9ce78e9d7e3f1b8caf434d2136e94f8d7efd4468c4f13d920212053
-
C:\Program Files (x86)\Bandicam\bdcap64.dllFilesize
21.2MB
MD576012141ceda5d7cbb200137cd3b0f12
SHA17fc7ef17e3147e78ab04abbc3cd79db59a4e8043
SHA2565565bfbd434467599b282a909fe2c1d9740918e7ed134c3287213906dbd84556
SHA5122fbf4c172424ba5c643ee52c6ae552246164a86026905baa7e65c9de8aabc93ebd03c5267f7de9d2578149bb80c7136d57cffb26036ecd07ad1da14cc7d46be1
-
C:\Program Files (x86)\Bandicam\is-1BNIT.tmpFilesize
695KB
MD5b1dcdfd6f61bce5f8a53fbe7a93711f2
SHA1f4e9807202ba141a1a0ff4a21738681ce1d9f480
SHA2562cfd6d38ebedad3f0952253fafaba8e99a2c83b2600793e8ae057d65567fa8ef
SHA512b3e7d222a3ffa1f392c5ed2e4f6d92e99b352f31fae90049ecf8432fc1dd11b9e2bc219666a9d51fd32eca0e5650cdd58e207b82a79aa55554261104bdadbf86
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\56345\zFilesize
390KB
MD5769f028469f4187abcb2ef9d1c4ad148
SHA109c5eec3bc0bfe5184d6b6e89a0622508de51f69
SHA25688826b2cbc9ef6afdf8d414143e66bbc2de0d5f834d33362634a3b123062b21f
SHA5128ee339b3417b02ba8e71af88a7b68d2cc95e2f7e4797a18654dfa80fb27a1b6f226821ae74af4a9ec0f8c05068422cb36603b67bce3918b6749464a9dee14c47
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\AgenciesFilesize
19KB
MD516c9e56cdab65773a62b71ea327daca6
SHA1cf13a7440701d4729fdc1fa41697a9be03445939
SHA256e4aec9c5f7f504ed6d431c2fa12b68dac9862edaa60f78c9596935b3665cb7e2
SHA5120c764e4062ba0f184761c67ee445b31ea0068b71a4c10946e70e5b58abf69e7a28e6a08c30549e17828bbe37e27229ad37bdb8e9a9787a2de1bf3074934c9733
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\AlterFilesize
68KB
MD546523ea1ecfa6cbb2bc001ca2b280578
SHA170dd1636b5b82eb847e7fcc25fbdba098a6ee767
SHA2569418eb47a71f16228a63fc687ead372c432f21429635f0435e3252c4a8002508
SHA51284aa0698b47502e63fab5009d08d9e65f8d5e8461cd50f6d6a2fdf35c7eefa68a0024d3f212ca5e9849d29879e6ca4d403fddb4288898357b192bd3f1900266f
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\ApproximatelyFilesize
62KB
MD547faabcf30b475d0156e7477ec961407
SHA10ca0cef3ecd2cbe153d22aea537b4521653a2191
SHA256b13253f77551f61e70457a14867dd11c3a087bd9fbb1b62425c5ef12b143ee3c
SHA51234b2fe7a3b6cb1f4a976871518f9751366a16e8387fdba9713e578d76b1980cae0eb237e5edd87fd19dae8f533a5eb5a99aaf8219ee18b2af69e9aa2c754bc2e
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\AthleticsFilesize
125KB
MD50b0bf1e2325ccd0789c251ef098285ff
SHA1b00d983c3b4d27a094f49cbecc61de5d7cb430b8
SHA2563bd256d54241bbdcedc027838da70714e0d54a9c0c39e9a26a6a945bdab32055
SHA51268bad482c33c29f5bbdd3f44c120fab15b7516687860cd5172238850ac79f71048d3cb8d3ce91ee7f2c2a6bb67d1769e08e2baab74da7f811e6cf7e4815eaaeb
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\BelgiumFilesize
56KB
MD5f80233eb2b6daa9723b9a8c4ae51b35b
SHA1f08e14f4f246e16ee8674412d3361fb772ec8d20
SHA256fc7685bc2b8d104b2ca76d41e7180941938a936416a0bf6a9289d21c5783284f
SHA5124ef40c195992747c9d80da55320f012446d429df5b41b39e39d6bdfd37bb3ece50c92c6fdd3998adfd9d16d7cdb22d1a801f9f2a0cecb2adddb30a6fdf60140a
