URL:

https://programy.com.ua/ru/bandicam/download/

Full analysis: https://app.any.run/tasks/73e47c23-4222-4989-9f1c-8f9aa3c7711f
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: May 25, 2025, 11:29:32
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
loader
stealer
arch-scr
telegram
arch-html
obfuscated-js
Indicators:
MD5:

A90D31BCF2CD019445141D1C658360E8

SHA1:

AD92DA967DFCC07403D5258BD12E8040D8C93417

SHA256:

046F5C7DA4B6891F7A0FF468F7E181BD8B879CABC56058C4B52FC1AC95D75EEA

SSDEEP:

3:N8TKCRcLd2RKAKC2Gn:2VRcLQsTG

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Steals credentials from Web Browsers

      • seederexe.exe (PID: 4164)

    • Actions looks like stealing of personal data

      • lite_installer.exe (PID: 8340)
      • seederexe.exe (PID: 4164)

    • Executing a file with an untrusted certificate

      • BDMPEG1SETUP.EXE (PID: 924)

    • Registers / Runs the DLL via REGSVR32.EXE

      • BDMPEG1SETUP.EXE (PID: 924)

  • SUSPICIOUS

    • Potential Corporate Privacy Violation

      • install.exe (PID: 516)
      • lite_installer.exe (PID: 8340)

    • Reads security settings of Internet Explorer

      • install.exe (PID: 516)
      • lite_installer.exe (PID: 8340)

    • Executable content was dropped or overwritten

      • install.exe (PID: 516)
      • lite_installer.exe (PID: 8340)
      • Yandex.exe (PID: 6964)
      • ybD1B4.tmp (PID: 6872)
      • setup.exe (PID: 7624)
      • Bandicam.6.2.4.2083.tmp (PID: 5600)
      • Bandicam.6.2.4.2083.exe (PID: 2064)
      • browser.exe (PID: 9788)
      • BDMPEG1SETUP.EXE (PID: 924)

    • Process requests binary or script from the Internet

      • install.exe (PID: 516)
      • lite_installer.exe (PID: 8340)

    • Process drops legitimate windows executable

      • install.exe (PID: 516)
      • Bandicam.6.2.4.2083.tmp (PID: 5600)

    • Application launched itself

      • install.exe (PID: 516)
      • setup.exe (PID: 7624)
      • explorer.exe (PID: 8684)
      • browser.exe (PID: 2908)
      • browser.exe (PID: 9924)
      • browser.exe (PID: 6256)
      • browser.exe (PID: 2644)
      • browser.exe (PID: 8288)
      • browser.exe (PID: 9620)

    • Starts a Microsoft application from unusual location

      • YandexPackSetup.exe (PID: 8264)

    • Reads the Windows owner or organization settings

      • msiexec.exe (PID: 8292)

    • Reads Mozilla Firefox installation path

      • seederexe.exe (PID: 4164)

    • Starts itself from another location

      • Yandex.exe (PID: 6964)
      • setup.exe (PID: 7624)

    • Starts application with an unusual extension

      • {2DDF4C96-05FF-438C-BEC4-0DEA7A51D57A}.exe (PID: 8560)

    • The process drops C-runtime libraries

      • Bandicam.6.2.4.2083.tmp (PID: 5600)

    • Uses NETSH.EXE to add a firewall rule or allowed programs

      • Bandicam.6.2.4.2083.tmp (PID: 5600)

    • Malware-specific behavior (creating "System.dll" in Temp)

      • BDMPEG1SETUP.EXE (PID: 924)

    • Uses TASKKILL.EXE to kill process

      • Bandicam.6.2.4.2083.tmp (PID: 5600)

    • Uses RUNDLL32.EXE to load library

      • bdcam.exe (PID: 4728)

  • INFO

    • Application launched itself

      • firefox.exe (PID: 7368)
      • firefox.exe (PID: 7388)
      • msedge.exe (PID: 856)
      • msedge.exe (PID: 2552)

    • The sample compiled with russian language support

      • firefox.exe (PID: 7388)
      • msiexec.exe (PID: 8300)
      • setup.exe (PID: 7624)
      • Bandicam.6.2.4.2083.tmp (PID: 5600)

    • Checks proxy server information

      • install.exe (PID: 516)
      • lite_installer.exe (PID: 8340)

    • Creates files or folders in the user directory

      • install.exe (PID: 516)
      • msiexec.exe (PID: 8300)
      • msiexec.exe (PID: 8292)
      • seederexe.exe (PID: 4164)
      • lite_installer.exe (PID: 8340)

