230aa0d1c613ff36672c214652b3e86892efc9cae075be550517aa9ea68db20d

Analysis

max time kernel
1799s
max time network
1704s
platform
windows11-21h2_x64
resource
win11-20240709-en
resource tags

arch:x64arch:x86image:win11-20240709-enlocale:en-usos:windows11-21h2-x64system
submitted
26/07/2024, 17:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bdcamsetup.exe
Size

31.5MB
MD5

cbb2dc1b64c5a21da53d79f0ad2e1bdb
SHA1

b2e411fcbccedef4d3a64133aff5d5502291b24f
SHA256

5aa1234eb23bef8628cdc9189879d629b418cd1d176c99c024a15c3bfe5e413a
SHA512

73391f29a027f1184d2ed673667b86bd96eaf97df94e4fc13c03ec8913c9ff36f3a549b7a4f79f67755cdd8f61fe906e61de1559dd884f2623add72413b4841c
SSDEEP

786432:fmDBQyG/qdx5SFTFI/Xoa74EJCvBLRUH0PYNr/h4vW:+D0qd/SFTFIcGyIpr/v

Score

5^/10

discovery persistence privilege_escalation

Malware Config

Signatures

Drops file in System32 directory 14 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\bdmpega.acm	BDMPEG1SETUP.EXE
File created	C:\Windows\system32\msvcr110.dll	bdcamsetup.exe
File created	C:\Windows\system32\msvcp110.dll	bdcamsetup.exe
File created	C:\Windows\SysWOW64\bdmpegv.dll	BDMPEG1SETUP.EXE
File created	C:\Windows\SysWOW64\D3DCompiler_47.dll	bdcamsetup.exe
File created	C:\Windows\system32\D3DCompiler_47.dll	bdcamsetup.exe
File created	C:\Windows\SysWOW64\vcomp140.dll	bdcamsetup.exe
File created	C:\Windows\system32\bdmpegv64.dll	BDMPEG1SETUP.EXE
File created	C:\Windows\system32\bdmpega64.acm	BDMPEG1SETUP.EXE
File created	C:\Windows\SysWOW64\msvcr110.dll	bdcamsetup.exe
File created	C:\Windows\SysWOW64\msvcp110.dll	bdcamsetup.exe
File created	C:\Windows\system32\bdmjpeg64.dll	BDMPEG1SETUP.EXE
File created	C:\Windows\system32\vcomp140.dll	bdcamsetup.exe
File created	C:\Windows\SysWOW64\bdmjpeg.dll	BDMPEG1SETUP.EXE