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\BladesFilesize
40KB
MD5c009748ee2ef2cfb5a786967d9192842
SHA1dd165130a6a37f4313f3680121997a69866a055b
SHA2566101008df17b7bd21f4a0d3ffd6d1dbd8b0e89013b1f1b3aa6fc5bd8a685571b
SHA5121dd084b24f4ab84d3a6c8e9b737b2820f9393667652a76ab0381ed0bc9d9a6108801cefdd36ecbcbe12613e92ce35ebadb6c2be8fa5658b43d5a019cbd2b1c92
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\CampaignFilesize
60KB
MD500813ef7d503d316883997ca05182d82
SHA19d1b030488dc367220d95210fa82f8128f58071b
SHA2560ab466eebceeb4834758a79e50fee5d929ffdf4f0d5b82213ebaaec325f762e6
SHA512c1f5beb98dd8658f22ed73395977cd4910ec5a2a8b02c050e778f69780c1357b3ddf5985c0ffcb783ae275e138ae997dd5daba7905bf498fd33771b4566f1c00
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\CaptureFilesize
49KB
MD5fd7207599f1bf9d1faa5c1ecdf2ef5d3
SHA1f42c307c220842f9fa8bb3e5f0a985fb4aa74969
SHA256d530ca2475b1351ac146d3d8176746093234f1e627209a32adcaf614e8d480dd
SHA512437ea42114c716a084e4225687baa22ede1265be303343fc1b1ad7d8f9c6f34f2f70dd6615a609aaf983ef3c96309c7be1c872a8a5606b664150a28318259e8b
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\CdnaFilesize
35KB
MD5a9cef18c2e44ac99770f0043f771ffa5
SHA1c15b5d40ba6d7cffa12e628cef838c47be6ee2f2
SHA256ee2e70d4c41d00ec27e439ee90e1beabe903a3774456215c4c311268dbd9fdd8
SHA51235dab83152bbf93a954ea62d03da6ae67edfefb56ee5d406006c959862d403698356fafb409aaf7c2ea527f490cd90ff9f9dcf7e1f71cd8289f330e483b4b995
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\CorrectFilesize
26KB
MD55deebb499de0765b2b73bbbfcaeeea65
SHA1cafa73bd311216a7566f2879c72475e032c2e6da
SHA256661b4bc09f0e4c65d82421aecb90faf5cca7fd7b3cd71949f3767da0c6e44ace
SHA512a3117cd533dc94cb38bc2d97e1a434853b2abf8d7a896d0974f624fbf12f322d6f9be3c53291c5a2b1875f3b1be0b9d8b9fb78a1e191bb91d21cb20b9d0c6531
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\DelhiFilesize
26KB
MD5980484c6ca7441854653018368542fd8
SHA1402277d88dac352d7da9c162c0ff90059cb914b3
SHA2561756ba79e34af55dee321edc65314da59434c82439c844d71af1ac1527c961aa
SHA5127097c19c848d3963f1c43a7ae358a980eeaa33c0a0495513568aafefbdb5e6a9d542e05e49f80c3d7a107c3a4282c714826a13de719af7264ce760263f61f5ee
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\EthicalFilesize
79KB
MD592166ad792080caedd3880d17880c0f4
SHA193c594993b7a31f8f46e1dcdab0fc3c3e2735927
SHA256bab311dc3f1ca85c303befb390fb0e9a44ece39950b4dea201acf53fd1aa4cfe
SHA512356cd441fda7dd3e31cebae47c875bce3b073d7a4dfa92fd9241268c62e891781f85232101ae3848e0052d2b43509b73e3a4977a6f962ccc52fbc1620dacab43
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\GroundwaterFilesize
62KB
MD5e9370ff3145b1d76fa099df8c00d265e
SHA172b2ef78a81d31ffbe8f6c4d58bf7a523c06a656
SHA256f7e918684019bcca45a0137259df805babbb0e4a2c00a42de5acb65a1ced96c4
SHA5128635a1fe315fbf600ae907e92d9317378a08f310e0cef2a45b0d8a8a6c21f28192db95a559ff5d7d21fa786c509c0a518e2b75c32cbe896e5fe081bf5ed517af