    • Reads the computer name

      • install.exe (PID: 516)
      • YandexPackSetup.exe (PID: 8264)
      • msiexec.exe (PID: 8292)
      • msiexec.exe (PID: 8300)
      • lite_installer.exe (PID: 8340)
      • install.exe (PID: 7856)
      • seederexe.exe (PID: 4164)

    • Create files in a temporary directory

      • install.exe (PID: 516)
      • install.exe (PID: 7856)
      • YandexPackSetup.exe (PID: 8264)
      • msiexec.exe (PID: 8300)
      • seederexe.exe (PID: 4164)
      • lite_installer.exe (PID: 8340)

    • Checks supported languages

      • install.exe (PID: 516)
      • YandexPackSetup.exe (PID: 8264)
      • msiexec.exe (PID: 8292)
      • msiexec.exe (PID: 8300)
      • install.exe (PID: 7856)
      • lite_installer.exe (PID: 8340)
      • seederexe.exe (PID: 4164)

    • Executable content was dropped or overwritten

      • firefox.exe (PID: 7388)
      • msiexec.exe (PID: 8292)
      • msiexec.exe (PID: 8300)
      • WinRAR.exe (PID: 7196)
      • msedge.exe (PID: 8596)

    • Reads the machine GUID from the registry

      • install.exe (PID: 516)
      • msiexec.exe (PID: 8292)
      • seederexe.exe (PID: 4164)

    • The sample compiled with english language support

      • install.exe (PID: 516)
      • lite_installer.exe (PID: 8340)
      • setup.exe (PID: 7624)
      • ybD1B4.tmp (PID: 6872)
      • browser.exe (PID: 9788)
      • Bandicam.6.2.4.2083.tmp (PID: 5600)
      • msedge.exe (PID: 8596)
      • BDMPEG1SETUP.EXE (PID: 924)

    • Reads the software policy settings

      • install.exe (PID: 516)
      • msiexec.exe (PID: 8292)
      • slui.exe (PID: 2152)

    • Process checks computer location settings

      • install.exe (PID: 516)
      • msiexec.exe (PID: 8300)

    • Manual execution by a user

      • {2DDF4C96-05FF-438C-BEC4-0DEA7A51D57A}.exe (PID: 8560)
      • YandexWorking.exe (PID: 736)
      • browser.exe (PID: 2908)
      • WinRAR.exe (PID: 7196)
      • Bandicam.6.2.4.2083.exe (PID: 920)
      • Bandicam.6.2.4.2083.exe (PID: 2064)
      • browser.exe (PID: 6256)

    • Attempting to use instant messaging service

      • firefox.exe (PID: 7388)

    • The sample compiled with korean language support

      • Bandicam.6.2.4.2083.tmp (PID: 5600)
      • BDMPEG1SETUP.EXE (PID: 924)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
309
Monitored processes
166
Malicious processes
8
Suspicious processes
2

Behavior graph

Click at the process to see the details
start firefox.exe no specs firefox.exe firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs sppextcomobj.exe no specs slui.exe firefox.exe no specs firefox.exe no specs firefox.exe no specs install.exe yandexpacksetup.exe no specs install.exe msiexec.exe msiexec.exe lite_installer.exe seederexe.exe slui.exe yandex.exe explorer.exe no specs {2ddf4c96-05ff-438c-bec4-0dea7a51d57a}.exe sender.exe firefox.exe no specs ybd1b4.tmp firefox.exe no specs setup.exe setup.exe no specs yandexworking.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs explorer.exe no specs explorer.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs identity_helper.exe no specs msedge.exe no specs identity_helper.exe no specs msedge.exe no specs clidmgr.exe no specs conhost.exe no specs clidmgr.exe no specs conhost.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs browser.exe browser.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs browser.exe no specs browser.exe no specs browser.exe no specs browser.exe no specs browser.exe browser.exe no specs browser.exe no specs browser.exe no specs browser.exe no specs browser.exe no specs browser.exe no specs browser.exe identity_helper.exe no specs browser.exe no specs identity_helper.exe no specs msedge.exe no specs browser.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs browser.exe no specs browser.exe no specs browser.exe no specs browser.exe no specs browser.exe no specs browser.exe no specs browser.exe no specs browser.exe no specs browser.exe no specs browser.exe no specs browser.exe no specs browser.exe no specs browser.exe no specs browser.exe no specs browser.exe no specs browser.exe no specs browser.exe no specs browser.exe no specs browser.exe no specs browser.exe no specs browser.exe no specs browser.exe no specs browser.exe no specs browser.exe no specs browser.exe no specs browser.exe no specs browser.exe browser.exe no specs browser.exe no specs browser.exe no specs browser.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs browser.exe no specs browser.exe no specs browser.exe no specs browser.exe no specs msedge.exe no specs winrar.exe msedge.exe no specs bandicam.6.2.4.2083.exe no specs bandicam.6.2.4.2083.exe bandicam.6.2.4.2083.tmp msedge.exe netsh.exe no specs conhost.exe no specs netsh.exe no specs conhost.exe no specs msedge.exe no specs msedge.exe no specs bdmpeg1setup.exe regsvr32.exe no specs regsvr32.exe no specs bdcam.exe no specs rundll32.exe no specs rundll32.exe no specs bdcam.exe no specs taskkill.exe no specs conhost.exe no specs bdcam.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs svchost.exe

