Automated Malware Analysis Management Report for Recorder_System_v1.10.0048.exe

Overview

General Information

Sample name:	Recorder_System_v1.10.0048.exe
Analysis ID:	1432274
MD5:	a9042018e74f1fc91ebfc730a295c9b4
SHA1:	f8c642249bad0286b7d61867c1bb633a6c991608
SHA256:	5ffe4b15c63ad89d31c155585fae5a7a95cdd77b2300329b5c5a1a400b087541
Infos:

Detection

Score:	36
Range:	0 - 100
Whitelisted:	false
Confidence:	20%

Signatures

Antivirus detection for URL or domain

Allocates memory in foreign processes

Found direct / indirect Syscall (likely to bypass EDR)

Initial sample is a PE file and has a suspicious name

Loading BitLocker PowerShell Module

Queries sensitive service information (via WMI, MSSMBios_RawSMBiosTables, often done to detect sandboxes)

Writes to foreign memory regions

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates driver files

Creates files inside the system directory

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

PE file contains executable resources (Code or Archives)

PE file contains more sections than normal

PE file contains sections with non-standard names

Queries disk information (often used to detect virtual machines)

Queries keyboard layouts

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Stores files to the Windows start menu directory

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Signatures

AV Detection

Antivirus detection for URL or domain

Source: http://pesterbdd.com/images/Pester.png

URL Reputation: Label: malware

Uses 32bit PE files

Source: Recorder_System_v1.10.0048.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Window detected: License AgreementPlease read the following important information before continuing.Please read the following License Agreement. You must accept the terms of this agreement before continuing with the installation.Kiloview End User License Agreement of Kiloview NDI RecorderThis Kiloview End User License Agreement of Kiloview NDI Recorder (here after called "EULA" or "the license agreement") is made available by Changsha KILOVIEW Electronics CO. LTD. (here after called "Kiloview"). If you are the direct user of Kiloview NDI Recorder please read this EULA carefully before you use them as it governs your use of the Software.You shall also be aware that the Software and all copyrights patents trademarks trade secrets and other intellectual property rights associated therewith are and shall remain the property of Kiloview. Furthermore the User acknowledges and agrees that the source and object code of the Software and the format directories queries algorithms structure and organization of the Software are the intellectual property and proprietary and confidential information of Kiloview and its affiliates licensors and suppliers. Nothing in this EULA shall give to the User or any other person any right to access or use the Source Code or constitute any license of the Source Code. Except as expressly stated in this License the User is not granted any intellectual property rights in or to the Software by implication estoppel or other legal theory and all rights in and to the Software not expressly granted in this License are hereby reserved and retained by Kiloview.In the course of building and using the Software you may provide Kiloview with such personal data like first name last name email address company name etc. The information will be used to contact or identify you and to smooth your registration by sending verification code and provide or offer software updates and instructions. We will not send you advertising information nor will we disclose your personal data.Personal Data is or may be used for the following purposes: (a) to provide and improve the Software Content Services and other features and content offered by Kiloview (b) to administer the use of the Software (c) to fulfill requests the User may make (d) to and (e) to provide the User with further information and offers from Kiloview that we believe you may find useful or interesting including newsletters marketing or promotional materials and other information on services and products offered by Kiloview.Definitions"Software" refers to a NDI Recorder designed and developed by Kiloview for all NDI sources.Grant of LicenseUpon your use and purchase of Kiloview NDI Recorder you are granted to use the software under the terms of this EULA.Restrictions on Use1. You shall use the Software strictly in accordance to the terms herein and during or after the term you shall not: a) modify sell transfer resell for profits distribute or create derivative work based on the Software or any part
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Window detected: License AgreementPlease read the following important information before continuing.Please read the following License Agreement. You must accept the terms of this agreement before continuing with the installation.Kiloview End User License Agreement of Kiloview NDI RecorderThis Kiloview End User License Agreement of Kiloview NDI Recorder (here after called "EULA" or "the license agreement") is made available by Changsha KILOVIEW Electronics CO. LTD. (here after called "Kiloview"). If you are the direct user of Kiloview NDI Recorder please read this EULA carefully before you use them as it governs your use of the Software.You shall also be aware that the Software and all copyrights patents trademarks trade secrets and other intellectual property rights associated therewith are and shall remain the property of Kiloview. Furthermore the User acknowledges and agrees that the source and object code of the Software and the format directories queries algorithms structure and organization of the Software are the intellectual property and proprietary and confidential information of Kiloview and its affiliates licensors and suppliers. Nothing in this EULA shall give to the User or any other person any right to access or use the Source Code or constitute any license of the Source Code. Except as expressly stated in this License the User is not granted any intellectual property rights in or to the Software by implication estoppel or other legal theory and all rights in and to the Software not expressly granted in this License are hereby reserved and retained by Kiloview.In the course of building and using the Software you may provide Kiloview with such personal data like first name last name email address company name etc. The information will be used to contact or identify you and to smooth your registration by sending verification code and provide or offer software updates and instructions. We will not send you advertising information nor will we disclose your personal data.Personal Data is or may be used for the following purposes: (a) to provide and improve the Software Content Services and other features and content offered by Kiloview (b) to administer the use of the Software (c) to fulfill requests the User may make (d) to and (e) to provide the User with further information and offers from Kiloview that we believe you may find useful or interesting including newsletters marketing or promotional materials and other information on services and products offered by Kiloview.Definitions"Software" refers to a NDI Recorder designed and developed by Kiloview for all NDI sources.Grant of LicenseUpon your use and purchase of Kiloview NDI Recorder you are granted to use the software under the terms of this EULA.Restrictions on Use1. You shall use the Software strictly in accordance to the terms herein and during or after the term you shall not: a) modify sell transfer resell for profits distribute or create derivative work based on the Software or any part

Source: Recorder_System_v1.10.0048.exe

Static PE information: certificate valid

Source: unknown	HTTPS traffic detected: 40.68.123.157:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.68.123.157:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 173.222.162.32:443 -> 192.168.2.4:49742 version: TLS 1.2

Source: Recorder_System_v1.10.0048.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\qt\work\qt\qtvirtualkeyboard\plugins\virtualkeyboard\qtvirtualkeyboard_hangul.pdb source: Recorder_System_v1.10.0048.tmp, 00000001.00000003.2712606285.00000000063B0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtvirtualkeyboard\plugins\virtualkeyboard\qtvirtualkeyboard_pinyin.pdb source: Recorder_System_v1.10.0048.tmp, 00000001.00000003.2712606285.00000000063B0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtvirtualkeyboard\plugins\virtualkeyboard\qtvirtualkeyboard_openwnn.pdb<< source: Recorder_System_v1.10.0048.tmp, 00000001.00000003.2712606285.00000000063B0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtvirtualkeyboard\plugins\virtualkeyboard\qtvirtualkeyboard_thai.pdb source: Recorder_System_v1.10.0048.tmp, 00000001.00000003.2712606285.00000000063B0000.00000004.00001000.00020000.00000000.sdmp, Recorder_System_v1.10.0048.tmp, 00000001.00000002.2747259737.000000000018C000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtvirtualkeyboard\plugins\virtualkeyboard\qtvirtualkeyboard_tcime.pdb source: Recorder_System_v1.10.0048.tmp, 00000001.00000003.2712606285.00000000063B0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtvirtualkeyboard\plugins\virtualkeyboard\qtvirtualkeyboard_pinyin.pdb11 source: Recorder_System_v1.10.0048.tmp, 00000001.00000003.2712606285.00000000063B0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtvirtualkeyboard\plugins\virtualkeyboard\qtvirtualkeyboard_openwnn.pdb source: Recorder_System_v1.10.0048.tmp, 00000001.00000003.2712606285.00000000063B0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\Users\qt\work\qt\qtvirtualkeyboard\plugins\virtualkeyboard\qtvirtualkeyboard_tcime.pdb&& source: Recorder_System_v1.10.0048.tmp, 00000001.00000003.2712606285.00000000063B0000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	File opened: C:\Program Files (x86)\Recorder System\QtQuick	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	File opened: C:\Program Files (x86)\Recorder System\QtQuick\Controls\Styles\Base	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	File opened: C:\Program Files (x86)\Recorder System\QtQuick\Controls\Styles\Base\ButtonStyle.qmlc	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	File opened: C:\Program Files (x86)\Recorder System\QtQuick\Controls	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	File opened: C:\Program Files (x86)\Recorder System\QtQuick\Controls\Styles	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	File opened: C:\Program Files (x86)\Recorder System	Jump to behavior