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\IndependenceFilesize
21KB
MD55ca8f14661f747021ae2f8ecea5e4d43
SHA150f4efe97afce86e6b1c06fde922b0d3f7668e78
SHA256d360a53faa5c9eeabdaa3be4b069f841b359596e48b16718b5a55bd66d390a1e
SHA512efdecd53e279362def66ebd7045a2e44b7e103f0341984e52c8d5c8a139e82c4075839fab778c131adf7f91fda41e3e4a02195b9a094a429a8862d9e9d89084d
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\MonicaFilesize
91KB
MD533068d1484ace7d09b98b422d12af19a
SHA15bde2f9fe64b6a70898c653723477dfd84c4f8a8
SHA2569d64b095f6a5a7a90e2fd9cbaef0ec34c05a7655f0b60a5096e4f7e618ff96ac
SHA512a4a0634f824fced5636994834ecff0eb2a6052819b55659e122e4ec1a2ae2311eb16811856c9f8756f9349ec2ee95887c77906bd36d916561763669dec740f28
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\PermitFilesize
18KB
MD50775b30b3fab154c5213ddbedabb8be0
SHA15c1d305b21da05ddd5c3bfd486ddca81daf8f951
SHA256c24394708c35c14c14cc1e6533f0d9bc4987d75fd943f8bfd53eb4abf25733a4
SHA512c4e126ac98d067d5842e23712766a1dbebe593a6bb0f7ce5817113f44c681e4687a0f9cd0e7298237ca1154d9a7b55d6c19e47210f8144fe2bee2a162216cec5
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\PickingFilesize
49KB
MD559ed8d8e215bb76a0f0e4d3934656b2c
SHA1e8f90242d5a1ea6ec7141820ec3eaf0f2bb80f38
SHA256aac0fd2a26af5bc248a9f163dc3f0539368ed245411005181971219d891f30df
SHA512036fb199cb8f56caa82fd404c10a43bf896149ed69d9b4d4b0855a0e922fa30ad77d3cb66c7a63f3bd60ba33a94de7daa4a4d909ed1afe25d265acc79c7858ca
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\PragueFilesize
105B
MD50714e5a662cd0e909addcad4ced2ad3f
SHA138a018ebe31b0562cd2f95b45d950b33f1546801
SHA2566496648301e0c143429bd1ed94de5fbc40d2624b47463efb4a8f9da2d7771ab4
SHA5125401c6b959a3e5e9b149f63fb8acac3c5f09b7937fd8a11948306951bb7bd56ee6dea288d2e3e167479d9090c6af2d6d067bcfe7d7eb6634f6a4706e0e0f5b3e
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\QuadFilesize
31KB
MD50196c8face0e36e26939e3287cb61212
SHA1fa40d9f1a7120208256102f3724f7e3e86c6f61b
SHA25641f65248d8075ed991d62e97ddb920d05b6cd84179f80b75ef308661a104e296
SHA512c7aa4db7d5c1ff51f29650f540a2c49f29108d0a3b3ef6f5ec9e00cc3b84f20a382bbc2f2c18eb77c79380040f16f8a0c3a0d1caf30317bf2ad10b7c678509d0
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\SacramentoFilesize
24KB
MD54727853c74f119c46981b61ac8eda367
SHA1c8c4994b04c5b5175c0960e3878d431212a2f4f3
SHA256ddf930d2a7841c75600191b5ac1ea2ce20e0847ffe4fe0150dea3c9c07d1c5b5
SHA51250529d94034bf1a9f8cd319a0d32eba16f08265a33a6a55c8bc80f95873f84057a377f0a47f0e56ab4d6ee0f6cc7f40d277f70ab596681e9c000d14d2bd675a6
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\SambaFilesize
37KB
MD597cd5dc2cc427848c8b8e1581ab4726c
SHA1cfd993d17608b9c670231dedbd17c820860dc269
SHA25644f2b252c7abf576669d113f366411cf125e4d41ec2050d8df99a51dfc99c8ae
