230aa0d1c613ff36672c214652b3e86892efc9cae075be550517aa9ea68db20d

Analysis

max time kernel
1559s
max time network
1564s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
26/07/2024, 17:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bdcamsetup.exe
Size

31.5MB
MD5

cbb2dc1b64c5a21da53d79f0ad2e1bdb
SHA1

b2e411fcbccedef4d3a64133aff5d5502291b24f
SHA256

5aa1234eb23bef8628cdc9189879d629b418cd1d176c99c024a15c3bfe5e413a
SHA512

73391f29a027f1184d2ed673667b86bd96eaf97df94e4fc13c03ec8913c9ff36f3a549b7a4f79f67755cdd8f61fe906e61de1559dd884f2623add72413b4841c
SSDEEP

786432:fmDBQyG/qdx5SFTFI/Xoa74EJCvBLRUH0PYNr/h4vW:+D0qd/SFTFIcGyIpr/v

Score

5^/10

discovery persistence privilege_escalation

Malware Config

Signatures

Drops file in System32 directory 14 IoCs

description	ioc	Process
File created	C:\Windows\system32\vcomp140.dll	bdcamsetup.exe
File created	C:\Windows\system32\D3DCompiler_47.dll	bdcamsetup.exe
File created	C:\Windows\system32\msvcr110.dll	bdcamsetup.exe
File created	C:\Windows\system32\bdmpega64.acm	BDMPEG1SETUP.EXE
File created	C:\Windows\SysWOW64\D3DCompiler_47.dll	bdcamsetup.exe
File created	C:\Windows\SysWOW64\msvcp110.dll	bdcamsetup.exe
File created	C:\Windows\system32\msvcp110.dll	bdcamsetup.exe
File created	C:\Windows\SysWOW64\vcomp140.dll	bdcamsetup.exe
File created	C:\Windows\SysWOW64\msvcr110.dll	bdcamsetup.exe
File created	C:\Windows\SysWOW64\bdmpegv.dll	BDMPEG1SETUP.EXE
File created	C:\Windows\system32\bdmjpeg64.dll	BDMPEG1SETUP.EXE
File created	C:\Windows\system32\bdmpegv64.dll	BDMPEG1SETUP.EXE
File created	C:\Windows\SysWOW64\bdmjpeg.dll	BDMPEG1SETUP.EXE
File created	C:\Windows\SysWOW64\bdmpega.acm	BDMPEG1SETUP.EXE

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
844	bdcam.exe
844	bdcam.exe
1968	bdcam.exe
1968	bdcam.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Bandicam\data\effects\highlight30.dat	bdcamsetup.exe
File created	C:\Program Files\Bandicam\bdcam64.dll	bdcamsetup.exe
File created	C:\Program Files\Bandicam\translators.txt	bdcamsetup.exe
File created	C:\Program Files\Bandicam\data\stop.wav	bdcamsetup.exe
File created	C:\Program Files\Bandicam\lang\English.ini	bdcamsetup.exe
File created	C:\Program Files\Bandicam\lang\Greek.ini	bdcamsetup.exe
File created	C:\Program Files\Bandicam\lang\Russian.ini	bdcamsetup.exe
File created	C:\Program Files\Bandicam\lang\Traditional_Chinese.ini	bdcamsetup.exe
File created	C:\Program Files\Bandicam\lang\Bosnian.ini	bdcamsetup.exe
File created	C:\Program Files\Bandicam\lang\Bulgarian.ini	bdcamsetup.exe
File created	C:\Program Files\Bandicam\lang\Croatian.ini	bdcamsetup.exe
File created	C:\Program Files\Bandicam\lang\Simplified_Chinese.ini	bdcamsetup.exe
File created	C:\Program Files\Bandicam\lang\Slovenian.ini	bdcamsetup.exe
File created	C:\Program Files\Bandicam\data\sample.png	bdcamsetup.exe
File created	C:\Program Files\Bandicam\data\effects\effects20.dat	bdcamsetup.exe
File created	C:\Program Files (x86)\BandiMPEG1\uninstall.exe	BDMPEG1SETUP.EXE
File created	C:\Program Files\Bandicam\bdcamih.dll	bdcamsetup.exe
File created	C:\Program Files\Bandicam\lang\Portuguese(BR).ini	bdcamsetup.exe
File created	C:\Program Files\Bandicam\lang\Indonesian.ini	bdcamsetup.exe
File created	C:\Program Files\Bandicam\lang\Spanish.ini	bdcamsetup.exe
File created	C:\Program Files\Bandicam\lang\Ukrainian.ini	bdcamsetup.exe
File created	C:\Program Files\Bandicam\bdcam32.dll	bdcamsetup.exe
File created	C:\Program Files\Bandicam\lang\Azerbaijani.ini	bdcamsetup.exe
File created	C:\Program Files\Bandicam\lang\Burmese.ini	bdcamsetup.exe
File created	C:\Program Files\Bandicam\lang\Serbian.ini	bdcamsetup.exe
File created	C:\Program Files\Bandicam\lang\Thai.ini	bdcamsetup.exe
File created	C:\Program Files\Bandicam\bdcam32.bin	bdcamsetup.exe
File created	C:\Program Files\Bandicam\lang\khmer.ini	bdcamsetup.exe
File created	C:\Program Files\Bandicam\lang\Romanian.ini	bdcamsetup.exe
File created	C:\Program Files\Bandicam\lang\Kazakh.ini	bdcamsetup.exe
File created	C:\Program Files\Bandicam\lang\Serbian(Cyrillic).ini	bdcamsetup.exe
File created	C:\Program Files\Bandicam\data\start.wav	bdcamsetup.exe
File created	C:\Program Files\Bandicam\data\effects\highlight15.dat	bdcamsetup.exe
File created	C:\Program Files\Bandicam\bdcam_admin.lnk	bdcamsetup.exe
File created	C:\Program Files\Bandicam\bdcap64.dll	bdcamsetup.exe
File created	C:\Program Files\Bandicam\lang\Georgian.ini	bdcamsetup.exe
File created	C:\Program Files\Bandicam\lang\Italian.ini	bdcamsetup.exe
File created	C:\Program Files\Bandicam\bdcam_nonadmin.lnk	bdcamsetup.exe
File created	C:\Program Files\Bandicam\bdcap32.dll	bdcamsetup.exe
File created	C:\Program Files\Bandicam\bdcamvk64.json	bdcamsetup.exe
File created	C:\Program Files\Bandicam\lang\Hebrew.ini	bdcamsetup.exe
File created	C:\Program Files\Bandicam\lang\Malay.ini	bdcamsetup.exe
File created	C:\Program Files\Bandicam\lang\Uzbek.ini	bdcamsetup.exe
File created	C:\Program Files\Bandicam\data\camera.wav	bdcamsetup.exe
File created	C:\Program Files\Bandicam\data\effects\effects30.dat	bdcamsetup.exe
File created	C:\Program Files (x86)\BandiMPEG1\bdfilters64.dll	BDMPEG1SETUP.EXE
File created	C:\Program Files\Bandicam\bdfix.exe	bdcamsetup.exe
File created	C:\Program Files\Bandicam\bandicam.ini	bdcamsetup.exe
File created	C:\Program Files\Bandicam\lang\Slovak.ini	bdcamsetup.exe
File created	C:\Program Files\Bandicam\lang\Uyghur.ini	bdcamsetup.exe
File opened for modification	C:\Program Files\Bandicam\data\language.dat	bdcamsetup.exe
File created	C:\Program Files\Bandicam\data\skin.dat	bdcamsetup.exe
File created	C:\Program Files\Bandicam\lang\Dutch.ini	bdcamsetup.exe
File created	C:\Program Files\Bandicam\lang\Finnish.ini	bdcamsetup.exe
File created	C:\Program Files\Bandicam\lang\Sinhala.ini	bdcamsetup.exe
File created	C:\Program Files\Bandicam\data\effects\effects10.dat	bdcamsetup.exe
File created	C:\Program Files\Bandicam\bdcamvk64.dll	bdcamsetup.exe
File created	C:\Program Files\Bandicam\UnregVulkanLayer.bat	bdcamsetup.exe
File created	C:\Program Files\Bandicam\lang\Arabic.ini	bdcamsetup.exe
File created	C:\Program Files\Bandicam\lang\Latvian.ini	bdcamsetup.exe
File created	C:\Program Files\Bandicam\lang\Luxembourgish.ini	bdcamsetup.exe
File created	C:\Program Files\Bandicam\lang\Norwegian.ini	bdcamsetup.exe
File created	C:\Program Files\Bandicam\lang\Portuguese.ini	bdcamsetup.exe
File created	C:\Program Files\Bandicam\data\lclick.wav	bdcamsetup.exe