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4

Uses a known web browser user agent for HTTP communication

Source: global traffic

HTTP traffic detected: POST /threshold/xls.aspx HTTP/1.1Origin: https://www.bing.comReferer: https://www.bing.com/AS/API/WindowsCortanaPane/V2/InitAccept: */*Accept-Language: en-CHContent-type: text/xmlX-Agent-DeviceId: 01000A4109000CC6X-BM-CBT: 1696420817X-BM-DateFormat: dd/MM/yyyyX-BM-DeviceDimensions: 784x984X-BM-DeviceDimensionsLogical: 784x984X-BM-DeviceScale: 100X-BM-DTZ: 60X-BM-Market: CHX-BM-Theme: 000000;0078d7X-BM-WindowsFlights: FX:117B9872,FX:119E26AD,FX:11C0E96C,FX:11C6E5C2,FX:11C7EB6A,FX:11C9408A,FX:11C940DB,FX:11CB9A9F,FX:11CB9AC1,FX:11CC111C,FX:11D5BFCD,FX:11DF5B12,FX:11DF5B75,FX:1240931B,FX:124B38D0,FX:127FC878,FX:1283FFE8,FX:12840617,FX:128979F9,FX:128EBD7E,FX:129135BB,FX:129E053F,FX:12A74DB5,FX:12AB734D,FX:12B8450E,FX:12BD6E73,FX:12C3331B,FX:12C7D66EX-Device-ClientSession: 0912CF9094994CFA88DE52C6FB19D4E1X-Device-isOptin: falseX-Device-MachineId: {92C86F7C-DB2B-4F6A-95AD-98B4A2AE008A}X-Device-OSSKU: 48X-Device-Touch: falseX-DeviceID: 01000A4109000CC6X-MSEdge-ExternalExp: bfbwsbrs0830tf,d-thshldspcl40,msbdsborgv2co,msbwdsbi920t1,spofglclicksh-c2,webtophit0r_t,wsbmsaqfuxtc,wsbqfasmsall_t,wsbqfminiserp400,wsbref-tX-MSEdge-ExternalExpType: JointCoordX-PositionerType: DesktopX-Search-AppId: Microsoft.Windows.Cortana_cw5n1h2txyewy!CortanaUIX-Search-CortanaAvailableCapabilities: NoneX-Search-SafeSearch: ModerateX-Search-TimeZone: Bias=0; DaylightBias=-60; TimeZoneKeyName=GMT Standard TimeX-UserAgeClass: UnknownAccept-Encoding: gzip, deflate, brUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Cortana 1.14.7.19041; 10.0.0.0.19045.2006) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19045Host: www.bing.comContent-Length: 2237Connection: Keep-AliveCache-Control: no-cacheCookie: MUID=6666694284484FA1B35CCB433D42E997; _SS=SID=193A581F83766B4319784BBF829B6A16&CPID=1696420820117&AC=1&CPH=e5c79613&CBV=39942242; _EDGE_S=SID=193A581F83766B4319784BBF829B6A16; SRCHUID=V=2&GUID=BA43D82178364AEA9C1EE6C32BE93416&dmnchg=1; SRCHD=AF=NOFORM; SRCHUSR=DOB=20231003; SRCHHPGUSR=SRCHLANG=en&LUT=1696420817741&IPMH=425591ef&IPMID=1696420817913&HV=1696417346; ANON=A=6D8F9DF00282E660E425530EFFFFFFFF; CortanaAppUID=4C9C2B2D0465FD7A42C74C7E93CFB630; MUIDB=6666694284484FA1B35CCB433D42E997

Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 23.56.6.162
Source: unknown	TCP traffic detected without corresponding DNS query: 23.56.6.162
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 172.64.149.23
Source: unknown	TCP traffic detected without corresponding DNS query: 172.64.149.23
Source: unknown	TCP traffic detected without corresponding DNS query: 104.18.38.233
Source: unknown	TCP traffic detected without corresponding DNS query: 104.18.38.233
Source: unknown	TCP traffic detected without corresponding DNS query: 172.64.149.23
Source: unknown	TCP traffic detected without corresponding DNS query: 172.64.149.23
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 23.55.103.43
Source: unknown	TCP traffic detected without corresponding DNS query: 23.55.103.43
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32

Source: global traffic	HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=65Oa4kKcCE2B2pL&MD=WhAthezU HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=65Oa4kKcCE2B2pL&MD=WhAthezU HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com