SHA512dff07ea3197b44f19ceacc0d3efb33c8c88e062f11f2fcd2e0f80b75250f525720cc723ae2375e57df3c1367c564a06a5d21c4a1ab5cfb2a584b9438265c0e21
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\StainlessFilesize
28KB
MD5876b1ca94dc7115ab48e20e9f5ed1fe9
SHA169e5d1177ede52ab5600f05531b1299f64b3853d
SHA256cf0e1853b3be64646e13ad19d79452571bc87a0bf37cc5cb034b2ef13d5c42d6
SHA5127a317f0638e3f58320ca4ba4bd4210c51824897e2172113c6551f6d023df5a2d69a8f3c1d4a37d02a2ca712a4c710b14fb191444d11ba0c58a4684b24a2ef8e3
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\StatewideFilesize
55KB
MD532cdf261eee852f00656bcc85c2e5910
SHA1fa8d288e01f53ab7793cdde48cee4a2dadbd447e
SHA2561f7d3a1dad50a0f44e3cd982cfe1b79facf3fab3264c9aa311485bf675ce4700
SHA512834a25f6b13f134637ace3867813cf824e2ce695ccb2efc0ee09a6d5bfc557be5dcc44bc547b2e68f2a883bdad40d9d096dcb6fb8a366672b2ddf92bb41346e0
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\StereoFilesize
67KB
MD510371d256f6b8e75346ad82e492780a8
SHA1125f88eaae5dc49717f896c17aadc7a053cd3871
SHA256a702a50d745a2e6053a53b56acebe61562f3d1f8779e4a015f5e67d1b2cc8f76
SHA512c45cacb4c5ccac0365ae9ea3030d2bf1b1b2afe4d5d20fe4528914ebb66e7b9957954edaca921af32639e267958b692701d7d09271686f7b141c62e0172a4b9c
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\StreamsFilesize
33KB
MD5b23e9c03125330a27152fe8c30ae77af
SHA1836d7ecc0eb215eaebbda3a3052a4049315931c0
SHA256ff966cb96671942115c8d19e137edb42f65e0ca2c4cd3e96505d2fd52e407721
SHA5124e828c46db1e8bb06a83407696ed0c61466ec0d32bd91ef8b6ae78d8d31973480e9027f9a90ed9be17a8918672567d7d0c1eb658b3f6ac9a50325d7407884054
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\TaxFilesize
61KB
MD5ce5e43f9a497f1097c30b05fde4745a8
SHA18ab6d307a0b9eab7deebcd0edaee0b1487855173
SHA2568231f2ea6380f5d7a4a6ce923198b3e1b3b7bfa1b1fe062b3c703cd247ca9d1a
SHA512cd7a2a42c7f6681b12ec344d1029519dc57fee9f1241a448ee3816745b4a129e464ba22c99555a784c9fb76b1b30ebdaa936e332c8f4a7822288ac43e5ec4800
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\TiresFilesize
44KB
MD525e570b261dcf40f42b765eaf491cd20
SHA1daede71797167f0c49f37b402869946e96dabe2b
SHA256d13e3bf244cdb2d14087f57b8eeddcb158f623bb3a370d8555c5ac9f7c3f850a
SHA5121a1cbf40a5a84511b12d653a424cef86fd906f6988364ba8e5c8d47281b85c9bc403a9673d0ab9b15c43991bb34bb5471dc8b26e36f4fefc69eace1aaa77b938
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\UsuallyFilesize
24KB
MD53f5fa5969c85c7f644603b66750b23cf
SHA188d34ba91e2a8e8bc97ff20e1c8d16f575b0142a
SHA256468efb2bf6ec09abdd6eba42d585b03924a7c10921e7db4d8848b3d032e08fe8
SHA512c006dd181fc240c8e25aaf924dc7773f05171a736dfe2dd971e7fdebb19e2951ee61b56d85c202888f90d26e3f1932620e97d25419e41ef33827768bfc34187c
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\VanFilesize
14KB
MD59b5d932f579fec083734b3b739ae0d8d
SHA154e5e2113006ecdd7fbceb7b043172e72a0ff50b
SHA2560b0948a698e3db925a2b18d5a75d922af0bdcc3bc5490797303285891a92f647