Executes dropped EXE 3 IoCs

pid	Process
2508	BDMPEG1SETUP.EXE
844	bdcam.exe
1968	bdcam.exe

Loads dropped DLL 39 IoCs

pid	Process
236	bdcamsetup.exe
236	bdcamsetup.exe
236	bdcamsetup.exe
236	bdcamsetup.exe
236	bdcamsetup.exe
236	bdcamsetup.exe
236	bdcamsetup.exe
2508	BDMPEG1SETUP.EXE
2508	BDMPEG1SETUP.EXE
2508	BDMPEG1SETUP.EXE
2508	BDMPEG1SETUP.EXE
2508	BDMPEG1SETUP.EXE
2508	BDMPEG1SETUP.EXE
1672	regsvr32.exe
2124	regsvr32.exe
2508	BDMPEG1SETUP.EXE
236	bdcamsetup.exe
236	bdcamsetup.exe
236	bdcamsetup.exe
236	bdcamsetup.exe
1816	rundll32.exe
1816	rundll32.exe
1816	rundll32.exe
1816	rundll32.exe
236	bdcamsetup.exe
1848	rundll32.exe
1848	rundll32.exe
1848	rundll32.exe
1848	rundll32.exe
236	bdcamsetup.exe
236	bdcamsetup.exe
236	bdcamsetup.exe
1228	Process not Found
1228	Process not Found
1228	Process not Found
1228	Process not Found
236	bdcamsetup.exe
236	bdcamsetup.exe
1228	Process not Found

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BDMPEG1SETUP.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bdcamsetup.exe