Source: unknown

Source: Recorder System.exe, 00000008.00000003.3306859801.00000201271A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1
Source: Recorder System.exe, 00000008.00000003.3116261135.00000201271A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:65534
Source: Recorder System.exe, 00000008.00000003.3306859801.00000201271A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:65534/
Source: Recorder System.exe, 00000008.00000003.3306859801.00000201271A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:65534/2
Source: Recorder System.exe, 00000008.00000003.3306859801.00000201271A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:65534/=1
Source: Recorder System.exe, 00000008.00000003.3306859801.00000201271A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:65534/K
Source: Recorder System.exe, 00000008.00000003.3352744268.0000020128200000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:65534/api/auth/get.json
Source: Recorder System.exe, 00000008.00000003.3236601604.00000201274F2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:65534/api/ntp/diff.json
Source: Recorder System.exe, 00000008.00000003.3236601604.00000201274F2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:65534/api/ntp/diff.json8
Source: Recorder System.exe, 00000008.00000003.3174345836.00000201273BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:65534/api/ntp/diff.jsonH
Source: Recorder System.exe, 00000008.00000003.3174345836.00000201273BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:65534/api/ntp/diff.jsonKq&
Source: Recorder System.exe, 00000008.00000003.3174345836.00000201273BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:65534/api/ntp/get.json
Source: Recorder System.exe, 00000008.00000003.3174345836.00000201273BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:65534/api/ntp/get.json1
Source: Recorder System.exe, 00000008.00000003.3174345836.00000201273BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:65534/api/ntp/get.json:65534/
Source: Recorder System.exe, 00000008.00000003.3174345836.00000201273BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:65534/api/ntp/get.jsonL
Source: Recorder System.exe, 00000008.00000003.3174345836.00000201273BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:65534/api/ntp/get.jsonl
Source: Recorder System.exe, 00000008.00000003.3236601604.00000201274F2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:65534/api/output/get.json?project_id=1
Source: Recorder System.exe, 00000008.00000003.3306859801.00000201271A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:65534/api/output/get.json?project_id=1E
Source: Recorder System.exe, 00000008.00000003.3306859801.00000201271A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:65534/api/output/get.json?project_id=1KX
Source: Recorder System.exe, 00000008.00000003.3306859801.00000201271A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:65534/api/output/get.json?project_id=1~
Source: Recorder System.exe, 00000008.00000003.3116261135.00000201271A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:65534/api/performance/getSys.json
Source: Recorder System.exe, 00000008.00000003.3116261135.00000201271A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:65534/api/performance/getSys.json%
Source: Recorder System.exe, 00000008.00000003.3306859801.00000201271A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:65534/api/performance/getSys.json.1:65534/u
Source: Recorder System.exe, 00000008.00000003.3306859801.00000201271A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:65534/api/performance/getSys.jsonid=1
Source: Recorder System.exe, 00000008.00000003.3306859801.00000201271A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:65534/api/performance/getSys.jsonnP
Source: Recorder System.exe, 00000008.00000003.3174345836.00000201273BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:65534/api/project/getList.json
Source: Recorder System.exe, 00000008.00000003.3306859801.00000201271A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:65534/api/record/get.json?project_id=1
Source: Recorder System.exe, 00000008.00000003.3306859801.00000201271A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:65534/api/record/get.json?project_id=1_
Source: Recorder System.exe, 00000008.00000003.3306859801.00000201271A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:65534/api/record/get.json?project_id=1er
Source: Recorder System.exe, 00000008.00000003.3306859801.00000201271A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:65534/api/record/get.json?project_id=1s
Source: Recorder System.exe, 00000008.00000003.3116261135.00000201271A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:65534/api/source/get.json
Source: Recorder System.exe, 00000008.00000003.3306859801.00000201271A2000.00000004.00000020.00020000.00000000.sdmp, Recorder System.exe, 00000008.00000003.3116261135.00000201271A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:65534/api/storage/getAvailable.json
Source: Recorder System.exe, 00000008.00000003.3306859801.00000201271A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:65534/api/storage/getAvailable.jsonhtml?output=1
Source: Recorder System.exe, 00000008.00000003.3311842712.00000201285B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:65534/api/storage/getDeviceList.json
Source: Recorder System.exe, 00000008.00000003.3306859801.00000201271A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:65534/api/storage/getDeviceList.json0I
Source: Recorder System.exe, 00000008.00000003.3311842712.00000201285B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:65534/api/storage/getDeviceList.json8
Source: Recorder System.exe, 00000008.00000003.3306859801.00000201271A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:65534/api/storage/getDeviceList.jsonn
Source: Recorder System.exe, 00000008.00000003.3116261135.00000201271A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:65534/index.html?output=1
Source: Recorder System.exe, 00000008.00000003.2910001985.0000020127483000.00000004.00000020.00020000.00000000.sdmp, Recorder System.exe, 00000008.00000003.2929949341.0000020127483000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:65534/index.html?output=1#/
Source: Recorder System.exe, 00000008.00000003.3116261135.00000201271A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:65534/index.html?output=1#/home
Source: Recorder System.exe, 00000008.00000003.2930002756.00000201271A2000.00000004.00000020.00020000.00000000.sdmp, Recorder System.exe, 00000008.00000003.3306859801.00000201271A2000.00000004.00000020.00020000.00000000.sdmp, Recorder System.exe, 00000008.00000003.2993437399.00000201271A2000.00000004.00000020.00020000.00000000.sdmp, Recorder System.exe, 00000008.00000003.3116261135.00000201271A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:65534/index.html?output=1#/home&Array.isArray(e)?d(t
Source: Recorder System.exe, 00000008.00000003.2930002756.00000201271A2000.00000004.00000020.00020000.00000000.sdmp, Recorder System.exe, 00000008.00000003.3306859801.00000201271A2000.00000004.00000020.00020000.00000000.sdmp, Recorder System.exe, 00000008.00000003.2993437399.00000201271A2000.00000004.00000020.00020000.00000000.sdmp, Recorder System.exe, 00000008.00000003.3116261135.00000201271A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:65534/index.html?output=1#/home)
Source: Recorder System.exe, 00000008.00000003.3306859801.00000201271A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:65534/index.html?output=1#/homeT
Source: Recorder System.exe, 00000008.00000003.2930002756.00000201271A2000.00000004.00000020.00020000.00000000.sdmp, Recorder System.exe, 00000008.00000003.3306859801.00000201271A2000.00000004.00000020.00020000.00000000.sdmp, Recorder System.exe, 00000008.00000003.2993437399.00000201271A2000.00000004.00000020.00020000.00000000.sdmp, Recorder System.exe, 00000008.00000003.3116261135.00000201271A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:65534/index.html?output=1#/homea
Source: Recorder System.exe, 00000008.00000003.2930002756.00000201271A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:65534/index.html?output=1#/homeatch(t)
Source: Recorder System.exe, 00000008.00000003.3306859801.00000201271A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:65534/index.html?output=1#/homedex.html?output=1
Source: Recorder System.exe, 00000008.00000003.2930002756.00000201271A2000.00000004.00000020.00020000.00000000.sdmp, Recorder System.exe, 00000008.00000003.3306859801.00000201271A2000.00000004.00000020.00020000.00000000.sdmp, Recorder System.exe, 00000008.00000003.2993437399.00000201271A2000.00000004.00000020.00020000.00000000.sdmp, Recorder System.exe, 00000008.00000003.3116261135.00000201271A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:65534/index.html?output=1#/homet)
Source: Recorder System.exe, 00000008.00000003.3174345836.00000201273BA000.00000004.00000020.00020000.00000000.sdmp, Recorder System.exe, 00000008.00000003.3306859801.00000201271A2000.00000004.00000020.00020000.00000000.sdmp, Recorder System.exe, 00000008.00000003.3116261135.00000201271A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:65534/index.html?output=1&
Source: Recorder System.exe, 00000008.00000003.3174345836.00000201273BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:65534/index.html?output=1534/
Source: Recorder System.exe, 00000008.00000003.3306859801.00000201271A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:65534/index.html?output=1G
Source: Recorder System.exe, 00000008.00000003.3174345836.00000201273BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:65534/index.html?output=1calX
Source: Recorder System.exe, 00000008.00000003.3306859801.00000201271A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:65534/index.html?output=1id=1