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
4224	bdcam.exe
4224	bdcam.exe
1276	bdcam.exe
1276	bdcam.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Bandicam\bdcam.exe	bdcamsetup.exe
File created	C:\Program Files\Bandicam\encap64.dll	bdcamsetup.exe
File created	C:\Program Files\Bandicam\lang\Georgian.ini	bdcamsetup.exe
File created	C:\Program Files\Bandicam\lang\Italian.ini	bdcamsetup.exe
File created	C:\Program Files\Bandicam\lang\Kazakh.ini	bdcamsetup.exe
File created	C:\Program Files\Bandicam\data\effects\effects20.dat	bdcamsetup.exe
File created	C:\Program Files (x86)\BandiMPEG1\bdfilters.dll	BDMPEG1SETUP.EXE
File created	C:\Program Files\Bandicam\bdcam_admin.lnk	bdcamsetup.exe
File created	C:\Program Files\Bandicam\bdcamvk64.dll	bdcamsetup.exe
File created	C:\Program Files\Bandicam\lang\English.ini	bdcamsetup.exe
File created	C:\Program Files\Bandicam\lang\Swedish.ini	bdcamsetup.exe
File created	C:\Program Files\Bandicam\data\effects\highlight15.dat	bdcamsetup.exe
File created	C:\Program Files\Bandicam\bdcap32.dll	bdcamsetup.exe
File created	C:\Program Files\Bandicam\lang\Malay.ini	bdcamsetup.exe
File created	C:\Program Files\Bandicam\lang\Turkish.ini	bdcamsetup.exe
File created	C:\Program Files\Bandicam\data\sample.png	bdcamsetup.exe
File created	C:\Program Files\Bandicam\bdcamih.dll	bdcamsetup.exe
File created	C:\Program Files\Bandicam\bandicam.ini	bdcamsetup.exe
File created	C:\Program Files\Bandicam\data\effects\effects15.dat	bdcamsetup.exe
File created	C:\Program Files (x86)\BandiMPEG1\uninstall.exe	BDMPEG1SETUP.EXE
File created	C:\Program Files\Bandicam\bdcap64.dll	bdcamsetup.exe
File created	C:\Program Files\Bandicam\bdcam64.dll	bdcamsetup.exe
File created	C:\Program Files\Bandicam\bdcamvk32.dll	bdcamsetup.exe
File created	C:\Program Files\Bandicam\lang\Croatian.ini	bdcamsetup.exe
File created	C:\Program Files\Bandicam\lang\Indonesian.ini	bdcamsetup.exe
File created	C:\Program Files\Bandicam\data\language.dat	bdcamsetup.exe
File created	C:\Program Files\Bandicam\data\effects\effects30.dat	bdcamsetup.exe
File created	C:\Program Files\Bandicam\data\effects\highlight30.dat	bdcamsetup.exe
File created	C:\Program Files\Bandicam\bdcam32.dll	bdcamsetup.exe
File created	C:\Program Files\Bandicam\lang\Armenian.ini	bdcamsetup.exe
File created	C:\Program Files\Bandicam\bdcam_nonadmin.lnk	bdcamsetup.exe
File created	C:\Program Files\Bandicam\translators.txt	bdcamsetup.exe
File created	C:\Program Files\Bandicam\lang\Finnish.ini	bdcamsetup.exe
File created	C:\Program Files\Bandicam\lang\Norwegian.ini	bdcamsetup.exe
File created	C:\Program Files\Bandicam\lang\Sinhala.ini	bdcamsetup.exe
File created	C:\Program Files\Bandicam\lang\Traditional_Chinese.ini	bdcamsetup.exe
File created	C:\Program Files\Bandicam\bdcam_safemode.lnk	bdcamsetup.exe
File created	C:\Program Files\Bandicam\bdcamvk32.json	bdcamsetup.exe
File created	C:\Program Files\Bandicam\lang\Arabic.ini	bdcamsetup.exe
File created	C:\Program Files\Bandicam\lang\Hebrew.ini	bdcamsetup.exe
File created	C:\Program Files\Bandicam\lang\Russian.ini	bdcamsetup.exe
File created	C:\Program Files\Bandicam\lang\Thai.ini	bdcamsetup.exe
File created	C:\Program Files\Bandicam\lang\Luxembourgish.ini	bdcamsetup.exe
File created	C:\Program Files\Bandicam\lang\Romanian.ini	bdcamsetup.exe
File created	C:\Program Files\Bandicam\data\rclick.wav	bdcamsetup.exe
File created	C:\Program Files\Bandicam\data\effects\effects10.dat	bdcamsetup.exe
File created	C:\Program Files\Bandicam\uninstall.exe	bdcamsetup.exe
File created	C:\Program Files (x86)\BandiMPEG1\bdfilters64.dll	BDMPEG1SETUP.EXE
File created	C:\Program Files\Bandicam\bdcamvk64.json	bdcamsetup.exe
File created	C:\Program Files\Bandicam\lang\Bosnian.ini	bdcamsetup.exe
File created	C:\Program Files\Bandicam\lang\Lithuanian.ini	bdcamsetup.exe
File created	C:\Program Files\Bandicam\lang\Serbian(Cyrillic).ini	bdcamsetup.exe
File created	C:\Program Files\Bandicam\lang\Ukrainian.ini	bdcamsetup.exe
File created	C:\Program Files\Bandicam\data\skin.dat	bdcamsetup.exe
File created	C:\Program Files\Bandicam\data\lclick.wav	bdcamsetup.exe
File created	C:\Program Files\Bandicam\lang\Bulgarian.ini	bdcamsetup.exe
File created	C:\Program Files\Bandicam\lang\Burmese.ini	bdcamsetup.exe
File created	C:\Program Files\Bandicam\lang\Czech.ini	bdcamsetup.exe
File created	C:\Program Files\Bandicam\lang\French.ini	bdcamsetup.exe
File created	C:\Program Files\Bandicam\lang\Hungarian.ini	bdcamsetup.exe
File created	C:\Program Files\Bandicam\lang\Polish.ini	bdcamsetup.exe
File created	C:\Program Files\Bandicam\lang\Slovenian.ini	bdcamsetup.exe
File created	C:\Program Files\Bandicam\lang\Portuguese(BR).ini	bdcamsetup.exe
File created	C:\Program Files\Bandicam\data\camera.wav	bdcamsetup.exe