Process information

PID
CMD
Path
Indicators
Parent process
516"C:\Users\admin\Downloads\install.exe" C:\Users\admin\Downloads\install.exe
firefox.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Setup Downloader
Exit code:
0
Version:
0.1.0.33
Modules
Images
c:\users\admin\downloads\install.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
684C:\Users\admin\AppData\Local\Temp\65A2B181-BA97-41E4-8E07-0B8EB9BBFAAC\sender.exe --send "/status.xml?clid=9183476-846&uuid=b706b4a6-df34-4bc2-bed2-591438172371&vnt=Windows 10x64&file-no=8%0A10%0A12%0A15%0A17%0A18%0A20%0A21%0A22%0A25%0A36%0A40%0A42%0A45%0A58%0A59%0A89%0A102%0A103%0A111%0A123%0A124%0A125%0A129%0A"C:\Users\admin\AppData\Local\Temp\65A2B181-BA97-41E4-8E07-0B8EB9BBFAAC\sender.exe
seederexe.exe
User:
admin
Company:
Yandex
Integrity Level:
MEDIUM
Description:
Yandex Statistics
Exit code:
0
Version:
0.0.2.14
Modules
Images
c:\users\admin\appdata\local\temp\65a2b181-ba97-41e4-8e07-0b8eb9bbfaac\sender.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
736"C:\Users\admin\AppData\Local\Yandex\YaPin\YandexWorking.exe" C:\Users\admin\AppData\Local\Yandex\YaPin\YandexWorking.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
YandexPin
Exit code:
0
Version:
3.7.9.0
Modules
Images
c:\users\admin\appdata\local\yandex\yapin\yandexworking.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\shell32.dll
744"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=6944 --field-trial-handle=2428,i,15284785325674720445,8490661159981073830,262144 --variations-seed-version /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
856"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.ya.ru/?win=699&clid=9183494-846&from=dist_pinC:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
YandexWorking.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
920"C:\Users\admin\Desktop\Bandicam.6.2.4.2083.exe" C:\Users\admin\Desktop\Bandicam.6.2.4.2083.exeexplorer.exe
User:
admin
Company:
Bandicam Company
Integrity Level:
MEDIUM
Description:
Bandicam Setup
Exit code:
3221226540
Version:
6.2.4.2083
Modules
Images
c:\users\admin\desktop\bandicam.6.2.4.2083.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
924"C:\Users\admin\AppData\Local\Temp\BDMPEG1SETUP.EXE" /SC:\Users\admin\AppData\Local\Temp\BDMPEG1SETUP.EXE
Bandicam.6.2.4.2083.tmp
User:
admin
Company:
Bandicam Company
Integrity Level:
HIGH
Description:
Bandicam MPEG-1 Decoder Setup File
Exit code:
0
Version:
V1.0.5.17
Modules
Images
c:\users\admin\appdata\local\temp\bdmpeg1setup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\acgenral.dll
1348"C:\WINDOWS\SysWOW64\rundll32.exe" "C:\Program Files (x86)\Bandicam\bdcamvk32.dll",RegDllC:\Windows\SysWOW64\rundll32.exebdcam.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
1388"C:\Users\admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=ru --service-sandbox-type=service --user-id=b706b4a6-df34-4bc2-bed2-591438172371 --brand-id=yandex --partner-id=pseudoportal-ru --process-name="Data Decoder Service" --field-trial-handle=2396,i,8245829153219859101,36429025841887898,262144 --variations-seed-version --mojo-platform-channel-handle=7224 --brver=25.4.1.1055 /prefetch:8C:\Users\admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exebrowser.exe
User:
admin
Company:
YANDEX LLC
Integrity Level:
LOW
Description:
Yandex with voice assistant Alice
Exit code:
0
Version:
25.4.1.1055
Modules
Images
c:\users\admin\appdata\local\yandex\yandexbrowser\application\browser.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\users\admin\appdata\local\yandex\yandexbrowser\application\25.4.1.1055\browser_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\winmm.dll
c:\windows\system32\advapi32.dll
1804"C:\Users\admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=ru --service-sandbox-type=audio --user-id=b706b4a6-df34-4bc2-bed2-591438172371 --brand-id=yandex --partner-id=pseudoportal-ru --process-name="Audio Service" --field-trial-handle=2396,i,8245829153219859101,36429025841887898,262144 --variations-seed-version --mojo-platform-channel-handle=3480 --brver=25.4.1.1055 /prefetch:8C:\Users\admin\AppData\Local\Yandex\YandexBrowser\Application\browser.exebrowser.exe
User:
admin
Company:
YANDEX LLC
Integrity Level:
LOW
Description:
Yandex with voice assistant Alice
Exit code:
0
Version:
25.4.1.1055
Modules
Images
c:\users\admin\appdata\local\yandex\yandexbrowser\application\browser.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\users\admin\appdata\local\yandex\yandexbrowser\application\25.4.1.1055\browser_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\winmm.dll
Total events
70 578
Read events
69 435
Write events
1 055
Delete events
88

