redline | 2ede8d795cc7869a18747f015bd1627643f25f88ba41b9ea8766915fe28fef07

Analysis

max time kernel
147s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
25-05-2024 15:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Bandicam v7.1/Bandicam_v7.1.1.2158.exe
Size

32.7MB
MD5

4984e0c775ab5231a365b1a1c202a426
SHA1

738e02162caf70a354c6ae9a4509464e04c7359c
SHA256

0af3e262f17ec535175470767fa2133232bfe5c6cdb4decdae442282b68aa086
SHA512

c78d51f81968e4112a3ad2e6a14d37f4331504cedb156cdcc9610de13ada1405f326fdae850c75981ea22d33605d38619c9d23942a7f2b5b3f7e8609428fafcd
SSDEEP

786432:s205KPk4uyH7/DQKcGF5snXw2QYSpxrDtG6j+P7ZqsAPcF5:sbSbvQ0F5T2QYIr5vj+vAPG

Score

10^/10

redline yt-16.05.2024 discovery evasion infostealer persistence spyware stealer

Malware Config

Extracted

Family

redline

Botnet

YT-16.05.2024

45.140.147.183:12245

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3564-689-0x0000000000D00000-0x0000000000D52000-memory.dmp	family_redline

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

Caused.pif

description pid process target process

PID 960 created 3436 960 Caused.pif Explorer.EXE

description	pid	process	target process
PID 960 created 3436	960	Caused.pif	Explorer.EXE

Drops file in Drivers directory 2 IoCs

Processes:

Loader.tmpBandicam_v7.1.1.2158.tmp

description	ioc	process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Loader.tmp
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Bandicam_v7.1.1.2158.tmp

Modifies Windows Firewall 2 TTPs 2 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exenetsh.exe

pid process

1372 netsh.exe
1944 netsh.exe

pid	process
1372	netsh.exe
1944	netsh.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

DistinguishedListings.exebdcam.exeBandicam_v7.1.1.2158.tmpLoader.tmp

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	DistinguishedListings.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	bdcam.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	Bandicam_v7.1.1.2158.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	Loader.tmp

Executes dropped EXE 12 IoCs

Processes:

Bandicam_v7.1.1.2158.tmpBandicam_v7.1.1.2158.exeDistinguishedListings.exeBandicam_v7.1.1.2158.tmpCaused.pifRegAsm.exebdcam.exebdreg.exeLoader.exeLoader.tmpbdreg.exebdcam.exe

pid	process
1944	Bandicam_v7.1.1.2158.tmp
3392	Bandicam_v7.1.1.2158.exe
764	DistinguishedListings.exe
5072	Bandicam_v7.1.1.2158.tmp
960	Caused.pif
3564	RegAsm.exe
3668	bdcam.exe
932	bdreg.exe
4684	Loader.exe
4880	Loader.tmp
1732	bdreg.exe
2716	bdcam.exe

Loads dropped DLL 11 IoCs

Processes:

Bandicam_v7.1.1.2158.tmpbdcam.exerundll32.exerundll32.exeregsvr32.exeregsvr32.exeLoader.tmpbdcam.exe

pid	process
5072	Bandicam_v7.1.1.2158.tmp
5072	Bandicam_v7.1.1.2158.tmp
5072	Bandicam_v7.1.1.2158.tmp
5072	Bandicam_v7.1.1.2158.tmp
3668	bdcam.exe
1368	rundll32.exe
1516	rundll32.exe
2124	regsvr32.exe
3240	regsvr32.exe
4880	Loader.tmp
2716	bdcam.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Registers COM server for autorun 1 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Processes:

regsvr32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}\InprocServer32\ = "C:\\Program Files (x86)\\Bandicam\\bdfilters64.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A1C6833E-A3EC-4397-9FA9-151792F3408F}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A1C6833E-A3EC-4397-9FA9-151792F3408F}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E2E7539A-CECF-4A6A-B187-939943ECEF05}\InprocServer32\ = "C:\\Program Files (x86)\\Bandicam\\bdfilters64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F4F5C9E9-CFCC-4C65-A8BD-0423A338F188}\InprocServer32\ = "C:\\Program Files (x86)\\Bandicam\\bdfilters64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F4F5C9E9-CFCC-4C65-A8BD-0423A338F188}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A1C6833E-A3EC-4397-9FA9-151792F3408F}\InprocServer32\ = "C:\\Program Files (x86)\\Bandicam\\bdfilters64.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E2E7539A-CECF-4A6A-B187-939943ECEF05}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E2E7539A-CECF-4A6A-B187-939943ECEF05}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F4F5C9E9-CFCC-4C65-A8BD-0423A338F188}\InprocServer32	regsvr32.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 13 IoCs

Processes:

Bandicam_v7.1.1.2158.tmp

description	ioc	process
File created	C:\Windows\system32\bdmpegv64.dll	Bandicam_v7.1.1.2158.tmp
File created	C:\Windows\system32\vcomp140.dll	Bandicam_v7.1.1.2158.tmp
File created	C:\Windows\SysWOW64\bdmpega.acm	Bandicam_v7.1.1.2158.tmp
File created	C:\Windows\SysWOW64\d3dx11_43.dll	Bandicam_v7.1.1.2158.tmp
File created	C:\Windows\system32\D3DCompiler_47.dll	Bandicam_v7.1.1.2158.tmp
File opened for modification	C:\Windows\system32\bdmjpeg64.dll	Bandicam_v7.1.1.2158.tmp
File created	C:\Windows\system32\bdmpega64.acm	Bandicam_v7.1.1.2158.tmp
File created	C:\Windows\SysWOW64\D3DCompiler_47.dll	Bandicam_v7.1.1.2158.tmp
File created	C:\Windows\SysWOW64\vcomp140.dll	Bandicam_v7.1.1.2158.tmp
File created	C:\Windows\system32\bdmjpeg64.dll	Bandicam_v7.1.1.2158.tmp
File created	C:\Windows\system32\d3dx11_43.dll	Bandicam_v7.1.1.2158.tmp
File created	C:\Windows\SysWOW64\bdmjpeg.dll	Bandicam_v7.1.1.2158.tmp
File created	C:\Windows\SysWOW64\bdmpegv.dll	Bandicam_v7.1.1.2158.tmp

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

bdcam.exebdcam.exe

pid process

3668 bdcam.exe
3668 bdcam.exe
2716 bdcam.exe
2716 bdcam.exe

pid	process
3668	bdcam.exe
3668	bdcam.exe
2716	bdcam.exe
2716	bdcam.exe

Drops file in Program Files directory 64 IoCs

Processes:

Bandicam_v7.1.1.2158.tmpLoader.tmpBandicam_v7.1.1.2158.tmp

description	ioc	process
File opened for modification	C:\Program Files (x86)\Bandicam\bdcam32.dll	Bandicam_v7.1.1.2158.tmp
File created	C:\Program Files (x86)\Bandicam\is-HURHJ.tmp	Bandicam_v7.1.1.2158.tmp
File created	C:\Program Files (x86)\Bandicam\is-U0LNS.tmp	Bandicam_v7.1.1.2158.tmp
File created	C:\Program Files (x86)\Bandicam\data\is-PL3VJ.tmp	Bandicam_v7.1.1.2158.tmp
File created	C:\Program Files (x86)\Bandicam\data\is-078IG.tmp	Bandicam_v7.1.1.2158.tmp
File opened for modification	C:\Program Files (x86)\Bandicam\bdcam64.dll	Bandicam_v7.1.1.2158.tmp
File created	C:\Program Files (x86)\Bandicam\lang\is-IC18I.tmp	Bandicam_v7.1.1.2158.tmp
File created	C:\Program Files (x86)\Bandicam\is-JQ5KI.tmp	Bandicam_v7.1.1.2158.tmp
File opened for modification	C:\Program Files (x86)\Bandicam\uninstall.dat	Bandicam_v7.1.1.2158.tmp
File opened for modification	C:\Program Files (x86)\Bandicam\bdcamvk32.dll	Bandicam_v7.1.1.2158.tmp
File created	C:\Program Files (x86)\Bandicam\data\effects\is-I05VV.tmp	Bandicam_v7.1.1.2158.tmp
File created	C:\Program Files (x86)\Bandicam\data\effects\is-5VPPF.tmp	Bandicam_v7.1.1.2158.tmp
File created	C:\Program Files (x86)\Bandicam\is-TVVHA.tmp	Bandicam_v7.1.1.2158.tmp
File opened for modification	C:\Program Files (x86)\Bandicam\bandicam.ini	Bandicam_v7.1.1.2158.tmp
File opened for modification	C:\Program Files (x86)\Bandicam\bdcamvk64.dll	Bandicam_v7.1.1.2158.tmp
File created	C:\Program Files (x86)\Bandicam\is-0A2HL.tmp	Bandicam_v7.1.1.2158.tmp
File opened for modification	C:\Program Files (x86)\Bandicam\Loader.ini	Loader.tmp
File created	C:\Program Files (x86)\Bandicam\is-46KG0.tmp	Bandicam_v7.1.1.2158.tmp
File created	C:\Program Files (x86)\Bandicam\data\is-Q2KKF.tmp	Bandicam_v7.1.1.2158.tmp
File created	C:\Program Files (x86)\Bandicam\lang\is-B5VAC.tmp	Bandicam_v7.1.1.2158.tmp
File opened for modification	C:\Program Files (x86)\Bandicam\bdfix.exe	Bandicam_v7.1.1.2158.tmp
File created	C:\Program Files (x86)\Bandicam\is-TMGUI.tmp	Bandicam_v7.1.1.2158.tmp
File created	C:\Program Files (x86)\Bandicam\data\is-ULGH8.tmp	Bandicam_v7.1.1.2158.tmp
File created	C:\Program Files (x86)\Bandicam\data\effects\is-Q3E50.tmp	Bandicam_v7.1.1.2158.tmp
File opened for modification	C:\Program Files (x86)\Bandicam\unins000.dat	Bandicam_v7.1.1.2158.tmp
File created	C:\Program Files (x86)\Bandicam\is-C0077.tmp	Bandicam_v7.1.1.2158.tmp
File created	C:\Program Files (x86)\Bandicam\data\effects\is-9U0PG.tmp	Bandicam_v7.1.1.2158.tmp
File opened for modification	C:\Program Files (x86)\Bandicam\bdcam.exe	Bandicam_v7.1.1.2158.tmp
File opened for modification	C:\Program Files (x86)\Bandicam\Loader.exe	Bandicam_v7.1.1.2158.tmp
File created	C:\Program Files (x86)\Bandicam\data\is-H8HDN.tmp	Bandicam_v7.1.1.2158.tmp
File created	C:\Program Files (x86)\Bandicam\lang\is-67BJH.tmp	Bandicam_v7.1.1.2158.tmp
File created	C:\Program Files (x86)\Bandicam\data\is-OFF6F.tmp	Bandicam_v7.1.1.2158.tmp
File created	C:\Program Files (x86)\Bandicam\data\effects\is-CB888.tmp	Bandicam_v7.1.1.2158.tmp
File created	C:\Program Files (x86)\Bandicam\is-E86DJ.tmp	Bandicam_v7.1.1.2158.tmp
File created	C:\Program Files (x86)\Bandicam\data\effects\is-6UHUE.tmp	Bandicam_v7.1.1.2158.tmp
File opened for modification	C:\Program Files (x86)\Bandicam\bdfilters.dll	Bandicam_v7.1.1.2158.tmp
File created	C:\Program Files (x86)\Bandicam\unins000.dat	Bandicam_v7.1.1.2158.tmp
File created	C:\Program Files (x86)\Bandicam\is-JE86O.tmp	Bandicam_v7.1.1.2158.tmp
File created	C:\Program Files (x86)\Bandicam\is-Q9F2B.tmp	Bandicam_v7.1.1.2158.tmp
File created	C:\Program Files (x86)\Bandicam\is-3RO6H.tmp	Bandicam_v7.1.1.2158.tmp
File created	C:\Program Files (x86)\Bandicam\data\is-IU3JB.tmp	Bandicam_v7.1.1.2158.tmp
File opened for modification	C:\Program Files (x86)\Bandicam\bdfilters64.dll	Bandicam_v7.1.1.2158.tmp
File opened for modification	C:\Program Files (x86)\Bandicam\bdcamih.dll	Bandicam_v7.1.1.2158.tmp
File created	C:\Program Files (x86)\Bandicam\is-O0A0E.tmp	Bandicam_v7.1.1.2158.tmp
File created	C:\Program Files (x86)\Bandicam\is-F40RJ.tmp	Bandicam_v7.1.1.2158.tmp
File created	C:\Program Files (x86)\Bandicam\is-PDUU7.tmp	Bandicam_v7.1.1.2158.tmp
File created	C:\Program Files (x86)\Bandicam\data\is-0F7FQ.tmp	Bandicam_v7.1.1.2158.tmp
File created	C:\Program Files (x86)\Bandicam\data\effects\is-3EIVC.tmp	Bandicam_v7.1.1.2158.tmp
File created	C:\Program Files (x86)\Bandicam\bdcam_safemode.lnk	Bandicam_v7.1.1.2158.tmp
File created	C:\Program Files (x86)\Bandicam\is-P97D3.tmp	Bandicam_v7.1.1.2158.tmp
File opened for modification	C:\Program Files (x86)\StrLocalGate\Bandicam_v7.1.1.2158.exe	Bandicam_v7.1.1.2158.tmp
File opened for modification	C:\Program Files (x86)\Bandicam\msimg32.dll	Bandicam_v7.1.1.2158.tmp
File created	C:\Program Files (x86)\Bandicam\is-APBOD.tmp	Bandicam_v7.1.1.2158.tmp
File created	C:\Program Files (x86)\Bandicam\is-3J6N8.tmp	Bandicam_v7.1.1.2158.tmp
File created	C:\Program Files (x86)\Bandicam\is-5R9SN.tmp	Bandicam_v7.1.1.2158.tmp
File opened for modification	C:\Program Files (x86)\Bandicam\encap64.dll	Bandicam_v7.1.1.2158.tmp
File created	C:\Program Files (x86)\Bandicam\is-RP89L.tmp	Bandicam_v7.1.1.2158.tmp
File created	C:\Program Files (x86)\Bandicam\lang\is-DGVE4.tmp	Bandicam_v7.1.1.2158.tmp
File created	C:\Program Files (x86)\StrLocalGate\is-S91DV.tmp	Bandicam_v7.1.1.2158.tmp
File opened for modification	C:\Program Files (x86)\Bandicam\bdcap64.dll	Bandicam_v7.1.1.2158.tmp
File created	C:\Program Files (x86)\Bandicam\is-929JS.tmp	Bandicam_v7.1.1.2158.tmp
File created	C:\Program Files (x86)\Bandicam\data\is-C05LF.tmp	Bandicam_v7.1.1.2158.tmp
File opened for modification	C:\Program Files (x86)\Bandicam\bdcap32.dll	Bandicam_v7.1.1.2158.tmp
File created	C:\Program Files (x86)\Bandicam\data\effects\is-3LHAI.tmp	Bandicam_v7.1.1.2158.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exe

pid process

2268 tasklist.exe
920 tasklist.exe

pid	process
2268	tasklist.exe
920	tasklist.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

Bandicam_v7.1.1.2158.tmp

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION	Bandicam_v7.1.1.2158.tmp
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\bdcam.exe = "11000"	Bandicam_v7.1.1.2158.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_SCRIPTURL_MITIGATION	Bandicam_v7.1.1.2158.tmp
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SCRIPTURL_MITIGATION\bdcam.exe = "1"	Bandicam_v7.1.1.2158.tmp

Modifies registry class 64 IoCs

Processes:

bdcam.exeregsvr32.exeregsvr32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\BANDICAM.bfix\Shell	bdcam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F4F5C9E9-CFCC-4C65-A8BD-0423A338F188}\InprocServer32\ = "C:\\Program Files (x86)\\Bandicam\\bdfilters.dll"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\BANDICAM.bfix	bdcam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A1C6833E-A3EC-4397-9FA9-151792F3408F}\InprocServer32\ = "C:\\Program Files (x86)\\Bandicam\\bdfilters.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{E2E7539A-CECF-4A6A-B187-939943ECEF05}\CLSID = "{E2E7539A-CECF-4A6A-B187-939943ECEF05}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F4F5C9E9-CFCC-4C65-A8BD-0423A338F188}\ = "Bandicam MPEG-1 Audio Property"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{E2E7539A-CECF-4A6A-B187-939943ECEF05}\FriendlyName = "Bandicam MPEG-1 Audio Decoder"	regsvr32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{E2E7539A-CECF-4A6A-B187-939943ECEF05}\FilterData = 02000000010080ff020000000000000030706933000000000000000001000000000000000000000030747933000000006000000070000000317069330800000000000000010000000000000000000000307479330000000060000000800000006175647300001000800000aa00389b715000000000001000800000aa00389b710100000000001000800000aa00389b71	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A1C6833E-A3EC-4397-9FA9-151792F3408F}\ = "Bandicam MPEG-1 Video Property"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A1C6833E-A3EC-4397-9FA9-151792F3408F}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A1C6833E-A3EC-4397-9FA9-151792F3408F}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F4F5C9E9-CFCC-4C65-A8BD-0423A338F188}\ = "Bandicam MPEG-1 Audio Property"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}\ = "Bandicam MPEG-1 Video Decoder"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E2E7539A-CECF-4A6A-B187-939943ECEF05}\ = "Bandicam MPEG-1 Audio Decoder"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{E2E7539A-CECF-4A6A-B187-939943ECEF05}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A1C6833E-A3EC-4397-9FA9-151792F3408F}	regsvr32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{E2E7539A-CECF-4A6A-B187-939943ECEF05}\FilterData = 02000000010080ff020000000000000030706933000000000000000001000000000000000000000030747933000000006000000070000000317069330800000000000000010000000000000000000000307479330000000060000000800000006175647300001000800000aa00389b715000000000001000800000aa00389b710100000000001000800000aa00389b71	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A1C6833E-A3EC-4397-9FA9-151792F3408F}\ = "Bandicam MPEG-1 Video Property"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A1C6833E-A3EC-4397-9FA9-151792F3408F}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\BANDICAM.bfix\ = "BandiFix Recovery File"	bdcam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A1C6833E-A3EC-4397-9FA9-151792F3408F}\InprocServer32\ = "C:\\Program Files (x86)\\Bandicam\\bdfilters64.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{E2E7539A-CECF-4A6A-B187-939943ECEF05}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F4F5C9E9-CFCC-4C65-A8BD-0423A338F188}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A1C6833E-A3EC-4397-9FA9-151792F3408F}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E2E7539A-CECF-4A6A-B187-939943ECEF05}\InprocServer32\ = "C:\\Program Files (x86)\\Bandicam\\bdfilters64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F4F5C9E9-CFCC-4C65-A8BD-0423A338F188}\InprocServer32\ = "C:\\Program Files (x86)\\Bandicam\\bdfilters64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}\InprocServer32\ = "C:\\Program Files (x86)\\Bandicam\\bdfilters.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F4F5C9E9-CFCC-4C65-A8BD-0423A338F188}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\.bfix	bdcam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\BANDICAM.bfix\DefaultIcon\ = "C:\\Program Files (x86)\\Bandicam\\bdfix.exe"	bdcam.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\BANDICAM.bfix\Shell\Open\Command\ = "\"C:\\Program Files (x86)\\Bandicam\\bdfix.exe\"\"%1\""	bdcam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F4F5C9E9-CFCC-4C65-A8BD-0423A338F188}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E2E7539A-CECF-4A6A-B187-939943ECEF05}\InprocServer32\ = "C:\\Program Files (x86)\\Bandicam\\bdfilters.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}\FriendlyName = "Bandicam MPEG-1 Video Decoder"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}\CLSID = "{89C4B786-A490-4A3E-AA70-E6A8C61D3689}"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\BANDICAM.bfix\Shell\Open\Command	bdcam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}\ = "Bandicam MPEG-1 Video Decoder"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A1C6833E-A3EC-4397-9FA9-151792F3408F}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E2E7539A-CECF-4A6A-B187-939943ECEF05}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}\FilterData = 02000000010080ff02000000000000003070693300000000000000000200000000000000000000003074793300000000700000008000000031747933000000007000000090000000317069330800000000000000010000000000000000000000307479330000000070000000a00000007669647300001000800000aa00389b714d50454700001000800000aa00389b714d50473100001000800000aa00389b7100000000000000000000000000000000	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E2E7539A-CECF-4A6A-B187-939943ECEF05}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F4F5C9E9-CFCC-4C65-A8BD-0423A338F188}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}\FriendlyName = "Bandicam MPEG-1 Video Decoder"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}\CLSID = "{89C4B786-A490-4A3E-AA70-E6A8C61D3689}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E2E7539A-CECF-4A6A-B187-939943ECEF05}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\.bfix\ = "BANDICAM.bfix"	bdcam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E2E7539A-CECF-4A6A-B187-939943ECEF05}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F4F5C9E9-CFCC-4C65-A8BD-0423A338F188}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E2E7539A-CECF-4A6A-B187-939943ECEF05}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\BANDICAM.bfix\Shell\Open	bdcam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}\InprocServer32\ = "C:\\Program Files (x86)\\Bandicam\\bdfilters64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{E2E7539A-CECF-4A6A-B187-939943ECEF05}\CLSID = "{E2E7539A-CECF-4A6A-B187-939943ECEF05}"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\BANDICAM.bfix\DefaultIcon	bdcam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E2E7539A-CECF-4A6A-B187-939943ECEF05}\ = "Bandicam MPEG-1 Audio Decoder"	regsvr32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}\FilterData = 02000000010080ff02000000000000003070693300000000000000000200000000000000000000003074793300000000700000008000000031747933000000007000000090000000317069330800000000000000010000000000000000000000307479330000000070000000a00000007669647300001000800000aa00389b714d50454700001000800000aa00389b714d50473100001000800000aa00389b7100000000000000000000000000000000	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E2E7539A-CECF-4A6A-B187-939943ECEF05}	regsvr32.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

RegAsm.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064	RegAsm.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61	RegAsm.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

3988 PING.EXE

pid	process
3988	PING.EXE

Suspicious behavior: EnumeratesProcesses 35 IoCs

Processes:

Bandicam_v7.1.1.2158.tmpCaused.pifRegAsm.exeBandicam_v7.1.1.2158.tmpbdcam.exeLoader.tmpbdcam.exe

pid	process
1944	Bandicam_v7.1.1.2158.tmp
1944	Bandicam_v7.1.1.2158.tmp
960	Caused.pif
960	Caused.pif
960	Caused.pif
960	Caused.pif
960	Caused.pif
960	Caused.pif
960	Caused.pif
960	Caused.pif
960	Caused.pif
960	Caused.pif
3564	RegAsm.exe
3564	RegAsm.exe
3564	RegAsm.exe
3564	RegAsm.exe
3564	RegAsm.exe
5072	Bandicam_v7.1.1.2158.tmp
5072	Bandicam_v7.1.1.2158.tmp
5072	Bandicam_v7.1.1.2158.tmp
5072	Bandicam_v7.1.1.2158.tmp
3668	bdcam.exe
3668	bdcam.exe
5072	Bandicam_v7.1.1.2158.tmp
5072	Bandicam_v7.1.1.2158.tmp
5072	Bandicam_v7.1.1.2158.tmp
5072	Bandicam_v7.1.1.2158.tmp
4880	Loader.tmp
4880	Loader.tmp
4880	Loader.tmp
4880	Loader.tmp
2716	bdcam.exe
2716	bdcam.exe
2716	bdcam.exe
2716	bdcam.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

tasklist.exetasklist.exeRegAsm.exeAUDIODG.EXEbdcam.exe

description	pid	process
Token: SeDebugPrivilege	2268	tasklist.exe
Token: SeDebugPrivilege	920	tasklist.exe
Token: SeDebugPrivilege	3564	RegAsm.exe
Token: 33	1948	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1948	AUDIODG.EXE
Token: 33	2716	bdcam.exe
Token: SeIncBasePriorityPrivilege	2716	bdcam.exe

Suspicious use of FindShellTrayWindow 6 IoCs

Processes:

Bandicam_v7.1.1.2158.tmpCaused.pifBandicam_v7.1.1.2158.tmpbdcam.exe

pid process

1944 Bandicam_v7.1.1.2158.tmp
960 Caused.pif
960 Caused.pif
960 Caused.pif
5072 Bandicam_v7.1.1.2158.tmp
2716 bdcam.exe
Suspicious use of SendNotifyMessage 4 IoCs

Processes:

Caused.pifbdcam.exe

pid process

960 Caused.pif
960 Caused.pif
960 Caused.pif
2716 bdcam.exe
Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

bdcam.exebdcam.exe

pid process

3668 bdcam.exe
2716 bdcam.exe
2716 bdcam.exe
2716 bdcam.exe
2716 bdcam.exe

pid	process
960	Caused.pif
960	Caused.pif
960	Caused.pif
2716	bdcam.exe

pid	process
3668	bdcam.exe
2716	bdcam.exe
2716	bdcam.exe
2716	bdcam.exe
2716	bdcam.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Bandicam_v7.1.1.2158.exeBandicam_v7.1.1.2158.tmpBandicam_v7.1.1.2158.exeDistinguishedListings.execmd.exeCaused.pifBandicam_v7.1.1.2158.tmpbdcam.exe