Modifies Internet Explorer settings 1 TTPs 41 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 404f437281dfda01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "428176843"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_SCRIPTURL_MITIGATION	bdcamsetup.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000062974e5b5f804e45b98349be16bffb78000000000200000000001066000000010000200000002c8852066765c0e4ee7d19e7459fd59e02a9b8e90a7d013e49579e7c401bb2f1000000000e80000000020000200000005b9878eafe5af3e8d4461d4f6dc127a1b83fd74139c25f9a838a356630f9b146900000005159d33b2e6c6175e653981d55400ff9ef15bf1f51dccfa6c2316e59f6dc46b087acf0c810872a5cc6ffe49b61c3ce4b7d65ccc13e8508762a36329a42ec95b45c8d8a52fc0f1bc48a7ba6f27ebba8d2ffa5e400ca36371870cc4b4f4c1c998067329a817adcb6f8cd9cee48ceed47605fbd0e622e469bdcb84d7280a29a5c85ffd6f0cb351feb39630bd88fb5fafaca40000000ae0710aac36f92bc47d6668570b129a1387754fa861665fc66d315c3fe4c14d07d287ccd2ac4b56768dbef264157214c04d1f1fbc251023cdce3c3f3e9008801	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{A10B5A21-4B74-11EF-855C-D6FE44FD4752} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_SCRIPTURL_MITIGATION\bdcam.exe = "1"	bdcamsetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION	bdcamsetup.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000062974e5b5f804e45b98349be16bffb78000000000200000000001066000000010000200000006f204982c9852242fe49e0d32c95d4ceec99a09ce204a6d5e610ad432af5deaf000000000e8000000002000020000000d86e9f5fec6cc04eb4806b76de4e5b60c50765553f9439d80909a9e04b87c9a820000000d4d3207213bec350aeba28a27ec32c6664b27dc788e4ff10af15dbd878922f64400000003093c798f0155a9deea0ce0b7068a93a8adf62554d18bb8728fb54eccc05e53e45d76111ebcbf804c98c3c8c9ad393c73c7879b4421f316674be10576a650e71	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION\bdcam.exe = "11000"	bdcamsetup.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}\ = "Bandicam MPEG-1 Video Decoder"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A1C6833E-A3EC-4397-9FA9-151792F3408F}\ = "Bandicam MPEG-1 Video Property"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}\InprocServer32\ = "C:\\Program Files (x86)\\BandiMPEG1\\bdfilters.dll"	BDMPEG1SETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A1C6833E-A3EC-4397-9FA9-151792F3408F}	BDMPEG1SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E2E7539A-CECF-4A6A-B187-939943ECEF05}\InprocServer32\ = "C:\\Program Files (x86)\\BandiMPEG1\\bdfilters64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}\CLSID = "{89C4B786-A490-4A3E-AA70-E6A8C61D3689}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}	BDMPEG1SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}\CLSID = "{89C4B786-A490-4A3E-AA70-E6A8C61D3689}"	BDMPEG1SETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E2E7539A-CECF-4A6A-B187-939943ECEF05}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F4F5C9E9-CFCC-4C65-A8BD-0423A338F188}\ = "Bandicam MPEG-1 Audio Property"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E2E7539A-CECF-4A6A-B187-939943ECEF05}	BDMPEG1SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E2E7539A-CECF-4A6A-B187-939943ECEF05}\ = "Bandicam MPEG-1 Audio Decoder"	BDMPEG1SETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}	BDMPEG1SETUP.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{E2E7539A-CECF-4A6A-B187-939943ECEF05}\FilterData = 02000000010080ff020000000000000030706933000000000000000001000000000000000000000030747933000000006000000070000000317069330800000000000000010000000000000000000000307479330000000060000000800000006175647300001000800000aa00389b715000000000001000800000aa00389b710100000000001000800000aa00389b71	BDMPEG1SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A1C6833E-A3EC-4397-9FA9-151792F3408F}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E2E7539A-CECF-4A6A-B187-939943ECEF05}\ = "Bandicam MPEG-1 Audio Decoder"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\.bfix\ = "BANDICAM.bfix"	bdcam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A1C6833E-A3EC-4397-9FA9-151792F3408F}\ = "Bandicam MPEG-1 Video Property"	BDMPEG1SETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F4F5C9E9-CFCC-4C65-A8BD-0423A338F188}\InprocServer32	BDMPEG1SETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F4F5C9E9-CFCC-4C65-A8BD-0423A338F188}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{E2E7539A-CECF-4A6A-B187-939943ECEF05}	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\BANDICAM.bfix\ = "BandiFix Recovery File"	bdcam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A1C6833E-A3EC-4397-9FA9-151792F3408F}\InprocServer32\ThreadingModel = "Both"	BDMPEG1SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F4F5C9E9-CFCC-4C65-A8BD-0423A338F188}\InprocServer32\ = "C:\\Program Files (x86)\\BandiMPEG1\\bdfilters.dll"	BDMPEG1SETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F4F5C9E9-CFCC-4C65-A8BD-0423A338F188}	BDMPEG1SETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F4F5C9E9-CFCC-4C65-A8BD-0423A338F188}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{E2E7539A-CECF-4A6A-B187-939943ECEF05}\CLSID = "{E2E7539A-CECF-4A6A-B187-939943ECEF05}"	BDMPEG1SETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F4F5C9E9-CFCC-4C65-A8BD-0423A338F188}\InprocServer32\ = "C:\\Program Files (x86)\\BandiMPEG1\\bdfilters64.dll"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\.bfix	bdcam.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\BANDICAM.bfix	bdcam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F4F5C9E9-CFCC-4C65-A8BD-0423A338F188}\InprocServer32\ThreadingModel = "Both"	BDMPEG1SETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{E2E7539A-CECF-4A6A-B187-939943ECEF05}	BDMPEG1SETUP.EXE
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\BANDICAM.bfix\DefaultIcon	bdcam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{E2E7539A-CECF-4A6A-B187-939943ECEF05}\CLSID = "{E2E7539A-CECF-4A6A-B187-939943ECEF05}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}\ = "Bandicam MPEG-1 Video Decoder"	BDMPEG1SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F4F5C9E9-CFCC-4C65-A8BD-0423A338F188}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A1C6833E-A3EC-4397-9FA9-151792F3408F}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E2E7539A-CECF-4A6A-B187-939943ECEF05}\InprocServer32\ThreadingModel = "Both"	BDMPEG1SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}\FilterData = 02000000010080ff02000000000000003070693300000000000000000200000000000000000000003074793300000000700000008000000031747933000000007000000090000000317069330800000000000000010000000000000000000000307479330000000070000000a00000007669647300001000800000aa00389b714d50454700001000800000aa00389b714d50473100001000800000aa00389b7100000000000000000000000000000000	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E2E7539A-CECF-4A6A-B187-939943ECEF05}\InprocServer32	BDMPEG1SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}\InprocServer32\ = "C:\\Program Files (x86)\\BandiMPEG1\\bdfilters64.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A1C6833E-A3EC-4397-9FA9-151792F3408F}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A1C6833E-A3EC-4397-9FA9-151792F3408F}\InprocServer32\ = "C:\\Program Files (x86)\\BandiMPEG1\\bdfilters64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}\FriendlyName = "Bandicam MPEG-1 Video Decoder"	regsvr32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{E2E7539A-CECF-4A6A-B187-939943ECEF05}\FilterData = 02000000010080ff020000000000000030706933000000000000000001000000000000000000000030747933000000006000000070000000317069330800000000000000010000000000000000000000307479330000000060000000800000006175647300001000800000aa00389b715000000000001000800000aa00389b710100000000001000800000aa00389b71	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\BANDICAM.bfix\Shell\Open\Command	bdcam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A1C6833E-A3EC-4397-9FA9-151792F3408F}\InprocServer32	BDMPEG1SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{E2E7539A-CECF-4A6A-B187-939943ECEF05}\FriendlyName = "Bandicam MPEG-1 Audio Decoder"	BDMPEG1SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}\FriendlyName = "Bandicam MPEG-1 Video Decoder"	BDMPEG1SETUP.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\BANDICAM.bfix\Shell\Open\Command\ = "\"C:\\Program Files\\Bandicam\\bdfix.exe\"\"%1\""	bdcam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}\InprocServer32\ThreadingModel = "Both"	BDMPEG1SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E2E7539A-CECF-4A6A-B187-939943ECEF05}\InprocServer32\ = "C:\\Program Files (x86)\\BandiMPEG1\\bdfilters.dll"	BDMPEG1SETUP.EXE
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\BANDICAM.bfix\Shell	bdcam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E2E7539A-CECF-4A6A-B187-939943ECEF05}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{E2E7539A-CECF-4A6A-B187-939943ECEF05}\FriendlyName = "Bandicam MPEG-1 Audio Decoder"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F4F5C9E9-CFCC-4C65-A8BD-0423A338F188}\ = "Bandicam MPEG-1 Audio Property"	BDMPEG1SETUP.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}\FilterData = 02000000010080ff02000000000000003070693300000000000000000200000000000000000000003074793300000000700000008000000031747933000000007000000090000000317069330800000000000000010000000000000000000000307479330000000070000000a00000007669647300001000800000aa00389b714d50454700001000800000aa00389b714d50473100001000800000aa00389b7100000000000000000000000000000000	BDMPEG1SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E2E7539A-CECF-4A6A-B187-939943ECEF05}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\BANDICAM.bfix\DefaultIcon\ = "C:\\Program Files\\Bandicam\\bdfix.exe"	bdcam.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\BANDICAM.bfix\Shell\Open	bdcam.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
844	bdcam.exe
1968	bdcam.exe
1968	bdcam.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeRestorePrivilege	2508	BDMPEG1SETUP.EXE
Token: SeBackupPrivilege	2508	BDMPEG1SETUP.EXE
Token: 33	1968	bdcam.exe
Token: SeIncBasePriorityPrivilege	1968	bdcam.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2024	iexplore.exe
1968	bdcam.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
1968	bdcam.exe