SHA512d760c12ed2477b57bce7d108fb135d017515bc8ec42102ac598f77b44a614da605d21948a6d38ff2692aaf96de69ab8a50178b701579b32c9ac15c63cf5eaf5a
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\VillageFilesize
25KB
MD5f4542195b327688cc9065472f09bd5e2
SHA156de97a6209b480b18645c2cda6a74d5aec3316f
SHA256271c31aa2127308ef7c97ec951ea3aba0dfe42d712429944e72ce90fe354fa70
SHA512ffc70fe9435fc940fc9d6e71b55b0966d3d16a30bd806ef92b8e21b62401ff435e976f5e315bb914ff290c59bab8a508e614582ed8a618d565dd260fe025d2f2
-
C:\Users\Admin\AppData\Local\Temp\Tmp7CB0.tmpFilesize
2KB
MD51420d30f964eac2c85b2ccfe968eebce
SHA1bdf9a6876578a3e38079c4f8cf5d6c79687ad750
SHA256f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9
SHA5126fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8
-
C:\Users\Admin\AppData\Local\Temp\is-HHBS5.tmp\BlockFireWallRule.cmdFilesize
169B
MD53abd970f759e0897bb38a939fcaebbbb
SHA177aef1b345828d1a9ce944ef257fda265f822479
SHA256c506e8a4547e5d7548ae246a3accf87e6e2970b8ec487f827bf0645186ff6892
SHA512cab8f59e490cd2974b58dbf368c2f1bbf082b77d3a56acff31570977bc14ecab1ffe27d515282b197d47fb312ac34f90df90e39ffabdfb9664251171cd589acb
-
C:\Users\Admin\AppData\Local\Temp\is-M22VU.tmp\1.pngFilesize
23KB
MD51dd55302c74c0d48290a20e4472db1d6
SHA1c13e9e49e887b788ba20f9dee5d8eaf0f6b91a6f
SHA256edfd0a4ed2e6014b415aea57e9a8f3b87b781c09609aaf8d4f269f820706b61a
SHA512b2468db76eb88c5b1fd293ad27b7b4c2b260b6ddb965ba189997251c318a7a33357304178a16d5400fe21901f3c40a2879ac044b20476d53a5bebd9c48e479db
-
C:\Users\Admin\AppData\Local\Temp\is-M22VU.tmp\BlockFireWallRule.cmdFilesize
163B
MD5b468797586d40670acdc7db49ce9d2f0
SHA11eb50fe5bed5168402cd89a72ed76abd7612edfd
SHA2566e9fe354386789625b4faae043d61272552ba746249e7edb7c8e7f60bf575405
SHA512cd44839f26696109e9476c1ce5cebb27fe3bcbfd1f28135976e8cbd05faf8d900595cc53f07829afd485572d4d358fb7e7dabbe1bb12c7884f7c9ce7d31b3152
-
C:\Users\Admin\AppData\Local\Temp\is-M22VU.tmp\Installer net.pngFilesize
11KB
MD51c5bfe3b17ae62449e5f9e42b762f33b
SHA147f77205abb1318baf5e3add0670b7ee9fbb8f24
SHA256567a2d3cea865f672b63e6ff44fc7091173a79fa840c9d20286ecd5429029823
SHA51207e8c8f38e4e8477248092656af2e6844e325e301647a84efd2435d9cf3e5876e17dc1baaf18435f7a90459a6ce35b47fee36f3098b74604e48c87072210cced
-
C:\Users\Admin\AppData\Local\Temp\is-M22VU.tmp\Portable.pngFilesize
23KB
MD589475a0f65e50ee9c484967ebc348ab7
SHA106ba9bcdada628fc6b0a77437c8f700004ae4648
SHA2565f9ca566d37e1f25d19bbf5f885862808cb6b3d1a4dbcca5af812a58ae6fedf9
SHA512d062a31dc8cacc15159e96b18f8aaa01c4457cacc7e0f6cf78b78bc30600dadfc3d12932d6ba72b03197df7d3c2d86757c474774bca3c430d7d0c8710713b0c8
-
C:\Users\Admin\AppData\Local\Temp\is-M22VU.tmp\bdreg.exeFilesize
12KB
MD53b6f2c0f488835f80d67aca8795ce2ef
SHA198bf4a684606c5ea401f38f6c870672ab9fd794a
SHA256e082eb7a81f7bce0602cf5945e270bd61eb52112c1fdff45cbd1144b4435f0bb
SHA51269a3e5b6129a3b42557e16f60732489258ccaa04761025f4a9a53f6bb8aabda428a82fc993a7a89a17f5cbe9285da2fa541b59b785cdf57e17388f0c52b19d2c