description	pid	process	target process
PID 4192 wrote to memory of 1944	4192	Bandicam_v7.1.1.2158.exe	Bandicam_v7.1.1.2158.tmp
PID 4192 wrote to memory of 1944	4192	Bandicam_v7.1.1.2158.exe	Bandicam_v7.1.1.2158.tmp
PID 4192 wrote to memory of 1944	4192	Bandicam_v7.1.1.2158.exe	Bandicam_v7.1.1.2158.tmp
PID 1944 wrote to memory of 3392	1944	Bandicam_v7.1.1.2158.tmp	Bandicam_v7.1.1.2158.exe
PID 1944 wrote to memory of 3392	1944	Bandicam_v7.1.1.2158.tmp	Bandicam_v7.1.1.2158.exe
PID 1944 wrote to memory of 3392	1944	Bandicam_v7.1.1.2158.tmp	Bandicam_v7.1.1.2158.exe
PID 1944 wrote to memory of 764	1944	Bandicam_v7.1.1.2158.tmp	DistinguishedListings.exe
PID 1944 wrote to memory of 764	1944	Bandicam_v7.1.1.2158.tmp	DistinguishedListings.exe
PID 1944 wrote to memory of 764	1944	Bandicam_v7.1.1.2158.tmp	DistinguishedListings.exe
PID 3392 wrote to memory of 5072	3392	Bandicam_v7.1.1.2158.exe	Bandicam_v7.1.1.2158.tmp
PID 3392 wrote to memory of 5072	3392	Bandicam_v7.1.1.2158.exe	Bandicam_v7.1.1.2158.tmp
PID 3392 wrote to memory of 5072	3392	Bandicam_v7.1.1.2158.exe	Bandicam_v7.1.1.2158.tmp
PID 764 wrote to memory of 1196	764	DistinguishedListings.exe	cmd.exe
PID 764 wrote to memory of 1196	764	DistinguishedListings.exe	cmd.exe
PID 764 wrote to memory of 1196	764	DistinguishedListings.exe	cmd.exe
PID 1196 wrote to memory of 2268	1196	cmd.exe	tasklist.exe
PID 1196 wrote to memory of 2268	1196	cmd.exe	tasklist.exe
PID 1196 wrote to memory of 2268	1196	cmd.exe	tasklist.exe
PID 1196 wrote to memory of 808	1196	cmd.exe	findstr.exe
PID 1196 wrote to memory of 808	1196	cmd.exe	findstr.exe
PID 1196 wrote to memory of 808	1196	cmd.exe	findstr.exe
PID 1196 wrote to memory of 920	1196	cmd.exe	tasklist.exe
PID 1196 wrote to memory of 920	1196	cmd.exe	tasklist.exe
PID 1196 wrote to memory of 920	1196	cmd.exe	tasklist.exe
PID 1196 wrote to memory of 2708	1196	cmd.exe	findstr.exe
PID 1196 wrote to memory of 2708	1196	cmd.exe	findstr.exe
PID 1196 wrote to memory of 2708	1196	cmd.exe	findstr.exe
PID 1196 wrote to memory of 4924	1196	cmd.exe	cmd.exe
PID 1196 wrote to memory of 4924	1196	cmd.exe	cmd.exe
PID 1196 wrote to memory of 4924	1196	cmd.exe	cmd.exe
PID 1196 wrote to memory of 4528	1196	cmd.exe	findstr.exe
PID 1196 wrote to memory of 4528	1196	cmd.exe	findstr.exe
PID 1196 wrote to memory of 4528	1196	cmd.exe	findstr.exe
PID 1196 wrote to memory of 1892	1196	cmd.exe	cmd.exe
PID 1196 wrote to memory of 1892	1196	cmd.exe	cmd.exe
PID 1196 wrote to memory of 1892	1196	cmd.exe	cmd.exe
PID 1196 wrote to memory of 960	1196	cmd.exe	Caused.pif
PID 1196 wrote to memory of 960	1196	cmd.exe	Caused.pif
PID 1196 wrote to memory of 960	1196	cmd.exe	Caused.pif
PID 1196 wrote to memory of 3988	1196	cmd.exe	PING.EXE
PID 1196 wrote to memory of 3988	1196	cmd.exe	PING.EXE
PID 1196 wrote to memory of 3988	1196	cmd.exe	PING.EXE
PID 960 wrote to memory of 3564	960	Caused.pif	RegAsm.exe
PID 960 wrote to memory of 3564	960	Caused.pif	RegAsm.exe
PID 960 wrote to memory of 3564	960	Caused.pif	RegAsm.exe
PID 960 wrote to memory of 3564	960	Caused.pif	RegAsm.exe
PID 960 wrote to memory of 3564	960	Caused.pif	RegAsm.exe
PID 5072 wrote to memory of 3668	5072	Bandicam_v7.1.1.2158.tmp	bdcam.exe
PID 5072 wrote to memory of 3668	5072	Bandicam_v7.1.1.2158.tmp	bdcam.exe
PID 3668 wrote to memory of 1368	3668	bdcam.exe	rundll32.exe
PID 3668 wrote to memory of 1368	3668	bdcam.exe	rundll32.exe
PID 3668 wrote to memory of 1516	3668	bdcam.exe	rundll32.exe
PID 3668 wrote to memory of 1516	3668	bdcam.exe	rundll32.exe
PID 3668 wrote to memory of 1516	3668	bdcam.exe	rundll32.exe
PID 5072 wrote to memory of 2124	5072	Bandicam_v7.1.1.2158.tmp	regsvr32.exe
PID 5072 wrote to memory of 2124	5072	Bandicam_v7.1.1.2158.tmp	regsvr32.exe
PID 5072 wrote to memory of 3240	5072	Bandicam_v7.1.1.2158.tmp	regsvr32.exe
PID 5072 wrote to memory of 3240	5072	Bandicam_v7.1.1.2158.tmp	regsvr32.exe
PID 5072 wrote to memory of 3240	5072	Bandicam_v7.1.1.2158.tmp	regsvr32.exe
PID 5072 wrote to memory of 932	5072	Bandicam_v7.1.1.2158.tmp	bdreg.exe
PID 5072 wrote to memory of 932	5072	Bandicam_v7.1.1.2158.tmp	bdreg.exe
PID 5072 wrote to memory of 932	5072	Bandicam_v7.1.1.2158.tmp	bdreg.exe
PID 5072 wrote to memory of 4684	5072	Bandicam_v7.1.1.2158.tmp	Loader.exe
PID 5072 wrote to memory of 4684	5072	Bandicam_v7.1.1.2158.tmp	Loader.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3436

C:\Users\Admin\AppData\Local\Temp\Bandicam v7.1\Bandicam_v7.1.1.2158.exe
"C:\Users\Admin\AppData\Local\Temp\Bandicam v7.1\Bandicam_v7.1.1.2158.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4192

C:\Users\Admin\AppData\Local\Temp\is-GLQSM.tmp\Bandicam_v7.1.1.2158.tmp
"C:\Users\Admin\AppData\Local\Temp\is-GLQSM.tmp\Bandicam_v7.1.1.2158.tmp" /SL5="$60198,33493152,807424,C:\Users\Admin\AppData\Local\Temp\Bandicam v7.1\Bandicam_v7.1.1.2158.exe"
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1944

C:\Program Files (x86)\StrLocalGate\Bandicam_v7.1.1.2158.exe
"C:\Program Files (x86)\StrLocalGate\Bandicam_v7.1.1.2158.exe"
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3392

C:\Users\Admin\AppData\Local\Temp\is-7A4LQ.tmp\Bandicam_v7.1.1.2158.tmp
"C:\Users\Admin\AppData\Local\Temp\is-7A4LQ.tmp\Bandicam_v7.1.1.2158.tmp" /SL5="$9003C,31228973,185344,C:\Program Files (x86)\StrLocalGate\Bandicam_v7.1.1.2158.exe"
5⤵
- Drops file in Drivers directory
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:5072

C:\Program Files (x86)\Bandicam\bdcam.exe
"C:\Program Files (x86)\Bandicam\bdcam.exe" /install
6⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3668

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Program Files (x86)\Bandicam\bdcamvk64.dll",RegDll
7⤵
- Loads dropped DLL
PID:1368

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe" "C:\Program Files (x86)\Bandicam\bdcamvk32.dll",RegDll
7⤵
- Loads dropped DLL
PID:1516

C:\Windows\system32\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Bandicam\bdfilters64.dll"
6⤵
- Loads dropped DLL
- Registers COM server for autorun
- Modifies registry class
PID:2124

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Bandicam\bdfilters.dll"
6⤵
- Loads dropped DLL
- Modifies registry class
PID:3240

C:\Users\Admin\AppData\Local\Temp\is-H6560.tmp\bdreg.exe
"C:\Users\Admin\AppData\Local\Temp\is-H6560.tmp\bdreg.exe"
6⤵
- Executes dropped EXE
PID:932

C:\Program Files (x86)\Bandicam\Loader.exe
"C:\Program Files (x86)\Bandicam\Loader.exe"
6⤵
- Executes dropped EXE
PID:4684

C:\Users\Admin\AppData\Local\Temp\is-1ITK9.tmp\Loader.tmp
"C:\Users\Admin\AppData\Local\Temp\is-1ITK9.tmp\Loader.tmp" /SL5="$30250,195428,185344,C:\Program Files (x86)\Bandicam\Loader.exe"
7⤵
- Drops file in Drivers directory
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:4880

C:\Users\Admin\AppData\Local\Temp\is-9N22H.tmp\bdreg.exe
"C:\Users\Admin\AppData\Local\Temp\is-9N22H.tmp\bdreg.exe"
8⤵
- Executes dropped EXE
PID:1732

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\is-9N22H.tmp\BlockFireWallRule.cmd" "
8⤵
PID:4336

C:\Windows\SysWOW64\chcp.com
chcp 1251
9⤵
PID:648

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="BlockLicenseCheckBandicamLoader" dir=out action=Block program="C:\Program Files (x86)\Bandicam\bdcam.exe" enable=yes
9⤵
- Modifies Windows Firewall
PID:1944

C:\Program Files (x86)\Bandicam\bdcam.exe
"C:\Program Files (x86)\Bandicam\bdcam.exe"
8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2716

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\is-H6560.tmp\BlockFireWallRule.cmd" "
6⤵
PID:4420

C:\Windows\SysWOW64\chcp.com
chcp 1251
7⤵
PID:1172

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="BlockLicenseCheckBandicam" dir=out action=Block program="C:\Program Files (x86)\Bandicam\bdcam.exe" enable=yes
7⤵
- Modifies Windows Firewall
PID:1372

C:\StrLocalGate\DistinguishedListings.exe
"C:\StrLocalGate\DistinguishedListings.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:764

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k copy Usually Usually.cmd & Usually.cmd & exit
5⤵
- Suspicious use of WriteProcessMemory
PID:1196