Modification events

(PID) Process:(7388) firefox.exeKey:HKEY_CURRENT_USER\SOFTWARE\Mozilla\Firefox\DllPrefetchExperiment
Operation:writeName:C:\Program Files\Mozilla Firefox\firefox.exe
Value:
0
(PID) Process:(516) install.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(516) install.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(516) install.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
(PID) Process:(8292) msiexec.exeKey:HKEY_USERS\S-1-5-21-1693682860-607145093-2874071422-1001\SOFTWARE\Microsoft\RestartManager\Session0000
Operation:writeName:Owner
Value:
642000007A8CEB7268CDDB01
(PID) Process:(8292) msiexec.exeKey:HKEY_USERS\S-1-5-21-1693682860-607145093-2874071422-1001\SOFTWARE\Microsoft\RestartManager\Session0000
Operation:writeName:SessionHash
Value:
A59A93C462D8C5CF2B31AAE741C5141EAF4A2F6228E13D00D3CED2DBDFA66839
(PID) Process:(8292) msiexec.exeKey:HKEY_USERS\S-1-5-21-1693682860-607145093-2874071422-1001\SOFTWARE\Microsoft\RestartManager\Session0000
Operation:writeName:Sequence
Value:
1
(PID) Process:(4164) seederexe.exeKey:HKEY_CURRENT_USER\SOFTWARE\AppDataLow\Yandex
Operation:writeName:UICreated_admin
Value:
1
(PID) Process:(8292) msiexec.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders
Operation:writeName:C:\Config.Msi\
Value:
(PID) Process:(8292) msiexec.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts
Operation:writeName:C:\Config.Msi\11b99b.rbs
Value:
31182184
Executable files
131
Suspicious files
1 173
Text files
499
Unknown types
3

Dropped files

PID
Process
Filename
Type
7388firefox.exeC:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\9kie7cg6.default-release\startupCache\scriptCache-current.bin
MD5:
SHA256:
7388firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\sessionCheckpoints.jsonbinary
MD5:EA8B62857DFDBD3D0BE7D7E4A954EC9A
SHA256:792955295AE9C382986222C6731C5870BD0E921E7F7E34CC4615F5CD67F225DA
7388firefox.exeC:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\9kie7cg6.default-release\startupCache\scriptCache-child-current.binbinary
MD5:C95DDC2B1A525D1A243E4C294DA2F326
SHA256:3A5919E086BFB31E36110CF636D2D5109EB51F2C410B107F126126AB25D67363
7388firefox.exeC:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\9kie7cg6.default-release\startupCache\urlCache-current.binbinary
MD5:297E88D7CEB26E549254EC875649F4EB
SHA256:8B75D4FB1845BAA06122888D11F6B65E6A36B140C54A72CC13DF390FD7C95702
7388firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite-shmbinary
MD5:B7C14EC6110FA820CA6B65F5AEC85911
SHA256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
7388firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmbinary
MD5:B7C14EC6110FA820CA6B65F5AEC85911
SHA256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
7388firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\cookies.sqlite-shmbinary
MD5:B7C14EC6110FA820CA6B65F5AEC85911
SHA256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
7388firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite-shmbinary
MD5:B7C14EC6110FA820CA6B65F5AEC85911
SHA256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
7388firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\sessionCheckpoints.json.tmpbinary
MD5:EA8B62857DFDBD3D0BE7D7E4A954EC9A
SHA256:792955295AE9C382986222C6731C5870BD0E921E7F7E34CC4615F5CD67F225DA
7388firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
117
TCP/UDP connections
329
DNS requests
380
Threats
12