-
C:\Users\Admin\AppData\Local\Temp\is-M22VU.tmp\eng.jpgFilesize
704B
MD54ad999118697c0735eed9b5437e2ddd9
SHA16f4c6026e3e31f8eaac4ab9ba633cdc64541a2c1
SHA256ee6d8d45a073ff7c69012cf34b1fa4dafed071e709f64143d57a42be5bb6e7f4
SHA512bf62bca3fa087cedf89c93a2a4952922e6ccf4c1ad356e68db33aae59bc10309fc37d778180ad20f48c8473a9c44fde3614a19c7e762c85588af0ca83c93ecaa
-
C:\Users\Admin\AppData\Local\Temp\is-M22VU.tmp\icon.pngFilesize
1KB
MD50fc3fa76e2b356b4815f67336908eb17
SHA1034d3c447f51b1eabac7e8bab7ea6f0bb03dc3fa
SHA256adc9d51d602878c3992f72f70faca2102e10c39c536724ba3454c67a5059d457
SHA51237a65744159563d9ba8ef2f6c00cc5efa4685d1f5d9edeba622745f85843ccb07aeb1946ae9152e7824d2c96316bd1465c185fe51eb222c1136213303c5159e6
-
C:\Users\Admin\AppData\Local\Temp\is-M22VU.tmp\port neaktiv.pngFilesize
11KB
MD5893aa141cf93c75adeeb0f4e7ec917bc
SHA136bb3105e25671d2aa0da41e6f906f5bc24119f9
SHA256f87de21bac4f7ee32d32f65c6754f57057bcb8b00376f13a9275e86b722c2fd9
SHA5120a630b83b4ad69ccd0a5d48999e8702e3d8e72208a50e0b3efaecaca87d71995b8bc55c1a19918cff75710ad086d552a57bd1e861e7db2303959dc3ba2e7fb87
-
C:\Users\Admin\AppData\Local\Temp\is-M22VU.tmp\stac.pngFilesize
15KB
MD5eaec12cf0e741d23cbf1a100e7dee23e
SHA1d4e20ea202eccedb63c35ee138726fadf16abd9f
SHA256b38e0315691adf47090665ec21aee0c0cb5014246cfe0edf0c1f1ff36c45d2ac
SHA512344c5f14efc854f579e925928ff3b95e213f4cf325e1d80359d7ea756b11f11d756338a921a370f6308abe78981f8f5808f4941b4646d31c7ee1819bb8216c50
-
\Program Files (x86)\Bandicam\bdcam.exeFilesize
13.3MB
MD5d9b55c88134adeb2ce3ecf12dbf255cc
SHA118e189c417fbb4fb3c8622c222481cf24b768ecc
SHA2568b37afb00f007d14a78ad8ddd6fb456a5e3a7d7305e777be5d3c3e004fddbef2
SHA5129dc291e3d651bebe61abfd996dcc818b3b38f9a5b495830c6049a181017938c6198a5807bb201793f19ca59bc19cb2cfbd747b216ccb4c96058eddbff5ad4685
-
\Program Files (x86)\Bandicam\bdcamvk32.dllFilesize
1.5MB
MD5b9a9c5d5205728a80355986c52eecb4a
SHA126ac6ec69a8fff2f0015817460fe7afda1047585
SHA256a9651b954712294491963debfcce854377b58148464b76e60cad328560ad0701
SHA5127d54545c97cd0545e6017dcc72a6181465a347ec94a39704b409e5050efc1a7d3a08eb1dabe3d1f60202a098be634493638708216807596638552ed69561a862
-
\Program Files (x86)\Bandicam\bdfix.exeFilesize
3.5MB
MD5663d6d584f0bfc3f658c5d51a1b04a2a
SHA19567058bb223c759267cfe349a7954954d568eae
SHA2560a2b6d661962cb9f51b501a93eefa630d6d964e5a428d670414a052e35001a3d
SHA5128a21152ca463d8f4bfaf197e3cd37a9f45fe9a1007bbacde211ad28e3b3359a082534c0390c7a04d654f4444c8bf683eaa5f0e0528e45c12a2404249802bd304
-
\Program Files (x86)\Bandicam\msimg32.dllFilesize
27KB
MD5b813a2b492d50a405de0ec2107596131
SHA19b4d092ffa403e0a28c2b17f22737f1db01d3564
SHA256aa4c9f3c22bf60cfa9f17b37b0b90a8a9729d473d9046b7480e97ddaea9d7b3a
SHA5120599a1c02f4e4964a0a881b0fc265fa90fb1212ebb6e629a490aa9a1195daf1eca138b5b67a17171cf4e82d3b8fed10319f1602800fc07f1f527c4df47c0f30c
-
\Program Files (x86)\StrLocalGate\Bandicam_v7.1.1.2158.exeFilesize