Suspicious use of SetWindowsHookEx 14 IoCs

pid	Process
844	bdcam.exe
2024	iexplore.exe
2024	iexplore.exe
1968	bdcam.exe
1140	IEXPLORE.EXE
1140	IEXPLORE.EXE
1968	bdcam.exe
1968	bdcam.exe
1968	bdcam.exe
1140	IEXPLORE.EXE
1140	IEXPLORE.EXE
1772	IEXPLORE.EXE
1772	IEXPLORE.EXE
2024	iexplore.exe

Suspicious use of WriteProcessMemory 47 IoCs

description	pid	Process	procid_target
PID 236 wrote to memory of 2508	236	bdcamsetup.exe	30
PID 236 wrote to memory of 2508	236	bdcamsetup.exe	30
PID 236 wrote to memory of 2508	236	bdcamsetup.exe	30
PID 236 wrote to memory of 2508	236	bdcamsetup.exe	30
PID 236 wrote to memory of 2508	236	bdcamsetup.exe	30
PID 236 wrote to memory of 2508	236	bdcamsetup.exe	30
PID 236 wrote to memory of 2508	236	bdcamsetup.exe	30
PID 2508 wrote to memory of 1672	2508	BDMPEG1SETUP.EXE	31
PID 2508 wrote to memory of 1672	2508	BDMPEG1SETUP.EXE	31
PID 2508 wrote to memory of 1672	2508	BDMPEG1SETUP.EXE	31
PID 2508 wrote to memory of 1672	2508	BDMPEG1SETUP.EXE	31
PID 2508 wrote to memory of 1672	2508	BDMPEG1SETUP.EXE	31
PID 2508 wrote to memory of 1672	2508	BDMPEG1SETUP.EXE	31
PID 2508 wrote to memory of 1672	2508	BDMPEG1SETUP.EXE	31
PID 1672 wrote to memory of 2124	1672	regsvr32.exe	32
PID 1672 wrote to memory of 2124	1672	regsvr32.exe	32
PID 1672 wrote to memory of 2124	1672	regsvr32.exe	32
PID 1672 wrote to memory of 2124	1672	regsvr32.exe	32
PID 1672 wrote to memory of 2124	1672	regsvr32.exe	32
PID 1672 wrote to memory of 2124	1672	regsvr32.exe	32
PID 1672 wrote to memory of 2124	1672	regsvr32.exe	32
PID 236 wrote to memory of 844	236	bdcamsetup.exe	33
PID 236 wrote to memory of 844	236	bdcamsetup.exe	33
PID 236 wrote to memory of 844	236	bdcamsetup.exe	33
PID 236 wrote to memory of 844	236	bdcamsetup.exe	33
PID 844 wrote to memory of 1816	844	bdcam.exe	34
PID 844 wrote to memory of 1816	844	bdcam.exe	34
PID 844 wrote to memory of 1816	844	bdcam.exe	34
PID 844 wrote to memory of 1848	844	bdcam.exe	35
PID 844 wrote to memory of 1848	844	bdcam.exe	35
PID 844 wrote to memory of 1848	844	bdcam.exe	35
PID 844 wrote to memory of 1848	844	bdcam.exe	35
PID 844 wrote to memory of 1848	844	bdcam.exe	35
PID 844 wrote to memory of 1848	844	bdcam.exe	35
PID 844 wrote to memory of 1848	844	bdcam.exe	35
PID 236 wrote to memory of 2024	236	bdcamsetup.exe	38
PID 236 wrote to memory of 2024	236	bdcamsetup.exe	38
PID 236 wrote to memory of 2024	236	bdcamsetup.exe	38
PID 236 wrote to memory of 2024	236	bdcamsetup.exe	38
PID 2024 wrote to memory of 1140	2024	iexplore.exe	39
PID 2024 wrote to memory of 1140	2024	iexplore.exe	39
PID 2024 wrote to memory of 1140	2024	iexplore.exe	39
PID 2024 wrote to memory of 1140	2024	iexplore.exe	39
PID 2024 wrote to memory of 1772	2024	iexplore.exe	42
PID 2024 wrote to memory of 1772	2024	iexplore.exe	42
PID 2024 wrote to memory of 1772	2024	iexplore.exe	42
PID 2024 wrote to memory of 1772	2024	iexplore.exe	42