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5496
MoUsoCoreWorker.exe
GET
304
2.16.168.114:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
GET
200
2.16.168.114:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
GET
200
23.219.150.101:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
5496
MoUsoCoreWorker.exe
GET
200
23.219.150.101:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
7388
firefox.exe
GET
200
34.107.221.82:80
http://detectportal.firefox.com/success.txt?ipv4
unknown
whitelisted
7388
firefox.exe
GET
200
34.107.221.82:80
http://detectportal.firefox.com/canonical.html
unknown
whitelisted
7388
firefox.exe
POST
200
2.16.168.113:80
http://r11.o.lencr.org/
unknown
whitelisted
7388
firefox.exe
POST
2.16.168.113:80
http://r11.o.lencr.org/
unknown
whitelisted
7388
firefox.exe
POST
200
2.16.168.113:80
http://r11.o.lencr.org/
unknown
whitelisted
7388
firefox.exe
POST
200
142.250.186.99:80
http://o.pki.goog/s/wr3/FIY
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted
2.16.168.114:80
crl.microsoft.com
Akamai International B.V.
RU
whitelisted
4
System
192.168.100.255:138
whitelisted
5496
MoUsoCoreWorker.exe
2.16.168.114:80
crl.microsoft.com
Akamai International B.V.
RU
whitelisted
23.219.150.101:80
www.microsoft.com
AKAMAI-AS
CL
whitelisted
5496
MoUsoCoreWorker.exe
23.219.150.101:80
www.microsoft.com
AKAMAI-AS
CL
whitelisted
7388
firefox.exe
34.107.221.82:80
detectportal.firefox.com
GOOGLE
US
whitelisted
7388
firefox.exe
45.95.180.166:443
programy.com.ua
Hostinger International Limited
DE
unknown
7388
firefox.exe
34.36.137.203:443
contile.services.mozilla.com
GOOGLE-CLOUD-PLATFORM
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
  • 40.127.240.158
whitelisted
crl.microsoft.com
  • 2.16.168.114
  • 2.16.168.124
whitelisted
www.microsoft.com
  • 23.219.150.101
  • 2.16.253.202
whitelisted
google.com
  • 142.250.185.78
whitelisted
programy.com.ua
  • 45.95.180.166
  • 2a02:4780:8:1353:0:75a:1ef6:4
unknown
detectportal.firefox.com
  • 34.107.221.82
whitelisted
prod.detectportal.prod.cloudops.mozgcp.net
  • 34.107.221.82
  • 2600:1901:0:38d7::
whitelisted
contile.services.mozilla.com
  • 34.36.137.203
whitelisted
spocs.getpocket.com
  • 34.36.137.203
whitelisted
content-signature-2.cdn.mozilla.net
  • 34.160.144.191
whitelisted

Threats

PID
Process
Class
Message
2196
svchost.exe
Not Suspicious Traffic
INFO [ANY.RUN] jQuery JavaScript Library Code Loaded (code .jquery .com)
2196
svchost.exe
Not Suspicious Traffic
INFO [ANY.RUN] Google Tag Manager analytics (googletagmanager .com)
2196
svchost.exe
Not Suspicious Traffic
INFO [ANY.RUN] jQuery JavaScript Library Code Loaded (code .jquery .com)
2196
svchost.exe
Not Suspicious Traffic
INFO [ANY.RUN] jQuery JavaScript Library Code Loaded (code .jquery .com)
2196
svchost.exe
Not Suspicious Traffic
INFO [ANY.RUN] Google Tag Manager analytics (googletagmanager .com)
2196
svchost.exe
Not Suspicious Traffic
INFO [ANY.RUN] Google Tag Manager analytics (googletagmanager .com)
516
install.exe
Potential Corporate Privacy Violation
ET INFO PE EXE or DLL Windows file download HTTP
516
install.exe
Misc activity
ET INFO Packed Executable Download
8340
lite_installer.exe
Potential Corporate Privacy Violation
ET INFO PE EXE or DLL Windows file download HTTP
8340
lite_installer.exe
Misc activity
ET INFO EXE - Served Attached HTTP
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
https://programy.com.ua/ru/bandicam/download/