Source: Recorder System.exe, 00000008.00000003.3174345836.00000201273BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:65534/index.html?output=1json
Source: Recorder System.exe, 00000008.00000003.3174345836.00000201273BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:65534/index.html?output=1l
Source: Recorder System.exe, 00000008.00000003.3174345836.00000201273BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:65534/index.html?output=1lX
Source: Recorder System.exe, 00000008.00000003.3174345836.00000201273BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:65534/lang/en.json
Source: Recorder System.exe, 00000008.00000003.3174345836.00000201273BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:65534/lang/en.json(
Source: Recorder System.exe, 00000008.00000003.3174345836.00000201273BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:65534/lang/en.jsontput=1
Source: Recorder System.exe, 00000008.00000003.3174345836.00000201273BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:65534/lang/en.jsontput=1=1
Source: Recorder System.exe, 00000008.00000003.3116261135.00000201271A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:65534/static/favicon.png
Source: Recorder System.exe, 00000008.00000003.3225818355.0000020128239000.00000004.00000020.00020000.00000000.sdmp, Recorder System.exe, 00000008.00000003.3377926199.0000020128200000.00000004.00000020.00020000.00000000.sdmp, Recorder System.exe, 00000008.00000003.3256437375.0000020128239000.00000004.00000020.00020000.00000000.sdmp, Recorder System.exe, 00000008.00000003.3279634870.0000020128200000.00000004.00000020.00020000.00000000.sdmp, Recorder System.exe, 00000008.00000003.3352744268.0000020128200000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://17.0.0.165534/index.html?output=1
Source: Recorder_System_v1.10.0048.tmp, 00000001.00000003.2712606285.00000000063B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://code.google.com/p/chromium/issues/entry
Source: powershell.exe, 00000006.00000002.2953345209.000001A0F8D60000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: powershell.exe, 00000006.00000002.2958676236.000001A0F90D1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.m
Source: powershell.exe, 00000006.00000002.2959404528.000001A0F9102000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.mic
Source: powershell.exe, 00000006.00000002.2959404528.000001A0F9102000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.mic4
Source: powershell.exe, 00000006.00000002.2959404528.000001A0F9102000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micP
Source: Recorder_System_v1.10.0048.tmp, 00000001.00000003.2712606285.00000000063B0000.00000004.00001000.00020000.00000000.sdmp, Recorder_System_v1.10.0048.tmp, 00000001.00000002.2747259737.000000000018C000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: powershell.exe, 00000006.00000002.2858291908.000001A0819B4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2936119512.000001A09006A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: Recorder_System_v1.10.0048.tmp, 00000001.00000003.2712606285.00000000063B0000.00000004.00001000.00020000.00000000.sdmp, Recorder_System_v1.10.0048.tmp, 00000001.00000002.2747259737.000000000018C000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.thawte.com0
Source: powershell.exe, 00000006.00000002.2858291908.000001A080227000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: Recorder_System_v1.10.0048.tmp, 00000001.00000003.2712606285.00000000063B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://primer.com
Source: powershell.exe, 00000006.00000002.2858291908.000001A08092E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2858291908.000001A080227000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000006.00000002.2858291908.000001A080001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000006.00000002.2858291908.000001A08092E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2858291908.000001A080227000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: Recorder_System_v1.10.0048.exe, 00000000.00000003.1784888881.000000007FBE0000.00000004.00001000.00020000.00000000.sdmp, Recorder_System_v1.10.0048.exe, 00000000.00000003.1784363744.0000000002580000.00000004.00001000.00020000.00000000.sdmp, Recorder_System_v1.10.0048.tmp, 00000001.00000000.1786143348.0000000000401000.00000020.00000001.01000000.00000004.sdmp	String found in binary or memory: http://skygz.taobao.com
Source: Recorder_System_v1.10.0048.tmp, 00000001.00000003.2712606285.00000000063B0000.00000004.00001000.00020000.00000000.sdmp, Recorder_System_v1.10.0048.tmp, 00000001.00000002.2747259737.000000000018C000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://t1.symcb.com/ThawtePCA.crl0
Source: Recorder_System_v1.10.0048.tmp, 00000001.00000003.2712606285.00000000063B0000.00000004.00001000.00020000.00000000.sdmp, Recorder_System_v1.10.0048.tmp, 00000001.00000002.2747259737.000000000018C000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://t2.symcb.com0
Source: Recorder_System_v1.10.0048.tmp, 00000001.00000003.2712606285.00000000063B0000.00000004.00001000.00020000.00000000.sdmp, Recorder_System_v1.10.0048.tmp, 00000001.00000002.2747259737.000000000018C000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://tl.symcb.com/tl.crl0
Source: Recorder_System_v1.10.0048.tmp, 00000001.00000003.2712606285.00000000063B0000.00000004.00001000.00020000.00000000.sdmp, Recorder_System_v1.10.0048.tmp, 00000001.00000002.2747259737.000000000018C000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://tl.symcb.com/tl.crt0
Source: Recorder_System_v1.10.0048.tmp, 00000001.00000003.2712606285.00000000063B0000.00000004.00001000.00020000.00000000.sdmp, Recorder_System_v1.10.0048.tmp, 00000001.00000002.2747259737.000000000018C000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://tl.symcd.com0&
Source: Recorder_System_v1.10.0048.tmp, 00000001.00000003.2712606285.00000000063B0000.00000004.00001000.00020000.00000000.sdmp, Recorder_System_v1.10.0048.tmp, 00000001.00000002.2747259737.000000000018C000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: Recorder_System_v1.10.0048.tmp, 00000001.00000003.2712606285.00000000063B0000.00000004.00001000.00020000.00000000.sdmp, Recorder_System_v1.10.0048.tmp, 00000001.00000002.2747259737.000000000018C000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: Recorder_System_v1.10.0048.tmp, 00000001.00000003.2712606285.00000000063B0000.00000004.00001000.00020000.00000000.sdmp, Recorder_System_v1.10.0048.tmp, 00000001.00000002.2747259737.000000000018C000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: powershell.exe, 00000006.00000002.2858291908.000001A080227000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: Recorder_System_v1.10.0048.exe, 00000000.00000003.1784888881.000000007FBE0000.00000004.00001000.00020000.00000000.sdmp, Recorder_System_v1.10.0048.exe, 00000000.00000003.1784363744.0000000002580000.00000004.00001000.00020000.00000000.sdmp, Recorder_System_v1.10.0048.tmp, 00000001.00000000.1786143348.0000000000401000.00000020.00000001.01000000.00000004.sdmp	String found in binary or memory: http://www.innosetup.com
Source: Recorder_System_v1.10.0048.exe, 00000000.00000000.1783171187.00000000004B7000.00000002.00000001.01000000.00000003.sdmp, Recorder_System_v1.10.0048.exe, 00000000.00000003.1784888881.000000007FBE0000.00000004.00001000.00020000.00000000.sdmp, Recorder_System_v1.10.0048.exe, 00000000.00000003.1784363744.0000000002580000.00000004.00001000.00020000.00000000.sdmp, Recorder_System_v1.10.0048.exe, 00000000.00000003.2757737505.0000000002306000.00000004.00001000.00020000.00000000.sdmp, Recorder_System_v1.10.0048.tmp, 00000001.00000000.1786730697.0000000000668000.00000002.00000001.01000000.00000004.sdmp, Recorder_System_v1.10.0048.tmp, 00000001.00000003.2723283541.0000000002426000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.kiloview.com/
Source: Recorder_System_v1.10.0048.exe, 00000000.00000003.1783507148.0000000002580000.00000004.00001000.00020000.00000000.sdmp, Recorder_System_v1.10.0048.tmp, 00000001.00000003.1787745486.0000000003530000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.kiloview.com/0http://www.kiloview.com/0http://www.kiloview.com/0http://www.kiloview.com/
Source: Recorder_System_v1.10.0048.tmp, 00000001.00000003.2723283541.0000000002426000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.kiloview.com/9jB
Source: Recorder_System_v1.10.0048.exe, 00000000.00000003.2757737505.0000000002306000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.kiloview.com/Ah0
Source: Recorder_System_v1.10.0048.tmp, 00000001.00000003.2723283541.0000000002426000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.kiloview.com/aiB
Source: Recorder_System_v1.10.0048.exe, 00000000.00000003.1784888881.000000007FBE0000.00000004.00001000.00020000.00000000.sdmp, Recorder_System_v1.10.0048.exe, 00000000.00000003.1784363744.0000000002580000.00000004.00001000.00020000.00000000.sdmp, Recorder_System_v1.10.0048.tmp, 00000001.00000000.1786143348.0000000000401000.00000020.00000001.01000000.00000004.sdmp	String found in binary or memory: http://www.remobjects.com/ps
Source: Recorder_System_v1.10.0048.exe, 00000000.00000003.1784888881.000000007FBE0000.00000004.00001000.00020000.00000000.sdmp, Recorder_System_v1.10.0048.exe, 00000000.00000003.1784363744.0000000002580000.00000004.00001000.00020000.00000000.sdmp, Recorder_System_v1.10.0048.tmp, 00000001.00000000.1786143348.0000000000401000.00000020.00000001.01000000.00000004.sdmp	String found in binary or memory: http://www.skygz.com
Source: powershell.exe, 00000006.00000002.2858291908.000001A080001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000006.00000002.2858291908.000001A080227000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2956344021.000001A0F8EB0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2858291908.000001A081312000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2858291908.000001A08162A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/winsvr-2022-pshelp