Executes dropped EXE 3 IoCs

pid	Process
5008	BDMPEG1SETUP.EXE
4224	bdcam.exe
1276	bdcam.exe

Loads dropped DLL 18 IoCs

pid	Process
1112	bdcamsetup.exe
1112	bdcamsetup.exe
1112	bdcamsetup.exe
1112	bdcamsetup.exe
1112	bdcamsetup.exe
1112	bdcamsetup.exe
1112	bdcamsetup.exe
1112	bdcamsetup.exe
1112	bdcamsetup.exe
5008	BDMPEG1SETUP.EXE
4848	regsvr32.exe
4436	regsvr32.exe
5008	BDMPEG1SETUP.EXE
4984	rundll32.exe
4552	rundll32.exe
1112	bdcamsetup.exe
1112	bdcamsetup.exe
1112	bdcamsetup.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bdcamsetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BDMPEG1SETUP.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION	bdcamsetup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\bdcam.exe = "11000"	bdcamsetup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_SCRIPTURL_MITIGATION	bdcamsetup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SCRIPTURL_MITIGATION\bdcam.exe = "1"	bdcamsetup.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000_Classes\BANDICAM.bfix\Shell\Open\Command	bdcam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}\CLSID = "{89C4B786-A490-4A3E-AA70-E6A8C61D3689}"	BDMPEG1SETUP.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}\FilterData = 02000000010080ff02000000000000003070693300000000000000000200000000000000000000003074793300000000700000008000000031747933000000007000000090000000317069330800000000000000010000000000000000000000307479330000000070000000a00000007669647300001000800000aa00389b714d50454700001000800000aa00389b714d50473100001000800000aa00389b7100000000000000000000000000000000	BDMPEG1SETUP.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000_Classes\BANDICAM.bfix\Shell\Open\Command\ = "\"C:\\Program Files\\Bandicam\\bdfix.exe\"\"%1\""	bdcam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E2E7539A-CECF-4A6A-B187-939943ECEF05}	BDMPEG1SETUP.EXE
Key created	\REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000_Classes\BANDICAM.bfix\DefaultIcon	bdcam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A1C6833E-A3EC-4397-9FA9-151792F3408F}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F4F5C9E9-CFCC-4C65-A8BD-0423A338F188}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F4F5C9E9-CFCC-4C65-A8BD-0423A338F188}\ = "Bandicam MPEG-1 Audio Property"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F4F5C9E9-CFCC-4C65-A8BD-0423A338F188}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000_Classes\.bfix\ = "BANDICAM.bfix"	bdcam.exe
Key created	\REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000_Classes\BANDICAM.bfix	bdcam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}	BDMPEG1SETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F4F5C9E9-CFCC-4C65-A8BD-0423A338F188}\InprocServer32	BDMPEG1SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E2E7539A-CECF-4A6A-B187-939943ECEF05}\ = "Bandicam MPEG-1 Audio Decoder"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E2E7539A-CECF-4A6A-B187-939943ECEF05}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}\CLSID = "{89C4B786-A490-4A3E-AA70-E6A8C61D3689}"	regsvr32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}\FilterData = 02000000010080ff02000000000000003070693300000000000000000200000000000000000000003074793300000000700000008000000031747933000000007000000090000000317069330800000000000000010000000000000000000000307479330000000070000000a00000007669647300001000800000aa00389b714d50454700001000800000aa00389b714d50473100001000800000aa00389b7100000000000000000000000000000000	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000_Classes\BANDICAM.bfix\Shell	bdcam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{E2E7539A-CECF-4A6A-B187-939943ECEF05}\FriendlyName = "Bandicam MPEG-1 Audio Decoder"	BDMPEG1SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A1C6833E-A3EC-4397-9FA9-151792F3408F}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E2E7539A-CECF-4A6A-B187-939943ECEF05}\InprocServer32\ = "C:\\Program Files (x86)\\BandiMPEG1\\bdfilters.dll"	BDMPEG1SETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F4F5C9E9-CFCC-4C65-A8BD-0423A338F188}	BDMPEG1SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F4F5C9E9-CFCC-4C65-A8BD-0423A338F188}\InprocServer32\ = "C:\\Program Files (x86)\\BandiMPEG1\\bdfilters.dll"	BDMPEG1SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}\FriendlyName = "Bandicam MPEG-1 Video Decoder"	BDMPEG1SETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{E2E7539A-CECF-4A6A-B187-939943ECEF05}	BDMPEG1SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}\InprocServer32\ = "C:\\Program Files (x86)\\BandiMPEG1\\bdfilters64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}\InprocServer32\ = "C:\\Program Files (x86)\\BandiMPEG1\\bdfilters.dll"	BDMPEG1SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A1C6833E-A3EC-4397-9FA9-151792F3408F}\InprocServer32\ThreadingModel = "Both"	BDMPEG1SETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{E2E7539A-CECF-4A6A-B187-939943ECEF05}	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000_Classes\.bfix	bdcam.exe
Key created	\REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000_Classes\BANDICAM.bfix\Shell\Open	bdcam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A1C6833E-A3EC-4397-9FA9-151792F3408F}\InprocServer32	BDMPEG1SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{E2E7539A-CECF-4A6A-B187-939943ECEF05}\CLSID = "{E2E7539A-CECF-4A6A-B187-939943ECEF05}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F4F5C9E9-CFCC-4C65-A8BD-0423A338F188}\InprocServer32\ = "C:\\Program Files (x86)\\BandiMPEG1\\bdfilters64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{E2E7539A-CECF-4A6A-B187-939943ECEF05}\CLSID = "{E2E7539A-CECF-4A6A-B187-939943ECEF05}"	BDMPEG1SETUP.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{E2E7539A-CECF-4A6A-B187-939943ECEF05}\FilterData = 02000000010080ff020000000000000030706933000000000000000001000000000000000000000030747933000000006000000070000000317069330800000000000000010000000000000000000000307479330000000060000000800000006175647300001000800000aa00389b715000000000001000800000aa00389b710100000000001000800000aa00389b71	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A1C6833E-A3EC-4397-9FA9-151792F3408F}\ = "Bandicam MPEG-1 Video Property"	BDMPEG1SETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E2E7539A-CECF-4A6A-B187-939943ECEF05}\InprocServer32	BDMPEG1SETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A1C6833E-A3EC-4397-9FA9-151792F3408F}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A1C6833E-A3EC-4397-9FA9-151792F3408F}\InprocServer32\ = "C:\\Program Files (x86)\\BandiMPEG1\\bdfilters64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}\FriendlyName = "Bandicam MPEG-1 Video Decoder"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A1C6833E-A3EC-4397-9FA9-151792F3408F}\InprocServer32\ = "C:\\Program Files (x86)\\BandiMPEG1\\bdfilters.dll"	BDMPEG1SETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000_Classes\BANDICAM.bfix\ = "BandiFix Recovery File"	bdcam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E2E7539A-CECF-4A6A-B187-939943ECEF05}\InprocServer32\ = "C:\\Program Files (x86)\\BandiMPEG1\\bdfilters64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}\InprocServer32\ThreadingModel = "Both"	BDMPEG1SETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E2E7539A-CECF-4A6A-B187-939943ECEF05}	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000_Classes\BANDICAM.bfix\DefaultIcon\ = "C:\\Program Files\\Bandicam\\bdfix.exe"	bdcam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F4F5C9E9-CFCC-4C65-A8BD-0423A338F188}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}\ = "Bandicam MPEG-1 Video Decoder"	BDMPEG1SETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}\InprocServer32	BDMPEG1SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E2E7539A-CECF-4A6A-B187-939943ECEF05}\ = "Bandicam MPEG-1 Audio Decoder"	BDMPEG1SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F4F5C9E9-CFCC-4C65-A8BD-0423A338F188}\InprocServer32\ThreadingModel = "Both"	BDMPEG1SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F4F5C9E9-CFCC-4C65-A8BD-0423A338F188}\ = "Bandicam MPEG-1 Audio Property"	BDMPEG1SETUP.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{E2E7539A-CECF-4A6A-B187-939943ECEF05}\FilterData = 02000000010080ff020000000000000030706933000000000000000001000000000000000000000030747933000000006000000070000000317069330800000000000000010000000000000000000000307479330000000060000000800000006175647300001000800000aa00389b715000000000001000800000aa00389b710100000000001000800000aa00389b71	BDMPEG1SETUP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}	BDMPEG1SETUP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{89C4B786-A490-4A3E-AA70-E6A8C61D3689}\ = "Bandicam MPEG-1 Video Decoder"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A1C6833E-A3EC-4397-9FA9-151792F3408F}\ = "Bandicam MPEG-1 Video Property"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E2E7539A-CECF-4A6A-B187-939943ECEF05}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{E2E7539A-CECF-4A6A-B187-939943ECEF05}\FriendlyName = "Bandicam MPEG-1 Audio Decoder"	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
4224	bdcam.exe
4224	bdcam.exe
1276	bdcam.exe
1276	bdcam.exe
1276	bdcam.exe
1276	bdcam.exe
2028	msedge.exe
2028	msedge.exe
1636	msedge.exe
1636	msedge.exe
1828	identity_helper.exe
1828	identity_helper.exe
3168	msedge.exe
3168	msedge.exe
752	msedge.exe
752	msedge.exe
752	msedge.exe
752	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: 33	4992	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4992	AUDIODG.EXE
Token: 33	1276	bdcam.exe
Token: SeIncBasePriorityPrivilege	1276	bdcam.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1276	bdcam.exe