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\bdcamsetup.exe
"C:\Users\Admin\AppData\Local\Temp\bdcamsetup.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:236
- C:\Users\Admin\AppData\Local\Temp\BDMPEG1SETUP.EXE
  "C:\Users\Admin\AppData\Local\Temp\BDMPEG1SETUP.EXE" /S
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2508
- - C:\Windows\SysWOW64\regsvr32.exe
    "regsvr32" /s "C:\Program Files (x86)\BandiMPEG1\bdfilters64.dll"
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1672
  - - C:\Windows\system32\regsvr32.exe
      /s "C:\Program Files (x86)\BandiMPEG1\bdfilters64.dll"
      4⤵
      Loads dropped DLL
      Modifies registry class
      PID:2124
- C:\Program Files\Bandicam\bdcam.exe
  "C:\Program Files\Bandicam\bdcam.exe" /install
  2⤵
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:844
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" "C:\Program Files\Bandicam\bdcamvk64.dll",RegDll
    3⤵
    - Loads dropped DLL
    PID:1816
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\SysWOW64\rundll32.exe" "C:\Program Files\Bandicam\bdcamvk32.dll",RegDll
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:1848
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" https://www.bandicam.com/f.php?id=eng_app_complete_install&v=2&lang=en
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2024
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2024 CREDAT:275457 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1140
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2024 CREDAT:275471 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1772

C:\Program Files\Bandicam\bdcam.exe
"C:\Program Files\Bandicam\bdcam.exe" 0x0001A5D3
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\BandiMPEG1\bdfilters64.dll

Filesize
4.6MB

MD5
13f7a29baa1e04f74151737cb71bd0e5

SHA1
0bc8682c6c96923a729aa6239aa53d95221b13ab

SHA256
008fababd36e8fbfd5f610a2c62d47963e78ec91e54ad69a1e20807445c3528d

SHA512
4cea11e88e8861c4094b227d85295c0d67452af703b0ec9dfe475797b87d03b40bc1f6b58dcc00996672c1c05d99b82dcc067bc429a1465ae90f4ec966f2bca8

Download Submit
C:\Program Files\Bandicam\bdcamvk32.dll

Filesize
1.5MB

MD5
9051ce47609c3670afedce797b9cc1c3

SHA1
6e7929058c8e011b1ac24e72f5c32570fb17b2b6

SHA256
07cfb828516e8ab690933df6012c97375b2825fa8784965eab2a4198b9b290da

SHA512
8f6712cbc68bdfb1c2b33a6231e33c57d476f20fe05299a22e95e6f47c4115a86efb750a97970aaec5132f99ff073aaa358fba63835fc1e3ef2cbce0a5009922

Download Submit
C:\Program Files\Bandicam\bdcamvk64.dll

Filesize
1.9MB

MD5
f488d01d37cdab9bbecf59632343f12f

SHA1
7d2914422378a17fa0551b71336a053e94d5a1c7

SHA256
7e3f8e9cb1c074af15384312568ff9b181cebcc452756d229adfd22fb163a1eb

SHA512
b605ba7aa17fe43a389061a77e21791845dccd55ca8a2e98cd38e0f730fe73560014de57f9069ae93906dd215c63b4f53b64b63849cdbdc13dce71052d7824b2

Download Submit
C:\Program Files\Bandicam\bdcap64.dll

Filesize
21.2MB

MD5
7214c7b4d2064db6827e2c3308a740de

SHA1
45bc92de40161252010dbde86a6637f34bcc46cb

SHA256
a7c59f782bc88f2fa39d7e7c8ec2fd2189325eb70c9e4b2dea1434cad1b768bc

SHA512
ef0ca3b5cdb5980586d886fa091efd67a51f031764628df01f3f7afb21c26484823bd86a6d29f2434b55fc766e101d80a1197d186404fe332fb1b4b0156700b6

Download Submit
C:\Program Files\Bandicam\data\language.dat

Filesize
97KB

MD5
1a2907234b069c1e52ad296bceb630f0

SHA1
202f189aa148ab080225c6fb351b5e664847f8ea

SHA256
789704bfc14da7326bb4756b7339026d8915914905e821d57a69804b11a27bf0

SHA512
27a8b36ccf0353cb0fc41d1b41f0c66cfe7c41e95a79918498051c1c70b08d9a76ca0c9ca3f5361bf12a5f26be919766a84831ed4171690ab545f68c88612c85

Download Submit
C:\Program Files\Bandicam\data\skin.dat

Filesize
886KB

MD5
2ebf0e7158b899a32ac072cc7d5f8d9b

SHA1
1b677c3e9fda3593f1fcbcc4b429800f06f3d5f7

SHA256
1814cfd6c5b79f65880fad7558a1cef35fd5f8f1f06f60e61945b58ab29f6ecd

SHA512
4b3fe1e6737296216e81b750ccac01a3ce77848fc7f6cb9344ea7ff6c352b988e8c8fe889ad7a850285e8b0fed90808aca12bfbcab206c4fdecb4b3b3f085e8d

Download Submit
C:\Program Files\Bandicam\lang\English.ini

Filesize
135KB

MD5
4eaf9f783fe06f5ed362cdcf735687af

SHA1
28a76602a253fc165c83a8026037bbb8d4594242

SHA256
a6b5b9dbfb7a51aa91cea093e05699b28b55c92878b04887c72d7a23cfcb07b3

SHA512
286db775c95c171cbd4adde118b7af7616530ffeb4d337069b323f73ae966e2de9a75934a1af80c7f103c954c838e8e56acf020c21f65aa789a77bb9fb1ff0e5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
43039a2b82bf44ac09385256bcfcfc3c

SHA1
dd456e401bce477941228abf3001648654aa8f84

SHA256
e45d8cf18e8dd9351f38b5917f29962fbd036ac5d46b7c3e5db7ff1cf5ffc81a

SHA512
b38ad38951164e48b930a2e27f1dff3d14e0e10e85ed85cd6a5fcc74244c183d0cc017e97196e0fa0127c4e0af519602e6d34bc3bb228b184c78173435c28d90

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b91a9d8d7883d2c1bc1660766643ebb6

SHA1
4543baea01a16d80aca44d2d4b9268c5699a963e

SHA256
7ef9d551d90ef9f84e51a0feb2a5df0d3cad4a074ff4388c23001f10c9a27a68

SHA512
987b5fb4debf80595dc9f93f9899c2ad3a2fea40302999a24358cf3ee064c13bb1a58ede5fa6022d8bd170ccf81d49fe9345d4ecf726d5766b9cf9aea3bc3d57

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0cd31701afc6b656478c5e81330ebdbc

SHA1
ca412b9d23d721b6f94f4002edc0d3b8339ce794

SHA256
c8d13ecbdc59f650c13029326a837fb3decd39427dac8b24be0ca4ef1032b01e

SHA512
a137631e3e426d05b7b9c5540e13d5343fe0cb936a0ed5b95568f429f0f755f1afa0619add25f2f81e7b1e6b33f2eeb989921841a09be2a17b5eba8af702d0f3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
39189b272d5668924d60813951fdf69f