Source: powershell.exe, 00000006.00000002.2858291908.000001A08162A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/winsvr-2022-pshelpX
Source: Recorder_System_v1.10.0048.tmp, 00000001.00000003.2712606285.00000000063B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore/category/extensions
Source: Recorder_System_v1.10.0048.tmp, 00000001.00000003.2712606285.00000000063B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=pt-BRAtalho
Source: Recorder_System_v1.10.0048.tmp, 00000001.00000003.2712606285.00000000063B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=pt-PTAtalho
Source: Recorder_System_v1.10.0048.tmp, 00000001.00000003.2712606285.00000000063B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=roComanda
Source: Recorder_System_v1.10.0048.tmp, 00000001.00000003.2712606285.00000000063B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=ru
Source: Recorder_System_v1.10.0048.tmp, 00000001.00000003.2712606285.00000000063B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=skSkratka
Source: Recorder_System_v1.10.0048.tmp, 00000001.00000003.2712606285.00000000063B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=slBli
Source: Recorder_System_v1.10.0048.tmp, 00000001.00000003.2712606285.00000000063B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=sr
Source: Recorder_System_v1.10.0048.tmp, 00000001.00000003.2712606285.00000000063B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=svGenv
Source: Recorder_System_v1.10.0048.tmp, 00000001.00000003.2712606285.00000000063B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=swUmeondoa
Source: Recorder_System_v1.10.0048.tmp, 00000001.00000003.2712606285.00000000063B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=te
Source: Recorder_System_v1.10.0048.tmp, 00000001.00000003.2712606285.00000000063B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=th
Source: Recorder_System_v1.10.0048.tmp, 00000001.00000003.2712606285.00000000063B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=trK
Source: Recorder_System_v1.10.0048.tmp, 00000001.00000003.2712606285.00000000063B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=uk
Source: Recorder_System_v1.10.0048.tmp, 00000001.00000003.2712606285.00000000063B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=vi
Source: Recorder_System_v1.10.0048.tmp, 00000001.00000003.2712606285.00000000063B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=zh-CN
Source: Recorder_System_v1.10.0048.tmp, 00000001.00000003.2712606285.00000000063B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=zh-TW
Source: powershell.exe, 00000006.00000002.2936119512.000001A09006A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000006.00000002.2936119512.000001A09006A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000006.00000002.2936119512.000001A09006A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000006.00000002.2858291908.000001A080227000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: Recorder System.exe, 00000008.00000003.2796730525.00000201276F1000.00000004.00000020.00020000.00000000.sdmp, Recorder System.exe, 00000008.00000003.2797215811.0000020127841000.00000004.00000020.00020000.00000000.sdmp, Recorder System.exe, 00000008.00000003.2799992939.00000201276FD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/js-cookie/js-cookie
Source: powershell.exe, 00000006.00000002.2858291908.000001A08162A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: powershell.exe, 00000006.00000002.2858291908.000001A0819B4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2936119512.000001A09006A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: Recorder_System_v1.10.0048.tmp, 00000001.00000003.2712606285.00000000063B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://passwords.google.com
Source: Recorder_System_v1.10.0048.tmp, 00000001.00000003.2712606285.00000000063B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://passwords.google.comConta
Source: Recorder_System_v1.10.0048.tmp, 00000001.00000003.2712606285.00000000063B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://passwords.google.comContul
Source: Recorder_System_v1.10.0048.tmp, 00000001.00000003.2712606285.00000000063B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://passwords.google.comGoogle
Source: Recorder_System_v1.10.0048.tmp, 00000001.00000003.2712606285.00000000063B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://passwords.google.comGoogle-kontoSparade
Source: Recorder_System_v1.10.0048.tmp, 00000001.00000003.2712606285.00000000063B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://passwords.google.comKonta
Source: Recorder_System_v1.10.0048.tmp, 00000001.00000003.2712606285.00000000063B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://passwords.google.comT
Source: Recorder_System_v1.10.0048.tmp, 00000001.00000003.2712606285.00000000063B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://primer.com.Uporaba
Source: Recorder_System_v1.10.0048.tmp, 00000001.00000003.2712606285.00000000063B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=ui_supervised_users&hl=pt-BR
Source: Recorder_System_v1.10.0048.tmp, 00000001.00000003.2712606285.00000000063B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=ui_supervised_users&hl=pt-PT
Source: Recorder_System_v1.10.0048.tmp, 00000001.00000003.2712606285.00000000063B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=ui_supervised_users&hl=ro
Source: Recorder_System_v1.10.0048.tmp, 00000001.00000003.2712606285.00000000063B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=ui_supervised_users&hl=ru
Source: Recorder_System_v1.10.0048.tmp, 00000001.00000003.2712606285.00000000063B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=ui_supervised_users&hl=sk
Source: Recorder_System_v1.10.0048.tmp, 00000001.00000003.2712606285.00000000063B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=ui_supervised_users&hl=sl
Source: Recorder_System_v1.10.0048.tmp, 00000001.00000003.2712606285.00000000063B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=ui_supervised_users&hl=sr
Source: Recorder_System_v1.10.0048.tmp, 00000001.00000003.2712606285.00000000063B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=ui_supervised_users&hl=sv
Source: Recorder_System_v1.10.0048.tmp, 00000001.00000003.2712606285.00000000063B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=ui_supervised_users&hl=sw
Source: Recorder_System_v1.10.0048.tmp, 00000001.00000003.2712606285.00000000063B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=ui_supervised_users&hl=te
Source: Recorder_System_v1.10.0048.tmp, 00000001.00000003.2712606285.00000000063B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=ui_supervised_users&hl=th
Source: Recorder_System_v1.10.0048.tmp, 00000001.00000003.2712606285.00000000063B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=ui_supervised_users&hl=tr
Source: Recorder_System_v1.10.0048.tmp, 00000001.00000003.2712606285.00000000063B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=ui_supervised_users&hl=uk
Source: Recorder_System_v1.10.0048.tmp, 00000001.00000003.2712606285.00000000063B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=ui_supervised_users&hl=vi
Source: Recorder_System_v1.10.0048.tmp, 00000001.00000003.2712606285.00000000063B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=ui_supervised_users&hl=zh-CN
Source: Recorder_System_v1.10.0048.tmp, 00000001.00000003.2712606285.00000000063B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=ui_supervised_users&hl=zh-TW
Source: Recorder_System_v1.10.0048.tmp, 00000001.00000003.2712606285.00000000063B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://support.google.com/chrome/answer/6098869
Source: Recorder_System_v1.10.0048.tmp, 00000001.00000003.2712606285.00000000063B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://support.google.com/cloudprint/answer/2541843
Source: Recorder_System_v1.10.0048.tmp, 00000001.00000003.2712606285.00000000063B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: Recorder_System_v1.10.0048.tmp, 00000001.00000003.2712606285.00000000063B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com$1
Source: Recorder_System_v1.10.0048.tmp, 00000001.00000003.2712606285.00000000063B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/cloudprint#jobs
Source: Recorder_System_v1.10.0048.tmp, 00000001.00000003.2712606285.00000000063B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.google.comC
Source: Recorder_System_v1.10.0048.tmp, 00000001.00000003.2712606285.00000000063B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.google.comPesquisa
Source: Recorder_System_v1.10.0048.tmp, 00000001.00000003.2712606285.00000000063B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.google.comT
Source: Recorder_System_v1.10.0048.tmp, 00000001.00000003.2712606285.00000000063B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.google.comVyh
Source: Recorder_System_v1.10.0048.tmp, 00000001.00000003.2712606285.00000000063B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.google.comWyszukiwarka
Source: Recorder_System_v1.10.0048.exe, 00000000.00000000.1783068315.0000000000401000.00000020.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: Recorder_System_v1.10.0048.tmp, 00000001.00000003.2712606285.00000000063B0000.00000004.00001000.00020000.00000000.sdmp, Recorder_System_v1.10.0048.tmp, 00000001.00000002.2747259737.000000000018C000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: https://www.thawte.com/cps0/
Source: Recorder_System_v1.10.0048.tmp, 00000001.00000003.2712606285.00000000063B0000.00000004.00001000.00020000.00000000.sdmp, Recorder_System_v1.10.0048.tmp, 00000001.00000002.2747259737.000000000018C000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: https://www.thawte.com/repository0W