Suspicious use of SendNotifyMessage 13 IoCs

pid	Process
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1276	bdcam.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
4224	bdcam.exe
1276	bdcam.exe
1276	bdcam.exe
1276	bdcam.exe
1276	bdcam.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1112 wrote to memory of 5008	1112	bdcamsetup.exe	78
PID 1112 wrote to memory of 5008	1112	bdcamsetup.exe	78
PID 1112 wrote to memory of 5008	1112	bdcamsetup.exe	78
PID 5008 wrote to memory of 4848	5008	BDMPEG1SETUP.EXE	79
PID 5008 wrote to memory of 4848	5008	BDMPEG1SETUP.EXE	79
PID 5008 wrote to memory of 4848	5008	BDMPEG1SETUP.EXE	79
PID 4848 wrote to memory of 4436	4848	regsvr32.exe	80
PID 4848 wrote to memory of 4436	4848	regsvr32.exe	80
PID 1112 wrote to memory of 4224	1112	bdcamsetup.exe	81
PID 1112 wrote to memory of 4224	1112	bdcamsetup.exe	81
PID 4224 wrote to memory of 4984	4224	bdcam.exe	82
PID 4224 wrote to memory of 4984	4224	bdcam.exe	82
PID 4224 wrote to memory of 4552	4224	bdcam.exe	83
PID 4224 wrote to memory of 4552	4224	bdcam.exe	83
PID 4224 wrote to memory of 4552	4224	bdcam.exe	83
PID 1112 wrote to memory of 1636	1112	bdcamsetup.exe	88
PID 1112 wrote to memory of 1636	1112	bdcamsetup.exe	88
PID 1636 wrote to memory of 3620	1636	msedge.exe	89
PID 1636 wrote to memory of 3620	1636	msedge.exe	89
PID 1636 wrote to memory of 4644	1636	msedge.exe	90
PID 1636 wrote to memory of 4644	1636	msedge.exe	90
PID 1636 wrote to memory of 4644	1636	msedge.exe	90
PID 1636 wrote to memory of 4644	1636	msedge.exe	90
PID 1636 wrote to memory of 4644	1636	msedge.exe	90
PID 1636 wrote to memory of 4644	1636	msedge.exe	90
PID 1636 wrote to memory of 4644	1636	msedge.exe	90
PID 1636 wrote to memory of 4644	1636	msedge.exe	90
PID 1636 wrote to memory of 4644	1636	msedge.exe	90
PID 1636 wrote to memory of 4644	1636	msedge.exe	90
PID 1636 wrote to memory of 4644	1636	msedge.exe	90
PID 1636 wrote to memory of 4644	1636	msedge.exe	90
PID 1636 wrote to memory of 4644	1636	msedge.exe	90
PID 1636 wrote to memory of 4644	1636	msedge.exe	90
PID 1636 wrote to memory of 4644	1636	msedge.exe	90
PID 1636 wrote to memory of 4644	1636	msedge.exe	90
PID 1636 wrote to memory of 4644	1636	msedge.exe	90
PID 1636 wrote to memory of 4644	1636	msedge.exe	90
PID 1636 wrote to memory of 4644	1636	msedge.exe	90
PID 1636 wrote to memory of 4644	1636	msedge.exe	90
PID 1636 wrote to memory of 4644	1636	msedge.exe	90
PID 1636 wrote to memory of 4644	1636	msedge.exe	90
PID 1636 wrote to memory of 4644	1636	msedge.exe	90
PID 1636 wrote to memory of 4644	1636	msedge.exe	90
PID 1636 wrote to memory of 4644	1636	msedge.exe	90
PID 1636 wrote to memory of 4644	1636	msedge.exe	90
PID 1636 wrote to memory of 4644	1636	msedge.exe	90
PID 1636 wrote to memory of 4644	1636	msedge.exe	90
PID 1636 wrote to memory of 4644	1636	msedge.exe	90
PID 1636 wrote to memory of 4644	1636	msedge.exe	90
PID 1636 wrote to memory of 4644	1636	msedge.exe	90
PID 1636 wrote to memory of 4644	1636	msedge.exe	90
PID 1636 wrote to memory of 4644	1636	msedge.exe	90
PID 1636 wrote to memory of 4644	1636	msedge.exe	90
PID 1636 wrote to memory of 4644	1636	msedge.exe	90
PID 1636 wrote to memory of 4644	1636	msedge.exe	90
PID 1636 wrote to memory of 4644	1636	msedge.exe	90
PID 1636 wrote to memory of 4644	1636	msedge.exe	90
PID 1636 wrote to memory of 4644	1636	msedge.exe	90
PID 1636 wrote to memory of 4644	1636	msedge.exe	90
PID 1636 wrote to memory of 2028	1636	msedge.exe	91
PID 1636 wrote to memory of 2028	1636	msedge.exe	91
PID 1636 wrote to memory of 1124	1636	msedge.exe	92
PID 1636 wrote to memory of 1124	1636	msedge.exe	92
PID 1636 wrote to memory of 1124	1636	msedge.exe	92