30.3MB
MD5b8e04ea04a5e49c3cf1a4abcee368647
SHA1bc9870fe7c65dbb0aca3918c53534f97a3f86f49
SHA256c8e16032aade990ebf98ee2d7aa1c5306cf352a16386babcd859726a0ed67322
SHA512536b1f7a376df68b544be6c4d107c37783f79bf6c62fdf86aa925b74a0e29f7136fca5770b1b4d60ade728d8e00b8c628019fd56a0470c60c6dbd34704176e1b
-
\StrLocalGate\DistinguishedListings.exeFilesize
901KB
MD5b53171a91419e701fc8b9d6f17b0d823
SHA1b98d619173f51464b55407e0a2fbed2d39405459
SHA256469c5003e27982fef60eee7c95b677aa2000c38c327761f253e174347c5a263c
SHA512e722ae4555c148d2720df8a0cef1ca579fb5d1278b76197fa98e5a4e5a2117ec1a4d5f8c08af3f91064688228c441dbc250ab8684eaa23e530222919f28214e0
-
\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\56345\Caused.pifFilesize
915KB
MD5b06e67f9767e5023892d9698703ad098
SHA1acc07666f4c1d4461d3e1c263cf6a194a8dd1544
SHA2568498900e57a490404e7ec4d8159bee29aed5852ae88bd484141780eaadb727bb
SHA5127972c78acebdd86c57d879c12cb407120155a24a52fda23ddb7d9e181dd59dac1eb74f327817adbc364d37c8dc704f8236f3539b4d3ee5a022814924a1616943
-
\Users\Admin\AppData\Local\Temp\is-FA1OP.tmp\Bandicam_v7.1.1.2158.tmpFilesize
3.0MB
MD59885ab752261a129fd7da66832a655a0
SHA1510dfd3c2295fdc3dc96e5f53b73d2df8b9dbb69
SHA256d1d85d70f53b3a2df3c8ed47c0e1292344181eb120d2407c34fbf121eae95ef4
SHA5124caabf20a7696fd71b17834d4611d6610a782bcfda334e2015ac447cd73a1abf7df92a939ce7a50d4781b1ea2cdfa2b673c34e925bdcc9f57b53d9b84e4cd6da
-
\Users\Admin\AppData\Local\Temp\is-JAJLA.tmp\Bandicam_v7.1.1.2158.tmpFilesize
1.5MB
MD522fdea6634bf03f8b7e6080bff43895b
SHA1761cc7eab102003d6d1583dd1cf33e67e34a9cc9
SHA2561316becab4026dc52126f0e1f82cf2822ce3eff5fa56507d39a5e3449bf182f4
SHA512acf4a57a1240e1657cacf9ca08c37b2413aa97e4e98147461e7d7f22228e184d7833b38e4e1579d62eb264a6daa5896f7d93c57fe230c9cf336c0f441b46c3d1
-
\Users\Admin\AppData\Local\Temp\is-M22VU.tmp\_isetup\_iscrypt.dllFilesize
2KB
MD5a69559718ab506675e907fe49deb71e9
SHA1bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA2562f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63
-
\Users\Admin\AppData\Local\Temp\is-M22VU.tmp\_isetup\_shfoldr.dllFilesize
22KB
MD592dc6ef532fbb4a5c3201469a5b5eb63
SHA13e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA2569884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA5129908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3
-
\Users\Admin\AppData\Local\Temp\is-M22VU.tmp\botva2.dllFilesize
41KB
MD5ef899fa243c07b7b82b3a45f6ec36771
SHA14a86313cc8766dcad1c2b00c2b8f9bbe0cf8bbbe
SHA256da7d0368712ee419952eb2640a65a7f24e39fb7872442ed4d2ee847ec4cfde77
SHA5123f98b5ad9adfad2111ebd1d8cbab9ae423d624d1668cc64c0bfcdbfedf30c1ce3ea6bc6bcf70f7dd1b01172a4349e7c84fb75d395ee5af73866574c1d734c6e8
-
\Users\Admin\AppData\Local\Temp\is-M22VU.tmp\iswin7logo.dllFilesize
74KB
MD57363a2a5949c9f613cde458b89deecb5
SHA1fb25bad5d2625210c4cb47a9c24b853e63d52ae0
SHA256196390762f6393024e0c5d33b037d497c5a8cfdd6c406719c05b0081d7e45cb5