C:\Windows\SysWOW64\tasklist.exe
tasklist
6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:2268

C:\Windows\SysWOW64\findstr.exe
findstr /I "wrsa.exe opssvc.exe"
6⤵
PID:808

C:\Windows\SysWOW64\tasklist.exe
tasklist
6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:920

C:\Windows\SysWOW64\findstr.exe
findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
6⤵
PID:2708

C:\Windows\SysWOW64\cmd.exe
cmd /c md 56230
6⤵
PID:4924

C:\Windows\SysWOW64\findstr.exe
findstr /V "trackinggardenczechquiz" Prague
6⤵
PID:4528

C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b Monica + Cdna + Athletics + Campaign + Ethical 56230\z
6⤵
PID:1892

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\56230\Caused.pif
56230\Caused.pif 56230\z
6⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:960

C:\Windows\SysWOW64\PING.EXE
ping -n 5 127.0.0.1
6⤵
- Runs ping.exe
PID:3988

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\56230\RegAsm.exe
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\56230\RegAsm.exe
2⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3564

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x504 0x50c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1948

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Process Discovery

T1057

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Bandicam\Loader.exe
Filesize
695KB

MD5
b1dcdfd6f61bce5f8a53fbe7a93711f2

SHA1
f4e9807202ba141a1a0ff4a21738681ce1d9f480

SHA256
2cfd6d38ebedad3f0952253fafaba8e99a2c83b2600793e8ae057d65567fa8ef

SHA512
b3e7d222a3ffa1f392c5ed2e4f6d92e99b352f31fae90049ecf8432fc1dd11b9e2bc219666a9d51fd32eca0e5650cdd58e207b82a79aa55554261104bdadbf86

Download Submit
C:\Program Files (x86)\Bandicam\Loader.ini
Filesize
54B

MD5
90b9d2f9b849da3398c222928611cffd

SHA1
62d78678657417b8e543f0a93193136c07398505

SHA256
ea307d27210233fdc6af9991bbddd24ef9a706c775985474372f3306df75a5cc

SHA512
50ef275f54baa5294b4c51f16c5320914b249bbd1eb1ba2617c12dac20fc59b833ddf72bbed2b979a4d543eb1b37e1f2a416e8df16a62683a19841a3eb6713d5

Download Submit
C:\Program Files (x86)\Bandicam\MSIMG32.dll
Filesize
27KB

MD5
b813a2b492d50a405de0ec2107596131

SHA1
9b4d092ffa403e0a28c2b17f22737f1db01d3564

SHA256
aa4c9f3c22bf60cfa9f17b37b0b90a8a9729d473d9046b7480e97ddaea9d7b3a

SHA512
0599a1c02f4e4964a0a881b0fc265fa90fb1212ebb6e629a490aa9a1195daf1eca138b5b67a17171cf4e82d3b8fed10319f1602800fc07f1f527c4df47c0f30c

Download Submit
C:\Program Files (x86)\Bandicam\bdcam.exe
Filesize
13.3MB

MD5
d9b55c88134adeb2ce3ecf12dbf255cc

SHA1
18e189c417fbb4fb3c8622c222481cf24b768ecc

SHA256
8b37afb00f007d14a78ad8ddd6fb456a5e3a7d7305e777be5d3c3e004fddbef2

SHA512
9dc291e3d651bebe61abfd996dcc818b3b38f9a5b495830c6049a181017938c6198a5807bb201793f19ca59bc19cb2cfbd747b216ccb4c96058eddbff5ad4685

Download Submit
C:\Program Files (x86)\Bandicam\bdcamvk32.dll
Filesize
1.5MB

MD5
b9a9c5d5205728a80355986c52eecb4a

SHA1
26ac6ec69a8fff2f0015817460fe7afda1047585

SHA256
a9651b954712294491963debfcce854377b58148464b76e60cad328560ad0701

SHA512
7d54545c97cd0545e6017dcc72a6181465a347ec94a39704b409e5050efc1a7d3a08eb1dabe3d1f60202a098be634493638708216807596638552ed69561a862

Download Submit
C:\Program Files (x86)\Bandicam\bdcamvk64.dll
Filesize
1.9MB

MD5
76345bbf3d96b7a6bd670d163400d0cc

SHA1
e28a2e8b5be043831836b8d35ca43d07159d2741

SHA256
0f2d19b39e41e25b211a22326d61b7fd1aba24b4c8d2914756a2be22fefd79f5

SHA512
918213ec8300311ed5bd0bdc5e3ba34e4ede218770434cbc80da03eae8da740dbefbf6d8e9ce78e9d7e3f1b8caf434d2136e94f8d7efd4468c4f13d920212053

Download Submit
C:\Program Files (x86)\Bandicam\bdcap64.dll
Filesize
21.2MB

MD5
76012141ceda5d7cbb200137cd3b0f12

SHA1
7fc7ef17e3147e78ab04abbc3cd79db59a4e8043

SHA256
5565bfbd434467599b282a909fe2c1d9740918e7ed134c3287213906dbd84556

SHA512
2fbf4c172424ba5c643ee52c6ae552246164a86026905baa7e65c9de8aabc93ebd03c5267f7de9d2578149bb80c7136d57cffb26036ecd07ad1da14cc7d46be1

Download Submit
C:\Program Files (x86)\Bandicam\bdfilters.dll
Filesize
4.1MB

MD5
ed730387fdcd684b756601b863c47417

SHA1
c49ed6d0d46facf4ceaeb21f5d6bfdf9e3587fde

SHA256
9cbc29696ad2d582e251bf9c4be5cce618753fa43551d2474e1ae5cc5e1245e5

SHA512
e32df727799d33922c6e92f94a7bdb0bc2772d6a6636d15e285d94d3ae4661062e5bc89ec3546b76ec853398f88d972f461327ef687f89093acf1096560d5c3f

Download Submit
C:\Program Files (x86)\Bandicam\bdfilters64.dll
Filesize
4.6MB

MD5
13f7a29baa1e04f74151737cb71bd0e5

SHA1
0bc8682c6c96923a729aa6239aa53d95221b13ab

SHA256
008fababd36e8fbfd5f610a2c62d47963e78ec91e54ad69a1e20807445c3528d

SHA512
4cea11e88e8861c4094b227d85295c0d67452af703b0ec9dfe475797b87d03b40bc1f6b58dcc00996672c1c05d99b82dcc067bc429a1465ae90f4ec966f2bca8

Download Submit
C:\Program Files (x86)\StrLocalGate\Bandicam_v7.1.1.2158.exe
Filesize
30.3MB

MD5
b8e04ea04a5e49c3cf1a4abcee368647

SHA1
bc9870fe7c65dbb0aca3918c53534f97a3f86f49

SHA256
c8e16032aade990ebf98ee2d7aa1c5306cf352a16386babcd859726a0ed67322

SHA512
536b1f7a376df68b544be6c4d107c37783f79bf6c62fdf86aa925b74a0e29f7136fca5770b1b4d60ade728d8e00b8c628019fd56a0470c60c6dbd34704176e1b

Download Submit
C:\StrLocalGate\DistinguishedListings.exe
Filesize
901KB

MD5
b53171a91419e701fc8b9d6f17b0d823

SHA1
b98d619173f51464b55407e0a2fbed2d39405459

SHA256
469c5003e27982fef60eee7c95b677aa2000c38c327761f253e174347c5a263c

SHA512
e722ae4555c148d2720df8a0cef1ca579fb5d1278b76197fa98e5a4e5a2117ec1a4d5f8c08af3f91064688228c441dbc250ab8684eaa23e530222919f28214e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\56230\Caused.pif
Filesize
915KB

MD5
b06e67f9767e5023892d9698703ad098

SHA1
acc07666f4c1d4461d3e1c263cf6a194a8dd1544

SHA256
8498900e57a490404e7ec4d8159bee29aed5852ae88bd484141780eaadb727bb

SHA512
7972c78acebdd86c57d879c12cb407120155a24a52fda23ddb7d9e181dd59dac1eb74f327817adbc364d37c8dc704f8236f3539b4d3ee5a022814924a1616943

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\56230\RegAsm.exe
Filesize
63KB

MD5
0d5df43af2916f47d00c1573797c1a13

SHA1
230ab5559e806574d26b4c20847c368ed55483b0

SHA256
c066aee7aa3aa83f763ebc5541daa266ed6c648fbffcde0d836a13b221bb2adc

SHA512
f96cf9e1890746b12daf839a6d0f16f062b72c1b8a40439f96583f242980f10f867720232a6fa0f7d4d7ac0a7a6143981a5a130d6417ea98b181447134c7cfe2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\56230\z
Filesize
390KB

MD5
769f028469f4187abcb2ef9d1c4ad148

SHA1
09c5eec3bc0bfe5184d6b6e89a0622508de51f69

SHA256
88826b2cbc9ef6afdf8d414143e66bbc2de0d5f834d33362634a3b123062b21f

SHA512
8ee339b3417b02ba8e71af88a7b68d2cc95e2f7e4797a18654dfa80fb27a1b6f226821ae74af4a9ec0f8c05068422cb36603b67bce3918b6749464a9dee14c47