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\bdcamsetup.exe
"C:\Users\Admin\AppData\Local\Temp\bdcamsetup.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:1112
- C:\Users\Admin\AppData\Local\Temp\BDMPEG1SETUP.EXE
  "C:\Users\Admin\AppData\Local\Temp\BDMPEG1SETUP.EXE" /S
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:5008
- - C:\Windows\SysWOW64\regsvr32.exe
    "regsvr32" /s "C:\Program Files (x86)\BandiMPEG1\bdfilters64.dll"
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4848
  - - C:\Windows\system32\regsvr32.exe
      /s "C:\Program Files (x86)\BandiMPEG1\bdfilters64.dll"
      4⤵
      Loads dropped DLL
      Modifies registry class
      PID:4436
- C:\Program Files\Bandicam\bdcam.exe
  "C:\Program Files\Bandicam\bdcam.exe" /install
  2⤵
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4224
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" "C:\Program Files\Bandicam\bdcamvk64.dll",RegDll
    3⤵
    - Loads dropped DLL
    PID:4984
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\SysWOW64\rundll32.exe" "C:\Program Files\Bandicam\bdcamvk32.dll",RegDll
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:4552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.bandicam.com/f.php?id=eng_app_complete_install&v=2&lang=en
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1636
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8196f3cb8,0x7ff8196f3cc8,0x7ff8196f3cd8
    3⤵
    PID:3620
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1920,8604453744555043982,9839554389749866790,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1948 /prefetch:2
    3⤵
    PID:4644
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1920,8604453744555043982,9839554389749866790,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2356 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2028
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1920,8604453744555043982,9839554389749866790,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2788 /prefetch:8
    3⤵
    PID:1124
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,8604453744555043982,9839554389749866790,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
    3⤵
    PID:5008
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,8604453744555043982,9839554389749866790,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
    3⤵
    PID:2924
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,8604453744555043982,9839554389749866790,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4780 /prefetch:1
    3⤵
    PID:2308
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,8604453744555043982,9839554389749866790,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5348 /prefetch:1
    3⤵
    PID:720
- - C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1920,8604453744555043982,9839554389749866790,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5584 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1828
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,8604453744555043982,9839554389749866790,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5572 /prefetch:1
    3⤵
    PID:880
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,8604453744555043982,9839554389749866790,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5628 /prefetch:1
    3⤵
    PID:448
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1920,8604453744555043982,9839554389749866790,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6060 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3168
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,8604453744555043982,9839554389749866790,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5792 /prefetch:1
    3⤵
    PID:1844
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,8604453744555043982,9839554389749866790,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5428 /prefetch:1
    3⤵
    PID:3036
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1920,8604453744555043982,9839554389749866790,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4740 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:752

C:\Program Files\Bandicam\bdcam.exe
"C:\Program Files\Bandicam\bdcam.exe" 0x0001A5D3
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1276

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1672

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3952

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004F4 0x00000000000004C8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\BandiMPEG1\bdfilters.dll

Filesize
4.1MB

MD5
ed730387fdcd684b756601b863c47417

SHA1
c49ed6d0d46facf4ceaeb21f5d6bfdf9e3587fde

SHA256
9cbc29696ad2d582e251bf9c4be5cce618753fa43551d2474e1ae5cc5e1245e5

SHA512
e32df727799d33922c6e92f94a7bdb0bc2772d6a6636d15e285d94d3ae4661062e5bc89ec3546b76ec853398f88d972f461327ef687f89093acf1096560d5c3f