SHA512323f8eb42f355a0dc2df2b5b2d7711842c688f770e4ea8cb671228c60e8f2dbd92468e248a824822a08ee557075b7aaa8e42ca7b870f49c4385c6b2e9227a021
-
memory/372-877-0x0000000000400000-0x000000000041E000-memory.dmpFilesize
120KB
-
memory/372-867-0x0000000000400000-0x000000000041E000-memory.dmpFilesize
120KB
-
memory/1276-847-0x00000000779E0000-0x00000000779E2000-memory.dmpFilesize
8KB
-
memory/1276-845-0x00000000779E0000-0x00000000779E2000-memory.dmpFilesize
8KB
-
memory/1276-843-0x00000000779E0000-0x00000000779E2000-memory.dmpFilesize
8KB
-
memory/1276-848-0x000000013F900000-0x0000000140662000-memory.dmpFilesize
13.4MB
-
memory/1620-973-0x00000000000D0000-0x0000000000122000-memory.dmpFilesize
328KB
-
memory/1620-975-0x00000000000D0000-0x0000000000122000-memory.dmpFilesize
328KB
-
memory/1620-974-0x00000000000D0000-0x0000000000122000-memory.dmpFilesize
328KB
-
memory/2024-957-0x0000000000400000-0x0000000000583000-memory.dmpFilesize
1.5MB
-
memory/2024-910-0x0000000002050000-0x000000000206E000-memory.dmpFilesize
120KB
-
memory/2024-906-0x0000000002050000-0x000000000206E000-memory.dmpFilesize
120KB
-
memory/2032-959-0x0000000000400000-0x0000000000437000-memory.dmpFilesize
220KB
-
memory/2032-880-0x0000000000400000-0x0000000000437000-memory.dmpFilesize
220KB
-
memory/2404-969-0x0000000000310000-0x000000000031A000-memory.dmpFilesize
40KB
-
memory/2404-966-0x000000013F5C0000-0x0000000140322000-memory.dmpFilesize
13.4MB
-
memory/2404-967-0x0000000000310000-0x000000000031A000-memory.dmpFilesize
40KB
-
memory/2404-965-0x00000000779E0000-0x00000000779E2000-memory.dmpFilesize
8KB
-
memory/2404-968-0x0000000000310000-0x000000000031A000-memory.dmpFilesize
40KB
-
memory/2512-91-0x0000000007070000-0x000000000707F000-memory.dmpFilesize
60KB
-
memory/2512-737-0x0000000000400000-0x0000000000586000-memory.dmpFilesize
1.5MB
-
memory/2512-956-0x0000000000400000-0x0000000000586000-memory.dmpFilesize
1.5MB
-
memory/2512-864-0x0000000000400000-0x0000000000586000-memory.dmpFilesize
1.5MB
-
memory/2512-693-0x0000000007070000-0x000000000707F000-memory.dmpFilesize
60KB
-
memory/2512-866-0x0000000007E90000-0x0000000007EAE000-memory.dmpFilesize
120KB
-
memory/2512-692-0x0000000000400000-0x0000000000586000-memory.dmpFilesize
1.5MB
-
memory/2728-960-0x0000000000400000-0x0000000000437000-memory.dmpFilesize
220KB
-
memory/2728-686-0x0000000000400000-0x0000000000437000-memory.dmpFilesize
220KB
-
memory/2728-18-0x0000000000400000-0x0000000000437000-memory.dmpFilesize
220KB
-
memory/2772-0-0x0000000000400000-0x00000000004D2000-memory.dmpFilesize
840KB
-
memory/2772-30-0x0000000000400000-0x00000000004D2000-memory.dmpFilesize
840KB
-
memory/2772-2-0x0000000000401000-0x00000000004B7000-memory.dmpFilesize
728KB
-
memory/2968-8-0x0000000000400000-0x000000000070E000-memory.dmpFilesize
3.1MB
-
memory/2968-28-0x0000000000400000-0x000000000070E000-memory.dmpFilesize
3.1MB