SHA1
cd333c3ba4a81647e1ebfcd578dcac9a9783f242

SHA256
01e0c07cab79e5bbe56b0125156e393f537606e0157e7358f0e92c3596d7f5b8

SHA512
b3fa52f765f2827ebba1693489e74fdfad75c2ec6330fcd05cea2cf7b57954720b9274c5f27cccc4ecb11e9baf6556ae3c7bf50763628ce34aad492c3dcd1df5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2372a47753cd8810c143834698c7c3a1

SHA1
3bfe13c338a430db8c89d5cca48f819526bb28b7

SHA256
7d553194953f3ae07fe49baaaa82d75bddfc317ebe32dc7e5d9935d641a95d1c

SHA512
d010132971fca2fce651be226b3f5c88624f279089251e9f4373ab4660c161e116ce64a2f77c4bd4e3ef9d6800ad9b7f4e4244ce0d775c038353edd95c811b9c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a7af94d83c23690cf6f99e11d5aa3cab

SHA1
8f6ff890fba362da4c1ee21bbf3a7b52c006f7ec

SHA256
ee3e0cbaa720feb8f1317a825cfd7b0ceae1687046ce2e6be5591c217b4f5ea3

SHA512
8939cff5dc615fd4926dbc6b7d2909ceafcd72a9fd6abacb4ccd7a7a58b6feae006eb0242a94aa4b1355a0f4fe53f6b41c20781dec5522cac82fd33223236f75

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
650dce6bcc540b413fae0655bfea95dd

SHA1
32be869c4a7dc7c91c4e3cafa5c8a7ec02e710e1

SHA256
8b21035097d6853658ad2ef3398ef80e00a14891698c94a44f824c2e0f1476ae

SHA512
0f3e062539e0443f00a0b6d71d4e8003143d9fa6058b159805a56bfcd8a4a32bb4298ee0e429681d16c6ca719227b81809b2a0c0e3b5cb3c12e6e8dca167524e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ff9cdfe1839038757a106baa97088871

SHA1
90bac13520b97290ebad26c62afd7d73f3e380a9

SHA256
ec2f2d0ba9f138b5ea80aac2bc108efdd41733abd3c2dd775c0d3e4bd3cd8bce

SHA512
41ef7807592ae2cc97b947ba37cbe9c43b2083431cb0a7062f35aae487739bc351b500a67dc5e4b413263e17d9ffaf4beb101e4bfbdcb1de99d1bf4fec5e365f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
deac5269bf5bb01176404dec5df5a130

SHA1
dca41123d3ec4343cce4ed923c8e575815a5232d

SHA256
5514e1ae8e70fe42ef4a2b1cc429ae915668e9c4388a9cc6f9a7fcae26ac3d72

SHA512
9b90cf2b4ff87cf4886d7be1a5ba3ae680c7996fd214efaa3d1d932a87cbce2a1226c19e98efee8f850f1db99941e31814e7386ee088f3217af7eb64deaa248c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9b75ef914b2dab256f46bb90f2898b3e

SHA1
ecf258157e811bbb999b5759d0c63175e5e9d346

SHA256
413edd9ecb187f694080b8027f2fdf2f2f0b7e3435d3287da814fa9a6b83667b

SHA512
74f1b3bc88d736ecd00f49221734438ddd4d052ccfb506e4a7fc0def8a4e32cd6e2135714f3d4cd8bf8ad90dbcd919cdee8700b08c372d41081c685294c8ef23

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2c49f3697331d7f38885a1a69aeefc5a

SHA1
f96e2d0fa73c3e60acdabbca79ee4b891d3b0aec

SHA256
0074a6602a7bf6bb7a95fa4cd4e0f02599eb1c0f9f32cfa10b52c81a8b239573

SHA512
f8d8a999a6558d13558ffebc75935083349473869ac3493fab6e67ce9d2c0cf72296ee205bb5cd0acb8442d88262f6c461f0f135ea3c8edf3f6824d166953067

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ea1166920ca26b8dc763f2182c561924

SHA1
3cdb3cfb9ecc7f480caa69961b51bf7d1db466f9

SHA256
829c39227b7478a81882737740b1e26ee9c313ed5b13f9a9177fa78c0b22e56b

SHA512
521af395aef12a37453536434f2e41df0efff28d2249cb70b139f592f1b78895060e3e8ebab5ca69e59805264eb04c9333babbcaf6a7be2ab8c19655f8fd74a1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8bbf895b49f961ae3544da062b273acf

SHA1
6f0ad684afdf1bd80e0fa1983a36043f96ab5bdc

SHA256
cb37250d11f6995c6d09cf905dbcef38b603fb2d0dd8c6de6843e326ab6e8a23

SHA512
3a126d2ff8da8b6c532672eeb2d69e7bfaaf1ba89fa3e566b561f4cdf21d625b522c0a9567e500c23cc447c444a4569c54d7e39b0b388ea0187d3dcaa16f64c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2ec8a43257522eb13e2d84a8b372a8f5

SHA1
a729602ec447436874be24266f8eeb0bb7cbb170

SHA256
f58e042979c06c6c2621139c8e1a11a6222425502e115bc8fdc5fd6069eab74e

SHA512
33ff28af8434f1ac1546bbab4fa7d56f99a5d9853e7c2813734ec09fc047de945af0e7e29611664c2ad874a02d344d445e771fea4c3411ce0cd46f097db5e654

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e07c7aa3a0c5fd4d5a551acefdc54b86

SHA1
1e0fc9ad383df6cbc02e01ac5604733148fe4205

SHA256
46c8188429169bce1e254d9072a8a90f567faa85081903786f8b56bd252733ee

SHA512
98393f0f8564d98fe4ddd0d0c097863075fe5256cf32704e1c09bb0dcc4f4d4feb47ceacc6e9ad370b845845018f2b8fb5d5d61c405031f44cb8d1aa06780a2e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f4c25fbf7449b37f78d8eaef241c2d99