Download Submit
C:\Program Files (x86)\BandiMPEG1\bdfilters64.dll

Filesize
4.6MB

MD5
13f7a29baa1e04f74151737cb71bd0e5

SHA1
0bc8682c6c96923a729aa6239aa53d95221b13ab

SHA256
008fababd36e8fbfd5f610a2c62d47963e78ec91e54ad69a1e20807445c3528d

SHA512
4cea11e88e8861c4094b227d85295c0d67452af703b0ec9dfe475797b87d03b40bc1f6b58dcc00996672c1c05d99b82dcc067bc429a1465ae90f4ec966f2bca8

Download Submit
C:\Program Files\Bandicam\bandicam.ini

Filesize
27B

MD5
d025f448d8dde9678a0bf6dac26a61fa

SHA1
c457f5ceffb60e233e131187bb7d11e20ce831f2

SHA256
cac812c36cbbe7821ac92669643572fd33002815976a43d1820d47205f264f6b

SHA512
e5ed08fe970d0f2293792982a52616efc69fc0cf3e3b3a2e96f083ed72fe06e4bfa6ae23d7c04d6a0483eb402d43c37cd1e4bf73334a116368cc097ce4c81adf

Download Submit
C:\Program Files\Bandicam\bdcam.exe

Filesize
13.4MB

MD5
995a92cc9018419ee100c0f19f40fc7f

SHA1
6a6347ac627a9fd035945c4a22b30a6d089a070a

SHA256
a8c3439c80e27c0a9eea4c13dd0fc263476a9d39ac7b0d3278be62e6e14f9ec0

SHA512
47ecd16b5d7fa1fdaedaebc075d5f12a6fed150e5309139a2d3c0559a04ced202788d24f252e7b0a775682adf90444cb1ad8be643f145dc91ab47ede55c00935

Download Submit
C:\Program Files\Bandicam\bdcamvk32.dll

Filesize
1.5MB

MD5
9051ce47609c3670afedce797b9cc1c3

SHA1
6e7929058c8e011b1ac24e72f5c32570fb17b2b6

SHA256
07cfb828516e8ab690933df6012c97375b2825fa8784965eab2a4198b9b290da

SHA512
8f6712cbc68bdfb1c2b33a6231e33c57d476f20fe05299a22e95e6f47c4115a86efb750a97970aaec5132f99ff073aaa358fba63835fc1e3ef2cbce0a5009922

Download Submit
C:\Program Files\Bandicam\bdcamvk64.dll

Filesize
1.9MB

MD5
f488d01d37cdab9bbecf59632343f12f

SHA1
7d2914422378a17fa0551b71336a053e94d5a1c7

SHA256
7e3f8e9cb1c074af15384312568ff9b181cebcc452756d229adfd22fb163a1eb

SHA512
b605ba7aa17fe43a389061a77e21791845dccd55ca8a2e98cd38e0f730fe73560014de57f9069ae93906dd215c63b4f53b64b63849cdbdc13dce71052d7824b2

Download Submit
C:\Program Files\Bandicam\bdcap64.dll

Filesize
21.2MB

MD5
7214c7b4d2064db6827e2c3308a740de

SHA1
45bc92de40161252010dbde86a6637f34bcc46cb

SHA256
a7c59f782bc88f2fa39d7e7c8ec2fd2189325eb70c9e4b2dea1434cad1b768bc

SHA512
ef0ca3b5cdb5980586d886fa091efd67a51f031764628df01f3f7afb21c26484823bd86a6d29f2434b55fc766e101d80a1197d186404fe332fb1b4b0156700b6

Download Submit
C:\Program Files\Bandicam\data\language.dat

Filesize
97KB

MD5
1a2907234b069c1e52ad296bceb630f0

SHA1
202f189aa148ab080225c6fb351b5e664847f8ea

SHA256
789704bfc14da7326bb4756b7339026d8915914905e821d57a69804b11a27bf0

SHA512
27a8b36ccf0353cb0fc41d1b41f0c66cfe7c41e95a79918498051c1c70b08d9a76ca0c9ca3f5361bf12a5f26be919766a84831ed4171690ab545f68c88612c85

Download Submit
C:\Program Files\Bandicam\data\skin.dat

Filesize
886KB

MD5
2ebf0e7158b899a32ac072cc7d5f8d9b

SHA1
1b677c3e9fda3593f1fcbcc4b429800f06f3d5f7

SHA256
1814cfd6c5b79f65880fad7558a1cef35fd5f8f1f06f60e61945b58ab29f6ecd

SHA512
4b3fe1e6737296216e81b750ccac01a3ce77848fc7f6cb9344ea7ff6c352b988e8c8fe889ad7a850285e8b0fed90808aca12bfbcab206c4fdecb4b3b3f085e8d

Download Submit
C:\Program Files\Bandicam\lang\English.ini

Filesize
135KB

MD5
4eaf9f783fe06f5ed362cdcf735687af

SHA1
28a76602a253fc165c83a8026037bbb8d4594242

SHA256
a6b5b9dbfb7a51aa91cea093e05699b28b55c92878b04887c72d7a23cfcb07b3

SHA512
286db775c95c171cbd4adde118b7af7616530ffeb4d337069b323f73ae966e2de9a75934a1af80c7f103c954c838e8e56acf020c21f65aa789a77bb9fb1ff0e5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_49536AB5156BDD74EFF881D01C36A419