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443

Source: unknown	HTTPS traffic detected: 40.68.123.157:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.68.123.157:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 173.222.162.32:443 -> 192.168.2.4:49742 version: TLS 1.2

System Summary

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: Recorder_System_v1.10.0048.exe

Creates driver files

Source: C:\Program Files (x86)\Recorder System\Recorder System.exe

File created: C:\Program Files (x86)\Recorder System\OpenHardwareMonitorLib.sys

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 12_2_00007FFD9BADB772	12_2_00007FFD9BADB772
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 12_2_00007FFD9BADA9C6	12_2_00007FFD9BADA9C6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 12_2_00007FFD9BADA4C9	12_2_00007FFD9BADA4C9

Source: Recorder_System_v1.10.0048.tmp.0.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: is-MNRBK.tmp.1.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows

Source: is-3SREB.tmp.1.dr	Static PE information: Number of sections : 17 > 10
Source: is-RTIAS.tmp.1.dr	Static PE information: Number of sections : 12 > 10
Source: is-PN0JG.tmp.1.dr	Static PE information: Number of sections : 12 > 10
Source: is-1NU94.tmp.1.dr	Static PE information: Number of sections : 12 > 10
Source: is-5LL7O.tmp.1.dr	Static PE information: Number of sections : 12 > 10

Source: Recorder_System_v1.10.0048.exe, 00000000.00000003.2757737505.00000000022E8000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamekernel32j% vs Recorder_System_v1.10.0048.exe
Source: Recorder_System_v1.10.0048.exe, 00000000.00000000.1783171187.00000000004B7000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFileName vs Recorder_System_v1.10.0048.exe
Source: Recorder_System_v1.10.0048.exe, 00000000.00000003.1784888881.000000007FBE0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFileName vs Recorder_System_v1.10.0048.exe
Source: Recorder_System_v1.10.0048.exe, 00000000.00000003.1784363744.0000000002580000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFileName vs Recorder_System_v1.10.0048.exe

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Mutant created: \Sessions\1\BaseNamedObjects\NewTek_AirPlay_UdpPingMutex
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\Access_ISABUS.HTP.Method
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3896:120:WilError_03
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Mutant created: \Sessions\1\BaseNamedObjects\NewTek_AirPlay_UdpSendMutex
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\Access_PCI
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\CLR_PerfMon_WrapMutex

Source: C:\Users\user\Desktop\Recorder_System_v1.10.0048.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\Desktop\Recorder_System_v1.10.0048.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior

Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Recorder_System_v1.10.0048.exe "C:\Users\user\Desktop\Recorder_System_v1.10.0048.exe"
Source: C:\Users\user\Desktop\Recorder_System_v1.10.0048.exe	Process created: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp "C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp" /SL5="$402A6,102473945,718848,C:\Users\user\Desktop\Recorder_System_v1.10.0048.exe"
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" Set-Executionpolicy remotesigned -Force
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Process created: C:\Program Files (x86)\Recorder System\Recorder System.exe "C:\Program Files (x86)\Recorder System\Recorder System.exe"
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process created: C:\Program Files (x86)\Recorder System\QtWebEngineProcess.exe "C:\Program Files (x86)\Recorder System\QtWebEngineProcess.exe" --type=renderer --disable-gpu-memory-buffer-video-frames --enable-threaded-compositing --use-gl=angle --enable-features=AllowContentInitiatedDataUrlNavigations,TracingServiceInProcess --disable-features=BackgroundFetch,BlinkGenPropertyTrees,MojoVideoCapture,NetworkServiceNotSupported,OriginTrials,SmsReceiver,UsePdfCompositorServiceForPrint,UseSurfaceLayerForVideo,VizDisplayCompositor,WebAuthentication,WebAuthenticationCable,WebPayments,WebUSB --lang=en-CH --webengine-schemes=qrc:sLV --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=11831953104643474927 --renderer-client-id=3 --mojo-platform-channel-handle=3536 /prefetch:1
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -file C:/Users/user/AppData/Local/official-recorder/temp/gpu.ps1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\wbem\WmiApSrv.exe C:\Windows\system32\wbem\WmiApSrv.exe
Source: C:\Users\user\Desktop\Recorder_System_v1.10.0048.exe	Process created: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp "C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp" /SL5="$402A6,102473945,718848,C:\Users\user\Desktop\Recorder_System_v1.10.0048.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" Set-Executionpolicy remotesigned -Force	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Process created: C:\Program Files (x86)\Recorder System\Recorder System.exe "C:\Program Files (x86)\Recorder System\Recorder System.exe"	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process created: C:\Program Files (x86)\Recorder System\QtWebEngineProcess.exe "C:\Program Files (x86)\Recorder System\QtWebEngineProcess.exe" --type=renderer --disable-gpu-memory-buffer-video-frames --enable-threaded-compositing --use-gl=angle --enable-features=AllowContentInitiatedDataUrlNavigations,TracingServiceInProcess --disable-features=BackgroundFetch,BlinkGenPropertyTrees,MojoVideoCapture,NetworkServiceNotSupported,OriginTrials,SmsReceiver,UsePdfCompositorServiceForPrint,UseSurfaceLayerForVideo,VizDisplayCompositor,WebAuthentication,WebAuthenticationCable,WebPayments,WebUSB --lang=en-CH --webengine-schemes=qrc:sLV --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=11831953104643474927 --renderer-client-id=3 --mojo-platform-channel-handle=3536 /prefetch:1	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -file C:/Users/user/AppData/Local/official-recorder/temp/gpu.ps1	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Automated click: Install
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-UNUI8.tmp\Recorder_System_v1.10.0048.tmp	Automated click: Next >