SHA1
7e891dce981e66e8f0e5cf77f96b1905cef8b4f2

SHA256
70089e648ef974a6a2767f876763ee7533afb08ff4ebac2f92b14044e63c5036

SHA512
741ca0b6c3b4e9bf8eb10a16c855b5466e1b2181f97d543fa875446567263d13dc4b7ef3184c05f809b06110e418551c633327db4d6d500597bcf6cf128eb0a8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
abe2d11b55bc83faca8f434565415ced

SHA1
92675012018fcf22a9a30093604b37e8faad69b0

SHA256
24c1ac6e4330ab2dd2e97269e24d7e3dab93d495a08a07f0a581ba0ebd85c18e

SHA512
37981ee4996aa32e7c20e99bbc1aaa22015c65ec1314c534cc1adc6511e36cc62d52fc9bd1dfc2418bcf772d879856d6226924173f740a172b10e2f23338b91b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1f1515398e2a4a483998e7e041901e76

SHA1
04fd32e1a448424a4fcd5971f65cc871c177ae28

SHA256
6082888f3ce91f4771c4993bdece357f6cd9e442345eeed9abb4e6067180fe55

SHA512
7e5424c37c4f5412dac1381939948c1529c6051ec72483ef3ab6394a27f194bd5c4aa6b6857d16f81a08be8a51bbe3ace1ebc0aab779b53cb79155da80c275a0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
287b217be3a6991816692df04dbbc88f

SHA1
9688f0cab0a7b798a7e8f9fac5be4eb75f27c475

SHA256
457340ab59660ab13f5eed6c133bfbe3481938840a973927dae291a0ba3bf127

SHA512
1d02474979769310299e5badda2e3bad96f3f8f12022c6eb5a37b95469980ace612ed9b386fabb5ea357b37fddebe01f85dc89c54a8b478aa4dcffd24ade6213

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabADB0.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarAE30.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso2E23.tmp\ShellExecAsUser.dll

Filesize
43KB

MD5
552cba3c6c9987e01be178e1ee22d36b

SHA1
4c0ab0127453b0b53aeb27e407859bccb229ea1b

SHA256
1f17e4d5ffe7b2c9a396ee9932ac5198f0c050241e5f9ccd3a56e576613d8a29

SHA512
9bcf47b62ca8ffa578751008cae523d279cdb1699fd916754491899c31ace99f18007ed0e2cbe9902abf132d516259b5fb283379d2fead37c76b19e2e835e95a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso2E23.tmp\ioSpecial.ini

Filesize
1KB

MD5
58a9cb88ef48da73e51968fd08e72fc5

SHA1
48d072b7d523f54320bfac847306b08f8b9dea38

SHA256
eca4b66ded0c2c81db9f10200bb318ae82f5b4f7fdfd60561b1ca399ccb1d1f7

SHA512
14ff96b6a5480352e47163c08219fe65a84662ec9ef8b3b954c0eee3e748151746824498a9e6e1e7b30ad44976d3b66e10955f025f9ac98cf5aa24d97c99f845

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso2E23.tmp\ioSpecial.ini

Filesize
1KB

MD5
7b6e59deb9e156823332c1d331069de5

SHA1
cc2464df37b5a63279835715c852ca162668a684

SHA256
e0ba462c6d500a5444bb6d7dfbde0d461d262255945da9b3d50fd6a9ecec6e1c

SHA512
7df8b59b6f8b06b5fb9c929136a812dee1fa686d968a2061726a1cc9dabac0016e8cc7a163caaa589a55e900fb197b66a27256f2343d88bf2a78087c292638be

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFE24F8BCDAE6FDF9C.TMP

Filesize
16KB

MD5
0cf850e53a134686c6d0d73b97df2717

SHA1
d1a726d4d3349fc01eadf9c022871a8aeed017a5

SHA256
76ffc21f94493417a47b06837d48dc4ca0809731c5144254aee1eab566fc2c81

SHA512
78efd39041ae6f30ce6f6404c331fe9795063b096d98ab7e73991fb4735a4d852acf7671ad810d509d6de98a1c6b64f109c24ffc80336b7286b368efbfc67b18

Download Submit
C:\Users\Admin\AppData\Roaming\Bandicam Company\BANDICAM\version.ini

Filesize
88B

MD5
af923cd9678eb10e4da1cbeb74413bf0

SHA1
7c1461527d2dc58884294cf6b9f70a85caf24390

SHA256
b3dfab5d1b753121252c149284465ba1c1651e3af1e80ce2ed5b7e7cd84efb7d

SHA512
c2905935c2945daee449f81f76254f18766dcbd4f18c832acc91728e996e60399ff0dff8d09f2aab9dc5ff477a094aa109ad8e01d98f98dca749b60a67cd7921

Download Submit
\Program Files\Bandicam\bdcam.exe

Filesize
13.4MB

MD5
995a92cc9018419ee100c0f19f40fc7f

SHA1
6a6347ac627a9fd035945c4a22b30a6d089a070a

SHA256
a8c3439c80e27c0a9eea4c13dd0fc263476a9d39ac7b0d3278be62e6e14f9ec0

SHA512
47ecd16b5d7fa1fdaedaebc075d5f12a6fed150e5309139a2d3c0559a04ced202788d24f252e7b0a775682adf90444cb1ad8be643f145dc91ab47ede55c00935

Download Submit
\Program Files\Bandicam\bdfix.exe

Filesize
3.5MB

MD5
f2e8726551d0700e627609fe2ba536da

SHA1
4144c862d8c9b82e3e734bbc72f4a8ae37ca3086

SHA256
a4f3a6df37e7fafe48dc7bb610f7525ae728b83a1acfb6837dd38e21be7e6d9c

SHA512
98262c569e63928a950be50260d4f8a47278fc9bbe1774eabf05af99af5384be2121fd0b7b5641083e37d2af6c15c32e940bbd1fa22908ec87959c98de3fd857

Download Submit
\Program Files\Bandicam\uninstall.exe

Filesize
174KB

MD5
82fde2252e6011362c52fa4f5e837348

SHA1
f8ffcdcb1faf46b9d21ad3aa7e82f80a318f5032

SHA256
0ff2cb8e8f79350255dcabc9572b6e518f368a8a181e6eb649a7b15fd285aa0b

SHA512
4bb4f696be45fb61ea0c02c3f95d5807eaf22f7358a8bf852228e3dd4e58dc6e3cf44c19077b41a97d27ce2e65806ac7e6419a215737d3779108ef076a848626