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Agencies
Filesize
19KB

MD5
16c9e56cdab65773a62b71ea327daca6

SHA1
cf13a7440701d4729fdc1fa41697a9be03445939

SHA256
e4aec9c5f7f504ed6d431c2fa12b68dac9862edaa60f78c9596935b3665cb7e2

SHA512
0c764e4062ba0f184761c67ee445b31ea0068b71a4c10946e70e5b58abf69e7a28e6a08c30549e17828bbe37e27229ad37bdb8e9a9787a2de1bf3074934c9733

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Alter
Filesize
68KB

MD5
46523ea1ecfa6cbb2bc001ca2b280578

SHA1
70dd1636b5b82eb847e7fcc25fbdba098a6ee767

SHA256
9418eb47a71f16228a63fc687ead372c432f21429635f0435e3252c4a8002508

SHA512
84aa0698b47502e63fab5009d08d9e65f8d5e8461cd50f6d6a2fdf35c7eefa68a0024d3f212ca5e9849d29879e6ca4d403fddb4288898357b192bd3f1900266f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Approximately
Filesize
62KB

MD5
47faabcf30b475d0156e7477ec961407

SHA1
0ca0cef3ecd2cbe153d22aea537b4521653a2191

SHA256
b13253f77551f61e70457a14867dd11c3a087bd9fbb1b62425c5ef12b143ee3c

SHA512
34b2fe7a3b6cb1f4a976871518f9751366a16e8387fdba9713e578d76b1980cae0eb237e5edd87fd19dae8f533a5eb5a99aaf8219ee18b2af69e9aa2c754bc2e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Athletics
Filesize
125KB

MD5
0b0bf1e2325ccd0789c251ef098285ff

SHA1
b00d983c3b4d27a094f49cbecc61de5d7cb430b8

SHA256
3bd256d54241bbdcedc027838da70714e0d54a9c0c39e9a26a6a945bdab32055

SHA512
68bad482c33c29f5bbdd3f44c120fab15b7516687860cd5172238850ac79f71048d3cb8d3ce91ee7f2c2a6bb67d1769e08e2baab74da7f811e6cf7e4815eaaeb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Belgium
Filesize
56KB

MD5
f80233eb2b6daa9723b9a8c4ae51b35b

SHA1
f08e14f4f246e16ee8674412d3361fb772ec8d20

SHA256
fc7685bc2b8d104b2ca76d41e7180941938a936416a0bf6a9289d21c5783284f

SHA512
4ef40c195992747c9d80da55320f012446d429df5b41b39e39d6bdfd37bb3ece50c92c6fdd3998adfd9d16d7cdb22d1a801f9f2a0cecb2adddb30a6fdf60140a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Blades
Filesize
40KB

MD5
c009748ee2ef2cfb5a786967d9192842

SHA1
dd165130a6a37f4313f3680121997a69866a055b

SHA256
6101008df17b7bd21f4a0d3ffd6d1dbd8b0e89013b1f1b3aa6fc5bd8a685571b

SHA512
1dd084b24f4ab84d3a6c8e9b737b2820f9393667652a76ab0381ed0bc9d9a6108801cefdd36ecbcbe12613e92ce35ebadb6c2be8fa5658b43d5a019cbd2b1c92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Campaign
Filesize
60KB

MD5
00813ef7d503d316883997ca05182d82

SHA1
9d1b030488dc367220d95210fa82f8128f58071b

SHA256
0ab466eebceeb4834758a79e50fee5d929ffdf4f0d5b82213ebaaec325f762e6

SHA512
c1f5beb98dd8658f22ed73395977cd4910ec5a2a8b02c050e778f69780c1357b3ddf5985c0ffcb783ae275e138ae997dd5daba7905bf498fd33771b4566f1c00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Capture
Filesize
49KB

MD5
fd7207599f1bf9d1faa5c1ecdf2ef5d3

SHA1
f42c307c220842f9fa8bb3e5f0a985fb4aa74969

SHA256
d530ca2475b1351ac146d3d8176746093234f1e627209a32adcaf614e8d480dd

SHA512
437ea42114c716a084e4225687baa22ede1265be303343fc1b1ad7d8f9c6f34f2f70dd6615a609aaf983ef3c96309c7be1c872a8a5606b664150a28318259e8b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Cdna
Filesize
35KB

MD5
a9cef18c2e44ac99770f0043f771ffa5

SHA1
c15b5d40ba6d7cffa12e628cef838c47be6ee2f2

SHA256
ee2e70d4c41d00ec27e439ee90e1beabe903a3774456215c4c311268dbd9fdd8

SHA512
35dab83152bbf93a954ea62d03da6ae67edfefb56ee5d406006c959862d403698356fafb409aaf7c2ea527f490cd90ff9f9dcf7e1f71cd8289f330e483b4b995

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Correct
Filesize
26KB

MD5
5deebb499de0765b2b73bbbfcaeeea65

SHA1
cafa73bd311216a7566f2879c72475e032c2e6da

SHA256
661b4bc09f0e4c65d82421aecb90faf5cca7fd7b3cd71949f3767da0c6e44ace

SHA512
a3117cd533dc94cb38bc2d97e1a434853b2abf8d7a896d0974f624fbf12f322d6f9be3c53291c5a2b1875f3b1be0b9d8b9fb78a1e191bb91d21cb20b9d0c6531

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Delhi
Filesize
26KB

MD5
980484c6ca7441854653018368542fd8

SHA1
402277d88dac352d7da9c162c0ff90059cb914b3

SHA256
1756ba79e34af55dee321edc65314da59434c82439c844d71af1ac1527c961aa

SHA512
7097c19c848d3963f1c43a7ae358a980eeaa33c0a0495513568aafefbdb5e6a9d542e05e49f80c3d7a107c3a4282c714826a13de719af7264ce760263f61f5ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Ethical
Filesize
79KB

MD5
92166ad792080caedd3880d17880c0f4

SHA1
93c594993b7a31f8f46e1dcdab0fc3c3e2735927

SHA256
bab311dc3f1ca85c303befb390fb0e9a44ece39950b4dea201acf53fd1aa4cfe

SHA512
356cd441fda7dd3e31cebae47c875bce3b073d7a4dfa92fd9241268c62e891781f85232101ae3848e0052d2b43509b73e3a4977a6f962ccc52fbc1620dacab43

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Groundwater
Filesize
62KB

MD5
e9370ff3145b1d76fa099df8c00d265e

SHA1
72b2ef78a81d31ffbe8f6c4d58bf7a523c06a656

SHA256
f7e918684019bcca45a0137259df805babbb0e4a2c00a42de5acb65a1ced96c4

SHA512
8635a1fe315fbf600ae907e92d9317378a08f310e0cef2a45b0d8a8a6c21f28192db95a559ff5d7d21fa786c509c0a518e2b75c32cbe896e5fe081bf5ed517af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Independence
Filesize
21KB

MD5
5ca8f14661f747021ae2f8ecea5e4d43

SHA1
50f4efe97afce86e6b1c06fde922b0d3f7668e78

SHA256
d360a53faa5c9eeabdaa3be4b069f841b359596e48b16718b5a55bd66d390a1e

SHA512
efdecd53e279362def66ebd7045a2e44b7e103f0341984e52c8d5c8a139e82c4075839fab778c131adf7f91fda41e3e4a02195b9a094a429a8862d9e9d89084d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Monica
Filesize
91KB

MD5
33068d1484ace7d09b98b422d12af19a

SHA1
5bde2f9fe64b6a70898c653723477dfd84c4f8a8

SHA256
9d64b095f6a5a7a90e2fd9cbaef0ec34c05a7655f0b60a5096e4f7e618ff96ac

SHA512
a4a0634f824fced5636994834ecff0eb2a6052819b55659e122e4ec1a2ae2311eb16811856c9f8756f9349ec2ee95887c77906bd36d916561763669dec740f28

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Permit
Filesize
18KB

MD5
0775b30b3fab154c5213ddbedabb8be0

SHA1
5c1d305b21da05ddd5c3bfd486ddca81daf8f951

SHA256
c24394708c35c14c14cc1e6533f0d9bc4987d75fd943f8bfd53eb4abf25733a4

SHA512
c4e126ac98d067d5842e23712766a1dbebe593a6bb0f7ce5817113f44c681e4687a0f9cd0e7298237ca1154d9a7b55d6c19e47210f8144fe2bee2a162216cec5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Picking
Filesize
49KB

MD5
59ed8d8e215bb76a0f0e4d3934656b2c

SHA1
e8f90242d5a1ea6ec7141820ec3eaf0f2bb80f38

SHA256
aac0fd2a26af5bc248a9f163dc3f0539368ed245411005181971219d891f30df

SHA512
036fb199cb8f56caa82fd404c10a43bf896149ed69d9b4d4b0855a0e922fa30ad77d3cb66c7a63f3bd60ba33a94de7daa4a4d909ed1afe25d265acc79c7858ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Prague
Filesize
105B