Filesize
471B

MD5
299868876d41f6e81bfdd0219ac691c7

SHA1
8348f369d6b61959f1246e46e6c8af2267904123

SHA256
865f91ecd933366ac960decb8e5e332d103f47c50eedf31101e63b6709462ce3

SHA512
3227aff461fccbdacfb9509a5319a0ab7da45c34ec2b1b3db2246a1da85df86df42137f86a6ff7925fdf63e36619d0b37d40b7a9b53afe75f6e57a0fb912b79d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_49536AB5156BDD74EFF881D01C36A419

Filesize
412B

MD5
1d1c869d85ae11559e4398e89f9dfc37

SHA1
55a5fe9e9fc086a0ab1eada0f20d7eb8d50c9f56

SHA256
c2be584720d733967489560e6e39268114df5b04f549716cea162da72a5b50a9

SHA512
91e28acbb91eb8e7966f016d96d57575009b135fbaa7aab5483e49b31c6b0ffbfec18ad533a08ac147557eddb917582743d3da3dc7ff478b83c380474daec0ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f53eb880cad5acef8c91684b1a94eed6

SHA1
afab2b1015fecbc986c1f4a8a6d27adff6f6fde9

SHA256
5cb8554e763313f3d46766ab868f9d481e3644bfc037f7b8fe43d75d87405a27

SHA512
d53f3965428f73c0dfed1d941a9ff06eb70b254732410b815bc759b8c7904e11292ad7e9624c12cccaed6763e7bea68208bc0b67fc70b7616d25bda143833794

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b0499f1feacbab5a863b23b1440161a5

SHA1
37a982ece8255b9e0baadb9c596112395caf9c12

SHA256
41799b5bbdb95da6a57ae553b90de65b80264ca65406f11eea46bcb87a5882a7

SHA512
4cf9a8547a1527b1df13905c2a206a6e24e706e0bc174550caeefabfc8c1c8a40030e8958680cd7d34e815873a7a173abe40c03780b1c4c2564382f1ceed9260

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
384B

MD5
8a416e4e7407956dc38ef2d8649af474

SHA1
4b7890b6c7f800615d0ae3473331d3a3871ceafb

SHA256
5fe6b45f72ec98753eccf894cbd3d20b8241c0831391e0af0c55499170beb40f

SHA512
ea183e8cc7d10c805cd6df728bf16956e5129faf1c998007e138b5b118ae21c1b1a3d4007d7da506276fe8b2d8ecc3cb56b5a32dc3715478d5b837ac7132ad1f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
6ff995b2299b4a8c41119e6c1535bb09

SHA1
f196ffb5c443e17327a37825fa28fc6897a99cb4

SHA256
0daea310e307973f9f5fb533a9af46946ffd65f962441f225823cae8dd6787f0

SHA512
b210f5beabe534e7c7a4a89c0f834fec7b835e024b3679bb32683a65e6f992c43a24b6b590e6efe539c15643599246214476a6313092f89b436015bf71780b62

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
50125b51ae62ddd1ee43bd61c79732bf

SHA1
8b4726579398801ef0f65171796476461e736bbc

SHA256
775f7b1bffc66148a71691e9e0a81629bc7d42348693de02a59f86e004787d64

SHA512
f014196d50b900f7912c4b39d97791e9f962cdeb7d7fc1f34debff2bc7ed9cc69d63259a83119fa2375dfc71adcad5358f4d4691858c7f81b62e14eff36cff8c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
8b125aa06bc8e09081a3275b966ebea2

SHA1
b4987d4a63a5c2714d411355577d6d4e0a82a23a

SHA256
85ea78f26f73bea84cb80f125bce57895f2d4050534aee471ad5dcbe15f00c1e

SHA512
3e4e03faf920bc5fe28df99aac906bf933eeff380fe29564f5871ae0492711533654a1e3b3a15f1aa6a19ea04ce751d8ff0d7a15682509366330af74d3632146

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
a3eeb0d2edd03f754367fe5457885635

SHA1
fbc2fa450ad16e3249d00a416e87b637331a158c

SHA256
951439aa5fc78efd1f29b563b66a52b8e13fda191494d1f50efad2d3aa0ba163

SHA512
82ee0f0fa3cfe021803e6c7e5c75ceb0582517abf8948df92fc4f240b682193a9b515efd71715063a1b2f4585d23c607c80b2dfd01e9ea652fceabd584f87410

Download Submit
C:\Users\Admin\AppData\Local\Temp\BDMPEG1SETUP.EXE

Filesize
1.4MB

MD5
461d135a4fccd51bbae38f742e123fd3

SHA1
c12a442fbcd4a9c44102f0a560ba03d59bc501ed

SHA256
4c441e7d744a2a273f780103bcf5bcb1e32c2d9c6a32b62f9044b32107544079

SHA512
41eb816bf0cc0ca12b5c6c07517cd718b8701255ea81e94ffc937f2538b8cdf5db24751cdbc22fefd6496b767fc0d631fea76216b0363f4b625557097b3caaee

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsb7CF5.tmp\System.dll

Filesize
11KB

MD5
959ea64598b9a3e494c00e8fa793be7e

SHA1
40f284a3b92c2f04b1038def79579d4b3d066ee0

SHA256
03cd57ab00236c753e7ddeee8ee1c10839ace7c426769982365531042e1f6f8b

SHA512
5e765e090f712beffce40c5264674f430b08719940d66e3a4d4a516fd4ade859f7853f614d9d6bbb602780de54e11110d66dbb0f9ca20ef6096ede531f9f6d64