Download Submit
\Users\Admin\AppData\Local\Temp\BDMPEG1SETUP.EXE

Filesize
1.4MB

MD5
461d135a4fccd51bbae38f742e123fd3

SHA1
c12a442fbcd4a9c44102f0a560ba03d59bc501ed

SHA256
4c441e7d744a2a273f780103bcf5bcb1e32c2d9c6a32b62f9044b32107544079

SHA512
41eb816bf0cc0ca12b5c6c07517cd718b8701255ea81e94ffc937f2538b8cdf5db24751cdbc22fefd6496b767fc0d631fea76216b0363f4b625557097b3caaee

Download Submit
\Users\Admin\AppData\Local\Temp\bdfilters.dll

Filesize
4.1MB

MD5
ed730387fdcd684b756601b863c47417

SHA1
c49ed6d0d46facf4ceaeb21f5d6bfdf9e3587fde

SHA256
9cbc29696ad2d582e251bf9c4be5cce618753fa43551d2474e1ae5cc5e1245e5

SHA512
e32df727799d33922c6e92f94a7bdb0bc2772d6a6636d15e285d94d3ae4661062e5bc89ec3546b76ec853398f88d972f461327ef687f89093acf1096560d5c3f

Download Submit
\Users\Admin\AppData\Local\Temp\nso2E23.tmp\Dialer.dll

Filesize
3KB

MD5
6e7e197ffa13cea15434b221b96b3202

SHA1
5fc93dca4a33d79d8601e888daa21a1d0e02eab3

SHA256
cb94aead070194af4d3b01f80ef85f227a70b5cfcfa305d26c3b42b8853ac6b4

SHA512
4d294929ba55e145027107aeef135d918f2d6ec4a7e3b9fc8fc028924019d1987c12202cf37e9adf18a70a02fb321de7f060c4977de874687fc8a4d924cfb19e

Download Submit
\Users\Admin\AppData\Local\Temp\nso2E23.tmp\InstallOptions.dll

Filesize
15KB

MD5
720304c57dcfa17751ed455b3bb9c10a

SHA1
59a1c3a746de10b8875229ff29006f1fd36b1e41

SHA256
6486029d3939231bd9f10457fd9a5ab2e44f30315af443197a3347df4e18c4e9

SHA512
c64c161290f5c21d642ecf16cc6ad3ee4a31bf5bab41c65c74907a5c158eaca429ef99cd8d2b55dc2ecb8478bb0b85c1576402389a07568f36c871b2772ead04

Download Submit
\Users\Admin\AppData\Local\Temp\nso2E23.tmp\LangDLL.dll

Filesize
5KB

MD5
f1e9eed02db3a822a7ddef0c724e5f1f

SHA1
65864992f5b6c79c5efbefb5b1354648a8a86709

SHA256
6dff504c6759c418c6635c9b25b8c91d0d9ef7787a3a93610d7670bb563c09df

SHA512
c22b64fff76b25cf53231b8636f07b361d95791c4646787ce7beac27ad6a0de88337dcceb25b5196f97c452dda72e2614647f51a8a18cb4d5228a82ed2e0780c

Download Submit
\Users\Admin\AppData\Local\Temp\nso2E23.tmp\System.dll

Filesize
11KB

MD5
17ed1c86bd67e78ade4712be48a7d2bd

SHA1
1cc9fe86d6d6030b4dae45ecddce5907991c01a0

SHA256
bd046e6497b304e4ea4ab102cab2b1f94ce09bde0eebba4c59942a732679e4eb

SHA512
0cbed521e7d6d1f85977b3f7d3ca7ac34e1b5495b69fd8c7bfa1a846baf53b0ecd06fe1ad02a3599082ffacaf8c71a3bb4e32dec05f8e24859d736b828092cd5

Download Submit
\Users\Admin\AppData\Local\Temp\nso2E23.tmp\UserInfo.dll

Filesize
4KB

MD5
1b446b36f5b4022d50ffdc0cf567b24a

SHA1
d9a0a99fe5ea3932cbd2774af285ddf35fcdd4f9

SHA256
2862c7bc7f11715cebdea003564a0d70bf42b73451e2b672110e1392ec392922

SHA512
04ab80568f6da5eef2bae47056391a5de4ba6aff15cf4a2d0a9cc807816bf565161731921c65fe5ff748d2b86d1661f6aa4311c65992350bd63a9f092019f1b8

Download Submit
\Users\Admin\AppData\Local\Temp\nso7438.tmp\System.dll

Filesize
11KB

MD5
959ea64598b9a3e494c00e8fa793be7e

SHA1
40f284a3b92c2f04b1038def79579d4b3d066ee0

SHA256
03cd57ab00236c753e7ddeee8ee1c10839ace7c426769982365531042e1f6f8b

SHA512
5e765e090f712beffce40c5264674f430b08719940d66e3a4d4a516fd4ade859f7853f614d9d6bbb602780de54e11110d66dbb0f9ca20ef6096ede531f9f6d64

Download Submit
memory/236-464-0x0000000000770000-0x0000000000772000-memory.dmp

Filesize
8KB

Download
memory/844-250-0x000000013F860000-0x00000001405C9000-memory.dmp

Filesize
13.4MB

Download
memory/844-249-0x0000000077A10000-0x0000000077A12000-memory.dmp

Filesize
8KB

Download
memory/844-245-0x0000000077A10000-0x0000000077A12000-memory.dmp

Filesize
8KB

Download
memory/844-247-0x0000000077A10000-0x0000000077A12000-memory.dmp

Filesize
8KB

Download
memory/1968-496-0x000000013FDE0000-0x0000000140B49000-memory.dmp

Filesize
13.4MB

Download
memory/1968-944-0x0000000000230000-0x000000000023A000-memory.dmp

Filesize
40KB

Download
memory/1968-945-0x0000000000230000-0x000000000023A000-memory.dmp

Filesize
40KB

Download
memory/1968-495-0x0000000077A10000-0x0000000077A12000-memory.dmp

Filesize
8KB

Download
memory/1968-499-0x0000000000230000-0x000000000023A000-memory.dmp

Filesize
40KB

Download
memory/1968-497-0x0000000000230000-0x000000000023A000-memory.dmp

Filesize
40KB

Download
memory/1968-498-0x0000000000230000-0x000000000023A000-memory.dmp

Filesize
40KB

Download