MD5
0714e5a662cd0e909addcad4ced2ad3f

SHA1
38a018ebe31b0562cd2f95b45d950b33f1546801

SHA256
6496648301e0c143429bd1ed94de5fbc40d2624b47463efb4a8f9da2d7771ab4

SHA512
5401c6b959a3e5e9b149f63fb8acac3c5f09b7937fd8a11948306951bb7bd56ee6dea288d2e3e167479d9090c6af2d6d067bcfe7d7eb6634f6a4706e0e0f5b3e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Quad
Filesize
31KB

MD5
0196c8face0e36e26939e3287cb61212

SHA1
fa40d9f1a7120208256102f3724f7e3e86c6f61b

SHA256
41f65248d8075ed991d62e97ddb920d05b6cd84179f80b75ef308661a104e296

SHA512
c7aa4db7d5c1ff51f29650f540a2c49f29108d0a3b3ef6f5ec9e00cc3b84f20a382bbc2f2c18eb77c79380040f16f8a0c3a0d1caf30317bf2ad10b7c678509d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Sacramento
Filesize
24KB

MD5
4727853c74f119c46981b61ac8eda367

SHA1
c8c4994b04c5b5175c0960e3878d431212a2f4f3

SHA256
ddf930d2a7841c75600191b5ac1ea2ce20e0847ffe4fe0150dea3c9c07d1c5b5

SHA512
50529d94034bf1a9f8cd319a0d32eba16f08265a33a6a55c8bc80f95873f84057a377f0a47f0e56ab4d6ee0f6cc7f40d277f70ab596681e9c000d14d2bd675a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Samba
Filesize
37KB

MD5
97cd5dc2cc427848c8b8e1581ab4726c

SHA1
cfd993d17608b9c670231dedbd17c820860dc269

SHA256
44f2b252c7abf576669d113f366411cf125e4d41ec2050d8df99a51dfc99c8ae

SHA512
dff07ea3197b44f19ceacc0d3efb33c8c88e062f11f2fcd2e0f80b75250f525720cc723ae2375e57df3c1367c564a06a5d21c4a1ab5cfb2a584b9438265c0e21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Stainless
Filesize
28KB

MD5
876b1ca94dc7115ab48e20e9f5ed1fe9

SHA1
69e5d1177ede52ab5600f05531b1299f64b3853d

SHA256
cf0e1853b3be64646e13ad19d79452571bc87a0bf37cc5cb034b2ef13d5c42d6

SHA512
7a317f0638e3f58320ca4ba4bd4210c51824897e2172113c6551f6d023df5a2d69a8f3c1d4a37d02a2ca712a4c710b14fb191444d11ba0c58a4684b24a2ef8e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Statewide
Filesize
55KB

MD5
32cdf261eee852f00656bcc85c2e5910

SHA1
fa8d288e01f53ab7793cdde48cee4a2dadbd447e

SHA256
1f7d3a1dad50a0f44e3cd982cfe1b79facf3fab3264c9aa311485bf675ce4700

SHA512
834a25f6b13f134637ace3867813cf824e2ce695ccb2efc0ee09a6d5bfc557be5dcc44bc547b2e68f2a883bdad40d9d096dcb6fb8a366672b2ddf92bb41346e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Stereo
Filesize
67KB

MD5
10371d256f6b8e75346ad82e492780a8

SHA1
125f88eaae5dc49717f896c17aadc7a053cd3871

SHA256
a702a50d745a2e6053a53b56acebe61562f3d1f8779e4a015f5e67d1b2cc8f76

SHA512
c45cacb4c5ccac0365ae9ea3030d2bf1b1b2afe4d5d20fe4528914ebb66e7b9957954edaca921af32639e267958b692701d7d09271686f7b141c62e0172a4b9c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Streams
Filesize
33KB

MD5
b23e9c03125330a27152fe8c30ae77af

SHA1
836d7ecc0eb215eaebbda3a3052a4049315931c0

SHA256
ff966cb96671942115c8d19e137edb42f65e0ca2c4cd3e96505d2fd52e407721

SHA512
4e828c46db1e8bb06a83407696ed0c61466ec0d32bd91ef8b6ae78d8d31973480e9027f9a90ed9be17a8918672567d7d0c1eb658b3f6ac9a50325d7407884054

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Tax
Filesize
61KB

MD5
ce5e43f9a497f1097c30b05fde4745a8

SHA1
8ab6d307a0b9eab7deebcd0edaee0b1487855173

SHA256
8231f2ea6380f5d7a4a6ce923198b3e1b3b7bfa1b1fe062b3c703cd247ca9d1a

SHA512
cd7a2a42c7f6681b12ec344d1029519dc57fee9f1241a448ee3816745b4a129e464ba22c99555a784c9fb76b1b30ebdaa936e332c8f4a7822288ac43e5ec4800

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Tires
Filesize
44KB

MD5
25e570b261dcf40f42b765eaf491cd20

SHA1
daede71797167f0c49f37b402869946e96dabe2b

SHA256
d13e3bf244cdb2d14087f57b8eeddcb158f623bb3a370d8555c5ac9f7c3f850a

SHA512
1a1cbf40a5a84511b12d653a424cef86fd906f6988364ba8e5c8d47281b85c9bc403a9673d0ab9b15c43991bb34bb5471dc8b26e36f4fefc69eace1aaa77b938

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Usually
Filesize
24KB

MD5
3f5fa5969c85c7f644603b66750b23cf

SHA1
88d34ba91e2a8e8bc97ff20e1c8d16f575b0142a

SHA256
468efb2bf6ec09abdd6eba42d585b03924a7c10921e7db4d8848b3d032e08fe8

SHA512
c006dd181fc240c8e25aaf924dc7773f05171a736dfe2dd971e7fdebb19e2951ee61b56d85c202888f90d26e3f1932620e97d25419e41ef33827768bfc34187c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Van
Filesize
14KB

MD5
9b5d932f579fec083734b3b739ae0d8d

SHA1
54e5e2113006ecdd7fbceb7b043172e72a0ff50b

SHA256
0b0948a698e3db925a2b18d5a75d922af0bdcc3bc5490797303285891a92f647

SHA512
d760c12ed2477b57bce7d108fb135d017515bc8ec42102ac598f77b44a614da605d21948a6d38ff2692aaf96de69ab8a50178b701579b32c9ac15c63cf5eaf5a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Village
Filesize
25KB

MD5
f4542195b327688cc9065472f09bd5e2

SHA1
56de97a6209b480b18645c2cda6a74d5aec3316f

SHA256
271c31aa2127308ef7c97ec951ea3aba0dfe42d712429944e72ce90fe354fa70

SHA512
ffc70fe9435fc940fc9d6e71b55b0966d3d16a30bd806ef92b8e21b62401ff435e976f5e315bb914ff290c59bab8a508e614582ed8a618d565dd260fe025d2f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpCE5C.tmp
Filesize
2KB

MD5
1420d30f964eac2c85b2ccfe968eebce

SHA1
bdf9a6876578a3e38079c4f8cf5d6c79687ad750

SHA256
f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9

SHA512
6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-1ITK9.tmp\Loader.tmp
Filesize
1.5MB

MD5
ddae9feac909a5d66b2bbefe3b63b96d

SHA1
571aa938cc350ad4aadbb18e671907fcffe17c52

SHA256
ae9004faaf62e4a65d4be02d204f54a5bec3fed1c1b8b41b741ae363f36e64e6

SHA512
3c8e04e45510435ff8098e56c6f967a2c2a2120346d202352f4a82f3df32875f5cac7c7676b8f07ab03405879a393c6bd60f5c0d17d0c4f9cd41baf251a51e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-7A4LQ.tmp\Bandicam_v7.1.1.2158.tmp
Filesize
1.5MB

MD5
22fdea6634bf03f8b7e6080bff43895b

SHA1
761cc7eab102003d6d1583dd1cf33e67e34a9cc9

SHA256
1316becab4026dc52126f0e1f82cf2822ce3eff5fa56507d39a5e3449bf182f4

SHA512
acf4a57a1240e1657cacf9ca08c37b2413aa97e4e98147461e7d7f22228e184d7833b38e4e1579d62eb264a6daa5896f7d93c57fe230c9cf336c0f441b46c3d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-9N22H.tmp\_isetup\_shfoldr.dll
Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-GLQSM.tmp\Bandicam_v7.1.1.2158.tmp
Filesize
3.0MB

MD5
9885ab752261a129fd7da66832a655a0

SHA1
510dfd3c2295fdc3dc96e5f53b73d2df8b9dbb69

SHA256
d1d85d70f53b3a2df3c8ed47c0e1292344181eb120d2407c34fbf121eae95ef4

SHA512
4caabf20a7696fd71b17834d4611d6610a782bcfda334e2015ac447cd73a1abf7df92a939ce7a50d4781b1ea2cdfa2b673c34e925bdcc9f57b53d9b84e4cd6da

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-H6560.tmp\1.png
Filesize
23KB

MD5
1dd55302c74c0d48290a20e4472db1d6

SHA1
c13e9e49e887b788ba20f9dee5d8eaf0f6b91a6f

SHA256
edfd0a4ed2e6014b415aea57e9a8f3b87b781c09609aaf8d4f269f820706b61a

SHA512
b2468db76eb88c5b1fd293ad27b7b4c2b260b6ddb965ba189997251c318a7a33357304178a16d5400fe21901f3c40a2879ac044b20476d53a5bebd9c48e479db