Source: is-TU764.tmp.1.dr	Static PE information: real checksum: 0x0 should be: 0x444f6
Source: is-Q5FKQ.tmp.1.dr	Static PE information: real checksum: 0x0 should be: 0x2e387
Source: is-MNRBK.tmp.1.dr	Static PE information: real checksum: 0x27437c should be: 0x27ab3b
Source: Recorder_System_v1.10.0048.tmp.0.dr	Static PE information: real checksum: 0x27437c should be: 0x26cf9f
Source: is-J7HE7.tmp.1.dr	Static PE information: real checksum: 0x0 should be: 0x18b2
Source: is-804L0.tmp.1.dr	Static PE information: real checksum: 0x0 should be: 0x1a6ea
Source: is-83BH1.tmp.1.dr	Static PE information: real checksum: 0x0 should be: 0x3515c4
Source: is-SHFJV.tmp.1.dr	Static PE information: real checksum: 0x0 should be: 0x5a6e9

Source: Recorder_System_v1.10.0048.exe	Static PE information: section name: .didata
Source: Recorder_System_v1.10.0048.tmp.0.dr	Static PE information: section name: .didata
Source: is-MNRBK.tmp.1.dr	Static PE information: section name: .didata
Source: is-RTIAS.tmp.1.dr	Static PE information: section name: .xdata
Source: is-1NU94.tmp.1.dr	Static PE information: section name: .xdata
Source: is-EUM4R.tmp.1.dr	Static PE information: section name: .qtmetad
Source: is-UI7R7.tmp.1.dr	Static PE information: section name: .qtmetad
Source: is-E91NQ.tmp.1.dr	Static PE information: section name: .qtmetad
Source: is-JD84L.tmp.1.dr	Static PE information: section name: .qtmetad
Source: is-4OUCQ.tmp.1.dr	Static PE information: section name: .qtmetad
Source: is-TIBQQ.tmp.1.dr	Static PE information: section name: .qtmetad
Source: is-MBHPB.tmp.1.dr	Static PE information: section name: .qtmetad
Source: is-GE8FV.tmp.1.dr	Static PE information: section name: .qtmetad
Source: is-MH0HG.tmp.1.dr	Static PE information: section name: .qtmetad
Source: is-F27G2.tmp.1.dr	Static PE information: section name: .qtmetad
Source: is-3SREB.tmp.1.dr	Static PE information: section name: /4
Source: is-3SREB.tmp.1.dr	Static PE information: section name: /19
Source: is-3SREB.tmp.1.dr	Static PE information: section name: /31
Source: is-3SREB.tmp.1.dr	Static PE information: section name: /45
Source: is-3SREB.tmp.1.dr	Static PE information: section name: /57
Source: is-3SREB.tmp.1.dr	Static PE information: section name: /70
Source: is-3SREB.tmp.1.dr	Static PE information: section name: /81
Source: is-3SREB.tmp.1.dr	Static PE information: section name: /92
Source: is-S4J4O.tmp.1.dr	Static PE information: section name: .qtmetad
Source: is-N1301.tmp.1.dr	Static PE information: section name: .qtmetad
Source: is-G8AU8.tmp.1.dr	Static PE information: section name: .qtmetad
Source: is-5FVBS.tmp.1.dr	Static PE information: section name: .qtmetad
Source: is-MP9MT.tmp.1.dr	Static PE information: section name: .qtmetad
Source: is-0HJJO.tmp.1.dr	Static PE information: section name: .qtmetad
Source: is-AJ66B.tmp.1.dr	Static PE information: section name: .qtmetad
Source: is-MJI5C.tmp.1.dr	Static PE information: section name: .qtmetad
Source: is-DRGH1.tmp.1.dr	Static PE information: section name: .qtmetad
Source: is-EFF43.tmp.1.dr	Static PE information: section name: .qtmetad
Source: is-D9NLO.tmp.1.dr	Static PE information: section name: _RDATA
Source: is-8H8RT.tmp.1.dr	Static PE information: section name: _RDATA
Source: is-VGKVT.tmp.1.dr	Static PE information: section name: _RDATA
Source: is-CQUNS.tmp.1.dr	Static PE information: section name: .qtmetad
Source: is-CUVSA.tmp.1.dr	Static PE information: section name: .qtmetad
Source: is-08QUI.tmp.1.dr	Static PE information: section name: .qtmetad
Source: is-K2N1T.tmp.1.dr	Static PE information: section name: .qtmetad
Source: is-R5K5O.tmp.1.dr	Static PE information: section name: .qtmetad
Source: is-THCCM.tmp.1.dr	Static PE information: section name: .qtmetad
Source: is-OH7NK.tmp.1.dr	Static PE information: section name: .qtmetad
Source: is-PQ3NI.tmp.1.dr	Static PE information: section name: .qtmetad
Source: is-K7O5H.tmp.1.dr	Static PE information: section name: .qtmetad
Source: is-N8GIK.tmp.1.dr	Static PE information: section name: .qtmetad
Source: is-EADOB.tmp.1.dr	Static PE information: section name: .qtmetad
Source: is-KMNA3.tmp.1.dr	Static PE information: section name: .qtmetad
Source: is-KV5D3.tmp.1.dr	Static PE information: section name: .qtmetad
Source: is-4IBFD.tmp.1.dr	Static PE information: section name: .qtmetad
Source: is-0QFR5.tmp.1.dr	Static PE information: section name: .qtmetad
Source: is-VKBN9.tmp.1.dr	Static PE information: section name: .qtmetad
Source: is-CKTA5.tmp.1.dr	Static PE information: section name: .qtmetad
Source: is-T1S7O.tmp.1.dr	Static PE information: section name: .qtmetad
Source: is-LT1NT.tmp.1.dr	Static PE information: section name: .qtmetad
Source: is-VCRLV.tmp.1.dr	Static PE information: section name: .qtmetad
Source: is-G1MA9.tmp.1.dr	Static PE information: section name: .qtmetad
Source: is-PN0JG.tmp.1.dr	Static PE information: section name: .xdata
Source: is-5LL7O.tmp.1.dr	Static PE information: section name: .xdata
Source: is-Q5FKQ.tmp.1.dr	Static PE information: section name: .nep
Source: is-804L0.tmp.1.dr	Static PE information: section name: .qtmetad
Source: is-83BH1.tmp.1.dr	Static PE information: section name: .00cfg
Source: is-T9U84.tmp.1.dr	Static PE information: section name: .didat
Source: is-F4125.tmp.1.dr	Static PE information: section name: .qtmetad
Source: is-SIQ9G.tmp.1.dr	Static PE information: section name: _RDATA

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 12_2_00007FFD9BAD2B14 push eax; iretd		12_2_00007FFD9BAD2B41
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 12_2_00007FFD9BAD8615 push ebx; retf 0009h		12_2_00007FFD9BAD877A

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1

Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSMBios_RawSMBiosTables
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSMBios_RawSMBiosTables
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSMBios_RawSMBiosTables
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	WMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSMBios_RawSMBiosTables

Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Memory allocated: 20108AD0000 memory reserve \| memory write watch			Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Memory allocated: 20122E20000 memory reserve \| memory write watch			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6789	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1450	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Window / User API: threadDelayed 5697	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6778
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2236

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3916	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 3672	Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4944	Thread sleep count: 6778 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4944	Thread sleep count: 2236 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1720	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3732	Thread sleep time: -1844674407370954s >= -30000s

Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	File Volume queried: C:\Users\user\AppData\Local\Kiloview\Recorder System\QtWebEngine\Default\blob_storage\84b40db6-5102-449d-9a83-6065507ecf8b FullSizeInformation			Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	File Volume queried: C:\Users\user\AppData\Local\Kiloview\Recorder System\cache\QtWebEngine\Default\Cache FullSizeInformation			Jump to behavior