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsqE1D5.tmp\Dialer.dll

Filesize
3KB

MD5
6e7e197ffa13cea15434b221b96b3202

SHA1
5fc93dca4a33d79d8601e888daa21a1d0e02eab3

SHA256
cb94aead070194af4d3b01f80ef85f227a70b5cfcfa305d26c3b42b8853ac6b4

SHA512
4d294929ba55e145027107aeef135d918f2d6ec4a7e3b9fc8fc028924019d1987c12202cf37e9adf18a70a02fb321de7f060c4977de874687fc8a4d924cfb19e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsqE1D5.tmp\InstallOptions.dll

Filesize
15KB

MD5
720304c57dcfa17751ed455b3bb9c10a

SHA1
59a1c3a746de10b8875229ff29006f1fd36b1e41

SHA256
6486029d3939231bd9f10457fd9a5ab2e44f30315af443197a3347df4e18c4e9

SHA512
c64c161290f5c21d642ecf16cc6ad3ee4a31bf5bab41c65c74907a5c158eaca429ef99cd8d2b55dc2ecb8478bb0b85c1576402389a07568f36c871b2772ead04

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsqE1D5.tmp\LangDLL.dll

Filesize
5KB

MD5
f1e9eed02db3a822a7ddef0c724e5f1f

SHA1
65864992f5b6c79c5efbefb5b1354648a8a86709

SHA256
6dff504c6759c418c6635c9b25b8c91d0d9ef7787a3a93610d7670bb563c09df

SHA512
c22b64fff76b25cf53231b8636f07b361d95791c4646787ce7beac27ad6a0de88337dcceb25b5196f97c452dda72e2614647f51a8a18cb4d5228a82ed2e0780c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsqE1D5.tmp\ShellExecAsUser.dll

Filesize
43KB

MD5
552cba3c6c9987e01be178e1ee22d36b

SHA1
4c0ab0127453b0b53aeb27e407859bccb229ea1b

SHA256
1f17e4d5ffe7b2c9a396ee9932ac5198f0c050241e5f9ccd3a56e576613d8a29

SHA512
9bcf47b62ca8ffa578751008cae523d279cdb1699fd916754491899c31ace99f18007ed0e2cbe9902abf132d516259b5fb283379d2fead37c76b19e2e835e95a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsqE1D5.tmp\System.dll

Filesize
11KB

MD5
17ed1c86bd67e78ade4712be48a7d2bd

SHA1
1cc9fe86d6d6030b4dae45ecddce5907991c01a0

SHA256
bd046e6497b304e4ea4ab102cab2b1f94ce09bde0eebba4c59942a732679e4eb

SHA512
0cbed521e7d6d1f85977b3f7d3ca7ac34e1b5495b69fd8c7bfa1a846baf53b0ecd06fe1ad02a3599082ffacaf8c71a3bb4e32dec05f8e24859d736b828092cd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsqE1D5.tmp\UserInfo.dll

Filesize
4KB

MD5
1b446b36f5b4022d50ffdc0cf567b24a

SHA1
d9a0a99fe5ea3932cbd2774af285ddf35fcdd4f9

SHA256
2862c7bc7f11715cebdea003564a0d70bf42b73451e2b672110e1392ec392922

SHA512
04ab80568f6da5eef2bae47056391a5de4ba6aff15cf4a2d0a9cc807816bf565161731921c65fe5ff748d2b86d1661f6aa4311c65992350bd63a9f092019f1b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsqE1D5.tmp\ioSpecial.ini

Filesize
1KB

MD5
e78ca9704d25f8c56df8369cc6c2a071

SHA1
cf286bf7a7134ea8e1704d54855d41e6f0e12beb

SHA256
dcb74a57f74f8eb1c3dedc18ab248309b60f1b551a8b8d3e1a9913a08ed3ba2a

SHA512
0aab4d2a71cc0ef29cbd2dd1ea351feaa99db5231cac0163d2d826dd5b9b4784b78d593ff11d3b5d6dae4e140800af78415e450b3e30137dc9dc4e188e22bb4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsqE1D5.tmp\ioSpecial.ini

Filesize
1KB

MD5
bfbd2151d94842168ecc6d2f5dca0358

SHA1
e57f8865401592d2758fdf276a4043e905267dcd

SHA256
0a614f51564588b9c95893174cd618e936a1f8e56b6c7ae07fff28ba93efd84c

SHA512
27790cc08ef482e14e3033f4c0d11cc53737f1122f90ba15ff0a766ef7869f4183b097d32d5756f68f9c8aa59469b57ab06aa8af4949e6f25cb6ac3f605861c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsqE1D5.tmp\ioSpecial.ini

Filesize
1KB

MD5
0475a65cfe471749c783a180bdd6fcb1

SHA1
c2cd16843314a6ace0dcfe0c1b817c21d2cbe206

SHA256
b9697c6224681ef586faa150066cb272327552f89ffa5c690805a98c185fab39

SHA512
79b5a69d6aa503ce603bc6cf86290547ff91a3518c0b712118560af946fa8690119424748234ef534b6e02c6640353fcea980e012b12c24435c49795c36bccf0

Download Submit
memory/1276-459-0x00007FF7863F0000-0x00007FF787159000-memory.dmp

Filesize
13.4MB

Download
memory/4224-236-0x00007FF7863F0000-0x00007FF787159000-memory.dmp

Filesize
13.4MB

Download
memory/4224-235-0x00007FF82D510000-0x00007FF82D512000-memory.dmp

Filesize
8KB

Download