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-H6560.tmp\Installer net.png
Filesize
11KB

MD5
1c5bfe3b17ae62449e5f9e42b762f33b

SHA1
47f77205abb1318baf5e3add0670b7ee9fbb8f24

SHA256
567a2d3cea865f672b63e6ff44fc7091173a79fa840c9d20286ecd5429029823

SHA512
07e8c8f38e4e8477248092656af2e6844e325e301647a84efd2435d9cf3e5876e17dc1baaf18435f7a90459a6ce35b47fee36f3098b74604e48c87072210cced

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-H6560.tmp\Portable.png
Filesize
23KB

MD5
89475a0f65e50ee9c484967ebc348ab7

SHA1
06ba9bcdada628fc6b0a77437c8f700004ae4648

SHA256
5f9ca566d37e1f25d19bbf5f885862808cb6b3d1a4dbcca5af812a58ae6fedf9

SHA512
d062a31dc8cacc15159e96b18f8aaa01c4457cacc7e0f6cf78b78bc30600dadfc3d12932d6ba72b03197df7d3c2d86757c474774bca3c430d7d0c8710713b0c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-H6560.tmp\_isetup\_iscrypt.dll
Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-H6560.tmp\bdmjpeg64.dll
Filesize
73KB

MD5
531f17189c60ed61bde4dcc82cc66b59

SHA1
77cf2141da3a67f51a8a02376ca9d4481f3e4614

SHA256
4d4551ae19a5aa41fd235a73a9a3bbdda68560968c33f14549fe1ad49de1ded0

SHA512
b552e8b6e84cf8df6f01b3aba48794fa30fd239cf6f43c658319f38c8a19de555f1204ef1041e57c8ca8318d2ea7c627b3f0ff384fe5768ed4e2212099b22cf1

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-H6560.tmp\bdreg.exe
Filesize
12KB

MD5
3b6f2c0f488835f80d67aca8795ce2ef

SHA1
98bf4a684606c5ea401f38f6c870672ab9fd794a

SHA256
e082eb7a81f7bce0602cf5945e270bd61eb52112c1fdff45cbd1144b4435f0bb

SHA512
69a3e5b6129a3b42557e16f60732489258ccaa04761025f4a9a53f6bb8aabda428a82fc993a7a89a17f5cbe9285da2fa541b59b785cdf57e17388f0c52b19d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-H6560.tmp\botva2.dll
Filesize
41KB

MD5
ef899fa243c07b7b82b3a45f6ec36771

SHA1
4a86313cc8766dcad1c2b00c2b8f9bbe0cf8bbbe

SHA256
da7d0368712ee419952eb2640a65a7f24e39fb7872442ed4d2ee847ec4cfde77

SHA512
3f98b5ad9adfad2111ebd1d8cbab9ae423d624d1668cc64c0bfcdbfedf30c1ce3ea6bc6bcf70f7dd1b01172a4349e7c84fb75d395ee5af73866574c1d734c6e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-H6560.tmp\eng.jpg
Filesize
704B

MD5
4ad999118697c0735eed9b5437e2ddd9

SHA1
6f4c6026e3e31f8eaac4ab9ba633cdc64541a2c1

SHA256
ee6d8d45a073ff7c69012cf34b1fa4dafed071e709f64143d57a42be5bb6e7f4

SHA512
bf62bca3fa087cedf89c93a2a4952922e6ccf4c1ad356e68db33aae59bc10309fc37d778180ad20f48c8473a9c44fde3614a19c7e762c85588af0ca83c93ecaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-H6560.tmp\icon.png
Filesize
1KB

MD5
0fc3fa76e2b356b4815f67336908eb17

SHA1
034d3c447f51b1eabac7e8bab7ea6f0bb03dc3fa

SHA256
adc9d51d602878c3992f72f70faca2102e10c39c536724ba3454c67a5059d457

SHA512
37a65744159563d9ba8ef2f6c00cc5efa4685d1f5d9edeba622745f85843ccb07aeb1946ae9152e7824d2c96316bd1465c185fe51eb222c1136213303c5159e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-H6560.tmp\iswin7logo.dll
Filesize
74KB

MD5
7363a2a5949c9f613cde458b89deecb5

SHA1
fb25bad5d2625210c4cb47a9c24b853e63d52ae0

SHA256
196390762f6393024e0c5d33b037d497c5a8cfdd6c406719c05b0081d7e45cb5

SHA512
323f8eb42f355a0dc2df2b5b2d7711842c688f770e4ea8cb671228c60e8f2dbd92468e248a824822a08ee557075b7aaa8e42ca7b870f49c4385c6b2e9227a021

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-H6560.tmp\port neaktiv.png
Filesize
11KB

MD5
893aa141cf93c75adeeb0f4e7ec917bc

SHA1
36bb3105e25671d2aa0da41e6f906f5bc24119f9

SHA256
f87de21bac4f7ee32d32f65c6754f57057bcb8b00376f13a9275e86b722c2fd9

SHA512
0a630b83b4ad69ccd0a5d48999e8702e3d8e72208a50e0b3efaecaca87d71995b8bc55c1a19918cff75710ad086d552a57bd1e861e7db2303959dc3ba2e7fb87

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-H6560.tmp\stac.png
Filesize
15KB

MD5
eaec12cf0e741d23cbf1a100e7dee23e

SHA1
d4e20ea202eccedb63c35ee138726fadf16abd9f

SHA256
b38e0315691adf47090665ec21aee0c0cb5014246cfe0edf0c1f1ff36c45d2ac

SHA512
344c5f14efc854f579e925928ff3b95e213f4cf325e1d80359d7ea756b11f11d756338a921a370f6308abe78981f8f5808f4941b4646d31c7ee1819bb8216c50

Download Submit
memory/932-911-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/932-906-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1732-942-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1944-6-0x0000000000400000-0x000000000070E000-memory.dmp

Filesize
3.1MB

Download
memory/1944-25-0x0000000000400000-0x000000000070E000-memory.dmp

Filesize
3.1MB

Download
memory/2716-957-0x00007FF7BCF80000-0x00007FF7BDCE2000-memory.dmp

Filesize
13.4MB

Download
memory/3392-676-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3392-20-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3392-988-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3392-16-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3564-718-0x0000000006DF0000-0x0000000007408000-memory.dmp

Filesize
6.1MB

Download
memory/3564-730-0x0000000007B40000-0x0000000007D02000-memory.dmp

Filesize
1.8MB

Download
memory/3564-721-0x00000000068E0000-0x000000000691C000-memory.dmp

Filesize
240KB

Download
memory/3564-692-0x00000000058F0000-0x0000000005E94000-memory.dmp

Filesize
5.6MB

Download
memory/3564-696-0x0000000005250000-0x00000000052E2000-memory.dmp

Filesize
584KB

Download
memory/3564-689-0x0000000000D00000-0x0000000000D52000-memory.dmp

Filesize
328KB

Download
memory/3564-697-0x0000000005310000-0x000000000531A000-memory.dmp

Filesize
40KB

Download
memory/3564-723-0x0000000006B90000-0x0000000006BF6000-memory.dmp

Filesize
408KB

Download
memory/3564-720-0x0000000006880000-0x0000000006892000-memory.dmp

Filesize
72KB

Download
memory/3564-731-0x0000000008690000-0x0000000008BBC000-memory.dmp

Filesize
5.2MB

Download
memory/3564-726-0x0000000008110000-0x0000000008160000-memory.dmp

Filesize
320KB

Download
memory/3564-719-0x0000000006940000-0x0000000006A4A000-memory.dmp

Filesize
1.0MB

Download
memory/3564-722-0x0000000006A50000-0x0000000006A9C000-memory.dmp

Filesize
304KB

Download
memory/3564-715-0x00000000066B0000-0x00000000066CE000-memory.dmp

Filesize
120KB

Download
memory/3564-714-0x0000000006020000-0x0000000006096000-memory.dmp

Filesize
472KB

Download
memory/3668-888-0x00007FF7BCF80000-0x00007FF7BDCE2000-memory.dmp

Filesize
13.4MB

Download
memory/3668-887-0x00007FFAAD490000-0x00007FFAAD492000-memory.dmp

Filesize
8KB

Download
memory/4192-0-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/4192-2-0x0000000000401000-0x00000000004B7000-memory.dmp

Filesize
728KB

Download
memory/4192-27-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/4684-954-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4684-919-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4880-952-0x0000000000400000-0x0000000000583000-memory.dmp

Filesize
1.5MB

Download
memory/5072-92-0x0000000003350000-0x000000000335F000-memory.dmp

Filesize
60KB

Download
memory/5072-904-0x0000000000400000-0x0000000000586000-memory.dmp

Filesize
1.5MB

Download
memory/5072-678-0x0000000003350000-0x000000000335F000-memory.dmp

Filesize
60KB

Download
memory/5072-677-0x0000000000400000-0x0000000000586000-memory.dmp

Filesize
1.5MB

Download
memory/5072-986-0x0000000000400000-0x0000000000586000-memory.dmp

Filesize
1.5MB

Download