Source: Recorder System.exe, 00000008.00000003.3397153646.0000020128239000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Recorder System.exe, 00000008.00000003.3397153646.0000020128239000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.
Source: Recorder System.exe, 00000008.00000003.3397153646.0000020128239000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware20,1
Source: Recorder System.exe, 00000008.00000003.3397153646.0000020128239000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware Virtual RAM00000001VMW-4096MBRAM slot #0RAM slot #0
Source: Recorder_System_v1.10.0048.tmp, 00000001.00000003.2716711201.0000000000916000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\G
Source: Recorder System.exe, 00000008.00000003.3397153646.0000020128239000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.NoneVMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0VMware20,1
Source: Recorder System.exe, 00000008.00000003.3397153646.0000020128239000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware SVGA IIES1371
Source: Recorder System.exe, 00000008.00000003.3397153646.0000020128239000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware Virtual RAM
Source: Recorder System.exe, 00000008.00000003.3397153646.0000020128239000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.VMW201.00V.20829224.B64.221121184211/21/2022
Source: Recorder System.exe, 00000008.00000003.3397153646.0000020128239000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware SVGA II
Source: Recorder_System_v1.10.0048.tmp, 00000001.00000003.2745011340.00000000008AD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}ms

Windows Analysis Report Recorder_System_v1.10.0048.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Private

Windows Analysis Report
Recorder_System_v1.10.0048.exe

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug

Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Memory allocated: C:\Program Files (x86)\Recorder System\QtWebEngineProcess.exe base: 1B491A90000 protect: page read and write	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Memory allocated: C:\Program Files (x86)\Recorder System\QtWebEngineProcess.exe base: 1B491AA0000 protect: page no access	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Memory allocated: C:\Program Files (x86)\Recorder System\QtWebEngineProcess.exe base: 1B491AAD000 protect: page execute and read and write	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Memory allocated: C:\Program Files (x86)\Recorder System\QtWebEngineProcess.exe base: 1B491AB0000 protect: page read and write	Jump to behavior

Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Memory written: C:\Program Files (x86)\Recorder System\QtWebEngineProcess.exe base: 1B491A90000	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Memory written: C:\Program Files (x86)\Recorder System\QtWebEngineProcess.exe base: 1B491AAD420	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Memory written: C:\Program Files (x86)\Recorder System\QtWebEngineProcess.exe base: 7FFE2220DA90	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Memory written: C:\Program Files (x86)\Recorder System\QtWebEngineProcess.exe base: 1B491AAD460	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Memory written: C:\Program Files (x86)\Recorder System\QtWebEngineProcess.exe base: 7FFE2220D650	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Memory written: C:\Program Files (x86)\Recorder System\QtWebEngineProcess.exe base: 1B491AAD4A0	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Memory written: C:\Program Files (x86)\Recorder System\QtWebEngineProcess.exe base: 7FFE2220D790	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Memory written: C:\Program Files (x86)\Recorder System\QtWebEngineProcess.exe base: 1B491AAD4E0	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Memory written: C:\Program Files (x86)\Recorder System\QtWebEngineProcess.exe base: 7FFE2220F8A0	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Memory written: C:\Program Files (x86)\Recorder System\QtWebEngineProcess.exe base: 1B491AAD520	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Memory written: C:\Program Files (x86)\Recorder System\QtWebEngineProcess.exe base: 7FFE2220D4D0	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Memory written: C:\Program Files (x86)\Recorder System\QtWebEngineProcess.exe base: 1B491AAD560	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Memory written: C:\Program Files (x86)\Recorder System\QtWebEngineProcess.exe base: 7FFE2220F5A0	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Memory written: C:\Program Files (x86)\Recorder System\QtWebEngineProcess.exe base: 1B491AAD5A0	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Memory written: C:\Program Files (x86)\Recorder System\QtWebEngineProcess.exe base: 7FFE2220D4B0	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Memory written: C:\Program Files (x86)\Recorder System\QtWebEngineProcess.exe base: 1B491AAD5E0	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Memory written: C:\Program Files (x86)\Recorder System\QtWebEngineProcess.exe base: 7FFE2220F4E0	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Memory written: C:\Program Files (x86)\Recorder System\QtWebEngineProcess.exe base: 1B491AAD620	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Memory written: C:\Program Files (x86)\Recorder System\QtWebEngineProcess.exe base: 7FFE2220D190	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Memory written: C:\Program Files (x86)\Recorder System\QtWebEngineProcess.exe base: 1B491AAD660	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Memory written: C:\Program Files (x86)\Recorder System\QtWebEngineProcess.exe base: 7FFE2220D470	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Memory written: C:\Program Files (x86)\Recorder System\QtWebEngineProcess.exe base: 1B491AAD6A0	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Memory written: C:\Program Files (x86)\Recorder System\QtWebEngineProcess.exe base: 7FFE2220D5F0	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Memory written: C:\Program Files (x86)\Recorder System\QtWebEngineProcess.exe base: 1B491AAD6E0	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Memory written: C:\Program Files (x86)\Recorder System\QtWebEngineProcess.exe base: 7FFE2220D5D0	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Memory written: C:\Program Files (x86)\Recorder System\QtWebEngineProcess.exe base: 1B491AAD720	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Memory written: C:\Program Files (x86)\Recorder System\QtWebEngineProcess.exe base: 7FFE2220D4F0	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Memory written: C:\Program Files (x86)\Recorder System\QtWebEngineProcess.exe base: 1B491AAD760	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Memory written: C:\Program Files (x86)\Recorder System\QtWebEngineProcess.exe base: 7FFE2220D530	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Memory written: C:\Program Files (x86)\Recorder System\QtWebEngineProcess.exe base: 1B491AAD400	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Memory written: C:\Program Files (x86)\Recorder System\QtWebEngineProcess.exe base: 7FF641056540	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Memory written: C:\Program Files (x86)\Recorder System\QtWebEngineProcess.exe base: 7FF641056690	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Memory written: C:\Program Files (x86)\Recorder System\QtWebEngineProcess.exe base: 7FF641056760	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Memory written: C:\Program Files (x86)\Recorder System\QtWebEngineProcess.exe base: 1B491AB0000	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Memory written: C:\Program Files (x86)\Recorder System\QtWebEngineProcess.exe base: 7FF641056530	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Memory written: C:\Program Files (x86)\Recorder System\QtWebEngineProcess.exe base: 7FF641056750	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Memory written: C:\Program Files (x86)\Recorder System\QtWebEngineProcess.exe base: 7FF641056828	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Memory written: C:\Program Files (x86)\Recorder System\QtWebEngineProcess.exe base: 7FF641056830	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Memory written: C:\Program Files (x86)\Recorder System\QtWebEngineProcess.exe base: 7FF641055000	Jump to behavior
Source: C:\Program Files (x86)\Recorder System\Recorder System.exe	Memory written: C:\Program Files (x86)\Recorder System\QtWebEngineProcess.exe base: 7FF6410568B0	Jump to behavior

ID:	1432274
Product:	CloudBasic
Start time:	19:06:31
Start date:	26.04.2024
Sample:	Recorder_System_v1.10.0048.exe
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	a9042018e74f1fc91ebfc730a295c9b4
SHA1:	f8c642249bad0286b7d61867c1bb633a6c991608
SHA256:	5ffe4b15c63ad89d31c155585fae5a7a95cdd77b2300329b5c5a1a400b087541
Filetype:	Win32 Executable (generic) a (10002005/4) 98.04%